JavaScriptCore-7600.1.4.15.12.tar.gz

[apple/javascriptcore.git] / ChangeLog-2012-05-22

2012-05-22  Yong Li  <yoli@rim.com>

        [BlackBerry] getPlatformThreadRegisters() should fetch target thread's registers
        https://bugs.webkit.org/show_bug.cgi?id=87148

        Reviewed by George Staikos.

        Our previous implementation of getPlatformThreadRegisters() read registers in current
        thread's context but it is supposed to read the target thread's registers.

        * heap/MachineStackMarker.cpp:
        (JSC::getPlatformThreadRegisters):

2012-05-05  Filip Pizlo  <fpizlo@apple.com>

        DFG should support reflective arguments access
        https://bugs.webkit.org/show_bug.cgi?id=85721

        Reviewed by Oliver Hunt.
        
        Merged r116345 from dfgopt.
        
        This adds support for op_create_arguments to the DFG. No other arguments-related
        opcodes are added by this change, though it does add a lot of the scaffolding
        necessary for the other ops.
        
        This also adds GetByVal/PutByVal optimizations for Arguments.
        
        Finally, this rationalizes slowPathCall with no return. Previously, that would
        work via callOperation() overloads that took InvalidGPRReg as the return GPR.
        But that creates awful ambiguity, since we had template functions that were
        polymorphic over all parameters except the second, which was a GPRReg, and a
        bunch of non-template overloads that also potentially had GPRReg as the second
        argument. I finally started to hit this ambiguity and was getting absolutely
        bizarre compiler errors, that made me feel like I was programming in SML. So,
        I changed the no-argument overloads to take NoResultTag instead, which made
        everything sensible again by eliminating the overload ambiguity.
        
        This is a ~7% speed-up on V8/earley and neutral elsewhere.

        * bytecode/PredictedType.h:
        (JSC::isArgumentsPrediction):
        (JSC):
        (JSC::isActionableMutableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::unmodifiedArgumentsRegister):
        (Node):
        (JSC::DFG::Node::shouldSpeculateArguments):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::pickCanTrample):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Arguments.h:
        (ArgumentsData):
        (Arguments):
        (JSC::Arguments::offsetOfData):

2011-05-21  Geoffrey Garen  <ggaren@apple.com>

        GC allocation trigger should be tuned to system RAM
        https://bugs.webkit.org/show_bug.cgi?id=87039

        Reviewed by Darin Adler.

        This helps avoid OOM crashes on small platforms, and helps avoid "too much GC"
        performance issues on big platforms.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap): GC balances between a fixed minimum and a proportional multiplier,
        which are limited based on system RAM.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::createContextGroup):
        (JSC::JSGlobalData::create):
        (JSC::JSGlobalData::createLeaked):
        * runtime/JSGlobalData.h:
        (JSGlobalData): Renamed HeapSize to HeapType because the exact size is
        influenced by the heap type, but not determined by it.

2012-05-21  Gavin Barraclough  <barraclough@apple.com>

        Disable private names by default in WebCore
        https://bugs.webkit.org/show_bug.cgi?id=87088

        Reviewed by Geoff Garen.

        r117859 introduced a preliminary implementation of ES6-like private name objects to JSC.
        These are probably not yet ready to be web-facing, so disabling by default in WebCore.
        Opting-in for JSC & DumpRenderTree so that we can still run the fast/js/names.html test.

        * jsc.cpp:
        (GlobalObject):
        (GlobalObject::javaScriptExperimentsEnabled):
            - Implemented new trap to opt-in to private names support.
        * runtime/JSGlobalObject.cpp:
        (JSC):
        (JSC::JSGlobalObject::reset):
            - Only add the Name property to the global object if experiments are enabled.
        * runtime/JSGlobalObject.h:
        (GlobalObjectMethodTable):
            - Added new trap to enabled experiments.
        (JSGlobalObject):
        (JSC::JSGlobalObject::finishCreation):
            - Set the global object's m_experimentsEnabled state on construction.
        (JSC::JSGlobalObject::javaScriptExperimentsEnabled):
            - Defaults to off.

2012-05-06  Filip Pizlo  <fpizlo@apple.com>

        Truncating multiplication on integers should not OSR exit every time
        https://bugs.webkit.org/show_bug.cgi?id=85752

        Reviewed by Gavin Barraclough.
        
        Merge r116264 from dfgopt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::mulShouldSpeculateInteger):
        (Graph):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInteger):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMul):

2012-05-21  Csaba Osztrogonác  <ossy@webkit.org>

        DFG should be able to compute dominators
        https://bugs.webkit.org/show_bug.cgi?id=85269

        Unreviewed trivial 32 bit buildfix after r117861.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2012-05-21  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to compute dominators
        https://bugs.webkit.org/show_bug.cgi?id=85269

        Reviewed by Oliver Hunt.
        
        Merged r115754 from dfgopt.
        
        Implements a naive dominator calculator, which is currently just used to
        print information in graph dumps. I've enabled it by default mainly to
        be able to track its performance impact. So far it appears that there is
        none, which is unsurprising given that the number of basic blocks in most
        procedures is small.
        
        Also tweaked bytecode dumping to reveal more useful information about the
        nature of the code block.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * dfg/DFGDominators.cpp: Added.
        (DFG):
        (JSC::DFG::Dominators::Dominators):
        (JSC::DFG::Dominators::~Dominators):
        (JSC::DFG::Dominators::compute):
        (JSC::DFG::Dominators::iterateForBlock):
        * dfg/DFGDominators.h: Added.
        (DFG):
        (Dominators):
        (JSC::DFG::Dominators::invalidate):
        (JSC::DFG::Dominators::computeIfNecessary):
        (JSC::DFG::Dominators::isValid):
        (JSC::DFG::Dominators::dominates):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):

2012-05-21  Michael Saboff  <msaboff@apple.com>

        Cleanup of Calls to operationStrCat and operationNewArray and Use Constructor after r117729
        https://bugs.webkit.org/show_bug.cgi?id=87027

        Reviewed by Oliver Hunt.

        Change calls to operationStrCat and operationNewArray to provide the
        pointer to the EncodedJSValue* data buffer instead of the ScratchBuffer
        that contains it.  Added a ScratchBuffer::create() function.
        This is a clean-up to r117729.

        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalData.h:
        (JSC::ScratchBuffer::create):
        (JSC::ScratchBuffer::dataBuffer):
        (JSC::JSGlobalData::scratchBufferForSize):

2012-05-15  Gavin Barraclough  <barraclough@apple.com>

        Add support for private names
        https://bugs.webkit.org/show_bug.cgi?id=86509

        Reviewed by Oliver Hunt.

        The spec isn't final, but we can start adding support to allow property maps
        to contain keys that aren't identifiers.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::put):
        (JSC::::deleteProperty):
        (JSC::::getStaticValue):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
            - Only expose public named properties over the JSC API.
        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
            - Added new files to build system.
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
            - Added support for property access with name objects.
        * interpreter/CallFrame.h:
        (JSC::ExecState::privateNamePrototypeTable):
            - Added hash table for NamePrototype
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
            - Added support for property access with name objects.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Added support for property access with name objects.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
            - Added support for property access with name objects.
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
            - Added hash table for NamePrototype
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::privateNameStructure):
        (JSC::JSGlobalObject::symbolTableHasProperty):
            - Added new global properties.
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isName):
            - Added type for NameInstances, for fast isName check.
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::deleteProperty):
        (JSC::JSVariableObject::symbolTableGet):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::symbolTableGet):
        (JSC::JSVariableObject::symbolTablePut):
        (JSC::JSVariableObject::symbolTablePutWithAttributes):
            - symbol table lookup should take a PropertyName.
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTable::entry):
            - entry lookup should take a PropertyName.
        * runtime/NameConstructor.cpp: Added.
        (JSC):
        (JSC::NameConstructor::NameConstructor):
        (JSC::NameConstructor::finishCreation):
        (JSC::constructPrivateName):
        (JSC::NameConstructor::getConstructData):
        (JSC::NameConstructor::getCallData):
        * runtime/NameConstructor.h: Added.
        (JSC):
        (NameConstructor):
        (JSC::NameConstructor::create):
        (JSC::NameConstructor::createStructure):
            - Added constructor.
        * runtime/NameInstance.cpp: Added.
        (JSC):
        (JSC::NameInstance::NameInstance):
        (JSC::NameInstance::destroy):
        * runtime/NameInstance.h: Added.
        (JSC):
        (NameInstance):
        (JSC::NameInstance::createStructure):
        (JSC::NameInstance::create):
        (JSC::NameInstance::privateName):
        (JSC::NameInstance::nameString):
        (JSC::NameInstance::finishCreation):
        (JSC::isName):
            - Added instance.
        * runtime/NamePrototype.cpp: Added.
        (JSC):
        (JSC::NamePrototype::NamePrototype):
        (JSC::NamePrototype::finishCreation):
        (JSC::NamePrototype::getOwnPropertySlot):
        (JSC::NamePrototype::getOwnPropertyDescriptor):
        (JSC::privateNameProtoFuncToString):
        * runtime/NamePrototype.h: Added.
        (JSC):
        (NamePrototype):
        (JSC::NamePrototype::create):
        (JSC::NamePrototype::createStructure):
            - Added prototype.
        * runtime/PrivateName.h: Added.
        (JSC):
        (PrivateName):
        (JSC::PrivateName::PrivateName):
        (JSC::PrivateName::uid):
            - A private name object holds a StringImpl that can be used as a unique key in a property map.
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::findWithString):
            - Strings should only match keys in the table that are identifiers.
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
        (JSC::operator==):
        (JSC::operator!=):
            - replaced impl() & ustring() with uid() [to get the raw impl] and publicName() [impl or null, if not an identifier].
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/Structure.h:
        (JSC::Structure::get):
            - call uid() to get a PropertyName raw impl, for use as a key.

2012-04-30  Filip Pizlo  <fpizlo@apple.com>

        Bytecode dumps should contain data about the state of get_by_id caches
        https://bugs.webkit.org/show_bug.cgi?id=85246

        Reviewed by Gavin Barraclough.
        
        Merge r115694 from dfgopt.
        
        Changed the DFG bytecode parser (and the code that calls it) to be able
        to call codeBlock->dump() on the code blocks being parsed.
        
        Changed bytecode dumping to be able to print the state of get_by_id
        caches inline with the bytecode.
        
        Removed the old StructureStubInfo dumping code, which no longer worked
        right, and was incapable of telling us information about chain and list
        accesses.
        
        This change does not add dumping for put_by_id caches. We can add that
        at a later time.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::printGlobalResolveInfo):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::visitStructures):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::jitCompile):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::parse):
        * dfg/DFGByteCodeParser.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h:
        (DFG):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGOSRExitCompiler.cpp:
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::jitCompile):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):

2012-05-21  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header files.

2012-05-21  Allan Sandfeld Jensen  <allan.jensen@nokia.com>

        GCC 4.7 and C++11
        https://bugs.webkit.org/show_bug.cgi?id=86465

        Reviewed by Darin Adler.

        Set emptyValueIsZero flag so RegExpKey can be used with the non-copyable RegExp values.

        * runtime/RegExpKey.h:

2012-05-20  Michael Saboff  <msaboff@apple.com>

        JSGlobalData ScratchBuffers Are Not Visited During Garbage Collection
        https://bugs.webkit.org/show_bug.cgi?id=86553

        Reviewed by Gavin Barraclough.

        Scratch buffers can contain the only reference to live objects.
        Therefore visit scratch buffer contents as conservative roots.
        Changed the scratch buffers to be a struct with an "active"
        length and the actual buffer.  The users of the scratch
        buffer emit code where needed to set and clear the active
        length as appropriate.  During marking, the active count is
        used for conservative marking.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::gatherConservativeRoots):
        * runtime/JSGlobalData.h:
        (JSC::ScratchBuffer::ScratchBuffer):
        (ScratchBuffer):
        (JSC::ScratchBuffer::allocationSize):
        (JSC::ScratchBuffer::setActiveLength):
        (JSC::ScratchBuffer::activeLength):
        (JSC::ScratchBuffer::activeLengthPtr):
        (JSC::ScratchBuffer::dataBuffer):
        (JSGlobalData):
        (JSC::JSGlobalData::scratchBufferForSize):

2012-05-20  Filip Pizlo  <fpizlo@apple.com>

        Predicted types should know about arguments
        https://bugs.webkit.org/show_bug.cgi?id=85165

        Reviewed by Oliver Hunt.
        
        Merge r115604 from dfgopt.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionToAbbreviatedString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC):
        (JSC::isMyArgumentsPrediction):
        (JSC::isArgumentsPrediction):

2012-05-20  Filip Pizlo  <fpizlo@apple.com>

        Bytecompiler should emit trivially fewer jumps in loops
        https://bugs.webkit.org/show_bug.cgi?id=85144

        Reviewed by Oliver Hunt.
        
        Merged r115587 from dfgopt.
        
        1-2% across the board win.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):

2012-05-19  Vivek Galatage  <vivekgalatage@gmail.com>

        Windows build broken due to changes in the http://trac.webkit.org/changeset/117646
        https://bugs.webkit.org/show_bug.cgi?id=86939

        The changeset 117646 changed the JSString::toBoolean signature. This
        change is for fixing the windows build break.

        Reviewed by Ryosuke Niwa.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-05-18  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(117646): fast/canvas/webgl/glsl-conformance.html is crashing in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=86929

        Reviewed by Oliver Hunt.
        
        The problem was that if CFG simplification saw a Branch with identical successors,
        it would always perform a basic block merge. But that's wrong if the successor has
        other predecessors.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):

2012-05-18  Filip Pizlo  <fpizlo@apple.com>

        DFG CFG simplification crashes if it's trying to remove an unreachable block
        that has an already-killed-off unreachable successor
        https://bugs.webkit.org/show_bug.cgi?id=86918

        Reviewed by Oliver Hunt.
        
        This fixes crashes in:
        inspector/styles/styles-computed-trace.html
        inspector/console/console-big-array.html

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::fixPhis):

2012-05-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should have control flow graph simplification
        https://bugs.webkit.org/show_bug.cgi?id=84553

        Reviewed by Oliver Hunt.
        
        Merged r115512 from dfgopt.

        This change gives the DFG the ability to simplify the control flow graph
        as part of an optimization fixpoint that includes CSE, CFA, and constant
        folding. This required a number of interesting changes including:
        
        - Solidifying the set of invariants that the DFG obeys. For example, the
          head and tail of each basic block must advertise the set of live locals
          and the set of available locals, respectively. It must do so by
          referring to the first access to the local in the block (for head) and
          the last one (for tail). This patch introduces the start of a
          validation step that may be turned on even with asserts disabled. To
          ensure that these invariants are preserved, I had to remove the
          redundant phi elimination phase. For now I just remove the call, but in
          the future we will probably remove it entirely unless we find a use for
          it.
        
        - Making it easier to get the boolean version of a JSValue. This is a
          pure operation, but we previously did not treat it as such.
        
        - Fixing the merging and filtering of AbstractValues that correspond to
          concrete JSValues. This was previously broken and was limiting the
          effect of running constant folding. Fixing this meant that I had to
          change how constant folding eliminates GetLocal nodes, so as to ensure
          that the resulting graph still obeys DFG rules.
        
        - Introducing simplified getters for some of the things that DFG phases
          want to know about, like the Nth child of a node (now just
          graph.child(...) if you don't care about performance too much) or
          getting successors of a basic block.
        
        The current CFG simplifier can handle almost all of the cases that it
        ought to handle; the noteworthy one that is not yet handled is removing
        basic blocks that just have jumps. To do this right we need to be able
        to remove jump-only blocks that also perform keep-alive on some values.
        To make this work, we need to be able to hoist the keep-alive into (or
        just above) a Branch. This is not fundamentally difficult but I opted to
        let this patch omit this optimization. We can handle this later.
        
        This is a big win on programs that include inline functions that are
        often called with constant arguments. Of course, SunSpider, V8, and
        Kraken don't count. Those benchmarks are completely neutral with this
        change.

        * API/JSValueRef.cpp:
        (JSValueToBoolean):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::dfgOSREntryDataForBytecodeIndex):
        * bytecode/Operands.h:
        (JSC::Operands::setOperandFirstTime):
        (Operands):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::isClear):
        (JSC::DFG::AbstractValue::operator!=):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::validateIgnoringValue):
        (AbstractValue):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::child):
        (JSC::DFG::AdjacencyList::setChild):
        (AdjacencyList):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::~BasicBlock):
        (BasicBlock):
        (JSC::DFG::BasicBlock::numNodes):
        (JSC::DFG::BasicBlock::nodeIndex):
        (JSC::DFG::BasicBlock::isPhiIndex):
        (JSC::DFG::BasicBlock::isInPhis):
        (JSC::DFG::BasicBlock::isInBlock):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (DFG):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::performCFA):
        * dfg/DFGCFAPhase.h:
        (DFG):
        * dfg/DFGCFGSimplificationPhase.cpp: Added.
        (DFG):
        (CFGSimplificationPhase):
        (JSC::DFG::CFGSimplificationPhase::CFGSimplificationPhase):
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::killUnreachable):
        (JSC::DFG::CFGSimplificationPhase::findOperandSource):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
        (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
        (JSC::DFG::CFGSimplificationPhase::fixPhis):
        (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
        (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
        (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::OperandSubstitution):
        (OperandSubstitution):
        (JSC::DFG::CFGSimplificationPhase::OperandSubstitution::dump):
        (JSC::DFG::CFGSimplificationPhase::skipGetLocal):
        (JSC::DFG::CFGSimplificationPhase::fixTailOperand):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        (JSC::DFG::performCFGSimplification):
        * dfg/DFGCFGSimplificationPhase.h: Added.
        (DFG):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        (CSEPhase):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (JSC::DFG::performCSE):
        * dfg/DFGCSEPhase.h:
        (DFG):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::run):
        (JSC::DFG::performConstantFolding):
        * dfg/DFGConstantFoldingPhase.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGEdge.h:
        (Edge):
        (JSC::DFG::Edge::operator UnspecifiedBoolType*):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::performFixup):
        * dfg/DFGFixupPhase.h:
        (DFG):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::handleSuccessor):
        (DFG):
        (JSC::DFG::Graph::determineReachability):
        (JSC::DFG::Graph::resetReachability):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::changeIndex):
        (Graph):
        (JSC::DFG::Graph::changeEdge):
        (JSC::DFG::Graph::numSuccessors):
        (JSC::DFG::Graph::successor):
        (JSC::DFG::Graph::successorForCondition):
        (JSC::DFG::Graph::isPredictedNumerical):
        (JSC::DFG::Graph::byValIsPure):
        (JSC::DFG::Graph::clobbersWorld):
        (JSC::DFG::Graph::numChildren):
        (JSC::DFG::Graph::child):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::numSuccessors):
        (Node):
        (JSC::DFG::Node::successor):
        (JSC::DFG::Node::successorForCondition):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        (JSC::DFG::runPhase):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::performPredictionPropagation):
        * dfg/DFGPredictionPropagationPhase.h:
        (DFG):
        * dfg/DFGRedundantPhiEliminationPhase.cpp:
        (JSC::DFG::RedundantPhiEliminationPhase::run):
        (JSC::DFG::performRedundantPhiElimination):
        * dfg/DFGRedundantPhiEliminationPhase.h:
        (DFG):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        (ScoreBoard):
        (JSC::DFG::ScoreBoard::useIfHasResult):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::nextBlock):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::jump):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp: Added.
        (DFG):
        (Validate):
        (JSC::DFG::Validate::Validate):
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::reportValidationContext):
        (JSC::DFG::Validate::dumpData):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):
        (JSC::DFG::validate):
        * dfg/DFGValidate.h: Added.
        (DFG):
        (JSC::DFG::validate):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        (JSC::DFG::performVirtualRegisterAllocation):
        * dfg/DFGVirtualRegisterAllocationPhase.h:
        (DFG):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncSome):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBoolean):
        (JSC::callBooleanConstructor):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSObject.cpp:
        (JSC):
        * runtime/JSObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::toBoolean):
        * runtime/JSString.h:
        (JSString):
        (JSC::JSCell::toBoolean):
        (JSC::JSValue::toBoolean):
        * runtime/JSValue.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::toPropertyDescriptor):
        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorMultiline):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):

2012-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should have constant propagation
        https://bugs.webkit.org/show_bug.cgi?id=84004

        Reviewed by Gavin Barraclough.
        
        Merge r114554 from dfgopt.
        
        Changes AbstractValue to be able to hold a "set" of constants, where
        the maximum set size is 1 - so merging a value containing constant A
        with another value containing constant B where A != B will result in
        the AbstractValue claiming that it does not know any constants (i.e.
        it'll just have a predicted type and possible a structure).
        
        Added a constant folding phase that uses this new information to
        replace pure operations known to have constant results with
        JSConstants. This is OSR-exit-aware, in that it will prepend a Phantom
        that refers to all of the kids of the node we replaced.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::clear):
        (JSC::DFG::AbstractValue::isClear):
        (JSC::DFG::AbstractValue::makeTop):
        (JSC::DFG::AbstractValue::clobberValue):
        (AbstractValue):
        (JSC::DFG::AbstractValue::valueIsTop):
        (JSC::DFG::AbstractValue::value):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::operator==):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::validate):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::initialize):
        (AdjacencyList):
        (JSC::DFG::AdjacencyList::reset):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::constantCSE):
        (CSEPhase):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp: Added.
        (DFG):
        (ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::run):
        (JSC::DFG::performConstantFolding):
        * dfg/DFGConstantFoldingPhase.h: Added.
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.h:
        (Graph):
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToConstant):
        (Node):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/JSValue.h:
        (JSValue):

2012-05-18  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        Fix build for Qt by using ASSERT_UNUSED in DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=86902

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):

2012-04-16  Filip Pizlo  <fpizlo@apple.com>

        DFG should have out-of-line slow paths
        https://bugs.webkit.org/show_bug.cgi?id=83992

        Reviewed by Oliver Hunt.
        
        Merge of r114472 and r114553 from dfgopt.
        
        Introduces the notion of slow path code generation closures in the DFG.
        These are defined in DFGSlowPathGenerator.h, though they are fairly
        extensible so DFGSpeculativeJIT64.cpp and DFGSpeculativeJIT32_64.cpp
        define a couple special-purpose ones. A slow path generation closure
        (DFG::SlowPathGenerator) is executed after the main speculative path is
        generated. This makes them great for scheduling slow path code out of
        the way of the hot paths.
        
        This patch also converts most - but not all - of the DFG to use slow
        path generators instead of inline slow paths.
        
        The result is a sub-1% improvement on SunSpider and V8, and a miniscule
        regression on Kraken.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        (TrustedImmPtr):
        (JSC::AbstractMacroAssembler::TrustedImm32::TrustedImm32):
        (TrustedImm32):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGCommon.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (DFG):
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (PropertyAccessRecord):
        (JITCompiler):
        * dfg/DFGSilentRegisterSavePlan.h: Added.
        (DFG):
        (SilentRegisterSavePlan):
        (JSC::DFG::SilentRegisterSavePlan::SilentRegisterSavePlan):
        (JSC::DFG::SilentRegisterSavePlan::spillAction):
        (JSC::DFG::SilentRegisterSavePlan::fillAction):
        (JSC::DFG::SilentRegisterSavePlan::nodeIndex):
        (JSC::DFG::SilentRegisterSavePlan::gpr):
        (JSC::DFG::SilentRegisterSavePlan::fpr):
        * dfg/DFGSlowPathGenerator.h: Added.
        (DFG):
        (SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::~SlowPathGenerator):
        (JSC::DFG::SlowPathGenerator::generate):
        (JSC::DFG::SlowPathGenerator::label):
        (JSC::DFG::SlowPathGenerator::call):
        (JumpingSlowPathGenerator):
        (JSC::DFG::JumpingSlowPathGenerator::JumpingSlowPathGenerator):
        (JSC::DFG::JumpingSlowPathGenerator::linkFrom):
        (JSC::DFG::JumpingSlowPathGenerator::jumpTo):
        (CallSlowPathGenerator):
        (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
        (JSC::DFG::CallSlowPathGenerator::call):
        (JSC::DFG::CallSlowPathGenerator::setUp):
        (JSC::DFG::CallSlowPathGenerator::recordCall):
        (JSC::DFG::CallSlowPathGenerator::tearDown):
        (CallResultAndNoArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::CallResultAndNoArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::generateInternal):
        (CallResultAndOneArgumentSlowPathGenerator):
        (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::CallResultAndOneArgumentSlowPathGenerator):
        (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::generateInternal):
        (CallResultAndTwoArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::CallResultAndTwoArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::generateInternal):
        (CallResultAndThreeArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::CallResultAndThreeArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::generateInternal):
        (CallResultAndFourArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::CallResultAndFourArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::generateInternal):
        (CallResultAndFiveArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::CallResultAndFiveArgumentsSlowPathGenerator):
        (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::generateInternal):
        (JSC::DFG::slowPathCall):
        (AssigningSlowPathGenerator):
        (JSC::DFG::AssigningSlowPathGenerator::AssigningSlowPathGenerator):
        (JSC::DFG::AssigningSlowPathGenerator::generateInternal):
        (JSC::DFG::slowPathMove):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (DFG):
        (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (DFG):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
        (JSC::DFG::SpeculativeJIT::silentSpill):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
        (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
        (JSC::DFG::SpeculativeJIT::pickCanTrample):
        (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (ValueToNumberSlowPathGenerator):
        (JSC::DFG::ValueToNumberSlowPathGenerator::ValueToNumberSlowPathGenerator):
        (JSC::DFG::ValueToNumberSlowPathGenerator::generateInternal):
        (DFG):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (ValueToNumberSlowPathGenerator):
        (JSC::DFG::ValueToNumberSlowPathGenerator::ValueToNumberSlowPathGenerator):
        (JSC::DFG::ValueToNumberSlowPathGenerator::generateInternal):
        (DFG):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::generateInternal):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):

2012-05-18  Tony Chang  <tony@chromium.org>

        remove the CSS_GRID_LAYOUT compiler define, but default grid layout to off
        https://bugs.webkit.org/show_bug.cgi?id=86767

        Reviewed by Ojan Vafai.

        * Configurations/FeatureDefines.xcconfig: Remove ENABLE_CSS_GRID_LAYOUT.

2012-05-17  Filip Pizlo  <fpizlo@apple.com>

        Setting array index -1 and looping over array causes bad behavior
        https://bugs.webkit.org/show_bug.cgi?id=86733
        <rdar://problem/11477670>

        Reviewed by Oliver Hunt.

        * dfg/DFGOperations.cpp:

2012-05-17  Geoffrey Garen  <ggaren@apple.com>

        Not reviewed.

        Rolled out r117495 because it caused som out of memory crashes.

        * heap/Heap.cpp:
        (JSC::Heap::collect):

2012-05-17  Geoffrey Garen  <ggaren@apple.com>

        Refactored the Heap to move more MarkedSpace logic into MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=86790

        Reviewed by Gavin Barraclough.

        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::markRoots):
        (JSC):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap): Took all the functors from here...

        * heap/MarkedBlock.h:
        (CountFunctor):
        (JSC::MarkedBlock::CountFunctor::CountFunctor):
        (JSC::MarkedBlock::CountFunctor::count):
        (JSC::MarkedBlock::CountFunctor::returnValue):
        (MarkedBlock):
        * heap/MarkedSpace.h:
        (JSC::ClearMarks::operator()):
        (JSC):
        (JSC::Sweep::operator()):
        (JSC::MarkCount::operator()):
        (JSC::Size::operator()):
        (JSC::Capacity::operator()):
        (MarkedSpace):
        (JSC::MarkedSpace::clearMarks):
        (JSC::MarkedSpace::sweep):
        (JSC::MarkedSpace::objectCount):
        (JSC::MarkedSpace::size):
        (JSC::MarkedSpace::capacity): and put them here.

2012-05-17  Geoffrey Garen  <ggaren@apple.com>

        Increase the GC allocation trigger
        https://bugs.webkit.org/show_bug.cgi?id=86699

        Reviewed by Sam Weinig.

        This helps a lot when the heap is growing, and helps to resolve
        the regression caused by r116484.

        * heap/Heap.cpp:
        (JSC::Heap::collect):

2012-05-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC in the middle of JSObject::allocatePropertyStorage can cause badness
        https://bugs.webkit.org/show_bug.cgi?id=83839

        Reviewed by Geoff Garen.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jit/JITStubs.cpp: Making changes to use the new return value of growPropertyStorage.
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::growPropertyStorage): Renamed to more accurately reflect that we're 
        growing our already-existing PropertyStorage.
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::setPropertyStorage): "Atomically" sets the new property storage 
        and the new structure so that we can be sure a GC never occurs when our Structure
        info is out of sync with our PropertyStorage.
        (JSC):
        (JSC::JSObject::putDirectInternal): Moved the check to see if we should 
        allocate more backing store before the actual property insertion into 
        the structure.
        (JSC::JSObject::putDirectWithoutTransition): Ditto.
        (JSC::JSObject::transitionTo): Ditto.
        * runtime/Structure.cpp:
        (JSC::Structure::suggestedNewPropertyStorageSize): Added to keep the resize policy 
        for property backing stores contained within the Structure class.
        (JSC):
        * runtime/Structure.h:
        (JSC::Structure::shouldGrowPropertyStorage): Lets clients know if another insertion 
        into the Structure would require resizing the property backing store so that they can 
        preallocate the required storage.
        (Structure):

2012-05-16  Geoffrey Garen  <ggaren@apple.com>

        GC is not thread-safe when moving values between C stacks
        https://bugs.webkit.org/show_bug.cgi?id=86672

        Reviewed by Phil Pizlo.

        GC pauses thread A while marking thread A, and then B while marking B,
        which isn't safe against A and B moving values between each others'
        stacks.

        This is a theoretical bug -- I haven't been able to reproduce it
        in the wild.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromOtherThread):
        (JSC::MachineThreads::gatherConservativeRoots): Pause all C stacks for the
        duration of stack marking, to avoid missing values that might be moving
        between C stacks.

2012-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Block freeing thread should not free blocks when we are actively requesting them
        https://bugs.webkit.org/show_bug.cgi?id=86519

        Reviewed by Geoff Garen.

        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::allocate): Reordering the setting of the flag so its done 
        while we hold the lock to ensure proper locking.

2012-05-15  Filip Pizlo  <fpizlo@apple.com>

        shrinkToFit() is often not called for Vectors in CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=86436

        Reviewed by Oliver Hunt.
        
        The vectors in CodeBlock are often appended to during various stages of
        compilation, but we neglect to shrink them after compilation finishes. This
        patch takes the most brutal possible approach: shrink all the vectors after
        the bytecompile phase, and then shrink them again after the appropriate
        JITing phase. The two shrinks are necessary because the JIT may append more
        stuff, but may also generate code that directly references things in other
        vectors; hence some can only be shrunk before JIT and some after. Also,
        we may allow a CodeBlock to sit around for a long time - possibly forever -
        before invoking the JIT, hence it makes sense to have two shrinks.
        
        This is performance neutral on the major benchmarks we track.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::appendWeakReferenceTransition):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2012-05-15  Oliver Hunt  <oliver@apple.com>

        Make error information available even if all we have is line number information.
        https://bugs.webkit.org/show_bug.cgi?id=86547

        Reviewed by Filip Pizlo.

        We don't need expression information to generate useful line, file, and stack information,
        so only require that we have line number info available.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * runtime/Executable.h:
        (JSC):

2012-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Block freeing thread should not free blocks when we are actively requesting them
        https://bugs.webkit.org/show_bug.cgi?id=86519

        Reviewed by Geoffrey Garen.

        The block freeing thread shoots us in the foot if it decides to run while we're actively 
        requesting blocks and returning them. This situation can arise when there is a lot of copying 
        collection going on in steady state. We allocate a large swath of pages to copy into, then we 
        return all the newly free old pages to the BlockAllocator. In this state, if the block freeing 
        thread wakes up in between collections (which is more likely than it waking up during a 
        collection) and frees half of these pages, they will be needed almost immediately during the 
        next collection, causing a storm of VM allocations which we know are going to be very slow.

        What we'd like is for when things have quieted down the block freeing thread can then return 
        memory to the OS. Usually this will be when a page has fully loaded and has a low allocation 
        rate. In this situation, our opportunistic collections will only be running at least every few 
        seconds, thus the extra time spent doing VM allocations won't matter nearly as much as, say, 
        while a page is loading.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator): Initialize our new field.
        (JSC::BlockAllocator::blockFreeingThreadMain): We check if we've seen any block requests recently.
        If so, reset our flag and go back to sleep. We also don't bother with locking here. If we miss out 
        on an update, we'll see it when we wake up again.
        * heap/BlockAllocator.h: Add new field to track whether or not we've received recent block requests.
        (BlockAllocator):
        (JSC::BlockAllocator::allocate): If we receive a request for a block, set our field that tracks 
        that to true. We don't bother locking since we assume that writing to a bool is atomic.

2012-05-14  Luke Macpherson  <macpherson@chromium.org>

        Introduce ENABLE_CSS_VARIABLES compile flag.
        https://bugs.webkit.org/show_bug.cgi?id=86338

        Reviewed by Dimitri Glazkov.

        Add a configuration option for CSS Variables support, disabling it by default.

        * Configurations/FeatureDefines.xcconfig:

2012-05-14  Gavin Barraclough  <barraclough@apple.com>

        Cannot login to iCloud
        https://bugs.webkit.org/show_bug.cgi?id=86321

        Reviewed by Filip Pizlo.

        This is a bug introduced by bug#85853, we shouldn't allow assignment to
        the prototype property of functions to be cached, since we need to clear
        the cached inheritorID.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):

2012-05-14  Michael Saboff  <msaboff@apple.com>

        Enh: Add the Ability to Disable / Enable JavaScript GC Timer
        https://bugs.webkit.org/show_bug.cgi?id=86382

        Reviewed by Darin Adler.

        Add flag to GCActivityCallback to enable / disable activity timer.
        Add api via Heap to set the flag's value.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Windows export
        * heap/Heap.cpp:
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        * heap/Heap.h:
        * runtime/GCActivityCallback.h:
        (JSC::GCActivityCallback::isEnabled):
        (JSC::GCActivityCallback::setEnabled):
        (JSC::GCActivityCallback::GCActivityCallback):
        * runtime/GCActivityCallbackCF.cpp:
        (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire):

2012-05-14  Michael Saboff  <msaboff@apple.com>

        Increase Debug Logging in MarkStack::validate()
        https://bugs.webkit.org/show_bug.cgi?id=86408

        Rubber-stamped by Filip Pizlo.

        Added some descriptive debug messages for the conditions and
        values when a cell validation fails.

        * heap/MarkStack.cpp:
        (JSC::MarkStack::validate):

2012-05-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header file.

2012-05-14  Yong Li  <yoli@rim.com>

        DFG JIT didn't work with ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=84449

        Reviewed by Filip Pizlo.

        Add a 32-bit dummy argument for some callOperation()
        methods to make it work for ARM EABI.

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (CCallHelpers):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::callOperation):

2012-05-13  Gavin Barraclough  <barraclough@apple.com>

        Introduce PropertyName class
        https://bugs.webkit.org/show_bug.cgi?id=86241

        Reviewed by Darin Adler.

        This patch introduced a couple of small bugs.

        * runtime/PropertyName.h:
        (JSC::toUInt32FromCharacters):
            - Returning wrong value for "" - should not convert to 0.
        (JSC::PropertyName::PropertyName):
            - Remove the ASSERT, it was a little too aspirational.

2012-05-13  Filip Pizlo  <fpizlo@apple.com>

        DFG performs incorrect constant folding on double-to-uint32 conversion in
        Uint32Array PutByVal
        https://bugs.webkit.org/show_bug.cgi?id=86330

        Reviewed by Darin Adler.
        
        static_cast<int>(d) is wrong, since JS semantics require us to use toInt32(d).
        In particular, C++ casts on typical hardware (like x86 and similar) will
        return 0x80000000 for double values that are out of range of the int32 domain
        (i.e. less than -2^31 or greater than or equal to 2^31). But JS semantics call
        for wrap-around; for example the double value 4294967297 ought to become the
        int32 value 1, not 0x80000000.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

2012-05-11  Gavin Barraclough  <barraclough@apple.com>

        Introduce PropertyName class
        https://bugs.webkit.org/show_bug.cgi?id=86241

        Reviewed by Geoff Garen.

        Replace 'const Identifier&' arguments to functions accessing object properties with a new 'PropertyName' type.
        This change paves the way to allow for properties keyed by values that are not Identifiers.

        This change is largely a mechanical find & replace.
        It also changes JSFunction's constructor to take a UString& instead of an Identifier&
        (since in some cases we can no longer guarantee that we'lll have an Identifier), and
        unifies Identifier's methods to obtain array indices onto PropertyName.

        The new PropertyName class retains the ability to support .impl() and .ustring(), but
        in a future patch we may need to rework this, since not all PropertyNames should be
        equal based on their string representation.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
        (JSC::JSCallbackFunction::create):
        * API/JSCallbackObject.h:
        (JSCallbackObject):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::deleteProperty):
        (JSC::::getStaticValue):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunctionWithCallback):
        * JSCTypedArrayStubs.h:
        (JSC):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertySlot):
        (JSC::DebuggerActivation::put):
        (JSC::DebuggerActivation::putDirectVirtual):
        (JSC::DebuggerActivation::deleteProperty):
        (JSC::DebuggerActivation::getOwnPropertyDescriptor):
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        (DebuggerActivation):
        * jsc.cpp:
        (GlobalObject::addFunction):
        (GlobalObject::addConstructableFunction):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::getOwnPropertyDescriptor):
        (JSC::Arguments::put):
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        * runtime/Arguments.h:
        (Arguments):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        (JSC::ArrayConstructor::getOwnPropertySlot):
        (JSC::ArrayConstructor::getOwnPropertyDescriptor):
        * runtime/ArrayConstructor.h:
        (ArrayConstructor):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        (JSC::ArrayPrototype::getOwnPropertyDescriptor):
        (JSC::putProperty):
        * runtime/ArrayPrototype.h:
        (ArrayPrototype):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        (JSC::BooleanPrototype::getOwnPropertyDescriptor):
        * runtime/BooleanPrototype.h:
        (BooleanPrototype):
        * runtime/ClassInfo.h:
        (MethodTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        (JSC::DateConstructor::getOwnPropertySlot):
        (JSC::DateConstructor::getOwnPropertyDescriptor):
        * runtime/DateConstructor.h:
        (DateConstructor):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        (JSC::DatePrototype::getOwnPropertyDescriptor):
        * runtime/DatePrototype.h:
        (DatePrototype):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::create):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        (JSC::ErrorPrototype::getOwnPropertyDescriptor):
        * runtime/ErrorPrototype.h:
        (ErrorPrototype):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::finishCreation):
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        (FunctionPrototype):
        * runtime/Identifier.cpp:
        (JSC):
        * runtime/Identifier.h:
        (Identifier):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        (InternalFunction):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        (JSC::JSActivation::getOwnPropertySlot):
        (JSC::JSActivation::put):
        (JSC::JSActivation::putDirectVirtual):
        (JSC::JSActivation::deleteProperty):
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSActivation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::getOwnPropertySlot):
        (JSC::JSArray::getOwnPropertyDescriptor):
        (JSC::JSArray::put):
        (JSC::JSArray::deleteProperty):
        * runtime/JSArray.h:
        (JSArray):
        (JSC):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSBoundFunction.h:
        (JSBoundFunction):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertySlot):
        (JSC::JSCell::put):
        (JSC::JSCell::deleteProperty):
        (JSC::JSCell::putDirectVirtual):
        (JSC::JSCell::defineOwnProperty):
        (JSC::JSCell::getOwnPropertyDescriptor):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::getCalculatedDisplayName):
        * runtime/JSFunction.h:
        (JSFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        (JSC::JSGlobalObject::putDirectVirtual):
        (JSC::JSGlobalObject::defineOwnProperty):
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::createThrowTypeError):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::getOwnPropertyDescriptor):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::hasOwnPropertyForWrite):
        (JSC::JSGlobalObject::symbolTableHasProperty):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertySlot):
        (JSC::JSNotAnObject::getOwnPropertyDescriptor):
        (JSC::JSNotAnObject::put):
        (JSC::JSNotAnObject::deleteProperty):
        * runtime/JSNotAnObject.h:
        (JSNotAnObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        (JSC::JSONObject::getOwnPropertyDescriptor):
        * runtime/JSONObject.h:
        (JSONObject):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectVirtual):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::hasOwnProperty):
        (JSC::callDefaultValueFunction):
        (JSC::JSObject::findPropertyHashEntry):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::JSObject::getPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectLocation):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSCell::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::get):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSValue::get):
        (JSC::JSValue::put):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::put):
        (JSC::JSStaticScopeObject::putDirectVirtual):
        (JSC::JSStaticScopeObject::getOwnPropertySlot):
        * runtime/JSStaticScopeObject.h:
        (JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
        (JSC::JSString::getStringPropertyDescriptor):
        * runtime/JSString.h:
        (JSString):
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSValue.h:
        (JSC):
        (JSValue):
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::deleteProperty):
        (JSC::JSVariableObject::symbolTableGet):
        (JSC::JSVariableObject::putDirectVirtual):
        * runtime/JSVariableObject.h:
        (JSVariableObject):
        (JSC::JSVariableObject::symbolTableGet):
        (JSC::JSVariableObject::symbolTablePut):
        (JSC::JSVariableObject::symbolTablePutWithAttributes):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashTable::entry):
        (JSC):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticFunctionDescriptor):
        (JSC::getStaticValueSlot):
        (JSC::getStaticValueDescriptor):
        (JSC::lookupPut):
        * runtime/MathObject.cpp:
        (JSC::MathObject::getOwnPropertySlot):
        (JSC::MathObject::getOwnPropertyDescriptor):
        * runtime/MathObject.h:
        (MathObject):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC):
        (JSC::NumberConstructor::finishCreation):
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::getOwnPropertyDescriptor):
        (JSC::NumberConstructor::put):
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/NumberConstructor.h:
        (NumberConstructor):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        (JSC::NumberPrototype::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.h:
        (NumberPrototype):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        (JSC::ObjectConstructor::getOwnPropertySlot):
        (JSC::ObjectConstructor::getOwnPropertyDescriptor):
        * runtime/ObjectConstructor.h:
        (ObjectConstructor):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::put):
        (JSC::ObjectPrototype::defineOwnProperty):
        (JSC::ObjectPrototype::getOwnPropertySlot):
        (JSC::ObjectPrototype::getOwnPropertyDescriptor):
        * runtime/ObjectPrototype.h:
        (ObjectPrototype):
        * runtime/PropertySlot.h:
        (PropertySlot):
        (JSC::PropertySlot::getValue):
        * runtime/RegExpConstructor.cpp:
        (JSC):
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpConstructor::getOwnPropertySlot):
        (JSC::RegExpConstructor::getOwnPropertyDescriptor):
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        (JSC::RegExpConstructor::put):
        * runtime/RegExpConstructor.h:
        (RegExpConstructor):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
        (JSC::RegExpMatchesArray::put):
        (JSC::RegExpMatchesArray::deleteProperty):
        (JSC::RegExpMatchesArray::defineOwnProperty):
        * runtime/RegExpObject.cpp:
        (JSC):
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::getOwnPropertyDescriptor):
        (JSC::RegExpObject::deleteProperty):
        (JSC::RegExpObject::defineOwnProperty):
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):
        (JSC::RegExpObject::put):
        * runtime/RegExpObject.h:
        (RegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        (JSC::RegExpPrototype::getOwnPropertyDescriptor):
        * runtime/RegExpPrototype.h:
        (RegExpPrototype):
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::deleteProperty):
        * runtime/StrictEvalActivation.h:
        (StrictEvalActivation):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        (JSC::StringConstructor::getOwnPropertySlot):
        (JSC::StringConstructor::getOwnPropertyDescriptor):
        * runtime/StringConstructor.h:
        (StringConstructor):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertySlot):
        (JSC::StringObject::getOwnPropertyDescriptor):
        (JSC::StringObject::put):
        (JSC::StringObject::defineOwnProperty):
        (JSC::StringObject::deleteProperty):
        * runtime/StringObject.h:
        (StringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::getOwnPropertySlot):
        (JSC::StringPrototype::getOwnPropertyDescriptor):
        * runtime/StringPrototype.h:
        (StringPrototype):
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::get):

2012-05-11  Michael Saboff  <msaboff@apple.com>

        Rolling out r116659.

        Causes ASSERT failures on bots.

        Rubber stamped by Geoff Garen.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        (JSC::MarkStackThreadSharedData::markingThreadStartFunc):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::MarkStackThreadSharedData::reset):
        (JSC::MarkStack::reset):
        (JSC):
        (JSC::SlotVisitor::copyAndAppend):
        * heap/MarkStack.h:
        (MarkStackThreadSharedData):
        (MarkStack):
        * runtime/JSString.h:
        (JSString):
        (JSC::JSString::finishCreation):
        (JSC::JSString::is8Bit):
        (JSC::JSRopeString::finishCreation):

2012-05-11  Oliver Hunt  <oliver@apple.com>

        Appease thread verifier when dealing with the JSC API's shared VM
        https://bugs.webkit.org/show_bug.cgi?id=86268

        Reviewed by Geoffrey Garen.

        If we're the shared VM, just disable the verifier.  This makes debug builds
        livable against non-webkit clients.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2012-05-11  Filip Pizlo  <fpizlo@apple.com>

        JIT memory allocator is not returning memory to the OS on Darwin
        https://bugs.webkit.org/show_bug.cgi?id=86047

        Reviewed by Geoff Garen.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):

2012-05-11  Geoffrey Garen  <ggaren@apple.com>

        Clarified JSGlobalData (JavaScript VM) lifetime
        https://bugs.webkit.org/show_bug.cgi?id=85142

        Reviewed by Alexey Proskuryakov.

        (Follow-up fix.)

        * API/JSContextRef.cpp:
        (JSGlobalContextCreate): Restored some code I removed because I misread an #ifdef.
        (We don't need to test BUILDING_ON_LEOPARD, but we still need the linked-on
        test, because apps might have been linked on older OS's.)

2012-05-11  Sam Weinig  <sam@webkit.org>

        Fix crash seen when running with libgmalloc
        <rdar://problem/11435411>
        https://bugs.webkit.org/show_bug.cgi?id=86232

        Reviewed by Gavin Barraclough.

        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        Don't delete the SlotVisitor before the ParallelModeEnabler has had a chance to run its
        destructor.

2012-05-10  Gavin Barraclough  <barraclough@apple.com>

        Remove op_get_callee

        Rubber stamped by Geoff Garen.
        
        This is now redundant.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC):
        * jit/JITOpcodes32_64.cpp:
        (JSC):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-05-10  Gavin Barraclough  <barraclough@apple.com>

        Cache inheritorID on JSFunction
        https://bugs.webkit.org/show_bug.cgi?id=85853

        Reviewed by Geoff Garen & Filip Pizlo.

        An object's prototype is indicated via its structure.  To create an otherwise
        empty object with object A as its prototype, we require a structure with its
        prototype set to point to A.  We wish to use this same structure for all empty
        objects created with a prototype of A, so we presently store this structure as
        a property of A, known as the inheritorID.

        When a function F is invoked as a constructor, where F has a property 'prototype'
        set to point to A, in order to create the 'this' value for the constructor to
        use the following steps are taken:
          - the 'prototype' proptery of F is read, via a regular [[Get]] access.
          - the inheritorID internal property of the prototype is read.
          - a new, empty object is constructed with its structure set to point to inheritorID.

        There are two drawbacks to the current approach:
          - it requires that every object has an inheritorID field.
          - it requires a [[Get]] access on every constructor call to access the 'prototype' property.

        Instead, switch to caching a copy of the inheritorID on the function.  Constructor
        calls now only need read the internal property from the callee, saving a [[Get]].
        This also means that JSObject::m_inheritorID is no longer commonly read, and in a
        future patch we can move to storing this in a more memory efficient fashion.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::cacheInheritorID):
        (JSC):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        (JSC::JSFunction::cachedInheritorID):
        (JSFunction):
        (JSC::JSFunction::offsetOfCachedInheritorID):

2012-05-10  Michael Saboff  <msaboff@apple.com>

        Enh: Hash Const JSString in Backing Stores to Save Memory
        https://bugs.webkit.org/show_bug.cgi?id=86024

        Reviewed by Filip Pizlo.

        During garbage collection, each marking thread keeps a HashMap of
        strings.  While visiting via MarkStack::copyAndAppend(), we check to
        see if the string we are visiting is already in the HashMap.  If not
        we add it.  If so, we change the reference to the current string we're
        visiting to the prior string.

        To somewhat reduce the performance impact of this change, if a string
        is unique at the end of a marking it will not be checked during further
        GC phases.  In some cases this won't catch all duplicates, but we are
        trying to catch the growth of duplicate strings.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::resetChildren): New method called by the 
        main thread to reset the slave threads.  This is primarily done to
        clear the m_uniqueStrings HashMap.
        (JSC):
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        (JSC::MarkStackThreadSharedData::markingThreadStartFunc):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::MarkStackThreadSharedData::reset):
        (JSC::MarkStack::reset): Added call to clear m_uniqueStrings.
        (JSC::MarkStack::internalAppend): New method that performs the hash consting.
        (JSC::SlotVisitor::copyAndAppend): Changed to call the new hash consting
        internalAppend()
        * heap/MarkStack.h:
        (MarkStackThreadSharedData):
        (MarkStack):
        (JSC::MarkStack::sharedData):
        * runtime/JSString.h:
        (JSString): Added m_isHashConstSingleton flag, accessors for the flag and
        code to initialize the flag.
        (JSC::JSString::finishCreation):
        (JSC::JSString::isHashConstSingleton):
        (JSC::JSString::clearHashConstSingleton):
        (JSC::JSString::setHashConstSingleton):
        (JSC::JSRopeString::finishCreation):

2012-05-09  Filip Pizlo  <fpizlo@apple.com>

        JIT memory allocator is not returning memory to the OS on Darwin
        https://bugs.webkit.org/show_bug.cgi?id=86047
        <rdar://problem/11414948>

        Reviewed by Geoff Garen.
        
        Work around the problem by using a different madvise() flag, but only for the JIT memory
        allocator. Also put in ASSERTs that the call is actually working.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::notifyNeedPage):
        (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):

2012-05-09  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to get useful debug logging from the JIT memory allocator
        https://bugs.webkit.org/show_bug.cgi?id=86042

        Reviewed by Geoff Garen.

        * jit/ExecutableAllocator.h:

2012-05-09  Gavin Barraclough  <barraclough@apple.com>

        GC race condition in OpaqueJSClass::prototype
        https://bugs.webkit.org/show_bug.cgi?id=86034

        Build fix.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
            - Eeeep, landed bad version of patch!

2012-05-09  Gavin Barraclough  <barraclough@apple.com>

        GC race condition in OpaqueJSClass::prototype
        https://bugs.webkit.org/show_bug.cgi?id=86034

        Reviewed by Filip Pizlo.

        The bug here is basically:
            if (weakref) weakref->method()
        where a GC may occur between the if & the method call.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):

2012-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        CopiedSpace does not add pinned blocks back to the to-space filter
        https://bugs.webkit.org/show_bug.cgi?id=86011

        Reviewed by Geoffrey Garen.

        After a collection has finished, we go through the blocks in from-space 
        and move any of them that are pinned into to-space. At the beginning of 
        collection, we reset the to-space block filter that is used during 
        conservative scanning and add back the blocks that are filled during the 
        collection. However, we neglect to add back those blocks that are moved 
        from from-space to to-space, which can cause the conservative scan to 
        think that some pinned items are not actually in CopiedSpace.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneCopying): Add the pinned blocks back to the 
        to-space filter. Also added a comment and assert for future readers that 
        indicates that it's okay that we don't also add the block to the 
        to-space block set since it was never removed.


2012-05-09  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Use independent version numbers for public libraries
        https://bugs.webkit.org/show_bug.cgi?id=85984

        Reviewed by Gustavo Noronha Silva.

        * GNUmakefile.am: Use LIBJAVASCRIPTCOREGTK_VERSION for library
        version.

2012-05-09  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Do not install JavaScriptCore platform-specific headers
        https://bugs.webkit.org/show_bug.cgi?id=85983

        Reviewed by Gustavo Noronha Silva.

        JavaScriptCore.h includes JSStringRefCF.h unconditionally. It was
        renamed to JavaScript.h in r29234 and it still exists for
        compatibility with mac and windows users.

        * GNUmakefile.list.am: Remove JavaScriptCore.h, JSStringRefCF.h
        and JSStringRefBSTR.h from the sources and headers list.

2012-05-08  Gavin Barraclough  <barraclough@apple.com>

        ROLLING OUT r114255
        
        GC in the middle of JSObject::allocatePropertyStorage can cause badness
        https://bugs.webkit.org/show_bug.cgi?id=83839

        Reviewed by nobody.

        This breaks the world, with COLLECT_ON_EVERY_ALLOCATION enabled.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::isUsingInlineStorage):
        (JSC):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::transitionTo):
        * runtime/Structure.cpp:
        (JSC):
        * runtime/Structure.h:
        (JSC::Structure::didTransition):

2012-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap should not continually allocate new pages in steady state
        https://bugs.webkit.org/show_bug.cgi?id=85936

        Reviewed by Geoff Garen.

        Currently, in steady state (i.e. a constant amount of live GC 
        memory with a constant rate of allocation) assuming we've just 
        finished a collection with X live blocks in CopiedSpace, we 
        increase our working set by X blocks in CopiedSpace with each 
        collection we perform. This is due to the fact that we allocate 
        until we run out of free blocks to use in the Heap before we 
        consider whether we should run a collection. 

        In the longer term, this issue will be mostly resolved by 
        implementing quick release for the CopiedSpace. In the shorter 
        term, we should change our policy to check whether we should 
        allocate before trying to use a free block from the Heap. We 
        can change our policy to something more appropriate once we 
        have implemented quick release.

        This change should also have the convenient side effect of 
        reducing the variance in GC-heavy tests (e.g. v8-splay) due 
        to fact that we are doing less VM allocation during copying 
        collection. Overall, this patch is performance neutral across 
        the benchmarks we track.

        * heap/CopiedSpace.cpp: 
        (JSC::CopiedSpace::getFreshBlock): Shuffle the request from the BlockAllocator
        around so that we only do it if the block request must succeed 
        i.e. after we've already checked whether we should do a collection.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase): Ditto.
        (JSC::MarkedAllocator::allocateBlock): We no longer have a failure mode in this 
        function because by the time we've called it, we've already checked whether we 
        should run a collection so there's no point in returning null.
        * heap/MarkedAllocator.h: Removing old arguments from function declaration.
        (MarkedAllocator):

2012-05-08  Gavin Barraclough  <barraclough@apple.com>

        SIGFPE on divide in classic interpreter
        https://bugs.webkit.org/show_bug.cgi?id=85917

        Rubber stamped by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
            - check for divisor of -1.

2012-05-07  Oliver Hunt  <oliver@apple.com>

        Rolling out r110287

        RS=Filip Pizlo

        r110287 was meant to be refactoring only, but changed behavior
        enough to break some websites, including qq.com.

2012-05-07  Andy Estes  <aestes@apple.com>

        ENABLE_IFRAME_SEAMLESS should be part of FEATURE_DEFINES.

        * Configurations/FeatureDefines.xcconfig:

2012-05-07  Oliver Hunt  <oliver@apple.com>

        Fix release build.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2012-05-07  Oliver Hunt  <oliver@apple.com>

        LLInt doesn't check for Ropes when performing a character switch
        https://bugs.webkit.org/show_bug.cgi?id=85837

        Reviewed by Filip Pizlo.

        Make LLint check if the scrutinee of a char switch is a rope, and if
        so fall back to a slow case.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (LLInt):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-05-07  Eric Seidel  <eric@webkit.org>

        Add ENABLE_IFRAME_SEAMLESS so Apple can turn off SEAMLESS if needed
        https://bugs.webkit.org/show_bug.cgi?id=85822

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:

2012-05-05  Gavin Barraclough  <barraclough@apple.com>

        Remove TrustedImm32::m_isPointer
        https://bugs.webkit.org/show_bug.cgi?id=85726

        Rubber stamped by Sam Weinig.

        We used to rely on being able to generate code with known, fixed offsets – to do so we
        would inhibit more optimal code generation for pointers. This is no longer necessary.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImm32::TrustedImm32):
        (TrustedImm32):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::move):
        (JSC::MacroAssemblerARM::branch32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::move):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (JSC::MacroAssemblerMIPS::and32):
        (JSC::MacroAssemblerMIPS::mul32):
        (JSC::MacroAssemblerMIPS::or32):
        (JSC::MacroAssemblerMIPS::sub32):
        (JSC::MacroAssemblerMIPS::store32):
        (JSC::MacroAssemblerMIPS::move):

2012-05-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should not Flush GetLocal's
        https://bugs.webkit.org/show_bug.cgi?id=85663
        <rdar://problem/11373600>

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushArgument):
        (JSC::DFG::ByteCodeParser::handleCall):

2012-05-04  Allan Sandfeld Jensen  <allan.jensen@nokia.com>

        Doesn't build with ENABLE_JIT=0 
        https://bugs.webkit.org/show_bug.cgi?id=85042

        Reviewed by Gavin Barraclough.

        * bytecode/Operands.h:

2012-05-03  Oliver Hunt  <oliver@apple.com>

        Regression(r114702): Clobbering the caller frame register before we've stored it.
        https://bugs.webkit.org/show_bug.cgi?id=85564

        Reviewed by Filip Pizlo.

        Don't use t0 as a temporary, when we're about to use the value in t0.

        * llint/LowLevelInterpreter32_64.asm:

2012-05-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Removing remainder of accidental printfs.

        * heap/Heap.cpp:
        (JSC::Heap::collect):

2012-05-03  Andy Estes  <aestes@apple.com>

        If you add printf()s to your garbage collector, the layout tests are gonna have a bad time.

        * runtime/GCActivityCallbackCF.cpp:
        (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire):

2012-05-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::reportAbandonedObjectGraph should not hasten an allocation-triggered collection
        https://bugs.webkit.org/show_bug.cgi?id=85543

        Reviewed by Filip Pizlo.

        Currently reportAbandonedObjectGraph causes the Heap to think it is closer to its 
        allocation limit for the current cycle, thus hastening an allocation-triggered collection. 
        In reality, it should just affect the opportunistic GC timer. We should track the bytes 
        we think have been abandoned and the bytes that have been allocated separately.

        * heap/Heap.cpp: Added a new field m_abandonedBytes to Heap to keep track of how much 
        we think we've abandoned.
        (JSC::Heap::Heap): 
        (JSC::Heap::reportAbandonedObjectGraph): 
        (JSC):
        (JSC::Heap::didAbandon): Added this function for reportAbandonedObjectGraph to call 
        rather than didAllocate. Works the same as didAllocate, but modifies bytes abandoned rather 
        than bytes allocated. Also notifies the timer, summing the two values together.
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate): Now adds the bytes allocated and bytes abandoned when reporting 
        to GCActivityCallback.
        * heap/Heap.h:
        (Heap):

2012-05-02  Eric Seidel  <eric@webkit.org>

        Sort ENABLE_ defines in FeatureDefines.xcconfig files to make them easier to compare with one another (and easier to autogenerate)
        https://bugs.webkit.org/show_bug.cgi?id=85433

        Reviewed by Adam Barth.

        I have a script which can autogenerate these xcconfig files as well as the
        vsprops files (and soon the Chromium, cmake, gnumake and qmake) feature lists
        from a central feature list file.
        In preparation for posting such a tool, I'm re-sorting these xcconfig files to be
        alphabetically ordered (currently they're close, but not quite).
        There is also at least one inconsistency between these files (CSS_LEGACY_PREFIXES) which
        I will fix in a second pass.  I will also sort the FEATURE_DEFINES = line in a follow-up patch.

        * Configurations/FeatureDefines.xcconfig:

2012-05-02  Hojong Han  <hojong.han@samsung.com>

        ARM_TRADITIONAL build fix
        https://bugs.webkit.org/show_bug.cgi?id=85358

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::lshift32):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::branchSub32):

2012-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Opportunistic GC should give up if the Heap is paged out
        https://bugs.webkit.org/show_bug.cgi?id=85411

        Reviewed by Filip Pizlo.

        Opportunistic GC is punishing us severely in limited memory situations because its 
        assumptions about how much time a collection will take are way out of whack when the Heap 
        has been paged out by the OS. We should add a simple detection function to the Heap that 
        detects if its is paged out. It will do this by iterating each block of both the MarkedSpace 
        and CopiedSpace. If that operation takes longer than a fixed amount of time (e.g. 100ms), 
        the function returns true. This function will only be run prior to an opportunistic 
        collection (i.e. it will not run during our normal allocation-triggered collections).

        In my tests, steady state was drastically improved in high memory pressure situations (i.e. 
        the browser was still usable, significant reduction in SPODs). Occasionally, a normal GC
        would be triggered due to pages doing things in the background, which would cause a 
        significant pause. As we close pages we now cause normal collections rather than full 
        collections, which prevents us from collecting all of the dead memory immediately. One 
        nice way to deal with this issue might be to do incremental sweeping.


        * heap/CopiedSpace.cpp:
        (JSC::isBlockListPagedOut): Helper function to reduce code duplication when iterating over 
        to-space, from-space, and the oversize blocks.
        (JSC):
        (JSC::CopiedSpace::isPagedOut): Tries to determine whether or not CopiedSpace is paged out
        by iterating all of the blocks.
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/Heap.cpp:
        (JSC::Heap::isPagedOut): Tries to determine whether the Heap is paged out by asking the 
        MarkedSpace and CopiedSpace if they are paged out.
        (JSC):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::increaseLastGCLength): Added this so that the GC timer can linearly back off 
        each time it determines that the Heap is paged out.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::isPagedOut): Tries to determine if this particular MarkedAllocator's
        list of blocks are paged out.
        (JSC):
        * heap/MarkedAllocator.h:
        (MarkedAllocator):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::isPagedOut): For each MarkedAllocator, check to see if they're paged out.
        * heap/MarkedSpace.h:
        (MarkedSpace):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::cancel):
        (JSC):
        * runtime/GCActivityCallback.h:
        (JSC::GCActivityCallback::cancel):
        (DefaultGCActivityCallback):
        * runtime/GCActivityCallbackCF.cpp: Added a constant of 100ms for the timeout in determining
        whether the Heap is paged out or not.
        (JSC):
        (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire): Added the check to see if we 
        should attempt a collection based on whether or not we can iterate the blocks of the Heap in 
        100ms. If we can't, we cancel the timer and tell the Heap we just wasted 100ms more trying to 
        do a collection. This gives us a nice linear backoff so we're not constantly re-trying in
        steady state paged-out-ness.
        (JSC::DefaultGCActivityCallback::cancel): Added this function which, while currently doing 
        exactly the same thing as willCollect, is more obvious as to what it's doing when we call it 
        in timerDidFire.

2012-05-02  Yong Li  <yoli@rim.com>

        Fix GCC X86 build error
        https://bugs.webkit.org/show_bug.cgi?id=85379

        Reviewed by Rob Buis.

        Always explicitly claim ".text" to make sure
        functions defined with inline assembly will be
        created in the correct section.

        * dfg/DFGOperations.cpp:
        (JSC):

2012-05-02  Oliver Hunt  <oliver@apple.com>

        Unreviewed, rolling out r115388.
        http://trac.webkit.org/changeset/115388
        https://bugs.webkit.org/show_bug.cgi?id=85011

        This caused many weird performance problems, and needs to be
        landed in pieces.

        * dfg/DFGOperations.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dumpCaller):
        (JSC):
        * interpreter/CallFrame.h:
        (JSC::ExecState::init):
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::execute):
        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::growSlowCase):
        (JSC::RegisterFile::gatherConservativeRoots):
        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::end):
        (JSC::RegisterFile::size):
        (JSC::RegisterFile::addressOfEnd):
        (RegisterFile):
        (JSC::RegisterFile::RegisterFile):
        (JSC::RegisterFile::shrink):
        (JSC::RegisterFile::grow):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):

2012-05-01  Oliver Hunt  <oliver@apple.com>

        Physijs demo crashes due to DFG not updating topCallFrame correctly.
        https://bugs.webkit.org/show_bug.cgi?id=85311

        Reviewed by Filip Pizlo.

        A few of the dfg operations failed to correctly set the topCallFrame,
        and so everything goes wrong.  This patch corrects the effected operations,
        and makes debug builds poison topCallFrame before calling a dfg operation.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::prepareForExternalCall):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):

2012-04-30  Gavin Barraclough  <barraclough@apple.com>

        Should be able to use YARR JIT without the JS language JIT
        https://bugs.webkit.org/show_bug.cgi?id=85252

        Reviewed by Geoff Garen.

        Need to split canUseRegExpJIT out of canUseJIT.

        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::useJIT):
        (JSC::JSGlobalData::JSGlobalData):
            - replace m_canUseJIT with m_canUseAssembler
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::canUseRegExpJIT):
            - Added canUseRegExpJIT, distinct from canUseJIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
            - Call canUseRegExpJIT instead of canUseJIT.

2012-04-30  Gavin Barraclough  <barraclough@apple.com>

        Should be able to build YARR JIT without the JS language JIT
        https://bugs.webkit.org/show_bug.cgi?id=85242

        Reviewed by Michael Saboff.

        Some build macros are wrong.

        * assembler/RepatchBuffer.h:
        * jit/ExecutableAllocator.h:
        (JSC):
        * jit/JITExceptions.cpp:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):

2012-04-26  Gavin Barraclough  <barraclough@apple.com>

        Arguments object resets attributes on redefinition of a parameter
        https://bugs.webkit.org/show_bug.cgi?id=84994

        Rubber stamped by Oliver Hunt.

        There is a bug that we always re-add the original property before
        redefinition, doing so in a way that will reset the attributes
        without checking configurability.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
            - Only instantiate the property once - do not re-add if
              it has already been added, or if it has been deleted.

2012-04-30  Ryosuke Niwa  <rniwa@webkit.org>

        Remove an erroneous assertion after r115655.

        * runtime/NumberPrototype.cpp:
        (JSC::toUStringWithRadix):

2012-04-30  Myles Maxfield  <mmaxfield@google.com>

        End of Interpreter::tryCacheGetByID can trigger the garbage collector
        https://bugs.webkit.org/show_bug.cgi?id=84927

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCacheGetByID):

2012-04-30  Benjamin Poulain  <benjamin@webkit.org>

        jsSingleCharacterString and jsSingleCharacterSubstring are not inlined
        https://bugs.webkit.org/show_bug.cgi?id=85147

        Reviewed by Darin Adler.

        The functions jsSingleCharacterString() and jsSingleCharacterSubstring() were not inlined
        by the compiler. This annihilate the gains of using SmallStrings.

        On stringProtoFuncCharAt(), this patch improves the performance by 11%.

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):

2012-04-30  Benjamin Poulain  <bpoulain@apple.com>

        Add fast patch for radix == 10 on numberProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=85120

        Reviewed by Darin Adler.

        When radix, we use to turn the doubleValue into a JSValue just to convert
        it to a String. The problem is that was using the slow path for conversion and
        for the toString() operation.

        This patch shortcuts the creation of a JSValue and uses NumericStrings directly.
        The conversion is split between Integer and Double to ensure the fastest conversion
        for the common case of integer arguments.

        Converting number with radix 10 becomes 5% faster.

        Due to the simpler conversion of number to string for integer, converting
        integers that do not fall in the two previous optimizations get 32% faster.

        * runtime/NumberPrototype.cpp:
        (JSC::extractRadixFromArgs):
        (JSC::integerValueToString):
        (JSC::numberProtoFuncToString):

2012-04-30  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header.

2012-04-28  Geoffrey Garen  <ggaren@apple.com>

        Factored threaded block allocation into a separate object
        https://bugs.webkit.org/show_bug.cgi?id=85148

        Reviewed by Sam Weinig.

        99% of this patch just moves duplicated block allocation and 
        deallocation code into a new object named BlockAllocator, with these 
        exceptions:

        * heap/BlockAllocator.h: Added.
        (BlockAllocator::BlockAllocator): The order of declarations here now 
        guards us against an unlikely race condition during startup.

        * heap/BlockAllocator.cpp:
        JSC::BlockAllocator::blockFreeingThreadMain): Added a FIXME to 
        highlight a lack of clarity we have in our block deallocation routines.

2012-04-28  Sam Weinig  <sam@webkit.org>

        Try to fix the Qt build.

        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):

2012-04-28  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-04-28  Geoffrey Garen  <ggaren@apple.com>

        Clarified JSGlobalData (JavaScript VM) lifetime
        https://bugs.webkit.org/show_bug.cgi?id=85142

        Reviewed by Anders Carlsson.

        This was so confusing that I didn't feel like I could reason about 
        memory lifetime in the heap without fixing it.

        The rules are:

        (1) JSGlobalData owns the virtual machine and all memory in it.

        (2) Deleting a JSGlobalData frees the virtual machine and all memory 
        in it.

        (Caveat emptor: if you delete the virtual machine while you're running 
        JIT code or accessing GC objects, you're gonna have a bad time.)

        (I opted not to make arbitrary sub-objects keep the virtual machine 
        alive automatically because:

                (a) doing that right would be complex and slow;

                (b) in the case of an exiting thread or process, there's no 
                clear way to give the garbage collector a chance to try again 
                later; 

                (c) continuing to run the garbage collector after we've been 
                asked to shut down the virtual machine seems rude;

                (d) we've never really supported that feature, anyway.)

        (3) Normal ref-counting will do. No need to call a battery of 
        specialty functions to tear down a JSGlobalData. Its foibles 
        notwithstanding, C++ does in fact know how to execute destructors in 
        order.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreate): Removed compatibility shim for older 
        operating systems because it's no longer used.

        (JSGlobalContextRelease): Now that we can rely on JSGlobalData to "do 
        the right thing", this code is much simpler. We still have one special 
        case to notify the garbage collector if we're removing the last 
        reference to the global object, since this can improve memory behavior.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::freeAllBlocks):
        * heap/CopiedSpace.h:
        (CopiedSpace): Renamed "destroy" => "freeAllBlocks" because true 
        destruction-time behaviors should be limited to our C++ destructor.

        * heap/Heap.cpp:
        (JSC::Heap::~Heap):
        (JSC):
        (JSC::Heap::lastChanceToFinalize):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::heap): Renamed "destroy" => "lastChanceToFinalize" because 
        true destruction-time behaviors should be limited to our C++ 
        destructor.

        Reorganized the code, putting code that must run before any objects 
        get torn down into lastChanceToFinalize, and code that just tears down 
        objects into our destructor.

        * heap/Local.h:
        (JSC::LocalStack::LocalStack):
        (JSC::LocalStack::push):
        (LocalStack): See rule (2).

        * jsc.cpp:
        (functionQuit):
        (main):
        (printUsageStatement):
        (parseArguments):
        (jscmain):
        * testRegExp.cpp:
        (main):
        (printUsageStatement):
        (parseArguments):
        (realMain): See rule (3).

        I removed the feature of ensuring orderly tear-down when calling quit()
        or running in --help mode because it didn't seem very useful and 
        making it work with Windows structured exception handling and 
        NO_RETURN didn't seem like a fun way to spend a Saturday.

        * runtime/JSGlobalData.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): Moved heap to be the first data 
        member in JSGlobalData to ensure that it's destructed last, so other 
        objects that reference it destruct without crashing. This allowed me 
        to remove clearBuiltinStructures() altogether, and helped guarantee 
        rule (3).

        (JSC::JSGlobalData::~JSGlobalData): Explicitly call 
        lastChanceToFinalize() at the head of our destructor to ensure that 
        all pending finalizers run while the virtual machine is still in a 
        valid state. Trying to resurrect (re-ref) the virtual machine at this 
        point is not valid, but all other operations are.

        Changed a null to a 0xbbadbeef to clarify just how bad this beef is.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::globalData): See rule (3).

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        * heap/WeakBlock.h:
        (WeakBlock):

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Made WeakSet::allocate() static and removed its JSGlobalData argument
        https://bugs.webkit.org/show_bug.cgi?id=85128

        Reviewed by Anders Carlsson.

        This is a step toward faster finalization.

        WeakSet::allocate() now deduces which WeakSet to allocate from based on
        its JSCell* argument. (Currently, there's only one WeakSet, but soon
        there will be many.)

        This was a global replace of "globalData.heap.weakSet()->allocate" with
        "WeakSet::allocate", plus by-hand removal of the JSGlobalData argument.

        * heap/WeakSetInlines.h: Copied from Source/JavaScriptCore/heap/WeakSet.h.

        I had to split out WeakSet::allocate() in to a separate header to avoid
        a cycle.

        (JSC::WeakSet::allocate): We can mask the pointer we're passed to
        figure out where to allocate our WeakImpl. (Soon, we'll use this to
        associate the WeakImpl with the GC block it references.)

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Stop using aligned allocation for WeakBlock
        https://bugs.webkit.org/show_bug.cgi?id=85124

        Reviewed by Anders Carlsson.

        We don't actually use the alignment for anything.

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::create):
        (JSC::WeakBlock::WeakBlock): Switched from aligned allocation to regular
        allocation.

        * heap/WeakBlock.h:
        (WeakBlock): Don't use HeapBlock because HeapBlock requires aligned
        allocation. This change required me to add some declarations that we used
        to inherit from HeapBlock.

        (WeakBlock::blockFor): Removed. This function relied on aligned allocation
        but didn't do anything for us.

        (WeakBlock::deallocate): Removed. WeakBlock doesn't own any of the deallocation
        logic, so it shouldn't own the function.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::~WeakSet):
        (JSC::WeakSet::finalizeAll):
        (JSC::WeakSet::visitLiveWeakImpls):
        (JSC::WeakSet::visitDeadWeakImpls):
        (JSC::WeakSet::sweep):
        (JSC::WeakSet::shrink):
        (JSC::WeakSet::resetAllocator):
        (JSC::WeakSet::tryFindAllocator):
        * heap/WeakSet.h:
        (WeakSet): Updated declarations to reflect WeakBlock not inheriting from
        HeapBlock. This allowed me to remove some casts, which was nice.

        (JSC::WeakSet::deallocate): Directly set the deallocated flag instead of
        asking WeakBlock to do it for us.  We don't need to have a WeakBlock
        pointer to set the flag, so stop asking for one.

2012-04-27  Kentaro Hara  <haraken@chromium.org>

        [JSC] Implement a helper method createNotEnoughArgumentsError()
        https://bugs.webkit.org/show_bug.cgi?id=85102

        Reviewed by Geoffrey Garen.

        In bug 84787, kbr@ requested to avoid hard-coding
        createTypeError(exec, "Not enough arguments") here and there.
        This patch implements createNotEnoughArgumentsError(exec)
        and uses it in JSC bindings.

        c.f. a corresponding bug for V8 bindings is bug 85097.

        * runtime/Error.cpp:
        (JSC::createNotEnoughArgumentsError):
        (JSC):
        * runtime/Error.h:
        (JSC):

2012-04-27  Geoffrey Garen  <ggaren@apple.com>

        Only allow non-null pointers in the WeakSet
        https://bugs.webkit.org/show_bug.cgi?id=85119

        Reviewed by Darin Adler.

        This is a step toward more efficient finalization.

        No clients put non-pointers (JSValues) into Weak<T> and PassWeak<T>.

        Some clients put null pointers into Weak<T> and PassWeak<T>, but this is
        more efficient and straight-forward to model with a null in the Weak<T>
        or PassWeak<T> instead of allocating a WeakImpl just to hold null.

        * heap/PassWeak.h:
        (JSC): Removed the Unknown (JSValue) type of weak pointer because it's
        unused now.

        (PassWeak): Don't provide a default initializer for our JSCell* argument.
        This feature was only used in one place, and it was a bug.

        (JSC::::get): Don't check for a null stored inside our WeakImpl: that's 
        not allowed anymore.

        (JSC::PassWeak::PassWeak): Handle null as a null WeakImpl instead of
        allocating a WeakImpl and storing null into it.

        * heap/Weak.h:
        (Weak):
        (JSC::::Weak): Same changes as in PassWeak<T>.

        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::visitLiveWeakImpls):
        (JSC::WeakBlock::visitDeadWeakImpls): Only non-null cells are valid in
        the WeakSet now, so no need to check for non-cells and null cell pointers.

        * heap/WeakImpl.h:
        (JSC::WeakImpl::WeakImpl): Only non-null cells are valid in the WeakSet
        now, so ASSERT that.

2012-04-27  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/7909395> Math in JavaScript is inaccurate on iOS

        By defalut IEEE754 denormal support is disabled on iOS;
        turn it on.

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (main):
            - clear the appropriate bit in the fpscr.

2012-04-27  Michael Saboff  <msaboff@apple.com>

        Memory wasted in JSString for non-rope strings
        https://bugs.webkit.org/show_bug.cgi?id=84907

        Reviewed by Geoffrey Garen.

        Split JSString into two classes, JSString as a base class that does not
        include the fibers of a Rope, and a subclass JSRopeString that has the
        rope functionality.  Both classes "share" the same ClassInfo.  Added
        a bool to JSString to indicate that the string was allocated as a JSRopeString
        to properly handle visiting the fiber children when the rope is resolved and
        the JSRopeString appears as a JSString.  Didn't change the interface of JSString
        to require any JIT changes.

        As part of this change, removed "cellSize" from ClassInfo since both classes
        share the same ClassInfo, but have different sizes.  The only use I could find
        for cellSize was an ASSERT in allocateCell().

        This appears to be neutral on performance tests.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Changed JSString::resolveRope
                to JSRopeString::resolveRope
        * runtime/ClassInfo.h:
        (JSC):
        (ClassInfo):
        * runtime/JSCell.h:
        (JSC::allocateCell):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::RopeBuilder::expand):
        (JSC::JSString::visitChildren):
        (JSC):
        (JSC::JSRopeString::visitFibers):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):
        (JSC::JSRopeString::outOfMemory):
        (JSC::JSRopeString::getIndexSlowCase):
        * runtime/JSString.h:
        (JSC):
        (JSString):
        (JSC::JSString::finishCreation):
        (JSC::JSString::create):
        (JSC::JSString::isRope):
        (JSC::JSString::is8Bit):
        (JSRopeString):
        (RopeBuilder):
        (JSC::JSRopeString::RopeBuilder::RopeBuilder):
        (JSC::JSRopeString::RopeBuilder::append):
        (JSC::JSRopeString::RopeBuilder::release):
        (JSC::JSRopeString::RopeBuilder::length):
        (JSC::JSRopeString::JSRopeString):
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::createNull):
        (JSC::JSRopeString::create):
        (JSC::JSString::value):
        (JSC::JSString::tryGetValue):
        (JSC::JSString::getIndex):
        (JSC::jsStringBuilder):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromArguments):

2012-04-27  Oliver Hunt  <oliver@apple.com>

        Correct assertion.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):

2012-04-27  Oliver Hunt  <oliver@apple.com>

        Lazy link phase of baseline jit fails to propagate exception
        https://bugs.webkit.org/show_bug.cgi?id=85092

        Reviewed by Filip Pizlo.

        Very simple patch, when linking produces an error we need to actually store
        the exception prior to throwing it.  I can't find any other examples of this,
        but as we're already in the slow path when throwing an exception I've hardened
        exception throwing against null exceptions.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * jit/JITStubs.cpp:
        (JSC::lazyLinkFor):

2012-04-27  Benjamin Poulain  <benjamin@webkit.org>

        Generalize the single character optimization of numberProtoFuncToString
        https://bugs.webkit.org/show_bug.cgi?id=85027

        Reviewed by Geoffrey Garen.

        The function numberProtoFuncToString() has an optimization to use SmallStrings::singleCharacterString()
        when the radix is 36.

        This patch generalize the optimization for any radix. Any positive number smaller than its radix
        can be represented by a single character of radixDigits.

        This makes numberProtoFuncToString() about twice as fast for this case of single digit conversion.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToString):

2012-04-27  Gavin Peters  <gavinp@chromium.org>

        Add new ENABLE_LINK_PRERENDER define to control the Prerendering API
        https://bugs.webkit.org/show_bug.cgi?id=84871

        Reviewed by Adam Barth.

        Prerendering is currently covered by the ENABLE_LINK_PREFETCH macro, but the new Prerendering
        API separates it from prefetching.  Having separate include guards lets ports enable prefetching,
        a relatively easy change, without needing to build the infrastructure for prerendering, which
        is considerably more complicated.

        * Configurations/FeatureDefines.xcconfig:

2012-04-26  Oliver Hunt  <oliver@apple.com>

        Allocating WeakImpl should not trigger GC, as that makes the world very tricksy.
        https://bugs.webkit.org/show_bug.cgi?id=85020

        Reviewed by Gavin Barraclough.

        Now in the event that we are unable to find an allocator for a new handle, just
        add a new allocator rather than trying to recover "dead" handles through a GC.

        Find allocator is now much simpler, and addAllocator directly reports the
        increased memory usage to the heap without causing any GC to happen immediately.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::findAllocator):
        (JSC::WeakSet::addAllocator):

2012-04-26  Oliver Hunt  <oliver@apple.com>

        Remove RegisterFile::end()/m_end
        https://bugs.webkit.org/show_bug.cgi?id=85011

        Reviewed by Gavin Barraclough.

        Get rid of end() and m_end from RegisterFile.  From now on
        we only care about the end of the committed region when calling
        code.  When re-entering the VM we now plant the new CallFrame
        immediately after whatever the current topCallFrame is.  This
        required adding a routine to CallFrame to determine exactly what
        we should be doing (in the absence of an existing CallFrame, we
        can't reason about the frameExtent() so we check for that).

        This also now means that the GC only marks the portion of the
        RegisterFile that is actually in use, and that VM re-entry doesn't
        exhaust the RegisterFile as rapidly.

        * dfg/DFGOperations.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        * interpreter/CallFrame.h:
        (JSC::ExecState::init):
        (JSC::ExecState::startOfReusableRegisterFile):
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::execute):
        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::growSlowCase):
        (JSC::RegisterFile::gatherConservativeRoots):
        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::commitEnd):
        (JSC::RegisterFile::addressOfEnd):
        (RegisterFile):
        (JSC::RegisterFile::RegisterFile):
        (JSC::RegisterFile::shrink):
        (JSC::RegisterFile::grow):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::handleHostCall):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):

2012-04-26  Filip Pizlo  <fpizlo@apple.com>

        DFG ARMv7 backend should optimize Float32 arrays
        https://bugs.webkit.org/show_bug.cgi?id=85000
        <rdar://problem/10652827>

        Reviewed by Gavin Barraclough.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::flds):
        (JSC::ARMv7Assembler::fsts):
        (JSC::ARMv7Assembler::vcvtds):
        (JSC::ARMv7Assembler::vcvtsd):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadFloat):
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::storeFloat):
        (JSC::MacroAssemblerARMv7::convertFloatToDouble):
        (JSC::MacroAssemblerARMv7::convertDoubleToFloat):
        * bytecode/PredictedType.h:
        (JSC::isActionableFloatMutableArrayPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateFloat32Array):

2012-04-25  Benjamin Poulain  <benjamin@webkit.org>

        Add a version of StringImpl::find() without offset
        https://bugs.webkit.org/show_bug.cgi?id=83968

        Reviewed by Sam Weinig.

        Add support for the new StringImpl::find() to UString.

        Change stringProtoFuncIndexOf() to specifically take advatage of the feature.
        This gives a 12% gains on a distribution of strings between 30 and 100 characters.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferences):
        (JSC::stringProtoFuncIndexOf):
        * runtime/UString.h:
        (UString):
        (JSC::UString::find):

2012-04-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        WebCore shouldn't call collectAllGarbage directly
        https://bugs.webkit.org/show_bug.cgi?id=84897

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Exported symbol 
        for reportAbanondedObjectGraph so WebCore can use it.
        * heap/Heap.h: Ditto.

2012-04-25  Oliver Hunt  <oliver@apple.com>

        Biolab disaster crashes on ToT
        https://bugs.webkit.org/show_bug.cgi?id=84898

        Reviewed by Filip Pizlo.

        Whoops, committed without saving reviewer requested change.

        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-04-25  Oliver Hunt  <oliver@apple.com>

        Biolab disaster crashes on ToT
        https://bugs.webkit.org/show_bug.cgi?id=84898

        Reviewed by Filip Pizlo.

        I recently added an assertion to the Interpreter to catch incorrect
        updates of topCallFrame.  This caused a bunch of sites (including biolab
        disaster) to crash as we were not correctly handling callee registers
        of inlined functions, leading to a mismatch.

        I could not actually make this trigger directly, although it does trigger
        already on some of the GTK and QT bots.

        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-04-25  Kenneth Russell  <kbr@google.com>

        Delete CanvasPixelArray, ByteArray, JSByteArray and JSC code once unreferenced
        https://bugs.webkit.org/show_bug.cgi?id=83655

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionToAbbreviatedString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC):
        (JSC::isActionableIntMutableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSByteArray.cpp: Removed.
        * runtime/JSByteArray.h: Removed.
        * runtime/JSGlobalData.cpp:

2012-04-25  Filip Pizlo  <fpizlo@apple.com>

        http://bellard.org/jslinux/ triggers an assertion failure in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=84815
        <rdar://problem/11319514>

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):

2012-04-25  Michael Saboff  <msaboff@apple.com>

        Closure in try {} with catch captures all locals from the enclosing function
        https://bugs.webkit.org/show_bug.cgi?id=84804

        Reviewed by Oliver Hunt.

        Changed the capturing of local variables from capturing when eval is used,
        within a "with" or within a "catch" to be just when an eval is used.
        Renamed the function returning that we should capture from
        getCapturedVariables() to usesEval(), since that what it noew returns.
        Needed to fix the "with" code to only range check when the activation
        has actually been torn off.  Added m_isTornOff to JSActivation to
        track this.

        * parser/Parser.h:
        (JSC::Scope::usesEval):
        (JSC::Scope::getCapturedVariables):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        * runtime/JSActivation.h:
        (JSActivation):
        (JSC::JSActivation::tearOff):

2012-04-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC Activity Callback timer should be based on how much has been allocated since the last collection
        https://bugs.webkit.org/show_bug.cgi?id=84763

        Reviewed by Geoffrey Garen.

        The desired behavior for the GC timer is to collect at some point in the future, 
        regardless of how little we've allocated. A secondary goal, which is almost if not 
        as important, is for the timer to collect sooner if there is the potential to 
        collect a greater amount of memory. Conversely, as we allocate more memory we'd 
        like to reduce the delay to the next collection. If we're allocating quickly enough, 
        the timer should be preempted in favor of a normal allocation-triggered collection. 
        If allocation were to slow or stop, we'd like the timer to be able to opportunistically 
        run a collection without us having to allocate to the hard limit set by the Heap.

        This type of policy can be described in terms of the amount of CPU we are willing 
        to dedicate to reclaim a single MB of memory. For example, we might be willing to 
        dedicate 1% of our CPU to reclaim 1 MB. We base our CPU usage off of the length of 
        the last collection, e.g. if our last collection took 1ms, we would want to wait about 
        100ms before running another collection to reclaim 1 MB. These constants should be 
        tune-able, e.g. 0.1% CPU = 1 MB vs. 1% CPU = 1 MB vs. 10% CPU = 1 MB.

        * API/JSBase.cpp: Use the new reportAbandonedObjectGraph.
        (JSGarbageCollect):
        * API/JSContextRef.cpp: Ditto.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportAbandonedObjectGraph): Similar to reportExtraMemoryCost. Clients call
        this function to notify the Heap that some unknown number of JSC objects might have just 
        been abandoned and are now garbage. The Heap might schedule a new collection timer based 
        on this notification.
        (JSC):
        (JSC::Heap::collect): Renamed m_lastFullGCSize to the less confusing m_sizeAfterLastCollect.
        * heap/Heap.h:
        (Heap):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::zapFreeList): Fixed a bug in zapFreeList that failed to nullify the 
        current allocator's FreeList once zapping was complete.
        * runtime/GCActivityCallback.cpp: Removed didAbandonObjectGraph because it was replaced by 
        Heap::reportAbandonedObjectGraph.
        (JSC):
        * runtime/GCActivityCallback.h:
        (JSC::GCActivityCallback::willCollect):
        (DefaultGCActivityCallback):
        * runtime/GCActivityCallbackCF.cpp: Refactored the GC timer code so that we now schedule the 
        timer based on how much we have allocated since the last collection up to a certain amount. 
        We use the length of the previous GC to try to keep our total cost of opportunistic timer-triggered
        collections around 1% of the CPU per MB of garbage we expect to reclaim up to a maximum of 5 MB.
        (DefaultGCActivityCallbackPlatformData):
        (JSC):
        (JSC::DefaultGCActivityCallback::~DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::commonConstructor):
        (JSC::scheduleTimer):
        (JSC::cancelTimer):
        (JSC::DefaultGCActivityCallback::didAllocate):

2012-04-24  Michael Saboff  <msaboff@apple.com>

        objectProtoFuncToString creates new string every invocation
        https://bugs.webkit.org/show_bug.cgi?id=84781

        Reviewed by Geoffrey Garen.

        Cache the results of object toString() in the attached Structure.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren): visit new m_hasObjectToStringValue.
        * runtime/Structure.h: Added new member m_hasObjectToStringValue
        (JSC):
        (JSC::Structure::objectToStringValue):
        (Structure):
        (JSC::Structure::setObjectToStringValue):

2012-04-24  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=84727.
        Fix build when ENABLE_JIT_CONSTANT_BLINDING enabled.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::and32):
        (JSC::MacroAssemblerSH4::lshift32):
        (JSC::MacroAssemblerSH4::xor32):
        (JSC::MacroAssemblerSH4::branchSub32):
        (JSC::MacroAssemblerSH4::urshift32):

2012-04-24  Gavin Barraclough  <barraclough@apple.com>

        Add explicit patchableBranchPtrWithPatch/patchableJump methods
        https://bugs.webkit.org/show_bug.cgi?id=84498

        Reviewed by Filip Pizlo.

        Don't rely on inUninterruptedSequence to distinguish which jumps we need to be able to repatch.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::PatchableJump::PatchableJump):
        (PatchableJump):
        (JSC::AbstractMacroAssembler::PatchableJump::operator Jump&):
        (AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
            - Added PatchableJump type, removed inUninterruptedSequence.
        * assembler/LinkBuffer.h:
        (LinkBuffer):
        (JSC::LinkBuffer::locationOf):
            - Only allow the location to be taken of patchable branches
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::patchableBranchPtrWithPatch):
        (JSC::MacroAssembler::patchableJump):
        (JSC::MacroAssembler::shouldBlind):
            - Added default implementation of patchableBranchPtrWithPatch, patchableJump.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::MacroAssemblerARMv7):
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::patchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::patchableJump):
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::makeBranch):
            - Added ARMv7 implementation of patchableBranchPtrWithPatch, patchableJump.
        * dfg/DFGCorrectableJumpPoint.h:
        (DFG):
        (JSC::DFG::CorrectableJumpPoint::switchToLateJump):
            - Late jumps are PatchableJumps.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
            - replace use of inUninterruptedSequence
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (PropertyAccessRecord):
            - replace use of inUninterruptedSequence
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
            - replace use of inUninterruptedSequence
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
            - replace use of inUninterruptedSequence
        * jit/JIT.h:
        (PropertyStubCompilationInfo):
            - replace use of inUninterruptedSequence
        * jit/JITInlineMethods.h:
        (JSC::JIT::beginUninterruptedSequence):
        (JSC::JIT::endUninterruptedSequence):
            - replace use of inUninterruptedSequence
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
            - replace use of inUninterruptedSequence
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
            - replace use of inUninterruptedSequence

2012-04-24  Benjamin Poulain  <bpoulain@apple.com>

        Generalize the single character optimization of r114072
        https://bugs.webkit.org/show_bug.cgi?id=83961

        Reviewed by Eric Seidel.

        Use the regular String::find(StringImpl*) in all cases now that it has been made faster.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingStringSearch):

2012-04-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, 32-bit build fix.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG performs incorrect DCE on (some?) intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=84746
        <rdar://problem/11310772>

        Reviewed by Oliver Hunt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::setIntrinsicResult):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-04-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        Failure to allocate ArrayStorage in emit_op_new_array leads to poisonous JSArray
        https://bugs.webkit.org/show_bug.cgi?id=84648

        Reviewed by Geoffrey Garen.

        When emit_op_new_array successfully allocates a new JSArray but fails to allocate 
        the corresponding ArrayStorage for it, it falls back to the out-of-line stub call 
        to constructArray, which constructs and entirely new JSArray/ArrayStorage pair. 
        This leaves us with a JSArray hanging around on the stack or in a register that 
        did not go through its own constructor, thus giving it uninitialized memory in the 
        two fields that are checked in JSArray::visitChildren.

        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSArray): We try to allocate the ArrayStorage first, so that 
        if we fail we haven't generated the poisonous JSArray that can cause a GC crash.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_new_array):

2012-04-23  Filip Pizlo  <fpizlo@apple.com>

        DFG on ARMv7 should not OSR exit on every integer division
        https://bugs.webkit.org/show_bug.cgi?id=84661

        Reviewed by Oliver Hunt.
        
        On ARMv7, ArithDiv no longer has to know whether or not to speculate integer (since
        that was broken with the introduction of Int32ToDouble) nor does it have to know
        whether or not to convert its result to integer. This is now taken care of for free
        with the addition of the DoubleAsInt32 node, which represents a double-is-really-int
        speculation.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-04-24  Geoffrey Garen  <ggaren@apple.com>

        "GlobalHandle" HandleHeap (now WeakSet) allocations grow but do not shrink
        https://bugs.webkit.org/show_bug.cgi?id=84740
        <rdar://problem/9917638>

        Reviewed by Gavin Barraclough.

        Shrink!

        * heap/Heap.cpp:
        (JSC::Heap::destroy): Be more specific about what's shrinking, since we
        can also shrink the WeakSet, but we don't do so here.

        (JSC::Heap::collect): If we're going to shrink the heap, shrink the
        WeakSet too. Otherwise, its footprint is permanent.

        * heap/Heap.h:
        (Heap): Removed shrink() as a public interface, since it's vague about
        which parts of the heap it affects, and it's really an internal detail.

        * heap/WeakSet.cpp:
        (JSC::WeakSet::shrink): Nix any free blocks. We assume that sweep() has
        already taken place, since that's the convention for shrink() in the heap.

        * heap/WeakSet.h:
        (WeakSet): New function!

2012-04-24  Adam Klein  <adamk@chromium.org>

        Fix includes in StrongInlines.h and ScriptValue.h
        https://bugs.webkit.org/show_bug.cgi?id=84659

        Reviewed by Geoffrey Garen.

        * heap/StrongInlines.h: Include JSGlobalData.h, since JSGlobalData's
        definiition is required here.

2012-04-23  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit should ensure that all variables have been initialized
        https://bugs.webkit.org/show_bug.cgi?id=84653
        <rdar://problem/11258183>

        Reviewed by Gavin Barraclough.
        
        Initialize all uncaptured dead variables to undefined on OSR exit.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:

2012-04-23  Oliver Hunt  <oliver@apple.com>

        Call instruction for the baseline JIT stores origin info in wrong callframe
        https://bugs.webkit.org/show_bug.cgi?id=84645

        Reviewed by Gavin Barraclough.

        The baseline JIT was updating the wrong callframe when making a call.  If the
        call failed during dispatch (unable to perform codegen, calling a non-object)
        we would attempt to use this information, but it would be completely wrong.

        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2012-04-23  Filip Pizlo  <fpizlo@apple.com>

        DFG must keep alive values that it will perform speculations on
        https://bugs.webkit.org/show_bug.cgi?id=84638
        <rdar://problem/11258183>

        Reviewed by Oliver Hunt.

        * dfg/DFGNodeType.h:
        (DFG):

2012-04-23  Oliver Hunt  <oliver@apple.com>

        Fix non-LLInt builds by temporarily removing an over-enthusiastic assertion

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeCall):

2012-04-22  Jon Lee  <jonlee@apple.com>

        Remove notifications support on Mac Lion.
        https://bugs.webkit.org/show_bug.cgi?id=84554
        <rdar://problem/11297128>

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2012-04-21  Darin Adler  <darin@apple.com>

        Change JavaScript lexer to use 0 instead of -1 for sentinel, eliminating the need to put characters into ints
        https://bugs.webkit.org/show_bug.cgi?id=84523

        Reviewed by Oliver Hunt.

        Profiles showed that checks against -1 were costly, and I saw they could be eliminated.
        Streamlined this code to use standard character types and 0 rather than -1. One benefit
        of this is that there's no widening and narrowing. Another is that there are many cases
        where we already have the correct behavior for 0, so can eliminate a branch that was
        used to test for -1 before. Also eliminates typecasts in the code.

        * parser/Lexer.cpp:
        (JSC::Lexer::invalidCharacterMessage): Updated use of String::format since m_current is now a
        character type, not an int.
        (JSC::Lexer::setCode): Use 0 rather than -1 when past the end.
        (JSC::Lexer::shift): Ditto. Also spruced up the comment a bit.
        (JSC::Lexer::atEnd): Added. New function that distinguishes an actual 0 character from the end
        of the code. This can be used places we used to cheeck for -1.
        (JSC::Lexer::peek): Updated to use -1 instead of 0. Removed meaningless comment.
        (JSC::Lexer::parseFourDigitUnicodeHex): Changed to use character types instead of int.
        (JSC::Lexer::shiftLineTerminator): Removed now-unneeded type casts. Changed local variable that
        had a data-member-style name.
        (JSC::Lexer::parseIdentifier): Removed now-unneeded explicit checks for -1, since the isIdentPart
        function already returns false for the 0 character. Updated types in a couple other places. Used
        the atEnd function where needed.
        (JSC::Lexer::parseIdentifierSlowCase): More of the same.
        (JSC::characterRequiresParseStringSlowCase): Added overloaded helper function for parseString.
        (JSC::Lexer::parseString): Ditto.
        (JSC::Lexer::parseStringSlowCase): Ditto.
        (JSC::Lexer::parseMultilineComment): Ditto.
        (JSC::Lexer::lex): More of the same. Also changed code to set the startOffset directly in
        the tokenInfo instead of putting it in a local variable first, saving some memory access.
        (JSC::Lexer::scanRegExp): Ditto.
        (JSC::Lexer::skipRegExp): Ditto.

        * parser/Lexer.h: Changed return type of the peek function and type of m_current from int to
        the character type. Added atEnd function.
        (JSC::Lexer::setOffset): Used 0 instead of -1 and removed an overzealous attempt to optimize. 
        (JSC::Lexer::lexExpectIdentifier): Used 0 instead of -1.

2012-04-21  Darin Adler  <darin@apple.com>

        Change JavaScript lexer to use 0 instead of -1 for sentinel, eliminating the need to put characters into ints
        https://bugs.webkit.org/show_bug.cgi?id=84523

        Reviewed by Oliver Hunt.

        Separate preparation step of copyright dates, renaming, and other small tweaks.

        * parser/Lexer.cpp:
        (JSC::Lexer::invalidCharacterMessage): Removed "get" from name to match WebKit naming conventions.
        (JSC::Lexer::peek): Removed meaningless comment.
        (JSC::Lexer::parseFourDigitUnicodeHex): Renamed from getUnicodeCharacter to be more precise about
        what this function does.
        (JSC::Lexer::shiftLineTerminator): Renamed local variable that had a data-member-style name.
        (JSC::Lexer::parseStringSlowCase): Updated for new name of parseFourDigitUnicodeHex.
        (JSC::Lexer::lex): Updated for new name of invalidCharacterMessage.

        * parser/Lexer.h: Removed an unneeded forward declaration of the RegExp class.
        Renamed getInvalidCharMessage to invalidCharacterMessage and made it const. Renamed
        getUnicodeCharacter to parseFourDigitUnicodeHex.

2012-04-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize int8 and int16 arrays on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=84503

        Reviewed by Oliver Hunt.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::ldrsb):
        (JSC::ARMv7Assembler::ldrsh):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16Signed):
        (JSC::MacroAssemblerARMv7::load8Signed):
        * bytecode/PredictedType.h:
        (JSC::isActionableIntMutableArrayPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt8Array):
        (JSC::DFG::Node::shouldSpeculateInt16Array):

2012-04-20  Oliver Hunt  <oliver@apple.com>

        Add an ability to find the extent of a callframe
        https://bugs.webkit.org/show_bug.cgi?id=84513

        Reviewed by Filip Pizlo.

        Add a function to get the extent of a callframe and
        use that function for a new assertion to make sure the
        RegisterFile makes sense using that information.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::frameExtentInternal):
        (JSC):
        * interpreter/CallFrame.h:
        (JSC::ExecState::frameExtent):
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeCall):

2012-04-20  Benjamin Poulain  <bpoulain@apple.com>

        Inline the JSArray constructor
        https://bugs.webkit.org/show_bug.cgi?id=84416

        Reviewed by Geoffrey Garen.

        The constructor is trivial, no reason to jump for it.

        This makes the creation of array ~5% faster (on non-trivial cases, no empty arrays).

        * runtime/JSArray.cpp:
        (JSC):
        * runtime/JSArray.h:
        (JSC::JSArray::JSArray):
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-04-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap should cancel GC timer at the start of the collection
        https://bugs.webkit.org/show_bug.cgi?id=84477

        Reviewed by Geoffrey Garen.

        Currently the Heap cancels the GC timer at the conclusion of a collection. 
        We should change this to be at the beginning because something (e.g. a finalizer) 
        could call didAbandonObjectGraph(), which will schedule the timer, but then 
        we'll immediately unschedule the timer at the conclusion of the collection, 
        thus potentially preventing large swaths of memory from being reclaimed in a timely manner.

        * API/JSBase.cpp:
        (JSGarbageCollect): Remove outdated fix-me and remove check for whether the Heap is 
        busy or not, since we're just scheduling a timer to run a GC in the future.
        * heap/Heap.cpp:
        (JSC::Heap::collect): Rename didCollect to willCollect and move the call to the 
        top of Heap::collect.
        * runtime/GCActivityCallback.cpp: Renamed didCollect to willCollect.
        (JSC::DefaultGCActivityCallback::willCollect):
        * runtime/GCActivityCallback.h: Ditto.
        (JSC::GCActivityCallback::willCollect):
        (DefaultGCActivityCallback): 
        * runtime/GCActivityCallbackCF.cpp: Ditto.
        (JSC::DefaultGCActivityCallback::willCollect):

2012-04-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSGarbageCollect should not call collectAllGarbage()
        https://bugs.webkit.org/show_bug.cgi?id=84476

        Reviewed by Geoffrey Garen.

        * API/JSBase.cpp:
        (JSGarbageCollect): Notify the Heap's GCActivityCallback using didAbandonObjectGraph.

2012-04-19  Oliver Hunt  <oliver@apple.com>

        Exception stack traces aren't complete when the exception starts in native code
        https://bugs.webkit.org/show_bug.cgi?id=84073

        Reviewed by Filip Pizlo.

        Refactored building the stack trace to so that we can construct
        it earlier, and don't rely on any prior work performed in the
        exception handling machinery. Also updated LLInt and the DFG to
        completely initialise the callframes of host function calls.

        Also fixed a few LLInt paths that failed to correctly update the
        topCallFrame.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (Interpreter):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jsc.cpp:
        (functionJSCStack):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::throwError):
        * runtime/Error.h:
        (JSC):

2012-04-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        We're collecting pathologically due to small allocations
        https://bugs.webkit.org/show_bug.cgi?id=84404

        Reviewed by Geoffrey Garen.

        No change in performance on run-jsc-benchmarks.

        * dfg/DFGSpeculativeJIT.h: Replacing m_firstFreeCell with m_freeList.
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject):
        * heap/CopiedSpace.cpp: Getting rid of any water mark related stuff, since it's no 
        longer useful. 
        (JSC::CopiedSpace::CopiedSpace):
        (JSC::CopiedSpace::tryAllocateSlowCase): We now only call didAllocate here rather than 
        carrying out a somewhat complicated accounting job for our old water mark throughout CopiedSpace.
        (JSC::CopiedSpace::tryAllocateOversize):  Call the new didAllocate to notify the Heap of 
        newly allocated stuff.
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        (JSC::CopiedSpace::destroy):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::startedCopying):
        * heap/Heap.cpp: Removed water mark related stuff, replaced with new bytesAllocated and 
        bytesAllocatedLimit to track how much memory has been allocated since the last collection.
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::collect): We now set the new limit of bytes that we can allocate before triggering 
        a collection to be the size of the Heap after the previous collection. Thus, we still have our 
        2x allocation amount.
        (JSC::Heap::didAllocate): Notifies the GC activity timer of how many bytes have been allocated 
        thus far and then adds the new number of bytes to the current total.
        (JSC):
        * heap/Heap.h: Removed water mark related stuff.
        (JSC::Heap::notifyIsSafeToCollect):
        (Heap):
        (JSC::Heap::shouldCollect):
        (JSC):
        * heap/MarkedAllocator.cpp: 
        (JSC::MarkedAllocator::tryAllocateHelper): Refactored to use MarkedBlock's new FreeList struct.
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::addBlock):
        * heap/MarkedAllocator.h: 
        (MarkedAllocator):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::allocate): 
        (JSC::MarkedAllocator::zapFreeList): Refactored to take in a FreeList instead of a FreeCell.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::sweepHelper):
        (JSC::MarkedBlock::zapFreeList):
        * heap/MarkedBlock.h:
        (FreeList): Added a new struct that keeps track of the current MarkedAllocator's
        free list including the number of bytes of stuff in the free list so that when the free list is 
        exhausted, the correct amount can be reported to Heap.
        (MarkedBlock):
        (JSC::MarkedBlock::FreeList::FreeList):
        (JSC):
        * heap/MarkedSpace.cpp: Removing all water mark related stuff.
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC):
        * heap/WeakSet.cpp:
        (JSC::WeakSet::findAllocator): Refactored to use the didAllocate interface with the Heap. This 
        function still needs work though now that the Heap knows how many bytes have been allocated 
        since the last collection.
        * jit/JITInlineMethods.h: Refactored to use MarkedBlock's new FreeList struct.
        (JSC::JIT::emitAllocateBasicJSObject): Ditto.
        * llint/LowLevelInterpreter.asm: Ditto.
        * runtime/GCActivityCallback.cpp: 
        (JSC::DefaultGCActivityCallback::didAllocate): 
        * runtime/GCActivityCallback.h:
        (JSC::GCActivityCallback::didAllocate): Renamed willAllocate to didAllocate to indicate that 
        the allocation that is being reported has already taken place.
        (DefaultGCActivityCallback):
        * runtime/GCActivityCallbackCF.cpp:
        (JSC):
        (JSC::DefaultGCActivityCallback::didAllocate): Refactored to return early if the amount of 
        allocation since the last collection is not above a threshold (initially arbitrarily chosen to 
        be 128KB). 

2012-04-19  Filip Pizlo  <fpizlo@apple.com>

        MacroAssemblerARMv7::branchTruncateDoubleToUint32 should obey the overflow signal
        https://bugs.webkit.org/show_bug.cgi?id=84401

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchTruncateDoubleToUint32):

2012-04-19  Don Olmstead  <don.olmstead@am.sony.com>

        KeywordLookupGenerator.py should take an output file as an argument
        https://bugs.webkit.org/show_bug.cgi?id=84292

        Reviewed by Eric Seidel.

        Extended KeywordLookupGenerator to accept an additional argument specifying an output file. If this argument is found stdout is redirected to a file for the duration of the script.

        * KeywordLookupGenerator.py:

2012-04-19  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to perform debugCall on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=84381

        Reviewed by Oliver Hunt.
        
        debugCall() was clobbering the argument to the call it was making, leading to a
        corrupt ExecState*. This change fixes that issue by using a scratch register that
        does not clobber arguments, and it also introduces more assertions that we have
        a valid call frame.

        * dfg/DFGAssemblyHelpers.cpp:
        (DFG):
        (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::selectScratchGPR):
        (AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::debugCall):
        (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::selectScratchGPR):

2012-04-19  Filip Pizlo  <fpizlo@apple.com>

        LLInt no-JIT fallback native call trampoline's exception handler incorrectly assumes that
        the PB/PC has been preserved
        https://bugs.webkit.org/show_bug.cgi?id=84367

        Reviewed by Oliver Hunt.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-04-19  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to load from Float64 arrays on ARMv7 without crashing
        https://bugs.webkit.org/show_bug.cgi?id=84361

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):

2012-04-19  Dominik Röttsches  <dominik.rottsches@linux.intel.com>

        [CMake] Build fix after r114575
        https://bugs.webkit.org/show_bug.cgi?id=84322

        Reviewed by Simon Hausmann.

        Build fix, adding WTF when linking jsc shell.

        * shell/CMakeLists.txt:

2012-04-18  Filip Pizlo  <fpizlo@apple.com>

        JSC testing should have complete coverage over typed array types
        https://bugs.webkit.org/show_bug.cgi?id=84302

        Reviewed by Geoff Garen.
        
        Added Uint8ClampedArray to the set of typed arrays that are supported by jsc
        command-line.

        * JSCTypedArrayStubs.h:
        (JSC):
        * jsc.cpp:
        (GlobalObject::finishCreation):

2012-04-18  Filip Pizlo  <fpizlo@apple.com>

        jsc command line should support typed arrays by default
        https://bugs.webkit.org/show_bug.cgi?id=84298

        Rubber stamped by Gavin Barraclough.

        * JSCTypedArrayStubs.h:
        (JSC):
        * jsc.cpp:
        (GlobalObject::finishCreation):

2012-04-18  Filip Pizlo  <fpizlo@apple.com>

        JSVALUE32_64 should be able to perform division on ARM without crashing, and variables
        forced double should not be scrambled when performing OSR entry
        https://bugs.webkit.org/show_bug.cgi?id=84272

        Reviewed by Geoff Garen.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):

2012-04-18  Don Olmstead  <don.olmstead@am.sony.com> 

        JavaScriptCore.gypi not current
        https://bugs.webkit.org/show_bug.cgi?id=84224

        Reviewed by Eric Seidel.

        Updated JavaScriptCore.gypi to contain the latest sources. Removed os-win32 as it wasn't used. Also removed references to ICU files in the gypi file as ICU is most likely specified by the port itself.

        Private and public header files were determined by looking at copy-files.cmd within Apple's Visual Studio directory.

        * JavaScriptCore.gypi:

2012-04-18  Benjamin Poulain  <bpoulain@apple.com>

        Remove m_subclassData from JSArray, move the attribute to subclass as needed
        https://bugs.webkit.org/show_bug.cgi?id=84249

        Reviewed by Geoffrey Garen.

        JSArray's m_subclassData is only used by WebCore's RuntimeArray. This patch moves
        the attribute to RuntimeArray to avoid allocating memory for the pointer in the common
        case.

        This gives ~1% improvement in JSArray creation microbenchmark thanks to fewer allocations
        of CopiedSpace.

        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSArray):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        * runtime/JSArray.h:

2012-04-18  Benjamin Poulain  <bpoulain@apple.com>

        replaceUsingStringSearch: delay the creation of the replace string until needed
        https://bugs.webkit.org/show_bug.cgi?id=83841

        Reviewed by Geoffrey Garen.

        We do not need to obtain the replaceValue until we have a match. By moving the intialization
        of replaceValue when needed, we save a few instructions when there is no match.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncReplace):

2012-04-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC activity timer should be tied to allocation, not collection
        https://bugs.webkit.org/show_bug.cgi?id=83919

        Reviewed by Geoffrey Garen.

        * API/JSContextRef.cpp: Used the new didAbandonObjectGraph callback to indicate that now that we've 
        released a global object, we're abandoning a potentially large number of objects that JSC might want 
        to collect.
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateSlowCase): Added the call to timer's willAllocate function to indicate 
        that we've hit a slow path and are allocating now, so schedule the timer.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::collectAllGarbage): Removed the call to discardAllCompiledCode because it was causing us to 
        throw away too much code during our benchmarks (especially vp8, which is very large and thus has large 
        amounts of compiled code).
        (JSC::Heap::collect): Added the new call to didCollect at the conclusion of a collection so that we 
        can cancel the timer if we no longer need to run a collection. Also added a check at the beginning of a 
        collection to see if we should throw away our compiled code. Currently this is set to happen about once 
        every minute.
        * heap/Heap.h: Added field to keep track of the last time we threw away our compiled code.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase): Added call to willAllocate on the allocation slow path, just like 
        in CopiedSpace.
        * runtime/GCActivityCallback.cpp: Added default stubs for non-CF platforms.
        (JSC::DefaultGCActivityCallback::willAllocate):
        (JSC):
        (JSC::DefaultGCActivityCallback::didCollect):
        (JSC::DefaultGCActivityCallback::didAbandonObjectGraph):
        * runtime/GCActivityCallback.h: Added new functions to make JSC's GC timer less arcane. This includes replacing 
        the operator () with willAllocate() and adding an explicit didCollect() to cancel the timer after a collection 
        occurs rather than relying on the way the timer is invoked to cancel itself. Also added a callback for 
        when somebody else (e.g. WebCore or the JSC API) to notify JSC that they have just abandoned an entire graph of 
        objects and that JSC might want to clean them up.
        (JSC::GCActivityCallback::~GCActivityCallback):
        (JSC::GCActivityCallback::willAllocate):
        (JSC::GCActivityCallback::didCollect):
        (JSC::GCActivityCallback::didAbandonObjectGraph):
        (JSC::GCActivityCallback::synchronize):
        (DefaultGCActivityCallback):
        * runtime/GCActivityCallbackCF.cpp: Re-wired all the run loop stuff to implement the aforementioned functions. 
        We added a flag to check whether the timer was active because the call to CFRunLoopTimerSetNextFireDate actually 
        turned out to be quite expensive (although Instruments couldn't tell us this).
        (DefaultGCActivityCallbackPlatformData):
        (JSC):
        (JSC::DefaultGCActivityCallbackPlatformData::timerDidFire):
        (JSC::DefaultGCActivityCallback::commonConstructor):
        (JSC::scheduleTimer):
        (JSC::cancelTimer):
        (JSC::DefaultGCActivityCallback::willAllocate):
        (JSC::DefaultGCActivityCallback::didCollect):
        (JSC::DefaultGCActivityCallback::didAbandonObjectGraph):

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should not attempt to get rare case counts for op_mod on ARM
        https://bugs.webkit.org/show_bug.cgi?id=84218

        Reviewed by Geoff Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGCommon.h:
        (JSC::DFG::isX86):
        (DFG):

2012-04-17  Myles Maxfield  <mmaxfield@google.com>

        BumpPointerAllocator assumes page size is less than MINIMUM_BUMP_POOL_SIZE
        https://bugs.webkit.org/show_bug.cgi?id=80912

        Reviewed by Hajime Morita.

        * wtf/BumpPointerAllocator.h:
        (WTF::BumpPointerPool::create):

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to create an inheritorID for the global this object without crashing
        https://bugs.webkit.org/show_bug.cgi?id=84200
        <rdar://problem/11251082>

        Reviewed by Oliver Hunt.

        * runtime/JSGlobalThis.cpp:
        (JSC::JSGlobalThis::setUnwrappedObject):
        * runtime/JSGlobalThis.h:
        (JSC::JSGlobalThis::unwrappedObject):
        (JSGlobalThis):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInheritorID):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::resetInheritorID):

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        DFG and LLInt should not clobber the frame pointer on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=84185
        <rdar://problem/10767252>

        Reviewed by Gavin Barraclough.
        
        Changed LLInt to use a different register. Changed DFG to use one fewer
        registers. We should revisit this and switch the DFG to use a different
        register instead of r7, but we can do that in a subsequent step since
        the performance effect is tiny.

        * dfg/DFGGPRInfo.h:
        (GPRInfo):
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        * offlineasm/armv7.rb:

2012-04-17  Filip Pizlo  <fpizlo@apple.com>

        use after free in JSC::DFG::Node::op / JSC::DFG::ByteCodeParser::flushArgument
        https://bugs.webkit.org/show_bug.cgi?id=83942
        <rdar://problem/11247370>

        Reviewed by Gavin Barraclough.
        
        Don't use references to the graph after resizing the graph.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushArgument):

2012-04-16  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype.toString should be generic
        https://bugs.webkit.org/show_bug.cgi?id=81588

        Reviewed by Sam Weinig.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
            - check for join function, use fast case if base object is array & join is present & default.
        * runtime/CommonIdentifiers.h:
            - added 'join'.

2012-04-16  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am: Add missing files.

2012-04-16  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r114309.
        http://trac.webkit.org/changeset/114309
        https://bugs.webkit.org/show_bug.cgi?id=84097

        it broke everything (Requested by olliej on #webkit).

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.h:
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (Interpreter):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (functionJSCStack):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::throwError):
        * runtime/Error.h:
        (JSC):

2012-04-16  Oliver Hunt  <oliver@apple.com>

        Exception stack traces aren't complete when the exception starts in native code
        https://bugs.webkit.org/show_bug.cgi?id=84073

        Reviewed by Gavin Barraclough.

        Refactored building the stack trace to so that we can construct
        it earlier, and don't rely on any prior work performed in the
        exception handling machinery. Also updated LLInt and the DFG to
        completely initialise the callframes of host function calls.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::codeOriginIndexForReturn):
        (CodeBlock):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (Interpreter):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (functionJSCStack):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::throwError):
        * runtime/Error.h:
        (JSC):

2012-04-16  Oliver Hunt  <oliver@apple.com>

        Fix COMMANDLINE_TYPEDARRAYS build
        https://bugs.webkit.org/show_bug.cgi?id=84051

        Reviewed by Gavin Barraclough.

        Update for new putByIndex API and wtf changes.

        * JSCTypedArrayStubs.h:
        (JSC):

2012-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC in the middle of JSObject::allocatePropertyStorage can cause badness
        https://bugs.webkit.org/show_bug.cgi?id=83839

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jit/JITStubs.cpp: Making changes to use the new return value of growPropertyStorage.
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::growPropertyStorage): Renamed to more accurately reflect that we're 
        growing our already-existing PropertyStorage.
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::setPropertyStorage): "Atomically" sets the new property storage 
        and the new structure so that we can be sure a GC never occurs when our Structure
        info is out of sync with our PropertyStorage.
        (JSC):
        (JSC::JSObject::putDirectInternal): Moved the check to see if we should 
        allocate more backing store before the actual property insertion into 
        the structure.
        (JSC::JSObject::putDirectWithoutTransition): Ditto.
        (JSC::JSObject::transitionTo): Ditto.
        * runtime/Structure.cpp:
        (JSC::Structure::suggestedNewPropertyStorageSize): Added to keep the resize policy 
        for property backing stores contained within the Structure class.
        (JSC):
        * runtime/Structure.h:
        (JSC::Structure::shouldGrowPropertyStorage): Lets clients know if another insertion 
        into the Structure would require resizing the property backing store so that they can 
        preallocate the required storage.
        (Structure):

2012-04-13  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r114185.
        http://trac.webkit.org/changeset/114185
        https://bugs.webkit.org/show_bug.cgi?id=83967

        Broke a bunch of JavaScript related tests (Requested by
        andersca on #webkit).

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        * runtime/CommonIdentifiers.h:
        * tests/mozilla/ecma/Array/15.4.4.2.js:
        (getTestCases):

2012-04-13  Gavin Barraclough  <barraclough@apple.com>

        Don't rely on fixed offsets to patch calls
        https://bugs.webkit.org/show_bug.cgi?id=83966

        Rubber stamped by Oliver Hunt.

        These aren't being used anywhere!

        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2012-04-13  Hojong Han  <hojong.han@samsung.com>

        Array.prototype.toString and Array.prototype.toLocaleString should be generic
        https://bugs.webkit.org/show_bug.cgi?id=81588

        Reviewed by Gavin Barraclough.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        * runtime/CommonIdentifiers.h:
        * tests/mozilla/ecma/Array/15.4.4.2.js:
        (getTestCases.array.item.new.TestCase):
        (getTestCases):

2012-04-13  Gavin Barraclough  <barraclough@apple.com>

        Don't rely on fixed offsets to patch method checks
        https://bugs.webkit.org/show_bug.cgi?id=83958

        Reviewed by Oliver Hunt.

        * bytecode/StructureStubInfo.h:
            - Add fields for the method check info.
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
            - Store the offsets on the stub info, instead of asserting.
        * jit/JIT.h:
            - Delete all the method check related offsets.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
            - Use the offset from the stubInfo.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Pass the stubInfo to patchMethodCallProto.

2012-04-13  Gavin Barraclough  <barraclough@apple.com>

        Don't rely on fixed offsets to patch get_by_id/put_by_id
        https://bugs.webkit.org/show_bug.cgi?id=83924

        Reviewed by Oliver Hunt.

        Store offsets in the structure stub info, as we do for the DFG JIT.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetween):
            - this method can be static (now used from PropertyStubCompilationInfo::copyToStubInfo, will be removed soon!)
        * bytecode/StructureStubInfo.h:
            - added new fields for baseline JIT offsets.
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
            - moved out from JIT::privateCompile.
        (JSC::JIT::privateCompile):
            - moved out code to PropertyStubCompilationInfo::copyToStubInfo.
        * jit/JIT.h:
        (PropertyStubCompilationInfo):
            - added helper functions to initializae PropertyStubCompilationInfo, state to store more offset info.
            - removed many offsets.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::patchGetByIdSelf):
        (JSC::JIT::patchPutByIdReplace):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
            - changed code generation to use new interface to store info on PropertyStubCompilationInfo.
            - changed repatch functions to read offsets from the structure stub info.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::patchGetByIdSelf):
        (JSC::JIT::patchPutByIdReplace):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
            - changed code generation to use new interface to store info on PropertyStubCompilationInfo.
            - changed repatch functions to read offsets from the structure stub info.

2012-04-13  Rob Buis  <rbuis@rim.com>

        Fix some compiler warnings (miscellaneous)
        https://bugs.webkit.org/show_bug.cgi?id=80790

        Reviewed by Antonio Gomes.

        Fix signed/unsigned comparison warning.

        * parser/Lexer.cpp:
        (JSC::::record16):

2012-04-12  Benjamin Poulain  <bpoulain@apple.com>

        Improve replaceUsingStringSearch() for case of a single character searchValue
        https://bugs.webkit.org/show_bug.cgi?id=83738

        Reviewed by Geoffrey Garen.

        This patch improves replaceUsingStringSearch() with the following:
        -Add a special case for single character search, taking advantage of the faster WTF::find().
        -Inline replaceUsingStringSearch().
        -Use StringImpl::create() instead of UString::substringSharingImpl() since we know we are in the bounds
         by definition.

        This gives less than 1% improvement for the multicharacter replace.
        The single character search show about 9% improvement.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingStringSearch):

2012-04-12  Michael Saboff  <msaboff@apple.com>

        StructureStubInfo::reset() causes leaks of PolymorphicAccessStructureList and ExecutableMemoryHandle objects
        https://bugs.webkit.org/show_bug.cgi?id=83823

        Reviewed by Gavin Barraclough.

        Put the clearing of the accessType to after the call to deref() so that
        deref() can use the accessType to delete referenced objects as needed.

        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::reset):

2012-04-12  Balazs Kelemen  <kbalazs@webkit.org>

        [Qt] Fix WebKit1 build with V8
        https://bugs.webkit.org/show_bug.cgi?id=83322

        Reviewed by Adam Barth.

        * yarr/yarr.pri:

2012-04-12  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=83821
        Move dfg repatching properties of structure stub info into a union

        Reviewed by Oliver Hunt.

        We want to be able to have similar properties for the baseline JIT, some restructuring to prepare for this.

        * bytecode/StructureStubInfo.h:
        (StructureStubInfo):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchByIdSelfAccess):
        (JSC::DFG::linkRestoreScratch):
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):

2012-04-12  Gavin Barraclough  <barraclough@apple.com>

        Delete a bunch of unused, copy & pasted values in JIT.h
        https://bugs.webkit.org/show_bug.cgi?id=83822

        Reviewed by Oliver Hunt.
        
        The only architecture we support the JSVALUE64 JIT on is x86-64, all the patch offsets for other architectures are just nonsense.

        * jit/JIT.h:
        (JIT):

2012-04-12  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt][ARM] Buildfix after r113934.

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::compare8):
        (MacroAssemblerARM):

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        It is incorrect to short-circuit Branch(LogicalNot(@a)) if boolean speculations on @a may fail
        https://bugs.webkit.org/show_bug.cgi?id=83744
        <rdar://problem/11206946>

        Reviewed by Andy Estes.
        
        This does the conservative thing: it only short-circuits Branch(LogicalNot(@a)) if @a is a node
        that is statically known to return boolean results.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-04-11  Michael Saboff  <msaboff@apple.com>

        Invalid Union Reference in StructureStubInfo.{cpp.h}
        https://bugs.webkit.org/show_bug.cgi?id=83735

        Reviewed by Filip Pizlo.

        Changed the references to u.getByIdProtoList and u.getByIdSelfList
        to be consistent.

        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdSelfList):

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed attempting to make Qt's eccentric hardware work.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::compare8):
        (MacroAssemblerARM):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::compare8):
        (MacroAssemblerMIPS):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::compare8):
        (MacroAssemblerSH4):

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        op_is_foo should be optimized
        https://bugs.webkit.org/show_bug.cgi?id=83666

        Reviewed by Gavin Barraclough.
        
        This implements inlining of op_is_undefined, op_is_string, op_is_number,
        and op_is_boolean in LLInt and the baseline JIT. op_is_object and
        op_is_function are not inlined because they are quite a bit more complex.
        
        This also implements all of the op_is_foo opcodes in the DFG, but it does
        not do any type profiling based optimizations, yet.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::compare8):
        (MacroAssemblerARMv7):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::compare8):
        (MacroAssemblerX86Common):
        * assembler/MacroAssemblerX86_64.h:
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::testPtr):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArguments):
        (CCallHelpers):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_string):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_is_undefined):
        (JSC):
        (JSC::JIT::emit_op_is_boolean):
        (JSC::JIT::emit_op_is_number):
        (JSC::JIT::emit_op_is_string):
        * jit/JITStubs.cpp:
        (JSC):
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/armv7.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        If you use an IntegerOperand and want to return it with integerResult, you need to
        zero extend to get rid of the box
        https://bugs.webkit.org/show_bug.cgi?id=83734
        <rdar://problem/11232296>

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        SpeculativeJIT::fillStorage() should work with all the states that a cell may be in
        https://bugs.webkit.org/show_bug.cgi?id=83722

        Reviewed by Gavin Barraclough.
        
        It's now possible to do StorageOperand on a cell, in the case that the storage is
        inline. But this means that fillStorage() must be able to handle all of the states
        that a cell might be in. Previously it didn't.
        
        With this change, it now does handle all of the states, and moreover, it does so
        by preserving the DataFormat of cells and performing all of the cell speculations
        that should be performed if you're using a cell as storage. But if you use this on
        something that is known to be storage already then it behaves as it did before.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillStorage):

2012-04-11  Filip Pizlo  <fpizlo@apple.com>

        Global variable predictions should not be coalesced unnecessarily
        https://bugs.webkit.org/show_bug.cgi?id=83678

        Reviewed by Geoff Garen.
        
        Removed the PredictionTracker and everyone who used it. Converted GetGlobalVar
        to have a heapPrediction like a civilized DFG opcode ought to.
        
        No performance effect.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecode/PredictionTracker.h: Removed.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-04-11  Benjamin Poulain  <bpoulain@apple.com>

        Optimize String.split() for 1 character separator
        https://bugs.webkit.org/show_bug.cgi?id=83546

        Reviewed by Gavin Barraclough.

        This patch adds a serie of optimizations to make stringProtoFuncSplit() faster in the common case
        where the separator is a single character.

        The two main gains are:
        -Use of the find() function with a single character instead of doing a full string matching.
        -Use of WTF::find() instead of UString::find() to avoid branching on is8Bit() and have a simpler inline
         function.

        The code is also changed to avoid making unnecessary allocations by converting the 8bit string to 16bits.

        This makes String.split() faster by about 13% in that particular case.

        * runtime/StringPrototype.cpp:
        (JSC):
        (JSC::splitStringByOneCharacterImpl):
        (JSC::stringProtoFuncSplit):

2012-04-10  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am: Ad missing files.

2012-04-10  Mark Rowe  <mrowe@apple.com>

        Attempt to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-04-10  Patrick Gansterer  <paroga@webkit.org>

        Cleanup wtf/Platform.h and config.h files
        https://bugs.webkit.org/show_bug.cgi?id=83431

        Reviewed by Eric Seidel.

        The ENABLE() and USE() macros take care about the case when the flag
        isn't defined. So there is no need to define anything with 0.

        Also move duplicated code from the config.h files to Platform.h and
        merge a few preprocessor commands to make the file more readable.

        * config.h:

2012-04-10  Filip Pizlo  <fpizlo@apple.com>

        DFG should flush SetLocals to arguments
        https://bugs.webkit.org/show_bug.cgi?id=83554

        Reviewed by Gavin Barraclough.
        
        This is necessary to match baseline JIT argument capture behavior.
        
        But to make this work right we need to have a story for arguments into
        which we store values of different formats. This patch introduces the
        notion of an ArgumentPosition - i.e. an argument in a particular inline
        call frame - and forces unification of all data pertinent to selecting
        the argument's data format.
        
        Also fixed an amusing bug in the handling of OSR on SetLocals if there
        was any insertion/deletion of nodes in the basic block. This is benign
        for now but won't be eventually since the DFG is getting smarter. So
        better fix it now.
        
        Also fixed an amusing bug in the handling of OSR on SetLocals if they
        are immediately followed by a Flush. I think this bug might have always
        been there but now it'll happen more commonly, and it's covered by the
        run-javascriptcore-tests.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGArgumentPosition.h: Added.
        (DFG):
        (ArgumentPosition):
        (JSC::DFG::ArgumentPosition::ArgumentPosition):
        (JSC::DFG::ArgumentPosition::addVariable):
        (JSC::DFG::ArgumentPosition::mergeArgumentAwareness):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGDoubleFormatState.h: Added.
        (DFG):
        (JSC::DFG::mergeDoubleFormatStates):
        (JSC::DFG::mergeDoubleFormatState):
        (JSC::DFG::doubleFormatStateToString):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::predict):
        (JSC::DFG::VariableAccessData::argumentAwarePrediction):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
        (JSC::DFG::VariableAccessData::doubleFormatState):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):

2012-04-10  Adam Klein  <adamk@chromium.org>

        Remove unused NonNullPassRefPtr from WTF
        https://bugs.webkit.org/show_bug.cgi?id=82389

        Reviewed by Kentaro Hara.

        * JavaScriptCore.order: Remove nonexistent symbols referencing NonNullPassRefPtr.

2012-04-10  Darin Adler  <darin@apple.com>

        Remove unused data member from Lexer class
        https://bugs.webkit.org/show_bug.cgi?id=83429

        Reviewed by Kentaro Hara.

        I noticed that m_delimited was "write-only", so I deleted it.

        * parser/Lexer.cpp:
        (JSC::Lexer::setCode): Removed code to set m_delimited.
        (JSC::Lexer::parseIdentifier): Ditto.
        (JSC::Lexer::parseIdentifierSlowCase): Ditto.
        (JSC::Lexer::lex): Ditto.
        * parser/Lexer.h: Deleted m_delimited.

2012-04-10  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Enable USE_FOLDERS property
        https://bugs.webkit.org/show_bug.cgi?id=83571

        Reviewed by Daniel Bates.

        Setting the FOLDER property on targets gives more structure 
        to the generated Visual Studio solutions.
        This does not affect other CMake generators.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2012-04-10  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to see why a code block was not compiled by the DFG
        https://bugs.webkit.org/show_bug.cgi?id=83553

        Reviewed by Geoff Garen.
        
        If DFG_ENABLE(DEBUG_VERBOSE) and a code block is rejected, then print the
        opcode that caused the rejection.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        (DFG):
        (JSC::DFG::canHandleOpcodes):

2012-04-09  Gavin Barraclough  <barraclough@apple.com>

        If a callback constructor returns a C++ null, throw a type error.
        https://bugs.webkit.org/show_bug.cgi?id=83537

        Rubber Stamped by Geoff Garen.

        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
            - If a callback constructor returns a C++ null, throw a type error.
        * API/tests/testapi.c:
        (Base_returnHardNull):
        * API/tests/testapi.js:
            - Add a test case for callback constructors that return a C++ null.

2012-04-09  Gavin Barraclough  <barraclough@apple.com>

        If a callback function returns a C++ null, convert to undefined.
        https://bugs.webkit.org/show_bug.cgi?id=83534

        Reviewed by Geoff Garen.

        * API/JSCallbackFunction.cpp:
            - If a callback function returns a C++ null, convert to undefined.
        (JSC::JSCallbackFunction::call):
        * API/tests/testapi.c:
        (Base_returnHardNull):
        * API/tests/testapi.js:
            - Add a test case for callback functions that return a C++ null.

2012-04-09  Filip Pizlo  <fpizlo@apple.com>

        Classic interpreter's GC hooks shouldn't attempt to scan instructions for code blocks that
        are currently being generated
        https://bugs.webkit.org/show_bug.cgi?id=83531
        <rdar://problem/11215200>

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):

2012-04-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, modernize and clean up uses of ARM assembly mnemonics in inline asm blocks.

        * dfg/DFGOperations.cpp:
        (JSC):
        * offlineasm/armv7.rb:

2012-04-09  Patrick Gansterer  <paroga@webkit.org>

        Remove HAVE_STDINT_H
        https://bugs.webkit.org/show_bug.cgi?id=83434

        Reviewed by Kentaro Hara.

        HAVE_STDINT_H is defined with 1 all the time and we us stdint.h without HAVE(STDINT_H) already.

        * config.h:

2012-04-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should not load the property storage if it is inline.
        https://bugs.webkit.org/show_bug.cgi?id=83455

        Reviewed by Gavin Barraclough.
        
        We had previously decided to have all property storage accesses go through
        the property storage pointer even if they don't "really" have to, because
        we were thinking this would help GC barriers somehow. Well, we never ended
        up doing anything with that. Hence, doing these wasted loads of the
        property storage pointer when the storage is inline is just a waste of CPU
        cycles.
        
        This change makes the DFG's inline property accesses (GetByOffset and
        PutByOffset) go directly to the inline property storage if the structure(s)
        tell us that it's OK.
        
        This looks like an across-the-board 1% win.

        * bytecode/StructureSet.h:
        (JSC):
        (JSC::StructureSet::allAreUsingInlinePropertyStorage):
        (StructureSet):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillStorage):

2012-04-08  Filip Pizlo  <fpizlo@apple.com>

        Command-line jsc's exception handling should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=83437

        Reviewed by Dan Bernstein.
        
        - If an exception is thrown during run() execution, it is now propagated,
          so that it will terminate program execution unless it is caught.
          
        - If program execution terminates with an exception, the exception is now
          always printed.
          
        - When printing the exception, the backtrace is now also printed if one is
          available. It will only not be available if you use something akin to my
          favorite line of code, 'throw "error"', since primitives don't have
          properties and hence we cannot attach a "stack" property to them.

        * jsc.cpp:
        (functionRun):
        (runWithScripts):

2012-04-04  Filip Pizlo  <fpizlo@apple.com>

        Forced OSR exits should lead to recompilation based on count, not rate
        https://bugs.webkit.org/show_bug.cgi?id=83247
        <rdar://problem/10720925>

        Reviewed by Geoff Garen.
        
        Track which OSR exits happen because of inadequate coverage. Count them
        separately. If the count reaches a threshold, immediately trigger
        reoptimization.
        
        This is in contrast to the recompilation trigger for all other OSR exits.
        Normally recomp is triggered when the exit rate exceeds a certain ratio.
        
        Looks like a slight V8 speedup (sub 1%).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::forcedOSRExitCounter):
        (JSC::CodeBlock::addressOfForcedOSRExitCounter):
        (JSC::CodeBlock::offsetOfForcedOSRExitCounter):
        (JSC::CodeBlock::shouldReoptimizeNow):
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
        (CodeBlock):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::handleExitCounts):
        (DFG):
        * dfg/DFGOSRExitCompiler.h:
        (OSRExitCompiler):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):

2012-04-06  Benjamin Poulain  <bpoulain@apple.com>

        Do not abuse ArrayStorage's m_length for testing array consistency
        https://bugs.webkit.org/show_bug.cgi?id=83403

        Reviewed by Geoffrey Garen.

        Array creation from a list of values is a 3 steps process:
        -JSArray::tryCreateUninitialized()
        -JSArray::initializeIndex() for each values
        -JSArray::completeInitialization()

        Previously, the attribute m_length was not set to the final size
        JSArray::tryCreateUninitialized() because it was used to test the array
        consistency JSArray::initializeIndex().

        This caused the initialization loop using JSArray::initializeIndex() maintain
        two counters:
        -index of the loop
        -storage->m_length++

        This patch fixes this by using the index of the initialization loop for the indinces of
        JSArray::initializeIndex(). For testing consistency, the variable m_initializationIndex
        is introduced if CHECK_ARRAY_CONSISTENCY is defined.

        The patch also fixes minor unrelated build issue when CHECK_ARRAY_CONSISTENCY is defined.

        This improves the performance of JSArray creation from literals by 8%.

        * runtime/JSArray.cpp:
        (JSC::JSArray::tryFinishCreationUninitialized):
        (JSC::JSArray::checkConsistency):
        * runtime/JSArray.h:
        (ArrayStorage):
        (JSC::JSArray::initializeIndex):
        (JSC::JSArray::completeInitialization):

2012-04-06  Jon Lee  <jonlee@apple.com>

        Build fix for Windows bots.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: export missing symbol.

2012-04-06  Geoffrey Garen  <ggaren@apple.com>

        Renamed

                WeakHeap => WeakSet
                HandleHeap => HandleSet

        Reviewed by Sam Weinig.

        These sets do have internal allocators, but it's confusing to call them
        heaps because they're sub-objects of an object called "heap".

        * heap/HandleHeap.cpp: Removed.
        * heap/HandleHeap.h: Removed.
        * heap/HandleSet.cpp: Copied from JavaScriptCore/heap/HandleHeap.cpp.
        * heap/WeakHeap.cpp: Removed.
        * heap/WeakHeap.h: Removed.
        * heap/WeakSet.cpp: Copied from JavaScriptCore/heap/WeakHeap.cpp.
        * heap/WeakSet.h: Copied from JavaScriptCore/heap/WeakHeap.h.

        Plus global rename using grep.

2012-04-06  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/10912476> HiDPI: Have canvas use a hidpi backing store, but downsample upon access

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_HIGH_DPI_CANVAS.

2012-04-06  Rob Buis  <rbuis@rim.com>

        Fix cast-align warnings in JSC
        https://bugs.webkit.org/show_bug.cgi?id=80790

        Reviewed by George Staikos.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::computeJumpType):
        (JSC::ARMv7Assembler::link):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::linkCode):
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::copyAndAppend):
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * wtf/RefCountedArray.h:
        (WTF::RefCountedArray::Header::payload):

2012-04-06  Darin Adler  <darin@apple.com>

        Streamline strtod and fix some related problems
        https://bugs.webkit.org/show_bug.cgi?id=82857

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp:
        (JSC::Lexer<>::lex): Use parseDouble. Since we have already scanned the number
        and we know it has only correct characters, leading spaces, trailing junk, and
        trailing spaces are not a possibility. No need to add a trailing null character.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt): Changed overflow based 10 case to use parseDouble. No need
        to allow trailing junk since the code above already allows only numeric digits
        in the string. This code path is used only in unusual cases, so it's not
        optimized for 8-bit strings, but easily could be.
        (JSC::jsStrDecimalLiteral): Removed the allow trailing junk argument to this
        function template because all the callers are OK with trailing junk. Use the
        parseDouble function. No need to copy the data into a byte buffer, because
        parseDouble handles that.
        (JSC::toDouble): Got rid of the DisallowTrailingJunk argument to the
        jsStrDecimalLiteral function template. That's OK because this function
        already checks for trailing junk and handles it appropriately. The old code
        path was doing it twice.
        (JSC::parseFloat): Got rid of the AllowTrailingJunk argument to the
        jsStrDecimalLiteral function template; the template allows junk unconditionally.

        * runtime/LiteralParser.cpp:
        (JSC::::Lexer::lexNumber): Use parseDouble. Since we have already scanned the number
        and we know it has only correct characters, leading spaces, trailing junk, and
        trailing spaces are not a possibility. No need to add a trailing null character.
        No need to copy the data into a byte buffer, because parseDouble handles that.
        We could optimize the UChar case even more because we know all the characters
        are ASCII, but not doing that at this time.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Updated.

2012-04-06  Patrick Gansterer  <paroga@webkit.org>

        Remove JSC dependency from GregorianDateTime
        https://bugs.webkit.org/show_bug.cgi?id=83290

        Reviewed by Geoffrey Garen.

        This allows us to move it to WTF later.

        * runtime/DateConstructor.cpp:
        (JSC::callDate):
        * runtime/JSDateMath.h:

2012-04-05  Michael Saboff  <msaboff@apple.com>

        Call Heap::discardAllCompiledCode() in low memory situations
        https://bugs.webkit.org/show_bug.cgi?id=83335

        Reviewed by Geoffrey Garen.

        Restructured Heap::discardAllCompiledCode() to do the "Is JavaScriptRunning?"
        check inline so that it can be called directly without this check.

        * heap/Heap.cpp:
        (JSC::Heap::discardAllCompiledCode):
        (JSC::Heap::collectAllGarbage):
        * heap/Heap.h: Added JS_EXPORT_PRIVATE to discardAllCompiledCode() so it can be
        called from WebCore.
        (Heap):
        * runtime/JSGlobalData.h: Removed unused " void discardAllCompiledCode()" declaration.
        (JSGlobalData):

2012-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Speed up the conversion from JSValue to String for bulk operations
        https://bugs.webkit.org/show_bug.cgi?id=83243

        Reviewed by Geoffrey Garen.

        When making operations on primitive types, we loose some time converting
        values to JSString in order to extract the string.

        This patch speeds up some basic Array operations by avoiding the creation
        of intermediary JSString when possible.

        For the cases where we need to convert a lot of JSValue in a tight loop,
        an inline conversion is used.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncSort):
        * runtime/CommonIdentifiers.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::sort):
        * runtime/JSString.h:
        (JSC::JSValue::toUString):
        (JSC):
        (JSC::inlineJSValueNotStringtoUString):
        (JSC::JSValue::toUStringInline):
        * runtime/JSValue.cpp:
        (JSC::JSValue::toUStringSlowCase):
        (JSC):
        * runtime/JSValue.h:
        (JSValue):

2012-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Use QuickSort when sorting primitive values by string representation
        https://bugs.webkit.org/show_bug.cgi?id=83312

        Reviewed by Gavin Barraclough.

        When the value we are sorting are all primitive values, we do not need to
        ensure a stable sort as two values with equal string representation are
        indistinguishable from JavaScript.

        This gives about 16% performance increase when sorting primitive values.

        * runtime/JSArray.cpp:
        (JSC::JSArray::sort):

2012-04-05  Oliver Hunt  <oliver@apple.com>

        SIGILL in JavaScriptCore on a Geode processor
        https://bugs.webkit.org/show_bug.cgi?id=82496

        Reviewed by Gavin Barraclough.

        Don't attempt to use the DFG when SSE2 is not available.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::canCompileOpcodes):

2012-04-05  Oliver Hunt  <oliver@apple.com>

        Fix 32-bit build.

        * API/APICast.h:
        (toJS):

2012-04-05  Oliver Hunt  <oliver@apple.com>

        Replace static_cast with jsCast when casting JSCell subclasses in JSC
        https://bugs.webkit.org/show_bug.cgi?id=83307

        Reviewed by Gavin Barraclough.

        Replace all usage of static_cast<JSCell subtype*> with jsCast<> in JavaScriptCore.
        This results in assertions when unsafe casts are performed, but simply leaves
        a static_cast<> in release builds.

        * API/APICast.h:
        (toJS):
        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        (JSC::::construct):
        (JSC::::call):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::finishCreation):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.h:
        (JSC::isHostFunction):
        * runtime/JSActivation.h:
        (JSC::asActivation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSArray.h:
        (JSC::asArray):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        * runtime/JSByteArray.h:
        (JSC::asByteArray):
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        (JSC::jsCast):
        * runtime/JSGlobalObject.h:
        (JSC::asGlobalObject):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::allowsAccessFrom):
        (JSC::JSObject::toThisObject):
        (JSC::JSObject::unwrappedObject):
        * runtime/JSObject.h:
        (JSC::asObject):
        * runtime/JSPropertyNameIterator.h:
        (JSC::Register::propertyNameIterator):
        * runtime/JSString.h:
        (JSC::asString):
        (JSC::JSValue::toString):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSubstr):

2012-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Make something faster than JSStringBuilder for joining an array of JSValue
        https://bugs.webkit.org/show_bug.cgi?id=83180

        Reviewed by Geoffrey Garen.

        This patch add the class JSStringJoiner optimized for join() operations.

        This class makes stricter constraints than JSStringBuilder in order avoid
        memory allocations.

        In the best case, the class allocate memory only twice:
        -Allocate an array to keep a list of UString to join.
        -Allocate the final string.

        We also avoid the conversion from 8bits strings to 16bits strings since
        they are costly and unlikly to help for subsequent calls.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        * runtime/JSStringJoiner.cpp: Added.
        (JSC):
        (JSC::appendStringToData):
        (JSC::joinStrings):
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h: Added.
        (JSC):
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2012-04-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=77293
        [Un]Reserve 'let'

        Rubber stamped by Oliver Hunt.

        Revert r106198.
        This does break the web - e.g. https://bvi.bnc.ca/index/bnc/indexen.html
        If we're going to reserve let, we're going to have to do so in a more
        circumspect fashion.

        * parser/Keywords.table:

2012-04-05  Michael Saboff  <msaboff@apple.com>

        Rolling out http://trac.webkit.org/changeset/113262.
        Original code was fine.

        Rubber-stamped by Oliver Hunt.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::additionBlindedConstant):

2012-04-05  Patrick Gansterer  <paroga@webkit.org>

        [WinCE] Remove unnecessary function decleration
        https://bugs.webkit.org/show_bug.cgi?id=83155

        Reviewed by Kentaro Hara.

        * runtime/JSDateMath.cpp:

2012-04-04  Patrick Gansterer  <paroga@webkit.org>

        Add WTF::getCurrentLocalTime()
        https://bugs.webkit.org/show_bug.cgi?id=83164

        Reviewed by Alexey Proskuryakov.

        Replace the calls to WTF::getLocalTime() with time(0) with the new function.
        This allows us to use Win32 API on windows to get the same result in a next step.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/DateConstructor.cpp:
        (JSC::callDate):

2012-04-04  Oliver Hunt  <oliver@apple.com>

        Parser fails to revert some state after parsing expression and object literals.
        https://bugs.webkit.org/show_bug.cgi?id=83236

        Reviewed by Gavin Barraclough.

        Reset left hand side counter after parsing the literals.

        * parser/Parser.cpp:
        (JSC::::parseObjectLiteral):
        (JSC::::parseStrictObjectLiteral):
        (JSC::::parseArrayLiteral):

2012-04-04  Filip Pizlo  <fpizlo@apple.com>

        DFG InstanceOf should not uselessly speculate cell
        https://bugs.webkit.org/show_bug.cgi?id=83234

        Reviewed by Oliver Hunt.
        
        If InstanceOf is the only user of its child then don't speculate cell, since
        the not-cell case is super easy to handle.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):

2012-04-04  Michael Saboff  <msaboff@apple.com>

        Fixed minor error: "& 3" should be "& 2".

        Rubber-stamped by Oliver Hunt.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::additionBlindedConstant):

2012-04-04  Michael Saboff  <msaboff@apple.com>

        Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
        https://bugs.webkit.org/show_bug.cgi?id=83191

        Reviewed by Oliver Hunt.

        Make are that blinded constant pairs are similarly aligned to the
        original immediate values so that instructions that expect that
        alignment work correctly.  One example is ARMv7 add/sub imm to SP.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::add): Added ASSERT that immediate is word aligned.
        (JSC::ARMv7Assembler::sub): Added ASSERT that immediate is word aligned.
        (JSC::ARMv7Assembler::sub_S): Added ASSERT that immediate is word aligned.
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::additionBlindedConstant):

2012-04-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should short-circuit Branch(LogicalNot(...))
        https://bugs.webkit.org/show_bug.cgi?id=83181

        Reviewed by Geoff Garen.
        
        Slight (sub 1%) speed-up on V8.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-04-04  Geoffrey Garen  <ggaren@apple.com>

        [Qt] REGRESSION(r113141): All tests assert on 32 bit debug mode
        https://bugs.webkit.org/show_bug.cgi?id=83139

        Reviewed by Sam Weinig.

        * heap/PassWeak.h:
        (JSC::::get): 32-bit JSValue treats JSValue(nullptr).asCell() as an error,
        so work around that here. (Long-term, we should make 32-bit and 64-bit
        agree on the right behavior.)

2012-04-03  Geoffrey Garen  <ggaren@apple.com>

        Updated JSC expected test results to reflect recent bug fixes <disapproving look>.

        Reviewed by Sam Weinig.

        * tests/mozilla/expected.html:

2012-03-29  Geoffrey Garen  <ggaren@apple.com>

        First step toward incremental Weak<T> finalization
        https://bugs.webkit.org/show_bug.cgi?id=82670

        Reviewed by Filip Pizlo.

        This patch implements a Weak<T> heap that is compatible with incremental
        finalization, while making as few behavior changes as possible. The behavior
        changes it makes are:

        (*) Weak<T>'s raw JSValue no longer reverts to JSValue() automatically --
        instead, a separate flag indicates that the JSValue is no longer valid.
        (This is required so that the JSValue can be preserved for later finalization.)
        Objects dealing with WeakImpls directly must change to check the flag.

        (*) Weak<T> is no longer a subclass of Handle<T>.

        (*) DOM GC performance is different -- 9% faster in the geometric mean,
        but 15% slower in one specific case:
                gc-dom1.html: 6%  faster
                gc-dom2.html: 23% faster
                gc-dom3.html: 17% faster
                gc-dom4.html: 15% *slower*

        The key features of this new heap are:

        (*) Each block knows its own state, independent of any other blocks.

        (*) Each block caches its own sweep result.

        (*) The heap visits dead Weak<T>s at the end of GC. (It doesn't
        mark them yet, since that would be a behavior change.)

        * API/JSCallbackObject.cpp:
        (JSC::JSCallbackObjectData::finalize):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::init): Updated to use the new WeakHeap API.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri: Paid the build system tax since I added some new files.

        * heap/Handle.h: Made WeakBlock a friend and exposed slot() as public,
        so we can keep passing a Handle<T> to finalizers, to avoid more surface
        area change in this patch. A follow-up patch should change the type we
        pass to finalizers.

        * heap/HandleHeap.cpp:
        (JSC):
        (JSC::HandleHeap::writeBarrier):
        (JSC::HandleHeap::isLiveNode):
        * heap/HandleHeap.h:
        (JSC):
        (HandleHeap):
        (Node):
        (JSC::HandleHeap::Node::Node): Removed all code related to Weak<T>, since
        we have a separate WeakHeap now.

        * heap/Heap.cpp:
        (JSC::Heap::Heap): Removed m_extraCost because extra cost is accounted
        for through our watermark now. Removed m_waterMark because it was unused.

        (JSC::Heap::destroy): Updated for addition of WeakHeap.

        (JSC::Heap::reportExtraMemoryCostSlowCase): Changed from using its own
        variable to participating in the watermark strategy. I wanted to standardize
        WeakHeap and all other Heap clients on this strategy, to make sure it's
        accurate.
 
        (JSC::Heap::markRoots): Updated for addition of WeakHeap. Added WeakHeap
        dead visit pass, as explained above.

        (JSC::Heap::collect):
        (JSC::Heap::resetAllocators): Updated for addition of WeakHeap.

        (JSC::Heap::addFinalizer):
        (JSC::Heap::FinalizerOwner::finalize): Updated for new Weak<T> API.

        * heap/Heap.h:
        (JSC::Heap::weakHeap):
        (Heap):
        (JSC::Heap::addToWaterMark): Added a way to participate in the watermarking
        strategy, since this is the best way for WeakHeap to report its memory
        cost. (I plan to update this in a follow-up patch to make it more accurate,
        but for now it is not less accurate than it used to be.)

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC::MarkedSpace::addToWaterMark):
        (JSC::MarkedSpace::didConsumeFreeList): Removed m_nurseryWaterMark because
        it was unused, and I didn't want to update WeakHeap to keep an usused
        variable working. Added API for above.

        * heap/PassWeak.h:
        (JSC):
        (WeakImplAccessor):
        (PassWeak):
        (JSC::::operator):
        (JSC::::get):
        (JSC::::was):
        (JSC::::PassWeak):
        (JSC::::~PassWeak):
        (JSC::UnspecifiedBoolType):
        (JSC::::leakImpl):
        (JSC::adoptWeak):
        * heap/Strong.h:
        (JSC::Strong::operator!):
        (Strong):
        (JSC::Strong::operator UnspecifiedBoolType*):
        (JSC::Strong::get):
        * heap/Weak.h:
        (Weak):
        (JSC::::Weak):
        (JSC):
        (JSC::::isHashTableDeletedValue):
        (JSC::::~Weak):
        (JSC::::swap):
        (JSC::=):
        (JSC::::operator):
        (JSC::UnspecifiedBoolType):
        (JSC::::release):
        (JSC::::clear):
        (JSC::::hashTableDeletedValue): Lots of code changes here, but they boil
        down to two things:

        (*) Allocate WeakImpls from the WeakHeap instead of Handles from the HandleHeap.

        (*) Explicitly check WeakImpl::state() for non-liveness before returning
        a value (explained above).

        These files implement the new Weak<T> heap behavior described above:

        * heap/WeakBlock.cpp: Added.
        * heap/WeakBlock.h: Added.
        * heap/WeakHandleOwner.cpp: Added.
        * heap/WeakHandleOwner.h: Added.
        * heap/WeakHeap.cpp: Added.
        * heap/WeakHeap.h: Added.
        * heap/WeakImpl.h: Added.

        One interesting difference from the old heap is that we don't allow
        clients to overwrite a WeakImpl after allocating it, and we don't recycle
        WeakImpls prior to garbage collection. This is required for lazy finalization,
        but it will also help us esablish a useful invariant in the future: allocating
        a WeakImpl will be a binding contract to run a finalizer at some point in the
        future, even if the WeakImpl is later deallocated.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub): Check the Weak<T> for ! instead of
        its JSValue, since that's our API contract now, and the JSValue might
        be stale.

        * runtime/JSCell.h:
        (JSC::jsCast): Allow casting NULL pointers because it's useful and harmless.

        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add): I can't remember why I did this.

        * runtime/StructureTransitionTable.h:
        * runtime/WeakGCMap.h: I had to update these classes because they allocate
        and deallocate weak pointers manually. They should probably stop doing that.

2012-04-03  Keishi Hattori  <keishi@webkit.org>

        Disable ENABLE_DATALIST for now
        https://bugs.webkit.org/show_bug.cgi?id=82871

        Reviewed by Kent Tamura.

        * Configurations/FeatureDefines.xcconfig: Disabled ENABLE_DATALIST.

2012-04-02  Filip Pizlo  <fpizlo@apple.com>

        jsr/sret should be removed
        https://bugs.webkit.org/show_bug.cgi?id=82986
        <rdar://problem/11017015>

        Reviewed by Sam Weinig and Geoff Garen.
        
        Replaces jsr/sret with finally block inlining.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::emitComplexJumpScopes):
        (JSC):
        * bytecompiler/BytecodeGenerator.h:
        (FinallyContext):
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC):
        * jit/JITOpcodes32_64.cpp:
        (JSC):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-04-03  Mark Rowe  <mrowe@apple.com>

        Make it possible to install the JavaScriptCore test tools.

        Part of <rdar://problem/11158607>.
        
        Reviewed by Filip Pizlo.

        * JavaScriptCore.xcodeproj/project.pbxproj: Introduce an aggregate target named
        Test Tools that builds testapi, minidom and testRegExp. Switch All from depending on
        those targets individually to depending on the new aggregate target.

2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend has a very convoluted way of saying it wants to emit a
        three-operand multiply instruction
        https://bugs.webkit.org/show_bug.cgi?id=83100

        Reviewed by Darin Adler.
        
        Changed the "muli"/"mulp" case to call emitArmV7() since that helper method was
        already smart enough to do the Right Thing for multiply.

        * offlineasm/armv7.rb:

2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend uses the wrong mnemonic for multiply
        https://bugs.webkit.org/show_bug.cgi?id=83098
        <rdar://problem/11168744>

        Reviewed by Gavin Barraclough.
        
        Use "mul" instead of "muls" since we're passing three operands, not two.

        * offlineasm/armv7.rb:

2012-04-03  Gavin Barraclough  <barraclough@apple.com>

        Linux crashes during boot
        https://bugs.webkit.org/show_bug.cgi?id=83096

        Reviewed by Filip Pizlo.

        The bug here is that we add empty JSValues to the sparse map, and then set them
        - but a GC may occur before doing so (due to a call to reportExtraMemory cost).
        We may want to consider making it safe to mark empty JSValues, but the simple &
        contained fix to this specific bug is to just initialize these values to
        something other than JSValue().

        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::add):
            - Initialize sparse map entries.

2012-04-02  Oliver Hunt  <oliver@apple.com>

        Incorrect liveness information when inlining
        https://bugs.webkit.org/show_bug.cgi?id=82985

        Reviewed by Filip Pizlo.

        Don't remap register numbers that have already been remapped.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):

2012-04-02  Filip Pizlo  <fpizlo@apple.com>

        Activation tear-off neglects to copy the callee and scope chain, leading to crashes if we
        try to create an arguments object from the activation
        https://bugs.webkit.org/show_bug.cgi?id=82947
        <rdar://problem/11058598>

        Reviewed by Gavin Barraclough.
        
        We now copy the entire call frame header just to be sure. This is mostly perf-netural,
        except for a 3.7% slow-down in V8/earley.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        (JSC::JSActivation::tearOff):

2012-04-02  Daniel Bates  <dbates@webkit.org>

        Remove Source/JavaScriptCore/wtf and its empty subdirectories

        Rubber-stamped by Eric Seidel.

        Following the move of WTF from Source/JavaScriptCore/wtf to Source/WTF
        (https://bugs.webkit.org/show_bug.cgi?id=75673), remove directory
        Source/JavaScriptCore/wtf and its empty subdirectories.

        * wtf: Removed.
        * wtf/android: Removed.
        * wtf/blackberry: Removed.
        * wtf/chromium: Removed.
        * wtf/dtoa: Removed.
        * wtf/efl: Removed.
        * wtf/gobject: Removed.
        * wtf/gtk: Removed.
        * wtf/mac: Removed.
        * wtf/qt: Removed.
        * wtf/qt/compat: Removed.
        * wtf/tests: Removed.
        * wtf/text: Removed.
        * wtf/threads: Removed.
        * wtf/threads/win: Removed.
        * wtf/unicode: Removed.
        * wtf/unicode/glib: Removed.
        * wtf/unicode/icu: Removed.
        * wtf/unicode/qt4: Removed.
        * wtf/unicode/wince: Removed.
        * wtf/url: Removed.
        * wtf/url/api: Removed.
        * wtf/url/src: Removed.
        * wtf/win: Removed.
        * wtf/wince: Removed.
        * wtf/wx: Removed.

2012-04-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am: Add missing file.

2012-04-01  Darin Adler  <darin@apple.com>

        Fix incorrect path for libWTF.a in Mac project file.

        * JavaScriptCore.xcodeproj/project.pbxproj: Removed the "../Release" prefix that
        would cause other configurations to try to link with the "Release" version of
        libWTF.a instead of the correct version.

2012-03-29  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize a==b for a being an object and b being either an object or
        null/undefined, and vice versa
        https://bugs.webkit.org/show_bug.cgi?id=82656

        Reviewed by Oliver Hunt.
        
        Implements additional object equality optimizations for the case that one
        operand is predicted to be an easily speculated object (like FinalObject or
        Array) and the other is either an easily speculated object or Other, i.e.
        Null or Undefined.
        
        2-5% speed-up on V8/raytrace, leading to a sub-1% progression on V8.
        
        I also took the opportunity to clean up the control flow for the speculation
        decisions in the various Compare opcodes. And to fix a build bug in SamplingTool.
        And to remove debug cruft I stupidly committed in my last patch.
        
        * bytecode/SamplingTool.h:
        (SamplingRegion):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2012-03-30  David Barr  <davidbarr@chromium.org>

        Split up top-level .gitignore and .gitattributes
        https://bugs.webkit.org/show_bug.cgi?id=82687

        Reviewed by Tor Arne Vestbø.

        * JavaScriptCore.gyp/.gitignore: Added.

2012-03-30  Steve Falkenburg  <sfalken@apple.com>

        Windows (make based) build fix.

        * JavaScriptCore.vcproj/JavaScriptCore.make: Copy WTF header files into a place where JavaScriptCore build can see them.

2012-03-30  Keishi Hattori  <keishi@webkit.org>

        Change ENABLE_INPUT_COLOR to ENABLE_INPUT_TYPE_COLOR and enable it for chromium
        https://bugs.webkit.org/show_bug.cgi?id=80972

        Reviewed by Kent Tamura.

        * Configurations/FeatureDefines.xcconfig:

2012-03-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor recompileAllJSFunctions() to be less expensive
        https://bugs.webkit.org/show_bug.cgi?id=80330

        Reviewed by Filip Pizlo.

        This change is performance neutral on the JS benchmarks we track. It's mostly to improve page 
        load performance, which currently does at least a couple full GCs per navigation.

        * heap/Heap.cpp:
        (JSC::Heap::discardAllCompiledCode): Rename recompileAllJSFunctions to discardAllCompiledCode 
        because the function doesn't actually recompile anything (and never did); it simply throws code
        away for it to be recompiled later if we determine we should do so.
        (JSC):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::addFunctionExecutable): Adds a newly created FunctionExecutable to the Heap's list.
        (JSC::Heap::removeFunctionExecutable): Removes the specified FunctionExecutable from the Heap's list.
        * heap/Heap.h:
        (JSC):
        (Heap):
        * runtime/Executable.cpp: Added next and prev fields to FunctionExecutables so that they can 
        be used in DoublyLinkedLists.
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::finalize): Removes the FunctionExecutable from the Heap's list.
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::create): Adds the FunctionExecutable to the Heap's list.
        * runtime/JSGlobalData.cpp: Remove recompileAllJSFunctions, as it's the Heap's job to own and manage 
        the list of FunctionExecutables.
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Use the new discardAllCompiledCode.

2012-03-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-x86 platforms.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_mod):

2012-03-29  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix p2.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-29  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix p1.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-29  Gavin Barraclough  <barraclough@apple.com>

        Template the Yarr::Interpreter on the character type
        https://bugs.webkit.org/show_bug.cgi?id=82637

        Reviewed by Sam Weinig.

        We should be able to call to the interpreter after having already checked the character type,
        without having to re-package the character pointer back up into a string!

        * runtime/RegExp.cpp:
        (JSC::RegExp::match):
        (JSC::RegExp::matchCompareWithInterpreter):
            - Don't pass length.
        * yarr/Yarr.h:
            - moved function declarations to YarrInterpreter.h.
        * yarr/YarrInterpreter.cpp:
        (Yarr):
        (Interpreter):
        (JSC::Yarr::Interpreter::InputStream::InputStream):
        (InputStream):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::interpret):
            - templated Interpreter class on CharType.
        * yarr/YarrInterpreter.h:
        (Yarr):
            - added function declarations.

2012-03-29  David Kilzer  <ddkilzer@apple.com>

        Don't use a flattened framework path when building on OS X

        Reviewed by Mark Rowe.

        * Configurations/ToolExecutable.xcconfig: Use REAL_PLATFORM_NAME
        to select different INSTALL_PATH values.

2012-03-29  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix, add Win-specific sources
        the wx port needs after WTF move.

        * wscript:

2012-03-29  Andy Estes  <aestes@apple.com>

        Remove an unused variable that breaks the build with newer versions of clang.

        Rubber stamped by Gavin Barraclough.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):

2012-03-29  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        HashMap<>::add should return a more descriptive object
        https://bugs.webkit.org/show_bug.cgi?id=71063

        Reviewed by Ryosuke Niwa.

        Update code to use AddResult instead of a pair. Note that since WeakGCMap wraps
        the iterator type, there's a need for its own AddResult type -- instantiated from
        HashTableAddResult template class.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::contextData):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::addGlobalVar):
        (JSC::BytecodeGenerator::addConstant):
        (JSC::BytecodeGenerator::addConstantValue):
        (JSC::BytecodeGenerator::emitLoad):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::emitLazyNewFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * debugger/Debugger.cpp:
        * dfg/DFGAssemblyHelpers.cpp:
        (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        * parser/Parser.cpp:
        (JSC::::parseStrictObjectLiteral):
        * parser/Parser.h:
        (JSC::Scope::declareParameter):
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        (JSC::Identifier::addSlowCase):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        (JSC::IdentifierTable::add):
        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::put):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::JSArray::enterDictionaryMode):
        (JSC::JSArray::defineOwnNumericProperty):
        * runtime/JSArray.h:
        (SparseArrayValueMap):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add):
        * runtime/WeakGCMap.h:
        (WeakGCMap):
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::set):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::sampleChild):

2012-03-29  Patrick Gansterer  <paroga@webkit.org>

        Build fix for !ENABLE(YARR_JIT) after r112454.

        * runtime/RegExp.cpp:
        (JSC::RegExp::invalidateCode):

2012-03-28  Filip Pizlo  <fpizlo@apple.com>

        DFG object equality speculations should be simplified
        https://bugs.webkit.org/show_bug.cgi?id=82557

        Reviewed by Gavin Barraclough.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateFinalObject):
        (JSC::DFG::Node::shouldSpeculateArray):

2012-03-28  David Kilzer  <ddkilzer@apple.com>

        minidom configurations should be based on ToolExecutable.xcconfig
        <http://webkit.org/b/82513>

        Reviewed by Mark Rowe.

        Note that this patch changes minidom from being installed in
        /usr/local/bin to JavaScriptCore.framework/Resources.

        * Configurations/ToolExecutable.xcconfig: Add semi-colon.
        * JavaScriptCore.xcodeproj/project.pbxproj: Base minidom
        configurations on ToolExecutable.xcconfig.  Remove redundant
        PRODUCT_NAME and SKIP_INSTALL variables.

2012-03-28  Gavin Barraclough  <barraclough@apple.com>

        Build fix - some compiles generating NORETURN related warnings.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::setSubpatternStart):
        (JSC::Yarr::YarrGenerator::setSubpatternEnd):
        (JSC::Yarr::YarrGenerator::clearSubpatternStart):

2012-03-28  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Build fix, move WTF back into JSCore target
        until issues with JSCore not linking in all WTF symbols are resolved.
        
        * wscript:

2012-03-28  Gavin Barraclough  <barraclough@apple.com>

        Yarr: if we're not using the output array, don't populate it!
        https://bugs.webkit.org/show_bug.cgi?id=82519

        Reviewed by Sam Weinig.

        * runtime/RegExp.cpp:
        (JSC):
            - Missed review comment! - didn't fully remove RegExpRepresentation.

2012-03-28  Gavin Barraclough  <barraclough@apple.com>

        Yarr: if we're not using the output array, don't populate it!
        https://bugs.webkit.org/show_bug.cgi?id=82519

        Reviewed by Sam Weinig.

        Add a new variant of the match method to RegExp that returns a MatchResult,
        and modify YarrJIT to be able to compile code that doesn't use an output vector.

        This is a 3% progression on v8-regexp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Moved MatchResult into its own header.
        * assembler/AbstractMacroAssembler.h:
            - Added missing include.
        * runtime/MatchResult.h: Added.
        (MatchResult::MatchResult):
        (MatchResult):
        (MatchResult::failed):
        (MatchResult::operator bool):
        (MatchResult::empty):
            - Moved MatchResult into its own header.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::match):
            - Changed due to execute & representation changes.
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
            - Added helper to compile MatchOnly code.
        (JSC::RegExp::invalidateCode):
        (JSC::RegExp::matchCompareWithInterpreter):
        (JSC::RegExp::printTraceData):
            - Changed due representation changes.
        * runtime/RegExp.h:
        (RegExp):
        (JSC::RegExp::hasCode):
            - Made YarrCodeBlock a member.
        * runtime/RegExpConstructor.h:
        (RegExpConstructor):
        (JSC::RegExpConstructor::performMatch):
            - Added no-ovector form.
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
            - Match now takes a reference to ovector, not a pointer.
        * runtime/RegExpObject.h:
        (JSC):
            - Moved MatchResult into its own header.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):
            - Match now takes a reference to ovector, not a pointer.
        * testRegExp.cpp:
        (testOneRegExp):
            - Match now takes a reference to ovector, not a pointer.
        * yarr/YarrJIT.cpp:
        (Yarr):
        (YarrGenerator):
        (JSC::Yarr::YarrGenerator::initCallFrame):
        (JSC::Yarr::YarrGenerator::removeCallFrame):
        (JSC::Yarr::YarrGenerator::setSubpatternStart):
        (JSC::Yarr::YarrGenerator::setSubpatternEnd):
        (JSC::Yarr::YarrGenerator::clearSubpatternStart):
        (JSC::Yarr::YarrGenerator::setMatchStart):
        (JSC::Yarr::YarrGenerator::getMatchStart):
            - Added helper functions to intermediate access to output.
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::compile):
            - Changed to use the new helpers, only generate subpatterns if IncludeSubpatterns.
        (JSC::Yarr::jitCompile):
            - Needs to template of MatchOnly or IncludeSubpatterns.
        * yarr/YarrJIT.h:
        (YarrCodeBlock):
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::has8BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::has16BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::execute):
        (JSC::Yarr::YarrCodeBlock::clear):
            - Added a second set of CodeRefs, so that we can compile RexExps with/without subpattern matching.

2012-03-27  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit should not generate an exit for variables of inlinees if the
        inlinees are not in scope
        https://bugs.webkit.org/show_bug.cgi?id=82312

        Reviewed by Oliver Hunt.
        
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        (JSC):
        (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::computeNumVariablesForCodeOrigin):
        (DFG):
        (JSC::DFG::OSRExit::OSRExit):

2012-03-27  Matt Lilek  <mrl@apple.com>

        Stop compiling Interpreter.cpp with -fno-var-tracking
        https://bugs.webkit.org/show_bug.cgi?id=82299

        Reviewed by Anders Carlsson.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-27  Pratik Solanki  <psolanki@apple.com>

        Compiler warning when JIT is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=82352

        Reviewed by Filip Pizlo.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):

2012-03-26  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Unaligned userspace access for SH4 platforms
        https://bugs.webkit.org/show_bug.cgi?id=79104

        Reviewed by Gavin Barraclough.

        * assembler/AbstractMacroAssembler.h:
        (Jump):
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load16Unaligned):
        (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords):
        (JSC::MacroAssemblerSH4::branchDouble):
        (JSC::MacroAssemblerSH4::branchTrue):
        (JSC::MacroAssemblerSH4::branchFalse):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::extraInstrForBranch):
        (SH4Assembler):
        (JSC::SH4Assembler::bra):
        (JSC::SH4Assembler::linkJump):
        * jit/JIT.h:
        (JIT):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

2012-03-26  Ryosuke Niwa  <rniwa@webkit.org>

        cssText should use shorthand notations
        https://bugs.webkit.org/show_bug.cgi?id=81737

        Reviewed by Enrica Casucci.

        Export symbols of BitVector on Windows.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-26  Filip Pizlo  <fpizlo@apple.com>

        DFG should assert that argument value recoveries can only be
        AlreadyInRegisterFile or Constant
        https://bugs.webkit.org/show_bug.cgi?id=82249

        Reviewed by Michael Saboff.
        
        Made the assertions that the DFG makes for argument value recoveries match
        what Arguments expects.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::isConstant):
        (ValueRecovery):
        (JSC::ValueRecovery::isAlreadyInRegisterFile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-26  Dan Bernstein  <mitz@apple.com>

        Tried to fix the Windows build.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::putRange):

2012-03-26  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - speculative Windows build fix.

        * yarr/YarrCanonicalizeUCS2.h:
        (JSC::Yarr::getCanonicalPair):

2012-03-26  Dan Bernstein  <mitz@apple.com>

        Fixed builds with assertions disabled.

        * yarr/YarrCanonicalizeUCS2.h:
        (JSC::Yarr::areCanonicallyEquivalent):

2012-03-26  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - errk! - accidentally the whole pbxproj.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-25  Gavin Barraclough  <barraclough@apple.com>

        Greek sigma is handled wrong in case independent regexp.
        https://bugs.webkit.org/show_bug.cgi?id=82063

        Reviewed by Oliver Hunt.

        The bug here is that we assume that any given codepoint has at most one additional value it
        should match under a case insensitive match, and that the pair of codepoints that match (if
        a codepoint does not only match itself) can be determined by calling toUpper/toLower on the
        given codepoint). Life is not that simple.

        Instead, pre-calculate a set of tables mapping from a UCS2 codepoint to the set of characters
        it may match, under the ES5.1 case-insensitive matching rules. Since unicode is fairly regular
        we can pack this table quite nicely, and get it down to 364 entries. This means we can use a
        simple binary search to find an entry in typically eight compares.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * yarr/yarr.pri:
            - Added new files to build systems.
        * yarr/YarrCanonicalizeUCS2.cpp: Added.
            - New - autogenerated, UCS2 canonicalized comparison tables.
        * yarr/YarrCanonicalizeUCS2.h: Added.
        (JSC::Yarr::rangeInfoFor):
            - Look up the canonicalization info for a UCS2 character.
        (JSC::Yarr::getCanonicalPair):
            - For a UCS2 character with a single equivalent value, look it up.
        (JSC::Yarr::isCanonicallyUnique):
            - Returns true if no other UCS2 code points are canonically equal.
        (JSC::Yarr::areCanonicallyEquivalent):
            - Compare two values, under canonicalization rules.
        * yarr/YarrCanonicalizeUCS2.js: Added.
            - script used to generate YarrCanonicalizeUCS2.cpp.
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::tryConsumeBackReference):
            - Use isCanonicallyUnique, rather than Unicode toUpper/toLower.
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
            - Use isCanonicallyUnique, rather than Unicode toUpper/toLower.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::putChar):
            - Updated to determine canonical equivalents correctly.
        (JSC::Yarr::CharacterClassConstructor::putUnicodeIgnoreCase):
            - Added, used to put a non-ascii, non-unique character in a case-insensitive match.
        (JSC::Yarr::CharacterClassConstructor::putRange):
            - Updated to determine canonical equivalents correctly.
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
            - Changed to call putUnicodeIgnoreCase, instead of putChar, avoid a double lookup of rangeInfo.

2012-03-26  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Add the build outputs dir to the list of build dirs,
        so we make sure it finds the API headers on all platforms.

        * wscript:

2012-03-26  Patrick Gansterer  <paroga@webkit.org>

        Build fix for WinCE after r112039.

        * interpreter/Register.h:
        (Register): Removed inline keyword from decleration since
                    there is an ALWAYS_INLINE at the definition anyway.

2012-03-26  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files.

2012-03-25  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Move WTF to its own static lib build.

        * wscript:

2012-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFG int-to-double conversion should be revealed to CSE
        https://bugs.webkit.org/show_bug.cgi?id=82135

        Reviewed by Oliver Hunt.
        
        This introduces the notion of an Int32ToDouble node, which is injected
        into the graph anytime we know that we have a double use of a node that
        was predicted integer. The Int32ToDouble simplifies double speculation
        on integers by skipping the path that would unbox doubles, if we know
        that the value is already proven to be an integer. It allows integer to
        double conversions to be subjected to common subexpression elimination
        (CSE) by allowing the CSE phase to see where these conversions are
        occurring. Finally, it allows us to see when a constant is being used
        as both a double and an integer. This is a bit odd, since it means that
        sometimes a double use of a constant will not refer directly to the
        constant. This should not cause problems, for now, but it may require
        some canonizalization in the future if we want to support strength
        reductions of double operations based on constants.
        
        To allow injection of nodes into the graph, this change introduces the
        DFG::InsertionSet, which is a way of lazily inserting elements into a
        list. This allows the FixupPhase to remain O(N) despite performing
        multiple injections in a single basic block. Without the InsertionSet,
        each injection would require performing an insertion into a vector,
        which is O(N), leading to O(N^2) performance overall. With the
        InsertionSet, each injection simply records what insertion would have
        been performed, and all insertions are performed at once (via
        InsertionSet::execute) after processing of a basic block is completed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PredictedType.h:
        (JSC::isActionableIntMutableArrayPrediction):
        (JSC):
        (JSC::isActionableFloatMutableArrayPrediction):
        (JSC::isActionableTypedMutableArrayPrediction):
        (JSC::isActionableMutableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.h:
        (JSC::DFG::useKindToString):
        (DFG):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (FixupPhase):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGInsertionSet.h: Added.
        (DFG):
        (Insertion):
        (JSC::DFG::Insertion::Insertion):
        (JSC::DFG::Insertion::index):
        (JSC::DFG::Insertion::element):
        (InsertionSet):
        (JSC::DFG::InsertionSet::InsertionSet):
        (JSC::DFG::InsertionSet::append):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFGOperands should be moved out of the DFG and into bytecode
        https://bugs.webkit.org/show_bug.cgi?id=82151

        Reviewed by Dan Bernstein.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Operands.h: Copied from Source/JavaScriptCore/dfg/DFGOperands.h.
        * dfg/DFGBasicBlock.h:
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOperands.h: Removed.
        * dfg/DFGVariableAccessData.h:

2012-03-24  Filip Pizlo  <fpizlo@apple.com>

        DFG 64-bit Branch implementation should not be creating a JSValueOperand that
        it isn't going to use
        https://bugs.webkit.org/show_bug.cgi?id=82136

        Reviewed by Geoff Garen.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):

2012-03-24  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Fix the build after WTF move.

        * wscript:

2012-03-23  Filip Pizlo  <fpizlo@apple.com>

        DFG double voting may be overzealous in the case of variables that end up
        being used as integers
        https://bugs.webkit.org/show_bug.cgi?id=82008

        Reviewed by Oliver Hunt.
        
        Cleaned up propagation, making the intent more explicit in most places.
        Back-propagate NodeUsedAsInt for cases where a node was used in a context
        that is known to strongly prefer integers.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):

2012-03-24  Filip Pizlo  <fpizlo@apple.com>

        DFG::Node::shouldNotSpeculateInteger() should be eliminated
        https://bugs.webkit.org/show_bug.cgi?id=82123

        Reviewed by Geoff Garen.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

2012-03-24  Yong Li  <yoli@rim.com>

        Increase getByIdSlowCase ConstantSpace/InstructionSpace for CPU(ARM_TRADITIONAL)
        https://bugs.webkit.org/show_bug.cgi?id=81521

        Increase sequenceGetByIdSlowCaseConstantSpace and sequenceGetByIdSlowCaseInstructionSpace
        for CPU(ARM_TRADITIONAL) to fit actual need.

        Reviewed by Oliver Hunt.

        * jit/JIT.h:
        (JIT):

2012-03-23  Filip Pizlo  <fpizlo@apple.com>

        DFG Fixup should be able to short-circuit trivial ValueToInt32's
        https://bugs.webkit.org/show_bug.cgi?id=82030

        Reviewed by Michael Saboff.
        
        Takes the fixup() method of the prediction propagation phase and makes it
        into its own phase. Adds the ability to short-circuit trivial ValueToInt32
        nodes, and mark pure ValueToInt32's as such.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCommon.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp: Added.
        (DFG):
        (FixupPhase):
        (JSC::DFG::FixupPhase::FixupPhase):
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::performFixup):
        * dfg/DFGFixupPhase.h: Added.
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (PredictionPropagationPhase):

2012-03-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        tryReallocate could break the zero-ed memory invariant of CopiedBlocks
        https://bugs.webkit.org/show_bug.cgi?id=82087

        Reviewed by Filip Pizlo.

        Removing this optimization turned out to be ~1% regression on kraken, so I simply 
        undid the modification to the current block if we fail.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryReallocate): Undid the reset in the CopiedAllocator if we fail 
        to reallocate from the current block.

2012-03-23  Alexey Proskuryakov  <ap@apple.com>

        [Mac] No need for platform-specific ENABLE_BLOB values
        https://bugs.webkit.org/show_bug.cgi?id=82102

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2012-03-23  Michael Saboff  <msaboff@apple.com>

        DFG::compileValueToInt32 Sometime Generates GPR to FPR reg back to GPR
        https://bugs.webkit.org/show_bug.cgi?id=81805

        Reviewed by Filip Pizlo.

        Added SpeculativeJIT::checkGeneratedType() to determine the current format
        of an operand.  Used that information in SpeculativeJIT::compileValueToInt32
        to generate code that will use integer and JSValue types in integer
        format directly without a conversion to double.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkGeneratedType):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT.h:
        (DFG):
        (SpeculativeJIT):

2012-03-23  Steve Falkenburg  <sfalken@apple.com>

        Update Apple Windows build files for WTF move
        https://bugs.webkit.org/show_bug.cgi?id=82069

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Removed WTF and WTFGenerated.

2012-03-23  Dean Jackson  <dino@apple.com>

        Disable CSS_SHADERS in Apple builds
        https://bugs.webkit.org/show_bug.cgi?id=81996

        Reviewed by Simon Fraser.

        Remove ENABLE_CSS_SHADERS from FeatureDefines. It's now in Platform.h.

        * Configurations/FeatureDefines.xcconfig:

2012-03-23  Gavin Barraclough  <barraclough@apple.com>

        RexExp constructor last match properties should not rely on previous ovector
        https://bugs.webkit.org/show_bug.cgi?id=82077

        Reviewed by Oliver Hunt.

        This change simplifies matching, and will enable subpattern results to be fully lazily generated in the future.

        This patch changes the scheme used to lazily generate the last match properties of the RegExp object.
        Instead of relying on the results in the ovector, we can instead lazily generate the subpatters using
        a RegExpMatchesArray. To do so we just need to store the input, the regexp matched, and the match
        location (the MatchResult). When the match is accessed or the input is set, we reify results. We use
        a special value of setting the saved result to MatchResult::failed() to indicated that we're in a
        reified state. This means that next time a match is performed, the store of the result will
        automatically blow away the reified value.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added new files.
        * runtime/RegExp.cpp:
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
            - changed 'subPattern' -> 'subpattern' (there was a mix in JSC, 'subpattern' was more common).
        * runtime/RegExpCachedResult.cpp: Added.
        (JSC::RegExpCachedResult::visitChildren):
        (JSC::RegExpCachedResult::lastResult):
        (JSC::RegExpCachedResult::setInput):
            - New methods, mark GC objects, lazily create the matches array, and record a user provided input (via assignment to RegExp.inupt).
        * runtime/RegExpCachedResult.h: Added.
        (RegExpCachedResult):
            - Added new class.
        (JSC::RegExpCachedResult::RegExpCachedResult):
        (JSC::RegExpCachedResult::record):
        (JSC::RegExpCachedResult::input):
            - Initialize the object, record the result of a RegExp match, access the stored input property.
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
            - Initialize m_result/m_multiline properties.
        (JSC::RegExpConstructor::visitChildren):
            - Make sure the cached results (or lazy source for them) are marked.
        (JSC::RegExpConstructor::getBackref):
        (JSC::RegExpConstructor::getLastParen):
        (JSC::RegExpConstructor::getLeftContext):
        (JSC::RegExpConstructor::getRightContext):
            - Moved from RegExpConstructor, moved to RegExpCachedResult, and using new caching scheme.
        (JSC::regExpConstructorInput):
        (JSC::setRegExpConstructorInput):
            - Changed to use RegExpCachedResult.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        (RegExpConstructor):
        (JSC::RegExpConstructor::setMultiline):
        (JSC::RegExpConstructor::multiline):
            - Move multiline property onto the constructor object; it is not affected by the last match.
        (JSC::RegExpConstructor::setInput):
        (JSC::RegExpConstructor::input):
            - These defer to RegExpCachedResult.
        (JSC::RegExpConstructor::performMatch):
        * runtime/RegExpMatchesArray.cpp: Added.
        (JSC::RegExpMatchesArray::visitChildren):
            - Eeeep! added missing visitChildren!
        (JSC::RegExpMatchesArray::finishCreation):
        (JSC::RegExpMatchesArray::reifyAllProperties):
        (JSC::RegExpMatchesArray::reifyMatchProperty):
            - Moved from RegExpConstructor.cpp.
        (JSC::RegExpMatchesArray::leftContext):
        (JSC::RegExpMatchesArray::rightContext):
            - Since the match start/
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):
            - Declare new methods & structure flags.
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
            - performMatch now requires the JSString input, to cache.
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
            - performMatch now requires the JSString input, to cache.

2012-03-23  Tony Chang  <tony@chromium.org>

        [chromium] rename newwtf target back to wtf
        https://bugs.webkit.org/show_bug.cgi?id=82064

        Reviewed by Adam Barth.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-03-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Simplify memory usage tracking in CopiedSpace
        https://bugs.webkit.org/show_bug.cgi?id=80705

        Reviewed by Filip Pizlo.

        * heap/CopiedAllocator.h:
        (CopiedAllocator): Rename currentUtilization to currentSize.
        (JSC::CopiedAllocator::currentCapacity):
        * heap/CopiedBlock.h:
        (CopiedBlock):
        (JSC::CopiedBlock::payload): Move the implementation of payload() out of the class
        declaration.
        (JSC):
        (JSC::CopiedBlock::size): Add new function to calculate the block's size.
        (JSC::CopiedBlock::capacity): Ditto for capacity.
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace): Remove old bogus memory stats fields and add a new
        field for the water mark.
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::tryAllocateSlowCase): When we fail to allocate from the current 
        block, we need to update our current water mark with the size of the block.
        (JSC::CopiedSpace::tryAllocateOversize): When we allocate a new oversize block, we 
        need to update our current water mark with the size of the used portion of the block.
        (JSC::CopiedSpace::tryReallocate): We don't need to update the water mark when 
        reallocating because it will either get accounted for when we fill up the block later 
        in the case of being able to reallocate in the current block or it will get picked up 
        immediately because we'll have to get a new block.
        (JSC::CopiedSpace::tryReallocateOversize): We do, however, need to update in when 
        realloc-ing an oversize block because we deallocate the old block and allocate a brand 
        new one.
        (JSC::CopiedSpace::doneFillingBlock): Update the water mark as blocks are returned to 
        the CopiedSpace by the SlotVisitors.
        (JSC::CopiedSpace::doneCopying): Add in any pinned blocks to the water mark.
        (JSC::CopiedSpace::getFreshBlock): We use the Heap's new function to tell us whether or 
        not we should collect now instead of doing the calculation ourself.
        (JSC::CopiedSpace::destroy):
        (JSC):
        (JSC::CopiedSpace::size): Manually calculate the size of the CopiedSpace, similar to how 
        MarkedSpace does.
        (JSC::CopiedSpace::capacity): Ditto for capacity.
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::waterMark):
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::startedCopying): Reset water mark to 0 when we start copying during a 
        collection.
        (JSC::CopiedSpace::allocateNewBlock):
        (JSC::CopiedSpace::fitsInBlock):
        (JSC::CopiedSpace::allocateFromBlock):
        * heap/Heap.cpp:
        (JSC::Heap::size): Incorporate size of CopiedSpace into the total size of the Heap.
        (JSC::Heap::capacity): Ditto for capacity.
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::shouldCollect): New function for other sub-parts of the Heap to use to 
        determine whether they should initiate a collection or continue to allocate new blocks.
        (JSC):
        (JSC::Heap::waterMark): Now is the sum of the water marks of the two sub-parts of the
        Heap (MarkedSpace and CopiedSpace).
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase): Changed to use the Heap's new shouldCollect() function.

2012-03-23  Ryosuke Niwa  <rniwa@webkit.org>

        BitVector::resizeOutOfLine doesn't memset when converting an inline buffer
        https://bugs.webkit.org/show_bug.cgi?id=82012

        Reviewed by Filip Pizlo.

        Initialize out-of-line buffers while extending an inline buffer. Also export symbols to be used in WebCore.

        * wtf/BitVector.cpp:
        (WTF::BitVector::resizeOutOfLine):
        * wtf/BitVector.h:
        (BitVector):
        (OutOfLineBits):

2012-03-22  Michael Saboff  <msaboff@apple.com>

        ExecutableAllocator::memoryPressureMultiplier() might can return NaN
        https://bugs.webkit.org/show_bug.cgi?id=82002

        Reviewed by Filip Pizlo.

        Guard against divide by zero and then make sure the return
        value is >= 1.0.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::memoryPressureMultiplier):

2012-03-22  Jessie Berlin  <jberlin@apple.com>

        Windows build fix after r111778.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        Don't include and try to build files owned by WTF.
        Also, let VS have its way with the vcproj in terms of file ordering.

2012-03-22  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        [CMake] Unreviewed build fix after r111778.

        * CMakeLists.txt: Move ${WTF_DIR} after ${JAVASCRIPTCORE_DIR} in
        the include paths so that the right config.h is used.

2012-03-22  Tony Chang  <tony@chromium.org>

        Unreviewed, fix chromium build after wtf move.

        Remove old wtf_config and wtf targets.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-03-22  Martin Robinson  <mrobinson@igalia.com>

        Fixed the GTK+ WTF/JavaScriptCore build after r111778.

        * GNUmakefile.list.am: Removed an extra trailing backslash.

2012-03-22  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * Configurations/JavaScriptCore.xcconfig: Tell the linker to pull in all members from static libraries
        rather than only those that contain symbols that JavaScriptCore itself uses.
        * JavaScriptCore.xcodeproj/project.pbxproj: Remove some bogus settings that crept in to the Xcode project.

2012-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG NodeFlags has some duplicate code and naming issues
        https://bugs.webkit.org/show_bug.cgi?id=81975

        Reviewed by Gavin Barraclough.
        
        Removed most references to "ArithNodeFlags" since those are now just part
        of the node flags. Fixed some renaming goofs (EdgedAsNum is once again
        NodeUsedAsNum). Got rid of setArithNodeFlags() and mergeArithNodeFlags()
        because the former was never called and the latter did the same things as
        mergeFlags().

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (Node):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):

2012-03-22  Eric Seidel  <eric@webkit.org>

        Actually move WTF files to their new home
        https://bugs.webkit.org/show_bug.cgi?id=81844

        Unreviewed.  The details of the port-specific changes
        have been seen by contributors from those ports, but
        the whole 5MB change isn't very reviewable as-is.

        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h:
        * JavaScriptCore.gypi:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:

2012-03-22  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Adding Source/WTF to the build.

        * wscript:

2012-03-22  Gavin Barraclough  <barraclough@apple.com>

        Add JSValue::isFunction
        https://bugs.webkit.org/show_bug.cgi?id=81935

        Reviewed by Geoff Garen.

        This would be useful in the WebCore bindings code.
        Also, remove asFunction, replace with jsCast<JSFunction*>.

        * API/JSContextRef.cpp:
        * debugger/Debugger.cpp:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfFunctionConstant):
        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::isInlineCallFrameSlow):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sort):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        * runtime/JSFunction.h:
        (JSC):
        (JSC::asJSFunction):
        (JSC::JSValue::isFunction):
        * runtime/JSGlobalData.cpp:
        (WTF::Recompiler::operator()):
        (JSC::JSGlobalData::releaseExecutableMemory):
        * runtime/JSValue.h:
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):

2012-03-21  Filip Pizlo  <fpizlo@apple.com>

        DFG speculation on booleans should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=81840

        Reviewed by Gavin Barraclough.
        
        This removes isKnownBoolean() and replaces it with AbstractState-based
        optimization, and cleans up the control flow in code gen methods for
        Branch and LogicalNot. Also fixes a goof in Node::shouldSpeculateNumber,
        and removes isKnownNotBoolean() since that method appeared to be a
        helper used solely by 32_64's speculateBooleanOperation().
        
        This is performance-neutral.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNumber):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-21  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * wtf/MetaAllocator.h:
        (MetaAllocator): Export the destructor.

2012-03-21  Eric Seidel  <eric@webkit.org>

        Fix remaining WTF includes in JavaScriptCore in preparation for moving WTF headers out of JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=81834

        Reviewed by Adam Barth.

        * jsc.cpp:
        * os-win32/WinMain.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/TimeoutChecker.cpp:
        * testRegExp.cpp:
        * tools/CodeProfiling.cpp:

2012-03-21  Eric Seidel  <eric@webkit.org>

        WTF::MetaAllocator has a weak vtable (discovered when building wtf as a static library)
        https://bugs.webkit.org/show_bug.cgi?id=81838

        Reviewed by Geoffrey Garen.

        My understanding is that weak vtables happen when the compiler/linker cannot
        determine which compilation unit should constain the vtable.  In this case
        because there were only pure virtual functions as well as an "inline"
        virtual destructor (thus the virtual destructor was defined in many compilation
        units).  Since you can't actually "inline" a virtual function (it still has to
        bounce through the vtable), the "inline" on this virutal destructor doesn't
        actually help performance, and is only serving to confuse the compiler here.
        I've moved the destructor implementation to the .cpp file, thus making
        it clear to the compiler where the vtable should be stored, and solving the error.

        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::~MetaAllocator):
        (WTF):
        * wtf/MetaAllocator.h:

2012-03-20  Gavin Barraclough  <barraclough@apple.com>

        RegExpMatchesArray should not copy the ovector
        https://bugs.webkit.org/show_bug.cgi?id=81742

        Reviewed by Michael Saboff.

        Currently, all RegExpMatchesArray object contain Vector<int, 32>, used to hold any sub-pattern results.
        This makes allocation/construction/destruction of these objects more expensive. Instead, just store the
        main match, and recreate the sub-pattern ranges only if necessary (these are often only used for grouping,
        and the results never accessed).
        If the main match (index 0) of the RegExpMatchesArray is accessed, reify that value alone.

        * dfg/DFGOperations.cpp:
            - RegExpObject match renamed back to test (test returns a bool).
        * runtime/RegExpConstructor.cpp:
        (JSC):
            - Removed RegExpResult, RegExpMatchesArray constructor, destroy method.
        (JSC::RegExpMatchesArray::finishCreation):
            - Removed RegExpConstructorPrivate parameter.
        (JSC::RegExpMatchesArray::reifyAllProperties):
            - (Was fillArrayInstance) Reify all properties of the RegExpMatchesArray.
            If there are sub-pattern properties, the RegExp is re-run to generate their values.
        (JSC::RegExpMatchesArray::reifyMatchProperty):
            - Reify just the match (index 0) property of the RegExpMatchesArray.
        * runtime/RegExpConstructor.h:
        (RegExpConstructor):
        (JSC::RegExpConstructor::performMatch):
            - performMatch now returns a MatchResult, rather than using out-parameters.
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
            - Moved from .cpp, stores the input/regExp/result to use when lazily reifying properties.
        (RegExpMatchesArray):
        (JSC::RegExpMatchesArray::create):
            - Now passed the input string matched against, the RegExp, and the MatchResult.
        (JSC::RegExpMatchesArray::reifyAllPropertiesIfNecessary):
        (JSC::RegExpMatchesArray::reifyMatchPropertyIfNecessary):
            - Helpers to conditionally reify properties.
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
        (JSC::RegExpMatchesArray::put):
        (JSC::RegExpMatchesArray::putByIndex):
        (JSC::RegExpMatchesArray::deleteProperty):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyNames):
        (JSC::RegExpMatchesArray::defineOwnProperty):
            - Changed to use reifyAllPropertiesIfNecessary/reifyMatchPropertyIfNecessary
            (getOwnPropertySlotByIndex calls reifyMatchPropertyIfNecessary if index is 0).
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
            - match now returns a MatchResult.
        * runtime/RegExpObject.h:
        (JSC::MatchResult::MatchResult):
            - Added the result of a match is a start & end tuple.
        (JSC::MatchResult::failed):
            - A failure is indicated by (notFound, 0).
        (JSC::MatchResult::operator bool):
            - Evaluates to false if the match failed.
        (JSC::MatchResult::empty):
            - Evaluates to true if the match succeeded with length 0.
        (JSC::RegExpObject::test):
            - Now returns a bool.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
            - RegExpObject match renamed back to test (test returns a bool).
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
            - performMatch now returns a MatchResult, rather than using out-parameters.

2012-03-21  Hojong Han  <hojong.han@samsung.com>

        Fix out of memory by allowing overcommit
        https://bugs.webkit.org/show_bug.cgi?id=81743

        Reviewed by Geoffrey Garen.

        Garbage collection is not triggered and new blocks are added
        because overcommit is allowed by MAP_NORESERVE flag when high water mark is big enough.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2012-03-21  Jessie Berlin  <jberlin@apple.com>

        More Windows build fixing.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        Fix the order of the include directories to look in include/private first before looking
        in include/private/JavaScriptCore.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        Look in the Production output directory (where the wtf headers will be). This is the same
        thing that is done for jsc and testRegExp in ReleasePGO.

2012-03-21  Jessie Berlin  <jberlin@apple.com>

        WTF headers should be in $(ConfigurationBuildDir)\include\private\wtf, not
        $(ConfigurationBuildDir)\include\private\JavaScriptCore\wtf.
        https://bugs.webkit.org/show_bug.cgi?id=81739

        Reviewed by Dan Bernstein.

        * JavaScriptCore.vcproj/jsc/jsc.vcproj:
        Look for AtomicString.cpp, StringBuilder.cpp, StringImpl.cpp, and WTFString.cpp in the wtf
        subdirectory of the build output, not the JavaScriptCore/wtf subdirectory.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj:
        Ditto.

        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops:
        Get the headers for those 4 files from the wtf subdirectory of the build output, not the
        JavaScriptCore/wtf subdirectory.
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:
        Ditto.

2012-03-20  Eric Seidel  <eric@webkit.org>

        Move wtf/Platform.h from JavaScriptCore to Source/WTF/wtf
        https://bugs.webkit.org/show_bug.cgi?id=80911

        Reviewed by Adam Barth.

        Update the various build systems to depend on Source/WTF headers
        as well as remove references to Platform.h (since it's now moved).

        * CMakeLists.txt:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:

2012-03-20  Filip Pizlo  <fpizlo@apple.com>

        op_mod fails on many interesting corner cases
        https://bugs.webkit.org/show_bug.cgi?id=81648

        Reviewed by Oliver Hunt.
        
        Removed most strength reduction for op_mod, and fixed the integer handling
        to do the right thing for corner cases. Oddly, this revealed bugs in OSR,
        which this patch also fixes.
        
        This patch is performance neutral on all of the major benchmarks we track.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC):
        * jit/JITStubs.h:
        (TrampolineStructure):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LowLevelInterpreter64.asm:
        * wtf/Platform.h:
        * wtf/SimpleStats.h:
        (WTF::SimpleStats::variance):

2012-03-20  Steve Falkenburg  <sfalken@apple.com>

        Windows (make based) build fix.
        <rdar://problem/11069015>

        * JavaScriptCore.vcproj/JavaScriptCore.make: devenv /rebuild doesn't work with JavaScriptCore.vcproj. Use /clean and /build instead.

2012-03-20  Steve Falkenburg  <sfalken@apple.com>

        Move WTF-related Windows project files out of JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=80680

        This change only moves the vcproj and related files from JavaScriptCore/JavaScriptCore.vcproj/WTF.
        It does not move any source code. This is in preparation for the WTF source move out of
        JavaScriptCore.

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln:
        * JavaScriptCore.vcproj/WTF: Removed.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Removed.
        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.make: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.vcproj: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFPostBuild.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/WTFPreBuild.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/WTFProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/build-generated-files.sh: Removed.
        * JavaScriptCore.vcproj/WTF/copy-files.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/work-around-vs-dependency-tracking-bugs.py: Removed.

2012-03-20  Benjamin Poulain  <bpoulain@apple.com>

        Cache the type string of JavaScript object
        https://bugs.webkit.org/show_bug.cgi?id=81446

        Reviewed by Geoffrey Garen.

        Instead of creating the JSString every time, we create
        lazily the strings in JSGlobalData.

        This avoid the construction of the StringImpl and of the JSString,
        which gives some performance improvements.

        * runtime/CommonIdentifiers.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::toStringSlowCase):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::finalizeSmallStrings):
        (JSC::SmallStrings::initialize):
        (JSC):
        * runtime/SmallStrings.h:
        (SmallStrings):

2012-03-20  Oliver Hunt  <oliver@apple.com>

        Allow LLINT to work even when executable allocation fails.
        https://bugs.webkit.org/show_bug.cgi?id=81693

        Reviewed by Gavin Barraclough.

        Don't crash if executable allocation fails if we can fall back on LLINT

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2012-03-20  Csaba Osztrogonác  <ossy@webkit.org>

        Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1
        https://bugs.webkit.org/show_bug.cgi?id=81428

        32 bit buildfix after r111355.

        2147483648 (2^31) isn't valid int literal in ISO C90, because 2147483647 (2^31-1) is the biggest int.
        The smallest int is -2147483648 (-2^31) == -2147483647 - 1  == -INT32_MAX-1 == INT32_MIN (stdint.h).

        Reviewed by Zoltan Herczeg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):

2012-03-19  Jochen Eisinger  <jochen@chromium.org>

        Split WTFReportBacktrace into WTFReportBacktrace and WTFPrintBacktrace
        https://bugs.webkit.org/show_bug.cgi?id=80983

        Reviewed by Darin Adler.

        This allows printing a backtrace acquired by an earlier WTFGetBacktrace
        call which is useful for local debugging.

        * wtf/Assertions.cpp:
        * wtf/Assertions.h:

2012-03-19  Benjamin Poulain  <benjamin@webkit.org>

        Do not copy the script source in the SourceProvider, just reference the existing string
        https://bugs.webkit.org/show_bug.cgi?id=81466

        Reviewed by Geoffrey Garen.

        * parser/SourceCode.h: Remove the unused, and incorrect, function data().
        * parser/SourceProvider.h: Add OVERRIDE for clarity.

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        Division optimizations fail to infer cases of truncated division and
        mishandle -2147483648/-1
        https://bugs.webkit.org/show_bug.cgi?id=81428
        <rdar://problem/11067382>

        Reviewed by Oliver Hunt.

        If you're a division over integers and you're only used as an integer, then you're
        an integer division and remainder checks become unnecessary. If you're dividing
        -2147483648 by -1, don't crash.

        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::add32):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter64.asm:

2012-03-19  Benjamin Poulain  <bpoulain@apple.com>

        Simplify SmallStrings
        https://bugs.webkit.org/show_bug.cgi?id=81445

        Reviewed by Gavin Barraclough.

        SmallStrings had two methods that should not be public: count() and clear().

        The method clear() is effectively replaced by finalizeSmallStrings(). The body
        of the method was moved to the constructor since the code is obvious.

        The method count() is unused.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        * runtime/SmallStrings.h:
        (SmallStrings):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG can no longer compile V8-v4/regexp in debug mode
        https://bugs.webkit.org/show_bug.cgi?id=81592

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagation for UInt32ToNumber incorrectly assumes that outs outcome does not
        change throughout the fixpoint
        https://bugs.webkit.org/show_bug.cgi?id=81583

        Reviewed by Michael Saboff.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        GC should not attempt to clear LLInt instruction inline caches for code blocks that are in
        the process of being generated
        https://bugs.webkit.org/show_bug.cgi?id=81565

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):

2012-03-19  Eric Seidel  <eric@webkit.org>

        Fix WTF header include discipline in Chromium WebKit
        https://bugs.webkit.org/show_bug.cgi?id=81281

        Reviewed by James Robinson.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * wtf/unicode/icu/CollatorICU.cpp:

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG NodeUse should be called Edge and NodeReferenceBlob should be called AdjacencyList
        https://bugs.webkit.org/show_bug.cgi?id=81556

        Rubber stamped by Gavin Barraclough.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::forNode):
        * dfg/DFGAdjacencyList.h: Copied from Source/JavaScriptCore/dfg/DFGNodeReferenceBlob.h.
        (JSC::DFG::AdjacencyList::AdjacencyList):
        (JSC::DFG::AdjacencyList::child):
        (JSC::DFG::AdjacencyList::setChild):
        (JSC::DFG::AdjacencyList::child1):
        (JSC::DFG::AdjacencyList::child2):
        (JSC::DFG::AdjacencyList::child3):
        (JSC::DFG::AdjacencyList::setChild1):
        (JSC::DFG::AdjacencyList::setChild2):
        (JSC::DFG::AdjacencyList::setChild3):
        (JSC::DFG::AdjacencyList::child1Unchecked):
        (JSC::DFG::AdjacencyList::initialize):
        (AdjacencyList):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::performSubstitution):
        * dfg/DFGEdge.h: Copied from Source/JavaScriptCore/dfg/DFGNodeUse.h.
        (DFG):
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::operator==):
        (JSC::DFG::Edge::operator!=):
        (Edge):
        (JSC::DFG::operator==):
        (JSC::DFG::operator!=):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::operator[]):
        (JSC::DFG::Graph::at):
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        (Graph):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child1Unchecked):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (Node):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::arithNodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        * dfg/DFGNodeReferenceBlob.h: Removed.
        * dfg/DFGNodeUse.h: Removed.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::at):
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::use):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        Object.freeze broken on latest Nightly
        https://bugs.webkit.org/show_bug.cgi?id=80577

        Reviewed by Oliver Hunt.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
            - defineOwnProperty was checking for correct behaviour, provided that length/callee hadn't
            been overrridden. instead, just reify length/callee & rely on JSObject::defineOwnProperty.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
            - for arguments/caller/length properties, defineOwnProperty was incorrectly asserting that
            the object must be extensible; this is incorrect since these properties should already exist
            on the object. In addition, it was asserting that the arguments/caller values must match the
            corresponding magic data properties, but for strict mode function this is incorrect. Instead,
            just reify the arguments/caller accessor & defer to JSObject::defineOwnProperty.

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        LLInt get_by_pname slow path incorrectly assumes that the operands are not constants
        https://bugs.webkit.org/show_bug.cgi?id=81559

        Reviewed by Michael Saboff.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2012-03-19  Yong Li  <yoli@rim.com>

        [BlackBerry] Implement OSAllocator::commit/decommit in the correct way
        https://bugs.webkit.org/show_bug.cgi?id=77013

        We should use mmap(PROT_NONE, MAP_LAZY) instead of posix_madvise() to
        implement memory decommitting for QNX.

        Reviewed by Rob Buis.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - revent a couple of files accidentally committed.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):

2012-03-19  Jessie Berlin  <jberlin@apple.com>

        Another Windows build fix after r111129.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-19  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        Cross-platform processor core counter: fix build on FreeBSD.
        https://bugs.webkit.org/show_bug.cgi?id=81482

        Reviewed by Zoltan Herczeg.

        The documentation of sysctl(3) shows that <sys/types.h> should be
        included before <sys/sysctl.h> (sys/types.h tends to be the first
        included header in general).

        This should fix the build on FreeBSD and other systems where
        sysctl.h really depends on types defined in types.h.

        * wtf/NumberOfCores.cpp:

2012-03-19  Jessie Berlin  <jberlin@apple.com>

        Windows build fix after r111129.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        JSCallbackFunction::toStringCallback/valueOfCallback do not handle 0 return value from convertToType
        https://bugs.webkit.org/show_bug.cgi?id=81468 <rdar://problem/11034745>

        Reviewed by Oliver Hunt.

        The API specifies that convertToType may opt not to handle a conversion:
            "@result The objects's converted value, or NULL if the object was not converted."
        In which case, it would propagate first up the JSClass hierarchy, calling its superclass's
        conversion functions, and failing that call the JSObject::defaultValue function.

        Unfortunately this behaviour was removed in bug#69677/bug#69858, and instead we now rely on
        the toStringCallback/valueOfCallback function introduced in bug#69156. Even after a fix in
        bug#73368, these will return the result from the first convertToType they find, regardless
        of whether this result is null, and if no convertToType method is found in the api class
        hierarchy (possible if toStringCallback/valueOfCallback was accessed off the prototype
        chain), they will also return a null pointer. This is unsafe.

        It would be easy to make the approach based around toStringCallback/valueOfCallback continue
        to walk the api class hierarchy, but making the fallback to defaultValue would be problematic
        (since defaultValue calls toStringCallback/valueOfCallback, this would infinitely recurse).
        Making the fallback work with toString/valueOf methods attached to api objects is probably
        not the right thing to do – instead, we should just implement the defaultValue trap for api
        objects.

        In addition, this bug highlights that fact that JSCallbackFunction::call will allow a hard
        null to be returned from C to JavaScript - this is not okay. Handle with an exception.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call):
            - Should be null checking the return value.
        (JSC):
            - Remove toStringCallback/valueOfCallback.
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
            - Remove toStringCallback/valueOfCallback.
        * API/JSCallbackObject.h:
        (JSCallbackObject):
            - Add defaultValue mthods to JSCallbackObject.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::defaultValue):
            - Add defaultValue mthods to JSCallbackObject.
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
            - Remove toStringCallback/valueOfCallback.
        * API/tests/testapi.js:
            - Revert this test, now we no longer artificially introduce a toString method onto the api object.

2012-03-18  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        [EFL] Include ICU_INCLUDE_DIRS when building.
        https://bugs.webkit.org/show_bug.cgi?id=81483

        Reviewed by Daniel Bates.

        So far, only the ICU libraries were being included when building
        JavaScriptCore, however the include path is also needed, otherwise the
        build will fail when ICU is installed into a non-standard location.

        * PlatformEfl.cmake: Include ${ICU_INCLUDE_DIRS}.

2012-03-17  Gavin Barraclough  <barraclough@apple.com>

        Strength reduction, RegExp.exec -> RegExp.test
        https://bugs.webkit.org/show_bug.cgi?id=81459

        Reviewed by Sam Weinig.

        RegExp.prototype.exec & RegExp.prototype.test can both be used to test a regular
        expression for a match against a string - however exec is more expensive, since
        it allocates a matches array object. In cases where the result is consumed in a
        boolean context the allocation of the matches array can be trivially elided.

        For example:
            function f()
            {
                for (i =0; i < 10000000; ++i)
                    if(!/a/.exec("a"))
                        err = true;
            }

        This is a 2.5x speedup on this example microbenchmark loop.

        In a more advanced form of this optimization, we may be able to avoid allocating
        the array where access to the array can be observed.

        * create_hash_table:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jsc.cpp:
        (GlobalObject::addConstructableFunction):
        * runtime/Intrinsic.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC):
        * runtime/JSFunction.h:
        (JSFunction):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (RegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):

2012-03-16  Michael Saboff  <msaboff@apple.com>

        Improve diagnostic benefit of JSGlobalData::m_isInitializingObject
        https://bugs.webkit.org/show_bug.cgi?id=81244

        Rubber stamped by Filip Pizlo.

        Changed type and name of JSGlobalData::m_isInitializingObject to
        ClassInfo* and m_initializingObjectClass.
        Changed JSGlobalData::setInitializingObject to
        JSGlobalData::setInitializingObjectClass.  This pointer can be used within 
        the debugger to determine what type of object is being initialized.
        
        * runtime/JSCell.h:
        (JSC::JSCell::finishCreation):
        (JSC::allocateCell):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::isInitializingObject):
        (JSC::JSGlobalData::setInitializingObjectClass):
        * runtime/Structure.h:
        (JSC::JSCell::finishCreation):

2012-03-16  Mark Rowe  <mrowe@apple.com>

        Build fix. Do not preserve owner and group information when installing the WTF headers.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-15  David Dorwin  <ddorwin@chromium.org>

        Make the array pointer parameters in the Typed Array create() methods const.
        https://bugs.webkit.org/show_bug.cgi?id=81147

        Reviewed by Kenneth Russell.

        This allows const arrays to be passed to these methods.
        They use PassRefPtr<Subclass> create(), which already has a const parameter.

        * wtf/Int16Array.h:
        (Int16Array):
        (WTF::Int16Array::create):
        * wtf/Int32Array.h:
        (Int32Array):
        (WTF::Int32Array::create):
        * wtf/Int8Array.h:
        (Int8Array):
        (WTF::Int8Array::create):
        * wtf/Uint16Array.h:
        (Uint16Array):
        (WTF::Uint16Array::create):
        * wtf/Uint32Array.h:
        (Uint32Array):
        (WTF::Uint32Array::create):
        * wtf/Uint8Array.h:
        (Uint8Array):
        (WTF::Uint8Array::create):
        * wtf/Uint8ClampedArray.h:
        (Uint8ClampedArray):
        (WTF::Uint8ClampedArray::create):

2012-03-15  Myles Maxfield  <mmaxfield@google.com>

        CopiedSpace::tryAllocateOversize assumes system page size
        https://bugs.webkit.org/show_bug.cgi?id=80615

        Reviewed by Geoffrey Garen.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateOversize):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::oversizeBlockFor):
        * wtf/BumpPointerAllocator.h:
        (WTF::BumpPointerPool::create):
        * wtf/StdLibExtras.h:
        (WTF::roundUpToMultipleOf):

2012-03-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing Windows build breakage

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-15  Patrick Gansterer  <paroga@webkit.org>

        [EFL] Make zlib a general build requirement
        https://bugs.webkit.org/show_bug.cgi?id=80153

        Reviewed by Hajime Morita.

        After r109538 WebSocket module needs zlib to support deflate-frame extension.

        * wtf/Platform.h:

2012-03-15  Benjamin Poulain  <bpoulain@apple.com>

        NumericStrings should be inlined
        https://bugs.webkit.org/show_bug.cgi?id=81183

        Reviewed by Gavin Barraclough.

        NumericStrings is not always inlined. When it is not, the class is not faster
        than using UString::number() directly.

        * runtime/NumericStrings.h:
        (JSC::NumericStrings::add):
        (JSC::NumericStrings::lookupSmallString):

2012-03-15  Andras Becsi  <andras.becsi@nokia.com>

        Fix ARM build after r110792.

        Unreviewed build fix.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        Remove superfluous curly brackets.

2012-03-15  Gavin Barraclough  <barraclough@apple.com>

        ARMv7: prefer vmov(gpr,gpr->double) over vmov(gpr->single)
        https://bugs.webkit.org/show_bug.cgi?id=81256

        Reviewed by Oliver Hunt.

        This is a 0.5% sunspider progression.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::convertInt32ToDouble):
            - switch which form of vmov we use.

2012-03-15  YoungTaeck Song  <youngtaeck.song@samsung.com>

        [EFL] Add OwnPtr specialization for Ecore_Timer.
        https://bugs.webkit.org/show_bug.cgi?id=80119

        Reviewed by Hajime Morita.

        Add an overload for deleteOwnedPtr(Ecore_Timer*) on EFL port.

        * wtf/OwnPtrCommon.h:
        (WTF):
        * wtf/efl/OwnPtrEfl.cpp:
        (WTF::deleteOwnedPtr):
        (WTF):

2012-03-15  Hojong Han  <hojong.han@samsung.com>

        Linux has madvise enough to support OSAllocator::commit/decommit
        https://bugs.webkit.org/show_bug.cgi?id=80505

        Reviewed by Geoffrey Garen.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):

2012-03-15  Steve Falkenburg  <sfalken@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops:
        * JavaScriptCore.vcproj/WTF/copy-files.cmd:
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:

2012-03-15  Steve Falkenburg  <sfalken@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj:

2012-03-15  Kevin Ollivier  <kevino@theolliviers.com>

        Move wx port to using export macros
        https://bugs.webkit.org/show_bug.cgi?id=77279

        Reviewed by Hajime Morita.

        * wscript:
        * wtf/Platform.h:

2012-03-14  Benjamin Poulain  <bpoulain@apple.com>

        Avoid StringImpl::getData16SlowCase() when sorting array
        https://bugs.webkit.org/show_bug.cgi?id=81070

        Reviewed by Geoffrey Garen.

        The function codePointCompare() is used intensively when sorting strings.
        This patch improves its performance by:
        -Avoiding character conversion.
        -Inlining the function.

        This makes Peacekeeper's arrayCombined test 30% faster.

        * wtf/text/StringImpl.cpp:
        * wtf/text/StringImpl.h:
        (WTF):
        (WTF::codePointCompare):
        (WTF::codePointCompare8):
        (WTF::codePointCompare16):
        (WTF::codePointCompare8To16):

2012-03-14  Hojong Han  <hojong.han@samsung.com>

        Fix memory allocation failed by fastmalloc
        https://bugs.webkit.org/show_bug.cgi?id=79614

        Reviewed by Geoffrey Garen.

        Memory allocation failed even if the heap grows successfully.
        It is wrong to get the span only from the large list after the heap grows,
        because new span could be added in the normal list.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::New):

2012-03-14  Hojong Han  <hojong.han@samsung.com>

        Run cacheFlush page by page to assure of flushing all the requested ranges
        https://bugs.webkit.org/show_bug.cgi?id=77712

        Reviewed by Geoffrey Garen.

        Current MetaAllocator concept, always coalesces adjacent free spaces,
        doesn't meet memory management of Linux kernel.
        In a certain case Linux kernel doesn't regard contiguous virtual memory areas as one but two.
        Therefore cacheFlush page by page guarantees a flush-requested range.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):

2012-03-14  Oliver Hunt  <oliver@apple.com>

        Make ARMv7 work again
        https://bugs.webkit.org/show_bug.cgi?id=81157

        Reviewed by Geoffrey Garen.

        We were trying to use the ARMv7 dataRegister as a scratch register in a scenario
        where we the ARMv7MacroAssembler would also try to use dataRegister for its own
        nefarious purposes.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::store32):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):

2012-03-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::destroy leaks CopiedSpace
        https://bugs.webkit.org/show_bug.cgi?id=81055

        Reviewed by Geoffrey Garen.

        Added a destroy() function to CopiedSpace that moves all normal size 
        CopiedBlocks from the CopiedSpace to the Heap's list of free blocks 
        as well as deallocates all of the oversize blocks in the CopiedSpace. 
        This function is now called in Heap::destroy().

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::destroy):
        (JSC):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/Heap.cpp:
        (JSC::Heap::destroy):

2012-03-14  Andrew Lo  <anlo@rim.com>

        [BlackBerry] Implement REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR using AnimationFrameRateController
        https://bugs.webkit.org/show_bug.cgi?id=81000

        Enable WTF_USE_REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR for BlackBerry.

        Reviewed by Antonio Gomes.

        * wtf/Platform.h:

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        ValueToInt32 speculation will cause OSR exits even when it does not have to
        https://bugs.webkit.org/show_bug.cgi?id=81068
        <rdar://problem/11043926>

        Reviewed by Anders Carlsson.
        
        Two related changes:
        1) ValueToInt32 will now always just defer to the non-speculative path, instead
           of exiting, if it doesn't know what speculations to perform.
        2) ValueToInt32 will speculate boolean if it sees this to be profitable.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBoolean):
        (Node):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        More Windows build fixing

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Windows build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Type conversion of exponential part failed
        https://bugs.webkit.org/show_bug.cgi?id=80673

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp:
        (JSC::::lex):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        (JSC):
        (JSC::jsStrDecimalLiteral): Added another template argument that exposes whether or not
        we accept trailing junk to clients of jsStrDecimalLiteral. Also added additional template 
        parameter for strtod to allow trailing spaces.
        (JSC::toDouble):
        (JSC::parseFloat): Accept trailing junk, as per the ECMA 262 spec (15.1.2.3).
        * runtime/LiteralParser.cpp:
        (JSC::::Lexer::lexNumber):
        * tests/mozilla/expected.html: Update the expected page for run-javascriptcore-tests so that 
        we will run ecma/TypeConversion/9.3.1-3.js as a regression test now.
        * wtf/dtoa.cpp:
        (WTF):
        (WTF::strtod): We also needed to sometimes accept trailing spaces to pass a few other tests that were 
        broken by changing the default allowance of trailing junk in jsStrDecimalLiteral.
        * wtf/dtoa.h:
        * wtf/dtoa/double-conversion.cc: When the AdvanceToNonspace function was lifted out of the 
        Chromium codebase, the person porting it only thought to check for spaces when skipping whitespace.
        A few of our JSC tests check for other types of trailing whitespace, so I've added checks for those 
        here to cover those cases (horizontal tab, vertical tab, carriage return, form feed, and line feed).
        * wtf/text/WTFString.cpp:
        (WTF::toDoubleType): Disallow trailing spaces, as this breaks form input verification stuff.

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix since is_pod<> includes some header that I didn't know about.
        Removing the assert for now.

        * dfg/DFGOperations.h:
        * llint/LLIntSlowPaths.h:

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Functions with C linkage should return POD types
        https://bugs.webkit.org/show_bug.cgi?id=81061

        Reviewed by Mark Rowe.

        * dfg/DFGOperations.h:
        * llint/LLIntSlowPaths.h:
        (LLInt):
        (SlowPathReturnType):
        (JSC::LLInt::encodeResult):

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Loads from UInt32Arrays should not result in a double up-convert if it isn't necessary
        https://bugs.webkit.org/show_bug.cgi?id=80979
        <rdar://problem/11036848>

        Reviewed by Oliver Hunt.
        
        Also improved DFG IR dumping to include type information in a somewhat more
        intuitive way.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToAbbreviatedString):
        (JSC):
        * bytecode/PredictedType.h:
        (JSC):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):

2012-03-13  George Staikos  <staikos@webkit.org>

        The callback is only used if SA_RESTART is defined.  Compile it out
        otherwise to avoid a warning.
        https://bugs.webkit.org/show_bug.cgi?id=80926

        Reviewed by Alexey Proskuryakov.

        * heap/MachineStackMarker.cpp:
        (JSC):

2012-03-13  Hojong Han  <hojong.han@samsung.com>

        Dump the generated code for ARM_TRADITIONAL
        https://bugs.webkit.org/show_bug.cgi?id=80975

        Reviewed by Gavin Barraclough.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::dumpCode):

2012-03-13  Adam Barth  <abarth@webkit.org> && Benjamin Poulain  <bpoulain@apple.com>

        Always enable ENABLE(CLIENT_BASED_GEOLOCATION)
        https://bugs.webkit.org/show_bug.cgi?id=78853

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2012-03-13  Kwonjin Jeong  <gram@company100.net>

        Remove SlotVisitor::copy() method.
        https://bugs.webkit.org/show_bug.cgi?id=80973

        Reviewed by Geoffrey Garen.

        SlotVisitor::copy() method isn't called anywhere.

        * heap/MarkStack.cpp: Remove definition of SlotVisitor::copy() method.
        * heap/SlotVisitor.h: Remove declaration of SlotVisitor::copy() method.

2012-03-12  Hojong Han  <hojong.han@samsung.com>

        Fix test cases for RegExp multiline
        https://bugs.webkit.org/show_bug.cgi?id=80822

        Reviewed by Gavin Barraclough.

        * tests/mozilla/js1_2/regexp/RegExp_multiline.js:
        * tests/mozilla/js1_2/regexp/RegExp_multiline_as_array.js:
        * tests/mozilla/js1_2/regexp/beginLine.js:
        * tests/mozilla/js1_2/regexp/endLine.js:

2012-03-12  Filip Pizlo  <fpizlo@apple.com>

        Arithmetic use inference should be procedure-global and should run in tandem
        with type propagation
        https://bugs.webkit.org/show_bug.cgi?id=80819
        <rdar://problem/11034006>

        Reviewed by Gavin Barraclough.
        
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArithNodeFlagsInferencePhase.cpp: Removed.
        * dfg/DFGArithNodeFlagsInferencePhase.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::flags):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeFlags):

2012-03-12  Filip Pizlo  <fpizlo@apple.com>

        Node::op and Node::flags should be private
        https://bugs.webkit.org/show_bug.cgi?id=80824
        <rdar://problem/11033435>

        Reviewed by Gavin Barraclough.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        (JSC::DFG::ArithNodeFlagsInferencePhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandPrediction):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::flushArgument):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::isJSConstant):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::byValIsPure):
        (JSC::DFG::CSEPhase::clobbersWorld):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getScopeChainLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGNode.cpp: Removed.
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::Node::Node):
        (Node):
        (JSC::DFG::Node::op):
        (JSC::DFG::Node::flags):
        (JSC::DFG::Node::setOp):
        (JSC::DFG::Node::setFlags):
        (JSC::DFG::Node::mergeFlags):
        (JSC::DFG::Node::filterFlags):
        (JSC::DFG::Node::clearFlags):
        (JSC::DFG::Node::setOpAndDefaultFlags):
        (JSC::DFG::Node::mustGenerate):
        (JSC::DFG::Node::isConstant):
        (JSC::DFG::Node::isWeakConstant):
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::hasVariableAccessData):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveGlobalDataIndex):
        (JSC::DFG::Node::hasArithNodeFlags):
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::setArithNodeFlag):
        (JSC::DFG::Node::mergeArithNodeFlags):
        (JSC::DFG::Node::hasConstantBuffer):
        (JSC::DFG::Node::hasRegexpIndex):
        (JSC::DFG::Node::hasVarNumber):
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::hasInt32Result):
        (JSC::DFG::Node::hasNumberResult):
        (JSC::DFG::Node::hasJSResult):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::isJump):
        (JSC::DFG::Node::isBranch):
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasFunctionCheckData):
        (JSC::DFG::Node::hasStructureTransitionData):
        (JSC::DFG::Node::hasStructureSet):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::hasFunctionDeclIndex):
        (JSC::DFG::Node::hasFunctionExprIndex):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        * dfg/DFGNodeFlags.cpp: Copied from Source/JavaScriptCore/dfg/DFGNode.cpp.
        * dfg/DFGNodeFlags.h: Added.
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        (JSC::DFG::nodeCanTruncateInteger):
        (JSC::DFG::nodeCanIgnoreNegativeZero):
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeCanSpeculateInteger):
        * dfg/DFGNodeType.h: Added.
        (DFG):
        (JSC::DFG::defaultFlags):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGRedundantPhiEliminationPhase.cpp:
        (JSC::DFG::RedundantPhiEliminationPhase::run):
        (JSC::DFG::RedundantPhiEliminationPhase::replacePhiChild):
        (JSC::DFG::RedundantPhiEliminationPhase::updateBlockVariableInformation):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-03-12  Laszlo Gombos  <laszlo.1.gombos@nokia.com>

        Minor DataLog fixes
        https://bugs.webkit.org/show_bug.cgi?id=80826

        Reviewed by Andreas Kling.

        * bytecode/ExecutionCounter.cpp:
        Do not include DataLog.h, it is not used.
        
        * jit/ExecutableAllocator.cpp:
        Ditto.

        * wtf/DataLog.cpp:
        (WTF::initializeLogFileOnce):
        Add missing semi-colon to the code path where DATA_LOG_FILENAME is defined.

        * wtf/HashTable.cpp:
        Include DataLog as it is used.

2012-03-12  SangGyu Lee  <sg5.lee@samsung.com>

        Integer overflow check code in arithmetic operation in classic interpreter
        https://bugs.webkit.org/show_bug.cgi?id=80465

        Reviewed by Gavin Barraclough.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2012-03-12  Zeno Albisser  <zeno@webkit.org>

        [Qt][Mac] Build fails after enabling LLINT when JIT is disabled (r109863)
        https://bugs.webkit.org/show_bug.cgi?id=80827

        Qt on Mac uses OS(DARWIN) as well, but we do not want to enable LLINT.

        Reviewed by Simon Hausmann.

        * wtf/Platform.h:

2012-03-12  Simon Hausmann  <simon.hausmann@nokia.com>

        Unreviewed prospective Qt/Mac build fix

        * runtime/JSGlobalData.cpp: use #USE(CF) instead of PLATFORM(MAC) to determine
        whether to include CoreFoundation headers, used for JIT configuration in JSGlobalData
        constructor.

2012-03-12  Filip Pizlo  <fpizlo@apple.com>

        All DFG nodes should have a mutable set of flags
        https://bugs.webkit.org/show_bug.cgi?id=80779
        <rdar://problem/11026218>

        Reviewed by Gavin Barraclough.
        
        Got rid of NodeId, and placed all of the flags that distinguished NodeId
        from NodeType into a separate Node::flags field. Combined what was previously
        ArithNodeFlags into Node::flags.
        
        In the process of debugging, I found that the debug support in the virtual
        register allocator was lacking, so I improved it. I also realized that the
        virtual register allocator was assuming that the nodes in a basic block were
        contiguous, which is no longer the case. So I fixed that. The fix also made
        it natural to have more extreme assertions, so I added them. I suspect this
        will make it easier to catch virtual register allocation bugs in the future.
        
        This is mostly performance neutral; if anything it looks like a slight
        speed-up.
        
        This patch does leave some work for future refactorings; for example, Node::op
        is unencapsulated. This was already the case, though now it feels even more
        like it should be. I avoided doing that because this patch has already grown
        way bigger than I wanted.
        
        Finally, this patch creates a DFGNode.cpp file and makes a slight effort to
        move some unnecessarily inline stuff out of DFGNode.h.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        (JSC::DFG::ArithNodeFlagsInferencePhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::clobbersWorld):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (CSEPhase):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::opName):
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGNode.cpp: Added.
        (DFG):
        (JSC::DFG::arithNodeFlagsAsString):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        (JSC::DFG::nodeCanTruncateInteger):
        (JSC::DFG::nodeCanIgnoreNegativeZero):
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeCanSpeculateInteger):
        (JSC::DFG::defaultFlags):
        (JSC::DFG::Node::Node):
        (Node):
        (JSC::DFG::Node::setOpAndDefaultFlags):
        (JSC::DFG::Node::mustGenerate):
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::setArithNodeFlag):
        (JSC::DFG::Node::mergeArithNodeFlags):
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::hasInt32Result):
        (JSC::DFG::Node::hasNumberResult):
        (JSC::DFG::Node::hasJSResult):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::isJump):
        (JSC::DFG::Node::isBranch):
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGScoreBoard.h:
        (ScoreBoard):
        (JSC::DFG::ScoreBoard::~ScoreBoard):
        (JSC::DFG::ScoreBoard::assertClear):
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-03-10  Filip Pizlo  <fpizlo@apple.com>

        LLInt should support JSVALUE64
        https://bugs.webkit.org/show_bug.cgi?id=79609
        <rdar://problem/10063437>

        Reviewed by Gavin Barraclough and Oliver Hunt.
        
        Ported the LLInt, which previously only worked on 32-bit, to 64-bit. This
        patch moves a fair bit of code from LowLevelInterpreter32_64.asm to the common
        file, LowLevelInterpreter.asm. About 1/3 of the LLInt did not have to be
        specialized for value representation.
        
        Also made some minor changes to offlineasm and the slow-paths.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntEntrypoints.cpp:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        (SlowPathReturnType):
        (JSC::LLInt::SlowPathReturnType::SlowPathReturnType):
        (JSC::LLInt::encodeResult):
        * llint/LLIntThunks.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/armv7.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/parser.rb:
        * offlineasm/registers.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:
        * wtf/Platform.h:

2012-03-10  Yong Li  <yoli@rim.com>

        Web Worker crashes with WX_EXCLUSIVE
        https://bugs.webkit.org/show_bug.cgi?id=80532

        Let each JS global object own a meta allocator
        for WX_EXCLUSIVE to avoid conflicts from Web Worker.
        Also fix a mutex leak in MetaAllocator's dtor.

        Reviewed by Filip Pizlo.

        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
        (DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
        (JSC::DemandExecutableAllocator::allocateNewSpace):
        (JSC::DemandExecutableAllocator::allocators):
        (JSC::DemandExecutableAllocator::allocatorsMutex):
        (JSC):
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocator.h:
        (JSC):
        (ExecutableAllocator):
        (JSC::ExecutableAllocator::allocator):
        * wtf/MetaAllocator.h:
        (WTF::MetaAllocator::~MetaAllocator): Finalize the spin lock.
        * wtf/TCSpinLock.h:
        (TCMalloc_SpinLock::Finalize): Add empty Finalize() to some implementations.

2012-03-09  Gavin Barraclough  <barraclough@apple.com>

        Object.freeze broken on latest Nightly
        https://bugs.webkit.org/show_bug.cgi?id=80577

        Reviewed by Oliver Hunt.

        The problem here is that deleteProperty rejects deletion of prototype.
        This is correct in most cases, however defineOwnPropery is presently
        implemented internally to ensure the attributes change by deleting the
        old property, and creating a new one.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::deleteProperty):
            - If deletePropery is called via defineOwnPropery, allow old prototype to be removed.

2012-03-09  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype.toLocaleString visits elements in wrong order under certain conditions
        https://bugs.webkit.org/show_bug.cgi?id=80663

        Reviewed by Michael Saboff.

        The bug here is actually that we're continuing to process the array after an exception
        has been thrown, and that the second value throw is overriding the first.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):

2012-03-09  Ryosuke Niwa  <rniwa@webkit.org>

        WebKit compiled by gcc (Xcode 3.2.6) hangs while running DOM/Accessors.html
        https://bugs.webkit.org/show_bug.cgi?id=80080

        Reviewed by Filip Pizlo.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingRegion::Locker::Locker):
        (JSC::SamplingRegion::Locker::~Locker):
        * bytecode/SamplingTool.h:
        (JSC::SamplingRegion::exchangeCurrent):
        * wtf/Atomics.h:
        (WTF):
        (WTF::weakCompareAndSwap):
        (WTF::weakCompareAndSwapUIntPtr):

2012-03-09  Gavin Barraclough  <barraclough@apple.com>

        REGRESSION: Date.parse("Tue Nov 23 20:40:05 2010 GMT") returns NaN
        https://bugs.webkit.org/show_bug.cgi?id=49989

        Reviewed by Oliver Hunt.

        Patch originally by chris reiss <christopher.reiss@nokia.com>,
        allow the year to appear before the timezone in date strings.

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters):

2012-03-09  Mark Rowe  <mrowe@apple.com>

        Ensure that the WTF headers are copied at installhdrs time.

        Reviewed by Dan Bernstein and Jessie Berlin.

        * Configurations/JavaScriptCore.xcconfig: Set INSTALLHDRS_SCRIPT_PHASE = YES
        so that our script phases are invoked at installhdrs time. The only one that
        does any useful work at that time is the one that installs WTF headers.

2012-03-09  Jon Lee  <jonlee@apple.com>

        Add support for ENABLE(LEGACY_NOTIFICATIONS)
        https://bugs.webkit.org/show_bug.cgi?id=80497

        Reviewed by Adam Barth.

        Prep for b80472: Update API for Web Notifications
        * Configurations/FeatureDefines.xcconfig:

2012-03-09  Ashod Nakashian  <ashodnakashian@yahoo.com>

        Bash scripts should support LF endings only
        https://bugs.webkit.org/show_bug.cgi?id=79509

        Reviewed by David Kilzer.

        * gyp/generate-derived-sources.sh: Added property svn:eol-style.
        * gyp/run-if-exists.sh: Added property svn:eol-style.
        * gyp/update-info-plist.sh: Added property svn:eol-style.

2012-03-09  Jessie Berlin  <jberlin@apple.com>

        Windows debug build fix.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        Fix unreachable code warnings (which we treat as errors).

2012-03-09  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Zoltan Herczeg.

        [Qt] Fix the SH4 build after r109834
        https://bugs.webkit.org/show_bug.cgi?id=80492

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchSub32):

2012-03-09  Andy Wingo  <wingo@igalia.com>

        Refactor code feature analysis in the parser
        https://bugs.webkit.org/show_bug.cgi?id=79112

        Reviewed by Geoffrey Garen.

        This commit refactors the parser to more uniformly propagate flag
        bits down and up the parse process, as the parser descends and
        returns into nested blocks.  Some flags get passed town to
        subscopes, some apply to specific scopes only, and some get
        unioned up after parsing subscopes.

        The goal is to eventually be very precise with scoping
        information, once we have block scopes: one block scope might use
        `eval', which would require the emission of a symbol table within
        that block and containing blocks, whereas another block in the
        same function might not, allowing us to not emit a symbol table.

        * parser/Nodes.h:
        (JSC::ScopeFlags): Rename from CodeFeatures.
        (JSC::ScopeNode::addScopeFlags):
        (JSC::ScopeNode::scopeFlags): New accessors for m_scopeFlags.
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::usesEval):
        (JSC::ScopeNode::usesArguments):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::needsActivationForMoreThanVariables):
        (JSC::ScopeNode::needsActivation): Refactor these accessors to
        operate on the m_scopeFlags member.
        (JSC::ScopeNode::source):
        (JSC::ScopeNode::sourceURL):
        (JSC::ScopeNode::sourceID): Shuffle these definitions around; no
        semantic change.
        (JSC::ScopeNode::ScopeNode)
        (JSC::ProgramNode::ProgramNode)
        (JSC::EvalNode::EvalNode)
        (JSC::FunctionBodyNode::FunctionBodyNode): Have these constructors
        take a ScopeFlags as an argument, instead of a bool inStrictContext.

        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::EvalNode):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::create): Adapt constructors to change.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::thisExpr):
        (JSC::ASTBuilder::createResolve):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::createTryStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::addVar):
        (JSC::ASTBuilder::Scope::Scope):
        (Scope):
        (ASTBuilder):
        (JSC::ASTBuilder::makeFunctionCallNode): Don't track scope
        features here.  Instead rely on the base Parser mechanism to track
        features.

        * parser/NodeInfo.h (NodeInfo, NodeDeclarationInfo): "ScopeFlags".

        * parser/Parser.h:
        (JSC::Scope::Scope): Manage scope through flags, not
        bit-booleans.  This lets us uniformly propagate them up and down.
        (JSC::Scope::declareWrite):
        (JSC::Scope::declareParameter):
        (JSC::Scope::useVariable):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::getCapturedVariables):
        (JSC::Scope::saveFunctionInfo):
        (JSC::Scope::restoreFunctionInfo):
        (JSC::Parser::pushScope): Adapt to use scope flags and their
        accessors instead of bit-booleans.
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseInner):
        (JSC::::didFinishParsing):
        (JSC::::parseSourceElements):
        (JSC::::parseVarDeclarationList):
        (JSC::::parseConstDeclarationList):
        (JSC::::parseWithStatement):
        (JSC::::parseTryStatement):
        (JSC::::parseFunctionBody):
        (JSC::::parseFunctionInfo):
        (JSC::::parseFunctionDeclaration):
        (JSC::::parsePrimaryExpression): Hoist some of the flag handling
        out of the "context" (ASTBuilder or SyntaxChecker) and to here.
        Does not seem to have a performance impact.

        * parser/SourceProviderCacheItem.h (SourceProviderCacheItem):
        Cache the scopeflags.
        * parser/SyntaxChecker.h: Remove evalCount() decl.

        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::usesEval):
        (JSC::ScriptExecutable::usesArguments):
        (JSC::ScriptExecutable::needsActivation):
        (JSC::ScriptExecutable::isStrictMode):
        (JSC::ScriptExecutable::recordParse):
        (ScriptExecutable): ScopeFlags, not features.

2012-03-08  Benjamin Poulain  <bpoulain@apple.com>

        Build fix for MSVC after r110266

        Unreviewed. A #ifdef for MSVC was left over in r110266.

        * runtime/RegExpObject.h:
        (RegExpObject):

2012-03-08  Benjamin Poulain  <bpoulain@apple.com>

        Allocate the RegExpObject's data with the Cell
        https://bugs.webkit.org/show_bug.cgi?id=80654

        Reviewed by Gavin Barraclough.

        This patch removes the creation of RegExpObject's data to avoid the overhead
        create by the allocation and destruction.

        We RegExp are created repeatedly, this provides some performance improvment.
        The PeaceKeeper test stringDetectBrowser improves by 10%.

        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::visitChildren):
        (JSC::RegExpObject::getOwnPropertyDescriptor):
        (JSC::RegExpObject::defineOwnProperty):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setRegExp):
        (JSC::RegExpObject::regExp):
        (JSC::RegExpObject::setLastIndex):
        (JSC::RegExpObject::getLastIndex):
        (RegExpObject):

2012-03-08  Steve Falkenburg  <sfalken@apple.com>

        Separate WTF parts of JavaScriptCoreGenerated into WTFGenerated for Windows build
        https://bugs.webkit.org/show_bug.cgi?id=80657
        
        Preparation for WTF separation from JavaScriptCore.
        The "Generated" vcproj files on Windows are necessary so Visual Studio can calculate correct
        dependencies for generated files.
        
        This also removes the PGO build targets from the WTF code, since we can't build instrumentation/optimization
        versions of the WTF code independent of the JavaScriptCore code.

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Add WTFGenerated, update dependent projects.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/build-generated-files.sh: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/work-around-vs-dependency-tracking-bugs.py: Removed.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Add WTFGenerated, update dependent projects.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Remove PGO targets from WTF.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.make: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.vcproj: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedCommon.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedCommon.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebug.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugAll.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugCairoCFLite.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedProduction.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedRelease.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedReleaseCairoCFLite.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFReleasePGO.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/build-generated-files.sh: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/build-generated-files.sh.
        * JavaScriptCore.vcproj/WTF/copy-files.cmd: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd.
        * JavaScriptCore.vcproj/WTF/work-around-vs-dependency-tracking-bugs.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/work-around-vs-dependency-tracking-bugs.py.

2012-03-08  Benjamin Poulain  <benjamin@webkit.org>

        Fix the build of WebKit with WTFURL following the removal of ForwardingHeaders/wtf
        https://bugs.webkit.org/show_bug.cgi?id=80652

        Reviewed by Eric Seidel.

        Fix the header, URLSegments.h is not part of the API.

        * wtf/url/api/ParsedURL.h:

2012-03-08  Ryosuke Niwa  <rniwa@webkit.org>

        Mac build fix for micro data API.

        * Configurations/FeatureDefines.xcconfig:

2012-03-08  Gavin Barraclough  <barraclough@apple.com>

        String.prototype.match and replace do not clear global regexp lastIndex per ES5.1 15.5.4.10
        https://bugs.webkit.org/show_bug.cgi?id=26890

        Reviewed by Oliver Hunt.

        Per 15.10.6.2 step 9.a.1 called via the action of the last iteration of 15.5.4.10 8.f.i.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
            - added calls to setLastIndex.

2012-03-08  Matt Lilek  <mrl@apple.com>

        Don't enable VIDEO_TRACK on all OS X platforms
        https://bugs.webkit.org/show_bug.cgi?id=80635

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2012-03-08  Oliver Hunt  <oliver@apple.com>

        Build fix.  That day is not today.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):

2012-03-08  Oliver Hunt  <oliver@apple.com>

        Build fix. One of these days I'll manage to commit something that works everywhere.

        * assembler/AbstractMacroAssembler.h:
        (AbstractMacroAssembler):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):
        (MacroAssemblerX86Common):

2012-03-08  Chao-ying Fu  <fu@mips.com>

        Update MIPS patchOffsetGetByIdSlowCaseCall
        https://bugs.webkit.org/show_bug.cgi?id=80302

        Reviewed by Oliver Hunt.

        * jit/JIT.h:
        (JIT):

2012-03-08  Oliver Hunt  <oliver@apple.com>

        Missing some places where we should be blinding 64bit values (and blinding something we shouldn't)
        https://bugs.webkit.org/show_bug.cgi?id=80633

        Reviewed by Gavin Barraclough.

        Add 64-bit trap for shouldBlindForSpecificArch, so that we always blind
        if there isn't a machine specific implementation (otherwise the 64bit value
        got truncated and 32bit checks were used -- leaving 32bits untested).
        Also add a bit of logic to ensure that we don't try to blind a few common
        constants that go through the ImmPtr paths -- encoded numeric JSValues and
        unencoded doubles with common "safe" values.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindDouble):
        (MacroAssembler):
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):

2012-03-08  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/11012572> Ensure that the staged frameworks path is in the search path for JavaScriptCore

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2012-03-08  Steve Falkenburg  <sfalken@apple.com>

        Fix line endings for copy-files.cmd.
        
        If a cmd file doesn't have Windows line endings, it doesn't work properly.
        In this case, the label :clean wasn't found, breaking the clean build.
        
        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:

2012-03-07  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA incorrectly handles ValueToInt32
        https://bugs.webkit.org/show_bug.cgi?id=80568

        Reviewed by Gavin Barraclough.
        
        Changed it match exactly the decision pattern used in
        DFG::SpeculativeJIT::compileValueToInt32

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2012-03-08  Viatcheslav Ostapenko  <ostapenko.viatcheslav@nokia.com>

        [Qt] [WK2] Webkit fails to link when compiled with force_static_libs_as_shared
        https://bugs.webkit.org/show_bug.cgi?id=80524

        Reviewed by Simon Hausmann.

        Move IdentifierTable methods defintion to WTFThreadData.cpp to fix linking 
        of WTF library.

        * runtime/Identifier.cpp:
        * wtf/WTFThreadData.cpp:
        (JSC):
        (JSC::IdentifierTable::~IdentifierTable):
        (JSC::IdentifierTable::add):

2012-03-08  Filip Pizlo  <fpizlo@apple.com>

        DFG instruction count threshold should be lifted to 10000
        https://bugs.webkit.org/show_bug.cgi?id=80579

        Reviewed by Gavin Barraclough.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):

2012-03-07  Filip Pizlo  <fpizlo@apple.com>

        Incorrect tracking of abstract values of variables forced double
        https://bugs.webkit.org/show_bug.cgi?id=80566
        <rdar://problem/11001442>

        Reviewed by Gavin Barraclough.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::mergeStateAtTail):

2012-03-07  Chao-yng Fu  <fu@mips.com>

        [Qt] Fix the MIPS/SH4 build after r109834
        https://bugs.webkit.org/show_bug.cgi?id=80492

        Reviewed by Oliver Hunt.

        Implement three-argument branch(Add,Sub)32.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::sub32):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchSub32):

2012-03-07  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r110127.
        http://trac.webkit.org/changeset/110127
        https://bugs.webkit.org/show_bug.cgi?id=80562

        compile failed on AppleWin (Requested by ukai on #webkit).

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/Heap.h:
        (JSC):
        (Heap):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::finalize):
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::create):
        * runtime/JSGlobalData.cpp:
        (WTF):
        (Recompiler):
        (WTF::Recompiler::operator()):
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):

2012-03-07  Hojong Han  <hojong.han@samsung.com>

        The end atom of the marked block considered to filter invalid cells
        https://bugs.webkit.org/show_bug.cgi?id=79191

        Reviewed by Geoffrey Garen.

        Register file could have stale pointers beyond the end atom of marked block.
        Those pointers can weasel out of filtering in-middle-of-cell pointer.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLiveCell):

2012-03-07  Jessie Berlin  <jberlin@apple.com>

        Clean Windows build fails after r110033
        https://bugs.webkit.org/show_bug.cgi?id=80553

        Rubber-stamped by Jon Honeycutt and Eric Seidel.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        Place the implementation files next to their header files in the wtf/text subdirectory.
        Use echo -F to tell xcopy that these are files (since there is apparently no flag).
        * JavaScriptCore.vcproj/jsc/jsc.vcproj:
        Update the path to those implementation files.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj:
        Ditto.

2012-03-07  Yuqiang Xian  <yuqiang.xian@intel.com>

        Eliminate redundant Phis in DFG
        https://bugs.webkit.org/show_bug.cgi?id=80415

        Reviewed by Filip Pizlo.

        Although this may not have any advantage at current stage, this is towards
        minimal SSA to make more high level optimizations (like bug 76770) easier.
        We have the choices either to build minimal SSA from scratch or to
        keep current simple Phi insertion mechanism and remove the redundancy
        in another phase. Currently we choose the latter because the change
        could be smaller.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGRedundantPhiEliminationPhase.cpp: Added.
        (DFG):
        (RedundantPhiEliminationPhase):
        (JSC::DFG::RedundantPhiEliminationPhase::RedundantPhiEliminationPhase):
        (JSC::DFG::RedundantPhiEliminationPhase::run):
        (JSC::DFG::RedundantPhiEliminationPhase::getRedundantReplacement):
        (JSC::DFG::RedundantPhiEliminationPhase::replacePhiChild):
        (JSC::DFG::RedundantPhiEliminationPhase::fixupPhis):
        (JSC::DFG::RedundantPhiEliminationPhase::updateBlockVariableInformation):
        (JSC::DFG::performRedundantPhiElimination):
        * dfg/DFGRedundantPhiEliminationPhase.h: Added.
        (DFG):

2012-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor recompileAllJSFunctions() to be less expensive
        https://bugs.webkit.org/show_bug.cgi?id=80330

        Reviewed by Geoffrey Garen.

        This change is performance neutral on the JS benchmarks we track. It's mostly to improve page 
        load performance, which currently does at least a couple full GCs per navigation.

        * heap/Heap.cpp:
        (JSC::Heap::discardAllCompiledCode): Rename recompileAllJSFunctions to discardAllCompiledCode 
        because the function doesn't actually recompile anything (and never did); it simply throws code
        away for it to be recompiled later if we determine we should do so.
        (JSC):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::addFunctionExecutable): Adds a newly created FunctionExecutable to the Heap's list.
        (JSC::Heap::removeFunctionExecutable): Removes the specified FunctionExecutable from the Heap's list.
        * heap/Heap.h:
        (JSC):
        (Heap):
        * runtime/Executable.cpp: Added next and prev fields to FunctionExecutables so that they can 
        be used in DoublyLinkedLists.
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::finalize): Removes the FunctionExecutable from the Heap's list.
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::create): Adds the FunctionExecutable to the Heap's list.
        * runtime/JSGlobalData.cpp: Remove recompileAllJSFunctions, as it's the Heap's job to own and manage 
        the list of FunctionExecutables.
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Use the new discardAllCompiledCode.

2012-03-06  Oliver Hunt  <oliver@apple.com>

        Further harden 64-bit JIT
        https://bugs.webkit.org/show_bug.cgi?id=80457

        Reviewed by Filip Pizlo.

        This patch implements blinding for ImmPtr.  Rather than xor based blinding
        we perform randomised pointer rotations in order to avoid the significant
        cost in executable memory that would otherwise be necessary (and to avoid
        the need for an additional scratch register in some cases).

        As with the prior blinding patch there's a moderate amount of noise as we
        correct the use of ImmPtr vs. TrustedImmPtr.

        * assembler/AbstractMacroAssembler.h:
        (ImmPtr):
        (JSC::AbstractMacroAssembler::ImmPtr::asTrustedImmPtr):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::shouldBlind):
        (JSC::MacroAssembler::RotatedImmPtr::RotatedImmPtr):
        (RotatedImmPtr):
        (JSC::MacroAssembler::rotationBlindConstant):
        (JSC::MacroAssembler::loadRotationBlindedConstant):
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::move):
        (JSC::MacroAssembler::poke):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeDouble):
        (JSC::MacroAssemblerARMv7::branchAdd32):
        * assembler/MacroAssemblerX86_64.h:
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::rotateRightPtr):
        (JSC::MacroAssemblerX86_64::xorPtr):
        * assembler/X86Assembler.h:
        (X86Assembler):
        (JSC::X86Assembler::xorq_rm):
        (JSC::X86Assembler::rorq_i8r):
        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentFillGPR):
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitEdgeCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_post_inc):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        (JSC::JIT::emitGetVirtualRegister):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emit_op_ensure_property_exists):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emit_op_jmp_scopes):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_throw_reference_error):
        (JSC::JIT::emit_op_debug):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emitSlow_op_new_array):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emit_op_ensure_property_exists):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emit_op_jmp_scopes):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_index):
        * jit/JITStubCall.h:
        (JITStubCall):
        (JSC::JITStubCall::addArgument):

2012-03-07  Simon Hausmann  <simon.hausmann@nokia.com>

        ARM build fix.

        Reviewed by Zoltan Herczeg.

        Implement three-argument branch(Add,Sub)32.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::branchSub32):

2012-03-07  Andy Wingo  <wingo@igalia.com>

        Parser: Inline ScopeNodeData into ScopeNode
        https://bugs.webkit.org/show_bug.cgi?id=79776

        Reviewed by Geoffrey Garen.

        It used to be that some ScopeNode members were kept in a separate
        structure because sometimes they wouldn't be needed, and
        allocating a ParserArena was expensive.  This patch makes
        ParserArena lazily allocate its IdentifierArena, allowing the
        members to be included directly, which is simpler and easier to
        reason about.

        * parser/ParserArena.cpp:
        (JSC::ParserArena::ParserArena):
        (JSC::ParserArena::reset):
        (JSC::ParserArena::isEmpty):
        * parser/ParserArena.h:
        (JSC::ParserArena::identifierArena): Lazily allocate the
        IdentifierArena.

        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ScopeNode::singleStatement):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::create):
        * parser/Nodes.h:
        (JSC::ScopeNode::destroyData):
        (JSC::ScopeNode::needsActivationForMoreThanVariables):
        (JSC::ScopeNode::needsActivation):
        (JSC::ScopeNode::hasCapturedVariables):
        (JSC::ScopeNode::capturedVariableCount):
        (JSC::ScopeNode::captures):
        (JSC::ScopeNode::varStack):
        (JSC::ScopeNode::functionStack):
        (JSC::ScopeNode::neededConstants):
        (ScopeNode):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ScopeNode::emitStatementsBytecode): Inline ScopeNodeData
        into ScopeNode.  Adapt accessors.

2012-03-06  Eric Seidel  <eric@webkit.org>

        Make WTF public headers use fully-qualified include paths and remove ForwardingHeaders/wtf
        https://bugs.webkit.org/show_bug.cgi?id=80363

        Reviewed by Mark Rowe.

        Historically WTF has been part of JavaScriptCore, and on Mac and Windows
        its headers have appeared as part of the "private" headers exported by
        JavaScriptCore.  All of the WTF headers there are "flattened" into a single
        private headers directory, and WebCore, WebKit and WebKit2 have used "ForwardingHeaders"
        to re-map fully-qualified <wtf/text/Foo.h> includes to simple <JavaScriptCore/Foo.h> includes.

        However, very soon, we are moving the WTF source code out of JavaScriptCore into its
        own directory and project.  As part of such, the WTF headers will no longer be part of
        the JavaScriptCore private interfaces.
        In preparation for that, this change makes both the Mac and Win builds export
        WTF headers in a non-flattened manner.  On Mac, that means into usr/local/include/wtf
        (and subdirectories), on Windows for now that means JavaScriptCore/wtf (and subdirectories).

        There are 5 parts to this change.
        1.  Updates the JavaScriptCore XCode and VCProj files to actually install these headers
            (and header directories) into the appropriate places in the build directory.
        2.  Updates JavaScriptCore.xcodeproj to look for these WTF headers in this install location
            (WebCore, WebKit, etc. had already been taught to look in previous patches).
        3.  Fixes all JavaScriptCore source files, and WTF headers to include WTF headers
            using fully qualified paths.
        4.  Stops the Mac and Win builds from installing these WTF headers in their old "flattened" location.
        5.  Removes WebCore and WebKit ForwardingHeaders/wtf directories now that the flattened headers no longer exist.

        Unfortunately we see no way to do this change in smaller parts, since all of these steps are interdependant.
        It is possible there are internal Apple projects which depend on JavaScriptCore/Foo.h working for WTF
        headers, those will have to be updated to use <wtf/Foo.h> after this change.
        I've discussed this proposed change at length with Mark Rowe, and my understanding is they
        are ready for (and interested in) this change happening.

        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * Configurations/Base.xcconfig:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerCodeRef.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGOperations.cpp:
        * heap/GCAssertions.h:
        * heap/HandleHeap.h:
        * heap/HandleStack.h:
        * heap/MarkedSpace.h:
        * heap/PassWeak.h:
        * heap/Strong.h:
        * heap/Weak.h:
        * jit/HostCallReturnValue.cpp:
        * jit/JIT.cpp:
        * jit/JITStubs.cpp:
        * jit/ThunkGenerators.cpp:
        * parser/Lexer.cpp:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSStringBuilder.h:
        * runtime/JSVariableObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/WriteBarrier.h:
        * tools/CodeProfile.cpp:
        * tools/TieredMMapArray.h:
        * wtf/AVLTree.h:
        * wtf/Alignment.h:
        * wtf/AlwaysInline.h:
        * wtf/ArrayBufferView.h:
        * wtf/Assertions.h:
        * wtf/Atomics.h:
        * wtf/Bitmap.h:
        * wtf/BoundsCheckedPointer.h:
        * wtf/CheckedArithmetic.h:
        * wtf/Deque.h:
        * wtf/ExportMacros.h:
        * wtf/FastAllocBase.h:
        * wtf/FastMalloc.h:
        * wtf/Float32Array.h:
        * wtf/Float64Array.h:
        * wtf/Functional.h:
        * wtf/HashCountedSet.h:
        * wtf/HashFunctions.h:
        * wtf/HashMap.h:
        * wtf/HashSet.h:
        * wtf/HashTable.h:
        * wtf/HashTraits.h:
        * wtf/Int16Array.h:
        * wtf/Int32Array.h:
        * wtf/Int8Array.h:
        * wtf/IntegralTypedArrayBase.h:
        * wtf/ListHashSet.h:
        * wtf/MainThread.h:
        * wtf/MetaAllocator.h:
        * wtf/Noncopyable.h:
        * wtf/OwnArrayPtr.h:
        * wtf/OwnPtr.h:
        * wtf/PackedIntVector.h:
        * wtf/ParallelJobs.h:
        * wtf/PassOwnArrayPtr.h:
        * wtf/PassOwnPtr.h:
        * wtf/PassRefPtr.h:
        * wtf/PassTraits.h:
        * wtf/Platform.h:
        * wtf/PossiblyNull.h:
        * wtf/RefCounted.h:
        * wtf/RefCountedLeakCounter.h:
        * wtf/RefPtr.h:
        * wtf/RetainPtr.h:
        * wtf/SimpleStats.h:
        * wtf/Spectrum.h:
        * wtf/StdLibExtras.h:
        * wtf/TCPageMap.h:
        * wtf/TemporaryChange.h:
        * wtf/ThreadSafeRefCounted.h:
        * wtf/Threading.h:
        * wtf/ThreadingPrimitives.h:
        * wtf/TypeTraits.h:
        * wtf/TypedArrayBase.h:
        * wtf/Uint16Array.h:
        * wtf/Uint32Array.h:
        * wtf/Uint8Array.h:
        * wtf/Uint8ClampedArray.h:
        * wtf/UnusedParam.h:
        * wtf/Vector.h:
        * wtf/VectorTraits.h:
        * wtf/dtoa/double-conversion.h:
        * wtf/dtoa/utils.h:
        * wtf/gobject/GRefPtr.h:
        * wtf/gobject/GlibUtilities.h:
        * wtf/text/AtomicString.h:
        * wtf/text/AtomicStringImpl.h:
        * wtf/text/CString.h:
        * wtf/text/StringConcatenate.h:
        * wtf/text/StringHash.h:
        * wtf/text/WTFString.h:
        * wtf/unicode/CharacterNames.h:
        * wtf/unicode/UTF8.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:
        * wtf/url/api/ParsedURL.h:
        * wtf/url/api/URLString.h:
        * wtf/wince/FastMallocWinCE.h:
        * yarr/YarrJIT.cpp:

2012-03-06  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype functions should throw if delete fails
        https://bugs.webkit.org/show_bug.cgi?id=80467

        Reviewed by Oliver Hunt.

        All calls to [[Delete]] from Array.prototype are specified to pass 'true' as the value of Throw.
        In the case of shift/unshift, these are also missing a throw from the 'put' in the implementations
        in JSArray.cpp. There are effectively three copies of each of the generic shift/unshift routines,
        one in splice, one in ArrayPrototype's shift/unshift methods, and one in JSArray's shift/unshift
        routines, for handling arrays with holes. These three copies should be unified.

        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
            - Added - shared copies of the shift/unshift functionality.
        (JSC::arrayProtoFuncPop):
            - should throw if the delete fails.
        (JSC::arrayProtoFuncReverse):
            - should throw if the delete fails.
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
            - use shift/unshift.
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCount):
        (JSC::JSArray::unshiftCount):
            - Don't try to handle arrays with holes; return a value indicating
              the generic routine should be used instead.
        * runtime/JSArray.h:
            - declaration for shiftCount/unshiftCount changed.
        * tests/mozilla/js1_6/Array/regress-304828.js:
            - this was asserting incorrect behaviour.

2012-03-06  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Make the removal of transitive library dependencies work with CMake < 2.8.7.
        https://bugs.webkit.org/show_bug.cgi?id=80469

        Reviewed by Antonio Gomes.

        * CMakeLists.txt: Manually set the LINK_INTERFACE_LIBRARIES target
        property on the library being created.

2012-03-06  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG BasicBlock should group the Phi nodes together and separate them
        from the other nodes
        https://bugs.webkit.org/show_bug.cgi?id=80361

        Reviewed by Filip Pizlo.

        This would make it more efficient to remove the redundant Phi nodes or
        insert new Phi nodes for SSA, besides providing a cleaner BasicBlock structure.
        This is performance neutral on SunSpider, V8 and Kraken.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::clobberStructures):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getScopeChainLoadElimination):
        (JSC::DFG::CSEPhase::performBlockCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        GCActivityCallback timer should vary with the length of the previous GC
        https://bugs.webkit.org/show_bug.cgi?id=80344

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp: Gave Heap the ability to keep track of the length of its last 
        GC length so that the GC Activity Callback can use it.
        (JSC::Heap::Heap):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::lastGCLength):
        (Heap):
        * runtime/GCActivityCallbackCF.cpp:
        (JSC):
        (JSC::DefaultGCActivityCallback::operator()): Use the length of the Heap's last 
        GC to determine the length of our timer trigger (currently set at 100x the duration 
        of the last GC).

2012-03-06  Rob Buis  <rbuis@rim.com>

        BlackBerry] Fix cast-align gcc warnings when compiling JSC
        https://bugs.webkit.org/show_bug.cgi?id=80420

        Reviewed by Gavin Barraclough.

        Fix warnings given in Blackberry build.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::CopiedBlock):
        * wtf/RefCountedArray.h:
        (WTF::RefCountedArray::Header::fromPayload):

2012-03-06  Gavin Barraclough  <barraclough@apple.com>

        writable/configurable not respected for some properties of Function/String/Arguments
        https://bugs.webkit.org/show_bug.cgi?id=80436

        Reviewed by Oliver Hunt.

        Special properties should behave like regular properties.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
            - Mis-nested logic for making read-only properties non-live.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
            - arguments/length/caller are non-writable, non-configurable - reject appropriately.
        (JSC::JSFunction::deleteProperty):
            - Attempting to delete prototype/caller should fail.
        (JSC::JSFunction::defineOwnProperty):
            - Ensure prototype is reified on attempt to reify it.
            - arguments/length/caller are non-writable, non-configurable - reject appropriately.
        * runtime/JSFunction.h:
            - added declaration for defineOwnProperty.
        (JSFunction):
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
            - length is non-writable, non-configurable - reject appropriately.

2012-03-06  Ulan Degenbaev  <ulan@chromium.org>

        TypedArray subarray call for subarray does not clamp the end index parameter properly
        https://bugs.webkit.org/show_bug.cgi?id=80285

        Reviewed by Kenneth Russell.

        * wtf/ArrayBufferView.h:
        (WTF::ArrayBufferView::calculateOffsetAndLength):

2012-03-06  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r109837.
        http://trac.webkit.org/changeset/109837
        https://bugs.webkit.org/show_bug.cgi?id=80399

        breaks Mac Productions builds, too late to try and fix it
        tonight (Requested by eseidel on #webkit).

        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * Configurations/Base.xcconfig:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerCodeRef.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGOperations.cpp:
        * heap/GCAssertions.h:
        * heap/HandleHeap.h:
        * heap/HandleStack.h:
        * heap/MarkedSpace.h:
        * heap/PassWeak.h:
        * heap/Strong.h:
        * heap/Weak.h:
        * jit/HostCallReturnValue.cpp:
        * jit/JIT.cpp:
        * jit/JITStubs.cpp:
        * jit/ThunkGenerators.cpp:
        * parser/Lexer.cpp:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSStringBuilder.h:
        * runtime/JSVariableObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/WriteBarrier.h:
        * tools/CodeProfile.cpp:
        * tools/TieredMMapArray.h:
        * yarr/YarrJIT.cpp:

2012-03-06  Zoltan Herczeg  <zherczeg@webkit.org>

        [Qt][ARM] Speculative buildfix after r109834.

        Reviewed by Csaba Osztrogonác.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::and32):
        (MacroAssemblerARM):

2012-03-05  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed windows build fix pt 2.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-05  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed windows build fix pt 1.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-05  Gavin Barraclough  <barraclough@apple.com>

        putByIndex should throw in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=80335

        Reviewed by Filip Pizlo.

        Make the MethodTable PutByIndex trap take a boolean 'shouldThrow' parameter.

        This is a largely mechanical change, simply adding an extra parameter to a number
        of functions. Some call sites need perform additional exception checks, and
        operationPutByValBeyondArrayBounds needs to know whether it is strict or not.

        This patch doesn't fix a missing throw from some cases of shift/unshift (this is
        an existing bug), I'll follow up with a third patch to handle that.

        * API/JSObjectRef.cpp:
        (JSObjectSetPropertyAtIndex):
        * JSCTypedArrayStubs.h:
        (JSC):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/Arguments.h:
        (Arguments):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        * runtime/ClassInfo.h:
        (MethodTable):
        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::put):
        (JSC::JSArray::put):
        (JSC::JSArray::putByIndex):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCount):
        (JSC::JSArray::unshiftCount):
        * runtime/JSArray.h:
        (SparseArrayValueMap):
        (JSArray):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::putByIndex):
        * runtime/JSByteArray.h:
        (JSByteArray):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::putByIndex):
        * runtime/JSNotAnObject.h:
        (JSNotAnObject):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        * runtime/JSObject.h:
        (JSC::JSValue::putByIndex):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::fillArrayInstance):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::putByIndex):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):

2012-03-05  Yuqiang Xian  <yuqiang.xian@intel.com>

        PredictNone is incorrectly treated as isDoublePrediction
        https://bugs.webkit.org/show_bug.cgi?id=80365

        Reviewed by Filip Pizlo.

        Also it is incorrectly treated as isFixedIndexedStorageObjectPrediction.

        * bytecode/PredictedType.h:
        (JSC::isFixedIndexedStorageObjectPrediction):
        (JSC::isDoublePrediction):

2012-03-05  Filip Pizlo  <fpizlo@apple.com>

        The LLInt should work even when the JIT is disabled
        https://bugs.webkit.org/show_bug.cgi?id=80340
        <rdar://problem/10922235>

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITStubs.h:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.h:
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/Executable.h:
        (NativeExecutable):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::parse):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):
        * wtf/Platform.h:

2012-03-05  Yuqiang Xian  <yuqiang.xian@intel.com>

        Checks for dead variables are not sufficient when fixing the expected
        values in DFG OSR entry
        https://bugs.webkit.org/show_bug.cgi?id=80371

        Reviewed by Filip Pizlo.

        A dead variable should be identified when there's no node referencing it.
        But we currently failed to catch the case where there are some nodes
        referencing a variable but those nodes are actually not referenced by
        others so will be ignored in code generation. In such case we should
        also consider that variable to be a dead variable in the block and fix
        the expected values.
        This is performance neutral on SunSpider, V8 and Kraken.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):

2012-03-05  Oliver Hunt  <oliver@apple.com>

        Fix Qt build.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSub32Constant):

2012-03-05  Eric Seidel  <eric@webkit.org>

        Update JavaScriptCore files to use fully-qualified WTF include paths
        https://bugs.webkit.org/show_bug.cgi?id=79960

        Reviewed by Adam Barth.

        This change does 5 small/related things:
         1. Updates JavaScriptCore.xcodeproj to install WTF headers into $BUILD/usr/local/include
            (WebCore, WebKit were already setup to look there, but JavaScriptCore.xcodeproj
            was not installing headers there.)
         2. Makes JavaScriptCore targets include $BUILD/usr/local/include in their
            header search path, as that's where the WTF headers will be installed.
         3. Similarly updates JavaScriptCore.vcproj/copy-files.cmd to copy WTF headers to PrivateHeaders/wtf/*
            in addition to the current behavior of flattening all headers to PrivateHeaders/*.h.
         4. Updates a bunch of JSC files to use #include <wtf/Foo.h> instead of #include "Foo.h"
            since soon the WTF headers will not be part of the JavaScriptCore Xcode project.
         5. Makes build-webkit build the WTF XCode project by default.

        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * Configurations/Base.xcconfig:
        * assembler/MacroAssemblerCodeRef.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGOperations.cpp:
        * heap/GCAssertions.h:
        * heap/HandleHeap.h:
        * heap/HandleStack.h:
        * heap/MarkedSpace.h:
        * heap/PassWeak.h:
        * heap/Strong.h:
        * heap/Weak.h:
        * jit/HostCallReturnValue.cpp:
        * jit/JIT.cpp:
        * jit/JITStubs.cpp:
        * jit/ThunkGenerators.cpp:
        * parser/Lexer.cpp:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSStringBuilder.h:
        * runtime/JSVariableObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/WriteBarrier.h:
        * tools/CodeProfile.cpp:
        * tools/TieredMMapArray.h:
        * yarr/YarrJIT.cpp:

2012-03-05  Oliver Hunt  <oliver@apple.com>

        Add basic support for constant blinding to the JIT
        https://bugs.webkit.org/show_bug.cgi?id=80354

        Reviewed by Filip Pizlo.

        This patch adds basic constant blinding support to the JIT, at the
        MacroAssembler level.  This means all JITs in JSC (Yarr, baseline, and DFG)
        get constant blinding.  Woo!

        This patch only introduces blinding for Imm32, a later patch will do similar
        for ImmPtr.  In order to make misuse of Imm32 as a trusted type essentially
        impossible, we make TrustedImm32 a private parent of Imm32 and add an explicit
        accessor that's needed to access the actual value.  This also means you cannot
        accidentally pass an untrusted value to a function that does not perform
        blinding.

        To make everything work sensibly, this patch also corrects some code that was using
        Imm32 when TrustedImm32 could be used, and refactors a few callers that use
        untrusted immediates, so that they call slightly different varaints of the functions
        that they used previously.  This is largely necessary to deal with x86-32 not having
        sufficient registers to handle the additional work required when we choose to blind
        a constant.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Imm32::asTrustedImm32):
        (Imm32):
        (JSC::AbstractMacroAssembler::beginUninterruptedSequence):
        (JSC::AbstractMacroAssembler::endUninterruptedSequence):
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        (AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::inUninterruptedSequence):
        (JSC::AbstractMacroAssembler::random):
        (JSC::AbstractMacroAssembler::scratchRegisterForBlinding):
        (JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::addressForPoke):
        (MacroAssembler):
        (JSC::MacroAssembler::poke):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::branch32):
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::shouldBlind):
        (JSC::MacroAssembler::BlindedImm32::BlindedImm32):
        (BlindedImm32):
        (JSC::MacroAssembler::keyForConstant):
        (JSC::MacroAssembler::xorBlindConstant):
        (JSC::MacroAssembler::additionBlindedConstant):
        (JSC::MacroAssembler::andBlindedConstant):
        (JSC::MacroAssembler::orBlindedConstant):
        (JSC::MacroAssembler::loadXorBlindedConstant):
        (JSC::MacroAssembler::add32):
        (JSC::MacroAssembler::addPtr):
        (JSC::MacroAssembler::and32):
        (JSC::MacroAssembler::andPtr):
        (JSC::MacroAssembler::move):
        (JSC::MacroAssembler::or32):
        (JSC::MacroAssembler::store32):
        (JSC::MacroAssembler::sub32):
        (JSC::MacroAssembler::subPtr):
        (JSC::MacroAssembler::xor32):
        (JSC::MacroAssembler::branchAdd32):
        (JSC::MacroAssembler::branchMul32):
        (JSC::MacroAssembler::branchSub32):
        (JSC::MacroAssembler::trustedImm32ForShift):
        (JSC::MacroAssembler::lshift32):
        (JSC::MacroAssembler::rshift32):
        (JSC::MacroAssembler::urshift32):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::scratchRegisterForBlinding):
        (JSC::MacroAssemblerARMv7::shouldBlindForSpecificArch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branchSubPtr):
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::scratchRegisterForBlinding):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::compileBinaryArithOp):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emit_op_div):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitAdd32Constant):
        (JSC::JIT::emitSub32Constant):
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emit_op_div):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlineMethods.h:
        (JSC::JIT::updateTopCallFrame):
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        * jit/JITStubCall.h:
        (JITStubCall):
        (JSC::JITStubCall::addArgument):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::backtrack):

2012-03-05  Gavin Barraclough  <barraclough@apple.com>

        putByIndex should throw in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=80335

        Reviewed by Filip Pizlo.

        We'll need to pass an additional parameter.

        Part 1 - rename JSValue::put() for integer indices to JSValue::putByIndex()
        to match the method in the MethodTable, make this take a parameter indicating
        whether the put should throw. This fixes the cases where the base of the put
        is a primitive.

        * dfg/DFGOperations.cpp:
        (DFG):
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.h:
        (JSC::JSValue::putByIndex):
        * runtime/JSValue.cpp:
        (JSC):
        * runtime/JSValue.h:
        (JSValue):

2012-03-05  Sam Weinig  <sam@webkit.org>

        Add support for hosting layers in the window server in WebKit2
        <rdar://problem/10400246>
        https://bugs.webkit.org/show_bug.cgi?id=80310

        Reviewed by Anders Carlsson.

        * wtf/Platform.h:
        Add HAVE_LAYER_HOSTING_IN_WINDOW_SERVER.

2012-03-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, attempted build fix for !ENABLE(JIT) after r109705.

        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter::applyMemoryUsageHeuristics):
        * bytecode/ExecutionCounter.h:

2012-03-05  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r109705.

        * bytecode/ExecutionCounter.cpp:
        * bytecode/ExecutionCounter.h:

2012-03-05  Andy Wingo  <wingo@igalia.com>

        Lexer: Specialize character predicates for LChar, UChar
        https://bugs.webkit.org/show_bug.cgi?id=79677

        Reviewed by Oliver Hunt.

        This patch specializes isIdentStart, isIdentPart, isWhiteSpace,
        and isLineTerminator to perform a more limited number of checks if
        the lexer is being instantiated to work on LChar sequences.  This
        is about a 1.5% win on the --parse-only suite, here.

        * parser/Lexer.cpp:
        (JSC::isLatin1): New static helper, specialized for LChar and
        UChar.
        (JSC::typesOfLatin1Characters): Rename from
        typesOfASCIICharacters, and expand to the range of the LChar
        type.  All uses of isASCII are changed to use isLatin1.  Generated
        using libunistring.
        (JSC::isNonLatin1IdentStart):
        (JSC::isIdentStart):
        (JSC::isNonLatin1IdentPart):
        (JSC::isIdentPart):
        (JSC::Lexer::shiftLineTerminator):
        (JSC::Lexer::parseIdentifier):
        (JSC::Lexer::parseIdentifierSlowCase):
        (JSC::Lexer::parseStringSlowCase):
        (JSC::Lexer::parseMultilineComment):
        (JSC::Lexer::lex):
        (JSC::Lexer::scanRegExp):
        (JSC::Lexer::skipRegExp): Sprinkle static_cast<T>(_) around.
        * parser/Lexer.h:
        (JSC::Lexer::isWhiteSpace):
        (JSC::Lexer::isLineTerminator):
        * KeywordLookupGenerator.py:
        (Trie.printAsC): Declare specialized isIdentPart static functions.

2012-03-05  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing header file.

2012-03-05  Andy Wingo  <wingo@igalia.com>

        WTF: Micro-optimize cleanup of empty vectors and hash tables
        https://bugs.webkit.org/show_bug.cgi?id=79903

        Reviewed by Michael Saboff and Geoffrey Garen.

        This patch speeds up cleanup of vectors and hash tables whose
        backing store was never allocated.  This is the case by default
        for most vectors / hash tables that never had any entries added.

        The result for me is that calling checkSyntax 1000 times on
        concat-jquery-mootools-prototype.js goes from 6.234s to 6.068s, a
        2.4% speedup.

        * wtf/HashTable.h:
        (WTF::HashTable::~HashTable):
        (WTF::::clear): Don't deallocate the storage or frob member
        variables if there is no backing storage.
        * wtf/Vector.h:
        (WTF::VectorBufferBase::deallocateBuffer): Likewise.

2012-03-04  Filip Pizlo  <fpizlo@apple.com>

        JIT heuristics should be hyperbolic
        https://bugs.webkit.org/show_bug.cgi?id=80055
        <rdar://problem/10922260>

        Reviewed by Oliver Hunt.
        
        Added tracking of the amount of executable memory typically used for a bytecode
        instruction. Modified the execution counter scheme to use this, and the amount
        of free memory, to determine how long to wait before invoking the JIT.
        
        The result is that even if we bomb the VM with more code than can fit in our
        executable memory pool, we still keep running and almost never run out of
        executable memory - which ensures that if we have to JIT something critical, then
        we'll likely have enough memory to do so. This also does not regress performance
        on the three main benchmarks.
        
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::predictedMachineCodeSize):
        (JSC):
        (JSC::CodeBlock::usesOpcode):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::checkIfJITThresholdReached):
        (JSC::CodeBlock::dontJITAnytimeSoon):
        (JSC::CodeBlock::jitAfterWarmUp):
        (JSC::CodeBlock::jitSoon):
        (JSC::CodeBlock::llintExecuteCounter):
        (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
        (JSC::CodeBlock::addressOfJITExecuteCounter):
        (JSC::CodeBlock::offsetOfJITExecuteCounter):
        (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
        (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
        (JSC::CodeBlock::jitExecuteCounter):
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        * bytecode/ExecutionCounter.cpp: Added.
        (JSC):
        (JSC::ExecutionCounter::ExecutionCounter):
        (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet):
        (JSC::ExecutionCounter::setNewThreshold):
        (JSC::ExecutionCounter::deferIndefinitely):
        (JSC::ExecutionCounter::applyMemoryUsageHeuristics):
        (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt):
        (JSC::ExecutionCounter::hasCrossedThreshold):
        (JSC::ExecutionCounter::setThreshold):
        (JSC::ExecutionCounter::reset):
        * bytecode/ExecutionCounter.h: Added.
        (JSC):
        (ExecutionCounter):
        (JSC::ExecutionCounter::formattedTotalCount):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocateNewSpace):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):
        * wtf/SimpleStats.h: Added.
        (WTF):
        (SimpleStats):
        (WTF::SimpleStats::SimpleStats):
        (WTF::SimpleStats::add):
        (WTF::SimpleStats::operator!):
        (WTF::SimpleStats::count):
        (WTF::SimpleStats::sum):
        (WTF::SimpleStats::sumOfSquares):
        (WTF::SimpleStats::mean):
        (WTF::SimpleStats::variance):
        (WTF::SimpleStats::standardDeviation):

2012-03-04  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Libraries are installed to /usr/lib and not /usr/lib64 on x86_64
        https://bugs.webkit.org/show_bug.cgi?id=71507

        Reviewed by Antonio Gomes.

        * CMakeLists.txt: Use ${LIB_INSTALL_DIR} instead of hardcoding "lib".

2012-03-04  David Kilzer  <ddkilzer@apple.com>

        Fix build when the classic interpreter is enabled

        Reviewed by Gavin Barraclough.

        Fixes the following build error when running the "Generate
        Derived Sources" build phase script:

            offlineasm: Parsing JavaScriptCore/llint/LowLevelInterpreter.asm and ../../JSCLLIntOffsetsExtractor and creating assembly file LLIntAssembly.h.
            ./JavaScriptCore/offlineasm/offsets.rb:145:in `offsetsAndConfigurationIndex': unhandled exception
                    from JavaScriptCore/offlineasm/asm.rb:131
            Command /bin/sh failed with exit code 1

        Gavin's fix in r109674 avoided the #error statement in
        JITStubs.h when compiling LLIntOffsetsExtractor.cpp, but it
        caused the "Generate Derived Sources" build phase script to fail
        when JavaScriptCore/offlineasm/asm.rb was run.  The solution is
        to detect when the classic interpreter is being built and simply
        exit early from asm.rb in that case.

        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy): Return NULL pointer if the
        JIT is disabled.  Note that offsets.rb doesn't care about the
        return value here, but instead it cares about finding the magic
        values in the binary.  The magic values are no longer present
        when the JIT is disabled.
        * offlineasm/asm.rb: Catch MissingMagicValuesException and exit
        early with a status message.
        * offlineasm/offsets.rb:
        (MissingMagicValuesException): Add new exception class.
        (offsetsAndConfigurationIndex): Throw
        MissingMagicValuesException when no magic values are found.

2012-03-04  Jurij Smakov  <jurij@wooyd.org>

        SPARC also needs aligned accesses.

        Rubber-stamped by Gustavo Noronha Silva.

        * wtf/Platform.h:

2012-03-04  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed build fix.

        * jit/JITStubs.h:
            - Move ENABLE(JIT) to head of file.

2012-03-03  Gavin Barraclough  <barraclough@apple.com>

        Split JSArray's [[Put]] & [[DefineOwnProperty]] traps.
        https://bugs.webkit.org/show_bug.cgi?id=80217

        Reviewed by Filip Pizlo.

        putByIndex() provides similar behavior to put(), but for indexed property names.
        Many places in ArrayPrototype call putByIndex() where they really mean to call
        [[DefineOwnProperty]]. This is only okay due to a bug – putByIndex should be
        calling numeric accessors (& respecting numeric read only properties) on the
        prototype chain, but isn't. Add a new putDirectIndex (matching JSObject's
        putDirect* methods), to correctly provide a fast [[DefineOwnProperty]] interface.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        * runtime/JSArray.cpp:
        (JSC):
        (JSC::reject):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::JSArray::defineOwnNumericProperty):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::putDirectIndexBeyondVectorLength):
        * runtime/JSArray.h:
        (SparseArrayValueMap):
        (JSArray):
        (JSC::JSArray::putDirectIndex):

2012-03-03  Benjamin Poulain  <benjamin@webkit.org>

        Implement the basis of KURLWTFURL
        https://bugs.webkit.org/show_bug.cgi?id=79600

        Reviewed by Adam Barth.

        Add an API to know if a ParsedURL is valid.

        * wtf/url/api/ParsedURL.cpp:
        (WTF::ParsedURL::ParsedURL):
        (WTF):
        (WTF::ParsedURL::isolatedCopy): This is needed by APIs moving URL objects between thread
        and by KURL's detach() on write.
        (WTF::ParsedURL::baseAsString):
        (WTF::ParsedURL::segment):
        Add a stronger constraint on accessors: the client of this API should never ask for the segments
        on an invalid URL.
        * wtf/url/api/ParsedURL.h:
        (WTF):
        (WTF::ParsedURL::ParsedURL):
        (ParsedURL):
        (WTF::ParsedURL::isValid):

2012-03-03  Hans Wennborg  <hans@chromium.org>

        Implement Speech JavaScript API
        https://bugs.webkit.org/show_bug.cgi?id=80019

        Reviewed by Adam Barth.

        Add ENABLE_SCRIPTED_SPEECH.

        * Configurations/FeatureDefines.xcconfig:

2012-03-02  Filip Pizlo  <fpizlo@apple.com>

        When getting the line number of a call into a call frame with no code block, it's
        incorrect to rely on the returnPC
        https://bugs.webkit.org/show_bug.cgi?id=80195

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):

2012-03-02  Han Hojong  <hojong.han@samsung.com>

        Expected results updated for checking type conversion
        https://bugs.webkit.org/show_bug.cgi?id=80138

        Reviewed by Gavin Barraclough.

        * tests/mozilla/ecma/TypeConversion/9.3.1-3.js:

2012-03-02  Kenichi Ishibashi  <bashi@chromium.org>

        Adding WebSocket per-frame DEFLATE extension
        https://bugs.webkit.org/show_bug.cgi?id=77522

        Added USE(ZLIB) flag.

        Reviewed by Kent Tamura.

        * wtf/Platform.h:

2012-03-02  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for platforms that have DFG_JIT disabled but PARALLEL_GC enabled.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2012-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFGCodeBlocks should not trace CodeBlocks that are also going to be traced by
        virtue of being in the transitive closure
        https://bugs.webkit.org/show_bug.cgi?id=80098
 
        Reviewed by Anders Carlsson.
        
        If DFGCodeBlocks traces a CodeBlock that might also be traced via its owner Executable,
        then you might have the visitAggregate() method called concurrently by multiple threads.
        This is benign on 64-bit -- visitAggregate() and everything it calls turns out to be
        racy and slightly imprecise but not unsound. But on 32-bit, visitAggregate() may crash
        due to word tearing in ValueProfile bucket updates inside of computeUpdatedPrediction().
        
        It would seem that the fix is just to have DFGCodeBlocks not trace CodeBlocks that are
        not jettisoned. But CodeBlocks may be jettisoned later during the GC, so it must trace
        any CodeBlock that it knows to be live by virtue of it being reachable from the stack.
        Hence the real fix is to make sure that concurrent calls into CodeBlock::visitAggregate()
        don't lead to two threads racing over each other as they clobber state. This patch
        achieves this with a simple CAS loop: whichever thread wins the CAS race (which is
        trivially linearizable) will get to trace the CodeBlock; all other threads give up and
        go home.
        
        Unfortunately there will be no new tests. It's possible to reproduce this maybe 1/10
        times by running V8-v6's raytrace repeatedly, using the V8 harness hacked to rerun it
        even when it's gotten sufficient counts. But that takes a while - sometimes up to a
        minute to get a crash. I have no other reliable repro case.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (DFGData):
        * heap/DFGCodeBlocks.cpp:
        (JSC::DFGCodeBlocks::clearMarks):

2012-03-01  Filip Pizlo  <fpizlo@apple.com>

        The JIT should not crash the entire process just because there is not enough executable
        memory, if the LLInt is enabled
        https://bugs.webkit.org/show_bug.cgi?id=79962

        Reviewed by Csaba Osztrogonác.
        
        Fix for ARM, SH4.

        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::executableCopy):

2012-03-01  Ryosuke Niwa  <rniwa@webkit.org>

        Revert my change. Broke builds.
        Source/JavaScriptCore/wtf/Atomics.h:188: error: redefinition of 'bool WTF::weakCompareAndSwap(volatile uintptr_t*, uintptr_t, uintptr_t)'
        Source/JavaScriptCore/wtf/Atomics.h:122: error: 'bool WTF::weakCompareAndSwap(volatile unsigned int*, unsigned int, unsigned i

        * wtf/Atomics.h:
        (WTF):
        (WTF::weakCompareAndSwap):

2012-03-01  Ryosuke Niwa  <rniwa@webkit.org>

        Gcc build fix.

        Rubber-stamped by Filip Pizlo.

        * wtf/Atomics.h:
        (WTF):
        (WTF::weakCompareAndSwap):

2012-03-01  Gavin Barraclough  <barraclough@apple.com>

        ES5.1-15.3.5.4. prohibits Function.caller from [[Get]]ting a strict caller
        https://bugs.webkit.org/show_bug.cgi?id=80011

        Reviewed by Oliver Hunt.

        Also, fix getting the caller from within a bound function, for within a getter,
        or setter (make our implementation match other browsers).

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
            - Allow this to get the caller of host functions.
        (JSC::Interpreter::retrieveCallerFromVMCode):
            - This should use getCallerInfo, and should skip over function bindings.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter):
            - This should never return a strict-mode function.

2012-03-01  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG local CSE for a node can be terminated earlier
        https://bugs.webkit.org/show_bug.cgi?id=80014

        Reviewed by Filip Pizlo.

        When one of the node's childredn is met in the process of back traversing
        the nodes, we don't need to traverse the remaining nodes.
        This is performance neutral on SunSpider, V8 and Kraken.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):

2012-02-29  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG BasicBlocks should not require that their nodes have continuous indices in the graph
        https://bugs.webkit.org/show_bug.cgi?id=79899

        Reviewed by Filip Pizlo.

        This will make it more convenient to insert nodes into the DFG.
        With this capability we now place the Phi nodes in the corresponding
        blocks.
        Local CSE is modified to not to rely on the assumption of continuous
        node indices in a block.
        This is performance neutral on SunSpider, V8 and Kraken.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::clobberStructures):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::forNode):
        (AbstractState):
        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        (ArithNodeFlagsInferencePhase):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::determineReachability):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        (CFAPhase):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getScopeChainLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (CSEPhase):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-02-29  Filip Pizlo  <fpizlo@apple.com>

        The JIT should not crash the entire process just because there is not
        enough executable memory, if the LLInt is enabled
        https://bugs.webkit.org/show_bug.cgi?id=79962
        <rdar://problem/10922215>

        Unreviewed, adding forgotten file.

        * jit/JITCompilationEffort.h: Added.
        (JSC):

2012-02-29  Filip Pizlo  <fpizlo@apple.com>

        The JIT should not crash the entire process just because there is not
        enough executable memory, if the LLInt is enabled
        https://bugs.webkit.org/show_bug.cgi?id=79962
        <rdar://problem/10922215>

        Reviewed by Gavin Barraclough.
        
        Added the notion of JITCompilationEffort. If we're JIT'ing as a result of
        a tier-up, then we set it to JITCompilationCanFail. Otherwise it's
        JITCompilationMustSucceed. This preserves the old behavior of LLInt is
        disabled or if we're compiling something that can't be interpreted (like
        an OSR exit stub).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        (ARMAssembler):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::~LinkBuffer):
        (LinkBuffer):
        (JSC::LinkBuffer::didFailToAllocate):
        (JSC::LinkBuffer::isValid):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::performFinalization):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * bytecode/CodeBlock.cpp:
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitCompile):
        (CodeBlock):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocateNewSpace):
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        (ExecutableAllocator):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compile):
        (JIT):
        * jit/JITCompilationEffort.h: Added.
        (JSC):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::jitCompile):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        * runtime/Executable.h:
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):

2012-02-29  No'am Rosenthal  <noam.rosenthal@nokia.com>

        [Qt][WK2] Get rid of the #ifdef mess in LayerTreeHost[Proxy]
        https://bugs.webkit.org/show_bug.cgi?id=79501

        Enable WTF_USE_UI_SIDE_COMPOSITING for Qt.

        Reviewed by Kenneth Rohde Christiansen.

        * wtf/Platform.h:

2012-02-29  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by Oliver Hunt.

        * tests/mozilla/ecma_2/RegExp/constructor-001.js:
        * tests/mozilla/ecma_2/RegExp/function-001.js:
        * tests/mozilla/ecma_2/RegExp/properties-001.js:
            - Check in new test cases results.

2012-02-29  Mark Rowe  <mrowe@apple.com>

        Stop installing JSCLLIntOffsetsExtractor.

        Replace the separate TestRegExp and TestAPI xcconfig files with a single ToolExecutable xcconfig file
        that derives the product name from the target name. We can then use that xcconfig file for JSCLLIntOffsetsExtractor.
        This has the results of setting SKIP_INSTALL = YES for JSCLLIntOffsetsExtractor.

        While I was doing this fiddling I noticed that the JSCLLIntOffsetsExtractor target had a custom value
        for USER_HEADER_SEARCH_PATHS to allow it to find LLIntDesiredOffsets.h. A better way of doing that is
        to add LLIntDesiredOffsets.h to the Xcode project so that it'll be included in the header map. That
        allows us to remove the override of USER_HEADER_SEARCH_PATHS entirely. So I did that too!

        Reviewed by Filip Pizlo.

        * Configurations/TestRegExp.xcconfig: Removed.
        * Configurations/ToolExecutable.xcconfig: Renamed from Source/JavaScriptCore/Configurations/TestAPI.xcconfig.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-02-28  Filip Pizlo  <fpizlo@apple.com>

        RefCounted::deprecatedTurnOffVerifier() should not be deprecated
        https://bugs.webkit.org/show_bug.cgi?id=79864

        Reviewed by Oliver Hunt.
        
        Removed the word "deprecated" from the name of this method, since this method
        should not be deprecated. It works just fine as it is, and there is simply no
        alternative to calling this method for many interesting JSC classes.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::SourceProvider):
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::SharedSymbolTable):
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocatorHandle::MetaAllocatorHandle):
        (WTF::MetaAllocator::allocate):
        * wtf/RefCounted.h:
        (RefCountedBase):
        (WTF::RefCountedBase::turnOffVerifier):

2012-02-29  Gavin Barraclough  <barraclough@apple.com>

        'source' property of RegExp instance cannot be ""
        https://bugs.webkit.org/show_bug.cgi?id=79938

        Reviewed by Oliver Hunt.

        15.10.6.4 specifies that RegExp.prototype.toString must return '/' + source + '/',
        and also states that the result must be a valid RegularExpressionLiteral. '//' is
        not a valid RegularExpressionLiteral (since it is a single line comment), and hence
        source cannot ever validly be "". If the source is empty, return a different Pattern
        that would match the same thing.

        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSource):
            - Do not return "" if the source is empty, this would lead to invalid behaviour in toString.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
            - No need to special case the empty string - this should be being done by 'source'.

2012-02-29  Gavin Barraclough  <barraclough@apple.com>

        Writable attribute not set correctly when redefining an accessor to a data descriptor
        https://bugs.webkit.org/show_bug.cgi?id=79931

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnProperty):
            - use attributesOverridingCurrent instead of attributesWithOverride.
        * runtime/PropertyDescriptor.cpp:
        * runtime/PropertyDescriptor.h:
            - remove attributesWithOverride - attributesOverridingCurrent does the same thing.

2012-02-29  Kevin Ollivier  <kevino@theolliviers.com>

        Add JSCore symbol exports needed by wx port
        https://bugs.webkit.org/show_bug.cgi?id=77280

        Reviewed by Hajime Morita.

        * wtf/ArrayBufferView.h:
        * wtf/ExportMacros.h:

2012-02-28  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Always build wtf as a static library.
        https://bugs.webkit.org/show_bug.cgi?id=79857

        Reviewed by Eric Seidel.

        To help the efforts in bug 75673 to move WTF out of
        JavaScriptCore, act more like the other ports and remove the
        possibility of building WTF as a shared library.

        It does not make much sense to, for example, ship WTF as a
        separate .so with webkit-efl packages, and it should be small
        enough not to cause problems during linking.

        * wtf/CMakeLists.txt:

2012-02-28  Dmitry Lomov  <dslomov@google.com>

        [JSC] Implement ArrayBuffer transfer
        https://bugs.webkit.org/show_bug.cgi?id=73493.
        Implement ArrayBuffer transfer, per Khronos spec:  http://www.khronos.org/registry/typedarray/specs/latest/#9.
        This brings parity with V8 implementation of transferable typed arrays.

        Reviewed by Oliver Hunt.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Extra export.
        * wtf/ArrayBuffer.h:
        (ArrayBuffer): Added extra export.

2012-02-28  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Build fix after recent LLInt additions.
        
        * wscript:

2012-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor SpeculativeJIT::emitAllocateJSFinalObject
        https://bugs.webkit.org/show_bug.cgi?id=79801

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicJSObject): Split emitAllocateJSFinalObject out to form this
        function, which is more generic in that it can allocate a variety of classes.
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject): Changed to use the new helper function.

2012-02-28  Gavin Barraclough  <barraclough@apple.com>

        [[Get]]/[[Put]] for primitives should not wrap on strict accessor call
        https://bugs.webkit.org/show_bug.cgi?id=79588

        Reviewed by Oliver Hunt.

        In the case of [[Get]], this is a pretty trivial bug - just don't wrap
        primitives at the point you call a getter.

        For setters, this is a little more involved, since we have already wrapped
        the value up in a synthesized object. Stop doing so. There is also a further
        subtely, that in strict mode all attempts to create a new data property on
        the object should throw.

        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
            - [[Put]] to a string primitive should use JSValue::putToPrimitive.
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
            - Remove static function called in one place.
        * runtime/JSObject.h:
        (JSC::JSValue::put):
            - [[Put]] to a non-cell JSValue should use JSValue::putToPrimitive.
        * runtime/JSValue.cpp:
        (JSC::JSValue::synthesizePrototype):
            - Add support for synthesizing the prototype of strings.
        (JSC::JSValue::putToPrimitive):
            - Added, implements [[Put]] for primitive bases, per 8.7.2.
        * runtime/JSValue.h:
        (JSValue):
            - Add declaration for JSValue::putToPrimitive.
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
            - Don't call ToObject on primitive this values.

2012-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Re-enable parallel GC on Mac
        https://bugs.webkit.org/show_bug.cgi?id=79837

        Rubber stamped by Filip Pizlo.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions): We accidentally disabled parallel GC with this line,
        so we removed it and things should go back to normal.

2012-02-28  Filip Pizlo  <fpizlo@apple.com>

        Some run-javascriptcore-tests broken for 32-bit debug
        https://bugs.webkit.org/show_bug.cgi?id=79844

        Rubber stamped by Oliver Hunt.
        
        These assertions are just plain wrong for 32-bit. We could either have a massive
        assertion that depends on value representation, that has to be changed every
        time we change the JITs, resulting in a bug tail of debug-mode crashes, or we
        could get rid of the assertions. I pick the latter.

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2012-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Get rid of padding cruft in CopiedBlock
        https://bugs.webkit.org/show_bug.cgi?id=79686

        Reviewed by Filip Pizlo.

        * heap/CopiedBlock.h:
        (CopiedBlock): Removed the extra padding that was used for alignment purposes until 
        the calculation of the payload offset into CopiedBlocks was redone recently.

2012-02-28  Anders Carlsson  <andersca@apple.com>

        Fix build with newer versions of clang.

        Clang now warns since we're not passing a CFString literal to CFStringCreateWithFormatAndArguments,
        but it's OK to ignore this warning since clang is also checking that the caller (vprintf_stderr_common)
        takes a string literal.

        * wtf/Assertions.cpp:

2012-02-28  Mario Sanchez Prada  <msanchez@igalia.com>

        [GTK] Add GMainLoop and GMainContext to be handled by GRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=79496

        Reviewed by Martin Robinson.

        Handle GMainLoop and GMainContext in GRefPtr, by calling
        g_main_loop_(un)ref and g_main_context_(un)ref in the
        implementation of the refGPtr and derefGPtr template functions.

        * wtf/gobject/GRefPtr.cpp:
        (WTF::refGPtr):
        (WTF):
        (WTF::derefGPtr):
        * wtf/gobject/GRefPtr.h:
        (WTF):
        * wtf/gobject/GTypedefs.h:

2012-02-28  Yong Li  <yoli@rim.com>

        JSString::resolveRope() should report extra memory cost to the heap.
        https://bugs.webkit.org/show_bug.cgi?id=79555

        Reviewed by Michael Saboff.

        At the time a JSString is constructed with fibers, it doesn't report
        extra memory cost, which is reasonable because it hasn't allocate
        new memory. However when the rope is resolved, it should report meory
        cost for the new buffer.

        * runtime/JSString.cpp:
        (JSC::JSString::resolveRope):

2012-02-27  Oliver Hunt  <oliver@apple.com>

        sputnik/Unicode/Unicode_500/S7.2_A1.6_T1.html crashes in the interpreter
        https://bugs.webkit.org/show_bug.cgi?id=79728

        Reviewed by Gavin Barraclough.

        When initialising a chained get instruction we may end up in a state where
        the instruction stream says we have a scopechain, but it has not yet been set
        (eg. if allocating the StructureChain itself is what leads to the GC).  We could
        re-order the allocation, but it occurs in a couple of places, so it seems less
        fragile simply to null check the scopechain slot before we actually visit the slot.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitStructures):

2012-02-27  Filip Pizlo  <fpizlo@apple.com>

        Old JIT's style of JSVALUE64 strict equality is subtly wrong
        https://bugs.webkit.org/show_bug.cgi?id=79700

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::comparePtr):
        (MacroAssemblerX86_64):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2012-02-27  Gavin Barraclough  <barraclough@apple.com>

        Implement support for op_negate and op_bitnot in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=79617

        Reviewed by Filip Pizlo.

        Add an ArithNegate op to the DFG JIT, to implement op_negate.

        This patch also adds support for op_negate to the JSVALUE64 baseline JIT
        (JSVALUE32_64 already had this), so that we can profile the slowpath usage.

        This is a 2.5%-3% Sunspider progression and a 1% win on Kraken.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sub_S):
            - Added sub_S from immediate.
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::vneg):
            - Added double negate.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::negateDouble):
            - Added double negate.
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::branchNeg32):
            - Added.
        * assembler/MacroAssemblerX86.h:
        (MacroAssemblerX86):
            - moved loadDouble, absDouble to common.
        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::absDouble):
            - implementation can be shared.
        (JSC::MacroAssemblerX86Common::negateDouble):
            - Added.
        (JSC::MacroAssemblerX86Common::loadDouble):
            - allow absDouble to have a common implementation.
        * assembler/MacroAssemblerX86_64.h:
        (MacroAssemblerX86_64):
            - moved loadDouble, absDouble to common.
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
            - support ArithNegate.
        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        (JSC::DFG::ArithNodeFlagsInferencePhase::propagate):
            - support ArithNegate.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
            - support ArithNegate.
        (JSC::DFG::ByteCodeParser::parseBlock):
            - support op_negate.
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
            - support ArithNegate.
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
            - support op_negate.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
            - support ArithNegate.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags):
            - support ArithNegate.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
            - support ArithNegate.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
            - support ArithNegate.
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
            - support ArithNegate.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - support ArithNegate.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - support ArithNegate.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
            - Add support for op_negate in JSVALUE64.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emitSlow_op_negate):
            - Add support for op_negate in JSVALUE64.

2012-02-27  Mahesh Kulkarni  <mahesh.kulkarni@nokia.com>

        Unreviewed. Build fix for linux-bot (qt) after r109021.

        * runtime/Error.cpp:

2012-02-27  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r108112): AWS Management Console at amazon.com fails to initialize
        https://bugs.webkit.org/show_bug.cgi?id=79693

        Reviewed by Filip Pizlo.

        Alas we can't provide the stack trace as an array, as despite everyone wanting
        an array, everyone arbitrarily creates the array by calling split on the stack
        trace.  To create the array we would have provided them in the first place.

        This changes the exception's stack property to a \n separated string.  To get the
        old array just do <exception>.stack.split("\n").

        * runtime/Error.cpp:
        (JSC::addErrorInfo):

2012-02-27  Gavin Barraclough  <barraclough@apple.com>

        RegExp lastIndex should behave as a regular property
        https://bugs.webkit.org/show_bug.cgi?id=79446

        Reviewed by Sam Weinig.

        lastIndex should be a regular data descriptor, with the attributes configurable:false,
        enumerable:false, writable:true. As such, it should be possible to reconfigure writable
        as false. If the lastIndex property is reconfigured to be read-only, we should respect
        this correctly.

        * runtime/CommonIdentifiers.h:
            - Removed some unused identifiers, added lastIndex.
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::getOwnPropertyDescriptor):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::deleteProperty):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::getOwnPropertyNames):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::getPropertyNames):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::reject):
            - helper function for defineOwnProperty.
        (JSC::RegExpObject::defineOwnProperty):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::put):
            - lastIndex is no longer a static value, provided specific handling.
        (JSC::RegExpObject::match):
            - Pass setLastIndex an ExecState, so it can throw if read-only.
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setLastIndex):
            - Pass setLastIndex an ExecState, so it can throw if read-only.
        (RegExpObjectData):
            - Added lastIndexIsWritable.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
            - Pass setLastIndex an ExecState, so it can throw if read-only.

2012-02-27  Gavin Barraclough  <barraclough@apple.com>

        Implement support for op_negate and op_bitnot in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=79617

        Reviewed by Sam Weinig.

        Remove op_bitnop - this is redundant, ~x === x^-1.
        This is a fractional (<1%) progression.

        Remove not32(X) from the MacroAssemblers - make this an optimization to add32(-1, X).
        Remove CanReuse from the result type - this was unused.
        Remove op_bitnot.

        * assembler/MacroAssemblerARM.h:
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::xor32):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (JSC::MacroAssemblerARMv7::xor32):
        * assembler/MacroAssemblerMIPS.h:
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::xor32):
        * assembler/MacroAssemblerSH4.h:
        (MacroAssemblerSH4):
        (JSC::MacroAssemblerSH4::xor32):
        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::xor32):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/NodesCodegen.cpp:
        (JSC):
        (JSC::BitwiseNotNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic32_64.cpp:
        (JSC):
        * jit/JITOpcodes.cpp:
        (JSC):
        * jit/JITStubs.cpp:
        (JSC):
        * jit/JITStubs.h:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter32_64.asm:
        * parser/NodeConstructors.h:
        (JSC::NegateNode::NegateNode):
        (JSC::BitwiseNotNode::BitwiseNotNode):
        (JSC::MultNode::MultNode):
        (JSC::DivNode::DivNode):
        (JSC::ModNode::ModNode):
        (JSC::SubNode::SubNode):
        (JSC::UnsignedRightShiftNode::UnsignedRightShiftNode):
        * parser/Nodes.h:
        (BitwiseNotNode):
        (JSC::BitwiseNotNode::expr):
        (JSC):
        * parser/ResultType.h:
        (ResultType):
        (JSC::ResultType::numberTypeIsInt32):
        (JSC::ResultType::stringOrNumberType):
        (JSC::ResultType::forAdd):
        (JSC::ResultType::forBitOp):

2012-02-27  Michael Saboff  <msaboff@apple.com>

        Error check regexp min quantifier
        https://bugs.webkit.org/show_bug.cgi?id=70648

        Reviewed by Gavin Barraclough.

        Added checking for min or only quantifier being UINT_MAX.
        When encountered this becomes a SyntaxError during parsing.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::parseQuantifier):
        (JSC::Yarr::Parser::parse):
        (Parser):

2012-02-27  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files.

2012-02-26  Hajime Morrita  <morrita@chromium.org>

        Move ChromeClient::showContextMenu() to ContextMenuClient
        https://bugs.webkit.org/show_bug.cgi?id=79427

        Reviewed by Adam Barth.

        Added ACCESSIBILITY_CONTEXT_MENUS.

        * wtf/Platform.h:

2012-02-26  Filip Pizlo  <fpizlo@apple.com>

        LayoutTests/fast/xpath/xpath-functional-test.html is crashing in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=79616

        Reviewed by Oliver Hunt.
        
        Guard against the fact that in JSVALUE64, JSValue().isCell() == true.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validate):

2012-02-26  Filip Pizlo  <fpizlo@apple.com>

        DFG should support activations and nested functions
        https://bugs.webkit.org/show_bug.cgi?id=79554

        Reviewed by Sam Weinig.
        
        Fix 32-bit. The 32-bit function+activation code had some really weird
        register reuse bugs.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-26  Filip Pizlo  <fpizlo@apple.com>

        Getting the instruction stream for a code block should not require two loads
        https://bugs.webkit.org/show_bug.cgi?id=79608

        Reviewed by Sam Weinig.
        
        Introduced the RefCountedArray class, which contains a single inline pointer
        to a ref-counted non-resizeable vector backing store. This satisfies the
        requirements of CodeBlock, which desires the ability to share instruction
        streams with other CodeBlocks. It also reduces the number of loads required
        for getting the instruction stream by one.
        
        This patch also gets rid of the bytecode discarding logic, since we don't
        use it anymore and it's unlikely to ever work right with DFG or LLInt. And
        I didn't feel like porting dead code to use RefCountedArray.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::instructionOffsetForNth):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::handlerForBytecodeOffset):
        (JSC::CodeBlock::lineNumberForBytecodeOffset):
        (JSC::CodeBlock::expressionRangeForBytecodeOffset):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::numberOfInstructions):
        (JSC::CodeBlock::instructions):
        (JSC::CodeBlock::instructionCount):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC):
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::newLabel):
        * bytecompiler/BytecodeGenerator.h:
        (JSC):
        (BytecodeGenerator):
        (JSC::BytecodeGenerator::instructions):
        * bytecompiler/Label.h:
        (JSC::Label::Label):
        (Label):
        * dfg/DFGByteCodeCache.h:
        (JSC::DFG::ByteCodeCache::~ByteCodeCache):
        (JSC::DFG::ByteCodeCache::get):
        * jit/JITExceptions.cpp:
        (JSC::genericThrow):
        * llint/LowLevelInterpreter32_64.asm:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::codeBlockWithBytecodeFor):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * wtf/RefCountedArray.h: Added.
        (WTF):
        (RefCountedArray):
        (WTF::RefCountedArray::RefCountedArray):
        (WTF::RefCountedArray::operator=):
        (WTF::RefCountedArray::~RefCountedArray):
        (WTF::RefCountedArray::size):
        (WTF::RefCountedArray::data):
        (WTF::RefCountedArray::begin):
        (WTF::RefCountedArray::end):
        (WTF::RefCountedArray::at):
        (WTF::RefCountedArray::operator[]):
        (Header):
        (WTF::RefCountedArray::Header::size):
        (WTF::RefCountedArray::Header::payload):
        (WTF::RefCountedArray::Header::fromPayload):
        * wtf/Platform.h:

2012-02-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        StringLiteral and NumericLiteral are allowed as ObjectLiteral getter / setter name
        https://bugs.webkit.org/show_bug.cgi?id=79571

        Reviewed by Gavin Barraclough.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        * parser/Parser.cpp:
        (JSC::::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createGetterOrSetterProperty):

2012-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Implement fast path for op_new_array in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=78612

        Reviewed by Filip Pizlo.

        heap/CopiedAllocator.h:
        (CopiedAllocator): Friended the JIT to allow access to m_currentOffset.
        * heap/CopiedSpace.h:
        (CopiedSpace): Friended the JIT to allow access to isOversize.
        (JSC::CopiedSpace::allocator):
        * heap/Heap.h:
        (JSC::Heap::storageAllocator): Added a getter for the CopiedAllocator class so the JIT
        can use it for simple allocation i.e. when we can just bump the offset without having to 
        do anything else.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases): Added new slow case for op_new_array for when
        we have to bail out because the fast allocation path fails for whatever reason.
        * jit/JIT.h:
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicStorage): Added utility function that allows objects to 
        allocate generic backing stores. This function is used by emitAllocateJSArray.
        (JSC):
        (JSC::JIT::emitAllocateJSArray): Added utility function that allows the client to 
        more easily allocate JSArrays. This function is used by emit_op_new_array and I expect 
        it will also be used for emit_op_new_array_buffer.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array): Changed to do inline allocation of JSArrays. Still does 
        a stub call for oversize arrays.
        (JSC):
        (JSC::JIT::emitSlow_op_new_array): New slow path that just bails out to a stub call if we 
        fail in any way on the fast path.
        * runtime/JSArray.cpp:
        (JSC):
        * runtime/JSArray.h: Added lots of offset functions for all the fields that we need to 
        initialize in the JIT.
        (ArrayStorage):
        (JSC::ArrayStorage::lengthOffset):
        (JSC::ArrayStorage::numValuesInVectorOffset):
        (JSC::ArrayStorage::allocBaseOffset):
        (JSC::ArrayStorage::vectorOffset):
        (JSArray):
        (JSC::JSArray::sparseValueMapOffset):
        (JSC::JSArray::subclassDataOffset):
        (JSC::JSArray::indexBiasOffset):
        (JSC):
        (JSC::JSArray::storageSize): Moved this function from being a static function in the cpp file
        to being a static function in the JSArray class. This move allows the JIT to call it to 
        see what size it should allocate.

2012-02-26  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for ENABLE(CLASSIC_INTERPRETER) after r108681.

        * interpreter/Interpreter.cpp:
        (JSC::getLineNumberForCallFrame):
        (JSC::Interpreter::getStackTrace):

2012-02-26  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r108681.

        * interpreter/Interpreter.cpp:
        (JSC::getLineNumberForCallFrame):

2012-02-25  Filip Pizlo  <fpizlo@apple.com>

        LLInt assembly file should be split into 32-bit and 64-bit parts
        https://bugs.webkit.org/show_bug.cgi?id=79584

        Reviewed by Sam Weinig.
        
        Moved LowLevelInterpreter.asm to LowLevelInterpreter32_64.asm. Gave offlineasm
        the ability to include files, and correctly track dependencies: it restricts
        the include mechanism to using the same directory as the source file, and uses
        the SHA1 hash of all .asm files in that directory as an input hash.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm: Added.
            - This is just the entire contents of what was previously LowLevelInterpreter.asm
        * llint/LowLevelInterpreter64.asm: Added.
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/parser.rb:
        * offlineasm/self_hash.rb:

2012-02-25  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm should support X86_64
        https://bugs.webkit.org/show_bug.cgi?id=79581

        Reviewed by Oliver Hunt.

        * llint/LLIntOfflineAsmConfig.h:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/settings.rb:
        * offlineasm/x86.rb:

2012-02-25  Filip Pizlo  <fpizlo@apple.com>

        DFG should support activations and nested functions
        https://bugs.webkit.org/show_bug.cgi?id=79554

        Reviewed by Oliver Hunt.
        
        Wrote the simplest possible implementation of activations. Big speed-up on
        code that uses activations, no speed-up on major benchmarks (SunSpider, V8,
        Kraken) because they do not appear to have sufficient coverage over code
        that uses activations.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromValue):
        * bytecode/PredictedType.h:
        (JSC):
        (JSC::isEmptyPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::needsActivation):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::Node::storageAccessDataIndex):
        (Node):
        (JSC::DFG::Node::hasFunctionDeclIndex):
        (JSC::DFG::Node::functionDeclIndex):
        (JSC::DFG::Node::hasFunctionExprIndex):
        (JSC::DFG::Node::functionExprIndex):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-25  Benjamin Poulain  <benjamin@webkit.org>

        Add an empty skeleton of KURL for WTFURL
        https://bugs.webkit.org/show_bug.cgi?id=78990

        Reviewed by Adam Barth.

        * JavaScriptCore.xcodeproj/project.pbxproj: Export the relevant classes from WTFURL
        so that can use them in WebCore.

2012-02-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build for DFG disabled and LLInt enabled.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2012-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix the CopiedBlock offset alignment in a cross platform fashion
        https://bugs.webkit.org/show_bug.cgi?id=79556

        Reviewed by Filip Pizlo.

        Replaced m_payload with a payload() method that calculates the offset
        of the payload with the proper alignment. This change allows us to 
        avoid alignment-related issues in a cross-platform manner.

        * heap/CopiedAllocator.h:
        (JSC::CopiedAllocator::currentUtilization):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::payload):
        (CopiedBlock):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneFillingBlock):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::borrowBlock):
        (JSC::CopiedSpace::allocateFromBlock):

2012-02-24  Michael Saboff  <msaboff@apple.com>

        Unreviewed, Windows build fix.  Changed signature in export to match
        change made in r108858.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-24  Filip Pizlo  <fpizlo@apple.com>

        DFG support for op_new_regexp should be enabled
        https://bugs.webkit.org/show_bug.cgi?id=79538

        Reviewed by Oliver Hunt.
        
        No performance change.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGCommon.h:

2012-02-24  Michael Saboff  <msaboff@apple.com>

        ASSERT(position < 0) in JSC::Yarr::Interpreter::InputStream::readChecked
        https://bugs.webkit.org/show_bug.cgi?id=73728

        Reviewed by Gavin Barraclough.

        Fixed the mixing of signed and unsigned character indeces in YARR
        interpreter.

        * runtime/RegExp.cpp:
        (JSC::RegExp::match): Added code to check for match longer than 2^31 and
        return no match after resetting the offsets.
        * yarr/YarrInterpreter.cpp: Changed to use unsigned for all character index
        handling except when matching back references.
        (JSC::Yarr::Interpreter::InputStream::readChecked):
        (JSC::Yarr::Interpreter::InputStream::checkInput):
        (JSC::Yarr::Interpreter::InputStream::uncheckInput):
        (JSC::Yarr::Interpreter::InputStream::atStart):
        (JSC::Yarr::Interpreter::InputStream::atEnd):
        (JSC::Yarr::Interpreter::InputStream::isAvailableInput):
        (JSC::Yarr::Interpreter::checkCharacter):
        (JSC::Yarr::Interpreter::checkCasedCharacter):
        (JSC::Yarr::Interpreter::checkCharacterClass):
        (JSC::Yarr::Interpreter::tryConsumeBackReference):
        (JSC::Yarr::Interpreter::matchAssertionBOL):
        (JSC::Yarr::Interpreter::matchAssertionWordBoundary):
        (JSC::Yarr::Interpreter::backtrackPatternCharacter):
        (JSC::Yarr::Interpreter::backtrackPatternCasedCharacter):
        (JSC::Yarr::Interpreter::matchCharacterClass):
        (JSC::Yarr::Interpreter::backtrackCharacterClass):
        (JSC::Yarr::Interpreter::matchParenthesesOnceBegin):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::Interpreter::interpret):
        (JSC::Yarr::ByteCompiler::assertionBOL):
        (JSC::Yarr::ByteCompiler::assertionEOL):
        (JSC::Yarr::ByteCompiler::assertionWordBoundary):
        (JSC::Yarr::ByteCompiler::atomPatternCharacter):
        (JSC::Yarr::ByteCompiler::atomCharacterClass):
        (JSC::Yarr::ByteCompiler::atomBackReference):
        (JSC::Yarr::ByteCompiler::atomParenthesesOnceBegin):
        (JSC::Yarr::ByteCompiler::atomParenthesesTerminalBegin):
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternBegin):
        (JSC::Yarr::ByteCompiler::atomParentheticalAssertionEnd):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        * yarr/YarrInterpreter.h:

2012-02-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix for builds where the DFG is disabled but the LLInt is
        enabled.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:

2012-02-24  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to handle variables getting captured
        https://bugs.webkit.org/show_bug.cgi?id=79469

        Reviewed by Oliver Hunt.
        
        Made captured variables work by placing a Flush on the SetLocal and
        forcing the emission of the GetLocal even if copy propagation tells us
        who has the value.
        
        Changed the CFA and various prediction codes to understand that we can't
        really prove anything about captured variables. Well, we could in the
        future by just looking at what side effects are happening, but in this
        first cut we just assume that we can't reason about captured variables.
        
        Also added a mode where the DFG pretends that all variables and arguments
        got captured. Used this mode to harden the code.
        
        This is performance neutral. Capturing all variables is a slow down, but
        not too big of one. This seems to predict that when we add activation
        support, the amount of speed benefit we'll get from increased coverage
        will far outweigh the pessimism that we'll have to endure for captured
        variables.

        * bytecode/CodeType.h:
        (JSC::codeTypeToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::merge):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flushArgument):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCommon.h:
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::needsActivation):
        (Graph):
        (JSC::DFG::Graph::argumentIsCaptured):
        (JSC::DFG::Graph::localIsCaptured):
        (JSC::DFG::Graph::isCaptured):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldGenerate):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (ValueSource):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-02-24  Gavin Barraclough  <barraclough@apple.com>

        Should not allow malformed \x escapes
        https://bugs.webkit.org/show_bug.cgi?id=79462

        Reviewed by Oliver Hunt.

        * parser/Lexer.cpp:
        (JSC::::parseString):
        (JSC::::parseStringSlowCase):
            - Prohibit malformed '\x' escapes
        * tests/mozilla/ecma/Array/15.4.5.1-1.js:
        * tests/mozilla/ecma/LexicalConventions/7.7.4.js:
        * tests/mozilla/ecma_2/RegExp/hex-001.js:
        * tests/mozilla/js1_2/regexp/hexadecimal.js:
            - Remove erroneous test cases (correct behaviour is tested by LayoutTests/sputnik).

2012-02-24  Daniel Bates  <dbates@webkit.org>

        Fix change log entry for changeset r108819; add bug URL
        https://bugs.webkit.org/show_bug.cgi?id=79504

        Changeset r108819 is associated with bug #79504.

        * ChangeLog

2012-02-24  Daniel Bates  <dbates@webkit.org>

        Substitute ENABLE(CLASSIC_INTERPRETER) for ENABLE(INTERPRETER) in Interpreter.cpp
        https://bugs.webkit.org/show_bug.cgi?id=79504

        Reviewed by Oliver Hunt.

        There are a few places in Interpreter.cpp that need to be updated to use
        ENABLE(CLASSIC_INTERPRETER) following the renaming of ENABLE_INTERPRETER to
        ENABLE_CLASSIC_INTERPRETER in changeset <http://trac.webkit.org/changeset/108020>
        (https://bugs.webkit.org/show_bug.cgi?id=78791).

        * interpreter/Interpreter.cpp:
        (JSC::getLineNumberForCallFrame):
        (JSC::getCallerInfo):
        (JSC::getSourceURLFromCallFrame):

2012-02-24  Adam Roben  <aroben@apple.com>

        Undo the BUILDING_WTF part of r108808

        This broke the build, which is obviously worse than the linker warning it was trying to
        solve.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:

2012-02-24  Adam Roben  <aroben@apple.com>

        Fix linker warnings on Windows

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed symbols that are already
        exported via JS_EXPORTDATA.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: Define BUILDING_WTF. We
        aren't actually building WTF, but we are statically linking it, so we need to define this
        symbol so that we export WTF's exports.

2012-02-24  Philippe Normand  <pnormand@igalia.com>

        Fix GTK WebAudio build for WebKitGTK 1.7.90.

        Patch by Priit Laes <plaes@plaes.org> on 2012-02-24
        Rubber-stamped by Philippe Normand.

        * GNUmakefile.list.am: Add Complex.h to the list of files so it
        gets disted in the tarballs.

2012-02-24  Zoltan Herczeg  <zherczeg@webkit.org>

        [Qt] Buildfix for "Zero out CopiedBlocks on initialization".
        https://bugs.webkit.org/show_bug.cgi?id=79199

        Ruber stamped by Csaba Osztrogonác.

        Temporary fix since the new member wastes a little space on
        64 bit systems. Although it is harmless, it is only needed
        for 32 bit systems.

        * heap/CopiedBlock.h:
        (CopiedBlock):

2012-02-24  Han Hojong  <hojong.han@samsung.com>

        Remove useless jump instructions for short circuit
        https://bugs.webkit.org/show_bug.cgi?id=75602

        Reviewed by Michael Saboff.

        Jump instruction is inserted to make short circuit, 
        however it does nothing but moving to the next instruction.
        Therefore useless jump instructions are removed, 
        and jump list is moved into the case not for a short circuit,
        so that only necessary instructions are added to JIT code
        unless it has a 16 bit pattern character and an 8 bit string.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):

2012-02-24  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r108731.
        http://trac.webkit.org/changeset/108731
        https://bugs.webkit.org/show_bug.cgi?id=79464

        Broke Chromium Win tests (Requested by bashi on #webkit).

        * wtf/Platform.h:

2012-02-24  Andrew Lo  <anlo@rim.com>

        [BlackBerry] Enable requestAnimationFrame
        https://bugs.webkit.org/show_bug.cgi?id=79408

        Use timer implementation of requestAnimationFrame on BlackBerry.

        Reviewed by Rob Buis.

        * wtf/Platform.h:

2012-02-24  Mathias Bynens  <mathias@qiwi.be>

        `\u200c` and `\u200d` should be allowed in IdentifierPart, as per ES5
        https://bugs.webkit.org/show_bug.cgi?id=78908

        Add additional checks for zero-width non-joiner (0x200C) and
        zero-width joiner (0x200D) characters.

        Reviewed by Michael Saboff.

        * parser/Lexer.cpp:
        (JSC::isNonASCIIIdentPart)
        * runtime/LiteralParser.cpp:
        (JSC::::Lexer::lexIdentifier)

2012-02-23  Kenichi Ishibashi  <bashi@chromium.org>

        Adding WebSocket per-frame DEFLATE extension
        https://bugs.webkit.org/show_bug.cgi?id=77522

        Added USE(ZLIB) flag.

        Reviewed by Kent Tamura.

        * wtf/Platform.h:

2012-02-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Zero out CopiedBlocks on initialization
        https://bugs.webkit.org/show_bug.cgi?id=79199

        Reviewed by Filip Pizlo.

        Made CopyBlocks zero their payloads during construction. This allows 
        JSArray to avoid having to manually clear its backing store upon allocation
        and also alleviates any future pain with regard to the garbage collector trying 
        to mark what it thinks are values in what is actually uninitialized memory.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::CopiedBlock):
        * runtime/JSArray.cpp:
        (JSC::JSArray::finishCreation):
        (JSC::JSArray::tryFinishCreationUninitialized):
        (JSC::JSArray::increaseVectorLength):
        (JSC::JSArray::unshiftCountSlowCase):

2012-02-23  Oliver Hunt  <oliver@apple.com>

        Make Interpreter::getStackTrace be able to generate the line number for the top callframe if none is provided
        https://bugs.webkit.org/show_bug.cgi?id=79407

        Reviewed by Gavin Barraclough.

        Outside of exception handling, we don't know what our source line number is.  This
        change allows us to pass -1 is as the initial line number, and get the correct line
        number in the resultant stack trace.  We can't completely elide the initial line
        number (yet) due to some idiosyncrasies of the exception handling machinery.

        * interpreter/Interpreter.cpp:
        (JSC::getLineNumberForCallFrame):
        (JSC):
        (JSC::Interpreter::getStackTrace):

2012-02-22  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit value profiling should have graceful handling of local variables and arguments
        https://bugs.webkit.org/show_bug.cgi?id=79310

        Reviewed by Gavin Barraclough.
        
        Previously, if we OSR exited because a prediction in a local was wrong, we'd
        only realize what the true type of the local was if the regular value profiling
        kicked in and told us. Unless the local was block-locally copy propagated, in
        which case we'd know from an OSR exit profile.
        
        This patch adds OSR exit profiling to all locals and arguments. Now, if we OSR
        exit because of a mispredicted local or argument type, we'll know what the type of
        the local or argument should be immediately upon exiting.
        
        The way that local variable OSR exit profiling works is that we now have a lazily
        added set of OSR-exit-only value profiles for exit sites that are BadType and that
        cited a GetLocal as their value source. The value profiles are only added if the
        OSR exit is taken, and are keyed by CodeBlock, bytecode index of the GetLocal, and
        operand. The look-up is performed by querying the
        CompressedLazyOperandValueProfileHolder in the CodeBlock, using a key that contains
        the bytecode index and the operand. Because the value profiles are added at random
        times, they are not sorted; instead they are just stored in an arbitrarily-ordered
        SegmentedVector. Look-ups are made fast by "decompressing": the DFG::ByteCodeParser
        creates a LazyOperandValueProfileParser, which turns the
        CompressedLazyOperandValueProfileHolder's contents into a HashMap for the duration
        of DFG parsing.
        
        Previously, OSR exits had a pointer to the ValueProfile that had the specFailBucket
        into which values observed during OSR exit would be placed. Now it uses a lazy
        thunk for a ValueProfile. I call this the MethodOfGettingAValueProfile. It may
        either contain a ValueProfile inside it (which works for previous uses of OSR exit
        profiling) or it may just have knowledge of how to go about creating the
        LazyOperandValueProfile in the case that the OSR exit is actually taken. This
        ensures that we never have to create NumOperands*NumBytecodeIndices*NumCodeBlocks
        value profiling buckets unless we actually did OSR exit on every single operand,
        in every single instruction, in each code block (that's probably unlikely).
        
        This appears to be neutral on the major benchmarks, but is a double-digit speed-up
        on code deliberately written to have data flow that spans basic blocks and where
        the code exhibits post-optimization polymorphism in a local variable.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::lazyOperandValueProfiles):
        * bytecode/LazyOperandValueProfile.cpp: Added.
        (JSC):
        (JSC::CompressedLazyOperandValueProfileHolder::CompressedLazyOperandValueProfileHolder):
        (JSC::CompressedLazyOperandValueProfileHolder::~CompressedLazyOperandValueProfileHolder):
        (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
        (JSC::CompressedLazyOperandValueProfileHolder::add):
        (JSC::LazyOperandValueProfileParser::LazyOperandValueProfileParser):
        (JSC::LazyOperandValueProfileParser::~LazyOperandValueProfileParser):
        (JSC::LazyOperandValueProfileParser::getIfPresent):
        (JSC::LazyOperandValueProfileParser::prediction):
        * bytecode/LazyOperandValueProfile.h: Added.
        (JSC):
        (LazyOperandValueProfileKey):
        (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
        (JSC::LazyOperandValueProfileKey::operator!):
        (JSC::LazyOperandValueProfileKey::operator==):
        (JSC::LazyOperandValueProfileKey::hash):
        (JSC::LazyOperandValueProfileKey::bytecodeOffset):
        (JSC::LazyOperandValueProfileKey::operand):
        (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
        (JSC::LazyOperandValueProfileKeyHash::hash):
        (JSC::LazyOperandValueProfileKeyHash::equal):
        (LazyOperandValueProfileKeyHash):
        (WTF):
        (JSC::LazyOperandValueProfile::LazyOperandValueProfile):
        (LazyOperandValueProfile):
        (JSC::LazyOperandValueProfile::key):
        (CompressedLazyOperandValueProfileHolder):
        (LazyOperandValueProfileParser):
        * bytecode/MethodOfGettingAValueProfile.cpp: Added.
        (JSC):
        (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
        (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
        * bytecode/MethodOfGettingAValueProfile.h: Added.
        (JSC):
        (MethodOfGettingAValueProfile):
        (JSC::MethodOfGettingAValueProfile::MethodOfGettingAValueProfile):
        (JSC::MethodOfGettingAValueProfile::operator!):
        * bytecode/ValueProfile.cpp: Removed.
        * bytecode/ValueProfile.h:
        (JSC):
        (ValueProfileBase):
        (JSC::ValueProfileBase::ValueProfileBase):
        (JSC::ValueProfileBase::dump):
        (JSC::ValueProfileBase::computeUpdatedPrediction):
        (JSC::MinimalValueProfile::MinimalValueProfile):
        (ValueProfileWithLogNumberOfBuckets):
        (JSC::ValueProfileWithLogNumberOfBuckets::ValueProfileWithLogNumberOfBuckets):
        (JSC::ValueProfile::ValueProfile):
        (JSC::getValueProfileBytecodeOffset):
        (JSC::getRareCaseProfileBytecodeOffset):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::injectLazyOperandPrediction):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::fixVariableAccessPredictions):
        (DFG):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        (Graph):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::nonUnifiedPrediction):
        (VariableAccessData):

2012-02-23  Filip Pizlo  <fpizlo@apple.com>

        Build fix.

        * llint/LLIntOffsetsExtractor.cpp:

2012-02-23  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Build fix, disable LLINT for now and fix ENABLE defines for it.

        * llint/LLIntOffsetsExtractor.cpp:
        * wtf/Platform.h:

2012-02-23  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Build fix for non-Mac wx builds.

        * runtime/DatePrototype.cpp:

2012-02-22  Filip Pizlo  <fpizlo@apple.com>

        DFG's logic for emitting a Flush is too convoluted and contains an inaccurate comment
        https://bugs.webkit.org/show_bug.cgi?id=79334

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::flush):

2012-02-23  Gavin Barraclough  <barraclough@apple.com>

        Object.isSealed / Object.isFrozen don't work for native objects
        https://bugs.webkit.org/show_bug.cgi?id=79331

        Reviewed by Sam Weinig.

        Need to inspect all properties, including static ones.
        This exposes a couple of bugs in Array & Arguments:
            - getOwnPropertyDescriptor doesn't correctly report the writable attribute of array length.
            - Arguments object's defineOwnProperty does not handle callee/caller/length correctly.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
            - Add handling for callee/caller/length.
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertyDescriptor):
            - report length's writability correctly.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
            - Add spec-based implementation for non-final objects.

2012-02-23  Gavin Barraclough  <barraclough@apple.com>

        pop of array hole should get from the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=79338

        Reviewed by Sam Weinig.

        * runtime/JSArray.cpp:
        (JSC::JSArray::pop):
            - If the fast fast vector case fails, more closely follow the spec.

2012-02-23  Yong Li  <yoli@rim.com>

        JSString::outOfMemory() should ASSERT(isRope()) rather than !isRope()
        https://bugs.webkit.org/show_bug.cgi?id=79268

        Reviewed by Michael Saboff.

        resolveRope() is the only caller of outOfMemory(), and it calls outOfMemory()
        after it fails to allocate a buffer for m_value. So outOfMemory() should assert
        isRope() rather than !isRope().

        * runtime/JSString.cpp:
        (JSC::JSString::outOfMemory):

2012-02-23  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Add WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS macro
        https://bugs.webkit.org/show_bug.cgi?id=79371

        Reviewed by Daniel Bates.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:
        * wtf/CMakeLists.txt:

2012-02-23  Aron Rosenberg  <arosenberg@logitech.com>

        Fix the PRI macros used in WTF::String formatters to be compatible with Qt and Visual Studio 2005 and newer.
        https://bugs.webkit.org/show_bug.cgi?id=76210

        Add compile time check for Visual Studio 2005 or newer.

        Reviewed by Simon Hausmann.

        * os-win32/inttypes.h:

2012-02-22  Gavin Barraclough  <barraclough@apple.com>

        Implement [[DefineOwnProperty]] for the arguments object
        https://bugs.webkit.org/show_bug.cgi?id=79309

        Reviewed by Sam Weinig.

        * runtime/Arguments.cpp:
        (JSC::Arguments::deletePropertyByIndex):
        (JSC::Arguments::deleteProperty):
            - Deleting an argument should also delete the copy on the object, if any.
        (JSC::Arguments::defineOwnProperty):
            - Defining a property may override the live mapping.
        * runtime/Arguments.h:
        (Arguments):

2012-02-22  Gavin Barraclough  <barraclough@apple.com>

        Fix Object.freeze for non-final objects.
        https://bugs.webkit.org/show_bug.cgi?id=79286

        Reviewed by Oliver Hunt.

        For vanilla objects we implement this with a single transition, for objects
        with special properties we should just follow the spec defined algorithm.

        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::put):
            - this does need to handle inextensible objects.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
            - Implement spec defined algorithm for non-final objects.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
            - freeze should set m_hasReadOnlyOrGetterSetterPropertiesExcludingProto.
        * runtime/Structure.h:
        (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
        (JSC::Structure::setHasGetterSetterProperties):
        (JSC::Structure::setContainsReadOnlyProperties):
        (Structure):
            - renamed m_hasReadOnlyOrGetterSetterPropertiesExcludingProto.

2012-02-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        Allocations from CopiedBlocks should always be 8-byte aligned
        https://bugs.webkit.org/show_bug.cgi?id=79271

        Reviewed by Geoffrey Garen.

        * heap/CopiedAllocator.h:
        (JSC::CopiedAllocator::allocate):
        * heap/CopiedBlock.h: Changed to add padding so that the start of the payload is always 
        guaranteed to be 8 byte aligned on both 64- and 32-bit platforms.
        (CopiedBlock):
        * heap/CopiedSpace.cpp: Changed all assertions of isPointerAligned to is8ByteAligned.
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::getFreshBlock):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::allocateFromBlock):
        * runtime/JSArray.h:
        (ArrayStorage): Added padding for ArrayStorage to make sure that it is always 8 byte 
        aligned on both 64- and 32-bit platforms.
        * wtf/StdLibExtras.h:
        (WTF::is8ByteAligned): Added new utility function that functions similarly to the 
        way isPointerAligned does, but it just always checks for 8 byte alignment.
        (WTF):

2012-02-22  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r108456.
        http://trac.webkit.org/changeset/108456
        https://bugs.webkit.org/show_bug.cgi?id=79223

        Broke fast/regex/pcre-test-4.html and cannot find anyone on
        IRC (Requested by zherczeg on #webkit).

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):

2012-02-22  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r108468.
        http://trac.webkit.org/changeset/108468
        https://bugs.webkit.org/show_bug.cgi?id=79219

        Broke Chromium Win release build (Requested by bashi on
        #webkit).

        * wtf/Platform.h:

2012-02-22  Kenichi Ishibashi  <bashi@chromium.org>

        Adding WebSocket per-frame DEFLATE extension
        https://bugs.webkit.org/show_bug.cgi?id=77522

        Added USE(ZLIB) flag.

        Reviewed by Kent Tamura.

        * wtf/Platform.h:

2012-02-22  Hojong Han  <hojong.han@samsung.com>

        Short circuit fixed for a 16 bt pattern character and an 8 bit string.
        https://bugs.webkit.org/show_bug.cgi?id=75602

        Reviewed by Gavin Barraclough.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):

2012-02-21  Filip Pizlo  <fpizlo@apple.com>

        Build fix for systems with case sensitive disks.

        * llint/LLIntOfflineAsmConfig.h:

2012-02-21  Filip Pizlo  <fpizlo@apple.com>

        JSC should be a triple-tier VM
        https://bugs.webkit.org/show_bug.cgi?id=75812
        <rdar://problem/10079694>

        Reviewed by Gavin Barraclough.
        
        Implemented an interpreter that uses the JIT's calling convention. This
        interpreter is called LLInt, or the Low Level Interpreter. JSC will now
        will start by executing code in LLInt and will only tier up to the old
        JIT after the code is proven hot.
        
        LLInt is written in a modified form of our macro assembly. This new macro
        assembly is compiled by an offline assembler (see offlineasm), which
        implements many modern conveniences such as a Turing-complete CPS-based
        macro language and direct access to relevant C++ type information
        (basically offsets of fields and sizes of structs/classes).
        
        Code executing in LLInt appears to the rest of the JSC world "as if" it
        were executing in the old JIT. Hence, things like exception handling and
        cross-execution-engine calls just work and require pretty much no
        additional overhead.
        
        This interpreter is 2-2.5x faster than our old interpreter on SunSpider,
        V8, and Kraken. With triple-tiering turned on, we're neutral on SunSpider,
        V8, and Kraken, but appear to get a double-digit improvement on real-world
        websites due to a huge reduction in the amount of JIT'ing.
        
        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/LinkBuffer.h:
        * assembler/MacroAssemblerCodeRef.h:
        (MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        * bytecode/BytecodeConventions.h: Added.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC):
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::operator!):
        (CallLinkStatus):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC):
        (CodeBlock):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::jitCompile):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::addGlobalResolveInstruction):
        (JSC::CodeBlock::addLLIntCallLinkInfo):
        (JSC::CodeBlock::addGlobalResolveInfo):
        (JSC::CodeBlock::numberOfMethodCallLinkInfos):
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::dontJITAnytimeSoon):
        (JSC::CodeBlock::jitAfterWarmUp):
        (JSC::CodeBlock::jitSoon):
        (JSC::CodeBlock::llintExecuteCounter):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::wasSeenInJIT):
        (GetByIdStatus):
        * bytecode/Instruction.h:
        (JSC):
        (JSC::Instruction::Instruction):
        (Instruction):
        * bytecode/LLIntCallLinkInfo.h: Added.
        (JSC):
        (JSC::LLIntCallLinkInfo::LLIntCallLinkInfo):
        (LLIntCallLinkInfo):
        (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo):
        (JSC::LLIntCallLinkInfo::isLinked):
        (JSC::LLIntCallLinkInfo::unlink):
        * bytecode/MethodCallLinkStatus.cpp:
        (JSC::MethodCallLinkStatus::computeFor):
        * bytecode/Opcode.cpp:
        (JSC):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        (PutByIdStatus):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::emitCatch):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOperations.cpp:
        * heap/Heap.h:
        (JSC):
        (JSC::Heap::firstAllocatorWithoutDestructors):
        (Heap):
        * heap/MarkStack.cpp:
        (JSC::visitChildren):
        * heap/MarkedAllocator.h:
        (JSC):
        (MarkedAllocator):
        * heap/MarkedSpace.h:
        (JSC):
        (MarkedSpace):
        (JSC::MarkedSpace::firstAllocator):
        * interpreter/CallFrame.cpp:
        (JSC):
        (JSC::CallFrame::bytecodeOffsetForNonDFGCode):
        (JSC::CallFrame::setBytecodeOffsetForNonDFGCode):
        (JSC::CallFrame::currentVPC):
        (JSC::CallFrame::setCurrentVPC):
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (ExecState):
        (JSC::ExecState::bytecodeOffsetForNonDFGCode):
        (JSC::ExecState::currentVPC):
        (JSC::ExecState::setCurrentVPC):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::~Interpreter):
        (JSC):
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getCallerInfo):
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveLastCaller):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        (JSC::Interpreter::classicEnabled):
        * interpreter/RegisterFile.h:
        (JSC):
        (RegisterFile):
        * jit/ExecutableAllocator.h:
        (JSC):
        * jit/HostCallReturnValue.cpp: Added.
        (JSC):
        (JSC::getHostCallReturnValueWithExecState):
        * jit/HostCallReturnValue.h: Added.
        (JSC):
        (JSC::initializeHostCallReturnValue):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITCode.h:
        (JSC::JITCode::isOptimizingJIT):
        (JITCode):
        (JSC::JITCode::isBaselineCode):
        (JSC::JITCode::JITCode):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITExceptions.cpp:
        (JSC::jitThrow):
        * jit/JITInlineMethods.h:
        (JSC::JIT::updateTopCallFrame):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        (JSC):
        * jit/JSInterfaceJIT.h:
        * llint: Added.
        * llint/LLIntCommon.h: Added.
        * llint/LLIntData.cpp: Added.
        (LLInt):
        (JSC::LLInt::Data::Data):
        (JSC::LLInt::Data::performAssertions):
        (JSC::LLInt::Data::~Data):
        * llint/LLIntData.h: Added.
        (JSC):
        (LLInt):
        (Data):
        (JSC::LLInt::Data::exceptionInstructions):
        (JSC::LLInt::Data::opcodeMap):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntEntrypoints.cpp: Added.
        (LLInt):
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h: Added.
        (JSC):
        (LLInt):
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntExceptions.cpp: Added.
        (LLInt):
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrowForThrownException):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntExceptions.h: Added.
        (JSC):
        (LLInt):
        * llint/LLIntOfflineAsmConfig.h: Added.
        * llint/LLIntOffsetsExtractor.cpp: Added.
        (JSC):
        (LLIntOffsetsExtractor):
        (JSC::LLIntOffsetsExtractor::dummy):
        (main):
        * llint/LLIntSlowPaths.cpp: Added.
        (LLInt):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::shouldJIT):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::resolveGlobal):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::genericCall):
        * llint/LLIntSlowPaths.h: Added.
        (JSC):
        (LLInt):
        * llint/LLIntThunks.cpp: Added.
        (LLInt):
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        * llint/LLIntThunks.h: Added.
        (JSC):
        (LLInt):
        * llint/LowLevelInterpreter.asm: Added.
        * llint/LowLevelInterpreter.cpp: Added.
        * llint/LowLevelInterpreter.h: Added.
        * offlineasm: Added.
        * offlineasm/armv7.rb: Added.
        * offlineasm/asm.rb: Added.
        * offlineasm/ast.rb: Added.
        * offlineasm/backends.rb: Added.
        * offlineasm/generate_offset_extractor.rb: Added.
        * offlineasm/instructions.rb: Added.
        * offlineasm/offset_extractor_constants.rb: Added.
        * offlineasm/offsets.rb: Added.
        * offlineasm/opt.rb: Added.
        * offlineasm/parser.rb: Added.
        * offlineasm/registers.rb: Added.
        * offlineasm/self_hash.rb: Added.
        * offlineasm/settings.rb: Added.
        * offlineasm/transform.rb: Added.
        * offlineasm/x86.rb: Added.
        * runtime/CodeSpecializationKind.h: Added.
        (JSC):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        (CommonSlowPaths):
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):
        (JSC):
        (JSC::EvalExecutable::jitCompile):
        (JSC::samplingDescription):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC):
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h: Added.
        (JSC):
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        * runtime/JSArray.h:
        (JSC):
        (JSArray):
        * runtime/JSCell.h:
        (JSC):
        (JSCell):
        * runtime/JSFunction.h:
        (JSC):
        (JSFunction):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.h:
        (JSC):
        (JSGlobalObject):
        * runtime/JSObject.h:
        (JSC):
        (JSObject):
        (JSFinalObject):
        * runtime/JSPropertyNameIterator.h:
        (JSC):
        (JSPropertyNameIterator):
        * runtime/JSString.h:
        (JSC):
        (JSString):
        * runtime/JSTypeInfo.h:
        (JSC):
        (TypeInfo):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/JSValue.h:
        (LLInt):
        (JSValue):
        * runtime/JSVariableObject.h:
        (JSC):
        (JSVariableObject):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):
        * runtime/ScopeChain.h:
        (JSC):
        (ScopeChainNode):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:
        (JSC):
        (Structure):
        * runtime/StructureChain.h:
        (JSC):
        (StructureChain):
        * wtf/InlineASM.h:
        * wtf/Platform.h:
        * wtf/SentinelLinkedList.h:
        (SentinelLinkedList):
        (WTF::SentinelLinkedList::isEmpty):
        * wtf/text/StringImpl.h:
        (JSC):
        (StringImpl):

2012-02-21  Oliver Hunt  <oliver@apple.com>

        Unbreak double-typed arrays on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=79177

        Reviewed by Gavin Barraclough.

        The existing code had completely broken address arithmetic.

        * JSCTypedArrayStubs.h:
        (JSC):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeDouble):
        (JSC::MacroAssemblerARMv7::storeFloat):

2012-02-21  Gavin Barraclough  <barraclough@apple.com>

        Should be able to reconfigure a non-configurable property as read-only
        https://bugs.webkit.org/show_bug.cgi?id=79170

        Reviewed by Sam Weinig.

        See ES5.1 8.12.9 10.a.i - the spec prohibits making a read-only property writable,
        but does not inhibit making a writable property read-only.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::setInDefineOwnProperty):
        (JSGlobalData):
        (JSC::JSGlobalData::isInDefineOwnProperty):
            - Added flag, tracking whether we are in JSObject::defineOwnProperty.
        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty):
        (DefineOwnPropertyScope):
            - Always allow properties to be deleted by DefineOwnProperty - assume it knows what it is doing!
        (JSC::DefineOwnPropertyScope::DefineOwnPropertyScope):
        (JSC::DefineOwnPropertyScope::~DefineOwnPropertyScope):
            - Added RAII helper.
        (JSC::JSObject::defineOwnProperty):
            - Track on the globalData when we are in this method.

2012-02-21  Oliver Hunt  <oliver@apple.com>

        Make TypedArrays be available in commandline jsc
        https://bugs.webkit.org/show_bug.cgi?id=79163

        Reviewed by Gavin Barraclough.

        Adds a compile time option to have jsc support a basic implementation
        of the TypedArrays available in WebCore.  This lets us test the typed
        array logic in the JIT witout having to build webcore.

        * JSCTypedArrayStubs.h: Added.
        (JSC):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject):
        (GlobalObject::addConstructableFunction):
        * runtime/JSGlobalData.h:
        (JSGlobalData):

2012-02-21  Tom Sepez  <tsepez@chromium.org>

        equalIgnoringNullity() only comparing half the bytes for equality
        https://bugs.webkit.org/show_bug.cgi?id=79135

        Reviewed by Adam Barth.

        * wtf/text/StringImpl.h:
        (WTF::equalIgnoringNullity):

2012-02-21  Roland Takacs  <takacs.roland@stud.u-szeged.hu>

        Unnecessary preprocessor macros in MainThread.h/cpp
        https://bugs.webkit.org/show_bug.cgi?id=79083

        Removed invalid/wrong PLATFORM(WINDOWS) preprocessor macro.

        * wtf/MainThread.cpp:
        (WTF):
        * wtf/MainThread.h:
        (WTF):

2012-02-21  Sam Weinig  <sam@webkit.org>

        Attempt to fix the Snow Leopard build.

        * Configurations/Base.xcconfig:

2012-02-21  Sam Weinig  <sam@webkit.org>

        Use libc++ when building with Clang on Mac
        https://bugs.webkit.org/show_bug.cgi?id=78981

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2012-02-21  Adam Roben  <aroben@apple.com>

        Roll out r108309, r108323, and r108326

        They broke the 32-bit Lion build.

        Original bugs is <http://webkit.org/b/75812> <rdar://problem/10079694>.

        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/LinkBuffer.h:
        * assembler/MacroAssemblerCodeRef.h:
        * bytecode/BytecodeConventions.h: Removed.
        * bytecode/CallLinkStatus.cpp:
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        * bytecode/GetByIdStatus.h:
        * bytecode/Instruction.h:
        * bytecode/LLIntCallLinkInfo.h: Removed.
        * bytecode/MethodCallLinkStatus.cpp:
        * bytecode/Opcode.cpp:
        * bytecode/Opcode.h:
        * bytecode/PutByIdStatus.cpp:
        * bytecode/PutByIdStatus.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCapabilities.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOperations.cpp:
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        * heap/MarkedAllocator.h:
        * heap/MarkedSpace.h:
        * interpreter/CallFrame.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * interpreter/RegisterFile.h:
        * jit/ExecutableAllocator.h:
        * jit/HostCallReturnValue.cpp: Removed.
        * jit/HostCallReturnValue.h: Removed.
        * jit/JIT.cpp:
        * jit/JITCode.h:
        * jit/JITDriver.h:
        * jit/JITExceptions.cpp:
        * jit/JITInlineMethods.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:
        * llint/LLIntCommon.h: Removed.
        * llint/LLIntData.cpp: Removed.
        * llint/LLIntData.h: Removed.
        * llint/LLIntEntrypoints.cpp: Removed.
        * llint/LLIntEntrypoints.h: Removed.
        * llint/LLIntExceptions.cpp: Removed.
        * llint/LLIntExceptions.h: Removed.
        * llint/LLIntOfflineAsmConfig.h: Removed.
        * llint/LLIntOffsetsExtractor.cpp: Removed.
        * llint/LLIntSlowPaths.cpp: Removed.
        * llint/LLIntSlowPaths.h: Removed.
        * llint/LLIntThunks.cpp: Removed.
        * llint/LLIntThunks.h: Removed.
        * llint/LowLevelInterpreter.asm: Removed.
        * llint/LowLevelInterpreter.cpp: Removed.
        * llint/LowLevelInterpreter.h: Removed.
        * offlineasm/armv7.rb: Removed.
        * offlineasm/asm.rb: Removed.
        * offlineasm/ast.rb: Removed.
        * offlineasm/backends.rb: Removed.
        * offlineasm/generate_offset_extractor.rb: Removed.
        * offlineasm/instructions.rb: Removed.
        * offlineasm/offset_extractor_constants.rb: Removed.
        * offlineasm/offsets.rb: Removed.
        * offlineasm/opt.rb: Removed.
        * offlineasm/parser.rb: Removed.
        * offlineasm/registers.rb: Removed.
        * offlineasm/self_hash.rb: Removed.
        * offlineasm/settings.rb: Removed.
        * offlineasm/transform.rb: Removed.
        * offlineasm/x86.rb: Removed.
        * runtime/CodeSpecializationKind.h: Removed.
        * runtime/CommonSlowPaths.h:
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        * runtime/ExecutionHarness.h: Removed.
        * runtime/JSArray.h:
        * runtime/JSCell.h:
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.h:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSString.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSValue.cpp:
        * runtime/JSValue.h:
        * runtime/JSVariableObject.h:
        * runtime/Options.cpp:
        * runtime/Options.h:
        * runtime/ScopeChain.h:
        * runtime/Structure.cpp:
        * runtime/Structure.h:
        * runtime/StructureChain.h:
        * wtf/InlineASM.h:
        * wtf/Platform.h:
        * wtf/SentinelLinkedList.h:
        * wtf/text/StringImpl.h:

2012-02-21  Gustavo Noronha Silva  <kov@debian.org> and Bob Tracy  <rct@frus.com>

        Does not build on IA64, SPARC and Alpha
        https://bugs.webkit.org/show_bug.cgi?id=79047

        Rubber-stamped by Kent Tamura.

        * wtf/dtoa/utils.h: these architectures also have correct double
        operations, so add them to the appropriate side of the check.

2012-02-21  Filip Pizlo  <fpizlo@apple.com>

        Fix massive crashes in all tests introduced by previous build fix, and fix non-DFG build.
        https://bugs.webkit.org/show_bug.cgi?id=75812

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGOperations.cpp:
        (JSC):
        * jit/HostCallReturnValue.h:
        (JSC::initializeHostCallReturnValue):

2012-02-21  Filip Pizlo  <fpizlo@apple.com>

        Attempted build fix for ELF platforms.

        * dfg/DFGOperations.cpp:
        (JSC):
        (JSC::getHostCallReturnValueWithExecState):
        * jit/HostCallReturnValue.cpp:
        (JSC):
        * jit/HostCallReturnValue.h:
        (JSC::initializeHostCallReturnValue):

2012-02-20  Filip Pizlo  <fpizlo@apple.com>

        JSC should be a triple-tier VM
        https://bugs.webkit.org/show_bug.cgi?id=75812
        <rdar://problem/10079694>

        Reviewed by Gavin Barraclough.
        
        Implemented an interpreter that uses the JIT's calling convention. This
        interpreter is called LLInt, or the Low Level Interpreter. JSC will now
        will start by executing code in LLInt and will only tier up to the old
        JIT after the code is proven hot.
        
        LLInt is written in a modified form of our macro assembly. This new macro
        assembly is compiled by an offline assembler (see offlineasm), which
        implements many modern conveniences such as a Turing-complete CPS-based
        macro language and direct access to relevant C++ type information
        (basically offsets of fields and sizes of structs/classes).
        
        Code executing in LLInt appears to the rest of the JSC world "as if" it
        were executing in the old JIT. Hence, things like exception handling and
        cross-execution-engine calls just work and require pretty much no
        additional overhead.
        
        This interpreter is 2-2.5x faster than our old interpreter on SunSpider,
        V8, and Kraken. With triple-tiering turned on, we're neutral on SunSpider,
        V8, and Kraken, but appear to get a double-digit improvement on real-world
        websites due to a huge reduction in the amount of JIT'ing.
        
        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/LinkBuffer.h:
        * assembler/MacroAssemblerCodeRef.h:
        (MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
        * bytecode/BytecodeConventions.h: Added.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC):
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::operator!):
        (CallLinkStatus):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC):
        (CodeBlock):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::jitCompile):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::addGlobalResolveInstruction):
        (JSC::CodeBlock::addLLIntCallLinkInfo):
        (JSC::CodeBlock::addGlobalResolveInfo):
        (JSC::CodeBlock::numberOfMethodCallLinkInfos):
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::dontJITAnytimeSoon):
        (JSC::CodeBlock::jitAfterWarmUp):
        (JSC::CodeBlock::jitSoon):
        (JSC::CodeBlock::llintExecuteCounter):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::wasSeenInJIT):
        (GetByIdStatus):
        * bytecode/Instruction.h:
        (JSC):
        (JSC::Instruction::Instruction):
        (Instruction):
        * bytecode/LLIntCallLinkInfo.h: Added.
        (JSC):
        (JSC::LLIntCallLinkInfo::LLIntCallLinkInfo):
        (LLIntCallLinkInfo):
        (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo):
        (JSC::LLIntCallLinkInfo::isLinked):
        (JSC::LLIntCallLinkInfo::unlink):
        * bytecode/MethodCallLinkStatus.cpp:
        (JSC::MethodCallLinkStatus::computeFor):
        * bytecode/Opcode.cpp:
        (JSC):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        (PutByIdStatus):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::emitCatch):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOperations.cpp:
        * heap/Heap.h:
        (JSC):
        (JSC::Heap::firstAllocatorWithoutDestructors):
        (Heap):
        * heap/MarkStack.cpp:
        (JSC::visitChildren):
        * heap/MarkedAllocator.h:
        (JSC):
        (MarkedAllocator):
        * heap/MarkedSpace.h:
        (JSC):
        (MarkedSpace):
        (JSC::MarkedSpace::firstAllocator):
        * interpreter/CallFrame.cpp:
        (JSC):
        (JSC::CallFrame::bytecodeOffsetForNonDFGCode):
        (JSC::CallFrame::setBytecodeOffsetForNonDFGCode):
        (JSC::CallFrame::currentVPC):
        (JSC::CallFrame::setCurrentVPC):
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (ExecState):
        (JSC::ExecState::bytecodeOffsetForNonDFGCode):
        (JSC::ExecState::currentVPC):
        (JSC::ExecState::setCurrentVPC):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::~Interpreter):
        (JSC):
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::getCallerInfo):
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveLastCaller):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        (JSC::Interpreter::classicEnabled):
        * interpreter/RegisterFile.h:
        (JSC):
        (RegisterFile):
        * jit/ExecutableAllocator.h:
        (JSC):
        * jit/HostCallReturnValue.cpp: Added.
        (JSC):
        (JSC::getHostCallReturnValueWithExecState):
        * jit/HostCallReturnValue.h: Added.
        (JSC):
        (JSC::initializeHostCallReturnValue):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITCode.h:
        (JSC::JITCode::isOptimizingJIT):
        (JITCode):
        (JSC::JITCode::isBaselineCode):
        (JSC::JITCode::JITCode):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITExceptions.cpp:
        (JSC::jitThrow):
        * jit/JITInlineMethods.h:
        (JSC::JIT::updateTopCallFrame):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        (JSC):
        * jit/JSInterfaceJIT.h:
        * llint: Added.
        * llint/LLIntCommon.h: Added.
        * llint/LLIntData.cpp: Added.
        (LLInt):
        (JSC::LLInt::Data::Data):
        (JSC::LLInt::Data::performAssertions):
        (JSC::LLInt::Data::~Data):
        * llint/LLIntData.h: Added.
        (JSC):
        (LLInt):
        (Data):
        (JSC::LLInt::Data::exceptionInstructions):
        (JSC::LLInt::Data::opcodeMap):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntEntrypoints.cpp: Added.
        (LLInt):
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h: Added.
        (JSC):
        (LLInt):
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntExceptions.cpp: Added.
        (LLInt):
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrowForThrownException):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntExceptions.h: Added.
        (JSC):
        (LLInt):
        * llint/LLIntOfflineAsmConfig.h: Added.
        * llint/LLIntOffsetsExtractor.cpp: Added.
        (JSC):
        (LLIntOffsetsExtractor):
        (JSC::LLIntOffsetsExtractor::dummy):
        (main):
        * llint/LLIntSlowPaths.cpp: Added.
        (LLInt):
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::shouldJIT):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::resolveGlobal):
        (JSC::LLInt::getByVal):
        (JSC::LLInt::handleHostCall):
        (JSC::LLInt::setUpCall):
        (JSC::LLInt::genericCall):
        * llint/LLIntSlowPaths.h: Added.
        (JSC):
        (LLInt):
        * llint/LLIntThunks.cpp: Added.
        (LLInt):
        (JSC::LLInt::generateThunkWithJumpTo):
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        * llint/LLIntThunks.h: Added.
        (JSC):
        (LLInt):
        * llint/LowLevelInterpreter.asm: Added.
        * llint/LowLevelInterpreter.cpp: Added.
        * llint/LowLevelInterpreter.h: Added.
        * offlineasm: Added.
        * offlineasm/armv7.rb: Added.
        * offlineasm/asm.rb: Added.
        * offlineasm/ast.rb: Added.
        * offlineasm/backends.rb: Added.
        * offlineasm/generate_offset_extractor.rb: Added.
        * offlineasm/instructions.rb: Added.
        * offlineasm/offset_extractor_constants.rb: Added.
        * offlineasm/offsets.rb: Added.
        * offlineasm/opt.rb: Added.
        * offlineasm/parser.rb: Added.
        * offlineasm/registers.rb: Added.
        * offlineasm/self_hash.rb: Added.
        * offlineasm/settings.rb: Added.
        * offlineasm/transform.rb: Added.
        * offlineasm/x86.rb: Added.
        * runtime/CodeSpecializationKind.h: Added.
        (JSC):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        (CommonSlowPaths):
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):
        (JSC):
        (JSC::EvalExecutable::jitCompile):
        (JSC::samplingDescription):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC):
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h: Added.
        (JSC):
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        * runtime/JSArray.h:
        (JSC):
        (JSArray):
        * runtime/JSCell.h:
        (JSC):
        (JSCell):
        * runtime/JSFunction.h:
        (JSC):
        (JSFunction):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC):
        (JSGlobalData):
        * runtime/JSGlobalObject.h:
        (JSC):
        (JSGlobalObject):
        * runtime/JSObject.h:
        (JSC):
        (JSObject):
        (JSFinalObject):
        * runtime/JSPropertyNameIterator.h:
        (JSC):
        (JSPropertyNameIterator):
        * runtime/JSString.h:
        (JSC):
        (JSString):
        * runtime/JSTypeInfo.h:
        (JSC):
        (TypeInfo):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):
        * runtime/JSValue.h:
        (LLInt):
        (JSValue):
        * runtime/JSVariableObject.h:
        (JSC):
        (JSVariableObject):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):
        * runtime/ScopeChain.h:
        (JSC):
        (ScopeChainNode):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:
        (JSC):
        (Structure):
        * runtime/StructureChain.h:
        (JSC):
        (StructureChain):
        * wtf/InlineASM.h:
        * wtf/Platform.h:
        * wtf/SentinelLinkedList.h:
        (SentinelLinkedList):
        (WTF::SentinelLinkedList::isEmpty):
        * wtf/text/StringImpl.h:
        (JSC):
        (StringImpl):

2012-02-20  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, rolling out http://trac.webkit.org/changeset/108291
        It completely broke the 32-bit JIT.

        * heap/CopiedAllocator.h:
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/Heap.h:
        (JSC::Heap::allocatorForObjectWithDestructor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        * runtime/JSArray.cpp:
        (JSC::storageSize):
        (JSC):
        * runtime/JSArray.h:
        (ArrayStorage):
        (JSArray):

2012-02-20  Gavin Barraclough  <barraclough@apple.com>

        [[Put]] should throw if prototype chain contains a readonly property.
        https://bugs.webkit.org/show_bug.cgi?id=79069

        Reviewed by Oliver Hunt.

        Currently we only check the base of the put, not the prototype chain.
        Fold this check in with the test for accessors.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
            - Updated to test all objects in the propotype chain for readonly properties.
        (JSC::JSObject::putDirectAccessor):
        (JSC::putDescriptor):
            - Record the presence of readonly properties on the structure.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
            - hasGetterSetterPropertiesExcludingProto expanded to hasReadOnlyOrGetterSetterPropertiesExcludingProto.
        * runtime/Structure.h:
        (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
        (JSC::Structure::setHasGetterSetterProperties):
            - hasGetterSetterPropertiesExcludingProto expanded to hasReadOnlyOrGetterSetterPropertiesExcludingProto.
        (JSC::Structure::setContainsReadOnlyProperties):
            - Added.

2012-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Implement fast path for op_new_array in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=78612

        Reviewed by Filip Pizlo.

        * heap/CopiedAllocator.h:
        (CopiedAllocator): Friended the JIT to allow access to m_currentOffset.
        * heap/CopiedSpace.h:
        (CopiedSpace): Friended the JIT to allow access to 
        (JSC::CopiedSpace::allocator):
        * heap/Heap.h:
        (JSC::Heap::storageAllocator): Added a getter for the CopiedAllocator class so the JIT
        can use it for simple allocation i.e. when we can just bump the offset without having to 
        do anything else.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases): Added new slow case for op_new_array for when
        we have to bail out because the fast allocation path fails for whatever reason.
        * jit/JIT.h:
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicStorage): Added utility function that allows objects to 
        allocate generic backing stores. This function is used by emitAllocateJSArray.
        (JSC):
        (JSC::JIT::emitAllocateJSArray): Added utility function that allows the client to 
        more easily allocate JSArrays. This function is used by emit_op_new_array and I expect 
        it will also be used for emit_op_new_array_buffer.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array): Changed to do inline allocation of JSArrays. Still does 
        a stub call for oversize arrays.
        (JSC):
        (JSC::JIT::emitSlow_op_new_array): Just bails out to a stub call if we fail in any way on 
        the fast path.
        * runtime/JSArray.cpp:
        (JSC):
        * runtime/JSArray.h: Added lots of offset functions for all the fields that we need to 
        initialize in the JIT.
        (ArrayStorage):
        (JSC::ArrayStorage::lengthOffset):
        (JSC::ArrayStorage::numValuesInVectorOffset):
        (JSC::ArrayStorage::allocBaseOffset):
        (JSC::ArrayStorage::vectorOffset):
        (JSArray):
        (JSC::JSArray::sparseValueMapOffset):
        (JSC::JSArray::subclassDataOffset):
        (JSC::JSArray::indexBiasOffset):
        (JSC):
        (JSC::JSArray::storageSize): Moved this function from being a static function in the cpp file
        to being a static function in the JSArray class. This move allows the JIT to call it to 
        see what size it should allocate.

2012-02-20  Gavin Barraclough  <barraclough@apple.com>

        DefineOwnProperty fails with numeric properties & Object.prototype
        https://bugs.webkit.org/show_bug.cgi?id=79059

        Reviewed by Oliver Hunt.

        ObjectPrototype caches whether it contains any numeric properties (m_hasNoPropertiesWithUInt32Names),
        calls to defineOwnProperty need to update this cache.

        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::put):
        (JSC::ObjectPrototype::defineOwnProperty):
        (JSC):
        (JSC::ObjectPrototype::getOwnPropertySlotByIndex):
        * runtime/ObjectPrototype.h:
        (ObjectPrototype):

2012-02-20  Pino Toscano  <pino@debian.org>

        Does not build on GNU Hurd
        https://bugs.webkit.org/show_bug.cgi?id=79045

        Reviewed by Gustavo Noronha Silva.

        * wtf/Platform.h: define WTF_OS_HURD.
        * wtf/ThreadIdentifierDataPthreads.cpp: adds a band-aid fix
        for the lack of PTHREAD_KEYS_MAX definition, with a value which
        should not cause issues.

2012-02-20  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Undoing accidental changes

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):

2012-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Factor out allocation in CopySpace into a separate CopyAllocator
        https://bugs.webkit.org/show_bug.cgi?id=78610

        Reviewed by Oliver Hunt.

        Added a new CopyAllocator class, which allows us to do allocations without 
        having to load the current offset and store the current offset in the current 
        block. This change will allow us to easily do inline assembly in the JIT for 
        array allocations.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopiedAllocator.h: Added.
        (JSC):
        (CopiedAllocator):
        (JSC::CopiedAllocator::currentBlock):
        (JSC::CopiedAllocator::CopiedAllocator):
        (JSC::CopiedAllocator::allocate):
        (JSC::CopiedAllocator::fitsInCurrentBlock):
        (JSC::CopiedAllocator::wasLastAllocation):
        (JSC::CopiedAllocator::startedCopying):
        (JSC::CopiedAllocator::resetCurrentBlock):
        (JSC::CopiedAllocator::currentUtilization):
        (JSC::CopiedAllocator::resetLastAllocation):
        * heap/CopiedBlock.h:
        (CopiedBlock):
        * heap/CopiedSpace.cpp: Moved some stuff from CopiedSpaceInlineMethods to here because we 
        weren't really getting any benefits from having such big functions in a header file.
        (JSC::CopiedSpace::CopiedSpace):
        (JSC):
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::tryAllocateSlowCase):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocate):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::doneCopying):
        (JSC::CopiedSpace::getFreshBlock):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC):
        (JSC::CopiedSpace::startedCopying):
        (JSC::CopiedSpace::addNewBlock):
        (JSC::CopiedSpace::allocateNewBlock):
        (JSC::CopiedSpace::fitsInBlock):
        (JSC::CopiedSpace::tryAllocate):
        (JSC::CopiedSpace::allocateFromBlock):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/HeapBlock.h:
        (HeapBlock):

2012-02-20  Patrick Gansterer  <paroga@webkit.org>

        Fix Visual Studio 2010 build.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):

2012-02-16  Gavin Barraclough  <barraclough@apple.com>

        Move special __proto__ property to Object.prototype
        https://bugs.webkit.org/show_bug.cgi?id=78409

        Reviewed by Oliver Hunt.

        Re-implement this as a regular accessor property.  This has three key benefits:
        1) It makes it possible for objects to be given properties named __proto__.
        2) Object.prototype.__proto__ can be deleted, preventing object prototypes from being changed.
        3) This largely removes the magic used the implement __proto__, it can just be made a regular accessor property.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
            - No need to prohibit functions named __proto__.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
            - Add __proto__ accessor to Object.prototype.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
            - Definition of the __proto__ accessor functions.
        * runtime/JSGlobalObjectFunctions.h:
            - Declaration of the __proto__ accessor functions.
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
            - Remove the special handling for __proto__, there is still a check to allow for a fast guard for accessors excluding __proto__.
        (JSC::JSObject::putDirectAccessor):
            - Track on the structure whether an object contains accessors other than one for __proto__.
        (JSC::JSObject::defineOwnProperty):
            - No need to prohibit definition of own properties named __proto__.
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
            - Remove the special handling for __proto__.
        (JSC::JSValue::get):
            - Remove the special handling for __proto__.
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
            - Remove the special handling for __proto__.
        * runtime/JSValue.h:
        (JSValue):
            - Made synthesizePrototype public (this may be needed by the __proto__ getter).
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
            - Perform the security check & call prototype() directly.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
            - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.
        * runtime/Structure.h:
        (JSC::Structure::hasGetterSetterPropertiesExcludingProto):
        (JSC::Structure::setHasGetterSetterProperties):
        (Structure):
            - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.

2012-02-20  Michael Saboff  <msaboff@apple.com>

        Update toLower and toUpper tests for Unicode 6.1 changes
        https://bugs.webkit.org/show_bug.cgi?id=78923

        Reviewed by Oliver Hunt.

        * tests/mozilla/ecma/String/15.5.4.11-2.js: Updated the test
        to handle a third set of results for updated Unicode 6.1
        changes.
        (getTestCases):
        (TestCaseMultiExpected):
        (writeTestCaseResultMultiExpected):
        (getTestCaseResultMultiExpected):
        (test):
        (GetUnicodeValues):
        (DecimalToHexString):

2012-02-20  Andy Wingo  <wingo@igalia.com>

        Remove unused features from CodeFeatures
        https://bugs.webkit.org/show_bug.cgi?id=78804

        Reviewed by Gavin Barraclough.

        * parser/Nodes.h:
        * parser/ASTBuilder.h:
        (JSC::ClosureFeature):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::usesClosures):
        Remove "ClosureFeature".  Since we track captured variables more
        precisely, this bit doesn't do us any good.

        (JSC::AssignFeature):
        (JSC::ASTBuilder::makeAssignNode):
        (JSC::ASTBuilder::makePrefixNode):
        (JSC::ASTBuilder::makePostfixNode):
        (JSC::ASTBuilder::usesAssignment):
        Similarly, remove AssignFeature.  It is unused.

2012-02-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am: Add missing files.

2012-02-18  Sam Weinig  <sam@webkit.org>

        Fix style issues in DFG Phase classes
        https://bugs.webkit.org/show_bug.cgi?id=78983

        Reviewed by Ryosuke Niwa.

        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        Add a space before the colon in class declarations.

2012-02-18  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-18  Sam Weinig  <sam@webkit.org>

        Fix the libc++ build.

        Reviewed by Anders Carlsson.

        * heap/Weak.h:
        Libc++'s nullptr emulation does not allow default construction
        of the nullptr_t type. Work around this with the arguably clearer
        just returning nullptr.

2012-02-18  Filip Pizlo  <fpizlo@apple.com>

        DFGPropagator.cpp has too many things
        https://bugs.webkit.org/show_bug.cgi?id=78956

        Reviewed by Oliver Hunt.
        
        Added the notion of a DFG::Phase. Removed DFG::Propagator, and took its
        various things and put them into separate files. These new phases follow
        the naming convention "DFG<name>Phase" where <name> is a noun. They are
        called via functions of the form "perform<name>".

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArithNodeFlagsInferencePhase.cpp: Added.
        (DFG):
        (JSC::DFG::performArithNodeFlagsInference):
        * dfg/DFGArithNodeFlagsInferencePhase.h: Added.
        (DFG):
        * dfg/DFGCFAPhase.cpp: Added.
        (DFG):
        (JSC::DFG::performCFA):
        * dfg/DFGCFAPhase.h: Added.
        (DFG):
        * dfg/DFGCSEPhase.cpp: Added.
        (DFG):
        (JSC::DFG::performCSE):
        * dfg/DFGCSEPhase.h: Added.
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGPhase.cpp: Added.
        (DFG):
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h: Added.
        (DFG):
        (Phase):
        (JSC::DFG::Phase::Phase):
        (JSC::DFG::Phase::~Phase):
        (JSC::DFG::Phase::globalData):
        (JSC::DFG::Phase::codeBlock):
        (JSC::DFG::Phase::profiledBlock):
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        (JSC::DFG::runPhase):
        * dfg/DFGPredictionPropagationPhase.cpp: Added.
        (DFG):
        (JSC::DFG::performPredictionPropagation):
        * dfg/DFGPredictionPropagationPhase.h: Added.
        (DFG):
        * dfg/DFGPropagator.cpp: Removed.
        * dfg/DFGPropagator.h: Removed.
        * dfg/DFGVirtualRegisterAllocationPhase.cpp: Added.
        (DFG):
        (JSC::DFG::performVirtualRegisterAllocation):
        * dfg/DFGVirtualRegisterAllocationPhase.h: Added.
        (DFG):

2012-02-17  Filip Pizlo  <fpizlo@apple.com>

        DFG::Graph should have references to JSGlobalData, the CodeBlock being compiled, and
        the CodeBlock that was used for profiling
        https://bugs.webkit.org/show_bug.cgi?id=78954

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
        (JSC):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAbstractState.h:
        * dfg/DFGAssemblyHelpers.h:
        (AssemblyHelpers):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::parse):
        * dfg/DFGByteCodeParser.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::Graph):
        (Graph):
        (JSC::DFG::Graph::getJSConstantPrediction):
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::isInt32Constant):
        (JSC::DFG::Graph::isDoubleConstant):
        (JSC::DFG::Graph::isNumberConstant):
        (JSC::DFG::Graph::isBooleanConstant):
        (JSC::DFG::Graph::isFunctionConstant):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        (JSC::DFG::Graph::valueOfFunctionConstant):
        (JSC::DFG::Graph::baselineCodeBlockFor):
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JITCompiler):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::isNotNegZero):
        (JSC::DFG::Propagator::isNotZero):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (JSC::DFG::Propagator::globalCFA):
        (JSC::DFG::propagate):
        * dfg/DFGPropagator.h:
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isConstant):
        (JSC::DFG::SpeculativeJIT::isJSConstant):
        (JSC::DFG::SpeculativeJIT::isInt32Constant):
        (JSC::DFG::SpeculativeJIT::isDoubleConstant):
        (JSC::DFG::SpeculativeJIT::isNumberConstant):
        (JSC::DFG::SpeculativeJIT::isBooleanConstant):
        (JSC::DFG::SpeculativeJIT::isFunctionConstant):
        (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
        (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
        (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):

2012-02-17  Ahmad Sharif  <asharif.tools@gmail.com>

        There is a warning in memset in glibc that gets triggered through a
        warndecl when the fill-value of memset is a non-zero constant and the
        size is zero. This warning is enabled when building with
        -D_FORTIFY_SOURCE=2. This patch fixes the warning.

        https://bugs.webkit.org/show_bug.cgi?id=78513

        Reviewed by Alexey Proskuryakov

        * wtf/Vector.h:

2012-02-17  Kalev Lember  <kalevlember@gmail.com>

        Remove unused parameters from WTF threading API
        https://bugs.webkit.org/show_bug.cgi?id=78389

        Reviewed by Adam Roben.

        waitForThreadCompletion() had an out param 'void **result' to get the
        'void *' returned by ThreadFunction. However, the implementation in
        ThreadingWin.cpp ignored the out param, not filling it in. This had
        led to a situation where none of the client code made use of the param
        and just ignored it.

        To clean this up, the patch changes the signature of ThreadFunction to
        return void instead of void* and drops the the unused 'void **result'
        parameter from waitForThreadCompletion. Also, all client code is
        updated for the API change.

        As mentioned in https://bugs.webkit.org/show_bug.cgi?id=78389 , even
        though the change only affects internal API, Safari is using it
        directly and we'll need to keep the old versions around for ABI
        compatibility. For this, the patch adds compatibility wrappers with
        the old ABI.

        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingThread::threadStartFunc):
        (JSC::SamplingThread::stop):
        * bytecode/SamplingTool.h:
        (SamplingThread):
        * heap/Heap.cpp:
        (JSC::Heap::~Heap):
        (JSC::Heap::blockFreeingThreadStartFunc):
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::markingThreadStartFunc):
        (JSC::MarkStackThreadSharedData::~MarkStackThreadSharedData):
        * heap/MarkStack.h:
        (MarkStackThreadSharedData):
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ThreadPrivate::workerThread):
        * wtf/ParallelJobsGeneric.h:
        (ThreadPrivate):
        * wtf/ThreadFunctionInvocation.h: Update the signature of
        ThreadFunction.
        (WTF):
        * wtf/Threading.cpp:
        (WTF::threadEntryPoint): Update for ThreadFunction signature change.
        (WTF):
        (WTF::ThreadFunctionWithReturnValueInvocation::ThreadFunctionWithReturnValueInvocation):
        ABI compatibility function for Safari.
        (ThreadFunctionWithReturnValueInvocation): Ditto.
        (WTF::compatEntryPoint): Ditto.
        (WTF::createThread): Ditto.
        (WTF::waitForThreadCompletion): Ditto.
        * wtf/Threading.h: Update the signature of ThreadFunction and
        waitForThreadCompletion.
        (WTF):
        * wtf/ThreadingPthreads.cpp: Implement the new API.
        (WTF::wtfThreadEntryPoint):
        (WTF):
        (WTF::createThreadInternal):
        (WTF::waitForThreadCompletion):
        * wtf/ThreadingWin.cpp: Implement the new API.
        (WTF::wtfThreadEntryPoint):
        (WTF::waitForThreadCompletion):

2012-02-16  Oliver Hunt  <oliver@apple.com>

        Implement Error.stack
        https://bugs.webkit.org/show_bug.cgi?id=66994

        Reviewed by Gavin Barraclough.

        Implement support for stack traces on exception objects.  This is a rewrite
        of the core portion of the last stack walking logic, but the mechanical work
        of adding the information to an exception comes from the original work by
        Juan Carlos Montemayor Elosua.

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        (JSC):
        (JSC::getSourceURLFromCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC):
        (StackFrame):
        (JSC::StackFrame::toString):
        (Interpreter):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCStack):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setInferredName):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:
        (JSC):

2012-02-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename Bump* to Copy*
        https://bugs.webkit.org/show_bug.cgi?id=78573

        Reviewed by Geoffrey Garen.

        Renamed anything with "Bump" in the name to have "Copied" instead.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/BumpBlock.h: Removed.
        * heap/BumpSpace.cpp: Removed.
        * heap/BumpSpace.h: Removed.
        * heap/BumpSpaceInlineMethods.h: Removed.
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::genericAddPointer):
        * heap/ConservativeRoots.h:
        (ConservativeRoots):
        * heap/CopiedBlock.h: Added.
        (JSC):
        (CopiedBlock):
        (JSC::CopiedBlock::CopiedBlock):
        * heap/CopiedSpace.cpp: Added.
        (JSC):
        (JSC::CopiedSpace::tryAllocateSlowCase):
        * heap/CopiedSpace.h: Added.
        (JSC):
        (CopiedSpace):
        (JSC::CopiedSpace::isInCopyPhase):
        (JSC::CopiedSpace::totalMemoryAllocated):
        (JSC::CopiedSpace::totalMemoryUtilized):
        * heap/CopiedSpaceInlineMethods.h: Added.
        (JSC):
        (JSC::CopiedSpace::CopiedSpace):
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::contains):
        (JSC::CopiedSpace::pin):
        (JSC::CopiedSpace::startedCopying):
        (JSC::CopiedSpace::doneCopying):
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::recycleBlock):
        (JSC::CopiedSpace::getFreshBlock):
        (JSC::CopiedSpace::borrowBlock):
        (JSC::CopiedSpace::addNewBlock):
        (JSC::CopiedSpace::allocateNewBlock):
        (JSC::CopiedSpace::fitsInBlock):
        (JSC::CopiedSpace::fitsInCurrentBlock):
        (JSC::CopiedSpace::tryAllocate):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::allocateFromBlock):
        (JSC::CopiedSpace::tryReallocate):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::isOversize):
        (JSC::CopiedSpace::isPinned):
        (JSC::CopiedSpace::oversizeBlockFor):
        (JSC::CopiedSpace::blockFor):
        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC):
        (Heap):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::startCopying):
        (JSC::SlotVisitor::allocateNewSpace):
        (JSC::SlotVisitor::doneCopying):
        * heap/MarkStack.h:
        (MarkStackThreadSharedData):
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * runtime/JSArray.cpp:
        * runtime/JSObject.cpp:

2012-02-16  Yuqiang Xian  <yuqiang.xian@intel.com>

        Add JSC code profiling support on Linux x86
        https://bugs.webkit.org/show_bug.cgi?id=78871

        Reviewed by Gavin Barraclough.

        We don't unwind the stack for now as we cannot guarantee all the
        libraries are compiled without -fomit-frame-pointer.

        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::sample):
        * tools/CodeProfiling.cpp:
        (JSC):
        (JSC::profilingTimer):
        (JSC::CodeProfiling::begin):
        (JSC::CodeProfiling::end):

2012-02-16  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed. Rolling out r107980, because it broke 32 bit platforms.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setInferredName):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:
        (JSC):

2012-02-16  Filip Pizlo  <fpizlo@apple.com>

        ENABLE_INTERPRETER should be ENABLE_CLASSIC_INTERPRETER
        https://bugs.webkit.org/show_bug.cgi?id=78791

        Rubber stamped by Oliver Hunt.
        
        Just a renaming, nothing more. Also renamed COMPUTED_GOTO_INTERPRETER to
        COMPUTED_GOTO_CLASSIC_INTERPRETER.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):
        * interpreter/AbstractPC.h:
        (AbstractPC):
        * interpreter/CallFrame.h:
        (ExecState):
        * interpreter/Interpreter.cpp:
        (JSC):
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveLastCaller):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        (Interpreter):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (NativeExecutable):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):
        * wtf/Platform.h:

2012-02-15  Geoffrey Garen  <ggaren@apple.com>

        Made Weak<T> single-owner, adding PassWeak<T>
        https://bugs.webkit.org/show_bug.cgi?id=78740

        Reviewed by Sam Weinig.

        This works basically the same way as OwnPtr<T> and PassOwnPtr<T>.

        This clarifies the semantics of finalizers: It's ambiguous and probably
        a bug to copy a finalizer (i.e., it's a bug to run a C++ destructor
        twice), so I've made Weak<T> non-copyable. Anywhere we used to copy a 
        Weak<T>, we now use PassWeak<T>.

        This also makes Weak<T> HashMaps more efficient.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype): Use PassWeak<T> instead of set(), since 
        set() is gone now.

        * JavaScriptCore.xcodeproj/project.pbxproj: Export!

        * heap/PassWeak.h: Added.
        (JSC):
        (PassWeak):
        (JSC::PassWeak::PassWeak):
        (JSC::PassWeak::~PassWeak):
        (JSC::PassWeak::get):
        (JSC::::leakHandle):
        (JSC::adoptWeak):
        (JSC::operator==):
        (JSC::operator!=): This is the Weak<T> version of PassOwnPtr<T>.

        * heap/Weak.h:
        (Weak):
        (JSC::Weak::Weak):
        (JSC::Weak::release):
        (JSC::Weak::hashTableDeletedValue):
        (JSC::=):
        (JSC): Changed to be non-copyable, removing a lot of copying-related
        APIs. Added hash traits so hash maps still work.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate): Use PassWeak<T>, as required by
        our new hash map API.

2012-02-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix the broken viewport tests
        https://bugs.webkit.org/show_bug.cgi?id=78774

        Reviewed by Kenneth Rohde Christiansen.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.cpp:
        (WTF):
        (WTF::toDoubleType): Template-ized to allow other functions to specify whether they
        want to allow trailing junk or not when calling strtod.
        (WTF::charactersToDouble):
        (WTF::charactersToFloat):
        (WTF::charactersToFloatIgnoringJunk): Created new version of charactersToFloat that allows 
        trailing junk.
        * wtf/text/WTFString.h:
        (WTF):

2012-02-16  Oliver Hunt  <oliver@apple.com>

        Implement Error.stack
        https://bugs.webkit.org/show_bug.cgi?id=66994

        Reviewed by Gavin Barraclough.

        Implement support for stack traces on exception objects.  This is a rewrite
        of the core portion of the last stack walking logic, but the mechanical work
        of adding the information to an exception comes from the original work by
        Juan Carlos Montemayor Elosua.

        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        (JSC):
        (JSC::getSourceURLFromCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC):
        (StackFrame):
        (JSC::StackFrame::toString):
        (Interpreter):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCStack):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setInferredName):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:
        (JSC):

2012-02-15  Gavin Barraclough  <barraclough@apple.com>

        Numerous trivial bugs in Object.defineProperty
        https://bugs.webkit.org/show_bug.cgi?id=78777

        Reviewed by Sam Weinig.

        There are a handful of really trivial bugs, related to Object.defineProperty:
            * Redefining an accessor with different attributes changes the attributes, but not the get/set functions!
            * Calling an undefined setter should only throw in strict mode.
            * When redefining an accessor to a data decriptor, if writable is not specified we should default to false.
            * Any attempt to redefine a non-configurable property of an array as configurable should be rejected.
            * Object.defineProperties should call toObject on 'Properties' argument, rather than throwing if it is not an object.
            * If preventExtensions has been called on an array, subsequent assignment beyond array bounds should fail.
            * 'isFrozen' shouldn't be checking the ReadOnly bit for accessor descriptors (we presently always keep this bit as 'false').
            * Should be able to redefine an non-writable, non-configurable property, with the same value and attributes.
            * Should be able to define an non-configurable accessor.
        These are mostly all one-line changes, e.g. inverted boolean checks, masking against wrong attribute.

        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::put):
            - Added ASSERT.
            - Calling an undefined setter should only throw in strict mode.
        (JSC::JSArray::putDescriptor):
            - Should be able to define an non-configurable accessor.
        (JSC::JSArray::defineOwnNumericProperty):
            - Any attempt to redefine a non-configurable property of an array as configurable should be rejected.
        (JSC::JSArray::putByIndexBeyondVectorLength):
            - If preventExtensions has been called on an array, subsequent assignment beyond array bounds should fail.
        * runtime/JSArray.h:
        (JSArray):
            - made enterDictionaryMode public, called from JSObject.
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
            - Calling an undefined setter should only throw in strict mode.
        (JSC::JSObject::preventExtensions):
            - Put array objects into dictionary mode to handle this!
        (JSC::JSObject::defineOwnProperty):
            - Should be able to redefine an non-writable, non-configurable property, with the same value and attributes.
            - Redefining an accessor with different attributes changes the attributes, but not the get/set functions!
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorDefineProperties):
            - Object.defineProperties should call toObject on 'Properties' argument, rather than throwing if it is not an object.
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::attributesWithOverride):
            - When redefining an accessor to a data decriptor, if writable is not specified we should default to false.
        (JSC::PropertyDescriptor::attributesOverridingCurrent):
            - When redefining an accessor to a data decriptor, if writable is not specified we should default to false.
        * runtime/Structure.cpp:
        (JSC::Structure::freezeTransition):
            - 'freezeTransition' shouldn't be setting the ReadOnly bit for accessor descriptors (we presently always keep this bit as 'false').
        (JSC::Structure::isFrozen):
            - 'isFrozen' shouldn't be checking the ReadOnly bit for accessor descriptors (we presently always keep this bit as 'false').

2012-02-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should not check the types of arguments that are dead
        https://bugs.webkit.org/show_bug.cgi?id=78518

        Reviewed by Geoff Garen.
        
        The argument checks are now elided if the corresponding SetArgument is dead,
        and the abstract value of the argument is set to bottom (None, []). This is
        performance neutral on the benchmarks we currently track.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):

2012-02-15  Oliver Hunt  <oliver@apple.com>

        Ensure that the DFG JIT always plants a CodeOrigin when making calls
        https://bugs.webkit.org/show_bug.cgi?id=78763

        Reviewed by Gavin Barraclough.

        Make all calls plant a CodeOrigin prior to the actual
        call.  Also clobbers the Interpreter with logic to ensure
        that the interpreter always plants a bytecode offset.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (CallBeginToken):
        (JSC::DFG::JITCompiler::beginJSCall):
        (JSC::DFG::JITCompiler::beginCall):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::bytecodeOffsetForNonDFGCode):
        (ExecState):
        (JSC::ExecState::setBytecodeOffsetForNonDFGCode):
        (JSC::ExecState::codeOriginIndexForDFG):

2012-02-14  Oliver Hunt  <oliver@apple.com>

        Fix Interpreter.

        * runtime/Executable.cpp:
        (JSC):
        * runtime/Executable.h:
        (ExecutableBase):

2012-02-14  Matt Lilek  <mrl@apple.com>

        Don't ENABLE_DASHBOARD_SUPPORT unconditionally on all Mac platforms
        https://bugs.webkit.org/show_bug.cgi?id=78629

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2012-02-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix for non-DFG platforms.

        * assembler/MacroAssembler.h:
        (MacroAssembler):

2012-02-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build and configuration goof.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::invert):
        * dfg/DFGCommon.h:

2012-02-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to emit code on control flow edges
        https://bugs.webkit.org/show_bug.cgi?id=78515

        Reviewed by Gavin Barraclough.
        
        This gets us a few steps closer to being able to perform global register allocation,
        by allowing us to have landing pads on control flow edges. This will let us reshuffle
        registers if it happens to be necessary due to different reg alloc decisions in
        differen blocks.
        
        This also introduces the notion of a landing pad for OSR entry, which will allow us
        to emit code that places data into registers when we're entering into the DFG from
        the old JIT.
        
        Finally, this patch introduces a verification mode that checks that the landing pads
        are actually emitted and do actually work as advertised. When verification is disabled,
        this has no effect on behavior.

        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::invert):
        (JSC::MacroAssembler::isInvertible):
        * dfg/DFGCommon.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        (DFG):
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::branchDouble):
        (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
        (JSC::DFG::SpeculativeJIT::branch32):
        (JSC::DFG::SpeculativeJIT::branchTest32):
        (JSC::DFG::SpeculativeJIT::branchPtr):
        (JSC::DFG::SpeculativeJIT::branchTestPtr):
        (JSC::DFG::SpeculativeJIT::branchTest8):
        (JSC::DFG::SpeculativeJIT::jump):
        (JSC::DFG::SpeculativeJIT::haveEdgeCodeToEmit):
        (JSC::DFG::SpeculativeJIT::emitEdgeCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-14  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure under JSC::DFG::AbstractState::execute loading economist.com
        https://bugs.webkit.org/show_bug.cgi?id=78153
        <rdar://problem/10861712> <rdar://problem/10861947>

        Reviewed by Oliver Hunt.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):

2012-02-14  Eric Seidel  <eric@webkit.org>

        Upstream Android's additions to Platform.h
        https://bugs.webkit.org/show_bug.cgi?id=78536

        Reviewed by Adam Barth.

        * wtf/Platform.h:

2012-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Replace old strtod with new strtod
        https://bugs.webkit.org/show_bug.cgi?id=68044

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp: Added template argument. This version allows junk after numbers.
        (JSC::::lex):
        * runtime/JSGlobalObjectFunctions.cpp: Ditto.
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        * runtime/LiteralParser.cpp: Ditto.
        (JSC::::Lexer::lexNumber):
        * wtf/dtoa.cpp: Replaced old strtod with a new version that uses the new StringToDoubleConverter.
        It takes a template argument to allow clients to determine statically whether it should allow 
        junk after the numbers or not.
        (WTF):
        (WTF::strtod):
        * wtf/dtoa.h:
        (WTF):
        * wtf/text/WTFString.cpp: Added template argument. This version does not allow junk after numbers.
        (WTF::toDoubleType):

2012-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        More windows build fixing

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-13  Oliver Hunt  <oliver@apple.com>

        Executing out of bounds in JSC::Yarr::YarrCodeBlock::execute / JSC::RegExp::match
        https://bugs.webkit.org/show_bug.cgi?id=76315

        Reviewed by Gavin Barraclough.

        Perform a 3 byte compare using two comparisons, rather than trying to perform the
        operation with a four byte load.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

2012-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Windows build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Replace old strtod with new strtod
        https://bugs.webkit.org/show_bug.cgi?id=68044

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp: Added template argument. This version allows junk after numbers.
        (JSC::::lex):
        * runtime/JSGlobalObjectFunctions.cpp: Ditto.
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        * runtime/LiteralParser.cpp: Ditto.
        (JSC::::Lexer::lexNumber):
        * wtf/dtoa.cpp: Replaced old strtod with a new version that uses the new StringToDoubleConverter.
        It takes a template argument to allow clients to determine statically whether it should allow 
        junk after the numbers or not.
        (WTF):
        (WTF::strtod):
        * wtf/dtoa.h:
        (WTF):
        * wtf/text/WTFString.cpp: Added template argument. This version does not allow junk after numbers.
        (WTF::toDoubleType):

2012-02-13  Sam Weinig  <sam@webkit.org>

        Move JSC related assertions out of Assertions.h and into their own header
        https://bugs.webkit.org/show_bug.cgi?id=78508

        Reviewed by Gavin Barraclough.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add GCAssertions.h

        * heap/GCAssertions.h: Added.
        Move assertions here.

        * runtime/WriteBarrier.h:
        Add #include of GCAssertions.h

        * wtf/Assertions.h:
        Remove JSC related assertions.

        * wtf/Compiler.h:
        Add compiler check for __has_trivial_destructor.

2012-02-13  Chao-ying Fu  <fu@mips.com>

        Update MIPS patchOffsetGetByIdSlowCaseCall
        https://bugs.webkit.org/show_bug.cgi?id=78392

        Reviewed by Gavin Barraclough.

        * jit/JIT.h:
        (JIT):

2012-02-13  Patrick Gansterer  <paroga@webkit.org>

        Remove obsolete #if from ThreadSpecific.h
        https://bugs.webkit.org/show_bug.cgi?id=78485

        Reviewed by Adam Roben.

        Since alle platform use either pthread or Win32 for threading,
        we can remove all PLATFORM() preprocessor statements.

        * wtf/ThreadSpecific.h:
        (ThreadSpecific):

2012-02-13  Jessie Berlin  <jberlin@apple.com>

        Fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-13  Sam Weinig  <sam@webkit.org>

        Use C11's _Static_assert for COMPILE_ASSERT if it is available
        https://bugs.webkit.org/show_bug.cgi?id=78506

        Rubber-stamped by Antti Koivisto.

        Use C11's _Static_assert for COMPILE_ASSERT if it is available to give slightly
        better error messages.

        * wtf/Assertions.h:
        Use _Static_assert if it is available.

        * wtf/Compiler.h:
        Add COMPILER_SUPPORTS support for _Static_assert when using the LLVM Compiler.

2012-02-13  Mario Sanchez Prada  <msanchez@igalia.com>

        [GTK] Add GSList to the list of GObject types in GOwnPtr
        https://bugs.webkit.org/show_bug.cgi?id=78487

        Reviewed by Philippe Normand.

        Handle the GSList type in GOwnPtr, by calling g_slist_free in the
        implementation of the freeOwnedGPtr template function.

        * wtf/gobject/GOwnPtr.cpp:
        (WTF::GSList):
        (WTF):
        * wtf/gobject/GOwnPtr.h:
        (WTF):
        * wtf/gobject/GTypedefs.h:

2012-02-06  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [EFL] Drop support for the Curl network backend.
        https://bugs.webkit.org/show_bug.cgi?id=77874

        Reviewed by Eric Seidel.

        Nobody seems to be maintaining the Curl backend in WebCore, the
        EFL port developers all seem to be using the Soup backend and the
        port itself has many features which are only implemented for the
        latter.

        * wtf/PlatformEfl.cmake: Always build the gobject-dependent source
        files.

2012-02-13  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r107485.

        * bytecode/PolymorphicPutByIdList.cpp:

2012-02-13  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=78434
        Unreviewed - temporarily reverting r107498 will I fix a couple of testcases.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        * runtime/ClassInfo.h:
        (MethodTable):
        (JSC):
        * runtime/JSCell.cpp:
        (JSC):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC):
        * runtime/JSGlobalObjectFunctions.h:
        (JSC):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSValue::get):
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
        * runtime/JSValue.h:
        (JSValue):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (JSC::Structure::setHasGetterSetterProperties):
        (Structure):

2012-02-12  Ashod Nakashian  <ashodnakashian@yahoo.com>

        KeywordLookupGenerator.py script fails in some cases
        https://bugs.webkit.org/show_bug.cgi?id=77886

        Reviewed by Benjamin Poulain.

        * parser/Keywords.table: Converted to LF-only.

2012-02-12  Shinya Kawanaka  <shinyak@google.com>

        Introduce ShadowRootList.
        https://bugs.webkit.org/show_bug.cgi?id=78069

        Reviewed by Hajime Morita.

        DoublyLinkedList should have tail() method to take the last element.

        * wtf/DoublyLinkedList.h:
        (DoublyLinkedList):
        (WTF::::tail):
        (WTF):

2012-02-12  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Move source files in WTF_HEADERS to WTF_SOURCES.
        https://bugs.webkit.org/show_bug.cgi?id=78436

        Reviewed by Daniel Bates.

        * wtf/CMakeLists.txt: Move .cpp files from WTF_HEADERS to WTF_SOURCES,
        and correctly sort the files which start with 'M'.

2012-02-12  Sam Weinig  <sam@webkit.org>

        Move the NumberOfCores.h/cpp files into the WTF group of JavaScriptCore.xcodeproj.

        Rubber-stamped by Anders Carlsson.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-02-12  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Remove unused or empty variable definitions.
        https://bugs.webkit.org/show_bug.cgi?id=78437

        Reviewed by Daniel Bates.

        * CMakeLists.txt: Remove unused JavaScriptCore_HEADERS definition.
        * shell/CMakeLists.txt: Remove unused JSC_HEADERS definition.
        * wtf/CMakeLists.txt: Remove empty WTF_LIBRARIES definition, it will
        be defined later by Platform*.cmake via LIST(APPEND WTF_LIBRARIES).

2012-02-12  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT calls fprintf() instead of dataLog in terminateSpeculativeExecution()
        https://bugs.webkit.org/show_bug.cgi?id=78431

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):

2012-02-11  Benjamin Poulain  <benjamin@webkit.org>

        Add back WTFURL to WebKit
        https://bugs.webkit.org/show_bug.cgi?id=77291

        Reviewed by Adam Barth.

        WTFURL was removed from WebKit in r86787.

        This patch adds the code back to WTF with the following changes:
        -Guard the feature with USE(WTFURL).
        -Change the typename CHAR to CharacterType to follow recent WebKit conventions.
        -Fix some coding style to make check-webkit-style happy.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/Platform.h:
        * wtf/url/api/ParsedURL.cpp: Added.
        (WTF):
        (WTF::ParsedURL::ParsedURL):
        (WTF::ParsedURL::scheme):
        (WTF::ParsedURL::username):
        (WTF::ParsedURL::password):
        (WTF::ParsedURL::host):
        (WTF::ParsedURL::port):
        (WTF::ParsedURL::path):
        (WTF::ParsedURL::query):
        (WTF::ParsedURL::fragment):
        (WTF::ParsedURL::segment):
        * wtf/url/api/ParsedURL.h: Added.
        (WTF):
        (ParsedURL):
        (WTF::ParsedURL::spec):
        * wtf/url/api/URLString.h: Added.
        (WTF):
        (URLString):
        (WTF::URLString::URLString):
        (WTF::URLString::string):
        * wtf/url/src/RawURLBuffer.h: Added.
        (WTF):
        (RawURLBuffer):
        (WTF::RawURLBuffer::RawURLBuffer):
        (WTF::RawURLBuffer::~RawURLBuffer):
        (WTF::RawURLBuffer::resize):
        * wtf/url/src/URLBuffer.h: Added.
        (WTF):
        (URLBuffer):
        (WTF::URLBuffer::URLBuffer):
        (WTF::URLBuffer::~URLBuffer):
        (WTF::URLBuffer::at):
        (WTF::URLBuffer::set):
        (WTF::URLBuffer::capacity):
        (WTF::URLBuffer::length):
        (WTF::URLBuffer::data):
        (WTF::URLBuffer::setLength):
        (WTF::URLBuffer::append):
        (WTF::URLBuffer::grow):
        * wtf/url/src/URLCharacterTypes.cpp: Added.
        (WTF):
        ():
        * wtf/url/src/URLCharacterTypes.h: Added.
        (WTF):
        (URLCharacterTypes):
        (WTF::URLCharacterTypes::isQueryChar):
        (WTF::URLCharacterTypes::isIPv4Char):
        (WTF::URLCharacterTypes::isHexChar):
        ():
        (WTF::URLCharacterTypes::isCharOfType):
        * wtf/url/src/URLComponent.h: Added.
        (WTF):
        (URLComponent):
        (WTF::URLComponent::URLComponent):
        (WTF::URLComponent::fromRange):
        (WTF::URLComponent::isValid):
        (WTF::URLComponent::isNonEmpty):
        (WTF::URLComponent::isEmptyOrInvalid):
        (WTF::URLComponent::reset):
        (WTF::URLComponent::operator==):
        (WTF::URLComponent::begin):
        (WTF::URLComponent::setBegin):
        (WTF::URLComponent::length):
        (WTF::URLComponent::setLength):
        (WTF::URLComponent::end):
        * wtf/url/src/URLEscape.cpp: Added.
        (WTF):
        ():
        * wtf/url/src/URLEscape.h: Added.
        (WTF):
        (WTF::appendURLEscapedCharacter):
        * wtf/url/src/URLParser.h: Added.
        (WTF):
        (URLParser):
        ():
        (WTF::URLParser::isPossibleAuthorityTerminator):
        (WTF::URLParser::parseAuthority):
        (WTF::URLParser::extractScheme):
        (WTF::URLParser::parseAfterScheme):
        (WTF::URLParser::parseStandardURL):
        (WTF::URLParser::parsePath):
        (WTF::URLParser::parsePathURL):
        (WTF::URLParser::parseMailtoURL):
        (WTF::URLParser::parsePort):
        (WTF::URLParser::extractFileName):
        (WTF::URLParser::extractQueryKeyValue):
        (WTF::URLParser::isURLSlash):
        (WTF::URLParser::shouldTrimFromURL):
        (WTF::URLParser::trimURL):
        (WTF::URLParser::consecutiveSlashes):
        (WTF::URLParser::isPortDigit):
        (WTF::URLParser::nextAuthorityTerminator):
        (WTF::URLParser::parseUserInfo):
        (WTF::URLParser::parseServerInfo):
        * wtf/url/src/URLQueryCanonicalizer.h: Added.
        (WTF):
        (URLQueryCanonicalizer):
        (WTF::URLQueryCanonicalizer::canonicalize):
        (WTF::URLQueryCanonicalizer::isAllASCII):
        (WTF::URLQueryCanonicalizer::isRaw8Bit):
        (WTF::URLQueryCanonicalizer::appendRaw8BitQueryString):
        (WTF::URLQueryCanonicalizer::convertToQueryEncoding):
        * wtf/url/src/URLSegments.cpp: Added.
        (WTF):
        (WTF::URLSegments::length):
        (WTF::URLSegments::charactersBefore):
        * wtf/url/src/URLSegments.h: Added.
        (WTF):
        (URLSegments):
        ():
        (WTF::URLSegments::URLSegments):

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        Old JIT put_by_id profiling counts every put_by_id_transition as taking slow path
        https://bugs.webkit.org/show_bug.cgi?id=78430
        <rdar://problem/10849469> <rdar://problem/10849684>

        Reviewed by Gavin Barraclough.
        
        The old JIT's put_by_id transition caching involves repatching the slow call to
        a generated stub. That means that the call is counted as "slow case". So, this
        patch inserts code to decrement the slow case count if the stub succeeds.
        
        Looks like a ~1% speed-up on V8.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        Build fix for Qt.

        * wtf/DataLog.h:

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to send all JSC debug logging to a file
        https://bugs.webkit.org/show_bug.cgi?id=78418

        Reviewed by Sam Weinig.
        
        Introduced wtf/DataLog, which defines WTF::dataFile, WTF::dataLog,
        and WTF::dataLogV. Changed all debugging- and profiling-related printfs
        to use WTF::dataLog() or one of its friends. By default, debug logging
        goes to stderr, unless you change the setting in wtf/DataLog.cpp.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::dumpLinkStatistics):
        (JSC::LinkBuffer::dumpCode):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::vprintfStdoutInstr):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::printGlobalResolveInfo):
        (JSC::printStructureStubInfo):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::dumpStatistics):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/Opcode.cpp:
        (JSC::OpcodeStats::~OpcodeStats):
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingFlags::stop):
        (JSC::SamplingRegion::dumpInternal):
        (JSC::SamplingTool::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCommon.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::printWhiteSpace):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
        (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::propagatePredictionsForward):
        (JSC::DFG::Propagator::propagatePredictionsBackward):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::fixup):
        (JSC::DFG::Propagator::startIndexForChildren):
        (JSC::DFG::Propagator::endIndexForPureCSE):
        (JSC::DFG::Propagator::setReplacement):
        (JSC::DFG::Propagator::eliminate):
        (JSC::DFG::Propagator::performNodeCSE):
        (JSC::DFG::Propagator::localCSE):
        (JSC::DFG::Propagator::allocateVirtualRegisters):
        (JSC::DFG::Propagator::performBlockCFA):
        (JSC::DFG::Propagator::performForwardCFA):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::dump):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::dump):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::dump):
        (JSC::DFG::SpeculativeJIT::checkConsistency):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * heap/Heap.cpp:
        (JSC::Heap::destroy):
        * heap/MarkedBlock.h:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dumpCaller):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * profiler/Profile.cpp:
        (JSC::Profile::debugPrintData):
        (JSC::Profile::debugPrintDataSampleStyle):
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::debugPrintData):
        (JSC::ProfileNode::debugPrintDataSampleStyle):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::dumpRegExpTrace):
        * runtime/RegExp.cpp:
        (JSC::RegExp::matchCompareWithInterpreter):
        * runtime/SamplingCounter.cpp:
        (JSC::AbstractSamplingCounter::dump):
        * runtime/SamplingCounter.h:
        (JSC::DeletableSamplingCounter::~DeletableSamplingCounter):
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::print):
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::report):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::dumpInternal):
        * wtf/CMakeLists.txt:
        * wtf/DataLog.cpp: Added.
        (WTF):
        (WTF::initializeLogFileOnce):
        (WTF::initializeLogFile):
        (WTF::dataFile):
        (WTF::dataLogV):
        (WTF::dataLog):
        * wtf/DataLog.h: Added.
        (WTF):
        * wtf/HashTable.cpp:
        (WTF::HashTableStats::~HashTableStats):
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::dumpProfile):
        * wtf/text/WTFString.cpp:
        (String::show):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::dumpDisjunction):

2012-02-11  Gavin Barraclough  <barraclough@apple.com>

        Move special __proto__ property to Object.prototype
        https://bugs.webkit.org/show_bug.cgi?id=78409

        Reviewed by Oliver Hunt.

        Re-implement this as a regular accessor property.  This has three key benefits:
        1) It makes it possible for objects to be given properties named __proto__.
        2) Object.prototype.__proto__ can be deleted, preventing object prototypes from being changed.
        3) This largely removes the magic used the implement __proto__, it can just be made a regular accessor property.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
            - No need to prohibit functions named __proto__.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
            - Add __proto__ accessor to Object.prototype.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
            - Definition of the __proto__ accessor functions.
        * runtime/JSGlobalObjectFunctions.h:
            - Declaration of the __proto__ accessor functions.
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
            - Remove the special handling for __proto__, there is still a check to allow for a fast guard for accessors excluding __proto__.
        (JSC::JSObject::putDirectAccessor):
            - Track on the structure whether an object contains accessors other than one for __proto__.
        (JSC::JSObject::defineOwnProperty):
            - No need to prohibit definition of own properties named __proto__.
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
            - Remove the special handling for __proto__.
        (JSC::JSValue::get):
            - Remove the special handling for __proto__.
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
            - Remove the special handling for __proto__.
        * runtime/JSValue.h:
        (JSValue):
            - Made synthesizePrototype public (this may be needed by the __proto__ getter).
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
            - Perform the security check & call prototype() directly.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
            - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.
        * runtime/Structure.h:
        (JSC::Structure::hasGetterSetterPropertiesExcludingProto):
        (JSC::Structure::setHasGetterSetterProperties):
        (Structure):
            - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA assumes that a WeakJSConstant's structure is known
        https://bugs.webkit.org/show_bug.cgi?id=78428
        <rdar://problem/10849492> <rdar://problem/10849621>

        Reviewed by Gavin Barraclough.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2012-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Qt debug build fix

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor): Platforms that don't use clang will allocate 
        JSFinalObjects in the destuctor subspace, so we should remove this assert so it 
        doesn't cause crashes.

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        Old 32_64 JIT should assert that its use of map() is consistent with the DFG
        OSR exit's expectations
        https://bugs.webkit.org/show_bug.cgi?id=78419
        <rdar://problem/10817121>

        Reviewed by Oliver Hunt.

        * jit/JITInlineMethods.h:
        (JSC::JIT::map):

2012-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Reduce the reentrancy limit of the interpreter for the iOS simulator
        https://bugs.webkit.org/show_bug.cgi?id=78400

        Reviewed by Gavin Barraclough.

        * interpreter/Interpreter.h: Lowered the maximum reentrancy limit for large thread stacks.
        (JSC):

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        [DFG] Misuse of WeakJSConstants in silentFillGPR code.
        https://bugs.webkit.org/show_bug.cgi?id=78423
        <rdar://problem/10849353> <rdar://problem/10804043>

        Reviewed by Sam Weinig.
        
        The code was using Node::isConstant(), when it was supposed to use Node::hasConstant().
        This patch is a surgical fix; the bigger problem is: why do we have isConstant() and
        hasConstant() when hasConstant() is correct and isConstant() is almost always wrong?

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentFillGPR):

2012-02-11  Sam Weinig  <sam@webkit.org>

        Prepare JavaScriptCore to build with libc++
        <rdar://problem/10426673>
        https://bugs.webkit.org/show_bug.cgi?id=78424

        Reviewed by Anders Carlsson.

        * wtf/NullPtr.cpp:
        * wtf/NullPtr.h:
        libc++ provides std::nullptr emulation, so we don't have to.

2012-02-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should have polymorphic put_by_id caching
        https://bugs.webkit.org/show_bug.cgi?id=78062
        <rdar://problem/10326439> <rdar://problem/10824839>

        Reviewed by Oliver Hunt.
        
        Implemented polymorphic put_by_id caching in the DFG, and added much of the
        machinery that would be needed to implement it in the old JIT as well.
        
        I decided against using the old PolymorphicAccessStructureList mechanism as
        this didn't quite fit with put_by_id. In particular, I wanted the ability to
        have one list that captured all relevant cases (including proto put_by_id
        if we ever decided to do it). And I wanted the code to have better
        encapsulation. And I didn't want to get confused by the fact that the
        original (non-list) put_by_id cache may itself consist of a stub routine.
        
        This code is still sub-optimal (for example adding a replace to a list whose
        previous elements are all transitions should just repatch the original code,
        but here it will generate a stub) but it already generates a >20% speed-up
        on V8-splay, leading to a 2% win overall in splay. Neutral elsewhere.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/PolymorphicPutByIdList.cpp: Added.
        (JSC):
        (JSC::PutByIdAccess::fromStructureStubInfo):
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        (JSC::PolymorphicPutByIdList::~PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::isFull):
        (JSC::PolymorphicPutByIdList::isAlmostFull):
        (JSC::PolymorphicPutByIdList::addAccess):
        (JSC::PolymorphicPutByIdList::visitWeak):
        * bytecode/PolymorphicPutByIdList.h: Added.
        (JSC):
        (PutByIdAccess):
        (JSC::PutByIdAccess::PutByIdAccess):
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::isSet):
        (JSC::PutByIdAccess::operator!):
        (JSC::PutByIdAccess::type):
        (JSC::PutByIdAccess::isTransition):
        (JSC::PutByIdAccess::isReplace):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::structure):
        (JSC::PutByIdAccess::newStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        (PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::currentSlowPathTarget):
        (JSC::PolymorphicPutByIdList::isEmpty):
        (JSC::PolymorphicPutByIdList::size):
        (JSC::PolymorphicPutByIdList::at):
        (JSC::PolymorphicPutByIdList::operator[]):
        (JSC::PolymorphicPutByIdList::kind):
        * bytecode/PutKind.h: Added.
        (JSC):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC):
        (JSC::isPutByIdAccess):
        (JSC::StructureStubInfo::initPutByIdList):
        (StructureStubInfo):
        (JSC::StructureStubInfo::reset):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        (DFG):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::appropriateGenericPutByIdFunction):
        (JSC::DFG::appropriateListBuildingPutByIdFunction):
        (DFG):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::dfgRepatchPutByID):
        (JSC::DFG::tryBuildPutByIdList):
        (JSC::DFG::dfgBuildPutByIdList):
        (JSC::DFG::dfgResetPutByID):
        * dfg/DFGRepatch.h:
        (DFG):
        * runtime/WriteBarrier.h:
        (WriteBarrierBase):
        (JSC::WriteBarrierBase::copyFrom):

2012-02-10  Vineet Chaudhary  <rgf748@motorola.com>

        https://bugs.webkit.org/show_bug.cgi?id=72756
        DOMHTMLElement’s accessKey property is declared as available in WebKit version that didn’t have it 

        Reviewed by Timothy Hatcher.

        * API/WebKitAvailability.h: Added AVAILABLE_AFTER_WEBKIT_VERSION_5_1 and
          AVAILABLE_WEBKIT_VERSION_1_3_AND_LATER_BUT_DEPRECATED_AFTER_WEBKIT_VERSION_5_1 for the new versions.

2012-02-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing windows build

        Unreviewed build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-02-10  Adam Klein  <adamk@chromium.org>

        Enable MUTATION_OBSERVERS by default on all platforms
        https://bugs.webkit.org/show_bug.cgi?id=78196

        Reviewed by Ojan Vafai.

        * Configurations/FeatureDefines.xcconfig:

2012-02-10  Yong Li  <yoli@rim.com>

        ENABLE(ASSEMBLER_WX_EXCLUSIVE): LinkBuffer can leave pages not marked as executable.
        https://bugs.webkit.org/show_bug.cgi?id=76724

        Reviewed by Rob Buis.

        This issue only exists when both ENABLE(ASSEMBLER_WX_EXCLUSIVE) and ENABLE(BRANCH_COMPACTION) are on.
        The size used to call makeExecutable can be smaller than the one that was used for makeWritable.
        So it can leave pages behind that are not set back to default flags. When an assembly on one of those
        pages is executed or JIT returns to those pages in the case it was already executing from there, the
        software will crash.

        * assembler/LinkBuffer.h: Add m_initialSize and use it in performFinalization().
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::performFinalization):
        (LinkBuffer):

2012-02-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Split MarkedSpace into destructor and destructor-free subspaces
        https://bugs.webkit.org/show_bug.cgi?id=77761

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject): Switched over to use destructor-free space.
        * heap/Heap.h:
        (JSC::Heap::allocatorForObjectWithoutDestructor): Added to give clients (e.g. the JIT) the ability to 
        pick which subspace they want to allocate out of.
        (JSC::Heap::allocatorForObjectWithDestructor): Ditto.
        (Heap):
        (JSC::Heap::allocateWithDestructor): Added private function for CellAllocator to use.
        (JSC):
        (JSC::Heap::allocateWithoutDestructor): Ditto.
        * heap/MarkedAllocator.cpp: Added the cellsNeedDestruction flag to allocators so that they can allocate 
        their MarkedBlocks correctly.
        (JSC::MarkedAllocator::allocateBlock):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::cellsNeedDestruction):
        (MarkedAllocator):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC):
        (JSC::MarkedAllocator::init): Replaced custom set functions, which were only used upon initialization, with
        an init function that does all of that stuff in fewer lines.
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::recycle):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::callDestructor): Templatized, along with specializedSweep and sweepHelper, to make 
        checking the m_cellsNeedDestructor flag faster and cleaner looking.
        (JSC):
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::sweepHelper):
        * heap/MarkedBlock.h:
        (MarkedBlock):
        (JSC::MarkedBlock::cellsNeedDestruction):
        (JSC):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::canonicalizeCellLivenessData):
        (JSC::TakeIfUnmarked::operator()):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (Subspace):
        (JSC::MarkedSpace::allocatorFor): Needed function to differentiate between the two broad subspaces of 
        allocators.
        (JSC):
        (JSC::MarkedSpace::destructorAllocatorFor): Ditto.
        (JSC::MarkedSpace::allocateWithoutDestructor): Ditto.
        (JSC::MarkedSpace::allocateWithDestructor): Ditto.
        (JSC::MarkedSpace::forEachBlock):
        * jit/JIT.h:
        * jit/JITInlineMethods.h: Modified to use the proper allocator for JSFinalObjects and others.
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC::JIT::emitAllocateJSFinalObject):
        (JSC::JIT::emitAllocateJSFunction):
        * runtime/JSArray.cpp:
        (JSC):
        * runtime/JSArray.h:
        (JSArray):
        (JSC::JSArray::create):
        (JSC):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSCell.h:
        (JSCell):
        (JSC):
        (NeedsDestructor): Template struct that calculates at compile time whether the class in question requires 
        destruction or not using the compiler type trait __has_trivial_destructor. allocateCell then checks this 
        constant to decide whether to allocate in the destructor or destructor-free parts of the heap.
        (JSC::allocateCell): 
        * runtime/JSFunction.cpp:
        (JSC):
        * runtime/JSFunction.h:
        (JSFunction):
        * runtime/JSObject.cpp:
        (JSC):
        * runtime/JSObject.h:
        (JSNonFinalObject):
        (JSC):
        (JSFinalObject):
        (JSC::JSFinalObject::create):

2012-02-10  Adrienne Walker  <enne@google.com>

        Remove implicit copy constructor usage in HashMaps with OwnPtr
        https://bugs.webkit.org/show_bug.cgi?id=78071

        Reviewed by Darin Adler.

        Change the return type of emptyValue() in PairHashTraits to be the
        actual type returned rather than the trait type to avoid an implicit
        generation of the OwnPtr copy constructor. This happens for hash
        traits involving OwnPtr where the empty value is not zero and each
        hash bucket needs to be initialized with emptyValue().

        Also, update StructureTransitionTable to use default hash traits
        rather than rolling its own, in order to update it to handle
        EmptyValueType.

        Test: patch from bug 74154 compiles on Clang with this patch

        * runtime/StructureTransitionTable.h:
        (StructureTransitionTable):
        * wtf/HashTraits.h:
        (GenericHashTraits):
        (PairHashTraits):
        (WTF::PairHashTraits::emptyValue):

2012-02-10  Aron Rosenberg  <arosenberg@logitech.com>

        [Qt] Fix compiler warning in Visual Studio 2010 about TR1
        https://bugs.webkit.org/show_bug.cgi?id=63642

        Reviewed by Simon Hausmann.

        * JavaScriptCore.pri:

2012-02-10  Michael Saboff  <msaboff@apple.com>

        Yarr assert with regexp where alternative in *-quantified group matches empty
        https://bugs.webkit.org/show_bug.cgi?id=67752        

        Reviewed by Gavin Barraclough.

        Added backtracking for the prior alternative if it matched
        but didn't consume any input characters.

        * yarr/YarrJIT.cpp:
        (YarrOp): New jump.
        (JSC::Yarr::YarrGenerator::generate): Emit conditional jump
        when an alternative matches and no input was consumed.  Moved the
        zero length match check for a set of alternatives to the alternative
        code from the parentheses cases to the alternative end cases.
        Converted the existing zero length checks in the parentheses cases
        to runtime assertion checks.
        (JSC::Yarr::YarrGenerator::backtrack): Link new jump to backtrack
        to prior term.

2012-02-10  Roland Takacs  <takacs.roland@stud.u-szeged.hu>

        [Qt] GC should be parallel on Qt platform
        https://bugs.webkit.org/show_bug.cgi?id=73309

        Reviewed by Zoltan Herczeg.

        These changes made the parallel gc feature available for Qt port.
        The implementation of "registerGCThread" and "isMainThreadOrGCThread",
        and a local static function [initializeGCThreads] is moved from
        MainThreadMac.mm to the common MainThread.cpp to make them available
        for other platforms.

        Measurement results:
        V8           speed-up:  1.025x as fast  [From: 663.4ms  To: 647.0ms ]
        V8 Splay     speed-up:  1.185x as fast  [From: 138.4ms  To: 116.8ms ]

        Tested on Intel(R) Core(TM) i5-2320 CPU @ 3.00GHz with 4-core.

        * JavaScriptCore.order:
        * wtf/MainThread.cpp:
        (WTF::initializeMainThread):
        (WTF):
        (WTF::initializeGCThreads):
        (WTF::registerGCThread):
        (WTF::isMainThreadOrGCThread):
        * wtf/MainThread.h:
        (WTF):
        * wtf/Platform.h:
        * wtf/mac/MainThreadMac.mm:
        (WTF):

2012-02-09  Andy Wingo  <wingo@igalia.com>

        Eliminate dead code in BytecodeGenerator::resolve()
        https://bugs.webkit.org/show_bug.cgi?id=78242

        Reviewed by Gavin Barraclough.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve):
        BytecodeGenerator::shouldOptimizeLocals() is only true for
        FunctionCode, and thus cannot be true for GlobalCode.

2012-02-09  Andy Wingo  <wingo@igalia.com>

        Remove BytecodeGenerator::isLocal
        https://bugs.webkit.org/show_bug.cgi?id=78241

        Minor refactor to BytecodeGenerator.

        Reviewed by Gavin Barraclough.

        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::isLocal):
        (JSC::BytecodeGenerator::isLocalConstant): Remove now-unused
        methods.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure): Use the ResolveResult mechanism
        instead of isLocal.  This will recognize more resolve nodes as
        being pure.
        (JSC::PrefixResolveNode::emitBytecode): Use isReadOnly on the
        location instead of isLocalConstant.

2012-02-09  Oliver Hunt  <oliver@apple.com>

        The JS Parser scope object needs a VectorTrait specialization
        https://bugs.webkit.org/show_bug.cgi?id=78308

        Reviewed by Gavin Barraclough.

        This showed up as a periodic crash in various bits of generated code
        originally, but I've added an assertion in the bytecode generator
        that makes the effected code much more crash-happy should it go
        wrong again.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolve):
        * parser/Parser.cpp:
        * parser/Parser.h:
        (JSC):
        * runtime/JSActivation.h:
        (JSC::JSActivation::isValidScopedLookup):
        (JSActivation):

2012-02-08  Oliver Hunt  <oliver@apple.com>

        Whoops, fix the build.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):

2012-02-08  Oliver Hunt  <oliver@apple.com>

        Fix issue encountered while debugging stacktraces
        https://bugs.webkit.org/show_bug.cgi?id=78147

        Reviewed by Gavin Barraclough.

        Debugging is easier if we always ensure that we have a non-null
        inferred name.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):

2012-02-08  Oliver Hunt  <oliver@apple.com>

        updateTopCallframe in the baseline JIT doesn't provide enough information to the stubs
        https://bugs.webkit.org/show_bug.cgi?id=78145

        Reviewed by Gavin Barraclough.

        Fix the updateTopCallFrame helper to store additional information
        that becomes necessary when we are trying to provide more stack
        frame information.

        * interpreter/CallFrame.h:
        (JSC::ExecState::bytecodeOffsetForBaselineJIT):
        (ExecState):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compileGetByIdProto):
        (JSC::JIT::compileGetByIdSelfList):
        (JSC::JIT::compileGetByIdProtoList):
        (JSC::JIT::compileGetByIdChainList):
        (JSC::JIT::compileGetByIdChain):
        (JSC::JIT::compilePutByIdTransition):
        (JIT):
        * jit/JITInlineMethods.h:
        (JSC::JIT::updateTopCallFrame):

2012-02-07  Robert Kroeger  <rjkroege@chromium.org>

        [chromium] Remove the enable marcro for the no longer necessary Chromium
        gesture recognizer.
        https://bugs.webkit.org/show_bug.cgi?id=77492

        Reviewed by Adam Barth.

        * wtf/Platform.h:

2012-02-07  Tony Chang  <tony@chromium.org>

        merge DashboardSupportCSSPropertyNames.in into CSSPropertyNames.in
        https://bugs.webkit.org/show_bug.cgi?id=78036

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_DASHBOARD_SUPPORT to FEATURE_DEFINES.

2012-02-07  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [CMAKE] Use *bin* and *lib* directories for executable and libraries.
        https://bugs.webkit.org/show_bug.cgi?id=77928

        Reviewed by Daniel Bates.

        CMake has used *Programs* directory for executable. In addition, shared libraries are being
        built in source directory. It is better to set common places in order to maintain executable
        and libraries. *bin* is for executable and *lib* is for library.

        * shell/CMakeLists.txt: Change *Programs* with *bin*.

2012-02-07  Gavin Barraclough  <barraclough@apple.com>

        Crash on http://www.rickshawbags.com/
        https://bugs.webkit.org/show_bug.cgi?id=78045

        Reviewed by Darin Adler.

        Problem URL is: http://www.rickshawbags.com/customize/custom-bag#!thl=rickshaw/bag()
        
        This is a bug introduced by https://bugs.webkit.org/show_bug.cgi?id=71933,
        isVariableObject() checks were excluding StaticScopeObjects, this patch
        inadvertently changed them to be included.

        * runtime/JSType.h:
            - sort JSType enum such that StaticScopeObjectType comes before VariableObjectType,
              and thus is excluded from isVariableObject() checks.

2012-02-06  Jer Noble  <jer.noble@apple.com>

        Use CMClock as a timing source for PlatformClock where available.
        https://bugs.webkit.org/show_bug.cgi?id=77885

        Reviewed by Eric Carlson.

        * wtf/Platform.h: Added WTF_USE_COREMEDIA.

2012-02-06  Filip Pizlo  <fpizlo@apple.com>

        ValueToNumber and ValueToDouble nodes don't do anything and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=77855
        <rdar://problem/10811325>

        Reviewed by Gavin Barraclough.
        
        Removed ValueToNumber and ValueToDouble, because the only thing they were doing
        was wasting registers.
        
        This looks like a 1% win on V8 (with a 5% win on crypto) and a 2-3% win on Kraken,
        mostly due to a >10% win on gaussian-blur. No win anywhere else.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getToInt32):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::Node::hasArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::vote):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (Propagator):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::canonicalize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-06  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed WinCE build fix after r106197.

        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator): getenv() isn't supported by WinCE. Don't call it.

2012-02-05  Gavin Barraclough  <barraclough@apple.com>

        Remove JSObject defineGetter/defineSetter lookupGetter/lookupSetter
        https://bugs.webkit.org/show_bug.cgi?id=77451

        Reviewed by Sam Weinig.

        These can now all be implemented in terms of defineOwnProperty & getPropertyDescriptor.
        Also remove initializeGetterSetterProperty, since this is equivalent to putDirectAccessor.

        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        (DebuggerActivation):
        * runtime/ClassInfo.h:
        (MethodTable):
        (JSC):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSCell.cpp:
        (JSC):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        (JSC):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        * runtime/JSObject.cpp:
        (JSC):
        * runtime/JSObject.h:
        (JSObject):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2012-02-06  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files.

2012-02-05  Filip Pizlo  <fpizlo@apple.com>

        DFG's child references from one node to another should have room for type information
        https://bugs.webkit.org/show_bug.cgi?id=77797

        Reviewed by Oliver Hunt.
        
        The DFG::Node::child fields now contain both a DFG::NodeIndex (which is just an unsigned)
        and a DFG::UseKind (which is currently an effectively empty enum). They are encapsulated
        together as a DFG::NodeUse, which can in most cases still be used as an index (for
        example DFG::Graph, AbstractState, and SpeculativeJIT all accept NodeUse in most places
        where they really want a NodeIndex).
        
        The NodeUse stores both the index and the UseKind without bloating the memory usage of
        DFG::Node, since we really don't need full 32 bits for the NodeIndex (a DFG::Node is
        roughly 11 words, so if we assume that we never want to use more than 1GB to DFG compile
        something - likely a sensible assumption! - then we will only be able to have room for
        about 24 million nodes, which means we only need about 24.5 bits for the node index).
        Currently the DFG::NodeUse allocates 4 bits for the UseKind and 28 bits for the index,
        but stores the index as a signed number to make NoNode work naturally. Hence we really
        just have 27 bits for the index.
        
        This is performance-neutral on all benchmarks we track.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::forNode):
        (AbstractState):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        * dfg/DFGCommon.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGGraph.h:
        (Graph):
        (JSC::DFG::Graph::operator[]):
        (JSC::DFG::Graph::at):
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child1Unchecked):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        (JSC::DFG::Node::dumpChildren):
        (Node):
        * dfg/DFGNodeReferenceBlob.h: Added.
        (DFG):
        (NodeReferenceBlob):
        (JSC::DFG::NodeReferenceBlob::NodeReferenceBlob):
        (JSC::DFG::NodeReferenceBlob::child):
        (JSC::DFG::NodeReferenceBlob::child1):
        (JSC::DFG::NodeReferenceBlob::child2):
        (JSC::DFG::NodeReferenceBlob::child3):
        (JSC::DFG::NodeReferenceBlob::child1Unchecked):
        (JSC::DFG::NodeReferenceBlob::initialize):
        (JSC::DFG::NodeReferenceBlob::firstChild):
        (JSC::DFG::NodeReferenceBlob::setFirstChild):
        (JSC::DFG::NodeReferenceBlob::numChildren):
        (JSC::DFG::NodeReferenceBlob::setNumChildren):
        * dfg/DFGNodeUse.h: Added.
        (DFG):
        (NodeUse):
        (JSC::DFG::NodeUse::NodeUse):
        (JSC::DFG::NodeUse::indexUnchecked):
        (JSC::DFG::NodeUse::index):
        (JSC::DFG::NodeUse::setIndex):
        (JSC::DFG::NodeUse::useKind):
        (JSC::DFG::NodeUse::setUseKind):
        (JSC::DFG::NodeUse::isSet):
        (JSC::DFG::NodeUse::operator!):
        (JSC::DFG::NodeUse::operator==):
        (JSC::DFG::NodeUse::operator!=):
        (JSC::DFG::NodeUse::shift):
        (JSC::DFG::NodeUse::makeWord):
        (JSC::DFG::operator==):
        (JSC::DFG::operator!=):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::vote):
        (JSC::DFG::Propagator::toDouble):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::canonicalize):
        (JSC::DFG::Propagator::startIndex):
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::performSubstitution):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::at):
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::use):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-05  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [CMAKE] Support javascriptcore test for EFL port. 
        https://bugs.webkit.org/show_bug.cgi?id=77425

        Reviewed by Daniel Bates.

        Efl and WinCE as well as Blackberry port are now using Cmake as its build system
        and they are share the make file to create jsc excutable. In order to run
        "run-javascriptcore-tests", EFL port needs to change jsc installation configuration
        with executable output directory(e.g. Programs). So, this patch change jsc installation
        configuration only for EFL port.

        * shell/CMakeLists.txt:

2012-02-04  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by Sam Weinig.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::quantifyAtom):
            - Fix comment.

2012-02-04  Kalev Lember  <kalevlember@gmail.com>

        [GTK] CurrentTime: Reorder headers for win32
        https://bugs.webkit.org/show_bug.cgi?id=77808

        Reviewed by Martin Robinson.

        In GTK+ win32 port, monotonicallyIncreasingTime() implementation is
        based on g_get_monotonic_time(). Reorder headers to make sure glib.h
        gets included even when the platform is win32.

        CurrentTime.cpp: In function 'double WTF::monotonicallyIncreasingTime()':
        CurrentTime.cpp:321:53: error: 'g_get_monotonic_time' was not declared in this scope
        CurrentTime.cpp:322:1: warning: control reaches end of non-void function [-Wreturn-type]

        * wtf/CurrentTime.cpp:

2012-02-03  Anders Carlsson  <andersca@apple.com>

        Prefix the typedef in WTF_MAKE_FAST_ALLOCATED with underscores
        https://bugs.webkit.org/show_bug.cgi?id=77788

        Reviewed by Andreas Kling.

        The current typedef name, 'ThisIsHereToForceASemicolonAfterThisMacro', shows up when trying to 
        code-complete 'this' in Xcode. Prefix the typedef with two underscores to stop this from happening.

        * wtf/FastAllocBase.h:

2012-02-03  Rob Buis  <rbuis@rim.com>

        Fix alignment warnings in ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=55368

        Reviewed by Filip Pizlo.

        Use reinterpret_cast_ptr and static_cast to get rid of alignment issues in ARMv7 code.

        * heap/HandleTypes.h:
        (JSC::HandleTypes::getFromSlot):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::forEachCell):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):
        (JSC::WriteBarrierBase::unvalidatedGet):

2012-02-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix

        Unreviewed build fix

        Forgot to add a couple files.

        * heap/MarkedAllocator.cpp: Added.
        (JSC):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::allocateBlock):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        * heap/MarkedAllocator.h: Added.
        (JSC):
        (DFG):
        (MarkedAllocator):
        (JSC::MarkedAllocator::cellSize):
        (JSC::MarkedAllocator::heap):
        (JSC::MarkedAllocator::setHeap):
        (JSC::MarkedAllocator::setCellSize):
        (JSC::MarkedAllocator::setMarkedSpace):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::reset):
        (JSC::MarkedAllocator::zapFreeList):
        (JSC::MarkedAllocator::forEachBlock):

2012-02-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor MarkedBlock::SizeClass into a separate class
        https://bugs.webkit.org/show_bug.cgi?id=77600

        Reviewed by Geoffrey Garen.

        We pulled SizeClass out into its own class, named MarkedAllocator, and gave it
        the responsibility of allocating objects from the collection of MarkedBlocks 
        that it manages. Also limited the amount of coupling to internal data fields 
        from other places, although it's mostly unavoidable in the JIT code.

        Eventually MarkedAllocator will implement various policies to do with object 
        management, e.g. whether or not to run destructors on objects that it manages.
        MarkedSpace will manage a collection of MarkedAllocators with varying policies,
        as it does now but to a larger extent. 

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        (JSC::Heap::resetAllocators):
        * heap/Heap.h:
        (JSC::Heap::allocatorForObject):
        (Heap):
        * heap/MarkedAllocator.cpp: Added.
        (JSC):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::allocateBlock):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        * heap/MarkedAllocator.h: Added.
        (JSC):
        (DFG):
        (MarkedAllocator):
        (JSC::MarkedAllocator::cellSize):
        (JSC::MarkedAllocator::heap):
        (JSC::MarkedAllocator::setHeap):
        (JSC::MarkedAllocator::setCellSize):
        (JSC::MarkedAllocator::setMarkedSpace):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::reset):
        (JSC::MarkedAllocator::zapFreeList):
        (JSC::MarkedAllocator::forEachBlock):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::canonicalizeCellLivenessData):
        (JSC::TakeIfUnmarked::operator()):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC::MarkedSpace::allocatorFor):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::didAddBlock):
        (JSC::MarkedSpace::didConsumeFreeList):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):

2012-02-03  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] Replace GNU linker script for exports with export macros in WTF/JSC
        https://bugs.webkit.org/show_bug.cgi?id=77723

        Reviewed by Tor Arne Vestbø.

        * wtf/Platform.h: Enable use of export macros.

2012-02-02  Hajime Morrita  <morrita@chromium.org>

        Unreviewed, removing an unnecessarily JS_PRIVATE_EXPORT annotation.

        * interpreter/Interpreter.h:
        (Interpreter):

2012-01-31  Hajime Morrita  <morrita@chromium.org>

        [Mac] eliminate JavaScriptCore.exp
        https://bugs.webkit.org/show_bug.cgi?id=72854

        Reviewed by Darin Adler.

        - Removed exp files and corresponding makefile entries.
        - Changed the build configuration no to use exp file.

        * Configurations/JavaScriptCore.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.JSVALUE32_64only.exp: Removed.
        * JavaScriptCore.JSVALUE64only.exp: Removed.
        * JavaScriptCore.exp: Removed.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/Platform.h:

2012-02-02  Benjamin Poulain  <bpoulain@apple.com>

        Running a Web Worker on about:blank crashes the interpreter
        https://bugs.webkit.org/show_bug.cgi?id=77593

        Reviewed by Michael Saboff.

        The method Interpreter::execute() was crashing on empty programs because
        the assumption is made the source is not null.

        This patch shortcut the execution when the String is null to avoid invalid
        memory access.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2012-02-02  Kalev Lember  <kalevlember@gmail.com>

        [GTK] Use win32 native threading
        https://bugs.webkit.org/show_bug.cgi?id=77676

        Reviewed by Martin Robinson.

        r97269 switched from glib threading to pthreads, breaking win32 GTK+.
        This is a follow up, removing some leftovers in ThreadSpecific.h and
        switching win32 to use the native threading in ThreadingWin.cpp.

        * GNUmakefile.list.am: Compile in win32 native threading support
        * wtf/ThreadSpecific.h: Remove GTK+-specific definitions
        (ThreadSpecific):
        (WTF::::destroy):

2012-02-02  Filip Pizlo  <fpizlo@apple.com>

        retrieveCallerFromVMCode should call trueCallerFrame
        https://bugs.webkit.org/show_bug.cgi?id=77684

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::retrieveCallerFromVMCode):

2012-02-02  Kalev Lember  <kalevlember@gmail.com>

        [GTK] Implement current executable path finding for win32
        https://bugs.webkit.org/show_bug.cgi?id=77677

        Reviewed by Martin Robinson.

        The WTF helper for getting the binary path that was added in r101710
        left out the win32 implementation. Fix this.

        * wtf/gobject/GlibUtilities.cpp:
        (getCurrentExecutablePath):

2012-02-02  Filip Pizlo  <fpizlo@apple.com>

        Throwing away bytecode and then reparsing during DFG optimization is just
        plain wrong and makes things crash
        https://bugs.webkit.org/show_bug.cgi?id=77680
        <rdar://problem/10798490>

        Reviewed by Oliver Hunt.

        This is the minimal surgical fix: it removes the code that triggered bytecode
        throw-away. Once we're confident that this is a good idea, we can kill all of
        the code that implements the feature.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::discardBytecodeLater):
        (JSC::CodeBlock::addValueProfile):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):

2012-02-02  Filip Pizlo  <fpizlo@apple.com>

        Release build debugging should be easier
        https://bugs.webkit.org/show_bug.cgi?id=77669

        Reviewed by Gavin Barraclough.

        * assembler/ARMAssembler.h:
        (ARMAssembler):
        (JSC::ARMAssembler::debugOffset):
        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::debugOffset):
        (ARMInstructionFormatter):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::debugOffset):
        * assembler/AbstractMacroAssembler.h:
        (AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::debugOffset):
        * assembler/AssemblerBuffer.h:
        (AssemblerBuffer):
        (JSC::AssemblerBuffer::debugOffset):
        * assembler/LinkBuffer.h:
        (LinkBuffer):
        (JSC::LinkBuffer::debugSize):
        * assembler/MIPSAssembler.h:
        (MIPSAssembler):
        (JSC::MIPSAssembler::debugOffset):
        * assembler/X86Assembler.h:
        (X86Assembler):
        (JSC::X86Assembler::debugOffset):
        (X86InstructionFormatter):
        (JSC::X86Assembler::X86InstructionFormatter::debugOffset):
        * bytecode/CodeBlock.cpp:
        (JSC):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (JSC):
        (JSC::CodeOrigin::inlineStack):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/PredictedType.cpp:
        (JSC):
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        (JSC):
        * bytecode/ValueRecovery.h:
        (ValueRecovery):
        (JSC::ValueRecovery::dump):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC):
        (JSC::BytecodeGenerator::setDumpsGeneratedCode):
        (JSC::BytecodeGenerator::dumpsGeneratedCode):
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGAbstractValue.h:
        (StructureAbstractValue):
        (JSC::DFG::StructureAbstractValue::dump):
        (AbstractValue):
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGAssemblyHelpers.h:
        (DFG):
        (AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGFPRInfo.h:
        (FPRInfo):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (GPRInfo):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGGraph.cpp:
        (DFG):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::arithNodeFlagsAsString):
        (Node):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::dumpChildren):
        * dfg/DFGOSRExit.cpp:
        (DFG):
        (JSC::DFG::OSRExit::dump):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * runtime/JSValue.cpp:
        (JSC):
        (JSC::JSValue::description):
        * runtime/JSValue.h:
        (JSValue):
        * wtf/BitVector.cpp:
        (WTF):
        (WTF::BitVector::dump):
        * wtf/BitVector.h:
        (BitVector):

2012-02-02  Oliver Hunt  <oliver@apple.com>

        Getters and setters cause line numbers in errors/console.log to be offset for the whole file
        https://bugs.webkit.org/show_bug.cgi?id=77675

        Reviewed by Timothy Hatcher.

        Our default literal parsing logic doesn't handle the extra work required for
        getters and setters.  When it encounters one, it rolls back the lexer and 
        then switches to a more complete parsing function.  Unfortunately it was only
        winding back the character position, and was ignoring the line number and
        other lexer data.  This led to every getter and setter causing the line number
        to be incorrectly incremented leading to increasingly incorrect numbers for
        the rest of the file.

        * parser/Parser.cpp:
        (JSC::::parseObjectLiteral):

2012-02-02  Andy Wingo  <wingo@igalia.com>

        Fix type punning warning in HashTable.h debug builds
        https://bugs.webkit.org/show_bug.cgi?id=77422

        Reviewed by Gavin Barraclough.

        * wtf/HashTable.h (WTF::HashTable::checkKey): Fix type punning
        warning appearing in debug builds with gcc-4.6.2 on GNU/Linux.

2012-02-01  Michael Saboff  <msaboff@apple.com>

        Yarr crash with regexp replace
        https://bugs.webkit.org/show_bug.cgi?id=67454

        Reviewed by Gavin Barraclough.

        Properly handle the case of a back reference to an unmatched
        subpattern by always matching without consuming any characters.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchBackReference):
        (JSC::Yarr::Interpreter::backtrackBackReference):

2012-02-01  Gavin Barraclough  <barraclough@apple.com>

        calling function on catch block scope containing an eval result in wrong this value being passed
        https://bugs.webkit.org/show_bug.cgi?id=77581

        Reviewed by Oliver Hunt.

        javascript:function F(){ return 'F' in this; }; try { throw F; } catch (e) { eval(""); alert(e()); }

        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createTryStatement):
        * parser/NodeConstructors.h:
        (JSC::TryNode::TryNode):
        * parser/Nodes.h:
        (TryNode):
        * parser/Parser.cpp:
        (JSC::::parseTryStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createTryStatement):
        * runtime/JSObject.h:
        (JSObject):
        (JSC::JSObject::isStaticScopeObject):
        (JSC):

2012-02-01  Oliver Hunt  <oliver@apple.com>

        Add support for inferred function names
        https://bugs.webkit.org/show_bug.cgi?id=77579

        Reviewed by Gavin Barraclough.

        Add new "inferred" names to function expressions, getters, and setters.
        This property is not exposed to JS, so is only visible in the debugger
        and profiler.

        * JavaScriptCore.exp:
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::calculatedFunctionName):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createAssignResolve):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::makeAssignNode):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::setInferredName):
        (JSC::FunctionBodyNode::inferredName):
        (FunctionBodyNode):
        * profiler/Profiler.cpp:
        (JSC):
        (JSC::Profiler::createCallIdentifier):
        (JSC::createCallIdentifierFromFunctionImp):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::inferredName):
        (FunctionExecutable):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::calculatedDisplayName):
        (JSC):
        (JSC::getCalculatedDisplayName):
        * runtime/JSFunction.h:
        (JSC):

2012-02-01  Filip Pizlo  <fpizlo@apple.com>

        DFG should fold double-to-int conversions
        https://bugs.webkit.org/show_bug.cgi?id=77532

        Reviewed by Oliver Hunt.
        
        Performance neutral on major benchmarks. But it makes calling V8's
        Math.random() 4x faster.

        * bytecode/CodeBlock.cpp:
        (JSC):
        (JSC::CodeBlock::addOrFindConstant):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstant):
        (CodeBlock):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::isInt32Constant):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (Graph):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInteger):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstantAsInt32):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSValueInlineMethods.h:
        (JSC::JSValue::asDouble):

2012-02-01  Filip Pizlo  <fpizlo@apple.com>

        DFG graph dump for GetScopedVar should show the correct prediction
        https://bugs.webkit.org/show_bug.cgi?id=77530

        Reviewed by Geoff Garen.
        
        GetScopedVar has a heap prediction, not a variable prediction. But it does
        have a variable. Hence we need to check for heap predictions before checking
        for variable predictions.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2012-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Replace JSArray destructor with finalizer
        https://bugs.webkit.org/show_bug.cgi?id=77488

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.exp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::finalize): Added finalizer.
        (JSC::JSArray::allocateSparseMap): Factored out code for allocating new sparse maps.
        (JSC):
        (JSC::JSArray::deallocateSparseMap): Factored out code for deallocating sparse maps.
        (JSC::JSArray::enterDictionaryMode): Renamed enterSparseMode to enterDictionaryMode 
        because the old name was confusing because we could have a sparse array that never 
        called enterSparseMode.
        (JSC::JSArray::defineOwnNumericProperty):
        (JSC::JSArray::setLengthWritable):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::sort):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSArray):

2012-02-01  Andy Wingo  <wingo@igalia.com>

        Refactor identifier resolution in BytecodeGenerator
        https://bugs.webkit.org/show_bug.cgi?id=76285

        Reviewed by Geoffrey Garen.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult): New class, to describe the storage
        location corresponding to an identifier in a program.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve): New function, replacing
        findScopedProperty.
        (JSC::BytecodeGenerator::resolveConstDecl): New function,
        encapsulating what ConstDeclNode::emitBytecode used to do.
        (JSC::BytecodeGenerator::emitGetStaticVar):
        (JSC::BytecodeGenerator::emitPutStaticVar): New functions,
        corresponding to the old emitGetScopedVar and emitPutScopedVar.
        (JSC::BytecodeGenerator::registerFor): Remove version that took an
        Identifier&; replaced by ResolveResult::local().
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitResolveWithThis): Change to accept a
        "resolveResult" argument.  This is more clear, and reduces the
        amount of double analysis happening at compile-time.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixResolveNode::emitBytecode):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixResolveNode::emitBytecode):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode): Refactor to use the new
        ResolveResult structure.

2012-02-01  Csaba Osztrogonác  <ossy@webkit.org>

        Implement Error.stack
        https://bugs.webkit.org/show_bug.cgi?id=66994

        Unreviewed, rolling out r106407.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (JSC):
        (Interpreter):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * parser/Parser.h:
        (JSC::::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:
        (JSC):

2012-01-31  Hajime Morrita  <morrita@chromium.org>

        Add missing JS_PRIVATE_EXPORTs
        https://bugs.webkit.org/show_bug.cgi?id=77507

        Reviewed by Kevin Ollivier.

        * heap/MarkedSpace.h:
        (MarkedSpace):
        * interpreter/Interpreter.h:
        (Interpreter):
        * runtime/JSValue.h:
        (JSValue):
        * wtf/text/AtomicString.h:
        (WTF::AtomicString::add):
        * wtf/text/WTFString.h:
        (WTF):

2012-01-31  Geoffrey Garen  <ggaren@apple.com>

        Stop using -fomit-frame-pointer
        https://bugs.webkit.org/show_bug.cgi?id=77403

        Reviewed by Filip Pizlo.
        
        JavaScriptCore is too fast. I'm just the man to fix it.

        * Configurations/JavaScriptCore.xcconfig:

2012-01-31  Michael Saboff  <msaboff@apple.com>

        StringProtoFuncToUpperCase should call StringImpl::upper similar to StringProtoToLowerCase
        https://bugs.webkit.org/show_bug.cgi?id=76647

        Reviewed by Darin Adler.

        Changed stringProtoFuncToUpperCase to call StringImpl::upper() in a manor similar
        to stringProtoFuncToLowerCase().  Fixed StringImpl::upper() to handle to special
        cases.  One case is s-sharp (0xdf) which converts to "SS".  The other case is 
        for characters which become 16 bit values when converted to upper case.  For
        those, we up convert the the source string and use the 16 bit path.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncToUpperCase):
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::upper):
        * wtf/unicode/CharacterNames.h:
        (smallLetterSharpS): New constant

2012-01-31  Oliver Hunt  <oliver@apple.com>

        Remove unneeded sourceId property
        https://bugs.webkit.org/show_bug.cgi?id=77495

        Reviewed by Filip Pizlo.

        sourceId isn't used anymore, so we'll just remove it.

        * runtime/Error.cpp:
        (JSC):
        (JSC::addErrorInfo):
        (JSC::hasErrorInfo):

2012-01-31  Oliver Hunt  <oliver@apple.com>

        Implement Error.stack
        https://bugs.webkit.org/show_bug.cgi?id=66994

        Reviewed by Gavin Barraclough.

        Original patch by Juan Carlos Montemayor Elosua:
            This patch utilizes topCallFrame to create a stack trace when
            an error is thrown. Users will also be able to use the stack()
            command in jsc to get arrays with stack trace information.

        Modified to be correct on ToT, with a variety of correctness,
        performance, and security improvements.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::getCallerLine):
        (JSC::getSourceURLFromCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (JSC::StackFrame::toString):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCStack):
        * parser/Parser.h:
        (JSC::Parser::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:

2012-01-31  Scott Graham  <scottmg@chromium.org>

        [Chromium] Remove references to gyp cygwin build target
        https://bugs.webkit.org/show_bug.cgi?id=77253

        Reviewed by Julien Chaffraix.

        Target dependency is no longer required, it's done earlier in the
        build process.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-01-31  Michael Saboff  <msaboff@apple.com>

        ASSERT(m_jumpsToLink.isEmpty()) failing in ARMv7Assembler dtor
        https://bugs.webkit.org/show_bug.cgi?id=77443

        Reviewed by Gavin Barraclough.

        Removed failing ASSERT() and thus destructor.  The ASSERT isn't needed.
        We are hitting it in the YARR JIT case where we bail out and go to the
        interpreter with a partially JIT'ed function.  Since we haven't linked
        the JIT'ed code, there is likely to be some unresolved jumps in the vector
        when the ARMv7Assembler destructor is called.  For the case where we
        complete the JIT process, we clear the vector at the end of
        LinkBuffer::linkCode (LinkBuffer.h:292).

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):

2012-01-31  Anders Carlsson  <andersca@apple.com>

        Vector<T>::operator== shouldn't require T to have operator!=
        https://bugs.webkit.org/show_bug.cgi?id=77448

        Reviewed by Andreas Kling.

        Change VectorComparer::compare to use !(a == b) instead of a != b since
        it makes more sense for Vector::operator== to use the element's operator==.

        * wtf/Vector.h:

2012-01-30  Oliver Hunt  <oliver@apple.com>

        get_by_val_arguments is broken in the interpreter
        https://bugs.webkit.org/show_bug.cgi?id=77389

        Reviewed by Gavin Barraclough.

        When get_by_val had wad a value profile added, the same slot was not added to
        get_by_val_arguments.  This broke the interpreter as the interpreter falls
        back on its regular get_by_val implementation.

        No tests are added as the interpreter is fairly broken in its
        current state (multiple tests fail due to this bug).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        ():
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetArgumentByVal):

2012-01-30  Oliver Hunt  <oliver@apple.com>

        Unexpected syntax error
        https://bugs.webkit.org/show_bug.cgi?id=77340

        Reviewed by Gavin Barraclough.

        Function calls and new expressions have the same semantics for
        assignment, so should simply share their lhs handling.

        * parser/Parser.cpp:
        (JSC::::parseMemberExpression):

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed ARMv7 build fix.

        * tools/CodeProfiling.cpp:
        (JSC):
        (JSC::setProfileTimer):
        (JSC::CodeProfiling::begin):
        (JSC::CodeProfiling::end):

2012-01-30  David Levin  <levin@chromium.org>

        Using OS(WIN) or OS(MAC) should cause a build error.
        https://bugs.webkit.org/show_bug.cgi?id=77162

        Reviewed by Darin Adler.

        * wtf/Platform.h: Expand them into something that will
         cause a compile error.

2012-01-30  Yong Li  <yoli@rim.com>

        [BlackBerry] OS(QNX) also has TM_GMTOFF, TM_ZONE, and TIMEGM
        https://bugs.webkit.org/show_bug.cgi?id=77360

        Reviewed by Rob Buis.

        Turn on HAVE(TM_GMTOFF), HAVE(TM_ZONE), and HAVE(TIMEGM)
        for OS(QNX).

        * wtf/Platform.h:

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Speculative Windows build fix.

        * assembler/MacroAssemblerCodeRef.h:
        (FunctionPtr):

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=77163
        MacroAssemblerCodeRef.h uses OS(WIN) instead of OS(WINDOWS)

        Rubber stamped by Geoff Garen

        * assembler/MacroAssemblerCodeRef.h:

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed build fix for interpreter builds.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::sample):

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed build fix following bug#76855

        * JavaScriptCore.exp:

2012-01-30  Michael Saboff  <msaboff@apple.com>

        CaseFoldingHash::hash() doesn't handle 8 bit strings directly
        https://bugs.webkit.org/show_bug.cgi?id=76652

        Reviewed by Andreas Kling.

        * wtf/text/StringHash.h:
        (WTF::CaseFoldingHash::hash): Added 8 bit string code path.

2012-01-30  Michael Saboff  <msaboff@apple.com>

        stringProtoFuncReplace converts 8 bit strings to 16 bit during replacement
        https://bugs.webkit.org/show_bug.cgi?id=76651

        Reviewed by Geoffrey Garen.

        Made local function substituteBackreferencesSlow a template function
        based on character width.  Cleaned up getCharacters() in both UString
        and StringImpl.  Changed getCharacters<UChar> to up convert an 8 bit
        string to 16 bits if necessary.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferences):
        * runtime/UString.h:
        (JSC::LChar):
        (JSC::UChar):
        * wtf/text/StringImpl.h:
        (WTF::UChar):

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Clean up putDirect
        https://bugs.webkit.org/show_bug.cgi?id=76232

        Reviewed by Sam Weinig.

        Part 3 - merge op_put_getter & op_put_setter.

        Putting these separately is inefficient (and makes future optimiation,
        e.g. making GetterSetter immutable) harder. Change to emit a single
        op_put_getter_setter bytecode op. Ultimately we should probably be
        able to merge this with put direct, to create a common op to initialize
        object literal properties.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        ():
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPutGetterSetter):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_getter_setter):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_getter_setter):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        ():
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectVirtual):
        (JSC::JSObject::putDirectAccessor):
        (JSC):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        ():
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):

2012-01-30  Michael Saboff  <msaboff@apple.com>

        Dromaeo tests call parseSimpleLengthValue() on 8 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=76649

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.exp: Added export for charactersToDouble.

2012-01-30  Michael Saboff  <msaboff@apple.com>

        WebCore decodeEscapeSequences unnecessarily converts 8 bit strings to 16 bit when decoding.
        https://bugs.webkit.org/show_bug.cgi?id=76648

        Reviewed by Geoffrey Garen.

        Added a new overloaded append member that takes a String& argument, an offest
        and a length to do direct sub string appending to a StringBuilder.

        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::append):

2012-01-29  Zoltan Herczeg  <zherczeg@webkit.org>

        Custom written CSS lexer
        https://bugs.webkit.org/show_bug.cgi?id=70107

        Reviewed by Antti Koivisto and Oliver Hunt.

        Add new helper functions for the custom written CSS lexer.

        * wtf/ASCIICType.h:
        (WTF::toASCIILowerUnchecked):
        (WTF):
        (WTF::isASCIIAlphaCaselessEqual):

2012-01-29  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r105576-r105582): Web Inspector Crash in JSC::JSValue::toString(JSC::ExecState*) const
        https://bugs.webkit.org/show_bug.cgi?id=77146
        <rdar://problem/10770586>

        Reviewed by Oliver Hunt.
        
        The old JIT expects that the result of the last operation is in the lastResultRegister.  The DFG JIT is
        designed to correctly track the lastResultRegister by looking at SetLocal nodes.  However, when the DFG
        JIT inlines a code block, it forgets that the inlined code block's result would have been placed in the
        lastResultRegister.  Hence if we OSR exit on the first node following the end of an inlined code block
        that had a return value, and that first node uses the return value, the old JIT will get massively
        confused.  This patch takes a surgical approach: instead of making the DFG smarter, it makes the old
        JIT slightly dumber.

        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_call_put_result):

2012-01-29  Filip Pizlo  <fpizlo@apple.com>

        Build fix for Mac non-x64 platforms.

        * tools/CodeProfiling.cpp:
        (JSC):

2012-01-28  Gavin Barraclough  <barraclough@apple.com>

        Reserve 'let'
        https://bugs.webkit.org/show_bug.cgi?id=77293

        Rubber stamped by Oliver Hunt.

        'let' may become a keyword in ES6.  We're going to try experimentally reserving it,
        to see if this breaks the web.

        * parser/Keywords.table:

2012-01-27  Gavin Barraclough  <barraclough@apple.com>

        Implement a JIT-code aware sampling profiler for JSC
        https://bugs.webkit.org/show_bug.cgi?id=76855

        Reviewed by Oliver Hunt.

        To enable the profiler, set the JSC_CODE_PROFILING environment variable to
        1 (no tracing the C stack), 2 (trace one level of C code) or 3 (recursively
        trace all samples).

        The profiler requires -fomit-frame-pointer to be removed from the build flags.

        * JavaScriptCore.exp:
            - Removed an export.
        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added new files
        * bytecode/CodeBlock.cpp:
            - For baseline codeblocks, cache the result of canCompileWithDFG.
        * bytecode/CodeBlock.h:
            - For baseline codeblocks, cache the result of canCompileWithDFG.
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
            - Notify the profiler when the allocator is created.
        (JSC::ExecutableAllocator::allocate):
            - Inform the allocated of the ownerUID.
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
            - Notify the profiler when the allocator is created.
        (JSC::ExecutableAllocator::allocate):
            - Inform the allocated of the ownerUID.
        * jit/JITStubs.cpp:
            - If profiling, don't mask the return address in JIT code.
              (We do so to provide nicer backtraces in debug builds).
        * runtime/Completion.cpp:
        (JSC::evaluate):
            - Notify the profiler of script evaluations.
        * tools: Added.
        * tools/CodeProfile.cpp: Added.
        (JSC::symbolName):
            - Helper function to get the name of a symbol in the framework.
        (JSC::truncateTrace):
            - Helper to truncate traces into methods know to have uninformatively deep stacks.
        (JSC::CodeProfile::sample):
            - Record a stack trace classifying samples.
        (JSC::CodeProfile::report):
            - {Print profiler output.
        * tools/CodeProfile.h: Added.
            - new class, captures a set of samples associated with an evaluated script,
              and nested to record samples from subscripts.
        * tools/CodeProfiling.cpp: Added.
        (JSC::CodeProfiling::profilingTimer):
            - callback fired then a timer event occurs.
        (JSC::CodeProfiling::notifyAllocator):
            - called when the executable allocator is constructed.
        (JSC::CodeProfiling::getOwnerUIDForPC):
            - helper to lookup the codeblock from an address in JIT code
        (JSC::CodeProfiling::begin):
            - enter a profiling scope.
        (JSC::CodeProfiling::end):
            - exit a profiling scope.
        * tools/CodeProfiling.h: Added.
            - new class, instantialed from Completion to define a profiling scope.
        * tools/ProfileTreeNode.h: Added.
            - new class, used to construct a tree of samples.
        * tools/TieredMMapArray.h: Added.
            - new class, a malloc-free vector (can be used while the main thread is suspended,
              possibly holding the malloc heap lock).
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocatorHandle::MetaAllocatorHandle):
        (WTF::MetaAllocator::allocate):
            - Allow allocation handles to track information about their owner.
        * wtf/MetaAllocator.h:
        (MetaAllocator):
            - Allow allocation handles to track information about their owner.
        * wtf/MetaAllocatorHandle.h:
        (MetaAllocatorHandle):
        (WTF::MetaAllocatorHandle::ownerUID):
            - Allow allocation handles to track information about their owner.
        * wtf/OSAllocator.h:
        (WTF::OSAllocator::reallocateCommitted):
            - reallocate an existing, committed memory allocation.

2012-01-28  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r106187.
        http://trac.webkit.org/changeset/106187
        https://bugs.webkit.org/show_bug.cgi?id=77276

        The last rollout was a false charge. (Requested by morrita on
        #webkit).

        * runtime/ExceptionHelpers.h:
        (InterruptedExecutionError):
        * runtime/JSBoundFunction.h:
        (JSBoundFunction):
        * runtime/RegExp.h:
        (RegExp):
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):

2012-01-28  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r106151.
        http://trac.webkit.org/changeset/106151
        https://bugs.webkit.org/show_bug.cgi?id=77275

        may break windows build (Requested by morrita on #webkit).

        * runtime/ExceptionHelpers.h:
        (InterruptedExecutionError):
        * runtime/JSBoundFunction.h:
        (JSBoundFunction):
        * runtime/RegExp.h:
        (RegExp):
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):

2012-01-28  Filip Pizlo  <fpizlo@apple.com>

        GC invoked while doing an old JIT property storage reallocation may lead
        to an object that refers to a dead structure
        https://bugs.webkit.org/show_bug.cgi?id=77273
        <rdar://problem/10770565>

        Reviewed by Gavin Barraclough.
        
        The put_by_id transition was already saving the old structure by virtue of
        having the object on the stack, so that wasn't going to get deleted. But the
        new structure was unprotected in the transition. I've now changed the
        transition code to save the new structure, ensuring that the GC will know it
        to be marked if invoked from within put_by_id_transition_realloc.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        (JSC):
        ():

2012-01-27  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r106167.
        http://trac.webkit.org/changeset/106167
        https://bugs.webkit.org/show_bug.cgi?id=77264

        broke LayoutTests/fast/js/string-capitalization.html
        (Requested by msaboff on #webkit).

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::upper):

2012-01-27  Filip Pizlo  <fpizlo@apple.com>

        Build fix for interpreter platforms.

        * interpreter/AbstractPC.cpp:
        (JSC::AbstractPC::AbstractPC):

2012-01-27  Michael Saboff  <msaboff@apple.com>

        StringProtoFuncToUpperCase should call StringImpl::upper similar to StringProtoToLowerCase
        https://bugs.webkit.org/show_bug.cgi?id=76647

        Reviewed by Geoffrey Garen.

        Changed stringProtoFuncToUpperCase to call StringImpl::upper() is a manor similar
        to stringProtoFuncToLowerCase().  Fixed StringImpl::upper() to handle the two
        8 bit characters that when converted to upper case become 16 bit characters.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncToLowerCase): Removed extra trailing whitespace.
        (JSC::stringProtoFuncToUpperCase):
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::upper):

2012-01-27  Hajime Morita  <morrita@google.com>

        [JSC] ThunkGenerators.cpp should hide its asm-defined symbols
        https://bugs.webkit.org/show_bug.cgi?id=77244

        Reviewed by Filip Pizlo.

        * jit/ThunkGenerators.cpp: Added HIDE_SYMBOLS()
        * wtf/InlineASM.h: Moved some duplicated macros from ThunkGenerators.cpp

2012-01-27  Simon Hausmann  <simon.hausmann@nokia.com>

        [JSC] Asm-originated symbols should be marked as hidden
        https://bugs.webkit.org/show_bug.cgi?id=77150

        Reviewed by Filip Pizlo.

        * dfg/DFGOperations.cpp: The HIDE_SYMBOLS macros were present in the CPU(ARM) preprocessor branches,
        but they were missing in the CPU(X86) and the CPU(X86_64) cases.

2012-01-27  MORITA Hajime  <morrita@google.com>

        [JSC] Some JS_EXPORTDATA may not be necessary.
        https://bugs.webkit.org/show_bug.cgi?id=77145

        Reviewed by Darin Adler.

        Removed JS_EXPORTDATA attributes whose attributing symbols are
        not exported on Mac port.
        
        * runtime/ExceptionHelpers.h:
        (InterruptedExecutionError):
        * runtime/JSBoundFunction.h:
        (JSBoundFunction):
        * runtime/RegExp.h:
        (RegExp):
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):

2012-01-27  MORITA Hajime  <morrita@google.com>

        [WTF] WTFString.h has some extra JS_EXPORT_PRIVATEs
        https://bugs.webkit.org/show_bug.cgi?id=77113

        Reviewed by Darin Adler.

        * wtf/text/WTFString.h: Removed some WTF_EXPORT_PRIVATE attributes which we don't need to export.

2012-01-27  Zeno Albisser  <zeno@webkit.org>

        [Qt][Mac] Build fails after adding ICU support (r105997).
        https://bugs.webkit.org/show_bug.cgi?id=77118

        Use Apple code path for unicode date formats on mac.

        Reviewed by Tor Arne Vestbø.

        * runtime/DatePrototype.cpp:
        ():

2012-01-27  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Add a GKeyFile especialization to GOwnPtr
        https://bugs.webkit.org/show_bug.cgi?id=77191

        Reviewed by Martin Robinson.

        * wtf/gobject/GOwnPtr.cpp:
        (WTF::GKeyFile): Implement freeOwnedGPtr for GKeyFile.
        * wtf/gobject/GOwnPtr.h: Add GKeyFile template.
        * wtf/gobject/GTypedefs.h: Add forward declaration for GKeyFile.

2012-01-25  Yury Semikhatsky  <yurys@chromium.org>

        Web Inspector: should be possible to open function declaration from script popover
        https://bugs.webkit.org/show_bug.cgi?id=76913

        Added display function name and source location to the popover in scripts panel.
        Now when a function is hovered user can navigate to its definition.

        Reviewed by Pavel Feldman.

        * JavaScriptCore/JavaScriptCore.exp
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSFunction.h:
        (JSFunction):

2012-01-26  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Build fix, wx uses the Mac ICU headers so we must match Mac behavior.
        
        * runtime/DatePrototype.cpp:
        ():

2012-01-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge AllocationSpace into MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=77116

        Reviewed by Geoffrey Garen.

        Merging AllocationSpace and MarkedSpace in preparation for future refactoring/enhancement to 
        MarkedSpace allocation.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/AllocationSpace.cpp: Removed.
        * heap/AllocationSpace.h: Removed.
        * heap/BumpSpace.h:
        (BumpSpace):
        * heap/Heap.h:
        (JSC::Heap::objectSpace):
        (Heap):
        ():
        * heap/HeapBlock.h:
        ():
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::tryAllocateHelper):
        (JSC):
        (JSC::MarkedSpace::tryAllocate):
        (JSC::MarkedSpace::allocateSlowCase):
        (JSC::MarkedSpace::allocateBlock):
        (JSC::MarkedSpace::freeBlocks):
        (TakeIfUnmarked):
        (JSC::TakeIfUnmarked::TakeIfUnmarked):
        (JSC::TakeIfUnmarked::operator()):
        (JSC::TakeIfUnmarked::returnValue):
        (JSC::MarkedSpace::shrink):
        (GatherDirtyCells):
        (JSC::GatherDirtyCells::returnValue):
        (JSC::GatherDirtyCells::GatherDirtyCells):
        (JSC::GatherDirtyCells::operator()):
        (JSC::MarkedSpace::gatherDirtyCells):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC::MarkedSpace::blocks):
        (JSC::MarkedSpace::forEachCell):
        (JSC):
        (JSC::MarkedSpace::allocate):

2012-01-26  Oliver Hunt  <oliver@apple.com>

        MSVC bug fix.
        <rdar://problem/10703671> MSVC generates bad code for enum compare.

        RS=Geoff

        Make bitfield large enough to work around MSVC's desire to make enums
        signed types.

        * bytecode/CallLinkInfo.h:
        (CallLinkInfo):

2012-01-26  Filip Pizlo  <fpizlo@apple.com>

        All DFG helpers that may call out to arbitrary JS code must know where they
        were called from due to inlining and call stack walking
        https://bugs.webkit.org/show_bug.cgi?id=77070
        <rdar://problem/10750834>

        Reviewed by Geoff Garen.
        
        Changed the DFG to always record a code origin index in the tag of the argument
        count (which we previously left blank for the benefit of LLInt, but is still
        otherwise unused by the DFG), so that if we ever need to walk the stack accurately
        we know where to start. In particular, if the current ExecState* points several
        semantic call frames away from the true semantic call frame because we had
        performed inlining, having the code origin index recorded means that we can reify
        those call frames as necessary to give runtime/library code an accurate view of
        the current JS state.
        
        This required several large but mechanical changes:
        
        - Calling a function from the DFG now plants a store32 instruction to store the
          code origin index. But the indices of code origins were previously picked by
          the DFG::JITCompiler after code generation completed. I changed this somewhat;
          even though the code origins are put into the CodeBlock after code gen, the
          code gen now knows a priori what their indices will be. Extensive assertions
          are in place to ensure that the two don't get out of sync, in the form of the
          DFG::CallBeginToken. Note that this mechanism has almost no effect on JS calls;
          those don't need the code origin index set in the call frame because we can get
          it by doing a binary search on the return PC.

        - Stack walking now always calls trueCallFrame() first before beginning the walk,
          since even the top call frame may be wrong. It still calls trueCallerFrame() as
          before to get to the next frame, though trueCallerFrame() is now mostly a
          wrapper around callerFrame()->trueCallFrame().
          
        - Because the mechanism for getting the code origin of a call frame is bimodal
          (either the call frame knows its code origin because the code origin index was
          set, or it's necessary to use the callee frame's return PC), I put in extra
          mechanisms to determine whether your caller, or your callee, corresponds to
          a call out of C++ code. Previously we just had the host call flag, but this is
          insufficient as it does not cover the case of someone calling JSC::call(). But
          luckily we can determine this just by looking at the return PC: if the return
          PC is in range of the ctiTrampiline, then two things are true: this call
          frame's PC will tell you nothing about where you came from in your caller, and
          the caller already knows where it's at because it must have set the code origin
          index (unless it's not DFG code, in which case we don't care because there is
          no inlining to worry about).
          
        - During testing this revealed a simple off-by-one goof in DFG::ByteCodeParser's
          inlining code, so I fixed it.

        - Finally because I was tired of doing random #if's for checking if I should be
          passing around an Instruction* or a ReturnAddressPtr, I created a class called
          AbstractPC that holds whatever notion of a PC is appropriate for the current
          execution environment. It's designed to work gracefully even if both the
          interpreter and the JIT are compiled in, and should integrate nicely with the
          LLInt.
          
        This is neutral on all benchmarks and fixes some nasty corner-case regressions of
        evil code that uses combinations of getters/setters and function.arguments.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::codeOrigin):
        (CodeBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (CallBeginToken):
        (JSC::DFG::CallBeginToken::CallBeginToken):
        (JSC::DFG::CallBeginToken::assertCodeOriginIndex):
        (JSC::DFG::CallBeginToken::assertNoCodeOriginIndex):
        (DFG):
        (JSC::DFG::CallExceptionRecord::CallExceptionRecord):
        (CallExceptionRecord):
        (JSC::DFG::JITCompiler::JITCompiler):
        (JITCompiler):
        (JSC::DFG::JITCompiler::nextCallBeginToken):
        (JSC::DFG::JITCompiler::beginCall):
        (JSC::DFG::JITCompiler::notifyCall):
        (JSC::DFG::JITCompiler::addExceptionCheck):
        (JSC::DFG::JITCompiler::addFastExceptionCheck):
        * dfg/DFGOperations.cpp:
        ():
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * interpreter/AbstractPC.cpp: Added.
        (JSC):
        (JSC::AbstractPC::AbstractPC):
        * interpreter/AbstractPC.h: Added.
        (JSC):
        (AbstractPC):
        (JSC::AbstractPC::AbstractPC):
        (JSC::AbstractPC::hasJITReturnAddress):
        (JSC::AbstractPC::jitReturnAddress):
        (JSC::AbstractPC::hasInterpreterReturnAddress):
        (JSC::AbstractPC::interpreterReturnAddress):
        (JSC::AbstractPC::isSet):
        (JSC::AbstractPC::operator!):
        ():
        * interpreter/CallFrame.cpp:
        (JSC):
        (JSC::CallFrame::trueCallFrame):
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::abstractReturnPC):
        (JSC::ExecState::codeOriginIndexForDFGWithInlining):
        (ExecState):
        (JSC::ExecState::trueCallFrame):
        (JSC::ExecState::trueCallFrameFromVMCode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::retrieveArgumentsFromVMCode):
        (JSC::Interpreter::retrieveCallerFromVMCode):
        (JSC::Interpreter::findFunctionCallFrameFromVMCode):
        * interpreter/Interpreter.h:
        (Interpreter):
        ():
        * jit/JITStubs.cpp:
        (JSC):
        ():
        * jit/JITStubs.h:
        (JSC):
        (JSC::returnAddressIsInCtiTrampoline):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertyDescriptor):

2012-01-26  Peter Varga  <pvarga@webkit.org>

        Fix build when VERBOSE_SPECULATION_FAILURE is enabled in DFG
        https://bugs.webkit.org/show_bug.cgi?id=77104

        Reviewed by Filip Pizlo.

        * dfg/DFGOperations.cpp:
        ():

2012-01-26  Michael Saboff  <msaboff@apple.com>

        String::latin1() should take advantage of 8 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=76646

        Reviewed by Geoffrey Garen.

        * wtf/text/WTFString.cpp:
        (WTF::String::latin1): For 8 bit strings, use existing buffer
        without conversion.

2012-01-26  Michael Saboff  <msaboff@apple.com>

        Dromaeo tests usage of StringImpl find routines cause 8->16 bit conversions
        https://bugs.webkit.org/show_bug.cgi?id=76645

        Reviewed by Geoffrey Garen.

        * wtf/text/StringImpl.cpp:
        (WTF::equalIgnoringCase): New LChar version.
        (WTF::findInner): New helper function.
        (WTF::StringImpl::find): Added 8 bit path.
        (WTF::reverseFindInner): New helper funciton.
        (WTF::StringImpl::reverseFind): Added 8 bit path.
        (WTF::StringImpl::reverseFindIgnoringCase): Added 8 bit path.
        * wtf/text/StringImpl.h:
        (WTF):

2012-01-26  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt][Win] One more speculative buildfix after r105970.

        * JavaScriptCore.pri:

2012-01-26  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt][Win] Speculative buildfix after r105970.

        * JavaScriptCore.pri: Link lgdi for DeleteObject() and DeleteDC().

2012-01-26  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r105982.
        http://trac.webkit.org/changeset/105982
        https://bugs.webkit.org/show_bug.cgi?id=77090

        breaks the world (Requested by WildFox on #webkit).

        * wtf/MainThread.cpp:
        (WTF):
        * wtf/Platform.h:
        * wtf/mac/MainThreadMac.mm:
        (WTF):
        (WTF::registerGCThread):
        (WTF::isMainThreadOrGCThread):

2012-01-26  Roland Takacs  <takacs.roland@stud.u-szeged.hu>

        [Qt] GC should be parallel on Qt platform
        https://bugs.webkit.org/show_bug.cgi?id=73309

        Reviewed by Zoltan Herczeg.

        These changes made the parallel gc feature available for Qt port.
        The implementation of "registerGCThread" and "isMainThreadOrGCThread"
        is moved from MainThreadMac.mm to the common MainThread.cpp to make
        them available for other platforms.

        Measurement results:
        V8           speed-up:  1.071x as fast  [From: 746.1ms  To: 696.4ms ]
        WindScorpion speed-up:  1.082x as fast  [From: 3490.4ms To: 3226.7ms]
        V8 Splay     speed-up:  1.158x as fast  [From: 145.8ms  To: 125.9ms ]

        Tested on Intel(R) Core(TM) i5-2320 CPU @ 3.00GHz with 4-core.

        * wtf/MainThread.cpp:
        (WTF):
        (WTF::registerGCThread):
        (WTF::isMainThreadOrGCThread):
        * wtf/Platform.h:
        * wtf/mac/MainThreadMac.mm:

2012-01-26  Andy Estes  <aestes@apple.com>

        REGRESSION (r105555): Incorrect use of OS() macro breaks OwnPtr when used with Win32 data types
        https://bugs.webkit.org/show_bug.cgi?id=77073

        Reviewed by Ryosuke Niwa.
        
        r105555 changed PLATFORM(WIN) to OS(WIN), but WTF_OS_WIN isn't defined.
        This should have been changed to OS(WINDOWS). This causes the
        preprocessor to strip out Win32 data type overrides for deleteOwnedPtr,
        causing allocations made by Win32 to be deleted by fastmalloc.

        * wtf/OwnPtrCommon.h:
        (WTF): Use OS(WINDOWS) instead of OS(WIN).

2012-01-25  Mark Rowe  <mrowe@apple.com>

        Attempted Mac build fix after r105939.

        * runtime/DatePrototype.cpp: Don't #include unicode/udat.h on Mac or iOS.
        It isn't used on these platforms and isn't available in the ICU headers
        for Mac.

2012-01-25  Mark Rowe  <mrowe@apple.com>

        Build in to an alternate location when USE_STAGING_INSTALL_PATH is set.

        <rdar://problem/10609417> Adopt USE_STAGING_INSTALL_PATH

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig: Define NORMAL_JAVASCRIPTCORE_FRAMEWORKS_DIR, which contains
        the path where JavaScriptCore is normally installed. Update JAVASCRIPTCORE_FRAMEWORKS_DIR
        to point to the staged frameworks directory when USE_STAGING_INSTALL_PATH is set.
        * Configurations/JavaScriptCore.xcconfig: Always set the framework's install name based on
        the normal framework location. This prevents an incorrect install name from being used when
        installing in to the staged frameworks directory.

2012-01-25  Eli Fidler  <efidler@rim.com>

        Implement Date.toLocaleString() using ICU
        https://bugs.webkit.org/show_bug.cgi?id=76714

        Reviewed by Darin Adler.

        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):

2012-01-25  Hajime Morita  <morrita@google.com>

        ENABLE_SHADOW_DOM should be available via build-webkit --shadow-dom
        https://bugs.webkit.org/show_bug.cgi?id=76863

        Reviewed by Dimitri Glazkov.

        Added a feature flag.

        * Configurations/FeatureDefines.xcconfig:

2012-01-25  Yong Li  <yoli@rim.com>

        [BlackBerry] Implement OSAllocator::commit/decommit.
        BlackBerry port should support virtual memory decommiting.
        https://bugs.webkit.org/show_bug.cgi?id=77013

        Reviewed by Rob Buis.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):
        * wtf/Platform.h:

2012-01-24  Oliver Hunt  <oliver@apple.com>

        Make DFG update topCallFrame
        https://bugs.webkit.org/show_bug.cgi?id=76969

        Reviewed by Filip Pizlo.

        Add NativeCallFrameTracer to manage topCallFrame assignment
        in the DFG operations, and make use of it.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        ():
        * interpreter/Interpreter.h:
        (JSC):
        (NativeCallFrameTracer):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):

2012-01-24  Filip Pizlo  <fpizlo@apple.com>

        Inlining breaks call frame walking when the walking is done from outside the inlinee,
        but inside a code block that had inlining
        https://bugs.webkit.org/show_bug.cgi?id=76978
        <rdar://problem/10720904>

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::codeOriginForReturn):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallerFrame):

2012-01-24  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=76855
        Implement a JIT-code aware sampling profiler for JSC

        Reviewed by Oliver Hunt.

        Add support to MetaAllocator.cpp to track all live handles in a map,
        allowing lookup based on any address within the allocation.

        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocatorTracker::notify):
        (WTF::MetaAllocatorTracker::release):
            - Track live handle objects in a map.
        (WTF::MetaAllocator::release):
            - Removed support for handles with null m_allocator (no longer used).
            - Notify the tracker of handles being released.
        (WTF::MetaAllocatorHandle::~MetaAllocatorHandle):
            - Moved functionality out into MetaAllocator::release.
        (WTF::MetaAllocatorHandle::shrink):
            - Removed support for handles with null m_allocator (no longer used).
        (WTF::MetaAllocator::MetaAllocator):
            - Initialize m_tracker.
        (WTF::MetaAllocator::allocate):
            - Notify the tracker of new allocations.
        * wtf/MetaAllocator.h:
        (WTF::MetaAllocatorTracker::find):
            - Lookup a MetaAllocatorHandle based on an address inside the allocation.
        (WTF::MetaAllocator::trackAllocations):
            - Register a callback object to track allocation state.
        * wtf/MetaAllocatorHandle.h:
            - Remove unused createSelfManagedHandle/constructor.
        (WTF::MetaAllocatorHandle::key):
            - Added, for use in RedBlackTree.

2012-01-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use copying collector for out-of-line JSObject property storage
        https://bugs.webkit.org/show_bug.cgi?id=76665

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren): Changed to use copyAndAppend whenever the property storage is out-of-line.
        Also added a temporary variable to avoid warnings from GCC.
        (JSC::JSObject::allocatePropertyStorage): Changed to use tryAllocateStorage/tryReallocateStorage as opposed to 
        operator new. Also added a temporary variable to avoid warnings from GCC.
        * runtime/JSObject.h:

2012-01-24  Geoffrey Garen  <ggaren@apple.com>

        JSValue::toString() should return a JSString* instead of a UString
        https://bugs.webkit.org/show_bug.cgi?id=76861

        Fixed two failing layout tests after my last patch.

        Reviewed by Gavin Barraclough.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort): Call value() after calling toString(), as
        in all other cases.
        
        I missed this case because the JSString* type has a valid operator<,
        so the compiler didn't complain.

2012-01-24  Kenichi Ishibashi  <bashi@chromium.org>

        [V8] Add Uint8ClampedArray support
        https://bugs.webkit.org/show_bug.cgi?id=76803

        Reviewed by Kenneth Russell.

        * wtf/ArrayBufferView.h:
        (WTF::ArrayBufferView::isUnsignedByteClampedArray): Added.
        * wtf/Uint8ClampedArray.h:
        (WTF::Uint8ClampedArray::isUnsignedByteClampedArray): Overridden to return true.

2012-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Add WebKitDownload to WebKit2 GTK+ API
        https://bugs.webkit.org/show_bug.cgi?id=72949

        Reviewed by Martin Robinson.

        * wtf/gobject/GOwnPtr.cpp:
        (WTF::GTimer): Use g_timer_destroy() to free a GTimer.
        * wtf/gobject/GOwnPtr.h: Add GTimer template.
        * wtf/gobject/GTypedefs.h: Add GTimer forward declaration.

2012-01-24  Ilya Tikhonovsky  <loislo@chromium.org>

        Unreviewed build fix for Qt LinuxSH4 build after r105698.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2012-01-23  Geoffrey Garen  <ggaren@apple.com>

        JSValue::toString() should return a JSString* instead of a UString
        https://bugs.webkit.org/show_bug.cgi?id=76861

        Reviewed by Gavin Barraclough.
        
        This makes the common case -- toString() on a string -- faster and
        inline-able. (Not a measureable speedup, but we can now remove a bunch
        of duplicate hand-rolled code for this optimization.)
        
        This also clarifies the boundary between "C++ strings" and "JS strings".
        
        In all cases other than true, false, null, undefined, and multi-digit
        numbers, the JS runtime was just retrieving a UString from a JSString,
        so returning a JSString* is strictly better. In the other cases, we can
        optimize to avoid creating a new JSString if we care to, but it doesn't
        seem to be a big deal.

        * JavaScriptCore.exp: Export!
        
        * jsc.cpp:
        (functionPrint):
        (functionDebug):
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        (runWithScripts):
        (runInteractive):
        * API/JSValueRef.cpp:
        (JSValueToStringCopy):
        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString): Call value() after calling toString(), to
        convert from "JS string" (JSString*) to "C++ string" (UString), since
        toString() no longer returns a "C++ string".

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationValueAddNotNumber):
        * jit/JITStubs.cpp:
        (op_add): Updated for removal of toPrimitiveString():
        all '+' operands can use toString(), except for object operands, which
        need to take a slow path to call toPrimitive().

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPush):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/DateConstructor.cpp:
        (JSC::dateParse):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate): Call value() after calling toString(), as above.

        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create): Simplified down to one canonical create()
        function, to make string handling easier.

        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createInvalidParamError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sort): Call value() after calling toString(), as above.

        * runtime/JSCell.cpp:
        * runtime/JSCell.h: Removed JSCell::toString() because JSValue does this
        job now. Doing it in JSCell is slower (requires extra type checking), and
        creates the misimpression that language-defined toString() behavior is
        an implementation detail of JSCell.
        
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncEval):
        (JSC::globalFuncParseInt):
        (JSC::globalFuncParseFloat):
        (JSC::globalFuncEscape):
        (JSC::globalFuncUnescape): Call value() after calling toString(), as above.

        * runtime/JSONObject.cpp:
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::JSONProtoFuncParse): Removed some manual optimization that toString()
        takes care of.

        * runtime/JSObject.cpp:
        (JSC::JSObject::toString):
        * runtime/JSObject.h: Updated to return JSString*.

        * runtime/JSString.cpp:
        * runtime/JSString.h:
        (JSC::JSValue::toString): Removed, since I removed JSCell::toString().

        * runtime/JSValue.cpp:
        (JSC::JSValue::toStringSlowCase): Removed toPrimitiveString(), and re-
        spawned toStringSlowCase() from its zombie corpse, since toPrimitiveString()
        basically did what we want all the time. (Note that the toPrimitive()
        preference changes from NoPreference to PreferString, because that's
        how ToString is defined in the language. op_add does not want this behavior.)

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString): A little simpler, now that toString()
        returns a JSString*.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable): More calls to value(), as above.

        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase): Need to check for object before taking the toString()
        fast path becuase adding an object to a string requires calling toPrimitive()
        on the object, not toString(). (They differ in their preferred conversion
        type.)

        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromArguments): This code gets simpler, now that toString()
        does the right thing.

        (JSC::jsAdd): Now checks for object, just like jsAddSlowCase().

        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorInput):
        (JSC::constructRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString): More calls to value(), as above.

        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        (JSC::callStringConstructor): This code gets simpler, now that toString()
        does the right thing.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSplit):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::trimString): Some of this code gets simpler, now that toString()
        does the right thing. More calls to value(), as above.

2012-01-23  Luke Macpherson   <macpherson@chromium.org>

        Unreviewed, rolling out r105676.
        http://trac.webkit.org/changeset/105676
        https://bugs.webkit.org/show_bug.cgi?id=76665

        Breaks build on max due to compile warnings.

        * runtime/JSObject.cpp:
        (JSC::JSObject::finalize):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:

2012-01-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use copying collector for out-of-line JSObject property storage
        https://bugs.webkit.org/show_bug.cgi?id=76665

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren): Changed to use copyAndAppend whenever the property storage is out-of-line.
        (JSC::JSObject::allocatePropertyStorage): Changed to use tryAllocateStorage/tryReallocateStorage as opposed to 
        operator new.
        * runtime/JSObject.h:

2012-01-23  Brian Weinstein  <bweinstein@apple.com>

        More build fixing after r105646.

        * JavaScriptCore.exp:

2012-01-23  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=76855
        Implement a JIT-code aware sampling profiler for JSC

        Reviewed by Geoff Garen.

        Step 2: generalize RedBlackTree. The profiler is going to want tio use
        a RedBlackTree, allow this class to work with subclasses of
        RedBlackTree::Node, Node should not need to know the names of the m_key
        and m_value fields (the subclass can provide a key() accessor), and
        RedBlackTree does not need to know anything about ValueType.

        * JavaScriptCore.exp:
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::findAndRemoveFreeSpace):
        (WTF::MetaAllocator::debugFreeSpaceSize):
        (WTF::MetaAllocator::addFreeSpace):
        * wtf/MetaAllocator.h:
        (WTF::MetaAllocator::FreeSpaceNode::FreeSpaceNode):
        (WTF::MetaAllocator::FreeSpaceNode::key):
        * wtf/MetaAllocatorHandle.h:
        (WTF::MetaAllocatorHandle::key):
        * wtf/RedBlackTree.h:
        (WTF::RedBlackTree::Node::successor):
        (WTF::RedBlackTree::Node::predecessor):
        (WTF::RedBlackTree::Node::parent):
        (WTF::RedBlackTree::Node::setParent):
        (WTF::RedBlackTree::Node::left):
        (WTF::RedBlackTree::Node::setLeft):
        (WTF::RedBlackTree::Node::right):
        (WTF::RedBlackTree::Node::setRight):
        (WTF::RedBlackTree::insert):
        (WTF::RedBlackTree::remove):
        (WTF::RedBlackTree::findExact):
        (WTF::RedBlackTree::findLeastGreaterThanOrEqual):
        (WTF::RedBlackTree::findGreatestLessThanOrEqual):
        (WTF::RedBlackTree::first):
        (WTF::RedBlackTree::last):
        (WTF::RedBlackTree::size):
        (WTF::RedBlackTree::treeMinimum):
        (WTF::RedBlackTree::treeMaximum):
        (WTF::RedBlackTree::treeInsert):
        (WTF::RedBlackTree::leftRotate):
        (WTF::RedBlackTree::rightRotate):
        (WTF::RedBlackTree::removeFixup):

2012-01-23  Andy Estes  <aestes@apple.com>

        Fix the build after r105635.

        * JavaScriptCore.exp:

2012-01-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove StackBounds from JSGlobalData
        https://bugs.webkit.org/show_bug.cgi?id=76310

        Reviewed by Sam Weinig.

        Removed StackBounds and the stack() function from JSGlobalData since it no 
        longer accessed any members of JSGlobalData.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::gatherFromCurrentThread):
        * parser/Parser.cpp:
        (JSC::::Parser):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:

2012-01-23  Gavin Barraclough  <barraclough@apple.com>

        Implement a JIT-code aware sampling profiler for JSC
        https://bugs.webkit.org/show_bug.cgi?id=76855

        Rubber stanmped by Geoff Garen.

        Mechanical change - pass CodeBlock through to the executable allocator,
        such that we will be able to map ranges of JIT code back to their owner.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::executableCopy):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::linkCode):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITStubs.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2012-01-23  Xianzhu Wang  <wangxianzhu@chromium.org>

        Basic enhancements to StringBuilder
        https://bugs.webkit.org/show_bug.cgi?id=67081

        This change contains the following enhancements to StringBuilder,
        for convenience, performance, testability, etc.:
        - Change toStringPreserveCapacity() to const
        - new public methods: capacity(), swap(), toAtomicString(), canShrink()
          and append(const StringBuilder&)
        - == and != opearators to compare StringBuilders and a StringBuilder/String

        Unit tests: Tools/TestWebKitAPI/Tests/WTF/StringBuilder.cpp

        Reviewed by Darin Adler.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/AtomicString.cpp:
        (WTF::SubstringTranslator::hash):
        (WTF::SubstringTranslator::equal):
        (WTF::SubstringTranslator::translate):
        (WTF::AtomicString::add):
        (WTF::AtomicString::addSlowCase):
        * wtf/text/AtomicString.h:
        (WTF::AtomicString::AtomicString):
        (WTF::AtomicString::add):
        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::reifyString):
        (WTF::StringBuilder::resize):
        (WTF::StringBuilder::canShrink):
        (WTF::StringBuilder::shrinkToFit):
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::append):
        (WTF::StringBuilder::toString):
        (WTF::StringBuilder::toStringPreserveCapacity):
        (WTF::StringBuilder::toAtomicString):
        (WTF::StringBuilder::isEmpty):
        (WTF::StringBuilder::capacity):
        (WTF::StringBuilder::is8Bit):
        (WTF::StringBuilder::swap):
        (WTF::equal):
        (WTF::operator==):
        (WTF::operator!=):
        * wtf/text/StringImpl.h:

2012-01-23  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files, remove deleted files and
        fix indentation.

2012-01-22  Filip Pizlo  <fpizlo@apple.com>

        Build fix for non-DFG platforms that error out on warn-unused-parameter.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/MethodCallLinkStatus.cpp:
        (JSC::MethodCallLinkStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):

2012-01-22  Filip Pizlo  <fpizlo@apple.com>

        Build fix for non-DFG platforms.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/MethodCallLinkStatus.cpp:
        (JSC::MethodCallLinkStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):

2012-01-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should not have code that directly decodes the states of old JIT inline
        cache data structures
        https://bugs.webkit.org/show_bug.cgi?id=76768

        Reviewed by Sam Weinig.
        
        Introduced new classes (like GetByIdStatus) that encapsulate the set of things
        that the DFG would like to know about property accesses and calls. Whereas it
        previously got this information by directly decoding the data structures used
        by the old JIT for inline caching, it now uses these classes, which do the work
        for it. This should make it somewhat more straight forward to introduce new
        ways of profiling the same information.
        
        Also hoisted StructureSet into bytecode/ from dfg/, because it's now used by
        code in bytecode/.
        
        Making this work right involved carefully ensuring that the heuristics for
        choosing how to handle property accesses was at least as good as what we had
        before, since I completely restructured that code. Currently the performance
        looks neutral. Since I rewrote the code I did change some things that I never
        liked before, like previously if a put_bu_id had executed exactly once then
        we'd compile it as if it had taken slow-path. Executing once is special because
        then the inline cache is not baked in, so there is no information about how the
        DFG should optimize the code. Now this is rationalized: if the put_by_id does
        not offer enough information to be optimized (i.e. had executed 0 or 1 times)
        then we turn it into a forced OSR exit (i.e. a patch point). However, get_by_id
        still has the old behavior; I left it that way because I didn't want to make
        too many changes at once.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CallLinkStatus.cpp: Added.
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CallLinkStatus.h: Added.
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::operator!):
        (JSC::CallLinkStatus::couldTakeSlowPath):
        (JSC::CallLinkStatus::callTarget):
        * bytecode/GetByIdStatus.cpp: Added.
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h: Added.
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::state):
        (JSC::GetByIdStatus::isSet):
        (JSC::GetByIdStatus::operator!):
        (JSC::GetByIdStatus::isSimpleDirect):
        (JSC::GetByIdStatus::takesSlowPath):
        (JSC::GetByIdStatus::makesCalls):
        (JSC::GetByIdStatus::structureSet):
        (JSC::GetByIdStatus::offset):
        * bytecode/MethodCallLinkStatus.cpp: Added.
        (JSC::MethodCallLinkStatus::computeFor):
        * bytecode/MethodCallLinkStatus.h: Added.
        (JSC::MethodCallLinkStatus::MethodCallLinkStatus):
        (JSC::MethodCallLinkStatus::isSet):
        (JSC::MethodCallLinkStatus::operator!):
        (JSC::MethodCallLinkStatus::needsPrototypeCheck):
        (JSC::MethodCallLinkStatus::structure):
        (JSC::MethodCallLinkStatus::prototypeStructure):
        (JSC::MethodCallLinkStatus::function):
        (JSC::MethodCallLinkStatus::prototype):
        * bytecode/PutByIdStatus.cpp: Added.
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h: Added.
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::state):
        (JSC::PutByIdStatus::isSet):
        (JSC::PutByIdStatus::operator!):
        (JSC::PutByIdStatus::isSimpleReplace):
        (JSC::PutByIdStatus::isSimpleTransition):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::oldStructure):
        (JSC::PutByIdStatus::newStructure):
        (JSC::PutByIdStatus::structureChain):
        (JSC::PutByIdStatus::offset):
        * bytecode/StructureSet.h: Added.
        (JSC::StructureSet::StructureSet):
        (JSC::StructureSet::clear):
        (JSC::StructureSet::add):
        (JSC::StructureSet::addAll):
        (JSC::StructureSet::remove):
        (JSC::StructureSet::contains):
        (JSC::StructureSet::isSubsetOf):
        (JSC::StructureSet::isSupersetOf):
        (JSC::StructureSet::size):
        (JSC::StructureSet::at):
        (JSC::StructureSet::operator[]):
        (JSC::StructureSet::last):
        (JSC::StructureSet::predictionFromStructures):
        (JSC::StructureSet::operator==):
        (JSC::StructureSet::dump):
        * dfg/DFGAbstractValue.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGStructureSet.h: Removed.

2012-01-20  Filip Pizlo  <fpizlo@apple.com>

        JIT compilation should not require ExecState
        https://bugs.webkit.org/show_bug.cgi?id=76729
        <rdar://problem/10731545>

        Reviewed by Gavin Barraclough.
        
        Changed the relevant JIT driver functions to take JSGlobalData& instead of
        ExecState*, since really they just needed the global data.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2012-01-20  David Levin  <levin@chromium.org>

        Make OwnPtr<HDC> work for the Chromium Windows port.
        https://bugs.webkit.org/show_bug.cgi?id=76738

        Reviewed by Jian Li.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: Added OwnPtrWin.cpp to the
        Chromium Windows build.
        * wtf/OwnPtrCommon.h: Changed from platform WIN to OS WIN for
        OwnPtr<HDC> and similar constructs.

2012-01-19  Geoffrey Garen  <ggaren@apple.com>

        Removed some regexp entry boilerplate code
        https://bugs.webkit.org/show_bug.cgi?id=76687

        Reviewed by Darin Adler.
        
        1% - 2% speedup on regexp tests, no change overall.

        * runtime/RegExp.cpp:
        (JSC::RegExp::match):
            - ASSERT that our startIndex is non-negative, because anything less
            would be uncivilized.
            
            - ASSERT that our input is not the null string for the same reason.

            - No need to test for startOffset being past the end of the string,
            since the regular expression engine will do this test for us.

            - No need to initialize the output vector, since the regular expression
            engine will fill it in for us.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::interpret):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):
        
            RegExp used to do these jobs for us, but now we do them for ourselves
            because it's a better separation of concerns, and the JIT can do them
            more efficiently than C++ code:

            - Test for "past the end" before doing any matching -- otherwise
            a* will match with zero length past the end of the string, which is wrong.

            - Initialize the output vector before doing any matching.

2012-01-20  Filip Pizlo  <fpizlo@apple.com>

        Build fix for no-DFG configuration.
        Needed for <rdar://problem/10727689>.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        * jit/JIT.h:
        (JSC::JIT::emitValueProfilingSite):

2012-01-19  Filip Pizlo  <fpizlo@apple.com>

        Bytecode instructions that may have value profiling should have a direct inline
        link to the ValueProfile instance
        https://bugs.webkit.org/show_bug.cgi?id=76682
        <rdar://problem/10727689>

        Reviewed by Sam Weinig.
        
        Each opcode that gets value profiled now has a link to its ValueProfile. This
        required rationalizing the emission of value profiles for opcode combos, like
        op_method_check/op_get_by_id and op_call/op_call_put_result. It only makes
        sense for one of them to have a value profile link, and it makes most sense
        for it to be the one that actually sets the result. The previous behavior was
        to have op_method_check profile for op_get_by_id when they were used together,
        but otherwise for op_get_by_id to have its own profiles. op_call already did
        the right thing; all profiling was done by op_call_put_result.
        
        But rationalizing this code required breaking some of the natural boundaries
        that the code had; for instance the code in DFG that emits a GetById in place
        of both op_method_check and op_get_by_id must now know that it's the latter of
        those that has the value profile, while the first of those constitutes the OSR
        target. Hence each CodeOrigin must now have two bytecode indices - one for
        OSR exit and one for profiling.
        
        Finally this change required some refiddling of our optimization heuristics,
        because now all code blocks have "more instructions" due to the value profile
        slots.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::bytecodeIndexForValueProfile):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitGetScopedVar):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):
        * jit/JIT.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_call_put_result):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_call_put_result):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::emitSlow_op_method_check):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::emitSlow_op_method_check):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):
        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):

2012-01-20  ChangSeok Oh  <shivamidow@gmail.com>

        undefined reference to symbol eina_module_free
        https://bugs.webkit.org/show_bug.cgi?id=76681

        Reviewed by Martin Robinson.

        eina_module_free has been used without including eina libraries after r104936.

        * wtf/PlatformEfl.cmake: Add EINA_LIBRARIES.

2012-01-19  Tony Chang  <tony@chromium.org>

        [chromium] Remove an obsolete comment about features.gypi
        https://bugs.webkit.org/show_bug.cgi?id=76643

        There can be only one features.gypi.

        Reviewed by James Robinson.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-01-19  Geoffrey Garen  <ggaren@apple.com>

        Implicit creation of a regular expression should eagerly check for syntax errors
        https://bugs.webkit.org/show_bug.cgi?id=76642

        Reviewed by Oliver Hunt.
        
        This is a correctness fix and a slight optimization.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch): Check for syntax errors because that's the
        correct behavior.

        * runtime/RegExp.cpp:
        (JSC::RegExp::match): ASSERT that we aren't a syntax error. (One line
        of code change, many lines of indentation change.)

        Since we have no clients that try to match a RegExp that is a syntax error,
        let's optimize out the check.

2012-01-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Implement a new allocator for backing stores
        https://bugs.webkit.org/show_bug.cgi?id=75181

        Reviewed by Filip Pizlo.

        We want to move away from using fastMalloc for the backing stores for 
        some of our objects (e.g. JSArray, JSObject, JSString, etc).  These backing 
        stores have a nice property in that they only have a single owner (i.e. a 
        single pointer to them at any one time).  One way that we can take advantage 
        of this property is to implement a simple bump allocator/copying collector, 
        which will run alongside our normal mark/sweep collector, that only needs to 
        update the single owner pointer rather than having to redirect an arbitrary 
        number of pointers in from-space to to-space.

        This plan can give us a number of benefits. We can beat fastMalloc in terms 
        of both performance and memory usage, we can track how much memory we're using 
        far more accurately than our rough estimation now through the use of 
        reportExtraMemoryCost, and we can allocate arbitrary size objects (as opposed 
        to being limited to size classes like we have been historically). This is also 
        another step toward moving away from lazy destruction, which will improve our memory footprint.

        We start by creating said allocator and moving the ArrayStorage for JSArray 
        to use it rather than fastMalloc.

        The design of the collector is as follows:
        Allocation:
        -The collector allocates 64KB chunks from the OS to use for object allocation.
        -Each chunk contains an offset, a flag indicating if the block has been pinned, 
         and a payload, along with next and prev pointers so that they can be put in DoublyLinkedLists.
        -Any allocation greater than 64KB gets its own separate oversize block, which 
         is managed separately from the rest.
        -If the allocator receives a request for more than the remaining amount in the 
         current block, it grabs a fresh block.
        -Grabbing a fresh block means grabbing one off of the global free list (which is now 
         shared between the mark/sweep allocator and the bump allocator) if there is one. 
         If there isn't a new one we do one of two things: allocate a new block from the OS 
         if we're not ready for a GC yet, or run a GC and then try again. If we still don't 
         have enough space after the GC, we allocate a new block from the OS.

        Garbage collection:
        -At the start of garbage collection during conservative stack scanning, if we encounter 
         what appears to be a pointer to a bump-allocated block of memory, we pin that block so 
         that it will not be copied for this round of collection.
        -We also pin any oversize blocks that we encounter, which effectively doubles as a 
         "mark bit" for that block. Any oversize blocks that aren't pinned at the end of copying 
         are given back to the OS.
        -Marking threads are now also responsible for copying bump-allocated objects to newSpace
        -Each marking thread has a private 64KB block into which it copies bump-allocated objects that it encounters.
        -When that block fills up, the marking thread gives it back to the allocator and requests a new one.
        -When all marking has concluded, each thread gives back its copy block, even if it isn't full.
        -At the conclusion of copying (which is done by the end of the marking phase), we un-pin 
         any pinned blocks and give any blocks left in from-space to the global free list.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateSlowCase):
        (JSC::AllocationSpace::allocateBlock):
        (JSC::AllocationSpace::freeBlocks):
        * heap/AllocationSpace.h:
        (JSC::AllocationSpace::waterMark):
        * heap/BumpBlock.h: Added.
        (JSC::BumpBlock::BumpBlock):
        * heap/BumpSpace.cpp: Added.
        (JSC::BumpSpace::tryAllocateSlowCase):
        * heap/BumpSpace.h: Added.
        (JSC::BumpSpace::isInCopyPhase):
        (JSC::BumpSpace::totalMemoryAllocated):
        (JSC::BumpSpace::totalMemoryUtilized):
        * heap/BumpSpaceInlineMethods.h: Added.
        (JSC::BumpSpace::BumpSpace):
        (JSC::BumpSpace::init):
        (JSC::BumpSpace::contains):
        (JSC::BumpSpace::pin):
        (JSC::BumpSpace::startedCopying):
        (JSC::BumpSpace::doneCopying):
        (JSC::BumpSpace::doneFillingBlock):
        (JSC::BumpSpace::recycleBlock):
        (JSC::BumpSpace::getFreshBlock):
        (JSC::BumpSpace::borrowBlock):
        (JSC::BumpSpace::addNewBlock):
        (JSC::BumpSpace::allocateNewBlock):
        (JSC::BumpSpace::fitsInBlock):
        (JSC::BumpSpace::fitsInCurrentBlock):
        (JSC::BumpSpace::tryAllocate):
        (JSC::BumpSpace::tryAllocateOversize):
        (JSC::BumpSpace::allocateFromBlock):
        (JSC::BumpSpace::tryReallocate):
        (JSC::BumpSpace::tryReallocateOversize):
        (JSC::BumpSpace::isOversize):
        (JSC::BumpSpace::isPinned):
        (JSC::BumpSpace::oversizeBlockFor):
        (JSC::BumpSpace::blockFor):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::blockFreeingThreadMain):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        (JSC::Heap::releaseFreeBlocks):
        * heap/Heap.h:
        (JSC::Heap::waterMark):
        (JSC::Heap::highWaterMark):
        (JSC::Heap::setHighWaterMark):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        * heap/HeapBlock.h: Added.
        (JSC::HeapBlock::HeapBlock):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::startCopying):
        (JSC::SlotVisitor::allocateNewSpace):
        (JSC::SlotVisitor::copy):
        (JSC::SlotVisitor::copyAndAppend):
        (JSC::SlotVisitor::doneCopying):
        * heap/MarkStack.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::recycle):
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::SlotVisitor):
        * heap/TinyBloomFilter.h:
        (JSC::TinyBloomFilter::reset):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        (JSC::JSArray::finishCreation):
        (JSC::JSArray::tryFinishCreationUninitialized):
        (JSC::JSArray::~JSArray):
        (JSC::JSArray::enterSparseMode):
        (JSC::JSArray::defineOwnNumericProperty):
        (JSC::JSArray::setLengthWritable):
        (JSC::JSArray::getOwnPropertySlotByIndex):
        (JSC::JSArray::getOwnPropertyDescriptor):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::deletePropertyByIndex):
        (JSC::JSArray::getOwnPropertyNames):
        (JSC::JSArray::increaseVectorLength):
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::unshiftCount):
        (JSC::JSArray::visitChildren):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sort):
        (JSC::JSArray::compactForSorting):
        (JSC::JSArray::subclassData):
        (JSC::JSArray::setSubclassData):
        (JSC::JSArray::checkConsistency):
        * runtime/JSArray.h:
        (JSC::JSArray::inSparseMode):
        (JSC::JSArray::isLengthWritable):
        * wtf/CheckedBoolean.h: Added.
        (CheckedBoolean::CheckedBoolean):
        (CheckedBoolean::~CheckedBoolean):
        (CheckedBoolean::operator bool):
        * wtf/DoublyLinkedList.h:
        (WTF::::push):
        * wtf/StdLibExtras.h:
        (WTF::isPointerAligned):

2012-01-19  Joi Sigurdsson  <joi@chromium.org>

        Enable use of precompiled headers in Chromium port on Windows.

        Bug 76381 - Use precompiled headers in Chromium port on Windows
        https://bugs.webkit.org/show_bug.cgi?id=76381

        Reviewed by Tony Chang.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: Include WinPrecompile.gypi.

2012-01-18  Roland Takacs  <takacs.roland@stud.u-szeged.hu>

        Cross-platform processor core counter fix
        https://bugs.webkit.org/show_bug.cgi?id=76540

        Reviewed by Zoltan Herczeg.

        I attached "OS(FREEBSD)" to "#if OS(DARWIN) || OS(OPENBSD) || OS(NETBSD)"
        and I removed the OS checking macros from ParallelJobsGeneric.cpp because
        the NumberOfCores.cpp contains them for counting CPU cores.
        The processor core counter patch located at
        https://bugs.webkit.org/show_bug.cgi?id=76530

        * wtf/NumberOfCores.cpp:
        * wtf/ParallelJobsGeneric.cpp:

2012-01-18  Csaba Osztrogonác  <ossy@webkit.org>

        Cross-platform processor core counter
        https://bugs.webkit.org/show_bug.cgi?id=76530

        Unreviewed cross-MinGW buildfix after r105270.

        * wtf/NumberOfCores.cpp: Use windows.h instead of Windows.h.

2012-01-18  Roland Takacs  <takacs.roland@stud.u-szeged.hu>

        Cross-platform processor core counter
        https://bugs.webkit.org/show_bug.cgi?id=76530

        Reviewed by Zoltan Herczeg.

        Two files have been created that include the processor core counter function.
        It used to be in ParallelJobsGeneric.h/cpp before.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):
        * wtf/CMakeLists.txt:
        * wtf/NumberOfCores.cpp: Added.
        (WTF::numberOfProcessorCores):
        * wtf/NumberOfCores.h: Added.
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        * wtf/ParallelJobsGeneric.h:

2012-01-18  Balazs Kelemen  <kbalazs@webkit.org>

        [Qt] Consolidate layout test crash logging
        https://bugs.webkit.org/show_bug.cgi?id=75088

        Reviewed by Simon Hausmann.

        Move backtrace generating logic into WTFReportBacktrace
        and add a way to deinstall signal handlers if we know
        that we have already printed the backtrace.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/Assertions.cpp:
        (WTFLogLocker::WTFReportBacktrace):
        (WTFLogLocker::WTFSetCrashHook):
        (WTFLogLocker::WTFInvokeCrashHook):
        * wtf/Assertions.h:

2012-01-17  Geoffrey Garen  <ggaren@apple.com>

        Factored out some code into a helper function.
        
        I think this might help getting rid of omit-frame-pointer.

        Reviewed by Sam Weinig.
        
        No benchmark change.

        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch): Moved to here...
        (JSC::replaceUsingRegExpSearch): ...from here.

2012-01-17  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        Uint8ClampedArray support
        https://bugs.webkit.org/show_bug.cgi?id=74455

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC::isUint8ClampedArrayPrediction):
        (JSC::isActionableMutableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateUint8ClampedArray):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::clampDoubleToByte):
        (JSC::DFG::compileClampIntegerToByte):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSCell.h:
        * runtime/JSGlobalData.h:
        * wtf/Forward.h:
        * wtf/Uint8Array.h:
        * wtf/Uint8ClampedArray.h: Added.
        (WTF::Uint8ClampedArray::set):
        (WTF::Uint8ClampedArray::create):
        (WTF::Uint8ClampedArray::Uint8ClampedArray):
        (WTF::Uint8ClampedArray::subarray):

2012-01-17  Sam Weinig  <sam@webkit.org>

        Add helper macro for forward declaring objective-c classes
        https://bugs.webkit.org/show_bug.cgi?id=76485

        Reviewed by Anders Carlsson.

        * wtf/Compiler.h:
        Add OBJC_CLASS macro which helps reduce code when forward declaring an
        objective-c class in a header which can be included from both Objective-C
        and non-Objective-C files.

2012-01-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to do JS and custom getter caching
        https://bugs.webkit.org/show_bug.cgi?id=76361

        Reviewed by Csaba Osztrogonác.
        
        Fix for 32-bit.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-01-15  Filip Pizlo  <fpizlo@apple.com>

        DFG should be able to do JS and custom getter caching
        https://bugs.webkit.org/show_bug.cgi?id=76361
        <rdar://problem/10698060>

        Reviewed by Geoff Garen.
        
        Added the ability to cache JS getter calls and custom getter calls in the DFG.
        Most of this is pretty mundane, since the old JIT supported this functionality
        as well. But a couple interesting things had to happen:
        
        - There are now two variants of GetById: GetById, which works as before, and
          GetByIdFlush, which flushes registers prior to doing the GetById. Only
          GetByIdFlush can be used for caching getters. We detect which GetById style
          to use by looking at the inline caches of the old JIT.
        
        - Exception handling for getter calls planted in stubs uses a separate lookup
          handler routine, which uses the CodeOrigin stored in the StructureStubInfo.
          
        This is a 40% speed-up in the Dromaeo DOM Traversal average. It removes all of
        the DFG regressions we saw in Dromaeo. This is neutral on SunSpider, V8, and
        Kraken.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::willNeedFlush):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupResults):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::JITCompiler::addExceptionCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):

2012-01-16  Jon Lee  <jonlee@apple.com>

        Build fix for r105086.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2012-01-16  Jon Lee  <jonlee@apple.com>

        Remove HTML notifications support on Mac
        https://bugs.webkit.org/show_bug.cgi?id=76401
        <rdar://problem/10589881>

        Reviewed by Sam Weinig.

        * wtf/Platform.h: Define ENABLE_HTML_NOTIFICATIONS macro.

2012-01-16  Zeno Albisser  <zeno@webkit.org>

        [Qt] Fix QT_VERSION related warnings when building on Mac OS X
        https://bugs.webkit.org/show_bug.cgi?id=76340

        This bug was caused by r104826.
        As already mentioned for https://bugs.webkit.org/show_bug.cgi?id=57239
        we should not use "using namespace WebCore" in header files,
        because it might cause ambiguous references.
        This patch reverts the changes from r104826 and r104981
        and removes the "using namespace WebCore" statement from
        two header files.

        Reviewed by Tor Arne Vestbø.

        * wtf/Platform.h:

2012-01-16  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Fix typo.

2012-01-16  Pavel Heimlich  <tropikhajma@gmail.com>

        Solaris Studio supports alignment macros too
        https://bugs.webkit.org/show_bug.cgi?id=75453

        Reviewed by Hajime Morita.

        * wtf/Alignment.h:

2012-01-16  Yuqiang Xian  <yuqiang.xian@intel.com>

        Build fix on 32bit if verbose debug is enabled in DFG
        https://bugs.webkit.org/show_bug.cgi?id=76351

        Reviewed by Hajime Morita.

        Mostly change "%lu" to "%zu" to print a "size_t" variable.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):

2012-01-15  Filip Pizlo  <fpizlo@apple.com>

        The C calling convention logic in DFG::SpeculativeJIT should be available even
        when not generating code for the DFG speculative path
        https://bugs.webkit.org/show_bug.cgi?id=76355

        Reviewed by Dan Bernstein.
        
        Moved all of the logic for placing C call arguments into the right place (stack
        or registers) into a new class, DFG::CCallHelpers.  This class inherits from
        AssemblyHelpers, another DFG grab-bag of helper functions.  I could have moved
        this code into AssemblyHelpers, but decided against it, because I wanted to
        limit the number of methods each class in the JIT has.  Hence now we have a
        slightly odd organization of JIT classes in DFG: MacroAssembler (basic instruction
        emission) <= AssemblyHelpers (some additional JS smarts) <= CCallHelpers
        (understands calls to C functions) <= JITCompiler (can compile a graph to machine
        code).  Each of these except for JITCompiler can be reused for stub compilation.
        
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCCallHelpers.h: Added.
        (JSC::DFG::CCallHelpers::CCallHelpers):
        (JSC::DFG::CCallHelpers::resetCallArguments):
        (JSC::DFG::CCallHelpers::addCallArgument):
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsExecState):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (JSC::DFG::CCallHelpers::setupTwoStubArgs):
        (JSC::DFG::CCallHelpers::setupStubArguments):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::JITCompiler):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2012-01-15  Pablo Flouret  <pablof@motorola.com>

        Fix compilation errors on build-webkit --debug --no-video on mac.
        https://bugs.webkit.org/show_bug.cgi?id=75867

        Reviewed by Philippe Normand.

        Make ENABLE_VIDEO_TRACK conditional on ENABLE_VIDEO, video track feature
        doesn't build without video.

        * wtf/Platform.h:

2012-01-14  David Levin  <levin@chromium.org>

        HWndDC should be in platform/win instead of wtf.
        https://bugs.webkit.org/show_bug.cgi?id=76314

        Reviewed by Sam Weinig.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:

2012-01-13  David Levin  <levin@chromium.org>

        check-webkit-style: should encourage the use of Own* classes for Windows DC.
        https://bugs.webkit.org/show_bug.cgi?id=76227

        Reviewed by Dirk Pranke.

        * wtf/win/HWndDCWin.h:
        (WTF::HwndDC::HwndDC): Add a way to do GetDCEx.
        There are no users, but I want to catch this in check-webkit-style
        and tell any users to use HwndDC to avoid leaks.

2012-01-13  David Levin  <levin@chromium.org>

        Header file is missing header guard.

        Reviewed by Dirk Pranke.

        * wtf/win/HWndDCWin.h: Added the guards.

2012-01-13  Andy Wingo  <wingo@igalia.com>

        Eval in strict mode does not need dynamic checks
        https://bugs.webkit.org/show_bug.cgi?id=76286

        Reviewed by Oliver Hunt.

        * runtime/JSActivation.cpp (JSC::JSActivation::JSActivation):
        Eval in strict mode cannot introduce variables, so it not impose
        the need for dynamic checks.

2012-01-13  David Levin  <levin@chromium.org>

        HWndDC is a better name than HwndDC.
        https://bugs.webkit.org/show_bug.cgi?id=76281

        Reviewed by Darin Adler.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * wtf/win/HWndDCWin.h: Renamed from Source/JavaScriptCore/wtf/win/HwndDCWin.h.
        (WTF::HWndDC::HWndDC):
        (WTF::HWndDC::~HWndDC):
        (WTF::HWndDC::operator HDC):

2012-01-13  YoungTaeck Song  <youngtaeck.song@samsung.com>

        [EFL] Add OwnPtr specialization for Eina_Module.
        https://bugs.webkit.org/show_bug.cgi?id=76255

        Reviewed by Andreas Kling.

        Add an overload for deleteOwnedPtr(Eina_Module*) on EFL port.

        * wtf/OwnPtrCommon.h:
        * wtf/efl/OwnPtrEfl.cpp:
        (WTF::deleteOwnedPtr):

2012-01-13  Yuqiang Xian  <yuqiang.xian@intel.com>

        Unreviewed build fix after r104787 if JIT_VERBOSE_OSR is defined

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2012-01-12  Hajime Morrita  <morrita@chromium.org>

        JavaScriptCore: Mark all exported symbols in the header file automatically.
        https://bugs.webkit.org/show_bug.cgi?id=72855

        Reviewed by Darin Adler.

        Added WTF_EXPORT_PRIVATE and JS_EXPORT_PRIVATE based on JavaScriptCore.exp files.
        The change is generated by a tool calledListExportables (https://github.com/omo/ListExportables)

        * API/OpaqueJSString.h:
        * bytecode/CodeBlock.h:
        * bytecode/SamplingTool.h:
        * debugger/Debugger.h:
        * debugger/DebuggerActivation.h:
        * debugger/DebuggerCallFrame.h:
        * heap/AllocationSpace.h:
        * heap/HandleHeap.h:
        * heap/Heap.h:
        * heap/MachineStackMarker.h:
        * heap/MarkStack.h:
        * heap/VTableSpectrum.h:
        * heap/WriteBarrierSupport.h:
        * parser/Nodes.h:
        * parser/ParserArena.h:
        * profiler/Profile.h:
        * runtime/ArgList.h:
        * runtime/CallData.h:
        * runtime/Completion.h:
        * runtime/ConstructData.h:
        * runtime/DateInstance.h:
        * runtime/Error.h:
        * runtime/ExceptionHelpers.h:
        * runtime/FunctionConstructor.h:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.h:
        * runtime/InternalFunction.h:
        * runtime/JSArray.h:
        * runtime/JSByteArray.h:
        * runtime/JSCell.h:
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalThis.h:
        * runtime/JSLock.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        * runtime/JSValue.h:
        * runtime/JSVariableObject.h:
        * runtime/Lookup.h:
        * runtime/MemoryStatistics.h:
        * runtime/ObjectPrototype.h:
        * runtime/Options.h:
        * runtime/PropertyDescriptor.h:
        * runtime/PropertyNameArray.h:
        * runtime/PropertySlot.h:
        * runtime/RegExp.h:
        * runtime/RegExpObject.h:
        * runtime/SamplingCounter.h:
        * runtime/SmallStrings.h:
        * runtime/StringObject.h:
        * runtime/Structure.h:
        * runtime/TimeoutChecker.h:
        * runtime/UString.h:
        * runtime/WriteBarrier.h:
        * wtf/ArrayBufferView.h:
        * wtf/ByteArray.h:
        * wtf/CryptographicallyRandomNumber.h:
        * wtf/CurrentTime.h:
        * wtf/DateMath.h:
        * wtf/DecimalNumber.h:
        * wtf/FastMalloc.cpp:
        * wtf/FastMalloc.h:
        * wtf/MD5.h:
        * wtf/MainThread.h:
        * wtf/MetaAllocator.h:
        * wtf/MetaAllocatorHandle.h:
        * wtf/OSAllocator.h:
        * wtf/PageBlock.h:
        * wtf/RandomNumber.h:
        * wtf/RefCountedLeakCounter.h:
        * wtf/SHA1.h:
        * wtf/Threading.cpp:
        * wtf/Threading.h:
        * wtf/ThreadingPrimitives.h:
        * wtf/WTFThreadData.h:
        * wtf/dtoa.h:
        * wtf/text/AtomicString.h:
        * wtf/text/CString.h:
        * wtf/text/StringBuilder.h:
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.h:
        * wtf/unicode/Collator.h:
        * wtf/unicode/UTF8.h:
        * yarr/Yarr.h:
        * yarr/YarrPattern.h:

2012-01-12  MORITA Hajime  <morrita@google.com>

        [Chromium] JSExportMacros.h should be visible.
        https://bugs.webkit.org/show_bug.cgi?id=76147

        Reviewed by Tony Chang.

        * config.h:

2012-01-12  David Levin  <levin@chromium.org>

        HwndDC is a better name than OwnGetDC.
        https://bugs.webkit.org/show_bug.cgi?id=76235

        Reviewed by Dmitry Titov.

        This is a better name for two reasons:
        1. "Own" implies "delete". In this case, the final call is a release (ReleaseDC).
        2. "Ref" would be a better name due to the release but the RefPtr (and OwnPtr)
           classes always take something to hold on to. In this case, the object (the DC)
           is created by the class once it is given a Window to ensure that the HDC
           was actually created using GetDC.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * wtf/win/HwndDCWin.h: Renamed from Source/JavaScriptCore/wtf/win/OwnGetDCWin.h.
        (WTF::HwndDC::HwndDC):
        (WTF::HwndDC::~HwndDC):
        (WTF::HwndDC::operator HDC):

2012-01-12  Gavin Barraclough  <barraclough@apple.com>

        Clean up putDirect (part 2)
        https://bugs.webkit.org/show_bug.cgi?id=76232

        Reviewed by Sam Weinig.

        Rename putWithAttributes to putDirectVirtual, to identify that this
        has the same unchecked-DefineOwnProperty behaviour, change putDirectInternal
        to be templated on an enum indicating which behaviour it is supposed to be
        implementing, and change clients that are defining properties to call
        putDirectInternal correctly.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::putDirectVirtual):
        * debugger/DebuggerActivation.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/ClassInfo.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::putDirectVirtual):
        * runtime/JSActivation.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::putDirectVirtual):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::putDirectVirtual):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectVirtual):
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::initializeGetterSetterProperty):
        (JSC::JSObject::defineSetter):
        (JSC::putDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::putDirectVirtual):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::putDirectVirtual):
        * runtime/JSVariableObject.h:

2012-01-12  Gavin Barraclough  <barraclough@apple.com>

        Clean up putDirect (part 1)
        https://bugs.webkit.org/show_bug.cgi?id=76232

        Reviewed by Sam Weinig.

        putDirect has ambiguous semantics, clean these up a bit.

        putDirect generally behaves a bit like a fast defineOwnProperty, but one that
        always creates the property, with no checking to validate the put it permitted.

        It also encompasses two slightly different behaviors.
        (1) a fast form of put for JSActivation, which doesn't have to handle searching
            the prototype chain, getter/setter properties, or the magic __proto__ value.
            Break this out as a new method, 'putOwnDataProperty'.
        (2) the version of putDirect on JSValue will also check for overwriting ReadOnly
            values, in strict mode. This is, however, not so smart on a few level, since
            it is only called from op_put_by_id with direct set, which is only used with
            an object as the base, and is only used to put new properties onto objects.

        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::put):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSObject.h:
        (JSC::JSObject::putOwnDataProperty):
        * runtime/JSValue.h:

2012-01-12  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=76141
        defineSetter/defineGetter may fail to update Accessor attribute

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::initializeGetterSetterProperty):
        (JSC::JSObject::defineSetter):
        * runtime/Structure.cpp:
        (JSC::Structure::attributeChangeTransition):
        * runtime/Structure.h:

2012-01-12  David Levin  <levin@chromium.org>

        [chromium] Fix DC leak in WebScreenInfoFactory.
        https://bugs.webkit.org/show_bug.cgi?id=76203

        Reviewed by Dmitry Titov.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: Added OwnGetDCWin.h
        * JavaScriptCore.gypi: Added OwnGetDCWin.h
        * JavaScriptCore/wtf/win/OwnGetDCWin.h: Made an owner class for GetDC which needs ReleaseDC as opposed to DeleteDC.

2012-01-11  Gavin Barraclough  <barraclough@apple.com>

        Allow accessor get/set property to be set to undefined
        https://bugs.webkit.org/show_bug.cgi?id=76148

        Reviewed by Oliver Hunt.

        AccessorDescriptor properties may have their get & set properties defined to reference a function
        (Callable object) or be set to undefined. Valid PropertyDescriptors created by toPropertyDescriptor
        (defined from JS code via Object.defineProperty, etc) have get and set properties that are in one of
        three states (1) nonexistent, (2) set to undefined, or (3) a function (any Callable object).

        On the PropertyDescriptor object these three states are represneted by JSValue(), jsUndefined(), and
        any JSObject* (with a constraint that this must be callable).

        Logically the get/set property of an accessor descriptor on an object might be in any of the three
        states above, but in practice there is no way to distinguish between the first two states. As such
        we stor the get/set values in property storage in a JSObject* field, with 0 indicating absent or
        undefined. When unboxing to a PropertyDescriptor, map this back to a JS undefined value.

        * runtime/GetterSetter.h:
        (JSC::GetterSetter::setGetter):
        (JSC::GetterSetter::setSetter):
            - Allow the getter/setter to be cleared.
        * runtime/JSArray.cpp:
        (JSC::JSArray::putDescriptor):
            - Changed to call getterObject/setterObject.
        (JSC::JSArray::defineOwnNumericProperty):
            - Added ASSERT.
        * runtime/JSObject.cpp:
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnProperty):
            - Changed to call getterObject/setterObject.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
            - getter/setter values read from properties on object are never missing, they will now be set as undefined by 'setDescriptor'.
        (JSC::toPropertyDescriptor):
            - Do not translate undefined->empty, this loses an important distinction between a get/set property being absent, or being explicitly set to undefined.
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::getterObject):
        (JSC::PropertyDescriptor::setterObject):
            - Accessors to convert the get/set property to an object pointer, converting undefined to 0.
        (JSC::PropertyDescriptor::setDescriptor):
        (JSC::PropertyDescriptor::setAccessorDescriptor):
            - Translate a getter/setter internally represented at 0 to undefined, indicating that it is present.
        * runtime/PropertyDescriptor.h:
            - Declare getterObject/setterObject.

2012-01-12  Zeno Albisser  <zeno@webkit.org>

        [Qt][WK2][Mac] Conflict of MacTypes.h defining a Fixed type after r104560.
        https://bugs.webkit.org/show_bug.cgi?id=76175

        Defining ENABLE_CSS_FILTERS leads to ambiguous references
        due to MacTypes.h being included.
        Defining CF_OPEN_SOURCE works around this problem.

        Reviewed by Simon Hausmann.

        * wtf/Platform.h:

2012-01-12  Simon Hausmann  <simon.hausmann@nokia.com>

        Make the new WTF module build on Qt
        https://bugs.webkit.org/show_bug.cgi?id=76163

        Reviewed by Tor Arne Vestbø.

        * JavaScriptCore.pro: Removed wtf from the subdirs to build.

2012-01-11  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::m_executeCounter should be renamed to CodeBlock::m_jitExecuteCounter
        https://bugs.webkit.org/show_bug.cgi?id=76144
        <rdar://problem/10681711>

        Rubber stamped by Gavin Barraclough.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addressOfJITExecuteCounter):
        (JSC::CodeBlock::offsetOfJITExecuteCounter):
        (JSC::CodeBlock::jitExecuteCounter):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):

2012-01-11  Gavin Barraclough  <barraclough@apple.com>

        Merge 'Getter'/'Setter' attributes into 'Accessor'
        https://bugs.webkit.org/show_bug.cgi?id=76141

        Reviewed by Filip Pizlo.

        These are currently ambiguous (and used inconsistently). It would logically appear
        that either being bit set implies that the corresponding type of accessor is present
        but (a) we don't correctly enforce this, and (b) this means the attributes would not
        be able to distinguish between a data descriptor and an accessor descriptor with
        neither a getter nor setter defined (which is a descriptor permissible under the spec).
        This ambiguity would lead to unsafe property caching behavior (though this does not
        represent an actual current bug, since we are currently unable to create descriptors
        that have neither a getter nor setter, it just prevents us from doing so).

        * runtime/Arguments.cpp:
        (JSC::Arguments::createStrictModeCallerIfNecessary):
        (JSC::Arguments::createStrictModeCalleeIfNecessary):
        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::put):
        (JSC::JSArray::putDescriptor):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::initializeGetterSetterProperty):
        (JSC::JSObject::defineSetter):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorDefineProperty):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        (JSC::PropertyDescriptor::setAccessorDescriptor):
        (JSC::PropertyDescriptor::setSetter):
        (JSC::PropertyDescriptor::setGetter):
        (JSC::PropertyDescriptor::attributesOverridingCurrent):

2012-01-11  Gavin Barraclough  <barraclough@apple.com>

        Object.defineProperty([], 'length', {}) should not make length read-only
        https://bugs.webkit.org/show_bug.cgi?id=76097

        Reviewed by Oliver Hunt.

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
            - We should be checking writablePresent().

2012-01-11  Filip Pizlo  <fpizlo@apple.com>

        Code duplication for invoking the JIT and DFG should be reduced
        https://bugs.webkit.org/show_bug.cgi?id=76117
        <rdar://problem/10680189>

        Rubber stamped by Geoff Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITDriver.h: Added.
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2012-01-11  Geoffrey Garen  <ggaren@apple.com>

        Bytecode dumping is broken for call opcodes (due to two new operands)
        https://bugs.webkit.org/show_bug.cgi?id=75886

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp): Made a helper function, so I wouldn't have
        to fix this more than once. The helper function skips the extra two operands
        at the end of the opcode, used for optimization.
        
        (JSC::CodeBlock::dump): Used the helper function.

        * bytecode/CodeBlock.h: Declared the helper function.

2012-01-09  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: d3 Bullet Charts demo doesn't work (call with argument assignment is broken)
        https://bugs.webkit.org/show_bug.cgi?id=75911

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNodeForLeftHandSide): Cleanup: No need to
        explicitly cast to our return type in C++.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode): Make sure to copy our function
        into a temporary register before evaluating our arguments, since argument
        evaluation might include function calls or assignments that overwrite our callee by name.

2012-01-11  Michael Saboff  <msaboff@apple.com>

        v8-regexp spends 35% of its time allocating and copying internal regexp results data
        https://bugs.webkit.org/show_bug.cgi?id=76079

        Reviewed by Geoffrey Garen.

        Added a new RegExpResults struct that has the input string, the number of
        subexpressions and the output vector.  Changed RegExpConstructor to
        include a RegExpConstructorPrivate instead of having a reference to one.
        Changed RegExpMatchesArray to include a RegExpResults instead of a 
        reference to a RegExpConstructorPrivate.  Created an overloaded assignment
        operator to assign a RegExpConstructorPrivate to a RegExpResults.
        Collectively this change is worth 24% performance improvement to v8-regexp.
        
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpResult::operator=):
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        (JSC::RegExpMatchesArray::finishCreation):
        (JSC::RegExpMatchesArray::~RegExpMatchesArray):
        (JSC::RegExpMatchesArray::fillArrayInstance):
        (JSC::RegExpConstructor::arrayOfMatches):
        (JSC::RegExpConstructor::getBackref):
        (JSC::RegExpConstructor::getLastParen):
        (JSC::RegExpConstructor::getLeftContext):
        (JSC::RegExpConstructor::getRightContext):
        (JSC::RegExpConstructor::setInput):
        (JSC::RegExpConstructor::input):
        (JSC::RegExpConstructor::setMultiline):
        (JSC::RegExpConstructor::multiline):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpResult::RegExpResult):
        (JSC::RegExpConstructor::performMatch):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
        (JSC::RegExpMatchesArray::put):
        (JSC::RegExpMatchesArray::putByIndex):
        (JSC::RegExpMatchesArray::deleteProperty):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyNames):

2012-01-11  Eugene Girard  <girard@google.com>

        Typo in error message: Unexpected token 'defualt'
        https://bugs.webkit.org/show_bug.cgi?id=75105

        Reviewed by Simon Fraser.

        * parser/Parser.h:
        (JSC::Parser::getTokenName):

2012-01-11  Anders Carlsson  <andersca@apple.com>

        Assertion failure in JSC::allocateCell trying to allocate a JSString
        https://bugs.webkit.org/show_bug.cgi?id=76101

        Reviewed by Adam Roben.

        Remove the ExecutableBase::s_info and JSString::s_info static member variables  from the .def file and
        export them explicitly using the JS_EXPORTDATA macro.

        member variables explicitly using 
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/Executable.h:
        * runtime/JSString.h:

2012-01-10  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/10673792> jsc should install directly in to versioned Resources subfolder

        This ensures that jsc ends up in a consistent location whether built in to the same DSTROOT
        as JavaScriptCore.framework or in to a different one.

        Rubber-stamped by Dan Bernstein.

        * Configurations/JSC.xcconfig: Update INSTALL_PATH.

2012-01-10  Filip Pizlo  <fpizlo@apple.com>

        DFG inlining block linking compares BlockIndex against bytecode index
        https://bugs.webkit.org/show_bug.cgi?id=76018
        <rdar://problem/10671979>

        Reviewed by Gavin Barraclough.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):

2012-01-10  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock.h declares too many things
        https://bugs.webkit.org/show_bug.cgi?id=76001

        Rubber stamped by Gavin Barraclough.
        
        Removed all non-CodeBlock type declarations from CodeBlock.h, and put them
        into separate header files. Also removed all non-CodeBlock method implementations
        from CodeBlock.cpp and put them into corresponding cpp files.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/RepatchBuffer.h:
        * bytecode/CallLinkInfo.cpp: Added.
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h: Added.
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::~CallLinkInfo):
        (JSC::CallLinkInfo::isLinked):
        (JSC::CallLinkInfo::seenOnce):
        (JSC::CallLinkInfo::setSeen):
        (JSC::getCallLinkInfoReturnLocation):
        (JSC::getCallLinkInfoBytecodeIndex):
        * bytecode/CallReturnOffsetToBytecodeOffset.h: Added.
        (JSC::CallReturnOffsetToBytecodeOffset::CallReturnOffsetToBytecodeOffset):
        (JSC::getCallReturnOffset):
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/CodeType.h: Added.
        * bytecode/ExpressionRangeInfo.h: Added.
        * bytecode/GlobalResolveInfo.h: Added.
        (JSC::GlobalResolveInfo::GlobalResolveInfo):
        * bytecode/HandlerInfo.h: Added.
        * bytecode/LineInfo.h: Added.
        * bytecode/MethodCallLinkInfo.cpp: Added.
        (JSC::MethodCallLinkInfo::reset):
        * bytecode/MethodCallLinkInfo.h: Added.
        (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
        (JSC::MethodCallLinkInfo::seenOnce):
        (JSC::MethodCallLinkInfo::setSeen):
        (JSC::getMethodCallLinkInfoReturnLocation):
        (JSC::getMethodCallLinkInfoBytecodeIndex):
        * bytecode/StructureStubInfo.h:
        (JSC::getStructureStubInfoReturnLocation):
        (JSC::getStructureStubInfoBytecodeIndex):

2012-01-10  Anders Carlsson  <andersca@apple.com>

        Hang opening movie that requires authentication
        https://bugs.webkit.org/show_bug.cgi?id=75989
        <rdar://problem/9601915>

        Reviewed by Sam Weinig.

        * wtf/Functional.h:
        Add function wrapper for a function that takes three parameters.

2012-01-10  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::m_numParameters should be encapsulated
        https://bugs.webkit.org/show_bug.cgi?id=75985
        <rdar://problem/10671020>

        Reviewed by Oliver Hunt.
        
        Encapsulated CodeBlock::m_numParameters and hooked argument profile creation
        into it.  This appears to be performance neutral.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::setNumParameters):
        (JSC::CodeBlock::addParameter):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numParameters):
        (JSC::CodeBlock::addressOfNumParameters):
        (JSC::CodeBlock::offsetOfNumParameters):
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::addParameter):
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::slideRegisterWindowForCall):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITStubs.cpp:
        (JSC::arityCheckFor):
        (JSC::lazyLinkFor):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2012-01-10  Gavin Barraclough  <barraclough@apple.com>

        Build fix following https://bugs.webkit.org/show_bug.cgi?id=75935

        Fix 32-bit builds.

        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertyNames):
        (JSC::JSArray::setLength):

2012-01-10  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-01-10  Gavin Barraclough  <barraclough@apple.com>

        Do not allow Array length to be set if it is non-configurable
        https://bugs.webkit.org/show_bug.cgi?id=75935

        Reviewed by Sam Weinig.

        Do not allow Array length to be set if it is non-configurable, and if the new
        length is less than the old length then intervening properties should removed
        in reverse order. Removal of properties should cease if an intervening indexed
        property being removed is non-configurable.

        * JavaScriptCore.exp:
            - Removed export for setLength.
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
            - JSArray::setLength now takes an ExecState*
        (JSC::arrayProtoFuncSlice):
            - JSArray::setLength now takes an ExecState*
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
            - JSArray::setLength now takes an ExecState*
        (JSC::JSArray::put):
            - JSArray::setLength now takes an ExecState*
        (JSC::compareKeysForQSort):
            - Keys extracted from the map can be stored as unsigneds.
        (JSC::JSArray::getOwnPropertyNames):
            - Keys extracted from the map can be stored as unsigneds.
        (JSC::JSArray::setLength):
            - Check lengthIsReadOnly(), rather than copying the entire map to iterate
              over to determine which keys to remove, instead just copy the keys from
              the map to a Vector. When inSparseMode sort the keys in the Vector so
              that we can remove properties in reverse order.
        * runtime/JSArray.h:
            - JSArray::setLength now takes an ExecState*

2012-01-10  Gavin Barraclough  <barraclough@apple.com>

        Use SameValue to compare property descriptor values
        https://bugs.webkit.org/show_bug.cgi?id=75975

        Reviewed by Sam Weinig.

        Rather than strictEqual.

        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnNumericProperty):
            - Missing configurablePresent() check.
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnProperty):
            - call sameValue.
        * runtime/PropertyDescriptor.cpp:
        (JSC::sameValue):
            - Moved from JSArray.cpp, fix NaN comparison.
        (JSC::PropertyDescriptor::equalTo):
            - call sameValue.
        * runtime/PropertyDescriptor.h:
            - Added declaration for sameValue.
2012-01-09  Gavin Barraclough  <barraclough@apple.com>

        Error handling : in ISO8601 timezone
        https://bugs.webkit.org/show_bug.cgi?id=75919

        Reviewed by Sam Weinig.

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters):
            - need to increment the string position.

2012-01-09  Mark Rowe  <mrowe@apple.com>

        JavaScriptCore executable targets shouldn't explicitly depend on the JavaScriptCore framework target
        <http://webkit.org/b/75907> / <rdar://problem/10659862>

        We'd like for it to be possible to build jsc without building JavaScriptCore.framework and the explicit
        dependencies prevent this.

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-01-09  Adam Treat  <atreat@rim.com>

        Log is a little to verbose for blackberry port
        https://bugs.webkit.org/show_bug.cgi?id=75728

        The BlackBerry::Platform::Log* functions take care of the call to vfprintf
        which is resulting in unintentional noise in our logs.  Add a conditional
        directive to fix.

        Change to using BlackBerry::Platform::logStreamV which does not insert
        threading info and newlines unlike BlackBerry::Platform::log.

        Finally, add log locking and unlocking which the BlackBerry platform
        uses to ensure that N threads do not trample on each other's logs.

        Reviewed by Rob Buis.

        * wtf/Assertions.cpp:
        (WTFLogLocker::WTFReportAssertionFailure):
        (WTFLogLocker::WTFReportAssertionFailureWithMessage):
        (WTFLogLocker::WTFReportArgumentAssertionFailure):
        (WTFLogLocker::WTFReportFatalError):
        (WTFLogLocker::WTFReportError):
        (WTFLogLocker::WTFLog):
        (WTFLogLocker::WTFLogVerbose):

2012-01-09  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75789
        defineOwnProperty not implemented for Array objects

        Reviewed by Sam Weinig.

        Implements support for getter/setter & non-default attribute properties on arrays,
        by forcing them into a dictionary-like 'SparseMode'. This fixes ~300 test-262
        test failures.

        * JavaScriptCore.exp:
            - Updated exports.
        * dfg/DFGOperations.cpp:
            - JSArray::pop now requires an exec state.
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPop):
            - JSArray::pop now requires an exec state.
        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::add):
            - Add a potentially empty entry into the map.
        (JSC::SparseArrayValueMap::put):
            - Changed to call setter.
        (JSC::SparseArrayEntry::get):
            - calls getters.
        (JSC::SparseArrayEntry::getNonSparseMode):
            - does not call getters.
        (JSC::JSArray::enterSparseMode):
            - Convert into 'SparseMode' - removes the vectors, don't allow it to be recreated.
        (JSC::JSArray::putDescriptor):
            - Create a numeric property based on a descriptor.
        (JSC::sameValue):
            - See ES5.1 9.12.
        (JSC::reject):
            - Helper for the [[DefineOwnProperty]] algorithm.
        (JSC::JSArray::defineOwnNumericProperty):
            - Define an indexed property on an array object.
        (JSC::JSArray::setLengthWritable):
            - Marks the length read-only, enters SparseMode as necessary.
        (JSC::JSArray::defineOwnProperty):
            - Defines either an indexed property or 'length' on an array object.
        (JSC::JSArray::getOwnPropertySlotByIndex):
            - Updated to correctly handle accessor descriptors & attributes.
        (JSC::JSArray::getOwnPropertyDescriptor):
            - Updated to correctly handle accessor descriptors & attributes.
        (JSC::JSArray::put):
            - Pass strict mode flag to setLength.
        (JSC::JSArray::putByIndex):
            - putByIndexBeyondVectorLength requires an ExecState* rather than a JSGloablData&.
        (JSC::JSArray::putByIndexBeyondVectorLength):
            - Pass exec to SparseArrayValueMap::put.
        (JSC::JSArray::deletePropertyByIndex):
            - Do not allow deletion of non-configurable properties.
        (JSC::compareKeysForQSort):
            - used in implementation of getOwnPropertyNames.
        (JSC::JSArray::getOwnPropertyNames):
            - Properties in the sparse map should be iterated in order.
        (JSC::JSArray::setLength):
            - Updated to take a 'shouldThrow' flag, return a result indicating error.
        (JSC::JSArray::pop):
            - pop should throw an error if length is not writable, even if the array is empty.
        (JSC::JSArray::push):
            - putByIndexBeyondVectorLength requires an ExecState* rather than a JSGloablData&.
        (JSC::JSArray::sort):
            - Changed 'get' to 'getNonSparseMode' (can't be getters to call).
        (JSC::JSArray::compactForSorting):
            - Changed 'get' to 'getNonSparseMode' (can't be getters to call).
        * runtime/JSArray.h:
        (JSC::SparseArrayValueMap::lengthIsReadOnly):
            - Check if the length is read only.
        (JSC::SparseArrayValueMap::setLengthIsReadOnly):
            - Mark the length as read only.
        (JSC::SparseArrayValueMap::find):
            - Moved into header.
        (JSC::JSArray::isLengthWritable):
            - Wraps SparseArrayValueMap::lengthIsReadOnly.
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnProperty):
            - Should be returning the result of putDescriptor.
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::attributesOverridingCurrent):
            - Added attributesOverridingCurrent - this should probably be merged with attributesWithOverride.
        * runtime/PropertyDescriptor.h:
            - Added attributesOverridingCurrent.

2012-01-09  Pavel Heimlich  <tropikhajma@gmail.com>

        There is no support for fastcall in Solaris Studio.
        Fixes build on Solaris.
        https://bugs.webkit.org/show_bug.cgi?id=75736

        Reviewed by Gavin Barraclough.

        * jit/JITStubs.h:

2012-01-09  Pavel Heimlich  <tropikhajma@gmail.com>

        Fix build failure on Solaris
        https://bugs.webkit.org/show_bug.cgi?id=75733

        Reviewed by Gavin Barraclough.

        * wtf/ByteArray.h:

2012-01-01  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Clean up some cruft from WTF's CMakeLists.txt
        https://bugs.webkit.org/show_bug.cgi?id=75420

        Reviewed by Daniel Bates.

        * wtf/CMakeLists.txt: Remove the unused WTF_PORT_FLAGS variable; add
        all needed paths to WTF_INCLUDE_DIRECTORIES in a single place.

2012-01-08  Xianzhu Wang  <wangxianzhu@chromium.org>

        Fix compilation error about ListHashSetReverseIterator
        https://bugs.webkit.org/show_bug.cgi?id=75372

        Reviewed by Darin Adler.

        There is a typo in class ListHashSetReverseIterator:
        typedef ListHashSetConstIterator<ValueArg, inlineCapacity, HashArg> const_reverse_iterator;
        Should be
        typedef ListHashSetConstReverseIterator<ValueArg, inlineCapacity, HashArg> const_reverse_iterator;

        * wtf/ListHashSet.h:

2012-01-08  Ryosuke Niwa  <rniwa@webkit.org>

        WinCE build fix after r104415.

        * jit/JITExceptions.cpp:
        * jit/JITExceptions.h:

2012-01-08  Filip Pizlo  <fpizlo@apple.com>

        The JIT's protocol for exception handling should be available to other parts of the system
        https://bugs.webkit.org/show_bug.cgi?id=75808
        <rdar://problem/10661025>

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * jit/JITExceptions.cpp: Added.
        (JSC::genericThrow):
        (JSC::jitThrow):
        * jit/JITExceptions.h: Added.
        * jit/JITStubs.cpp:
        * runtime/JSGlobalData.h:

2012-01-06  Hajime Morrita  <morrita@chromium.org>

        https://bugs.webkit.org/show_bug.cgi?id=75296
        JSString should not have JS_EXPORTCLASS annotation

        Reviewed by Kevin Ollivier.

        * runtime/JSString.h: Removed JS_EXPORTCLASS annotation.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Added missing symbols which were hidden by JS_EXPORTCLASS.

2012-01-06  Michael Saboff  <msaboff@apple.com>

        JSArray::pop() should compare SparseArrayValueMap::find() to SparseArrayValueMap::notFound()
        https://bugs.webkit.org/show_bug.cgi?id=75757

        Reviewed by Gavin Barraclough.

        * runtime/JSArray.cpp:
        (JSC::JSArray::pop): Changed map->end() to map->notFound().

2012-01-06  Filip Pizlo  <fpizlo@apple.com>

        JIT stub slow paths that would be identical to that of an interpreter should be factored out
        https://bugs.webkit.org/show_bug.cgi?id=75743
        <rdar://problem/10657024>

        Reviewed by Geoff Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/CommonSlowPaths.h: Added.
        (JSC::CommonSlowPaths::opInstanceOfSlow):
        (JSC::CommonSlowPaths::opIn):
        (JSC::CommonSlowPaths::opResolve):
        (JSC::CommonSlowPaths::opResolveSkip):
        (JSC::CommonSlowPaths::opResolveWithBase):
        (JSC::CommonSlowPaths::opResolveWithThis):

2012-01-06  Sam Weinig  <sam@webkit.org>

        Fix windows build.

        * wtf/TypeTraits.cpp:

2012-01-05  Michael Saboff  <msaboff@apple.com>

        Default HashTraits for Opcode don't work for Opcode = 0
        https://bugs.webkit.org/show_bug.cgi?id=75595

        Reviewed by Oliver Hunt.

        Removed the populating of the m_opcodeIDTable table in the
        case where the OpcodeID and Opcode are the same (m_enabled is false).
        Instead we just cast the one type to the other.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):

2012-01-06  Sam Weinig  <sam@webkit.org>

        Add a DecayArray type trait as a first step towards merging OwnPtr and OwnArrayPtr
        https://bugs.webkit.org/show_bug.cgi?id=75737

        Reviewed by Anders Carlsson.

        * wtf/TypeTraits.cpp:
        * wtf/TypeTraits.h:
        Added a DecayArray trait, that can convert T[] and T[3] -> T*. DecayArray
        is composed of some helpers which are also exposed, Conditional<>, which
        can provide one type or another based on a boolean predicate, IsArray<>
        which can deduce array types, and RemoveExtent<>, which removes the extent
        from an array type. 

2012-01-06  Oliver Hunt  <oliver@apple.com>

        GetByteArrayLength is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=75735

        Reviewed by Filip Pizlo.

        Load the byte array length from the correct location.
        This stops an existing test from hanging.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-01-06  Filip Pizlo  <fpizlo@apple.com>

        Fix build.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-01-06  Oliver Hunt  <oliver@apple.com>

        DFG no longer optimises CanvasPixelArray
        https://bugs.webkit.org/show_bug.cgi?id=75729

        Reviewed by Gavin Barraclough.

        Rename ByteArray (in its ClassInfo) to Uint8ClampedArray to match
        the future name when we switch over to the new typed-array based
        ImageData specification.

        * runtime/JSByteArray.cpp:

2012-01-06  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        Use HashMap<OwnPtr> for SourceProviderCache items
        https://bugs.webkit.org/show_bug.cgi?id=75346

        Reviewed by Daniel Bates.

        * parser/Parser.cpp:
        * parser/SourceProviderCache.cpp:
        (JSC::SourceProviderCache::clear):
        (JSC::SourceProviderCache::add):
        * parser/SourceProviderCache.h:

2012-01-06  Sam Weinig  <sam@webkit.org>

        Remove unused OwnFastMallocPtr class.
        https://bugs.webkit.org/show_bug.cgi?id=75722

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        * wtf/OwnFastMallocPtr.h: Removed.
        * wtf/text/StringImpl.h:
        * wtf/wtf.pro:

2012-01-06  Benjamin Poulain  <bpoulain@webkit.org>

        [Mac] Sort the resources of JavaScriptCore.xcodeproj and remove duplicates
        https://bugs.webkit.org/show_bug.cgi?id=75631

        Reviewed by Andreas Kling.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-01-06  Eric Seidel  <eric@webkit.org> and Gustavo Noronha Silva  <gustavo.noronha@collabora.com>

        Make the new WTF module build on Gtk
        https://bugs.webkit.org/show_bug.cgi?id=75669

        * GNUmakefile.am:

2012-01-06  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Remove un-needed VPATHs from project includes

        Reviewed by Simon Hausmann.

        * JavaScriptCore.pri:
        * wtf/wtf.pri:

2012-01-06  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Move listing of include paths and libs to pri files in sources

        Includepaths are sometimes modified by non-Qt contributors so keeping
        them in files inside Sources makes it more likely that they are updated
        along with project files for the other ports.

        Using pri files instead of prf files for this also has the benefit that
        the include() from the main target file can be parsed and followed by
        Qt Creator -- something that does not work with load().

        Dependency from a target to a library through the WEBKIT variable are
        handled through forwarding-files in Tools/qmake/mkspecs/modules, which
        set the source root of the module and include the right pri file.

        Ideally we'd use the variant of include() that takes an optional
        namespace to read the variables into, or the fromfile() function,
        but both of these add an overhead of about 40% on the total qmake
        runtime, due to making a deep copy of all the variables in the
        project or re-reading all the prf files from scratch.

        Reviewed by Simon Hausmann.
        Reviewed by Ossy.

        * JavaScriptCore.pri: Renamed from Tools/qmake/mkspecs/features/javascriptcore.prf.
        * Target.pri:
        * wtf/wtf.pri: Renamed from Tools/qmake/mkspecs/features/wtf.prf.
        * wtf/wtf.pro:

2012-01-06  Hajime Morrita  <morrita@chromium.org>

        WTF::String: Inline method shouldn't have WTF_EXPORT_PRIVATE
        https://bugs.webkit.org/show_bug.cgi?id=75612

        Reviewed by Kevin Ollivier.

        * wtf/text/WTFString.h:
        (WTF::String::findIgnoringCase):
        (WTF::String::append):
        (WTF::String::fromUTF8):
        (WTF::String::fromUTF8WithLatin1Fallback):
        (WTF::String::isHashTableDeletedValue):

2012-01-05  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/10633760> Update copyright strings

        Reviewed by Mark Rowe.

        * Info.plist:

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        Date constructor handles infinite values incorrectly.
        https://bugs.webkit.org/show_bug.cgi?id=70998

        Reviewed by Filip Pizlo.

        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
            - should be checking !finite rather then isnan.

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        date.toISOString produces incorrect results for dates with ms prior to 1970
        https://bugs.webkit.org/show_bug.cgi?id=75684

        Reviewed by Sam Weinig.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToISOString):

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype.lastIndexOf ignores undefined fromIndex.
        https://bugs.webkit.org/show_bug.cgi?id=75678

        Reviewed by Sam Weinig.

        array.lastIndexOf(x, undefined) is equivalent to array.lastIndexOf(x, 0), not array.lastIndexOf(x)

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncLastIndexOf):
            - should check argumnet count, rather than checking agument value for undefined.

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        Date parsing is too restrictive.
        https://bugs.webkit.org/show_bug.cgi?id=75671

        Reviewed by Oliver Hunt.

        ES5 date parsing currently requires all fields to be present, which does not match the spec (ES5.1 15.9.1.15).
        The spec allow a date to be date only, or date + time.

        The date portion on the should match: (pseudocode!:)
            [(+|-)YY]YYYY[-MM[-DD]]
        though we are slightly more liberal (permitted by the spec), allowing:
            [+|-]Y+[-MM[-DD]]
        The time portion should match:
            THH:mm[:ss[.sss]][Z|(+|-)HH:mm]
        again we're slightly more liberal, allowing:
            THH:mm[:ss[.s+]][Z|(+|-)HH:mm]

        * wtf/DateMath.cpp:
        (WTF::parseES5DatePortion):
            - Month/day fields are optional, default to 01.
        (WTF::parseES5TimePortion):
            - Hours/Minutes are requires, seconds/timezone are optional.
        (WTF::parseES5DateFromNullTerminatedCharacters):
            - Dates may be date only, or date + time.

2012-01-05  Bruno Dilly  <bdilly@profusion.mobi>

        [EFL] Undefined references to ICU_I18N symbols on WTF
        https://bugs.webkit.org/show_bug.cgi?id=75642

        Unreviewed build fix.

        Add ${ICU_I18N_LIBRARIES} to WTF_LIBRARIES on wtf efl platform cmake.
        Some undefined references were ucol_setAttribute_44, ucol_close_44,
        ucol_getAttribute_44...

        * wtf/PlatformEfl.cmake:

2012-01-05  Geoffrey Garen  <ggaren@apple.com>

        Refined the fast path for StringImpl::hash()
        https://bugs.webkit.org/show_bug.cgi?id=75178

        Reviewed by Darin Adler.

        Moved the hash calculation code into an out-of-line function to clean up
        the hot path.

        No measurable benchmark change, but this knocks some samples off in
        Instruments, and I think this is a step toward removing -fomit-frame-pointer.
        
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::hashSlowCase):
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::hash): The patch.

        * wtf/text/StringStatics.cpp:
        (WTF::StringImpl::hashSlowCase): Abide by the cockamamie Windows build
        scheme, which requires all out-of-line StringImpl functions used by
        WebCore be defined in this file instead of StringImpl.cpp. (See http://trac.webkit.org/changeset/59187.)

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        Literal tab in JSONString fails
        https://bugs.webkit.org/show_bug.cgi?id=71772

        Reviewed by Oliver Hunt.

        rfc4627 does not allow literal tab characters in JSON source.

        * runtime/LiteralParser.cpp:
        (JSC::isSafeStringCharacter):
            - do not allow literal tab in StrictJSON mode.

2012-01-05  Gavin Barraclough  <barraclough@apple.com>

        push/shift fifo may consume excessive memory
        https://bugs.webkit.org/show_bug.cgi?id=75610

        Reviewed by Sam Weinig.

        Array object commonly store data in a vector, consisting of a portion that is
        in use, a pre-capacity (m_indexBias) and a post-capacity (the delta between
        m_length and m_vectorLength). Calls to shift with grow the pre-capacity, and
        the current algorithm for increaseVectorLength (used by push, or [[Put]]) will
        never shrink the pre-capacity, so a push/shift fifo may consume an inordinate
        amount of memory, whilst having a relatively small active length.

        * runtime/JSArray.cpp:
        (JSC::JSArray::increaseVectorLength):
            - If m_indexBias is non-zero, decay it over time.

2012-01-05  Csaba Osztrogonác  <ossy@webkit.org>

        unshift/pop fifo may consume excessive memory
        https://bugs.webkit.org/show_bug.cgi?id=75588

        Reviewed by Zoltan Herczeg.

        Buildfix after r104120.

        * runtime/JSArray.cpp: Remove useless asserts, baecause unsigned expression >= 0 is always true
        (JSC::JSArray::unshiftCount):

2012-01-05  Zoltan Herczeg  <zherczeg@webkit.org>

        Unreviewed gardening after r104134.

        * wtf/Assertions.cpp:

2012-01-05  Zoltan Herczeg  <zherczeg@webkit.org>

        Unreviewed gardening after r75605.

        Rubber stamped by NOBODY Csaba Osztrogonác.

        * wtf/Assertions.cpp:

2012-01-05  Benjamin Poulain  <benjamin@webkit.org>

        Improve charactersAreAllASCII() to compare multiple characters at a time
        https://bugs.webkit.org/show_bug.cgi?id=74063

        Reviewed by Darin Adler.

        A new header ASCIIFastPath.h contains the functions related to
        the detection of ASCII by using machine words. Part of it comes from
        WebCore's TextCodecASCIIFastPath.h.

        The function charactersAreAllASCII() is moved to TextCodecASCIIFastPath.h
        and is implemented with computer word comparison.
        The gain over the previous implementation of charactersAreAllASCII() is of
        the order of how many comparison are avoided (4x, 8x, 16x depending on the
        format and the CPU type).

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/text/ASCIIFastPath.h: Added.
        (WTF::isAlignedToMachineWord):
        (WTF::alignToMachineWord):
        (WTF::isAllASCII):
        (WTF::charactersAreAllASCII):
        * wtf/text/WTFString.h:
        * wtf/wtf.pro:

2012-01-05  Mark Rowe  <mrowe@apple.com>

        <http://webkit.org/b/75606> [Mac] WTF logging functions should output to both stderr and ASL

        We should always log to both ASL and stderr on platforms where this won't result in launchd
        duplicating the messages.

        Reviewed by Dan Bernstein.

        * wtf/Assertions.cpp:
        (vprintf_stderr_common):

2012-01-05  Mark Rowe  <mrowe@apple.com>

        <http://webkit.org/b/75605> WTF logging functions should call vprintf_stderr_common only once per line

        Several of the WTF logging functions make multiple calls to vprintf_stderr_common to output a
        single line of text. This results in strangely formatted output if vprintf_stderr_common is
        retargeted to an output device that is message-oriented (such as ASL) rather than stream-oriented
        like stderr.

        Reviewed by Dan Bernstein.

        * wtf/Assertions.cpp:
        (vprintf_stderr_with_prefix): Helper function to prepend a given prefix on to the given format
        string before handing it off to vprintf_stderr_common. This requires disabling warnings about
        calling a printf-like function with a non-literal format string for this piece of code. It's
        safe in this particular case as vprintf_stderr_with_prefix is only ever given a literal prefix.
        (vprintf_stderr_with_trailing_newline): Helper function to append a trailling newline on to the
        given format string if one does not already exist. It requires the same treatment with regards
        to the non-literal format string warning.
        (WTFReportAssertionFailureWithMessage): Switch to using vprintf_stderr_with_prefix.
        (WTFReportBacktrace): Switch from calling fprintf directly to using fprintf_stderr_common.
        (WTFReportFatalError): Switch to using vprintf_stderr_with_prefix.
        (WTFReportError): Ditto.
        (WTFLog): Switch to using vprintf_stderr_with_trailing_newline.
        (WTFLogVerbose): Ditto.

2012-01-04  Gavin Barraclough  <barraclough@apple.com>

        unshift/pop fifo may consume excessive memory
        https://bugs.webkit.org/show_bug.cgi?id=75588

        Reviewed by Sam Weinig.

        The Array object commonly store data in a vector, consisting of a portion that
        is in use, a pre-capacity (m_indexBias) and a post-capacity (the delta between
        m_length and m_vectorLength). Calls to pop with grow the post-capacity, and the
        current algorithm for increasePrefixVectorLength (used by unshift) will never
        stink the post-capacity, so a unshift/pop fifo may consume an inordinate amount
        of memory, whilst having a relatively small active length.

        * runtime/JSArray.cpp:
        (JSC::storageSize):
            - sizeof(JSValue) should be sizeof(WriteBarrier<Unknown>)
        (JSC::SparseArrayValueMap::put):
            - sizeof(JSValue) should be sizeof(WriteBarrier<Unknown>)
        (JSC::JSArray::increaseVectorLength):
            - sizeof(JSValue) should be sizeof(WriteBarrier<Unknown>)
        (JSC::JSArray::unshiftCountSlowCase):
            - renamed from increaseVectorPrefixLength (this was a bad name, since it
              also moved the ArrayStorage header), rewritten.
        (JSC::JSArray::shiftCount):
            - sizeof(JSValue) should be sizeof(WriteBarrier<Unknown>), count should be unsigned
        (JSC::JSArray::unshiftCount):
            - sizeof(JSValue) should be sizeof(WriteBarrier<Unknown>), count should be unsigned,
              increaseVectorPrefixLength renamed to unshiftCountSlowCase
        (JSC::JSArray::sortNumeric):
        * runtime/JSArray.h:
            - Updated function declarations, m_indexBias should be unsigned.

2012-01-04  Mark Rowe  <mrowe@apple.com>

        <http://webkit.org/b/75604> All instances of JSC::ArgumentsData appear to be leaked by JSC::Arguments

        Since JSC::Arguments has an OwnPtr for a member it needs to override destroy
        to ensure that the correct destructor is invoked. This is necessary because
        JSCell subclasses all intentionally have non-virtual destructors.

        Reviewed by Filip Pizlo.

        * runtime/Arguments.cpp:
        (JSC::Arguments::destroy):
        * runtime/Arguments.h:

2012-01-04  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, accidentally turned off the JIT in previous commit. Turning
        it back on.

        * wtf/Platform.h:

2012-01-04  Filip Pizlo  <fpizlo@apple.com>

        Changed "return" to "break" in some macrology I introduced in
        http://trac.webkit.org/changeset/104086. This is a benign change, as
        "return" was technically correct for all uses of the macro.

        Reviewed by Oliver Hunt.

        * dfg/DFGGraph.cpp:
        * wtf/Platform.h:

2012-01-04  Michael Saboff  <msaboff@apple.com>

        StructureStubInfo not reset when corresponding MethodCallLinkInfo is reset
        https://bugs.webkit.org/show_bug.cgi?id=75583

        Reviewed by Filip Pizlo.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally): Find the corresponding
        StructureStubInfo and reset the appropriate JIT and
        the StructureStubInfo itself when reseting a MethodCallLinkInfo.

2012-01-04  Michael Saboff  <msaboff@apple.com>

        Invalid ASSERT() in DFGRepatch.cpp near line 385
        https://bugs.webkit.org/show_bug.cgi?id=75584

        Reviewed by Filip Pizlo.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDProtoList): Fixed ASSERT to use ==.

2012-01-04  Filip Pizlo  <fpizlo@apple.com>

        Incorrect use of DFG node reference counts when mutating the graph
        https://bugs.webkit.org/show_bug.cgi?id=75580
        <rdar://problem/10644607>

        Reviewed by Oliver Hunt.
        
        Made deref(node) follow the pattern of ref(node), which it should have
        to begin with.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::refChildren):
        (JSC::DFG::Graph::derefChildren):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::deref):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixupNode):

2012-01-04  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Introduce new qmake variable 'WEBKIT' for signaling dependencies

        The custom qmake variable 'WEBKIT' is used for signaling that a
        target depends in some way on other subproject of the WebKit
        project. For now this is limited to the set of intermediate
        libraries: wtf, javascriptcore, webcore, and webkit2.

        This replaces the previous convension of using load(foo) for
        just include paths, and CONFIG += foo to also link against foo.

        Adding a dependency results in additional include paths being
        available, and potentially linking to the library. This is
        decided by the build system based on conditions such as what
        kind of target is being built and the general build config.

        An advantage to his approach is that it simplifies the individual
        foo.prf files, for example by allowing us to use INCLUDEPATH +=
        and LIBS += as normal instead of prepending.

        Reviewed by Simon Hausmann.

        * Target.pri:
        * jsc.pro:
        * wtf/wtf.pro:

2012-01-03  Filip Pizlo  <fpizlo@apple.com>

        DFG: The assertion that a double-voted variable cannot become double-unvoted is wrong
        https://bugs.webkit.org/show_bug.cgi?id=75516
        <rdar://problem/10640266>

        Reviewed by Gavin Barraclough.
        
        Removed the offending assertion, since it was wrong.  Also hardened the code to make
        this case less likely by first having the propagator fixpoint converge, and then doing
        double voting combined with a second fixpoint.  This is neutral on benchmarks and
        fixes the assertion in a fairly low-risk way (i.e. we won't vote a variable double
        until we've converged to the conclusion that it really is double).

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagatePredictions):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):

2012-01-03  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r98196-98236): Incorrect layout of iGoogle with RSS feeds
        https://bugs.webkit.org/show_bug.cgi?id=75303
        <rdar://problem/10633533>

        Reviewed by Gavin Barraclough.
        
        The this argument was not being kept alive in some cases during inlining and intrinsic
        optimizations.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionCheck):
        (JSC::DFG::ByteCodeParser::handleInlining):

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75140

        Reviewed by Sam Weinig.

        Rewrite JSArray::putSlowCase to be much cleaner & simpler.

        This rewrite only significantly changes behaviour for sparse array, specifically
        in how sparse arrays are reified back to vector form. This does not affect arrays
        with less than 10000 entries (since these always use a vector). The more common
        cases of sparse array behavior (though large sparse arrays are rare) - arrays that
        always remain sparse, and arrays that are filled in reverse sequential order -
        should be just as fast or faster (since reification is simpler & no longer
        requires map lookups) after these changes.

        Simplifying this code allows all cases of putByIndex that need to grow the vector
        to do so via increaseVectorLength, which means that this method can encapsulate
        the policy of determining how the vector should be grown.

        No performance impact.

        * runtime/JSArray.cpp:
        (JSC::isDenseEnoughForVector):
            - any array of length <= MIN_SPARSE_ARRAY_INDEX is dense enough for a vector.
        (JSC::JSArray::putByIndex):
            - simplify & comment.
        (JSC::JSArray::putByIndexBeyondVectorLength):
            - Re-written to be much clearer & simpler.
        (JSC::JSArray::increaseVectorLength):
        (JSC::JSArray::increaseVectorPrefixLength):
            - add explicit checks against MAX_STORAGE_VECTOR_LENGTH, so clients do not need do so.
        (JSC::JSArray::push):
            - simplify & comment.
        * runtime/JSArray.h:
            - removed SparseArrayValueMap::take.

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75140

        Reviewed by Sam Weinig.

        Simplify JSArray creation - remove ArgsList/JSValue* create methods
        (this functionality can be implemented in terms of tryCreateUninitialized).

        * JavaScriptCore.exp:
        * runtime/ArrayConstructor.cpp:
            - use constructArray/constructEmptyArray instead of calling JSArray::create directly
        (JSC::constructArrayWithSizeQuirk):
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
            - removed ArgsList/JSValue* create methods
        * runtime/JSGlobalObject.h:
        (JSC::constructEmptyArray):
        (JSC::constructArray):
            - changed to be implemented in terms of JSArray::tryCreateUninitialized

2012-01-03  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75429
        ThrowTypeError should be a singleton object

        Reviewed by Sam Weinig.

        Per section 13.2.3 of the spec.
        We could change setAccessorDescriptor to be able to share the global
        GetterSetter object, rather than storing the accessor functions and
        creating a new GetterSetter in defineProperty - but this won't be a
        small change to PropertyDescriptors (and would probably mean making
        GetterSetter objects immutable?) - so I'll leave that for another
        patch.

        * JavaScriptCore.exp:
            - don't export setAccessorDescriptor
        * runtime/Arguments.cpp:
        (JSC::Arguments::createStrictModeCallerIfNecessary):
        (JSC::Arguments::createStrictModeCalleeIfNecessary):
            - call throwTypeErrorGetterSetter instead of createTypeErrorFunction
        * runtime/Error.cpp:
        * runtime/Error.h:
            - remove createTypeErrorFunction
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
            - remove unused createDescriptorForThrowingProperty
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
            - removed m_strictModeTypeErrorFunctionStructure.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::internalFunctionStructure):
            - removed m_strictModeTypeErrorFunctionStructure.
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setAccessorDescriptor):
            - changed to take a GetterSetter
        * runtime/PropertyDescriptor.h:
            - changed to take a GetterSetter

2012-01-02  Gavin Barraclough  <barraclough@apple.com>

        Check in fixes for jsc tests following bug #75455.

        * tests/mozilla/ecma/GlobalObject/15.1.2.2-1.js:
        * tests/mozilla/ecma/GlobalObject/15.1.2.2-2.js:

2012-01-02  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75452
        If argument to Error is undefined, message is not set

        Reviewed by Sam Weinig.

        Per section 15.11.1.1 of the spec.

        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        (JSC::ErrorInstance::finishCreation):

2012-01-02  Gavin Barraclough  <barraclough@apple.com>

        ES5 prohibits parseInt from supporting octal
        https://bugs.webkit.org/show_bug.cgi?id=75455

        Reviewed by Sam Weinig.

        See sections 15.1.2.2 and annex E.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):

2012-01-02  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=55343
        Global JSON should be configurable but isn't

        Reviewed by Sam Weinig.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
            - make JSON configurable

2012-01-01  Filip Pizlo  <fpizlo@apple.com>

        Call instructions should leave room for linking information
        https://bugs.webkit.org/show_bug.cgi?id=75422
        <rdar://problem/10633985>

        Reviewed by Oliver Hunt.

        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):

2011-12-31  Dan Bernstein  <mitz@apple.com>

        Continue trying to fix the Windows build after r103823.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-12-31  Dan Bernstein  <mitz@apple.com>

        Start trying to fix the Windows build after r103823.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-12-30  Anders Carlsson  <andersca@apple.com>

        Add a ParamStorageTraits specialization for RetainPtr
        https://bugs.webkit.org/show_bug.cgi?id=75392

        Reviewed by Daniel Bates.

        * wtf/Functional.h:
        Add a partial specialization of ParamStorageTraits for RetainPtr<T>.

        * wtf/RetainPtr.h:
        Bring in the retainPtr function template from WTF.

2011-12-29  Sam Weinig  <sam@webkit.org>

        It should be easier to iterate a Vector backwards
        https://bugs.webkit.org/show_bug.cgi?id=75359

        Reviewed by Anders Carlsson.

        Adds Vector::rbegin(), Vector::rend(), and Vector::reversed(),
        a new proxy driven way to access a vector backwards. One can use
        reversed() in a range-based for loop like so:

            for (auto val: myVector.reversed())
                doSomething(val)

        * wtf/Vector.h:
        (WTF::Vector::~Vector):
        Fix style.

        (WTF::Vector::rbegin):
        (WTF::Vector::rend):
        Added using standard adaptor std::reverse_iterator.

        (WTF::Vector::reversed):
        (WTF::Vector::VectorReverseProxy::begin):
        (WTF::Vector::VectorReverseProxy::end):
        Add proxy similar to one used in HashMap for keys() and values()
        which allows access to a Vector backwards for use in range-based
        for loops.

2011-12-29  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75140

        Reviewed by Oliver Hunt.

        Start cleaning up JSArray construction. JSArray has a set of create methods,
        one of which (currently) takes a 'creation mode' enum parameter. Based on that
        parameter, the constructor does one of two completely different things. If the
        parameter is 'CreateInitialized' it creates an array, setting the length, but
        does not eagerly allocate a storage vector of the specified length. A small
        (BASE_VECTOR_LEN sized) initial vector will be allocated, and cleared, property
        access to the vector will read the hole value (return undefined). The alternate
        usage of this method ('CreateCompact') does something very different. It tries
        to create an array of the requested length, and also allocates a storage vector
        large enough to hold all properties. It does not clear the storage vector,
        leaving the memory uninitialized and requiring the user to call a method
        'uncheckedSetIndex' to initialize values in the vector.

        This patch factors out these two behaviours, moving the 'CreateCompact' mode
        into its own method, 'tryCreateUninitialized' (matching the naming for this
        functionality in the string classes). 'tryCreateUninitialized' may return 0 if
        memory allocation fails during construction of the object. The construction
        pattern changes such that values added during initialization will be marked if
        a GC is triggered during array allocation. 'CreateInitialized' no longer need
        be passed to create a normal, fully constructed array with a length, and this
        method is merged with the version of 'create' that does not take an initial
        length (length parameter defaults to 0).

        * JavaScriptCore.exp:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
            - removed 'CreateInitialized' argument
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):
            - changed to call 'tryCreateUninitialized'
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
            - changed to call 'tryCreateUninitialized'
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
            - initialize m_storage to null; if construction fails, make destruction safe
        (JSC::JSArray::finishCreation):
            - merge versions of this method, takes an initialLength parameter defaulting to zero
        (JSC::JSArray::tryFinishCreationUninitialized):
            - version of 'finishCreation' that tries to eagerly allocate storage; may fail & return 0
        (JSC::JSArray::~JSArray):
            - check for null m_storage, in case array construction failed.
        (JSC::JSArray::increaseVectorPrefixLength):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
            - merge versions of this method, takes an initialLength parameter defaulting to zero
        (JSC::JSArray::tryCreateUninitialized):
            - version of 'create' that tries to eagerly allocate storage; may fail & return 0
        (JSC::JSArray::initializeIndex):
        (JSC::JSArray::completeInitialization):
            - used in conjunction with 'tryCreateUninitialized' to initialize the array
        * runtime/JSGlobalObject.h:
        (JSC::constructEmptyArray):
            - removed 'CreateInitialized' argument
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::finishCreation):
            - removed 'CreateInitialized' argument

2011-12-29  Anders Carlsson  <andersca@apple.com>

        Add a retainPtr function template
        https://bugs.webkit.org/show_bug.cgi?id=75365

        Reviewed by Dan Bernstein.

        This makes it easier to make a RetainPtr using template argument deduction, which
        is useful when passing RetainPtr objects as function arguments.

        * wtf/RetainPtr.h:
        (WTF::retainPtr):

2011-12-28  Yuqiang Xian  <yuqiang.xian@intel.com>

        spill unboxed values in DFG 32_64
        https://bugs.webkit.org/show_bug.cgi?id=75291

        Reviewed by Filip Pizlo.

        Currently all the values are spilled as boxed in DFG 32_64, which is
        not necessary and introduces additional stores/loads. Instead we
        can spill them as unboxed if feasible. It can be applied to the
        Integers, Cells and Booleans in DFG 32_64. Doubles are left as is
        because they don't need to be boxed at all. The modifications to the
        spill/fill and the OSR exit are required, as well as a bug fix to the
        "isUnknownJS" logic.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::displacedInRegisterFile):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dump):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::isUnknownJS):
        (JSC::DFG::GenerationInfo::spill):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::isKnownNotBoolean):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentFillGPR):
        (JSC::DFG::SpeculativeJIT::spill):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-28  Anders Carlsson  <andersca@apple.com>

        Add an implicit block conversion operator to WTF::Function
        https://bugs.webkit.org/show_bug.cgi?id=75325

        Reviewed by Dan Bernstein.

        * wtf/Compiler.h:
        Add a define for COMPILER_SUPPORTS(BLOCKS). It's only defined for clang, since the gcc blocks implementation
        is buggy, especially when it comes to C++.

        * wtf/Functional.h:
        Add a block conversion operator that creates and returns an autoreleased block that will call the function when executed.

2011-12-27  Anders Carlsson  <andersca@apple.com>

        Add a new WTF::bind overload that takes 6 parameters
        https://bugs.webkit.org/show_bug.cgi?id=75287

        Reviewed by Sam Weinig.

        * wtf/Functional.h:

2011-12-27  Sam Weinig  <sam@webkit.org>

        Continue moving compiler feature checks to use the COMPILER_SUPPORTS() macro
        https://bugs.webkit.org/show_bug.cgi?id=75268

        Reviewed by Anders Carlsson.

        * wtf/Compiler.h:
        Add support for COMPILER_SUPPORTS(CXX_NULLPTR) and COMPILER_SUPPORTS(CXX_DELETED_FUNCTIONS).

        * wtf/Noncopyable.h:
        Use COMPILER_SUPPORTS(CXX_DELETED_FUNCTIONS).

        * wtf/NullPtr.cpp:
        * wtf/NullPtr.h:
        Use COMPILER_SUPPORTS(CXX_NULLPTR). Remove support for HAVE(NULLPTR).

        * wtf/RefPtr.h:
        * wtf/RetainPtr.h:
        Switch from HAVE(NULLPTR) to COMPILER_SUPPORTS(CXX_NULLPTR).

2011-12-27  Anders Carlsson  <andersca@apple.com>

        Misc fixes and cleanups in Functional.h
        https://bugs.webkit.org/show_bug.cgi?id=75281

        Reviewed by Andreas Kling.

        - Reformat template declarations so that the class begins on a new line.
        - Change the parameter template parameters to start at P1 instead of P0.
        - Add function wrappers and bind overloads for 4 and 5 parameter functions.
        - Change the Function call operator to be const so const functions can be called.

        * wtf/Functional.h:

2011-12-27  Tony Chang  <tony@chromium.org>

        [chromium] Minor cleanup of gyp files.
        https://bugs.webkit.org/show_bug.cgi?id=75269

        Reviewed by Adam Barth.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: msvs_guid is no longer needed
        and vim/emacs specific hooks should be added by the user.

2011-12-27  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75260
        Null name for host function can result in dereference of uninitialize memory

        Reviewed by Filip Pizlo.

        This is a recent regression in ToT, if the name passed to finishCreation of a host function is null,
        we are currently skipping the putDirect, which leaves memory uninitialized. This patch reverts the
        aspect of the change that introduced the issue.  It might be better if functions that don't have a
        name don't have this property at all, but that's change should be separate from fixing the bug.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
            - Always initialize the name property.

2011-12-27  Anders Carlsson  <andersca@apple.com>

        Function should handle wrapping/unwrapping RefPtr and PassRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=75266

        Reviewed by Sam Weinig.

        Add ParamStorageTraits that can be used for deciding how bound parameters should be stored
        and peeked at. For RefPtr we want to use the raw pointer when "peeking" to avoid ref-churn.
        For PassRefPtr, we want to use RefPtr for storage but still use the raw pointer when peeking.

        * wtf/Functional.h:
        (WTF::ParamStorageTraits::wrap):
        (WTF::ParamStorageTraits::unwrap):

2011-12-27  Tony Chang  <tony@chromium.org>

        [chromium] really enable wpo for WebCore libs and for WTF
        https://bugs.webkit.org/show_bug.cgi?id=75264

        Reviewed by Adam Barth.

        * JavaScriptCore.gyp/JavaScriptCore.gyp: Enable WPO for wtf and yarr.

2011-12-26  Gavin Barraclough  <barraclough@apple.com>

        Errk! OS X build fix.

        * JavaScriptCore.exp:

2011-12-26  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSObject.h:

2011-12-26  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75231
        Fail to throw in strict mode on assign to read only static properties

        Reviewed by Filip Pizlo.

        There are three bugs here:
        * symbolTablePut should throw for strict mode accesses.
        * lookupPut should throw for strict mode accesses.
        * NumberConstructor should override put to call lookupPut, to trap assignment to readonly properties.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::put):
        * runtime/JSActivation.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::put):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::symbolTablePut):
        * runtime/Lookup.h:
        (JSC::lookupPut):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::put):
        * runtime/NumberConstructor.h:

2011-12-26  Gavin Barraclough  <barraclough@apple.com>

        Fix miss-commit of utf8 change.

        Reviewed by Filip Pizlo

        Eeep, patch as landed a while ago had no effect! - acidentally landed
        modified version of patch used for performance testing.

        (This isn't covered by layout tests because layour tests don't use jsc,
        and the tests/mozilla tests use latin1, which was already supported!)

        Landing changes as intended (and as originally reviewed).

        * jsc.cpp:
        (jscSource):

2011-12-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for ARMv7.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16Signed):
        (JSC::MacroAssemblerARMv7::load8Signed):

2011-12-26  Hajime Morrita  <morrita@google.com>

        Rename WTF_INLINE, JS_INLINE to HIDDEN_INLINE
        https://bugs.webkit.org/show_bug.cgi?id=74990

        Reviewed by Kevin Ollivier.

        * runtime/JSExportMacros.h: Removed JS_INLINE
        * wtf/ExportMacros.h: Renamed WTF_INLINE to HIDDEN_INLINE

2011-12-24  Filip Pizlo  <fpizlo@apple.com>

        The ArgumentCount field in the CallFrame should have its tag left blank for other uses
        https://bugs.webkit.org/show_bug.cgi?id=75199
        <rdar://problem/10625105>
        <rdar://problem/10625106>

        Reviewed by Oliver Hunt.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * interpreter/CallFrame.h:
        (JSC::ExecState::argumentCountIncludingThis):
        (JSC::ExecState::setArgumentCountIncludingThis):
        * interpreter/Register.h:
        (JSC::Register::unboxedInt32):
        (JSC::Register::unboxedBoolean):
        (JSC::Register::unboxedCell):
        (JSC::Register::payload):
        (JSC::Register::tag):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileOpCall):

2011-12-25  Andreas Kling  <awesomekling@apple.com>

        Yarr: Avoid copying vectors in CharacterClassConstructor.
        <http://webkit.org/b/75206>

        Reviewed by Darin Adler.

        Yarr::CharacterClassConstructor::charClass() was hot when loading twitter
        feeds (1.2%), replace the usage of Vector::append() by swap() since we're
        always clearing the source vector afterwards anyway.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::charClass):

2011-12-24  Darin Adler  <darin@apple.com>

        Specialize HashTraits for RefPtr to use PassRefPtr as "pass type" to reduce reference count churn
        https://bugs.webkit.org/show_bug.cgi?id=72476

        Reviewed by Sam Weinig.

        * wtf/HashTraits.h: Defined PassInType and store function in HashTraits<RefPtr>.

2011-12-23  Geoffrey Garen  <ggaren@apple.com>

        Inlined Yarr::execute
        https://bugs.webkit.org/show_bug.cgi?id=75180

        Reviewed reluctantly by Beth Dakin.
        
        Tiny speedup on SunSpider string tests. Removes some samples from
        Instruments. A step toward removing -fomit-frame-pointer.

        * yarr/YarrJIT.cpp:
        * yarr/YarrJIT.h:
        (JSC::Yarr::execute): ONE LINE FUNCTION, Y U NOT INLINED?!

2011-12-23  Filip Pizlo  <fpizlo@apple.com>

        DFG loads from signed 8-bit and 16-bit typed arrays are broken
        https://bugs.webkit.org/show_bug.cgi?id=75163

        Reviewed by Geoffrey Garen.
        
        Added 8-bit and 16-bit signed loads. Because doing so on ARM is less trivial, I'm
        currently disabling Int8Array and Int16Array optimizations on ARM.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8Signed):
        (JSC::MacroAssemblerX86Common::load16Signed):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movswl_mr):
        (JSC::X86Assembler::movsbl_mr):
        * bytecode/PredictedType.h:
        (JSC::isActionableMutableArrayPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt8Array):
        (JSC::DFG::Node::shouldSpeculateInt16Array):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):

2011-12-23  Filip Pizlo  <fpizlo@apple.com>

        DFG does double-to-int conversion incorrectly when storing into int typed arrays
        https://bugs.webkit.org/show_bug.cgi?id=75164
        <rdar://problem/10557547>

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchTruncateDoubleToUint32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerX86Common::truncateDoubleToUint32):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

2011-12-23  Geoffrey Garen  <ggaren@apple.com>

        Refactored String.prototype.replace
        https://bugs.webkit.org/show_bug.cgi?id=75114
        
        Reviewed by Darin Adler.

        No performance difference.
        
        I think this is a step toward removing -fomit-frame-pointer.

        * runtime/JSString.cpp:
        * runtime/JSString.h: Removed the test and special case for a single-character
        search string because the standard path does this test and special case
        for us. (As an aside, if we do come up with a unique single-character
        replace optimization in future, it probably belongs in the replace function,
        and not in JSString.)

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace): Split this mega-sized function into:
        (JSC::replaceUsingStringSearch): - This reasonably sized function, and
        (JSC::replaceUsingRegExpSearch): - This still mega-sized function.

2011-12-23  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] REGRESSION(r103467): It broke fast/images/animated-gif-restored-from-bfcache.html
        https://bugs.webkit.org/show_bug.cgi?id=75087

        monotonicallyIncreasingTime needs to hava a higher resolution than milliseconds.

        Reviewed by Darin Adler.

        * wtf/CurrentTime.cpp:
        (WTF::monotonicallyIncreasingTime):

2011-12-22  Filip Pizlo  <fpizlo@apple.com>

        DFG should not speculate array even when predictions say that the base is not an array
        https://bugs.webkit.org/show_bug.cgi?id=75160
        <rdar://problem/10622646>
        <rdar://problem/10622649>

        Reviewed by Oliver Hunt.
        
        Added the ability to call slow path when the base is known to not be an array.
        Also rationalized the logic for deciding when the index is not an int, and
        cleaned up the logic for deciding when to speculate typed array.
        
        Neutral for the most part, with odd speed-ups and slow-downs. The slow-downs can
        likely be mitigated by having the notion of a polymorphic array access, where we
        try, but don't speculate, to access the array one way before either trying some
        other ways or calling slow path.

        * bytecode/PredictedType.h:
        (JSC::isActionableMutableArrayPrediction):
        (JSC::isActionableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt8Array):
        (JSC::DFG::Node::shouldSpeculateInt16Array):
        (JSC::DFG::Node::shouldSpeculateInt32Array):
        (JSC::DFG::Node::shouldSpeculateUint8Array):
        (JSC::DFG::Node::shouldSpeculateUint16Array):
        (JSC::DFG::Node::shouldSpeculateUint32Array):
        (JSC::DFG::Node::shouldSpeculateFloat32Array):
        (JSC::DFG::Node::shouldSpeculateFloat64Array):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::byValIsPure):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-22  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - fix stylebot issues from last patch.

        * runtime/JSArray.cpp:
        (JSC::JSArray::putSlowCase):

2011-12-22  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75151
        Add attributes field to JSArray's SparseMap

        Reviewed by Sam Weinig.

        This will be necessary to be able to support non- writable/configurable/enumerable
        properties, and helpful for getters/setters.

        Added a concept of being 'inSparseMode' - this indicates the array has a non-standard

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
            - JSArray::sort methods not allowed on arrays that are 'inSparseMode'.
              (must fall back to generic sort alogrithm).
        * runtime/JSArray.cpp:
        (JSC::JSArray::finishCreation):
            - moved reportedMapCapacity into the SparseArrayValueMap object.
        (JSC::SparseArrayValueMap::find):
        (JSC::SparseArrayValueMap::put):
        (JSC::SparseArrayValueMap::visitChildren):
            - Added.
        (JSC::JSArray::getOwnPropertySlotByIndex):
        (JSC::JSArray::getOwnPropertyDescriptor):
        (JSC::JSArray::putSlowCase):
        (JSC::JSArray::deletePropertyByIndex):
        (JSC::JSArray::getOwnPropertyNames):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::visitChildren):
            - Updated for changes in SparseArrayValueMap.
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sort):
        (JSC::JSArray::compactForSorting):
            - Disallow on 'SparseMode' arrays.
        * runtime/JSArray.h:
        (JSC::SparseArrayEntry::SparseArrayEntry):
            - An entry in the sparse array - value (WriteBarrier) + attributes.
        (JSC::SparseArrayValueMap::SparseArrayValueMap):
        (JSC::SparseArrayValueMap::sparseMode):
        (JSC::SparseArrayValueMap::setSparseMode):
            - Flags to track whether an Array is forced into SparseMode.
        (JSC::SparseArrayValueMap::remove):
        (JSC::SparseArrayValueMap::notFound):
        (JSC::SparseArrayValueMap::isEmpty):
        (JSC::SparseArrayValueMap::contains):
        (JSC::SparseArrayValueMap::size):
        (JSC::SparseArrayValueMap::begin):
        (JSC::SparseArrayValueMap::end):
            - accessors to the map
        (JSC::SparseArrayValueMap::take):
            - only for use on non-SpareMode arrays.
        (JSC::JSArray::inSparseMode):
            - Added.

2011-12-22  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA sometimes generates an incorrect proof that a node is known to be a typed array
        https://bugs.webkit.org/show_bug.cgi?id=75150
        <rdar://problem/10621900>

        Reviewed by Gavin Barraclough.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2011-12-22  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does exactly the wrong thing when doing strict equality on two known cells
        https://bugs.webkit.org/show_bug.cgi?id=75138
        <rdar://problem/10621526>

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):

2011-12-22  Balazs Kelemen  <kbalazs@webkit.org>

        Fix debug build with assertions disabled
        https://bugs.webkit.org/show_bug.cgi?id=75075

        Reviewed by Darin Adler.

        Check whether assertions are disabled instead of NDEBUG
        where appropriate to avoid "defined but not used" warnings.

        * wtf/DateMath.cpp:
        (WTF::initializeDates):

2011-12-22  Mariusz Grzegorczyk  <mariusz.g@samsung.com>

        [EFL] Missing plugins support for efl port
        https://bugs.webkit.org/show_bug.cgi?id=44505

        Reviewed by Anders Carlsson.

        Add define of ENABLE_PLUGIN_PACKAGE_SIMPLE_HASH for efl port.

        * wtf/Platform.h:

2011-12-22  Wei Charles  <charles.wei@torchmobile.com.cn>

        Remove un-used data member of LiteralParser::Lex::m_string
        https://bugs.webkit.org/show_bug.cgi?id=68216

        Reviewed by George Staikos.

        * runtime/LiteralParser.h:

2011-12-21  Dan Bernstein  <mitz@apple.com>

        OS X build fix after r103488.

        * JavaScriptCore.exp:

2011-12-21  Konrad Piascik  <kpiascik@rim.com>

        Implement the JavaScriptCore bindings for eventListenerHandlerLocation
        https://bugs.webkit.org/show_bug.cgi?id=74313

        Reviewed by Eric Seidel.

        Updated project files to get Windows and Mac builds working.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-12-21  Filip Pizlo  <fpizlo@apple.com>

        DFG ConvertThis optimizations do not honor the distinction between the global object and the global this object
        https://bugs.webkit.org/show_bug.cgi?id=75058
        <rdar://problem/10616612>
        <rdar://problem/10617500>

        Reviewed by Oliver Hunt.
        
        Added a call to toThisObject() in the DFG when planting a direct reference to the global this object.
        Instead of adding a separate toThisObject() method on JSCell which does not take ExecState*, I reascribed
        a new contract: if you're calling toThisObject() on JSObject or one of its subtypes, then the ExecState*
        is optional.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::globalThisObjectFor):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSObject.h:

2011-12-21  Pierre Rossi  <pierre.rossi@gmail.com>

        Implement montonicallyIncreasingClock() on Qt
        https://bugs.webkit.org/show_bug.cgi?id=62159

        Reviewed by Darin Adler.

        * wtf/CurrentTime.cpp:
        (WTF::monotonicallyIncreasingTime):

2011-12-20  Filip Pizlo  <fpizlo@apple.com>

        32_64 baseline JIT should attempt to convert division results to integers, and record when that fails
        https://bugs.webkit.org/show_bug.cgi?id=74997
        <rdar://problem/10612389>

        Reviewed by Gavin Barraclough.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_div):

2011-12-20  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore should be consistent about how it reads and writes ArgumentCount
        https://bugs.webkit.org/show_bug.cgi?id=74989
        <rdar://problem/10612006>

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_arguments_length):
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):

2011-12-20  Filip Pizlo  <fpizlo@apple.com>

        Value Profiles for arguments should be more easily accessible to the interpreter
        https://bugs.webkit.org/show_bug.cgi?id=74984
        <rdar://problem/10611364>

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setArgumentValueProfileSize):
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        (JSC::CodeBlock::valueProfileForArgument):
        (JSC::CodeBlock::addValueProfile):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::totalNumberOfValueProfiles):
        (JSC::CodeBlock::getFromAllValueProfiles):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):

2011-12-20  Gavin Barraclough  <barraclough@apple.com>

        JSC shell should accept utf8 input.

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (jscSource):
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        (runWithScripts):
        (runInteractive):

2011-12-20  Gavin Barraclough  <barraclough@apple.com>

        Rubber Stamped by Sam Weinig

        * runtime/JSGlobalData.cpp:
            - removed some dead code.

2011-12-19  Geoffrey Garen  <ggaren@apple.com>

        Tightened up Vector<T>::append
        https://bugs.webkit.org/show_bug.cgi?id=74906

        Reviewed by Sam Weinig.

        Not a measurable speedup, but code inspection shows better code generated,
        and I believe this is a step toward turning off -fomit-frame-pointer.

        * wtf/Vector.h:
        (WTF::::append):
        (WTF::::appendSlowCase): Split out the slow case into a separate function
        to keep unnecessary instructions off the hot path. This means the hot
        path can now be inlined more often.
        
        Removed some old MSVC7 cruft. Hopefully, we don't need to hang on to a
        compiler work-around from 2007.

2011-12-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        Temporary GPR should not be lazily allocated in DFG JIT on X86
        https://bugs.webkit.org/show_bug.cgi?id=74908

        Reviewed by Filip Pizlo.

        On X86, we used to allocate a temporary GPR lazily when it's really
        used rather than defined. This may cause potential issues of
        allocating registers inside control flow and result in problems in
        subsequent code generation, for example the DFG JIT may think an
        operand already being spilled (to satisfy the allocation request) and
        generate code to read the data from memory, but the allocation and
        spilling are in a branch which is not taken at runtime, so the
        generated code is incorrect.

        Although current DFG JIT code doesn't have this problematic pattern,
        it's better to cut-off the root to avoid any potential issues in the
        future.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::GPRTemporary::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        Remove unused code for non-speculative Arith operations from DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=74905

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:

2011-12-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=74903
        Exceptions not thrown correctly from DFG JIT on 32bit

        Reviewed by Oliver Hunt.

        Arguments for lookupExceptionHandler are not setup correctly.
        In the case of ARMv7 we rely on lr being preserved over a call,
        this in invalid. On x86 we don't should be poking the arguments onto the stack!

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        * dfg/DFGGPRInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addExceptionCheck):
        (JSC::DFG::JITCompiler::addFastExceptionCheck):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:

2011-12-19  Filip Pizlo  <fpizlo@apple.com>

        If we detect that we can use the JIT, don't use computed opcode lookups
        https://bugs.webkit.org/show_bug.cgi?id=74899
        <rdar://problem/10604551>

        Reviewed by Gavin Barraclough.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2011-12-19  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Qt build.

        Unreviewed.

        * wtf/ThreadSpecific.h: #include!

2011-12-18  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to change the value of an Options variable without recompiling the world
        https://bugs.webkit.org/show_bug.cgi?id=74807

        Reviewed by Gavin Barraclough.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):
        * runtime/Options.h:

2011-12-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r103250.
        http://trac.webkit.org/changeset/103250
        https://bugs.webkit.org/show_bug.cgi?id=74877

        it still breaks codegen (Requested by olliej on #webkit).

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::byValIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-16  Oliver Hunt  <oliver@apple.com>

        Rolling r103120 back in with merge errors corrected.

        PutByVal[Alias] unnecessarily reloads the storage buffer
        https://bugs.webkit.org/show_bug.cgi?id=74747

        Reviewed by Gavin Barraclough.

        Make PutByVal use GetIndexedStorage to load the storage buffer.
        This required switching PutByVal to a vararg node (which is
        responsible for most of the noise in this patch).  This fixes the
        remaining portion of the kraken regression caused by the GetByVal
        storage load elimination, and a 1-5% win on some of the sub tests of
        the typed array benchmark at:
        http://stepheneb.github.com/webgl-matrix-benchmarks/matrix_benchmark.html

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::byValIndexIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-15  Geoffrey Garen  <ggaren@apple.com>

        Placement new does an unnecessary NULL check
        https://bugs.webkit.org/show_bug.cgi?id=74676

        Reviewed by Sam Weinig.

        We can define our own version, which skips the NULL check.
        
        Not a measurable speedup, but code inspection shows better code generated,
        and I believe this is a step toward turning off -fomit-frame-pointer.

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::create): Use the NotNull version of placement
        new to skip the NULL check.

        * API/JSCallbackObject.h: Removed a conflicting, unnecessaray placement new.

        (JSC::JSCallbackObject::create):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::grow):
        * heap/HandleHeap.h:
        (JSC::HandleHeap::allocate):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::recycle):
        * jit/JITCode.h:
        (JSC::JITCode::clear):
        * jsc.cpp:
        (GlobalObject::create):
        * profiler/CallIdentifier.h:
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::create):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::create):
        (JSC::TerminatedExecutionError::create):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::create):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::create):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::create): Use the NotNull version of placement
        new to skip the NULL check.

        * runtime/JSCell.h: Removed a conflicting, unnecessaray placement new.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        * runtime/JSGlobalThis.h:
        (JSC::JSGlobalThis::create):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::create):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::create):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createNull):
        (JSC::RopeBuilder::create):
        (JSC::RopeBuilder::createHasOtherOwner):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        * runtime/RegExp.cpp:
        (JSC::RegExp::createWithoutCaching):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::create):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::createStructure):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):
        * testRegExp.cpp:
        (GlobalObject::create):
        * wtf/BitVector.cpp:
        (WTF::BitVector::OutOfLineBits::create): Use the NotNull version of placement
        new to skip the NULL check.

        * wtf/BumpPointerAllocator.h:
        (WTF::BumpPointerPool::create): Standardized spacing to make grep easier.

        * wtf/ByteArray.cpp:
        (WTF::ByteArray::create):
        * wtf/Deque.h:
        (WTF::::append):
        (WTF::::prepend): Use NotNull, as above.

        * wtf/FastAllocBase.h: Added a placement new, since this class would otherwise
        hide the name of the global placement new.

        (WTF::fastNew): Standardized spacing. Most of these functions don't need
        NotNull, since they check for NULL, and the optimizer can see that.

        * wtf/HashTable.h:
        * wtf/HashTraits.h:
        (WTF::SimpleClassHashTraits::constructDeletedValue):
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::allocFreeSpaceNode): NotNull, as above.

        * wtf/StdLibExtras.h:
        (throw): This is our NotNull placement new. Declaring that we throw is
        the C++ way to say that operator new will not return NULL.

        * wtf/ThreadSpecific.h:
        (WTF::T):
        * wtf/Vector.h:
        (WTF::::append):
        (WTF::::tryAppend):
        (WTF::::uncheckedAppend):
        (WTF::::insert):
        * wtf/text/AtomicStringHash.h:
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::createUninitialized):
        (WTF::StringImpl::reallocate):
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::tryCreateUninitialized):
        * wtf/text/StringStatics.cpp:
        (WTF::AtomicString::init): Use NotNull, as above.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::allocDisjunctionContext):
        (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
        (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext): Standardized
        spacing for easy grep.

2011-12-19  Eric Carlson  <eric.carlson@apple.com>

        Enable <track> for Mac build
        https://bugs.webkit.org/show_bug.cgi?id=74838

        Reviewed by Darin Adler.

        * wtf/Platform.h:

2011-12-18  Filip Pizlo  <fpizlo@apple.com>

        DFG is too sloppy with register allocation
        https://bugs.webkit.org/show_bug.cgi?id=74835

        Reviewed by Gavin Barraclough.
        
        Added assertions that at the end of a successfully generated basic block,
        all use counts should be zero. This revealed a number of bugs:
        
        - Array length optimizations were turning a must-generate node into one
          that is not must-generate, but failing to change the ref count
          accordingly.
          
        - Indexed property storage optimizations were failing to deref their
          children, or to deref the indexed property storage node itself. Also,
          they used the Phantom node as a replacement. But the Phantom node is
          must-generate, which was causing bizarre issues. So this introduces a
          Nop node, which should be used in cases where you want a node that is
          skipped and has no children.
          
        This does not have any significant performance effect, but it should
        relieve some register pressure. The main thing this patch adds, though,
        are the assertions, which should make it easier to do register allocation
        related changes in the future.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initConstant):
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::use):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::deref):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-18  Benjamin Poulain  <bpoulain@apple.com>

        Remove the duplicated code from ASCIICType.h
        https://bugs.webkit.org/show_bug.cgi?id=74771

        Reviewed by Andreas Kling.

        Use isASCIIDigit() and isASCIIAlpha() instead of copying the code.

        * wtf/ASCIICType.h:
        (WTF::isASCIIDigit):
        (WTF::isASCIIAlphanumeric):
        (WTF::isASCIIHexDigit):

2011-12-18  Anders Carlsson  <andersca@apple.com>

        Set the main frame view scroll position asynchronously
        https://bugs.webkit.org/show_bug.cgi?id=74823

        Reviewed by Sam Weinig.

        * JavaScriptCore.exp:

2011-12-10  Andreas Kling  <kling@webkit.org>

        OpaqueJSClass: Remove RVCT2 workarounds.
        <http://webkit.org/b/74250>

        Reviewed by Benjamin Poulain.

        We no longer need workarounds for the RVCT2 compiler since it was
        only used for the Symbian port of WebKit which is now defunct.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):

2011-12-16  Benjamin Poulain  <bpoulain@apple.com>

        Remove the duplicated code from ASCIICType.h
        https://bugs.webkit.org/show_bug.cgi?id=74771

        Reviewed by Andreas Kling.

        The functions were sharing similar code and were defined for the various input types.
        Use templates instead to avoid code duplication.

        * wtf/ASCIICType.h:
        (WTF::isASCII):
        (WTF::isASCIIAlpha):
        (WTF::isASCIIAlphanumeric):
        (WTF::isASCIIDigit):
        (WTF::isASCIIHexDigit):
        (WTF::isASCIILower):
        (WTF::isASCIIOctalDigit):
        (WTF::isASCIIPrintable):
        (WTF::isASCIISpace):
        (WTF::isASCIIUpper):
        (WTF::toASCIILower):
        (WTF::toASCIIUpper):
        (WTF::toASCIIHexValue):
        (WTF::lowerNibbleToASCIIHexDigit):
        (WTF::upperNibbleToASCIIHexDigit):

2011-12-16  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit may get confused about where in the scratch buffer it stored a value
        https://bugs.webkit.org/show_bug.cgi?id=74695

        Reviewed by Oliver Hunt.
        
        The code that reads from the scratch buffer now explicitly knows which locations to
        read from. No new tests, since this patch covers a case so uncommon that I don't know
        how to make a test for it.

        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::badIndex):
        (JSC::DFG::OSRExitCompiler::initializePoisoned):
        (JSC::DFG::OSRExitCompiler::poisonIndex):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2011-12-16  Oliver Hunt  <oliver@apple.com>

        PutByVal[Alias] unnecessarily reloads the storage buffer
        https://bugs.webkit.org/show_bug.cgi?id=74747

        Reviewed by Gavin Barraclough.

        Make PutByVal use GetIndexedStorage to load the storage buffer.
        This required switching PutByVal to a vararg node (which is
        responsible for most of the noise in this patch).  This fixes the
        remaining portion of the kraken regression caused by the GetByVal
        storage load elimination, and a 1-5% win on some of the sub tests of
        the typed array benchmark at:
        http://stepheneb.github.com/webgl-matrix-benchmarks/matrix_benchmark.html

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::byValIndexIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-16  Daniel Bates  <dbates@rim.com>

        Include BlackBerryPlatformLog.h instead of BlackBerryPlatformMisc.h

        Rubber-stamped by Antonio Gomes.

        BlackBerry::Platform::logV() is declared in BlackBerryPlatformLog.h. That is, it isn't
        declared in BlackBerryPlatformMisc.h. Hence, we should include BlackBerryPlatformLog.h
        instead of BlackBerryPlatformMisc.h.

        * wtf/Assertions.cpp:

2011-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize destructors
        https://bugs.webkit.org/show_bug.cgi?id=74331

        Reviewed by Geoffrey Garen.

        This is a megapatch which frees us from the chains of virtual destructors.

        In order to remove the virtual destructors, which are the last of the virtual 
        functions, from the JSCell hierarchy, we need to add the ClassInfo pointer to 
        the cell rather than to the structure because in order to be able to lazily call 
        the static destroy() functions that will replace the virtual destructors, we 
        need to be able to access the ClassInfo without the danger of the object's 
        Structure being collected before the object itself.

        After adding the ClassInfo to the cell, we can then begin to remove our use 
        of vptrs for optimizations within the JIT and the GC.  When we have removed 
        all of the stored vptrs from JSGlobalData, we can then also remove all of 
        the related VPtrStealingHack code.

        The replacement for virtual destructors will be to add a static destroy function 
        pointer to the MethodTable stored in ClassInfo.  Any subclass of JSCell that has 
        a non-trivial destructor will require its own static destroy function to static 
        call its corresponding destructor, which will now be non-virtual.  In future 
        patches we will slowly move away from destructors altogether as we make more and 
        more objects backed by GC memory rather than malloc-ed memory.  The GC will now 
        call the static destroy method rather than the virtual destructor.

        As we go through the hierarchy and add static destroy functions to classes, 
        we will also add a new assert, ASSERT_HAS_TRIVIAL_DESTRUCTOR, to those classes 
        to which it applies.  The future goal is to eventually have every class have that assert.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::destroy): Add a destroy function to statically call 
        ~JSCallbackConstructor because it has some extra destruction logic.
        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.cpp: Add trivial destructor assert for JSCallbackFunction.
        * API/JSCallbackObject.cpp: Add a destroy function to statically call ~JSCallbackObject 
        because it has a member OwnPtr that needs destruction.
        (JSC::::destroy):
        * API/JSCallbackObject.h:
        * JavaScriptCore.exp: Add/remove necessary symbols for JSC.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Same for Windows symbols.
        * debugger/DebuggerActivation.cpp: DebuggerActivation, for some strange reason, didn't 
        have its own ClassInfo despite the fact that it overrides a number of MethodTable 
        methods.  Added the ClassInfo, along with an assertion that its destructor is trivial.
        * debugger/DebuggerActivation.h:
        * dfg/DFGOperations.cpp: Remove global data first argument to isJSArray, isJSByteArray, 
        isJSString, as it is no longer necessary.
        (JSC::DFG::putByVal):
        * dfg/DFGRepatch.cpp:  Ditto.  Also remove uses of jsArrayVPtr in favor of using the 
        JSArray ClassInfo pointer.
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:  Replace uses of the old vptrs with new ClassInfo 
        comparisons since we don't have vptrs anymore.
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h: Ditto.
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        * dfg/DFGSpeculativeJIT32_64.cpp: Ditto.
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp: Ditto.
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/Heap.cpp: Remove all uses of vptrs in GC optimizations and replace them with 
        ClassInfo comparisons.
        (JSC::Heap::Heap):
        * heap/MarkStack.cpp: Ditto.
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        (JSC::visitChildren):
        (JSC::SlotVisitor::drain):
        * heap/MarkStack.h: Ditto.
        (JSC::MarkStack::MarkStack):
        * heap/MarkedBlock.cpp: Ditto.
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h: Ditto.
        * heap/SlotVisitor.h: Ditto.
        (JSC::SlotVisitor::SlotVisitor):
        * heap/VTableSpectrum.cpp: Now that we don't have vptrs, we can't count them.  
        We'll have to rename this class and make it use ClassInfo ptrs in a future patch.
        (JSC::VTableSpectrum::count):
        * interpreter/Interpreter.cpp: Remove all global data arguments from isJSArray, 
        etc. functions.
        (JSC::loadVarargs):
        (JSC::Interpreter::tryCacheGetByID):
        (JSC::Interpreter::privateExecute):
        * jit/JIT.h: Remove vptr argument from emitAllocateBasicJSObject 
        * jit/JITInlineMethods.h: Remove vptr planting, and add ClassInfo planting, 
        remove all vtable related code.
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC::JIT::emitAllocateJSFinalObject):
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITOpcodes.cpp: Replace vptr related branch code with corresponding ClassInfo.
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_convert_this):
        * jit/JITOpcodes32_64.cpp: Ditto.
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_convert_this):
        * jit/JITPropertyAccess.cpp: Ditto.
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * jit/JITPropertyAccess32_64.cpp: Ditto.
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * jit/JITStubs.cpp: Remove global data argument from isJSString, etc.
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/SpecializedThunkJIT.h: Replace vptr related stuff with ClassInfo stuff.
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        * runtime/ArrayConstructor.cpp: Add trivial destructor assert.
        * runtime/ArrayPrototype.cpp: Remove global data argument from isJSArray.
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        * runtime/BooleanConstructor.cpp: Add trivial destructor assert.
        * runtime/BooleanObject.cpp: Ditto.
        * runtime/BooleanPrototype.cpp: Ditto.
        * runtime/ClassInfo.h: Add destroy function pointer to MethodTable.
        * runtime/DateConstructor.cpp: Add trivial destructor assert.
        * runtime/DateInstance.cpp: Add destroy function for DateInstance because it has a RefPtr 
        that needs destruction.
        (JSC::DateInstance::destroy):
        * runtime/DateInstance.h:
        * runtime/Error.cpp: Ditto (because of UString member).
        (JSC::StrictModeTypeErrorFunction::destroy):
        * runtime/Error.h:
        * runtime/ErrorConstructor.cpp: Add trivial destructor assert.
        * runtime/ErrorInstance.cpp: Ditto.
        * runtime/ExceptionHelpers.cpp: Ditto.
        * runtime/Executable.cpp: Add destroy functions for ExecutableBase and subclasses.
        (JSC::ExecutableBase::destroy):
        (JSC::NativeExecutable::destroy):
        (JSC::ScriptExecutable::destroy):
        (JSC::EvalExecutable::destroy):
        (JSC::ProgramExecutable::destroy):
        (JSC::FunctionExecutable::destroy):
        * runtime/Executable.h:
        * runtime/FunctionConstructor.cpp: Add trivial destructor assert.
        * runtime/FunctionPrototype.cpp: Ditto. Also remove global data first arg from isJSArray.
        (JSC::functionProtoFuncApply):
        * runtime/GetterSetter.cpp: Ditto.
        * runtime/InitializeThreading.cpp: Remove call to JSGlobalData::storeVPtrs since it no 
        longer exists.
        (JSC::initializeThreadingOnce):
        * runtime/InternalFunction.cpp: Remove vtableAnchor function, add trivial destructor assert, 
        remove first arg from isJSString.
        (JSC::InternalFunction::displayName):
        * runtime/InternalFunction.h: Remove VPtrStealingHack.
        * runtime/JSAPIValueWrapper.cpp: Add trivial destructor assert.
        * runtime/JSArray.cpp: Add static destroy to call ~JSArray.  Replace vptr checks in 
        destructor with ClassInfo checks.
        (JSC::JSArray::~JSArray):
        (JSC::JSArray::destroy):
        * runtime/JSArray.h: Remove VPtrStealingHack.  Remove globalData argument from isJSArray 
        and change them to check the ClassInfo rather than the vptrs.
        (JSC::isJSArray):
        * runtime/JSBoundFunction.cpp: Add trival destructor assert. Remove first arg from isJSArray.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        * runtime/JSByteArray.cpp: Add static destroy function, replace vptr checks with ClassInfo checks.
        (JSC::JSByteArray::~JSByteArray):
        (JSC::JSByteArray::destroy):
        * runtime/JSByteArray.h: Remove VPtrStealingHack code.
        (JSC::isJSByteArray):
        * runtime/JSCell.cpp: Add trivial destructor assert.  Add static destroy function.
        (JSC::JSCell::destroy):
        * runtime/JSCell.h: Remove VPtrStealingHack code.  Add function for returning the offset 
        of the ClassInfo pointer in the object for use by the JIT.  Add the ClassInfo pointer to 
        the JSCell itself, and grab it from the Structure.  Remove the vptr and setVPtr functions, 
        as they are no longer used.  Add a validatedClassInfo function to JSCell for any clients 
        that want to verify, while in Debug mode, that the ClassInfo contained in the cell is the 
        same one as that contained in the Structure.  This isn't used too often, because most of 
        the places where we compare the ClassInfo to things can be called during destruction.  
        Since the Structure is unreliable during the phase when destructors are being called, 
        we can't call validatedClassInfo.
        (JSC::JSCell::classInfoOffset):
        (JSC::JSCell::structure):
        (JSC::JSCell::classInfo):
        * runtime/JSFunction.cpp: Remove VPtrStealingHack code.  Add static destroy, remove vtableAnchor, 
        remove first arg from call to isJSString.
        (JSC::JSFunction::destroy):
        (JSC::JSFunction::displayName):
        * runtime/JSFunction.h: 
        * runtime/JSGlobalData.cpp: Remove all VPtr stealing code and storage, including storeVPtrs, 
        as these vptrs are no longer needed in the codebase.
        * runtime/JSGlobalData.h:
        (JSC::TypedArrayDescriptor::TypedArrayDescriptor): Changed the TypedArrayDescriptor to use 
        ClassInfo rather than the vptr.
        * runtime/JSGlobalObject.cpp: Add static destroy function.
        (JSC::JSGlobalObject::destroy):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalThis.cpp: Add trivial destructor assert.
        * runtime/JSNotAnObject.cpp: Ditto.
        * runtime/JSONObject.cpp: Ditto. Remove first arg from isJSArray calls.
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp: 
        (JSC::JSFinalObject::destroy):
        (JSC::JSNonFinalObject::destroy):
        (JSC::JSObject::destroy):
        * runtime/JSObject.h: Add trivial destructor assert for JSObject, remove vtableAnchor 
        from JSNonFinalObject and JSFinalObject, add static destroy for JSFinalObject and 
        JSNonFinalObject, add isJSFinalObject utility function similar to isJSArray, remove all VPtrStealingHack code.
        (JSC::JSObject::finishCreation):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSFinalObject::finishCreation):
        (JSC::isJSFinalObject):
        * runtime/JSPropertyNameIterator.cpp: Add static destroy.
        (JSC::JSPropertyNameIterator::destroy):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp: Ditto.
        (JSC::JSStaticScopeObject::destroy):
        * runtime/JSStaticScopeObject.h: Ditto. 
        * runtime/JSString.cpp:
        (JSC::JSString::destroy):
        * runtime/JSString.h: Ditto. Remove VPtrStealingHack code. Also remove fixupVPtr code, 
        since we no longer need to fixup vptrs.
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring8):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        (JSC::jsStringBuilder):
        (JSC::isJSString):
        * runtime/JSVariableObject.cpp: 
        (JSC::JSVariableObject::destroy):
        * runtime/JSVariableObject.h: Ditto.
        * runtime/JSWrapperObject.cpp:
        * runtime/JSWrapperObject.h: Add trivial destructor assert.
        * runtime/MathObject.cpp: Ditto.
        * runtime/NativeErrorConstructor.cpp: Ditto.
        * runtime/NumberConstructor.cpp: Ditto.
        * runtime/NumberObject.cpp: Ditto.
        * runtime/NumberPrototype.cpp: Ditto.
        * runtime/ObjectConstructor.cpp: Ditto.
        * runtime/ObjectPrototype.cpp: Ditto.
        * runtime/Operations.h: Remove calls to fixupVPtr, remove first arg to isJSString.
        (JSC::jsString):
        (JSC::jsLess):
        (JSC::jsLessEq):
        * runtime/RegExp.cpp: Add static destroy.
        (JSC::RegExp::destroy):
        * runtime/RegExp.h:
        * runtime/RegExpConstructor.cpp: Add static destroy for RegExpConstructor and RegExpMatchesArray.
        (JSC::RegExpConstructor::destroy):
        (JSC::RegExpMatchesArray::destroy):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp: Add static destroy.
        (JSC::RegExpObject::destroy):
        * runtime/RegExpObject.h:
        * runtime/ScopeChain.cpp: Add trivial destructor assert.
        * runtime/ScopeChain.h:
        * runtime/StrictEvalActivation.cpp: Ditto.
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp: Ditto. Remove vtableAnchor.
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp: Ditto.
        * runtime/Structure.cpp: Add static destroy.
        (JSC::Structure::destroy):
        * runtime/Structure.h: Move JSCell::finishCreation and JSCell constructor into Structure.h 
        because they need to have the full Structure type to access the ClassInfo to store in the JSCell.
        (JSC::JSCell::setStructure):
        (JSC::JSCell::validatedClassInfo):
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        * runtime/StructureChain.cpp: Add static destroy.
        (JSC::StructureChain::destroy):
        * runtime/StructureChain.h:
        * wtf/Assertions.h: Add new assertion ASSERT_HAS_TRIVIAL_DESTRUCTOR, which uses clangs 
        ability to tell us when a class has a trivial destructor. We will use this assert 
        more in future patches as we move toward having all JSC objects backed by GC memory, 
        which means moving away from using destructors/finalizers.

2011-12-15  Martin Robinson  <mrobinson@igalia.com>

        Fix 'make dist' in preparation for the GTK+ release.

        * GNUmakefile.list.am: Add missing header.

2011-12-15  Sam Weinig  <sam@webkit.org>

        <rdar://problem/10552550> JavaScriptCore uses obsolete 'cpy' mnemonic in ARM assembly

        Reviewed by Gavin Barraclough.

        Original patch by Jim Grosbach.

        * jit/JITStubs.cpp:
        (JSC::ctiTrampoline):
        (JSC::ctiVMThrowTrampoline):
        Replace uses of the 'cpy' mnemonic with 'mov'.

2011-12-15  Filip Pizlo  <fpizlo@apple.com>

        Value profiling should distinguished between NaN and non-NaN doubles
        https://bugs.webkit.org/show_bug.cgi?id=74682

        Reviewed by Gavin Barraclough.
        
        Added PredictDoubleReal and PredictDoubleNaN. PredictDouble is now the union
        of the two.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromValue):
        * bytecode/PredictedType.h:
        (JSC::isDoubleRealPrediction):
        (JSC::isDoublePrediction):

2011-12-15  Anders Carlsson  <andersca@apple.com>

        Regression (r102866): Navigating away from or closing a page with a plugin crashes
        https://bugs.webkit.org/show_bug.cgi?id=74655
        <rdar://problem/10590024>

        Reviewed by Sam Weinig.

        Rewrite HasRefAndDeref to work if ref and deref are implemented in base classes,
        using a modified version of the technique described here:
        http://groups.google.com/group/comp.lang.c++.moderated/msg/e5fbc9305539f699
        
        * wtf/Functional.h:

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Warnings fixes in Interpreter.cpp and PrivateExecute.cpp
        https://bugs.webkit.org/show_bug.cgi?id=74624

        Reviewed by Darin Adler.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute): Fix variables unused in
        release mode.
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ParallelEnvironment): Fix
        signed/unsigned comparison warning, with a cast.

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Use more macrology in JSC::Options
        https://bugs.webkit.org/show_bug.cgi?id=72938

        Reviewed by Filip Pizlo.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):
        * runtime/Options.h: Use macros to ensure that all heuristics are
        declared and have initializers.

2011-12-15  Anders Carlsson  <andersca@apple.com>

        Add ScrollingCoordinator class and ENABLE_THREADED_SCROLLING define
        https://bugs.webkit.org/show_bug.cgi?id=74639

        Reviewed by Andreas Kling.

        Add ENABLE_THREADED_SCROLLING #define.

        * wtf/Platform.h:

2011-12-15  Anders Carlsson  <andersca@apple.com>

        EventDispatcher should handle wheel events on the connection queue
        https://bugs.webkit.org/show_bug.cgi?id=74627

        Reviewed by Andreas Kling.

        Add a BoundFunctionImpl specialization that takes three parameters.

        * wtf/Functional.h:
        (WTF::C::):
        (WTF::R):
        (WTF::bind):

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Add WTF::Function to wtf/Forward.h
        https://bugs.webkit.org/show_bug.cgi?id=74576

        Reviewed by Adam Roben.

        * jsc.cpp:
        Work around a name conflict in the readline library.

        * wtf/Forward.h:
        Add Function.

2011-12-15  Igor Oliveira  <igor.oliveira@openbossa.org>

        [Qt] Support requestAnimationFrame API
        https://bugs.webkit.org/show_bug.cgi?id=74528

        Let Qt port use REQUEST_ANIMATION_FRAME_TIMER.

        Reviewed by Kenneth Rohde Christiansen.

        * wtf/Platform.h:

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Minor refactor to Parser::parseTryStatement
        https://bugs.webkit.org/show_bug.cgi?id=74507

        Reviewed by Geoffrey Garen.

        * parser/Parser.cpp (JSC::Parser::parseTryStatement): Use the
        Parser's declareVariable instead of going directly to the scope.
        This will facilitate future checks related to harmony block
        scoping.

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Rename JSC::Heuristics to JSC::Options
        https://bugs.webkit.org/show_bug.cgi?id=72889

        Reviewed by Filip Pizlo.

        * runtime/Options.cpp: Renamed from Source/JavaScriptCore/runtime/Heuristics.cpp.
        * runtime/Options.h: Renamed from Source/JavaScriptCore/runtime/Heuristics.h.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::reoptimizationRetryCounter):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeSoon):
        (JSC::CodeBlock::largeFailCountThreshold):
        (JSC::CodeBlock::largeFailCountThresholdForLoop):
        (JSC::CodeBlock::shouldReoptimizeNow):
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        * heap/MarkStack.cpp:
        (JSC::MarkStackSegmentAllocator::allocate):
        (JSC::MarkStackSegmentAllocator::shrinkReserve):
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::donateSomeCellsTo):
        (JSC::MarkStackArray::stealSomeCellsFrom):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::donateSlow):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        * heap/MarkStack.h:
        (JSC::MarkStack::mergeOpaqueRootsIfProfitable):
        (JSC::MarkStack::addOpaqueRoot):
        (JSC::MarkStackArray::canDonateSomeCells):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::donate):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce): Adapt callers and build systems.

        * testRegExp.cpp:
        (CommandLine::CommandLine):
        * jsc.cpp:
        (CommandLine::CommandLine):
        Rename from Options, to avoid name conflict.

2011-12-14  Sam Weinig  <sam@webkit.org>

        Revert unintentional change to JavaScriptCore.def

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-12-14  Sam Weinig  <weinig@apple.com>

        Remove whitespace from InheritedPropertySheets attributes in
        vsprops files to appease the Visual Studio project migrator.

        Reviewed by Adam Roben.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebug.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugAll.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreProduction.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreRelease.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFDebug.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFDebugAll.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFProduction.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFRelease.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFReleasePGO.vsprops:
        * JavaScriptCore.vcproj/jsc/jscDebug.vsprops:
        * JavaScriptCore.vcproj/jsc/jscDebugAll.vsprops:
        * JavaScriptCore.vcproj/jsc/jscDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/jsc/jscProduction.vsprops:
        * JavaScriptCore.vcproj/jsc/jscRelease.vsprops:
        * JavaScriptCore.vcproj/jsc/jscReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiDebug.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiDebugAll.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiProduction.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiRelease.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiReleaseCairoCFLite.vsprops:

2011-12-14  Anders Carlsson  <andersca@apple.com>

        binding a member function should ref/deref the object pointer if needed
        https://bugs.webkit.org/show_bug.cgi?id=74552

        Reviewed by Sam Weinig.

        Add a HasRefAndDeref helper class template which checks if a given class type has ref and deref
        member functions which the right type. Use this to determine if we should ref/deref the first parameter.

        * wtf/Functional.h:
        (WTF::R):
        (WTF::C::):
        (WTF::RefAndDeref::ref):
        (WTF::RefAndDeref::deref):

2011-12-14  Hajime Morrita  <morrita@chromium.org>

        JS_INLINE and WTF_INLINE should be visible from WebCore
        https://bugs.webkit.org/show_bug.cgi?id=73191

        - Moved Export related macro definitions from config.h to ExportMacros.h and JSExportMacros.h.
        - Moved WTF_USE_JSC and WTF_USE_V8 from various config.h family to Platform.h.
        - Replaced JS_EXPORTDATA in wtf moudule with newly introduced WTF_EXPORTDATA.

        Reviewed by Kevin Ollivier.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * runtime/JSExportMacros.h: Added.
        * wtf/ExportMacros.h:
        * wtf/Platform.h:
        * wtf/WTFThreadData.h:
        * wtf/text/AtomicString.h:
        * wtf/text/StringStatics.cpp:

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Work around a bug in the MSVC2005 compiler
        https://bugs.webkit.org/show_bug.cgi?id=74550

        Reviewed by Sam Weinig.

        Add template parameters for the return types of the partial specializations of BoundFunctionImpl.

        * wtf/Functional.h:
        (WTF::R):

2011-12-13  Jon Lee  <jonlee@apple.com>

        Enable notifications on Mac.

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2011-12-14  David Kilzer  <ddkilzer@apple.com>

        Remove definition of old ENABLE(YARR) macro
        <http://webkit.org/b/74532>

        Reviewed by Darin Adler.

        * wtf/Platform.h: Removed ENABLE_YARR macros.

2011-12-14  Anders Carlsson  <andersca@apple.com>

        bind should handle member functions
        https://bugs.webkit.org/show_bug.cgi?id=74529

        Reviewed by Sam Weinig.

        Add FunctionWrapper partial specializations for member function pointers.

        * wtf/Functional.h:
        (WTF::C::):

2011-12-14  Gavin Barraclough  <barraclough@apple.com>

        DFG relies on returning a struct in registers
        https://bugs.webkit.org/show_bug.cgi?id=74527

        Reviewed by Geoff Garen.

        This will not work on all platforms. Returning a uint64_t will more reliably achieve
        what we want, on 32-bit platforms (on 64-bit, stick with the struct return).

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        (JSC::DFG::DFGHandler::dfgHandlerEncoded):

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Add unary and binary bind overloads
        https://bugs.webkit.org/show_bug.cgi?id=74524

        Reviewed by Sam Weinig.

        * wtf/Functional.h:
        (WTF::R):
        (WTF::FunctionWrapper::ResultType):
        (WTF::bind):

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Add back the callOnMainThread overload that takes a WTF::Function
        https://bugs.webkit.org/show_bug.cgi?id=74512

        Reviewed by Darin Adler.

        Add back the overload; the changes to WebCore should hopefully keep Windows building.

        * wtf/MainThread.cpp:
        (WTF::callFunctionObject):
        (WTF::callOnMainThread):
        * wtf/MainThread.h:

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should infer when local variables are doubles
        https://bugs.webkit.org/show_bug.cgi?id=74480

        Reviewed by Oliver Hunt.
        
        Introduced the notion that a local variable (though not an argument, yet!) can
        be stored as a double, and will be guaranteed to always contain a double. This
        requires more magic in the OSR (conversion in both entry and exit). The inference
        is quite unorthodox: all uses of a variable vote on whether they think it should
        be a double or a JSValue, based on how they use it. If they use it in an integer
        or boxed value context, they vote JSValue. If they use it in a double context,
        they vote double. This voting is interleaved in the propagator's fixpoint, so
        that variables voted double then have a double prediction propagated from them.
        This interleaving is needed because a variable that actually always contains an
        integer that always gets used in arithmetic that involves doubles may end up
        being voted double, which then means that all uses of the variable will see a
        double rather than an integer.
        
        This is worth 18% to SunSpider/3d-cube, 7% to Kraken/audio-beat-detection, 7%
        to Kraken/audio-fft, 6% to Kraken/imaging-darkroom, 20% to
        Kraken/imaging-gaussian-blur, and just over 1% to Kraken/json-parse-financial.
        It results in a 1% speed-up on SunSpider and a 4% speed-up in Kraken.  Similar
        results on JSVALUE32_64, though with a bigger win on Kraken (5%) and no overall
        win on SunSpider.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::alreadyInRegisterFileAsUnboxedDouble):
        (JSC::ValueRecovery::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::boxDouble):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::vote):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (JSC::DFG::Propagator::propagatePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::clearVotes):
        (JSC::DFG::VariableAccessData::vote):
        (JSC::DFG::VariableAccessData::doubleVoteRatio):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-12-13  Anders Carlsson  <andersca@apple.com>

        Try to fix the Windows build.

        Remove the callOnMainThread overload that takes a WTF::Function since it's not being used.

        * wtf/MainThread.cpp:
        * wtf/MainThread.h:

2011-12-13  Anders Carlsson  <andersca@apple.com>

        Add a very bare-bones implementation of bind and Function to WTF
        https://bugs.webkit.org/show_bug.cgi?id=74462

        Reviewed by Sam Weinig.

        In order to make it easier to package up function calls and send them across
        threads, add a (currently very simple) implementation of WTF::bind and WTF::Function to a new
        wtf/Functional.h header.

        Currently, all bind can do is bind a nullary function and return a Function object that can be called and copied,
        but I'll add more as the need arises.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/Functional.h: Added.
        (WTF::R):
        (WTF::FunctionImplBase::~FunctionImplBase):
        (WTF::FunctionWrapper::ResultType):
        (WTF::FunctionBase::isNull):
        (WTF::FunctionBase::FunctionBase):
        (WTF::FunctionBase::impl):
        (WTF::bind):
        * wtf/MainThread.cpp:
        (WTF::callFunctionObject):
        (WTF::callOnMainThread):
        * wtf/MainThread.h:
        * wtf/wtf.pro:

2011-12-13  Geoffrey Garen  <ggaren@apple.com>

        <rdar://problem/10577239> GC Crash introduced in r102545

        Reviewed by Gavin Barraclough.
        
        MarkedArgumentBuffer was still marking items in forwards order, even though
        the argument order has been reversed.
        
        I fixed this bug, and replaced address calculation code with some helper
        functions -- mallocBase() and slotFor() -- so it stays fixed everywhere.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::markLists):
        (JSC::MarkedArgumentBuffer::slowAppend):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::at):
        (JSC::MarkedArgumentBuffer::append):
        (JSC::MarkedArgumentBuffer::last):
        (JSC::MarkedArgumentBuffer::slotFor):
        (JSC::MarkedArgumentBuffer::mallocBase):

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit for UInt32ToNumber should roll forward, not roll backward
        https://bugs.webkit.org/show_bug.cgi?id=74463

        Reviewed by Gavin Barraclough.
        
        Implements roll-forward OSR exit for UInt32ToNumber, which requires ValueRecoveries knowing
        how to execute the slow path of UInt32ToNumber.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::lastOSRExit):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::operator!=):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::uint32InGPR):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::dump):
        * dfg/DFGAssemblyHelpers.cpp:
        * dfg/DFGAssemblyHelpers.h:
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::valueRecoveryForOperand):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-13  Oliver Hunt  <oliver@apple.com>

        Arguments object doesn't handle mutation of length property correctly
        https://bugs.webkit.org/show_bug.cgi?id=74454

        Reviewed by Gavin Barraclough.

        Correct handling of arguments objects with overridden length property

        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        (JSC::Arguments::fillArgList):

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG GetByVal CSE rule should match PutByValAlias
        https://bugs.webkit.org/show_bug.cgi?id=74390

        Reviewed by Geoff Garen.
        
        Tiny win on some benchmarks. Maybe a 0.2% win on SunSpider.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getByValLoadElimination):

2011-12-13  Andy Wingo  <wingo@igalia.com>

        Fix interpreter debug build.
        https://bugs.webkit.org/show_bug.cgi?id=74439

        Reviewed by Geoffrey Garen.

        * bytecode/ValueRecovery.h: Include stdio.h on debug builds.

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should know exactly why recompilation was triggered
        https://bugs.webkit.org/show_bug.cgi?id=74362

        Reviewed by Oliver Hunt.
        
        Each OSR exit is now individually counted, as well as counting the total number 
        of OSR exits that occurred in a code block. If recompilation is triggered, we
        check to see if there are OSR exit sites that make up a sufficiently large
        portion of the total OSR exits that occurred. For any such OSR exit sites, we
        add a description of the site (bytecode index, kind) to a data structure in the
        corresponding baseline CodeBlock. Then, when we recompile the code, we immediately
        know which speculations would be unwise based on the fact that previous such
        speculations proved to be fruitless.
        
        This means 2% win on two of the SunSpider string tests, a 4% win on V8's deltablue,
        and 5% on Kraken's imaging-darkroom. It is only a minor win in the averages, less
        than 0.5%.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::exitProfile):
        (JSC::CodeBlock::reoptimize):
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/DFGExitProfile.cpp: Added.
        (JSC::DFG::ExitProfile::ExitProfile):
        (JSC::DFG::ExitProfile::~ExitProfile):
        (JSC::DFG::ExitProfile::add):
        (JSC::DFG::QueryableExitProfile::QueryableExitProfile):
        (JSC::DFG::QueryableExitProfile::~QueryableExitProfile):
        * bytecode/DFGExitProfile.h: Added.
        (JSC::DFG::exitKindToString):
        (JSC::DFG::exitKindIsCountable):
        (JSC::DFG::FrequentExitSite::FrequentExitSite):
        (JSC::DFG::FrequentExitSite::operator!):
        (JSC::DFG::FrequentExitSite::operator==):
        (JSC::DFG::FrequentExitSite::hash):
        (JSC::DFG::FrequentExitSite::bytecodeOffset):
        (JSC::DFG::FrequentExitSite::kind):
        (JSC::DFG::FrequentExitSite::isHashTableDeletedValue):
        (JSC::DFG::FrequentExitSiteHash::hash):
        (JSC::DFG::FrequentExitSiteHash::equal):
        (JSC::DFG::QueryableExitProfile::hasExitSite):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::baselineCodeBlockForOriginAndBaselineCodeBlock):
        (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-12-13  Michael Saboff  <msaboff@apple.com>

        Cleanup of StringImpl::equal in r102631 post commit
        https://bugs.webkit.org/show_bug.cgi?id=74421

        Reviewed by Darin Adler.

        * wtf/text/AtomicString.h:
        (WTF::operator==): Removed cast no longer needed.
        * wtf/text/StringImpl.h:
        (WTF::equal): Changed template to several overloaded methods.

2011-12-12  Michael Saboff  <msaboff@apple.com>

        Eliminate Duplicate word at a time equal code in StringImpl.cpp and StringHash.h
        https://bugs.webkit.org/show_bug.cgi?id=73622

        Reviewed by Oliver Hunt.

        Moved equal(charType1 *, charType2, unsigned) template methods
        from static StringImpl.cpp to StringImpl.h and then replaced the
        processor specific character comparison code in StringHash::equal
        with calls to these methods.

        This change is worth 3% on SunSpider string-unpack-code as reported
        by the SunSpider command line harness.  No other tests appear to
        have measurable performance changes.

        * wtf/text/AtomicString.h:
        (WTF::operator==):
        * wtf/text/StringHash.h:
        (WTF::StringHash::equal):
        * wtf/text/StringImpl.cpp:
        * wtf/text/StringImpl.h:
        (WTF::LChar):
        (WTF::UChar):
        (WTF::equal):

2011-12-12  Filip Pizlo  <fpizlo@apple.com>

        ARMv7 version of DFG soft modulo does register allocation inside of control flow
        https://bugs.webkit.org/show_bug.cgi?id=74354

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):

2011-12-12  Andy Wingo  <wingo@igalia.com>

        Simplify autotools configure.ac
        https://bugs.webkit.org/show_bug.cgi?id=74312

        Reviewed by Martin Robinson.

        * GNUmakefile.am: Add JSC_CPPFLAGS to javascriptcore_cppflags.

2011-12-12  Filip Pizlo  <fpizlo@apple.com>

        DFG GetByVal CSE incorrectly assumes that a non-matching PutByVal cannot clobber
        https://bugs.webkit.org/show_bug.cgi?id=74329

        Reviewed by Gavin Barraclough.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getByValLoadElimination):

2011-12-09  Alexander Pavlov  <apavlov@chromium.org>

        WebKit does not enumerate over CSS properties in HTMLElement.style
        https://bugs.webkit.org/show_bug.cgi?id=23946

        Reviewed by Darin Adler.

        Add a few exports to follow the JSCSSStyleDeclaration.cpp changes,
        introduce an std::sort() comparator function.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.h:
        (WTF::codePointCompareLessThan): Used by std::sort() to sort properties.

2011-12-12  Alexander Pavlov  <apavlov@chromium.org>

        Unreviewed, build fix.

        Revert r102570 which broke SnowLeopard builders.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.h:

2011-12-09  Alexander Pavlov  <apavlov@chromium.org>

        WebKit does not enumerate over CSS properties in HTMLElement.style
        https://bugs.webkit.org/show_bug.cgi?id=23946

        Reviewed by Darin Adler.

        Add a few exports to follow the JSCSSStyleDeclaration.cpp changes,
        introduce an std::sort() comparator function.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.h:
        (WTF::codePointCompareLessThan): Used by std::sort() to sort properties.

2011-12-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am:

2011-12-11  Sam Weinig  <sam@webkit.org>

        Fix another signed vs. unsigned warning

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):

2011-12-11  Sam Weinig  <sam@webkit.org>

        Fix a signed vs. unsigned warning.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::slowAppend):
        Cast inlineCapacity to an int to appease the warning. This is known OK
        since inlineCapacity is defined to be 8.

2011-12-11  Geoffrey Garen  <ggaren@apple.com>

        Rolled out *another* debugging change I committed accidentally.

        Unreviewed.

        * Configurations/Base.xcconfig:

2011-12-11  Geoffrey Garen  <ggaren@apple.com>
        
        Rolled out a debug counter I committed accidentally.

        Unreviewed.

        * jit/JITStubs.cpp:
        (JSC::arityCheckFor):

2011-12-10  Geoffrey Garen  <ggaren@apple.com>

        v8 benchmark takes 12-13 million function call slow paths due to extra arguments
        https://bugs.webkit.org/show_bug.cgi?id=74244

        Reviewed by Filip Pizlo.
        
        .arguments function of order the Reversed
        
        10% speedup on v8-raytrace, 1.7% speedup on v8 overall, neutral on Kraken
        and SunSpider.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForArgument): Clarified that the interface
        to this function is an argument number.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::isArgumentNumber): Switched to using CallFrame
        helper functions for computing offsets for arguments, rather than doing
        the math by hand.
        
        Switched to iterating argument offsets backwards (--) instead of forwards (++).

        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::thisRegister):
        (JSC::CallArguments::argumentRegister):
        (JSC::CallArguments::registerOffset): Updated for arguments being reversed.

        * bytecompiler/NodesCodegen.cpp: Allocate arguments in reverse order.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack): Use abstract argument indices
        that just-in-time convert to bytecode operands (i.e., indexes in the register
        file) through helper functions. This means only one piece of code needs
        to know how arguments are laid out in the register file.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump): Ditto.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor): Ditto.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction): The whole point of this patch:
        Treat too many arguments as an arity match.

        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::variableForIndex):
        (JSC::DFG::OSRExit::operandForIndex): Use helper functions, as above.

        * dfg/DFGOperands.h:
        (JSC::DFG::operandToArgument):
        (JSC::DFG::argumentToOperand): These are now the only two lines of code in
        the DFG compiler that know how arguments are laid out in memory.

        (JSC::DFG::Operands::operand):
        (JSC::DFG::Operands::setOperand): Use helper functions, as above.

        * dfg/DFGOperations.cpp: The whole point of this patch:
        Treat too many arguments as an arity match.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall): Use helper functions, as above.
        
        Also, don't tag the caller frame slot as a cell, because it's not a cell.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall): Use helper functions, as above.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Use helper functions, as above.

        (JSC::DFG::SpeculativeJIT::checkArgumentTypes): Use already-computed
        argument virtual register instead of recomputing by hand.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callFrameSlot):
        (JSC::DFG::SpeculativeJIT::argumentSlot):
        (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::argumentTagSlot):
        (JSC::DFG::SpeculativeJIT::argumentPayloadSlot): Added a few helper
        functions for dealing with callee arguments specifically. These still
        build on top of our other helper functions, and have no direct knowledge
        of how arguments are laid out in the register file.

        (JSC::DFG::SpeculativeJIT::resetCallArguments):
        (JSC::DFG::SpeculativeJIT::addCallArgument): Renamed argumentIndex to
        argumentOffset to match CallFrame naming.

        (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand): Use helper
        functions, as above.

        * interpreter/CallFrame.h:
        (JSC::ExecState::argumentOffset):
        (JSC::ExecState::argumentOffsetIncludingThis):
        (JSC::ExecState::argument):
        (JSC::ExecState::setArgument):
        (JSC::ExecState::thisArgumentOffset):
        (JSC::ExecState::thisValue):
        (JSC::ExecState::setThisValue):
        (JSC::ExecState::offsetFor):
        (JSC::ExecState::hostThisRegister):
        (JSC::ExecState::hostThisValue): Added a bunch of helper functions for
        computing where an argument is in the register file. Anything in the
        runtime that needs to access arguments should use these helpers.

        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::setThis):
        (JSC::CallFrameClosure::setArgument):
        (JSC::CallFrameClosure::resetCallFrame): This stuff is a lot simpler, now
        that too many arguments counts as an arity match and doesn't require
        preserving two copies of our arguments.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::slideRegisterWindowForCall): Only need to do something
        special if the caller provided too few arguments.
        
        Key simplification: We never need to maintain two copies of our arguments
        anymore.

        (JSC::eval):
        (JSC::loadVarargs): Use helper functions.

        (JSC::Interpreter::unwindCallFrame): Updated for new interface.

        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall): Seriously, though: use helper
        functions.

        (JSC::Interpreter::privateExecute): No need to check for stack overflow
        when calling host functions because they have zero callee registers.

        (JSC::Interpreter::retrieveArguments): Explicitly tear off the arguments
        object, since there's no special constructor for this anymore.

        * interpreter/Interpreter.h: Reduced the C++ re-entry depth because some
        workers tests were hitting stack overflow in some of my testing. We should
        make this test more exact in future.

        * interpreter/RegisterFile.h: Death to all runtime knowledge of argument
        location that does not belong to the CallFrame class!

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile): I am a broken record and I use helper functions.
        
        Also, the whole point of this patch: Treat too many arguments as an arity match.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs): Updated the argument copying math to use
        helper functions, for backwards-correctness. Removed the condition
        pertaining to declared argument count because, now that arguments are
        always in just one place, this optimization is valid for all functions.
        Standardized the if predicate for each line of the optimization. This might
        fix a bug, but I couldn't get the bug to crash in practice.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emitSlow_op_get_argument_by_val): Removed cti_op_create_arguments_no_params
        optimization because it's no longer an optimization, now that arguments
        are always contiguous in a known location.
        
        Updated argument access opcode math for backwards-correctness.

        * jit/JITStubs.cpp:
        (JSC::arityCheckFor): Updated just like slideRegisterWindowForCall. This
        function is slightly different because it copies the call frame in
        addition to the arguments. (In the Interpreter, the call frame is not
        set up by this point.)

        (JSC::lazyLinkFor): The whole point of this patch: Treat too many
        arguments as an arity match.

        (JSC::DEFINE_STUB_FUNCTION): Updated for new iterface to tearOff().

        * jit/JITStubs.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadDoubleArgument):
        (JSC::SpecializedThunkJIT::loadCellArgument):
        (JSC::SpecializedThunkJIT::loadInt32Argument): Use helper functions! They
        build strong bones and teeth!

        * runtime/ArgList.cpp:
        (JSC::ArgList::getSlice):
        (JSC::MarkedArgumentBuffer::slowAppend):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::at):
        (JSC::MarkedArgumentBuffer::clear):
        (JSC::MarkedArgumentBuffer::append):
        (JSC::MarkedArgumentBuffer::removeLast):
        (JSC::MarkedArgumentBuffer::last):
        (JSC::ArgList::ArgList):
        (JSC::ArgList::at): Updated for backwards-correctness. WTF::Vector doesn't
        play nice with backwards-ness, so I changed to using manual allocation.
        
        Fixed a FIXME about not all values being marked in the case of out-of-line
        arguments. I had to rewrite the loop anyway, and I didn't feel like
        maintaining fidelity to its old bugs.

        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        (JSC::Arguments::copyToArguments):
        (JSC::Arguments::fillArgList):
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::getOwnPropertyDescriptor):
        (JSC::Arguments::putByIndex):
        (JSC::Arguments::put):
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation): Secondary benefit of this patch: deleted
        lots of tricky code designed to maintain two different copies of function
        arguments. Now that arguments are always contiguous in one place in memory,
        this complexity can go away.
        
        Reduced down to one create function for the Arguments class, from three.

        Moved tearOff() into an out-of-line function because it's huge.
        
        Moved logic about whether to tear off eagerly into the Arguments class,
        so we didn't have to duplicate it elsewhere.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::visitChildren): Renamed m_numParametersMinusThis to
        m_numCapturedArgs because if the value really were m_numParametersMinusThis
        we would be marking too much. (We shouldn't mark 'this' because it can't
        be captured.) Also, use helper functions.

        * runtime/JSActivation.h:
        (JSC::JSActivation::tearOff): Use helper functions.

        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h: Use helper functions, as above.

2011-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC testapi is crashing on Windows
        https://bugs.webkit.org/show_bug.cgi?id=74233

        Reviewed by Sam Weinig.

        Same error we've encountered before where we are calling the wrong version of 
        visitChildren and objects that are still reachable aren't getting marked.
        This problem will go away soon with the removal of vptrs for these sorts of 
        optimizations in favor of using the ClassInfo, but for now we can simply give 
        JSFinalObject a bogus virtual method that Visual Studio can't optimize away to
        ensure that JSFinalObject will always have a unique vptr.  We don't have to worry 
        about JSString or JSArray right now, which are the other two special cases for
        visitChildren, since they already have their own virtual functions.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSObject.cpp:
        (JSC::JSFinalObject::vtableAnchor):
        * runtime/JSObject.h:

2011-12-10  Alexis Menard  <alexis.menard@openbossa.org>

        Unused variable in YarrJIT.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=74237

        Reviewed by Andreas Kling.

        Variable is set but not used so we can remove it.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

2011-12-09  Filip Pizlo  <fpizlo@apple.com>

        DFG ArithMul power-of-two case does not check for overflow
        https://bugs.webkit.org/show_bug.cgi?id=74230

        Reviewed by Gavin Barraclough.
        
        Disabled power-of-2 peephole optimization for multiplication, because it was wrong,
        and any attempt to fix it would likely introduce code bloat and register pressure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMul):

2011-12-09  David Levin  <levin@chromium.org>

        REGRESSION(r101863-r102042): Assertion hit: m_verifier.isSafeToUse() in RefCountedBase::ref in FunctionCodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=73886

        Reviewed by Darin Adler.

        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::SharedSymbolTable): Added deprecatedTurnOffVerifier for
        another JavaScriptObject, since JavaScriptCore objects allow use on multiple threads.
        Bug 58091 is about changing these deprecated calls to something else but that something
        else will still need to be in all of these places.

2011-12-09  Konrad Piascik  <kpiascik@rim.com>

        Remove unnecessary file DissasemblerARM.cpp from build system
        https://bugs.webkit.org/show_bug.cgi?id=74184

        Reviewed by Daniel Bates.

        * PlatformBlackBerry.cmake:

2011-12-09  Filip Pizlo  <fpizlo@apple.com>

        DFG's interpretation of rare case profiles should be frequency-based not count-based
        https://bugs.webkit.org/show_bug.cgi?id=74170

        Reviewed by Geoff Garen.
        
        DFG optimizes for rare cases only when the rare case counter is above some threshold
        and it also constitutes a large enough fraction of total function executions. Also
        added some minor debug logic.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::executionEntryCount):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-12-09  Oliver Hunt  <oliver@apple.com>

        PutByValAlias unnecessarily clobbers GetIndexedPropertyStorage
        https://bugs.webkit.org/show_bug.cgi?id=74223

        Reviewed by Geoffrey Garen.

        Don't clobber GetIndexedPropertyStorage when we see PutByValAlias

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):

2011-12-09  David Levin  <levin@chromium.org>

        Hash* iterators should allow comparison between const and const versions.
        https://bugs.webkit.org/show_bug.cgi?id=73370

        Reviewed by Darin Adler.

        * wtf/HashTable.h: Add the operators needed to do this.
        (WTF::HashTableConstIterator::operator==):
        (WTF::HashTableConstIterator::operator!=):
        (WTF::HashTableIterator::operator==):
        (WTF::HashTableIterator::operator!=):
        (WTF::operator==):
        (WTF::operator!=):

2011-12-09  Michael Saboff  <msaboff@apple.com>

        YARR: Multi-character read optimization for 8bit strings
        https://bugs.webkit.org/show_bug.cgi?id=74191

        Reviewed by Oliver Hunt.

        Changed generatePatternCharacterOnce to generate
        code for 1 to 4 characters in the 8 bit case.
        This is worth 29% improvement on SunSpider regexp-dna test.
        It provides no benefit to v8-regexp.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generate): Spelling fix in comment.

2011-12-09  David Levin  <levin@chromium.org>

        Regression(r53595): Sync xhr requests in workers aren't terminated on worker close.
        https://bugs.webkit.org/show_bug.cgi?id=71695

        Reviewed by Zoltan Herczeg.

        * wtf/MessageQueue.h:
        (WTF::MessageQueue::tryGetMessageIgnoringKilled): Added a way to get messages
        even after the queue has been killed. This is useful when one wants to
        kill a queue but then go through it to run clean up tasks from it.

2011-12-09  Adrienne Walker  <enne@google.com>

        Fix HashMap<..., OwnPtr<...> >::add compilation errors
        https://bugs.webkit.org/show_bug.cgi?id=74159

        Reviewed by Darin Adler.

        Add a constructor to OwnPtr that takes the empty value (nullptr_t)
        from HashTraits so that this function can compile.

        * wtf/OwnPtr.h:
        (WTF::OwnPtr::OwnPtr):

2011-12-09  Oliver Hunt  <oliver@apple.com>

        Avoid reloading storage pointer for indexed properties unnecessarily
        https://bugs.webkit.org/show_bug.cgi?id=74136

        Reviewed by Filip Pizlo.

        Add a node to represent loading property storage for indexed properties.
        This allows us to reduce code generated for sequential access of arrays,
        strings, etc.  This results in up to 5% improvement in code that is 
        very heavy on indexed reads, such as matrix operations in typed arrays
        and 20% faster on microbenchmarks.

        Currently this is only supported by GetByVal and other similar indexed reads.

        * bytecode/PredictedType.h:
        (JSC::isFixedIndexedStorageObjectPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-08  Fady Samuel  <fsamuel@chromium.org>

        [Chromium] Enable viewport metatag
        https://bugs.webkit.org/show_bug.cgi?id=73495

        Reviewed by Darin Fisher.

        * wtf/Platform.h: Added ENABLE(VIEWPORT) tag.

2011-12-08  Adam Klein  <adamk@chromium.org>

        Use HashMap<Node*, OwnPtr<...>> in ChildListMutationScope
        https://bugs.webkit.org/show_bug.cgi?id=73964

        Reviewed by Darin Adler.

        * wtf/HashTraits.h: Add passOut(std::nullptr_t) to allow callers to use HashMap::take on a HashMap of OwnPtrs.

2011-12-08  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        https://bugs.webkit.org/show_bug.cgi?id=74005
        fix unaligned access memory in generatePatternCharacterOnce function
        for SH4 platforms.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load16Unaligned):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16Unaligned):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load16Unaligned):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::lshift32):
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::load16):
        (JSC::MacroAssemblerSH4::load16Unaligned):
        (JSC::MacroAssemblerSH4::branch8):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load16Unaligned):
        * jit/JIT.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

2011-12-08  Michael Saboff  <msaboff@apple.com>

        Add 8 bit paths for StringTypeAdapter classes
        https://bugs.webkit.org/show_bug.cgi?id=73882

        Reviewed by Darin Adler.

        Added is8Bit() method and writeTo(LChar*) methods
        to StringTypeAdapter<> classes.  The writeTo(LChar*)
        method can be used if is8Bit() returns true.  The
        non-native 8 bit classes contain ASSERT(is8Bit())
        in their writeTo(LChar*).

        Updated all of the various versions of tryMakeString() to
        use 8 bit processing in the updated StringTypeAdapter<>
        classes.

        This has slight if any performance improvement on kraken.

        * runtime/UStringConcatenate.h:
        * wtf/text/StringConcatenate.h:
        (WTF::tryMakeString):
        * wtf/text/StringOperators.h:
        (WTF::StringAppend::is8Bit):
        (WTF::StringAppend::writeTo):

2011-12-07  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should know that CheckFunction is pure
        https://bugs.webkit.org/show_bug.cgi?id=74044

        Reviewed by Oliver Hunt.
        
        Possible slight win on V8, no regressions.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::checkFunctionElimination):

2011-12-07  Michael Saboff  <msaboff@apple.com>

        StringBuilderTest.Append and StringBuilderTest.ToStringPreserveCapacity are failing.
        https://bugs.webkit.org/show_bug.cgi?id=73995

        Reviewed by Geoffrey Garen.

        Problem was that a call to characters on an StringImpl associated
        with a StringBuilder that is being appended to gets stale.
        Added a new m_valid16BitShadowlen that keeps the length of
        the 16 bit shadow that has been upconverted or will be up converted
        with the first getCharacters().  When StringBuilder::characters or
        ::reifyString is called, further characters are upconverted if
        we have a shadow16bit copy and the m_valid16BitShadowlen is updated.

        * JavaScriptCore.exp:
        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::reifyString):
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::StringBuilder):
        (WTF::StringBuilder::characters):
        (WTF::StringBuilder::clear): Cleaned up as part of the change.
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::getData16SlowCase):
        (WTF::StringImpl::upconvertCharacters):
        * wtf/text/StringImpl.h:

2011-12-07  Filip Pizlo  <fpizlo@apple.com>

        Compare and Swap should be enabled on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=74023

        Reviewed by Geoff Garen.
        
        Implemented weakCompareAndSwap in terms of LDREX/STREX and enabled PARALLEL_GC.
        It gives the expected speed-up on multi-core ARMv7 devices.

        * wtf/Atomics.h:
        (WTF::weakCompareAndSwap):
        * wtf/Platform.h:

2011-12-07  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE is overzealous with GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=74042

        Reviewed by Oliver Hunt.
        
        Made sure that the purity of GetByVal and the limited-clobber-itude of PutByVal
        is tested in all places that matter.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::byValIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):

2011-12-07  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r102267.
        http://trac.webkit.org/changeset/102267
        https://bugs.webkit.org/show_bug.cgi?id=74032

        Breaks build on Chromium Mac Debug (Requested by aklein on
        #webkit).

        * wtf/HashTraits.h:

2011-12-07  Adam Klein  <adamk@chromium.org>

        Use HashMap<Node*, OwnPtr<...>> in ChildListMutationScope
        https://bugs.webkit.org/show_bug.cgi?id=73964

        Reviewed by Ryosuke Niwa.

        * wtf/HashTraits.h: Add passOut(std::nullptr_t) to allow callers to use HashMap::take on an entry whose value is null.

2011-12-07  Filip Pizlo  <fpizlo@apple.com>

        Non-Mac devices should benefit from a larger heap
        https://bugs.webkit.org/show_bug.cgi?id=74015

        Reviewed by Geoff Garen.
        
        Removed the ENABLE(LARGE_HEAP) option from Platform.h, since it was only used in
        Heap.cpp, and got in the way of having more granular, per-platform control over
        what the heap size should be. Bumped the heap size to 8MB on iOS (was 512KB).

        * heap/Heap.cpp:
        (JSC::GCTimer::heapSizeForHint):
        * wtf/Platform.h:

2011-11-30  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] V8 build fixes.

        Reviewed by Tor Arne Vestbø.

        * yarr/yarr.pri: Don't rely on Source/JavaScriptCore being in
        VPATH. Prefix SOURCES correctly and make sure that runtime/ is
        in the include search path when building with v8.

2011-12-06  Filip Pizlo  <fpizlo@apple.com>

        Zapping a block that is Marked leads to dead objects being mistaken for live ones
        https://bugs.webkit.org/show_bug.cgi?id=73982

        Reviewed by Geoff Garen.
        
        Changed the zapping code to ignore blocks that are Marked or Zapped. Additionally,
        the code asserts that:
        
        - If we zap a Marked or Zapped block then the free list is empty, because this
          can only happen if the block was never free-listed.
          
        - Zapping can only happen for Marked, Zapped, or FreeListed blocks, since Allocated
          blocks are those that cannot be referred to by SizeClass::currentBlock (since
          SizeClass::currentBlock only refers to blocks that are candidates for allocation,
          and Allocated blocks are those who have been exhausted by allocation and will not
          be allocated from again), and New blocks cannot be referred to by anything except
          during a brief window inside the allocation slow-path.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::zapFreeList):

2011-12-06  Filip Pizlo  <fpizlo@apple.com>

        DFG 32_64 call linking does not handle non-cell callees correctly
        https://bugs.webkit.org/show_bug.cgi?id=73965

        Reviewed by Sam Weinig.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):

2011-12-06  Sam Weinig  <sam@webkit.org>

        Remove unintentional type name shadowing in the Interpreter
        https://bugs.webkit.org/show_bug.cgi?id=73963

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::prepareForRepeatCall): Replace the parameter name FunctionExecutable,
        which shadows the FunctionExecutable type name, with functionExecutable.

2011-12-06  Michael Saboff  <msaboff@apple.com>

        r102146 from 73875 broke fast/js/encode-URI-test.html
        https://bugs.webkit.org/show_bug.cgi?id=73950

        Reviewed by Gavin Barraclough.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncUnescape): Restructured to handle
        the %uHHHH case to output the resulting character
        and continue so that a failure in finding 4 hex
        digits will fall through and output the '%'.
        Due to style check, changed the temporary
        character variable to a more descriptive name.

2011-12-06  Filip Pizlo  <fpizlo@apple.com>

        GC zapping logic could benefit from some more assertions
        https://bugs.webkit.org/show_bug.cgi?id=73947

        Reviewed by Gavin Barraclough.
        
        - If you're in a zapped block and you're zapped, then your mark bit should
          never be set.
          
        - If you're being marked, then you should never be zapped.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive):
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):

2011-12-06  Oliver Hunt  <oliver@apple.com>

        Don't allocate register in typedarray control flow
        https://bugs.webkit.org/show_bug.cgi?id=73944

        Reviewed by Gavin Barraclough.

        Move a temporary allocation outside of control flow.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

2011-12-06  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=68328
        The generator and intrinsic fields in HashTableValue/HashEntry and associated structures and methods are redundant

        Reviewed by Geoff Garen.

        Move the instrinsic enum out of the DFG, into runtime. Add entires for all host functions
        that have an intrinsic in the form of a generated thunk. Remove the thunk pointer from the
        hashtable, and make Intrinsic field no longer ifdef on JIT/DFG. In getHostFunction select
        a thunk genertaor to use based on the Intrinsic.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCapabilities.h:
        * dfg/DFGIntrinsic.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::intrinsic):
        (JSC::NativeExecutable::intrinsic):
        * runtime/Executable.h:
        (JSC::ExecutableBase::intrinsicFor):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        * runtime/Intrinsic.h: Copied from Source/JavaScriptCore/dfg/DFGIntrinsic.h.
        * runtime/JSGlobalData.cpp:
        (JSC::thunkGeneratorForIntrinsic):
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::initialize):
        (JSC::HashEntry::intrinsic):

2011-12-06  Michael Saboff  <msaboff@apple.com>

        Add 8 bit paths to global object functions
        https://bugs.webkit.org/show_bug.cgi?id=73875

        Added 8 bit paths for converions methods.

        This is worth 1.5% on kraken audio-oscillator,
        1.6% on stanford-crypto-ccm and 2.5% on
        stanford-crypto-sha256-iterative.  See bug for
        a full report.

        Reviewed by Oliver Hunt.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode): Split into a templated helper.
        (JSC::parseInt): Split into a templated helper.
        (JSC::parseFloat): Added an 8 bit path
        (JSC::globalFuncEscape): Added 8 bit path
        (JSC::globalFuncUnescape): Added 8 bit path
        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::append): New append for LChar
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::append): New append for LChar

2011-11-21  Balazs Kelemen  <kbalazs@webkit.org>

        Enable ParallelJobs by default
        https://bugs.webkit.org/show_bug.cgi?id=70032

        Reviewed by Zoltan Herczeg.

        According to measurements on Mac and Linux it is a
        considerable speedup for SVG on multicore.

        Remove the ENABLE(PARALLEL_JOBS) guard.
        Fix build on Windows and Chromium.

        * JavaScriptCore.gypi:  Add the files to the build. It was
        missing for the gyp build system.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Export symbols.
        * wtf/ParallelJobs.h:
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::execute):
        Deinline these to avoid exporting a lot of symbols.
        These are non-trivial and called only once on a given object
        so it doesn't seems to be worthwile to inline them.
        Additionally fix a signed-unsigned comparison in the constructor.
        * wtf/ParallelJobsGeneric.h:
        * wtf/Platform.h:

2011-12-06  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] build-jsc script doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=73910

        Reviewed by Tor Arne Vestbø.

        * JavaScriptCore.pro: Build WTF before JavaScriptCore and JSC
        (moved from top-level WebKit.pro). Also add v8 scopes to only build
        WTF during v8 builds.

2011-12-05  Anders Carlsson  <andersca@apple.com>

        Add HashMap::keys() and HashMap::values() for easy iteration of hash map keys and values in C++11.

        Reviewed by Darin Adler.

        * wtf/HashMap.h:

2011-12-05  Michael Saboff  <msaboff@apple.com>

        Create StringImpl::empty() as an 8 bit string
        https://bugs.webkit.org/show_bug.cgi?id=73871

        Reviewed by Oliver Hunt.

        * wtf/text/StringStatics.cpp:
        (WTF::StringImpl::empty): Changed to be an 8 bit string.

2011-12-05  Darin Adler  <darin@apple.com>

        Convert JSClassRef to use HashMap<OwnPtr>
        https://bugs.webkit.org/show_bug.cgi?id=73780

        Reviewed by Andreas Kling.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject::getOwnPropertyNames): Use get() on the hash map
        entries because the hash map now has an OwnPtr instead of a raw pointer.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::OpaqueJSClass): No need to initialize m_staticValues and
        m_staticFunctions since they are now OwnPtr. Use adoptPtr when allocating.
        Removed the code that gets and deletes existing entries, and just use set,
        which now handles deletion automatically due to it being OwnPtr.
        (OpaqueJSClass::~OpaqueJSClass): Replaced code to do all the deletion
        with assertion-only NDEBUG-only code.
        (OpaqueJSClassContextData::OpaqueJSClassContextData): Use adoptPtr when
        allocating. Use OwnPtr when adding. Removed unneeded code to set
        staticValues and staticFunctions to 0. Removed unneeded destructor.
        (OpaqueJSClass::staticValues): Added get call. Also removed unneeded local.
        (OpaqueJSClass::staticFunctions): Ditto.
        (OpaqueJSClass::prototype): Added use of adoptPtr.

        * API/JSClassRef.h: Made the static values and static functions tables
        use OwnPtr for the entries. Also used OwnPtr for the pointers to the
        tables themselves. Also removed ~OpaqueJSClassContextData(), letting
        the compiler generate it.

2011-12-05  Oliver Hunt  <oliver@apple.com>

        Land uncommitted bit of float array support
        https://bugs.webkit.org/show_bug.cgi?id=73873

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

2011-12-05  Benjamin Poulain  <benjamin@webkit.org>

        Update String::containsOnlyASCII() to handle 8 bits strings
        https://bugs.webkit.org/show_bug.cgi?id=73799

        Reviewed by Darin Adler.

        Implement String::containsOnlyASCII() so that it does not
        call String::characters().

        * wtf/text/WTFString.h:
        (WTF::String::containsOnlyASCII):

2011-12-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-DFG platforms.

        * dfg/DFGRepatch.h:

2011-12-05  Filip Pizlo  <fpizlo@apple.com>

        Old JIT emits 32-bit offsets for put_by_id but sometimes patches them as if they
        were compact offsets
        https://bugs.webkit.org/show_bug.cgi?id=73861

        Reviewed by Gavin Barraclough.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::resetPatchPutById):

2011-12-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fixes for ARM.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::unreachableForPlatform):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::loadFloat):
        (JSC::MacroAssemblerARMv7::storeFloat):
        (JSC::MacroAssemblerARMv7::convertFloatToDouble):
        (JSC::MacroAssemblerARMv7::convertDoubleToFloat):

2011-12-05  Benjamin Poulain  <benjamin@webkit.org>

        Update String::containsOnlyLatin1() to avoid converting to 16 bits
        https://bugs.webkit.org/show_bug.cgi?id=73797

        Reviewed by Andreas Kling.

        When the String use 8bits StringImpl, there is no need to iterate
        over the string.

        The function charactersAreAllLatin1() is removed because it is not
        used anywhere.

        * wtf/text/WTFString.h:
        (WTF::String::containsOnlyLatin1):

2011-12-05  Michael Saboff  <msaboff@apple.com>

        8 bit string work slows down Kraken json-stringify-tinderbox
        https://bugs.webkit.org/show_bug.cgi?id=73457

        Added 8 bit path to StringBuilder.  StringBuilder starts
        assuming 8 bit contents and gets converted to 16 bit upon
        seeing the first 16 bit character or string.  Split
        appendUninitialiezed into an inlined fast and function call
        slow case.

        Factored out the processing of the UString argument from
        Stringifier::appendQuotedString() to a static templated function
        based on character size.

        This change eliminates 5% of the 7% slowdown to json-stringify-tinderbox.
        This change introduces a 4.8% slowdown to json-parse-financial.
        This slowdown will be addressed in a subsequent patch to StringImpl::equal.

        Reviewed by Oliver Hunt.

        * runtime/JSONObject.cpp:
        (JSC::appendStringToUStringBuilder):
        (JSC::Stringifier::appendQuotedString):
        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::resize):
        (WTF::StringBuilder::allocateBuffer):
        (WTF::StringBuilder::allocateBufferUpConvert):
        (WTF::LChar):
        (WTF::UChar):
        (WTF::StringBuilder::reserveCapacity):
        (WTF::StringBuilder::appendUninitialized):
        (WTF::StringBuilder::appendUninitializedSlow):
        (WTF::StringBuilder::append):
        (WTF::StringBuilder::shrinkToFit):
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::StringBuilder):
        (WTF::StringBuilder::append):
        (WTF::StringBuilder::operator[]):
        (WTF::StringBuilder::characters8):
        (WTF::StringBuilder::characters16):
        (WTF::StringBuilder::charactersBlah):
        (WTF::LChar):
        (WTF::UChar):

2011-12-01  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=73624
        JIT + INTERPRETER builds are broken

        Reviewed by Geoff Garen, Sam Weinig.

        These don't fallback to the interpreter correctly.
        Thunk creation assumes that is the JIT is compiled in, then it is enabled.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::getHostFunction):

2011-12-05  Zoltan Herczeg  <zherczeg@webkit.org>

        MacroAssemblerSH4 does not implement readCallTarget
        https://bugs.webkit.org/show_bug.cgi?id=73434

        Reviewed by Csaba Osztrogonác.

        * assembler/MacroAssemblerSH4.h: Support for SH4.
        (JSC::MacroAssemblerSH4::readCallTarget):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::readCallTarget):

2011-12-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize strict equality
        https://bugs.webkit.org/show_bug.cgi?id=73764

        Reviewed by Oliver Hunt.
        
        1% speed-up on V8.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-03  Darin Adler  <darin@apple.com>

        Use HashMap<OwnPtr> for ScriptSampleRecordMap
        https://bugs.webkit.org/show_bug.cgi?id=73758

        Reviewed by Andreas Kling.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::notifyOfScope): Added adoptPtr.
        (JSC::SamplingTool::dump): Added get.
        * bytecode/SamplingTool.h: Changed the value type of ScriptSampleRecordMap to be OwnPtr.

2011-12-03  Darin Adler  <darin@apple.com>

        Use HashMap<OwnPtr> for the opaqueJSClassData map
        https://bugs.webkit.org/show_bug.cgi?id=73759

        Reviewed by Andreas Kling.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::contextData): Update types.
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::~JSGlobalData): Add an explicit clear of opaqueJSClassData to keep the
        timing the same. If we didn't care about the order of operations, we could remove this, too.
        * runtime/JSGlobalData.h: Use OwnPtr instead of raw pointer for the mapped type in the
        opaqueJSClassData map.

2011-12-03  Darin Adler  <darin@apple.com>

        Change HashMap implementation to use the pass type and peek type from traits for the mapped value
        https://bugs.webkit.org/show_bug.cgi?id=72474

        Reviewed by Anders Carlsson.

        * wtf/HashMap.h: Added ReferenceTypeMaker struct template. Get PassInType, PassOutType,
        and PeekType from the traits of the mapped value instead of hard-coding them here.
        Changed inlineAdd to take a reference to the PassInType instead of the PassInType itself,
        to accomodate a PassInType that can't be copied. Use the store, peek, and passOut
        functions from the traits as well.

        * wtf/HashTraits.h: Updated GenericHashTraits and HashTraits for OwnPtr to include
        PassInType, PassOutType, PeekType, store, passOut, and peek. Before this, the file had
        an earlier version that was just PassType, PeekType, pass, and peek. Also commented
        the HashTraits for RefPtr to foreshadow some work we can do there.

        * wtf/RefPtrHashMap.h: Same changes as HashMap.h.

2011-12-02  David Levin  <levin@chromium.org>

        Rename WTF class from TemporarilyChange to TemporaryChange.
        https://bugs.webkit.org/show_bug.cgi?id=73479

        Reviewed by Eric Seidel.

        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/TemporaryChange.h: Renamed from Source/JavaScriptCore/wtf/TemporarilyChange.h.
        (WTF::TemporaryChange::TemporaryChange):
        (WTF::TemporaryChange::~TemporaryChange):

2011-12-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r99754): All layout tests crash on Windows
        https://bugs.webkit.org/show_bug.cgi?id=72305

        Reviewed by Geoffrey Garen.

        Fixes a crash in release builds on Windows.  Windows was optimizing the out-of-line virtual destructor in 
        JSFunction away, which left it with no virtual functions.  Its vtable ptr was then identical to that of 
        a different class, therefore the optimization in the visitChildren helper function in MarkedStack.cpp was calling an 
        incorrect version of visitChildren on the object, which left its children unmarked, causing them to be 
        collected when they were still reachable.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::vtableAnchor): Add a virtual function to JSFunction that Visual Studio can't optimize away.
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs): Add checks to make sure that all virtual pointers that we rely on for optimization
        purposes are distinct from one another.

2011-12-02  Oliver Hunt  <oliver@apple.com>

        Improve float array support in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=73722

        Reviewed by Gavin Barraclough.

        Add basic support for float typed arrays in JSC.  This is currently
        less optimal than it could be in the following ways:
         * float32Array1[0] = float32Array2[0] (eg. an element by element copy) 
           promotes float to double and then back to float.
         * float64Array[0] will always perform NaN tests in order to prevent
           signalling NaNs from entering the engine.

        We also don't support Float32Array on ARMv7

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::loadFloat):
        (JSC::MacroAssemblerARMv7::storeDouble):
        (JSC::MacroAssemblerARMv7::storeFloat):
        (JSC::MacroAssemblerARMv7::convertFloatToDouble):
        (JSC::MacroAssemblerARMv7::convertDoubleToFloat):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::loadDouble):
        (JSC::MacroAssemblerX86Common::loadFloat):
        (JSC::MacroAssemblerX86Common::storeDouble):
        (JSC::MacroAssemblerX86Common::storeFloat):
        (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
        (JSC::MacroAssemblerX86Common::convertFloatToDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cvtsd2ss_rr):
        (JSC::X86Assembler::cvtss2sd_rr):
        (JSC::X86Assembler::movsd_rm):
        (JSC::X86Assembler::movss_rm):
        (JSC::X86Assembler::movsd_mr):
        (JSC::X86Assembler::movss_mr):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateFloat32Array):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-02  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r101801.
        http://trac.webkit.org/changeset/101801
        https://bugs.webkit.org/show_bug.cgi?id=73667

        Build is still broken (Requested by Ossy on #webkit).

        * assembler/SH4Assembler.h:

2011-12-01  Darin Adler  <darin@apple.com>

        Prepare to deploy pass and peek types in the HashMap class
        https://bugs.webkit.org/show_bug.cgi?id=73477

        Reviewed by Adam Roben.

        This patch adds private typedefs inside the HashMap class,
        and uses them as appropriate. A future patch will actually
        tie those typedefs to hash traits, which will allow us to
        make HashMap work with OwnPtr mapped values and to optimize
        how HashMap works with RefPtr mapped values.

        Also changed the hash translator and adapter struct templates
        to use template functions to simplify them and make them more
        flexible.

        Also removed some unused template arguments.

        This goes out of its way to not change behavior. Future patches
        will change the peek type to be a reference type, which will
        reduce reference count churn a bit for hash tables with RefPtr
        mapped values, and then do further optimizations for RefPtr
        and OwnPtr by getting types from the hash traits.

        * wtf/HashMap.h: Added MappedPassInType, MappedPassOutType,
        and MappedPeekType typedefs, and used them for the arguments
        and return types of the get, set, add, take, and inlineAdd
        functions.
        (WTF::HashMapTranslator): Changed this struct template to take
        fewer arguments, and changed its member functions to be
        function templates instead. This allows the compiler to
        determine types more flexibly and also simplifies use of it.
        (WTF::HashMapTranslatorAdapter): Ditto.
        (WTF::HashMap::find): Updated to use new HashMapTranslatorAdapter.
        Also reduced the arguments passed to the HashTable function template.
        (WTF::HashMap::contains): Ditto.
        (WTF::HashMap::inlineAdd): Ditto. Also take MappedPassInType.
        (WTF::HashMap::set): Ditto.
        (WTF::HashMap::add): Ditto.
        (WTF::HashMap::inlineGet): Ditto, but return MappedPeekType.
        (WTF::HashMap::get): Ditto.
        (WTF::HashMap::take): Ditto, but return MappedPassOutType and use
        that type in the implementation.
        (WTF::deleteAllValues): Removed unneeded template arguments from
        call to deleteAllPairSeconds.
        (WTF::deleteAllKeys): Removed unneeded template arguments from
        call to deleteAllPairFirsts.

        * wtf/HashSet.h:
        (WTF::IdentityExtractor): Changed this to be a struct rather than
        a struct template, and replaced the extract function with a function
        template. This allows the compiler to deduce the type.
        (WTF::HashSetTranslatorAdapter): Changed this struct template to take
        fewer arguments, and changed its member functions to be
        function templates instead. This allows the compiler to
        determine types more flexibly and also simplifies use of it.
        (WTF::HashSet::find): Updated to use new HashSetTranslatorAdapter.
        Also reduced the arguments passed to the HashTable function template.
        (WTF::HashSet::contains): Ditto.
        (WTF::HashSet::add): Ditto.

        * wtf/HashTable.h:
        (WTF::IdentityHashTranslator): Changed this struct template to take
        fewer arguments, and changed its member functions to be
        function templates instead. This allows the compiler to
        determine types more flexibly and also simplifies use of it.
        (WTF::HashTable::add): Reduced arguments passed to the function template.
        (WTF::HashTable::find): Ditto, also reversed the template arguments so the
        translator comes first so the compiler can deduce the other type.
        (WTF::HashTable::contains): Ditto.
        (WTF::HashTable::lookup): Ditto.
        (WTF::HashTable::lookupForWriting): Ditto.
        (WTF::HashTable::checkKey): Ditto.
        (WTF::HashTable::fullLookupForWriting): Ditto.
        (WTF::HashTable::add): Ditto.
        (WTF::HashTable::addPassingHashCode): Ditto.
        (WTF::HashTable::find): Ditto.
        (WTF::HashTable::contains): Ditto.

        * wtf/ListHashSet.h:
        (WTF::ListHashSetNodeHashFunctions): Changed this struct template to take
        fewer arguments, and changed its member functions to be function templates
        instead. This allows the compiler to determine types more flexibly and
        also simplifies use of it.
        (WTF::ListHashSet::find): Reduced the arguments passed to the HashTable
        functon template.
        (WTF::ListHashSetTranslatorAdapter): Changed this struct template in the
        same way we changed ListHashSetNodeHashFunctions above.
        (WTF::ListHashSetTranslatorAdapter::equal):
        (WTF::::contains):
        (WTF::::add):
        (WTF::::insertBefore):

        * wtf/RefPtrHashMap.h: Updated comments. Removed the
        RefPtrHashMapRawKeyTranslator struct template; we can use the
        HashMapTranslator struct template from HashMap.h instead now that
        it is more flexible. Added MappedPassInType, MappedPassOutType,
        and MappedPeekType typedefs, and used them for the arguments
        and return types of the get, inlineGet, set, add, take, and inlineAdd
        functions. Changed the name of the RawKeyTranslator type to
        Translator since it's now a class that can handle both raw keys
        and conventional keys.
        (WTF::HashMap::find): Changed to use Translator instead of RawKeyTranslator.
        Reduced the arguments passed to the HashTable function template.
        (WTF::HashMap::contains): Ditto.
        (WTF::HashMap::inlineAdd): Ditto. Also take MappedPassInType.
        (WTF::HashMap::set): Ditto.
        (WTF::HashMap::add): Ditto.
        (WTF::HashMap::inlineGet): Ditto, but return MappedPeekType.
        (WTF::HashMap::get): Ditto.
        (WTF::HashMap::take): Ditto, but return MappedPassOutType and use
        that type in the implementation.
        (WTF::deleteAllValues): Removed unneeded template arguments from
        call to deleteAllPairSeconds.
        (WTF::deleteAllKeys): Removed unneeded template arguments from
        call to deleteAllPairFirsts.

2011-12-02  Zoltan Herczeg  <zherczeg@webkit.org>

        MacroAssemblerSH4 does not implement readCallTarget
        https://bugs.webkit.org/show_bug.cgi?id=73434

        Reviewed by Csaba Osztrogonác.

        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::readCallTarget): Support for SH4.

2011-12-02  Hajime Morrita  <morrita@chromium.org>

        Unreviewed, rolling out r101751 and r101775.
        http://trac.webkit.org/changeset/101751
        http://trac.webkit.org/changeset/101775
        https://bugs.webkit.org/show_bug.cgi?id=73191

        breaks Windows build

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * runtime/JSExportMacros.h: Removed.
        * wtf/ExportMacros.h:
        * wtf/Platform.h:
        * wtf/WTFThreadData.h:
        * wtf/text/AtomicString.h:
        * wtf/text/StringStatics.cpp:

2011-12-01  Hajime Morrita  <morrita@chromium.org>

        JS_INLINE and WTF_INLINE should be visible from WebCore
        https://bugs.webkit.org/show_bug.cgi?id=73191

        - Moved Export related macro definitions from config.h to ExportMacros.h and JSExportMacros.h.
        - Moved WTF_USE_JSC and WTF_USE_V8 from various config.h family to Platform.h.
        - Replaced JS_EXPORTDATA in wtf moudule with newly introduced WTF_EXPORTDATA.

        Reviewed by Kevin Ollivier.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * runtime/JSExportMacros.h: Added.
        * wtf/ExportMacros.h:
        * wtf/Platform.h:
        * wtf/WTFThreadData.h:
        * wtf/text/AtomicString.h:
        * wtf/text/StringStatics.cpp:

2011-12-01  Michael Saboff  <msaboff@apple.com>

        Changes proposed for 73457 slow down Kraken json-parse-financial
        https://bugs.webkit.org/show_bug.cgi?id=73584

        Restructured StringImpl::equal to take advantage of 8 or 4 bytes
        at a time when possible.

        This is worth ~3% on Kraken json-parse-financial. It provides 
        ~2% on SunSpider string-unpack-code.

        Reviewed by Sam Weinig.

        * wtf/text/StringImpl.cpp:
        (WTF::equal):

2011-12-01  Oliver Hunt  <oliver@apple.com>

        Support integer typed arrays in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=73608

        Reviewed by Filip Pizlo.

        Add support for all the integral typed arrays in the DFG JIT.
        Currently this loads the contents of Uint32 arrays as doubles,
        which is clearly not as efficient as it could be, but this is
        still in the order of 10-20x faster than the existing behaviour.

        This needed us to add support for writing 16bit values to the
        macroassembler, and also to support double<->unsigned conversion.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::strh):
        (JSC::ARMv7Assembler::vcvt_floatingPointToUnsigned):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::store16):
        (JSC::MacroAssemblerARMv7::truncateDoubleToUint32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store16):
        (JSC::MacroAssemblerX86Common::truncateDoubleToUint32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movw_rm):
        (JSC::X86Assembler::cvttsd2siq_rr):
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC::isInt8ArrayPrediction):
        (JSC::isInt16ArrayPrediction):
        (JSC::isInt32ArrayPrediction):
        (JSC::isUint8ArrayPrediction):
        (JSC::isUint16ArrayPrediction):
        (JSC::isUint32ArrayPrediction):
        (JSC::isFloat32ArrayPrediction):
        (JSC::isFloat64ArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt8Array):
        (JSC::DFG::Node::shouldSpeculateInt16Array):
        (JSC::DFG::Node::shouldSpeculateInt32Array):
        (JSC::DFG::Node::shouldSpeculateUint8Array):
        (JSC::DFG::Node::shouldSpeculateUint16Array):
        (JSC::DFG::Node::shouldSpeculateUint32Array):
        (JSC::DFG::Node::shouldSpeculateFloat32Array):
        (JSC::DFG::Node::shouldSpeculateFloat64Array):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalData.h:

2011-12-01  Benjamin Poulain  <benjamin@webkit.org>

        URLs are encoded in UTF-8, then decoded as if they are Latin1
        https://bugs.webkit.org/show_bug.cgi?id=71758

        Reviewed by Darin Adler.

        Add the operator == between a String and a Vector of char. The implementation
        is the same as the comparison of String and char* but adds the length as a
        parameter for comparing the strings.

        * JavaScriptCore.exp:
        * wtf/text/StringImpl.h:
        (WTF::equal):
        * wtf/text/WTFString.h:
        (WTF::operator==):
        (WTF::operator!=):

2011-12-01  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Read fonts from the jhbuild root
        https://bugs.webkit.org/show_bug.cgi?id=73487

        Reviewed by Gustavo Noronha Silva.

        Read fonts from the jhbuild root instead of from the system. This will ensure
        that all testers use the same fonts instead of leaving this up to luck.

        * wtf/gobject/GlibUtilities.h: Add Assertions.h which was required for the WebKit2TestRunner.

2011-12-01  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Add a helper function to find the current executable's path
        https://bugs.webkit.org/show_bug.cgi?id=73473

        Reviewed by Gustavo Noronha Silva.

        Add a WTF helper which gets the binary path. This is currently only used
        in WebKit2.

        * GNUmakefile.list.am: Add the new file to the source list.
        * wtf/gobject/GlibUtilities.cpp: Added.
        (getCurrentExecutablePath):
        * wtf/gobject/GlibUtilities.h: Added.

2011-12-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r101691.
        http://trac.webkit.org/changeset/101691
        https://bugs.webkit.org/show_bug.cgi?id=73588

        Tests fail on Chromium bots, early warning system warned
        committer, please adjust test_expectations in patch (Requested
        by scheib on #webkit).

        * JavaScriptCore.exp:
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.h:

2011-12-01  Filip Pizlo  <fpizlo@apple.com>

        ARMv7 only allows for one-shot patching of compact offsets, while the
        JIT expects to be able to repatch
        https://bugs.webkit.org/show_bug.cgi?id=73548

        Reviewed by Oliver Hunt.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::setUInt7ForLoad):

2011-11-30  Benjamin Poulain  <benjamin@webkit.org>

        URLs are encoded in UTF-8, then decoded as if they are Latin1
        https://bugs.webkit.org/show_bug.cgi?id=71758

        Reviewed by Darin Adler.

        Add the operator == between a String and a Vector of char. The implementation
        is the same as the comparison of String and char* but adds the length as a
        parameter for comparing the strings.

        * JavaScriptCore.exp:
        * wtf/text/StringImpl.h:
        (WTF::equal):
        * wtf/text/WTFString.h:
        (WTF::operator==):
        (WTF::operator!=):

2011-11-30  Dmitry Lomov  <dslomov@google.com>

        https://bugs.webkit.org/show_bug.cgi?id=73503
        [Chromium][V8] Implement ArrayBuffer transfer in chromium.
        Portions of this patch come from Luke Zarko.

        Reviewed by David Levin.

        * wtf/ArrayBuffer.cpp:
        (WTF::ArrayBuffer::transfer): Changed prototype from pointers to RefPtr.
        * wtf/ArrayBuffer.h:
        (WTF::ArrayBufferContents::transfer): Changed prototype from pointers to RefPtr.
        (WTF::ArrayBuffer::isNeutered):
        * wtf/TypedArrayBase.h:
        (WTF::TypedArrayBase::neuter):

2011-12-01  Chao-ying Fu  <fu@mips.com>

        MacroAssemblerMIPS does not implement readCallTarget
        https://bugs.webkit.org/show_bug.cgi?id=73432

        Reviewed by Zoltan Herczeg.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::readCallTarget):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::readCallTarget):

2011-12-01  Noel Gordon  <noel.gordon@gmail.com>

        [chromium] Remove wtf/qt/ThreadingQt.cpp from the gyp projects
        https://bugs.webkit.org/show_bug.cgi?id=73527

        Reviewed by Simon Hausmann.

        wtf/qt/ThreadingQt.cpp was removed in r101477

        * JavaScriptCore.gypi: remove wtf/qt/ThreadingQt.cpp

2011-12-01  Filip Pizlo  <fpizlo@apple.com>

        BitVector isInline check could fail
        https://bugs.webkit.org/show_bug.cgi?id=70691

        Reviewed by Gavin Barraclough.
        
        Switch back to using the high bit as the inline marker, to make
        all of the bit indexing operations simpler. Computing the size in
        words and in bytes of a bitvector, using the number of bits as
        input is error-prone enough; and with the current approach to
        solving the X86 bug we end up getting it wrong. Making it right
        seems hard.
        
        So instead, to solve the original problem (the high bit may be
        meaningful on 32-bit systems), the out-of-line storage pointer is
        right-shifted by 1. Compared to the original BitVector code, this
        is a much smaller change (just three lines).
        
        This solves a bug where the DFG was corrupting its call frame
        because BitVector lost track of some bits.

        * wtf/BitVector.cpp:
        (WTF::BitVector::setSlow):
        (WTF::BitVector::resizeOutOfLine):
        * wtf/BitVector.h:
        (WTF::BitVector::quickGet):
        (WTF::BitVector::quickSet):
        (WTF::BitVector::quickClear):
        (WTF::BitVector::makeInlineBits):
        (WTF::BitVector::isInline):
        (WTF::BitVector::outOfLineBits):

2011-11-30  Filip Pizlo  <fpizlo@apple.com>

        DFG should make it easier to notice node boundaries in disassembly
        https://bugs.webkit.org/show_bug.cgi?id=73509

        Rubber-stamped by Gavin Barraclough
        
        If you set XOR_DEBUG_AID to 1 in DFGCommon.h, a pair of xor's will
        be emitted at node boundaries, where the immediate being xor'd is the
        node index.

        * dfg/DFGCommon.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-30  Geoffrey Garen  <ggaren@apple.com>

        Removed ArgList iterators.

        Reviewed by Gavin Barraclough.
        
        Another step toward reversing the argument order.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct): Switched from iterator to int.

        * runtime/ArgList.h:
        (JSC::ArgList::ArgList):
        (JSC::ArgList::isEmpty): Removed iterators.

        * runtime/JSArray.cpp:
        (JSC::JSArray::finishCreation): Switched from iterator to int.

2011-11-30  Yuqiang Xian  <yuqiang.xian@intel.com>

        32 bit DFG should handle logicalNot slow case instead of simply bailing out
        https://bugs.webkit.org/show_bug.cgi?id=73515

        Reviewed by Filip Pizlo.

        This improves Kraken performance by 14%, mainly due to ~3X improvement
        on imaging-desaturate.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):

2011-11-30  Max Vujovic  <mvujovic@adobe.com>

        Some date values not handled consistently with IE/Firefox
        https://bugs.webkit.org/show_bug.cgi?id=14176

        Reviewed by Gavin Barraclough.

        Changed time zone offset parsing behavior to match IE/Firefox/Opera's in
        implementation dependent cases like "GMT-4".

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters):

2011-11-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        toStringCallback and valueOfCallback do not check the entire prototype chain for convertToType callback
        https://bugs.webkit.org/show_bug.cgi?id=73368

        Reviewed by Darin Adler.

        We need to search the entire prototype chain for the convertToType callback, rather than just calling whatever
        happens to be in the first class of the chain, which potentially could be null.

        <rdar://problem/10493218>

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::toStringCallback):
        (JSC::JSCallbackFunction::valueOfCallback):

2011-11-29  Sam Weinig  <sam@webkit.org>

        Add adoptCF and adoptNS convenience functions to RetainPtr.h
        https://bugs.webkit.org/show_bug.cgi?id=73399

        Reviewed by Anders Carlsson.

        * wtf/RetainPtr.h:
        (WTF::adoptCF):
        (WTF::adoptNS):
        These adoption functions match the pattern we use in other
        smart pointer classes.

2011-11-30  Adam Roben  <aroben@apple.com>

        Fix RetainPtr's move assignment operators

        Fixes <http://webkit.org/b/73449> RetainPtr's move assignment operators don't modify the
        pointer being assigned to

        I didn't write a test for this because we don't have a way of unit testing C++11 code (see
        <http://webkit.org/b/73448>).

        Reviewed by Anders Carlsson.

        * wtf/RetainPtr.h:
        (WTF::RetainPtr::operator=): Adopt the passed-in RetainPtr's underlying pointer, not our own
        pointer.

2011-11-30  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed rolling out incorrect r101481.

        * assembler/MIPSAssembler.h:
        * assembler/MacroAssemblerMIPS.h:

2011-11-30  Simon Hausmann  <simon.hausmann@nokia.com>

        Fix compilation with MingW.

        Reviewed by Csaba Osztrogonác.

        * wtf/ThreadingWin.cpp:
        (WTF::initializeCurrentThreadInternal): MingW doesn't support MSVC exception handling, so for
        the time being make the thread name setting unimplemented for MingW.

2011-11-30  Simon Hausmann  <simon.hausmann@nokia.com>

        Unreviewed propective build fix for Qt/Windows part 2 after r101477.

        * wtf/ThreadSpecific.h: Fix the OS(WINDOWS) defines for the friend declaration for ThreadSpecific<T>::Data

2011-11-30  Simon Hausmann  <simon.hausmann@nokia.com>

        Unreviewed propective build fix for Qt/Windows after r101477.

        * wtf/ThreadSpecific.h: Use OS(WINDOWS) for declaring "destructor", as it's
        only referenced from within another OS(WINDOWS) section.

2011-11-30  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed speculative buildfix after r101457.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::readCallTarget):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::readCallTarget):

2011-11-30  Andrew Wason  <rectalogic@rectalogic.com>

        Replace Qt QThread threading back-end with pthread/Win32 threading back-ends
        https://bugs.webkit.org/show_bug.cgi?id=72155

        Reviewed by Simon Hausmann.

        Use ThreadingPthreads and ThreadingWin instead of ThreadingQt.

        * heap/MachineStackMarker.cpp:
        * wtf/MainThread.cpp:
        (WTF::initializeMainThread):
        * wtf/Platform.h:
        * wtf/ThreadSpecific.h: Drop QThreadStorage related code.
        (WTF::::destroy):
        * wtf/ThreadingPrimitives.h:
        * wtf/qt/MainThreadQt.cpp: Drop Qt specific isMainThread().
        (WTF::initializeMainThreadPlatform): Initialize MainThreadInvoker on main thread to avoid infecting secondary thread with QAdoptedThread.
        (WTF::scheduleDispatchFunctionsOnMainThread):
        * wtf/qt/ThreadingQt.cpp: Removed.
        * wtf/wtf.pro:

2011-11-30  Csaba Osztrogonác  <ossy@webkit.org>

        MacroAssemblerARM does not implement readCallTarget
        https://bugs.webkit.org/show_bug.cgi?id=73413

        Based on Filip Pizlo's patch.

        Buildfix. Rubber-stamped by Gabor Loki.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readCallTarget):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::readCallTarget):

2011-11-29  Filip Pizlo  <fpizlo@apple.com>

        Resetting a put_by_id inline cache should preserve the "isDirect" bit
        https://bugs.webkit.org/show_bug.cgi?id=73375

        Reviewed by Gavin Barraclough.
        
        For the replace case, we can find out if it was direct by looking at the
        slow call. For the transition case, we explicitly remember if it was
        direct.

        * bytecode/CodeBlock.cpp:
        (JSC::printStructureStubInfo):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isPutByIdAccess):
        (JSC::StructureStubInfo::initPutByIdTransition):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::resetPatchPutById):
        (JSC::JIT::isDirectPutById):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::resetPatchPutById):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCachePutByID):

2011-11-29  Sam Weinig  <sam@webkit.org>

        Remove RetainPtr::releaseRef
        https://bugs.webkit.org/show_bug.cgi?id=73396

        Reviewed by Dan Bernstein.

        * wtf/RetainPtr.h:
        Be gone releaseRef! Long live leakRef!

2011-11-29  Sam Weinig  <sam@webkit.org>

        Add move semantics to RetainPtr
        https://bugs.webkit.org/show_bug.cgi?id=73393

        Reviewed by Anders Carlsson.

        * wtf/RetainPtr.h:
        (WTF::RetainPtr::RetainPtr):
        Add a move constructor and move enabled assignment operators
        to RetainPtr if the compiler being used supports rvalue
        references. If the compiler does not support it, we fallback
        to the copy semantics we have always had.

2011-11-29  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG local CSE may cause incorrect reference counting for a node
        https://bugs.webkit.org/show_bug.cgi?id=73390

        Reviewed by Filip Pizlo.

        When performing a node substitution, the ref count of the replaced
        child will be increased, no matter whether the user node is skipped in
        code generation or not. This will cause the reference count of the
        replaced child never get the chance to become zero and so the
        registers occupied by it cannot be reused simply without spilling, if
        it's used by a "skipped" node.
        This is a 1% gain on V8 benchmark, tested on IA32 Linux.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::performSubstitution):
        (JSC::DFG::Propagator::performNodeCSE):

2011-11-29  David Levin  <levin@chromium.org>

        Add a way to revert a variable to its previous value after leaving a scope.
        https://bugs.webkit.org/show_bug.cgi?id=73371

        Reviewed by Adam Barth.

        In case anyone from Chromium sees this, it is nearly identical to AutoReset
        but if the same name were used, it causes unnecessary ambiguity.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/TemporarilyChange.h: Added.
        (WTF::TemporarilyChange::TemporarilyChange):
        (WTF::TemporarilyChange::~TemporarilyChange):

2011-11-29  Sam Weinig  <sam@webkit.org>

        Add COMPILER_SUPPORTS macro to allow for compiler feature testing
        https://bugs.webkit.org/show_bug.cgi?id=73386

        Reviewed by Anders Carlsson.

        * wtf/Compiler.h:
        Add COMPILER_SUPPORTS and #defines for C++11 variadic templates and
        rvalue references for Clang.

2011-11-29  Oliver Hunt  <oliver@apple.com>

        Allow WebCore to describe typed arrays to JSC
        https://bugs.webkit.org/show_bug.cgi?id=73355

        Reviewed by Gavin Barraclough.

        Allow globaldata to track the structure of typed arrays.

        * runtime/JSGlobalData.h:
        (JSC::TypedArrayDescriptor::TypedArrayDescriptor):

2011-11-28  Filip Pizlo  <fpizlo@apple.com>

        DFG debugCall() mechanism only works on X86 and X86-64
        https://bugs.webkit.org/show_bug.cgi?id=73282

        Reviewed by Oliver Hunt.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::debugCall):

2011-11-28  Filip Pizlo  <fpizlo@apple.com>

        DFG non-X86 ArithDiv does speculation failure after mutating state,
        without a value recovery
        https://bugs.webkit.org/show_bug.cgi?id=73286

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fixes for ARM.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::readCallTarget):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::setupArgumentsWithExecState):

2011-11-20  Roland Steiner  <rolandsteiner@chromium.org>

        <style scoped>: add ENABLE(STYLE_SCOPED) flag to WebKit
        https://bugs.webkit.org/show_bug.cgi?id=72848

        Add ENABLE_STYLE_SCOPED flag.

        Reviewed by Dimitri Glazkov.

        * Configurations/FeatureDefines.xcconfig:

2011-11-28  Jon Lee  <jonlee@apple.com>

        Create skeleton framework for notifications support in WK2
        https://bugs.webkit.org/show_bug.cgi?id=73253
        <rdar://problem/10356943>

        * Configurations/FeatureDefines.xcconfig: Split out ENABLE_NOTIFICATIONS based on platform.

2011-11-28  Oliver Hunt  <oliver@apple.com>

        Fix windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-11-28  Oliver Hunt  <oliver@apple.com>

        Fix gyp build

        * JavaScriptCore.gypi:

2011-11-28  Filip Pizlo  <fpizlo@apple.com>

        GetById should not always speculate cell
        https://bugs.webkit.org/show_bug.cgi?id=73181

        Reviewed by Gavin Barraclough.
        
        GetById will now speculate cell if the predictions of the base are cell.
        Otherwise it will do like the old JIT (and like the old non-speculative
        DFG JIT): if not cell, go straight to slow-path but otherwise don't OSR
        out. This is a 1% speed-up on SunSpider.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::setupArgumentsWithExecState):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-28  Oliver Hunt  <oliver@apple.com>

        Move typed array implementations into wtf
        https://bugs.webkit.org/show_bug.cgi?id=73248

        Reviewed by Sam Weinig.

        Move typed array implementation files from WebCore to wtf.  Inline the
        .cpp files for each of the array views to cut down on unnecessary exports
        and function call overhead for trivial operations.

        Added files to all the project files.

        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/ArrayBuffer.cpp: Renamed from Source/WebCore/html/canvas/Float32Array.cpp.
        (WTF::ArrayBuffer::transfer):
        (WTF::ArrayBuffer::addView):
        (WTF::ArrayBuffer::removeView):
        * wtf/ArrayBuffer.h: Renamed from Source/WebCore/html/canvas/ArrayBuffer.cpp.
        (WTF::ArrayBufferContents::ArrayBufferContents):
        (WTF::ArrayBufferContents::data):
        (WTF::ArrayBufferContents::sizeInBytes):
        (WTF::ArrayBufferContents::transfer):
        (WTF::ArrayBuffer::~ArrayBuffer):
        (WTF::ArrayBuffer::clampValue):
        (WTF::ArrayBuffer::create):
        (WTF::ArrayBuffer::ArrayBuffer):
        (WTF::ArrayBuffer::data):
        (WTF::ArrayBuffer::byteLength):
        (WTF::ArrayBuffer::slice):
        (WTF::ArrayBuffer::sliceImpl):
        (WTF::ArrayBuffer::clampIndex):
        (WTF::ArrayBufferContents::tryAllocate):
        (WTF::ArrayBufferContents::~ArrayBufferContents):
        * wtf/ArrayBufferView.cpp: Copied from Source/WebCore/bindings/js/JSArrayBufferCustom.cpp.
        (WTF::ArrayBufferView::ArrayBufferView):
        (WTF::ArrayBufferView::~ArrayBufferView):
        (WTF::ArrayBufferView::neuter):
        * wtf/ArrayBufferView.h: Renamed from Source/WebCore/html/canvas/ArrayBufferView.h.
        (WTF::ArrayBufferView::isByteArray):
        (WTF::ArrayBufferView::isUnsignedByteArray):
        (WTF::ArrayBufferView::isShortArray):
        (WTF::ArrayBufferView::isUnsignedShortArray):
        (WTF::ArrayBufferView::isIntArray):
        (WTF::ArrayBufferView::isUnsignedIntArray):
        (WTF::ArrayBufferView::isFloatArray):
        (WTF::ArrayBufferView::isDoubleArray):
        (WTF::ArrayBufferView::isDataView):
        (WTF::ArrayBufferView::buffer):
        (WTF::ArrayBufferView::baseAddress):
        (WTF::ArrayBufferView::byteOffset):
        (WTF::ArrayBufferView::verifySubRange):
        (WTF::ArrayBufferView::clampOffsetAndNumElements):
        (WTF::ArrayBufferView::setImpl):
        (WTF::ArrayBufferView::setRangeImpl):
        (WTF::ArrayBufferView::zeroRangeImpl):
        (WTF::ArrayBufferView::calculateOffsetAndLength):
        * wtf/CMakeLists.txt:
        * wtf/Float32Array.h: Renamed from Source/WebCore/html/canvas/Float32Array.h.
        (WTF::Float32Array::set):
        (WTF::Float32Array::item):
        (WTF::Float32Array::isFloatArray):
        (WTF::Float32Array::create):
        (WTF::Float32Array::Float32Array):
        (WTF::Float32Array::subarray):
        * wtf/Float64Array.h: Renamed from Source/WebCore/html/canvas/Float64Array.h.
        (WTF::Float64Array::set):
        (WTF::Float64Array::item):
        (WTF::Float64Array::isDoubleArray):
        (WTF::Float64Array::create):
        (WTF::Float64Array::Float64Array):
        (WTF::Float64Array::subarray):
        * wtf/Int16Array.h: Renamed from Source/WebCore/html/canvas/Int16Array.cpp.
        (WTF::Int16Array::set):
        (WTF::Int16Array::isShortArray):
        (WTF::Int16Array::create):
        (WTF::Int16Array::Int16Array):
        (WTF::Int16Array::subarray):
        * wtf/Int32Array.h: Renamed from Source/WebCore/html/canvas/Int32Array.cpp.
        (WTF::Int32Array::set):
        (WTF::Int32Array::isIntArray):
        (WTF::Int32Array::create):
        (WTF::Int32Array::Int32Array):
        (WTF::Int32Array::subarray):
        * wtf/Int8Array.h: Renamed from Source/WebCore/html/canvas/Int8Array.cpp.
        (WTF::Int8Array::set):
        (WTF::Int8Array::isByteArray):
        (WTF::Int8Array::create):
        (WTF::Int8Array::Int8Array):
        (WTF::Int8Array::subarray):
        * wtf/IntegralTypedArrayBase.h: Renamed from Source/WebCore/html/canvas/IntegralTypedArrayBase.h.
        (WTF::IntegralTypedArrayBase::set):
        (WTF::IntegralTypedArrayBase::item):
        (WTF::IntegralTypedArrayBase::IntegralTypedArrayBase):
        * wtf/TypedArrayBase.h: Renamed from Source/WebCore/html/canvas/TypedArrayBase.h.
        (WTF::TypedArrayBase::data):
        (WTF::TypedArrayBase::set):
        (WTF::TypedArrayBase::setRange):
        (WTF::TypedArrayBase::zeroRange):
        (WTF::TypedArrayBase::length):
        (WTF::TypedArrayBase::byteLength):
        (WTF::TypedArrayBase::TypedArrayBase):
        (WTF::TypedArrayBase::create):
        (WTF::TypedArrayBase::subarrayImpl):
        * wtf/Uint16Array.h: Renamed from Source/WebCore/html/canvas/Uint16Array.cpp.
        (WTF::Uint16Array::set):
        (WTF::Uint16Array::isUnsignedShortArray):
        (WTF::Uint16Array::create):
        (WTF::Uint16Array::Uint16Array):
        (WTF::Uint16Array::subarray):
        * wtf/Uint32Array.h: Renamed from Source/WebCore/html/canvas/Uint32Array.cpp.
        (WTF::Uint32Array::set):
        (WTF::Uint32Array::isUnsignedIntArray):
        (WTF::Uint32Array::create):
        (WTF::Uint32Array::Uint32Array):
        (WTF::Uint32Array::subarray):
        * wtf/Uint8Array.h: Renamed from Source/WebCore/html/canvas/Uint8Array.h.
        (WTF::Uint8Array::set):
        (WTF::Uint8Array::isUnsignedByteArray):
        (WTF::Uint8Array::create):
        (WTF::Uint8Array::Uint8Array):
        (WTF::Uint8Array::subarray):
        * wtf/wtf.pro:

2011-11-27  Filip Pizlo  <fpizlo@apple.com>

        Don't try to optimize huge code blocks
        https://bugs.webkit.org/show_bug.cgi?id=73187

        Reviewed by Oliver Hunt.
        
        This unifies the heuristics used for deciding if a code block is too big
        to optimize, and sets this heuristic to 1000, which is intuitively better
        than numeric_limits<unsigned>::max(). It also results in what looks like
        a speed-up on both SunSpider and V8 (in Tools/Scripts/bencher).

        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-11-28  Filip Pizlo  <fpizlo@apple.com>

        Either remove the GetMethod node from the DFG backend, or find a use for it
        https://bugs.webkit.org/show_bug.cgi?id=73178

        Reviewed by Gavin Barraclough.
        
        More testing seemed to imply that the GetMethod code was indeed not profitable
        in any major test. So, it's probably best to just remove it.

        * bytecode/CodeBlock.cpp:
        (JSC::MethodCallLinkInfo::reset):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGRepatch.cpp:
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-28  Michael Saboff  <msaboff@apple.com>

        Change set 101187 from bug 73154 removed already lower case optimization
        https://bugs.webkit.org/show_bug.cgi?id=73174

        Added back the "string is already lower case" optimization.

        Reviewed by Geoffrey Garen.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncToLowerCase):

2011-11-28  Simon Hausmann  <simon.hausmann@nokia.com>

        Unreviewed prospective build fix. Touch the file to trigger correct
        rebuild on the Qt mips/sh4/sl bot.

        * wtf/unicode/qt4/UnicodeQt4.h:

2011-11-28  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Remove cruft from project file

        Reviewed by Simon Hausmann.

        * Target.pri:

2011-11-28  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] WTF should be built as separate static library
        https://bugs.webkit.org/show_bug.cgi?id=73201

        Reviewed by Tor Arne Vestbø.

        * Target.pri: Don't claim to build WTF, as that would cause
        the debug-with-shlibs build to not link in wtf.
        * jsc.pro: Require wtf.
        * wtf/wtf.pri: Removed.
        * wtf/wtf.pro: Added. Pro file to build wtf statically.

2011-11-28  Martin Robinson  <mrobinson@igalia.com>

        [GTK] JavaScriptCore generated sources should build in the DerivedSources directory
        https://bugs.webkit.org/show_bug.cgi?id=73197

        Reviewed by Philippe Normand.

        Build all JavaScriptCore generated sources in DerivedSources.

        * GNUmakefile.am: Update generation rules.
        * GNUmakefile.list.am: Update source lists.

2011-11-27  Filip Pizlo  <fpizlo@apple.com>

        DFG should not emit GetMethod node
        https://bugs.webkit.org/show_bug.cgi?id=73175

        Reviewed by Gavin Barraclough.
        
        Replaces all instances of the GetMethod node with GetById. This appears to
        be a slight win on V8. This patch leaves GetMethod support in the code-base,
        making this decision easy to reverse, for now.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2011-11-26  Hajime Morrita  <morrita@chromium.org>

        Needs WTF_INLINE and JS_INLINE
        https://bugs.webkit.org/show_bug.cgi?id=72853

        Reviewed by Kevin Ollivier.

        Added WTF_HIDDEN, WTF_INLINE and JS_INLINE which
        indirect __attribute__((visibility("hidden"))

        * config.h:
        * wtf/ExportMacros.h:

2011-11-25  Michael Saboff  <msaboff@apple.com>

        String.prototype.toLower should be optimized for 8 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=73154

        Changed stringProtoFuncToLowerCase to use StringImpl::lower() which has
        been optimized for 8 bit strings.

        This is worth ~7% to sunspider string.tagcloud.

        Reviewed by Filip Pizlo.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncToLowerCase):

2011-11-25  Michael Saboff  <msaboff@apple.com>

        Array.toString always uses StringImpl::characters()
        https://bugs.webkit.org/show_bug.cgi?id=72969

        If all component strings are 8 bit, create an 8 bit result string for toString().

        This appears to be performance neutral to sunspider and v8.

        Reviewed by Filip Pizlo.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):

2011-11-24  Michael Saboff  <msaboff@apple.com>

        UString methods are not character size aware
        https://bugs.webkit.org/show_bug.cgi?id=72975

        Changed the UString number constructors to build 8 bit strings.
        Modified the other methods to check string bitness and process
        with 8 bits wherre appropriate.

        * runtime/UString.cpp:
        (JSC::UString::number):
        (JSC::operator==):
        (JSC::operator<):
        (JSC::UString::ascii):

2011-11-24  Michael Saboff  <msaboff@apple.com>

        JavaScript string to number conversion functions use characters()
        https://bugs.webkit.org/show_bug.cgi?id=72974

        Change the various JS to number routines to process strings
        using characters8() or characters16() as appropriate.
        Implemented using static template methods.

        Reviewed by Filip Pizlo.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::isInfinity):
        (JSC::jsHexIntegerLiteral):
        (JSC::jsStrDecimalLiteral):
        (JSC::toDouble):
        (JSC::jsToNumber):

2011-11-24  Michael Saboff  <msaboff@apple.com>

        Empty JSStrings are created as 16 bit
        https://bugs.webkit.org/show_bug.cgi?id=72968

        Clear m_is8Bit flag for empty strings.

        Reviewed by Filip Pizlo.

        * runtime/JSString.h:
        (JSC::RopeBuilder::finishCreation):

2011-11-24  Michael Saboff  <msaboff@apple.com>

        Tune JSStringBuilder for 8 bit Strings
        https://bugs.webkit.org/show_bug.cgi?id=72683

        Changed JSStringBuilder to use 8 bit buffers until 16 bit data is added.
        When 16 bit data is to be added, the 8 bit buffer is converted to 16 bit
        and building continues with a 16 bit buffer.

        Reviewed by Filip Pizlo.

        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::JSStringBuilder):
        (JSC::JSStringBuilder::append):
        (JSC::JSStringBuilder::upConvert):
        (JSC::JSStringBuilder::build):
        * runtime/UString.h:
        (JSC::UString::adopt):
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::adopt):

2011-11-24  Zeno Albisser  <zeno@webkit.org>

        [Qt]WK2][Mac] Use Mac port's IPC implementation instead of Unix sockets
        https://bugs.webkit.org/show_bug.cgi?id=72495

        Update defines to not use Unix Domain Sockets for platform Qt on Mac.
        This enables Qt to reuse existing code for mach ports and Grand
        Central Dispatch based IPC.

        Reviewed by Simon Hausmann.

        * wtf/Platform.h:

2011-11-24  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] REGRESSION(r101131): WTF::scheduleDispatchFunctionsOnMainThread() doesn't work reliably

        Reviewed by Andreas Kling.

        We must make sure that the MainThreadInvoker object lives in the gui thread. There are a few
        ways of doing that and this fix seems like the least intrusive one by simply pushing the
        invoker to the gui thread if it's not there already.

        * wtf/qt/MainThreadQt.cpp:
        (WTF::scheduleDispatchFunctionsOnMainThread):

2011-11-24  Patrick Gansterer  <paroga@webkit.org>

        [Qt] Use QEvent for dispatchFunctionsFromMainThread()
        https://bugs.webkit.org/show_bug.cgi?id=72704

        Reviewed by Simon Hausmann.

        Replace QMetaObject::invokeMethod with QCoreApplication::postEvent.
        This is the same as what invokeMethod does internally, but reduces
        the dependency on some internal QThread stuff.

        * wtf/qt/MainThreadQt.cpp:
        (WTF::MainThreadInvoker::MainThreadInvoker):
        (WTF::MainThreadInvoker::event):
        (WTF::scheduleDispatchFunctionsOnMainThread):

2011-11-23  George Staikos  <staikos@webkit.org>

        Remove BlackBerry OS support from RandomNumberSeed, making QNX=UNIX.
        https://bugs.webkit.org/show_bug.cgi?id=73028

        Reviewed by Daniel Bates.

        * wtf/RandomNumberSeed.h:
        (WTF::initializeRandomNumberGenerator):

2011-11-23  Nikolas Zimmermann  <nzimmermann@rim.com>

        Add flags/precision arguments to String::number(double) to allow fine-grained control over the result string
        https://bugs.webkit.org/show_bug.cgi?id=72793

        Reviewed by Zoltan Herczeg.

        This new code will be used in follow-up patches to replace the String::format("%.2f") usage in
        platform/text/TextStream.cpp, and String::format("%.6lg") usage in svg/SVGPathStringBuilder.cpp.

        The String::number(double) currently calls String::format("%.6lg") in trunk. In order to replace
        this by a variant that properly rounds to six significant figures, JSC code could be refactored.
        JSCs Number.toPrecision/toFixed uses wtf/dtoa/double-conversion which provides all features we need,
        except truncating trailing zeros, needed to mimic the "g" format, which is either f or e but with
        trailing zeros removed, producing shorter results. Changed the default signature to:

        "static String number(double, unsigned = ShouldRoundSignificantFigures | ShouldTruncateTrailingZeros, unsigned precision = 6);".

        In WebCore we can now replace String::format() calls like this:
        String::format("%.2f", f) -> String::number(f, ShouldRoundDecimalPlaces, 2)
        String::format("%.6lg", f) -> String::number(f)

        The default parameters for precison & flags exactly match the format of the string produced now, except that the result
        is rounded according to the rounding mode / formatting mode and precision. This paves the way towards reliable results
        in the d="" attribute dumps of SVG paths  across platforms. The dtoa rounding code enforces a unique zero, resolving
        all 0.0 vs. -0.0 issues currently seen on Windows, and some Gtk/Qt bots.

        This patch needs a rebaseline of svg/dom/length-list-parser.html as we don't perfecly mimic the String::format() "lg" mode
        result for exponentials, we used to return eg. "e-7" and now return "e-07" - the trailing zero truncation hasn't been
        implemented for exponentials, as this really affects only this test and thus wasn't worth the trouble - in contrary the
        trailing zero truncation is needed for thousands of other results in "f" notation, and thus needed to match the DRT results.

        Here's a performance comparision using a JSC release build and some arbitary numbers:
        Converting 123.456 using old approach took 95.527100ms. avg 0.000955ms/call.
        Converting 123.456 using new approach took 28.126953ms. avg 0.000281ms/call.

        Converting 123 using old approach took 85.411133ms. avg 0.000854ms/call.
        Converting 123 using new approach took 24.190186ms. avg 0.000242ms/call.

        Converting 0.1 using old approach took 92.622803ms. avg 0.000926ms/call.
        Converting 0.1 using new approach took 23.317871ms. avg 0.000233ms/call.

        Converting 1/i using old approach took 106.893066ms. avg 0.001069ms/call.
        Converting 1/i using new approach took 27.164062ms. avg 0.000272ms/call.

        For all numbers I've tested in RoundingSignificantFigures mode and 6 digit precision the speedup was at least 250%.

        * JavaScriptCore.exp: Change String::number(double) signature.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Ditto.
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToFixed): Refactor this into numberToFixedPrecisionString(), move to wtf/dtoa.cpp.
        (JSC::numberProtoFuncToPrecision): Ditto, refactor this into numberToFixedWidthString.
        * wtf/dtoa.cpp: Moved fixedWidth/Precision helpers into dtoa, extend numberToFixedPrecisionString(). Add a mode which allows to truncate trailing zeros/decimal point.
                        to make it possible to use them to generate strings that match the output from String::format("%6.lg"), while using our dtoas rounding facilities.
        * wtf/dtoa.h:
        * wtf/dtoa/utils.h: Expose new helper method, which allows us to truncate the result, before generating the output const char*.
        (WTF::double_conversion::StringBuilder::SetPosition):
        * wtf/text/WTFString.cpp:
        (WTF::String::number): Remove String::format("%6.lg") usage! Switch to rounding to six significant figures, while matching the output of String::format.
        * wtf/text/WTFString.h:

2011-11-23  Hajime Morrita  <morrita@chromium.org>

        WTF::String has extra WTF_EXPORT_PRIVATE
        https://bugs.webkit.org/show_bug.cgi?id=72858

        Reviewed by Kevin Ollivier.

        * wtf/text/WTFString.h:
        (WTF::String::String):

2011-11-23  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Move the top-level logic to the top-level directory.
        https://bugs.webkit.org/show_bug.cgi?id=72685

        Reviewed by Brent Fulgham.

        * CMakeLists.txt: Point to the right Source/ directory.
        * wtf/CMakeLists.txt: Ditto.

2011-11-22  Yuqiang Xian  <yuqiang.xian@intel.com>

        Strength reduction for Mul and Mod operations for known constants in DFG
        https://bugs.webkit.org/show_bug.cgi?id=72878

        Reviewed by Filip Pizlo.

        Also the code should be commonly shared by both 32_64 and 64.

        * dfg/DFGNode.h:
        (JSC::DFG::nodeMayOverflow):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::fmodAsDFGOperation):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::isPowerOfTwo):
        (JSC::DFG::logTwo):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-22  Daniel Bates  <dbates@rim.com>

        Add WTF infrastructure for the BlackBerry port
        https://bugs.webkit.org/show_bug.cgi?id=72970

        Reviewed by Antonio Gomes.

        * wtf/Assertions.cpp: Added BlackBerry-specific logging directive.
        * wtf/MathExtras.h:
        (abs): Added; stdlib doesn't contain abs() on QNX.
        * wtf/Platform.h: Define WTF_PLATFORM_BLACKBERRY and enable some platform features.
        * wtf/RandomNumberSeed.h:
        (WTF::initializeRandomNumberGenerator): For the BlackBerry port, we initialize
        the bad pseudo random number generator using time(3) before initializing the
        Mersenne Twister random number generator.
        * wtf/ThreadingPthreads.cpp:
        (WTF::createThreadInternal): Added.
        * wtf/blackberry: Added.
        * wtf/blackberry/MainThreadBlackBerry.cpp: Added.
        (WTF::initializeMainThreadPlatform):
        (WTF::scheduleDispatchFunctionsOnMainThread):
        * wtf/text/WTFString.h: Added constructor and conversion operator for
        BlackBerry WebString string object.

2011-11-22  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r100988.
        http://trac.webkit.org/changeset/100988
        https://bugs.webkit.org/show_bug.cgi?id=72941

        "Broke pixel tests on Chromium-Linux" (Requested by kbalazs on
        #webkit).

        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/ParallelJobs.h:
        * wtf/ParallelJobsGeneric.cpp:
        * wtf/ParallelJobsGeneric.h:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::execute):
        * wtf/Platform.h:

2011-11-21  Balazs Kelemen  <kbalazs@webkit.org>

        Enable ParallelJobs by default
        https://bugs.webkit.org/show_bug.cgi?id=70032

        Reviewed by Zoltan Herczeg.

        According to measurements on Mac and Linux it is a
        considerable speedup for SVG on multicore.

        Remove the ENABLE(PARALLEL_JOBS) guard.
        Fix build on Windows and Chromium.

        * JavaScriptCore.gypi:  Add the files to the build. It was
        missing for the gyp build system.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Export symbols.
        * wtf/ParallelJobs.h:
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::execute):
        Deinline these to avoid exporting a lot of symbols.
        These are non-trivial and called only once on a given object
        so it doesn't seems to be worthwile to inline them.
        Additionally fix a signed-unsigned comparison in the constructor.
        * wtf/ParallelJobsGeneric.h:
        * wtf/Platform.h:

2011-11-21  Filip Pizlo  <fpizlo@apple.com>

        DFG should have richer debug output for CFA and phi processing
        https://bugs.webkit.org/show_bug.cgi?id=72922

        Reviewed by Gavin Barraclough.
        
        In the default verbose mode, we now print information about variable
        state at the bottom of basic blocks in addition to the top, and we
        also print local variable linking. In the verbose propagation mode,
        the state of phi processing is dumped more richly and CFA merging (the
        most subtle part of CFA) is traced as well.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dump):
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCommon.h:
        (JSC::DFG::NodeIndexTraits::dump):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::dumpChildren):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOperands.h:
        (JSC::DFG::OperandValueTraits::dump):
        (JSC::DFG::dumpOperands):

2011-11-21  Filip Pizlo  <fpizlo@apple.com>

        Showing the data overlay in OpenStreetMap doesn't work, zooming partially broken
        https://bugs.webkit.org/show_bug.cgi?id=71505

        Reviewed by Gavin Barraclough.
        
        It turns out that we were corrupting phi nodes in case of overflow. The bug is
        really obvious, but producing a test case that causes the badness is hard. Even
        when the phi nodes do get corrupt, there's more that has to happen before it
        causes incorrect execution - and I wasn't able to reproduce in any kind of
        sensible reduced case.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processPhiStack):

2011-11-21  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] Speed up debug builds.
        https://bugs.webkit.org/show_bug.cgi?id=72882

        Reviewed by Tor Arne Vestbø.

        * Target.pri: Make BUILDING_JavaScriptCore available earlier, so it can be
        used by the build system.

2011-11-21  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r100913.
        http://trac.webkit.org/changeset/100913
        https://bugs.webkit.org/show_bug.cgi?id=72885

        "Break Windows build" (Requested by kbalazs on #webkit).

        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/ParallelJobs.h:
        * wtf/ParallelJobsGeneric.cpp:
        * wtf/ParallelJobsGeneric.h:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::execute):
        * wtf/Platform.h:

2011-11-21  Balazs Kelemen  <kbalazs@webkit.org>

        Enable ParallelJobs by default
        https://bugs.webkit.org/show_bug.cgi?id=70032

        Reviewed by Zoltan Herczeg.

        According to measurements on Mac and Linux it is a
        considerable speedup for SVG on multicore.

        Remove the ENABLE(PARALLEL_JOBS) guard.
        Fix build on Windows and Chromium.

        * JavaScriptCore.gypi:  Add the files to the build. It was
        missing for the gyp build system.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Export symbols.
        * wtf/ParallelJobs.h:
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::execute):
        Deinline these to avoid exporting a lot of symbols.
        These are non-trivial and called only once on a given object
        so it doesn't seems to be worthwile to inline them.
        Additionally fix a signed-unsigned comparison in the constructor.
        * wtf/ParallelJobsGeneric.h:
        * wtf/Platform.h:

2011-11-21  Andy Wingo  <wingo@igalia.com>

        Add .dir-locals.el file for better Emacs defaults
        https://bugs.webkit.org/show_bug.cgi?id=72483

        Reviewed by Xan Lopez.

        * .dir-locals.el: Set appropriate directory-local variables for Emacs.

2011-11-21  Filip Pizlo  <fpizlo@apple.com>
        
        Another attempt at a build fix.

        * dfg/DFGRepatch.h:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):

2011-11-20  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed interpreter build fix.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGRepatch.h:

2011-11-20  Yuqiang Xian  <yuqiang.xian@intel.com>

        Improve modulo operation on 32bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=72501

        Reviewed by Filip Pizlo.

        Extend softModulo to support X86 and MIPS in baseline JIT.
        Apply the same optimization to 32bit DFG JIT.
        1% gain on Kraken, tested on Linux Core i7 Nehalem 32bit.

        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::softModulo):
        * wtf/Platform.h:

2011-11-18  Filip Pizlo  <fpizlo@apple.com>

        Inline caches that refer to otherwise dead objects should be cleared
        https://bugs.webkit.org/show_bug.cgi?id=72311

        Reviewed by Geoff Garen.

        DFG code blocks now participate in the weak reference harvester fixpoint
        so that they only consider themselves to be live if either they are
        currently executing, or their owner is live and all of their weak references
        are live. If not, the relevant code blocks are jettisoned.

        Inline caches in both the old JIT and the DFG are now cleared if any of
        their references are not marked at the end of a GC.

        This is performance-neutral on SunSpider, V8, and Kraken. With the clear-
        all-code-on-GC policy that we currently have, it shows a slight reduction
        in memory usage. If we turn that policy off, it's pretty easy to come up
        with an example program that will cause ToT to experience linear heap
        growth, while with this patch, the heap stays small and remains at a
        constant size.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::readCallTarget):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::readCallTarget):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::readCallTarget):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::readCallTarget):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::performTracingFixpointIteration):
        (JSC::CodeBlock::visitWeakReferences):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::MethodCallLinkInfo::reset):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::reoptimize):
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        * bytecode/Instruction.h:
        (JSC::PolymorphicAccessStructureList::visitWeak):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::isPutByIdAccess):
        (JSC::StructureStubInfo::reset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOperations.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchByIdSelfAccess):
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        * dfg/DFGRepatch.h:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::clearToMaxUnsigned):

2011-11-20  Filip Pizlo  <fpizlo@apple.com>

        Showing the data overlay in OpenStreetMap doesn't work, zooming partially broken
        https://bugs.webkit.org/show_bug.cgi?id=71505

        Reviewed by Oliver Hunt.
        
        The bytecode generator was assuming that call_varargs never reuses the base register
        (i.e. the function being called) for the result. This is no longer true.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ApplyFunctionCallDotNode::emitBytecode):

2011-11-20  Filip Pizlo  <fpizlo@apple.com>

        DFG 32_64 should directly store double virtual registers on SetLocal
        https://bugs.webkit.org/show_bug.cgi?id=72845

        Reviewed by Oliver Hunt.
        
        2% win on Kraken.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-20  Noel Gordon  <noel.gordon@gmail.com>

        [chromium] Remove DFG::JITCodeGenerator from the gyp projects
        https://bugs.webkit.org/show_bug.cgi?id=72842

        Reviewed by Filip Pizlo.

        dfg/DFGJITCodeGenerator.{h,cpp} were removed in r100244

        * JavaScriptCore.gypi: remove dfg/DFGJITCodeGenerator.{h,cpp}

2011-11-18  Daniel Bates  <dbates@rim.com>

        Add CMake build infrastructure for the BlackBerry port
        https://bugs.webkit.org/show_bug.cgi?id=72768

        Reviewed by Antonio Gomes.

        * PlatformBlackBerry.cmake: Added.
        * shell/PlatformBlackBerry.cmake: Added.
        * wtf/PlatformBlackBerry.cmake: Added.

2011-11-18  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT fails speculation on InstanceOf if the base is not an object
        https://bugs.webkit.org/show_bug.cgi?id=72709

        Reviewed by Geoff Garen.
        
        InstanceOf already leverages the fact that we only allow the default
        hasInstance implementation. So, if the base is predicted to possibly
        be not an object and the CFA has not yet proven otherwise, InstanceOf
        will abstain from speculating cell and instead return false if the
        base is not a cell.
        
        This appears to be a 1% speed-up on V8 on the V8 harness. 3-4% or so
        speed-up in earley-boyer. Neutral according to bencher on SunSpider,
        V8, and Kraken. In 32-bit, it's a 0.5% win on SunSpider and a 1.9%
        win on V8 even on my harness, due to a 12.5% win on earley-boyer.
        
        I also took this opportunity to make the code for InstanceOf common
        between the two JITs. This was partially successful, in that the
        "common code" has a bunch of #if's, but overall it seems like a code
        size reduction.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Forgot to completely de-virtualize isDynamicScope
        https://bugs.webkit.org/show_bug.cgi?id=72763

        Reviewed by Darin Adler.

        * runtime/JSActivation.h: Removed virtual keyword.

2011-11-18  Filip Pizlo  <fpizlo@apple.com>

        Crash in JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::DFG::SpeculationRecovery*)
        https://bugs.webkit.org/show_bug.cgi?id=72292

        Reviewed by Darin Adler.
        
        Fix this for 32_64.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2011-11-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize ExecutableBase::intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=72548

        Reviewed by Oliver Hunt.

        * runtime/Executable.cpp:
        (JSC::ExecutableBase::intrinsic): Dynamic cast to NativeExecutable. If successful, call intrinsic, otherwise return default value. 
        * runtime/Executable.h:
        * runtime/JSCell.h:
        (JSC::jsDynamicCast): Add jsDynamicCast that duplicates the functionality of dynamic_cast in C++ but uses ClassInfo
        rather than requiring C++ RTTI.

2011-11-18  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Remove duplicate dtoa files from CMakeLists.txt
        https://bugs.webkit.org/show_bug.cgi?id=72711

        Reviewed by Brent Fulgham.

        * wtf/CMakeLists.txt:

2011-11-17  Michael Saboff  <msaboff@apple.com>

        [Qt] REGRESSION(r100510): Enable 8 Bit Strings in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=72602

        Fixed StringImpl::foldCase by adding return in the case we need to handle
        folding of 8 bit strings with Latin-1 characters.

        Fixed case where StringImpl::replace was using a char temp instead of an
        LChar temp.

        Because of the second change, I changed other uses of char or
        unsigned char to LChar.

        Reviewed by Zoltan Herczeg.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::upper):
        (WTF::StringImpl::foldCase):
        (WTF::equal):
        (WTF::equalIgnoringCase):
        (WTF::StringImpl::replace):

2011-11-17  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Move FAST_MALLOC specific lines from Platform*.cmake to CMakeLists.txt
        https://bugs.webkit.org/show_bug.cgi?id=72644

        Reviewed by Brent Fulgham.

        All ports need to do the same determination about fast malloc. Move the CMake code from
        platform specific files into the generic one, so that additional ports can reuse it.

        * wtf/CMakeLists.txt:
        * wtf/PlatformEfl.cmake:
        * wtf/PlatformWinCE.cmake:

2011-11-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add finalizer to JSActivation
        https://bugs.webkit.org/show_bug.cgi?id=72575

        Reviewed by Geoffrey Garen.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::finishCreation): Attach finalize function to objects during creation.
        (JSC::JSActivation::finalize):
        * runtime/JSActivation.h: Replaced virtual destructor with static finalize function.

2011-11-15  Filip Pizlo  <fpizlo@apple.com>

        Code block jettisoning should be part of the GC's transitive closure
        https://bugs.webkit.org/show_bug.cgi?id=72467

        Reviewed by Geoff Garen.
        
        Replaced JettisonedCodeBlocks with DFGCodeBlocks. The latter knows about all
        DFG code blocks (i.e. those that may be jettisoned, and may have inlined weak
        references) and helps track what state each of those code blocks is in during
        GC. The state consists of two flags; mayBeExecuting, which tells if the code block
        is live from call frames; and isJettisoned, which tells if the code block is
        not owned by any executable and thus should be deleted as soon as it is not
        mayBeExecuting.
        
        - Not executing, Not jettisoned: The code block may or may not be reachable from
          any executables, but it is owned by an executable, and hence should be
          kept alive if its executable is live and if all of its weak references are
          live. Otherwise it should be deleted during the current GC cycle, and its
          outgoing references should not be scanned.
          
        - Not executing but jettisoned: The code block should be deleted as soon as
          possible and none of its outgoing references should be scanned.
          
        - Executing but not jettisoned: The code block should be kept alive during this
          GC cycle, and all of its outgoing references (including the weak ones)
          should be scanned and marked strongly. The mayBeExecuting bit will be cleared at
          the end of the GC cycle.
          
        - Executing and jettisoned: The code block should be kept alive during this
          GC cycle, and all of its outgoing references (including the weak ones)
          should be scanned and marked strongly. However, on the next GC cycle, it
          will have its mayBeExecuting bit cleared and hence it will become a candidate
          for immediate deletion provided it is not executing again.

        This is performance-neutral.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setJITCode):
        (JSC::CodeBlock::DFGData::DFGData):
        (JSC::DFGCodeBlocks::mark):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        * heap/DFGCodeBlocks.cpp: Added.
        (JSC::DFGCodeBlocks::DFGCodeBlocks):
        (JSC::DFGCodeBlocks::~DFGCodeBlocks):
        (JSC::DFGCodeBlocks::jettison):
        (JSC::DFGCodeBlocks::clearMarks):
        (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
        (JSC::DFGCodeBlocks::traceMarkedCodeBlocks):
        * heap/DFGCodeBlocks.h: Added.
        * heap/Heap.cpp:
        (JSC::Heap::jettisonDFGCodeBlock):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/JettisonedCodeBlocks.cpp: Removed.
        * heap/JettisonedCodeBlocks.h: Removed.
        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::gatherConservativeRoots):
        * interpreter/RegisterFile.h:
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):

2011-11-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix for 32-bit.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-16  Geoffrey Garen  <ggaren@apple.com>

        Some CachedCall cleanup, in preparation for reversing argument order.

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitWeakReferences): A build fix for the interpreter,
        so I can test it.

        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall): Renamed argCount to argumentCount because
        we are not that desperate for character saving.

        (JSC::CachedCall::setThis):
        (JSC::CachedCall::setArgument): Adopted new 0-based argument indexing for
        CallFrameClosure.

        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::setThis):
        (JSC::CallFrameClosure::setArgument):
        (JSC::CallFrameClosure::resetCallFrame): Provide 0-based argument indexing,
        with an explicit setter for 'this', since that's how most clients think.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h: Change argCount to argumentCountIncludingThis,
        for clarity.

2011-11-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize ScriptExecutable::unlinkCalls
        https://bugs.webkit.org/show_bug.cgi?id=72546

        Reviewed by Geoffrey Garen.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::~FunctionExecutable): Added an empty explicit virtual destructor to prevent a very odd compilation error
        due to the fact that the compiler was trying to generate the implicit inline destructor in every translation unit, some of which 
        didn't have complete type information on the things that needed to be destructed in the implicit destructor.
        * runtime/Executable.h:
        (JSC::EvalExecutable::createStructure): Used new type value from JSType
        (JSC::ProgramExecutable::createStructure): Ditto
        (JSC::FunctionExecutable::createStructure): Ditto
        (JSC::ScriptExecutable::unlinkCalls): Condition upon the type value, cast and call the corresponding unlinkCalls implementation.
        * runtime/JSType.h: Added new values for EvalExecutable, ProgramExecutable, and FunctionExecutable.  Remove explicit numbers, since 
        that just adds noise to patches and they currently have no significance.

2011-11-16  Filip Pizlo  <fpizlo@apple.com>

        JSC::CodeBlock should know which references generated by the DFG are weak
        https://bugs.webkit.org/show_bug.cgi?id=72563

        Reviewed by Geoff Garen.
        
        CodeBlock::m_dfgData now tracks weak references and weak reference transitions
        (like ephemerons) generated by the DFG. The DFG makes sure to notify the
        CodeBlock of all uses of weak references and weak reference transitions.
        CodeBlock currently marks them strongly, since the weak marking logic is not
        in place, yet.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::stronglyVisitWeakReferences):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::appendWeakReference):
        (JSC::CodeBlock::shrinkWeakReferencesToFit):
        (JSC::CodeBlock::appendWeakReferenceTransition):
        (JSC::CodeBlock::shrinkWeakReferenceTransitionsToFit):
        (JSC::CodeBlock::WeakReferenceTransition::WeakReferenceTransition):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::codeOriginOwner):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        (JSC::DFG::JITCompiler::addWeakReferenceTransition):
        (JSC::DFG::JITCompiler::branchWeakPtr):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-16  Michael Saboff  <msaboff@apple.com>

        LayoutTests for Debug Builds Crashes in JavaScriptCore/yarr/YarrInterpreter.cpp(185)
        https://bugs.webkit.org/show_bug.cgi?id=72561

        Removed #if USE(JSC) and therefore the ASSERT_NOT_REACHED().
        Simplified the code in the process.

        Reviewed by James Robinson.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::CharAccess::CharAccess):
        (JSC::Yarr::Interpreter::CharAccess::~CharAccess):

2011-11-16  Geoffrey Garen  <ggaren@apple.com>

        Interpreter build fixes.

        * bytecode/CodeBlock.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-11-16  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r100363.

        * bytecode/CodeBlock.h:

2011-11-16  Geoffrey Garen  <ggaren@apple.com>

        Rolled back in r100375 and r100385 with 32-bit build fixed.

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArgList.cpp:
        (JSC::ArgList::getSlice):
        * runtime/ArgList.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::finishCreation):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSGlobalObject.h:
        (JSC::constructArray):

2011-11-16  Filip Pizlo  <fpizlo@apple.com>

        DFG global variable CSE mishandles the cross-global-object inlining corner case
        https://bugs.webkit.org/show_bug.cgi?id=72542

        Reviewed by Geoff Garen.
        
        Moved code to get the global object for a code origin into CodeBlock, so it is
        more broadly accessible. Fixed CSE to compare both the variable number, and the
        global object, before deciding to perform elimination.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::globalObjectFor):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::globalObjectFor):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):

2011-11-16  Michael Saboff  <msaboff@apple.com>

        Enable 8 Bit Strings in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=71337

        This patch turns on 8 bit strings in StringImpl and enables
        their use in JavaScriptCore. Some of the changes are to
        turn on code that had been staged (Lexer.cpp, Identifier.cpp,
        SmallStrings.cpp and some of StringImpl.{h,cpp}).
        Other changes are minor fixes to make 8 bit strings work
        (UString.h, StringImpl::getData16SlowCase()).
        Changed StringBuffer to be a templated class based on character
        type.  This change rippled into WebCore code as well.

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.exp:
        * parser/Lexer.cpp:
        (JSC::::append8): Changed to use 8 bit buffers.
        (JSC::::parseIdentifier): Changed to use 8 bit buffers.
        (JSC::::parseString): Changed to use 8 bit buffers.
        * runtime/Identifier.cpp:
        (JSC::IdentifierCStringTranslator::translate): 8 bit version keeps data 8 bit
        (JSC::Identifier::toUInt32FromCharacters): Templated helper.
        (JSC::Identifier::toUInt32): Added 8 bit optimized path.
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage): Changed to be 8 bit strings
        * runtime/UString.h:
        (JSC::UString::characters): Now calls StringImpl::characters()
        * wtf/Forward.h:
        * wtf/text/StringBuffer.h: Made StringBuffer a template base on character type.
        (WTF::StringBuffer::StringBuffer):
        (WTF::StringBuffer::characters):
        (WTF::StringBuffer::release):
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::create):
        (WTF::StringImpl::getData16SlowCase): Fixed null terminated case.
        (WTF::StringImpl::removeCharacters): Added 8 bit path.
        (WTF::StringImpl::simplifyMatchedCharactersToSpace):
        (WTF::StringImpl::simplifyWhiteSpace):
        (WTF::equal): Removed bug from code copied from null terminated version.
        (WTF::StringImpl::adopt): Added 8 bit path.
        (WTF::StringImpl::createWithTerminatingNullCharacter): Fixed 8 bi flag propagation.
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::StringImpl): Added new 8 bit constructor.
        (WTF::StringImpl::characters8): Removed ASSERT_NOT_REACHED().
        (WTF::getCharacters<LChar>): Added templated accessor for 8 bit strings.
        (WTF::getCharacters<UChar>): Added templated accessor for 16 bit strings.
        * wtf/text/WTFString.h:
        (WTF::String::adopt): Changed to use StringBuffer template.

2011-11-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize ExecutableBase::clearCodeVirtual
        https://bugs.webkit.org/show_bug.cgi?id=72337

        Reviewed by Darin Adler.

        Added static finalize functions to the subclasses of ExecutableBase that provide an implementation 
        of clearCodeVirtual, changed all of the clearCodeVirtual methods to non-virtual clearCode method,
        and had the finalize functions call the corresponding clearCode methods.

        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):
        (JSC::NativeExecutable::finalize):
        (JSC::EvalExecutable::finalize):
        (JSC::EvalExecutable::clearCode):
        (JSC::ProgramExecutable::finalize):
        (JSC::ProgramExecutable::clearCode):
        (JSC::FunctionExecutable::discardCode):
        (JSC::FunctionExecutable::finalize):
        (JSC::FunctionExecutable::clearCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::finishCreation):
        (JSC::NativeExecutable::create):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):

2011-11-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        String new RegExp('\n').toString() returns is invalid RegularExpressionLiteral
        https://bugs.webkit.org/show_bug.cgi?id=71572

        Reviewed by Gavin Barraclough and Darin Adler.

        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSource):

2011-11-16  Darin Adler  <darin@apple.com>

        Specialize HashTraits for OwnPtr to use PassOwnPtr and raw pointer
        https://bugs.webkit.org/show_bug.cgi?id=72475

        Reviewed by Adam Roben.

        * wtf/HashTraits.h: Specialize HashTraits for OwnPtr.
        Do overloads so we can pass a nullptr and also be sure to get the
        raw pointer type from the OwnPtr template so we handle both forms
        of OwnPtr: OwnPtr<T> and OwnPtr<T*>.

2011-11-16  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] Centralize hide_symbols and ensure all libs are built with symbol visibility & bsymbolic_functions

        Reviewed by Tor Arne Vestbø.

        * Target.pri: Eliminate duplicated symbol stuff that lives now in default_post.prf.

2011-11-16  Simon Hausmann  <simon.hausmann@nokia.com>

        Unreviewed, rolling out r100266.
        http://trac.webkit.org/changeset/100266

        Broke WTR.

        * Target.pri:

2011-11-16  Darin Adler  <darin@apple.com>

        Add a "pass type" and "peek type" concept to HashTraits
        https://bugs.webkit.org/show_bug.cgi?id=72473

        Reviewed by Filip Pizlo.

        * wtf/HashTraits.h: Added the pass type and peek type.
        For OwnPtr, the pass type will be PassOwnPtr and the peek
        type will be a raw pointer.

2011-11-16  Darin Adler  <darin@apple.com>

        Fix some hash traits that don't derive from the base hash traits
        https://bugs.webkit.org/show_bug.cgi?id=72470

        Reviewed by Filip Pizlo.

        Hash traits structures need to derive from the base hash traits in
        HashTraits.h, but some were not. This is needed for compatibility with
        some additional traits we will be adding to make OwnPtr work with HashMap.

        * runtime/Identifier.h: Make IdentifierMapIndexHashTraits derive from
        HashTraits<int>. This enabled removal of all the members except for the
        ones that control the empty value, because this is otherwise the same
        as the standard int hash.

        * runtime/SymbolTable.h: Changed SymbolTableIndexHashTraits to derive
        from HashTraits<SymbolTableEntry> and removed redundant members.

2011-11-15  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r100375 and r100385.
        http://trac.webkit.org/changeset/100375
        http://trac.webkit.org/changeset/100385
        https://bugs.webkit.org/show_bug.cgi?id=72465

        They broke 32 bit builds on Qt (Requested by ossy on #webkit).

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArgList.cpp:
        (JSC::ArgList::getSlice):
        * runtime/ArgList.h:
        (JSC::ArgList::ArgList):
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSGlobalObject.h:

2011-11-15  George Staikos  <staikos@webkit.org>

        Remove the guard page from the addressable stack region on QNX.
        https://bugs.webkit.org/show_bug.cgi?id=72455

        Reviewed by Daniel Bates.

        * wtf/StackBounds.cpp:
        (WTF::StackBounds::initialize):

2011-11-15  Michael Saboff  <msaboff@apple.com>

        Towards 8 bit Strings - Update utf8() and ascii() methods for 8 bit strings
        https://bugs.webkit.org/show_bug.cgi?id=72323

        Added 8 bit optimized paths for String and UString ascii() and utf8() methods.

        Added String::characters8(), characters16() and is8Bit() helper methods.

        Added an new Unicode::convertLatin1ToUTF8() method that works on
        LChar (8 bit) strings that is a stripped down version of convertUTF16ToUTF8().

        Reviewed by Geoff Garen.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/UString.cpp:
        (JSC::UString::utf8):
        * wtf/text/WTFString.cpp:
        (WTF::String::ascii):
        (WTF::String::utf8):
        * wtf/text/WTFString.h:
        (WTF::String::characters8):
        (WTF::String::characters16):
        (WTF::String::is8Bit):
        (WTF::LChar):
        (WTF::UChar):
        * wtf/unicode/UTF8.cpp:
        (WTF::Unicode::convertLatin1ToUTF8):
        * wtf/unicode/UTF8.h:
        * wtf/unicode/Unicode.h:

2011-11-15  Darin Adler  <darin@apple.com>

        REGRESSION (r98887): ParserArena and Keywords leaking
        https://bugs.webkit.org/show_bug.cgi?id=72428

        Reviewed by Sam Weinig.

        * parser/Lexer.h: Made Keywords destructor public since OwnPtr and PassOwnPtr
        need to be able to destroy it.

        * parser/Parser.cpp:
        (JSC::Parser::Parser): Use get now that parserArena is an OwnPtr.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): Use adoptPtr to initialize OwnPtr members.

        * runtime/JSGlobalData.h: Make parserArena and keywords be OwnPtr.

2011-11-15  Geoffrey Garen  <ggaren@apple.com>

        Removed another use of ArgList that baked in the assumption that arguments
        are forward in the regiter file.

        Reviewed by Sam Weinig.

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION): Use our new array creation API, instead of
        working through ArgList.

        * runtime/ArgList.h: Removed!

2011-11-15  Geoffrey Garen  <ggaren@apple.com>

        Removed a use of ArgList that baked in the assumption that arguments
        are forward in the regiter file.

        Reviewed by Sam Weinig.

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION): Use new API.

        * runtime/ArgList.cpp:
        (JSC::ArgList::getSlice): No need to provide an arbitrary constructor --
        getSlice can do the right thing by using its rights to private data.

        * runtime/ArgList.h: Removed constructor that took a forward-contiguous
        set of arguments.

        * runtime/JSArray.cpp:
        (JSC::JSArray::finishCreation):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSGlobalObject.h:
        (JSC::constructArray): Added explicit support for creating an array from
        a pre-allocated set of values, so we could stop relying on the ArgList
        API we want to remove.

2011-11-15  Filip Pizlo  <fpizlo@apple.com>

        Crash in JSC::DFG::OSRExitCompiler::compileExit(JSC::DFG::OSRExit const&, JSC::DFG::SpeculationRecovery*)
        https://bugs.webkit.org/show_bug.cgi?id=72292

        Reviewed by Geoff Garen.
        
        We need to be careful about how we look for the baseline CodeBlock if we're lazy-compiling
        an OSR exit after our CodeBlock has been jettisoned. In short, use CodeBlock::baselineVersion()
        instead of CodeBlock::alternative().
        
        No performance effect.
        
        No tests because all of our heuristics work very hard to make sure that this never happens in
        the first place. OSR exits are rare by design, and jettisoning of CodeBlocks (i.e. recompilation)
        is even rarer. Furthermore, OSR exits after a CodeBlock has been jettisoned is rarer still
        because the whole point of jettisoning is to bring the probability of future OSR exits to as
        close to zero as possible. But even that isn't enough to trigger this bug; it requires the OSR
        exit after a jettison to be the first of its kind; our whole design tries to ensure that
        CodeBlocks tend to OSR exit at a handful (i.e. 1 in most cases) of points, and since jettisoning
        is triggered by OSR, in most sane cases the OSR exits after jettison will not require lazy OSR
        compilation. So this is a truly evil case, and any test for it would be quite fragile.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::specializationKind):
        (JSC::CodeBlock::largeFailCountThreshold):
        (JSC::CodeBlock::largeFailCountThresholdForLoop):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
        (JSC::DFG::AssemblyHelpers::baselineCodeBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2011-11-15  Geoffrey Garen  <ggaren@apple.com>

        Use MarkedArgumentBuffer to avoid making assumptions about argument order
        https://bugs.webkit.org/show_bug.cgi?id=72418

        Reviewed by Sam Weinig.
        
        A step toward reversing the argument order.

        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Walker::callReviver): Don't assume that ArgList wants to point
        at arguments in forward order. Instead, use MarkedArgumentBuffer, which
        will make the decision for us.

2011-11-15  Filip Pizlo  <fpizlo@apple.com>

        DFG should distinguish between constants in the constant pool and weak
        constants added as artifacts of code generation
        https://bugs.webkit.org/show_bug.cgi?id=72367

        Reviewed by Geoff Garen.
        
        Added the notion of a WeakJSConstant, which is like a JSConstant except that
        it can only refer to JSCell*. Currently all WeakJSConstants are also backed
        by constants in the constant pool, since weak references originated from
        machine code are not yet properly handled.
        
        Replaced CheckMethod, and MethodCheckData, with a combination of WeakJSConstant
        and CheckStructure. This results in improved CSE, leading to a 1% win on V8.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::prepareToParseBlock):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::getJSConstantPrediction):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isWeakConstant):
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::weakConstant):
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::isInt32Constant):
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::isNumberConstant):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-15  Michael Saboff  <msaboff@apple.com>

        Towards 8 bit Strings - Initial JS String Tuning
        https://bugs.webkit.org/show_bug.cgi?id=72326

        Added 8 bit optimized paths for the methods below.

        Reviewed by Geoffrey Garen.

        * runtime/JSString.h:
        (JSC::jsSubstring8):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncCharCodeAt):

2011-11-15  Gavin Barraclough  <barraclough@apple.com>

        Result of Error.prototype.toString not ES5 conformant
        https://bugs.webkit.org/show_bug.cgi?id=70889

        Reviewed by Oliver Hunt.

        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):

2011-11-15  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] Centralize hide_symbols and ensure all libs are built with symbol visibility & bsymbolic_functions

        Reviewed by Tor Arne Vestbø.

        * Target.pri: Eliminate duplicated symbol stuff that lives now in default_post.prf.

2011-11-15  Yuqiang Xian  <yuqiang.xian@intel.com>

        Remove DFGJITCompilerInlineMethods
        https://bugs.webkit.org/show_bug.cgi?id=72366

        Reviewed by Filip Pizlo.

        Those methods are actually seldom used. Modify the few such places and
        remove DFGJITCompilerInlineMethods stuffs totally.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        * dfg/DFGJITCompilerInlineMethods.h: Removed.
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentFillFPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::cachedGetMethod):

2011-11-14  Filip Pizlo  <fpizlo@apple.com>

        DFG::SpeculativeJIT and DFG::JITCodeGenerator should be combined
        https://bugs.webkit.org/show_bug.cgi?id=72348

        Reviewed by Gavin Barraclough.
        
        Moved all of JITCodeGenerator into SpeculativeJIT.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGJITCodeGenerator.cpp: Removed.
        * dfg/DFGJITCodeGenerator.h: Removed.
        * dfg/DFGJITCodeGenerator32_64.cpp: Removed.
        * dfg/DFGJITCodeGenerator64.cpp: Removed.
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::clearGenerationInfo):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::isStrictInt32):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNumeric):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotInteger):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::isKnownBoolean):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::markCellCard):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        (JSC::DFG::dataFormatString):
        (JSC::DFG::SpeculativeJIT::dump):
        (JSC::DFG::SpeculativeJIT::checkConsistency):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::GPRTemporary::adopt):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::at):
        (JSC::DFG::SpeculativeJIT::lock):
        (JSC::DFG::SpeculativeJIT::unlock):
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::reuse):
        (JSC::DFG::SpeculativeJIT::allocate):
        (JSC::DFG::SpeculativeJIT::tryAllocate):
        (JSC::DFG::SpeculativeJIT::fprAllocate):
        (JSC::DFG::SpeculativeJIT::isFilled):
        (JSC::DFG::SpeculativeJIT::isFilledDouble):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::selectScratchGPR):
        (JSC::DFG::SpeculativeJIT::silentSpillGPR):
        (JSC::DFG::SpeculativeJIT::silentSpillFPR):
        (JSC::DFG::SpeculativeJIT::silentFillGPR):
        (JSC::DFG::SpeculativeJIT::silentFillFPR):
        (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
        (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
        (JSC::DFG::SpeculativeJIT::boxDouble):
        (JSC::DFG::SpeculativeJIT::unboxDouble):
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::isConstant):
        (JSC::DFG::SpeculativeJIT::isJSConstant):
        (JSC::DFG::SpeculativeJIT::isInt32Constant):
        (JSC::DFG::SpeculativeJIT::isDoubleConstant):
        (JSC::DFG::SpeculativeJIT::isNumberConstant):
        (JSC::DFG::SpeculativeJIT::isBooleanConstant):
        (JSC::DFG::SpeculativeJIT::isFunctionConstant):
        (JSC::DFG::SpeculativeJIT::valueOfInt32Constant):
        (JSC::DFG::SpeculativeJIT::valueOfNumberConstant):
        (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstant):
        (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant):
        (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant):
        (JSC::DFG::SpeculativeJIT::isNullConstant):
        (JSC::DFG::SpeculativeJIT::identifier):
        (JSC::DFG::SpeculativeJIT::flushRegisters):
        (JSC::DFG::SpeculativeJIT::isFlushed):
        (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImmPtr):
        (JSC::DFG::SpeculativeJIT::bitOp):
        (JSC::DFG::SpeculativeJIT::shiftOp):
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::addressOfCallData):
        (JSC::DFG::SpeculativeJIT::tagOfCallData):
        (JSC::DFG::SpeculativeJIT::payloadOfCallData):
        (JSC::DFG::SpeculativeJIT::integerResult):
        (JSC::DFG::SpeculativeJIT::noResult):
        (JSC::DFG::SpeculativeJIT::cellResult):
        (JSC::DFG::SpeculativeJIT::booleanResult):
        (JSC::DFG::SpeculativeJIT::jsValueResult):
        (JSC::DFG::SpeculativeJIT::storageResult):
        (JSC::DFG::SpeculativeJIT::doubleResult):
        (JSC::DFG::SpeculativeJIT::initConstantInfo):
        (JSC::DFG::SpeculativeJIT::resetCallArguments):
        (JSC::DFG::SpeculativeJIT::addCallArgument):
        (JSC::DFG::SpeculativeJIT::setupArguments):
        (JSC::DFG::SpeculativeJIT::setupArgumentsExecState):
        (JSC::DFG::SpeculativeJIT::setupArgumentsWithExecState):
        (JSC::DFG::SpeculativeJIT::setupTwoStubArgs):
        (JSC::DFG::SpeculativeJIT::setupStubArguments):
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
        (JSC::DFG::SpeculativeJIT::setupResults):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        (JSC::DFG::SpeculativeJIT::addBranch):
        (JSC::DFG::SpeculativeJIT::linkBranches):
        (JSC::DFG::SpeculativeJIT::block):
        (JSC::DFG::SpeculativeJIT::checkConsistency):
        (JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::IntegerOperand::~IntegerOperand):
        (JSC::DFG::IntegerOperand::index):
        (JSC::DFG::IntegerOperand::format):
        (JSC::DFG::IntegerOperand::gpr):
        (JSC::DFG::IntegerOperand::use):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::DoubleOperand::~DoubleOperand):
        (JSC::DFG::DoubleOperand::index):
        (JSC::DFG::DoubleOperand::fpr):
        (JSC::DFG::DoubleOperand::use):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::JSValueOperand::~JSValueOperand):
        (JSC::DFG::JSValueOperand::index):
        (JSC::DFG::JSValueOperand::gpr):
        (JSC::DFG::JSValueOperand::jsValueRegs):
        (JSC::DFG::JSValueOperand::isDouble):
        (JSC::DFG::JSValueOperand::fill):
        (JSC::DFG::JSValueOperand::tagGPR):
        (JSC::DFG::JSValueOperand::payloadGPR):
        (JSC::DFG::JSValueOperand::fpr):
        (JSC::DFG::JSValueOperand::use):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::~StorageOperand):
        (JSC::DFG::StorageOperand::index):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        (JSC::DFG::GPRTemporary::~GPRTemporary):
        (JSC::DFG::GPRTemporary::gpr):
        (JSC::DFG::FPRTemporary::~FPRTemporary):
        (JSC::DFG::FPRTemporary::fpr):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        (JSC::DFG::GPRResult::GPRResult):
        (JSC::DFG::GPRResult2::GPRResult2):
        (JSC::DFG::FPRResult::FPRResult):
        (JSC::DFG::FPRResult::lockedResult):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeBasicArithOp):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::cachedGetMethod):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeValueToInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeBasicArithOp):
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::cachedGetMethod):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::emitCall):
        * runtime/JSFunction.h:

2011-11-14  Filip Pizlo  <fpizlo@apple.com>

        Weak reference harvesters should run to fixpoint
        https://bugs.webkit.org/show_bug.cgi?id=72346

        Reviewed by Oliver Hunt.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/ListableHandler.h:
        (JSC::ListableHandler::next):
        (JSC::ListableHandler::List::head):
        (JSC::ListableHandler::List::removeNext):
        (JSC::ListableHandler::List::removeAll):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::reset):
        (JSC::SlotVisitor::harvestWeakReferences):
        * heap/MarkStack.h:
        (JSC::MarkStack::isEmpty):

2011-11-14  Oliver Hunt  <oliver@apple.com>

        Start migrating typed array impl types to WTF
        https://bugs.webkit.org/show_bug.cgi?id=72336

        Reviewed by Geoffrey Garen.

        Add typed array impls to WTF forwarding header.

        * wtf/Forward.h:

2011-11-14  Julien Chaffraix  <jchaffraix@webkit.org>

        Add --css-grid-layout to build-webkit and the build systems
        https://bugs.webkit.org/show_bug.cgi?id=72320

        Reviewed by Ojan Vafai.

        * Configurations/FeatureDefines.xcconfig:

2011-11-14  Geoffrey Garen  <ggaren@apple.com>

        A little bit of arguments / activation cleanup
        https://bugs.webkit.org/show_bug.cgi?id=72339

        Reviewed by Gavin Barraclough.
        
        Renamed copyRegisters => tearOff to match bytecode and other terminology.
        
        Renamed setActivation => didTearOffActivation to indicate that this is a
        notification the object may choose to ignore. Moved "Should I ignore?"
        code into the arguments object to avoid duplication elsewhere.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveArguments):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Arguments.h:
        (JSC::Arguments::createAndTearOff):
        (JSC::Arguments::didTearOffActivation):
        (JSC::Arguments::finishCreationButDontTearOff):
        (JSC::Arguments::finishCreation):
        (JSC::Arguments::finishCreationAndTearOff):
        (JSC::Arguments::tearOff):

        * runtime/JSActivation.h:
        (JSC::JSActivation::tearOff): Moved Activation's code into its own header
        because that's where it belongs.

2011-11-14  Gavin Barraclough  <barraclough@apple.com>

        Should sign the jsc binary
        https://bugs.webkit.org/show_bug.cgi?id=72332

        Reviewed by David Kilzer.

        * Configurations/JSC.xcconfig:
        * entitlements.plist: Added.

2011-11-14  Filip Pizlo  <fpizlo@apple.com>

        DFG's inline references to objects should be tracked
        https://bugs.webkit.org/show_bug.cgi?id=72313

        Reviewed by Gavin Barraclough.
        
        Added a pinCell() method in the parser that currently creates a
        dummy constant in CodeBlock. Added calls to pinCell() wherever the
        DFG would inline a constant reference that the original code would
        not have referred to.
        
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getCellConstantIndex):
        (JSC::DFG::ByteCodeParser::pinCell):
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):

2011-11-14  Filip Pizlo  <fpizlo@apple.com>

        DFG put_by_id transition optimizations test the wrong structures
        https://bugs.webkit.org/show_bug.cgi?id=72324

        Reviewed by Gavin Barraclough.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::structureChainIsStillValid):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):

2011-11-14  Michael Saboff  <msaboff@apple.com>

        Further changes and cleanup to JSString.h and cpp.

        Reviewed by Darin Adler.

        * runtime/JSString.cpp:
        (JSC::JSString::resolveRope): Change PassRefPtr to RefPtr.  Eliminated exec in slow case calls.
        (JSC::JSString::resolveRopeSlowCase8): Darin and I agreed that this should have 8 in name.
        (JSC::JSString::resolveRopeSlowCase): Removed exec parameter.
        * runtime/JSString.h:

2011-11-14  Adam Barth  <abarth@webkit.org>

        DateMath.cpp should not depend on JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=71747

        Reviewed by Darin Adler.

        This patch moves the JSC-specific parts of DateMath into JSDateMath in
        JavaScriptCore.  There shouldn't be any behavior change.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/DateConstructor.cpp:
        * runtime/DateConversion.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DateInstanceCache.h:
        * runtime/DatePrototype.cpp:
        * runtime/InitializeThreading.cpp:
        * runtime/JSDateMath.cpp: Copied from Source/JavaScriptCore/wtf/DateMath.cpp.
        (JSC::timeToMS):
        (JSC::msToSeconds):
        * runtime/JSDateMath.h: Copied from Source/JavaScriptCore/wtf/DateMath.h.
        * wtf/DateMath.cpp:
        (WTF::isLeapYear):
        (WTF::msToDays):
        (WTF::msToMinutes):
        (WTF::msToHours):
        (WTF::parseDateFromNullTerminatedCharacters):
        (WTF::makeRFC2822DateString):
        * wtf/DateMath.h:

2011-11-14  Michael Saboff  <msaboff@apple.com>

        Towards 8 bit strings - Add 8 bit handling to JSString Ropes
        https://bugs.webkit.org/show_bug.cgi?id=72317

        Added bit to track that a rope is made up of all 8 bit fibers.
        Created an 8 bit path (fast and slow cases) to handle 8 bit 
        only ropes.

        Reviewed by Oliver Hunt.

        * runtime/JSString.cpp:
        (JSC::JSString::resolveRope):
        (JSC::JSString::resolveRopeSlowCase8):
        (JSC::JSString::resolveRopeSlowCase16):
        * runtime/JSString.h:
        (JSC::RopeBuilder::finishCreation):
        (JSC::RopeBuilder::is8Bit):
        (JSC::jsSubstring8):

2011-11-14  Geoffrey Garen  <ggaren@apple.com>

        A little bit of function call cleanup
        https://bugs.webkit.org/show_bug.cgi?id=72314

        Reviewed by Oliver Hunt.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall): Renamed callFrame to registerOffset
        because this value doesn't give you the offset of the callee's call frame.

        (JSC::BytecodeGenerator::emitReturn): Tightened to use equality instead
        of greater-than. Removed comment since its reasoning was wrong.
        
        (JSC::BytecodeGenerator::emitConstruct): Updated for rename mentioned above.

        (JSC::BytecodeGenerator::isArgumentNumber): Provided a more precise way
        to ask this question, giving the bytecode generator more freedom to change
        internal implementation details.
        
        * bytecompiler/BytecodeGenerator.h: Reduced default vector capacity because
        16 was overkill.
        (JSC::CallArguments::registerOffset): Updated for rename mentioned above.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::CallArguments::newArgument): Factored out argument allocation into
        a helper function, so I can change it later.

        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode): Use helper function mentioned above.

2011-11-14  Tony Chang  <tony@chromium.org>

        Remove the CSS3_FLEXBOX compile time flag and enable on all ports
        https://bugs.webkit.org/show_bug.cgi?id=72196

        Reviewed by Ojan Vafai.

        * Configurations/FeatureDefines.xcconfig:

2011-11-14  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/10424154> testRegExp should not be installed as part of JavaScriptCore

        testRegExp and testapi.js were being installed in the JavaScriptCore framework.
        As test-only tools they shouldn't be installed there by default, only when
        FORCE_TOOL_INSTALL is set to YES.

        This patch incorprorates a few related changes:
        1) Make the jsc and testRegExp targets be configured via .xcconfig files.
        2) Sets up testRegExp so that SKIP_INSTALL is YES by default, and only NO when
           FORCE_TOOL_INSTALL is YES.
        3) Switches the testapi target to using a script build phase to install testapi.js
           so that the installation will be skipped when SKIP_INSTALL is YES. I'm not sure
           why this isn't the built-in behavior when a Copy Files build phase has "Copy only
           when installing" checked, but it doesn't seem to be.
        4) Other random cleanup such as removing a bogus group that refers to files that do
           not exist, moving testRegExp.cpp in to the tests group, etc.

        Reviewed by Geoff Garen.

        * Configurations/JSC.xcconfig: Added.
        * Configurations/TestRegExp.xcconfig: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-11-14  Michael Saboff  <msaboff@apple.com>

        Towards 8 bit strings - Add 8 bit paths to StringImpl methods
        https://bugs.webkit.org/show_bug.cgi?id=72290

        Added 8 bit patchs to StringImpl to number and find methods.

        Reviewed by Oliver Hunt.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::toIntStrict):
        (WTF::StringImpl::toUIntStrict):
        (WTF::StringImpl::toInt64Strict):
        (WTF::StringImpl::toUInt64Strict):
        (WTF::StringImpl::toIntPtrStrict):
        (WTF::StringImpl::toInt):
        (WTF::StringImpl::toUInt):
        (WTF::StringImpl::toInt64):
        (WTF::StringImpl::toUInt64):
        (WTF::StringImpl::toIntPtr):
        (WTF::StringImpl::toDouble):
        (WTF::StringImpl::toFloat):
        (WTF::StringImpl::find):
        (WTF::StringImpl::reverseFind):
        * wtf/text/WTFString.cpp:
        (WTF::toIntegralType):
        (WTF::lengthOfCharactersAsInteger):
        (WTF::charactersToIntStrict):
        (WTF::charactersToUIntStrict):
        (WTF::charactersToInt64Strict):
        (WTF::charactersToUInt64Strict):
        (WTF::charactersToIntPtrStrict):
        (WTF::charactersToInt):
        (WTF::charactersToUInt):
        (WTF::charactersToInt64):
        (WTF::charactersToUInt64):
        (WTF::charactersToIntPtr):
        (WTF::toDoubleType):
        (WTF::charactersToDouble):
        (WTF::charactersToFloat):
        * wtf/text/WTFString.h:
        (WTF::find):
        (WTF::reverseFind):

2011-11-14  Vincent Scheib  <scheib@chromium.org>

        Mouse Lock: Renaming to 'Pointer Lock': ENABLE Flags
        https://bugs.webkit.org/show_bug.cgi?id=72286

        Reviewed by Adam Barth.

        * wtf/Platform.h:

2011-11-14  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=72280

        Rubber stamped by Geoff Garen.

        Fix 32-bit Lion.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2011-11-14  Geoffrey Garen  <ggaren@apple.com>

        32-bit Build fix: declare virtual register indices to be int rather than
        unsigned, since they can be positive or negative.
        
        For better clarity, explicitly use ReturnPC instead of -1 as the "invalid"
        state, since we'll never load and operate on the ReturnPC as a JS value.

        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitLoadTag):
        (JSC::JIT::emitLoadPayload):
        (JSC::JIT::emitLoad):
        (JSC::JIT::emitLoad2):
        (JSC::JIT::emitLoadDouble):
        (JSC::JIT::emitLoadInt32ToDouble):
        (JSC::JIT::emitStore):
        (JSC::JIT::emitStoreInt32):
        (JSC::JIT::emitStoreAndMapInt32):
        (JSC::JIT::emitStoreCell):
        (JSC::JIT::emitStoreBool):
        (JSC::JIT::emitStoreDouble):
        (JSC::JIT::map):
        (JSC::JIT::unmap):
        (JSC::JIT::isMapped):
        (JSC::JIT::getMappedPayload):
        (JSC::JIT::getMappedTag):
        (JSC::JIT::emitJumpSlowCaseIfNotJSCell):

2011-11-14  Michael Saboff  <msaboff@apple.com>

        Remove unused m_data member from UStringSourceProvider
        https://bugs.webkit.org/show_bug.cgi?id=72289

        Removed unused m_data member from UStringSourceProvider.

        Reviewed by Oliver Hunt.

        * parser/SourceProvider.h:
        (JSC::UStringSourceProvider::UStringSourceProvider):

2011-11-14  Michael Saboff  <msaboff@apple.com>

        Towards 8 Bit Strings: Templatize YARR Parser
        https://bugs.webkit.org/show_bug.cgi?id=72288

        Changed Yarr::Parser to be a template based on character type.

        Reviewed by Oliver Hunt.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):
        (JSC::Yarr::parse):

2011-11-14  Geoffrey Garen  <ggaren@apple.com>

        32-bit build fix: Removed unused declaration.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-11-12  Geoffrey Garen  <ggaren@apple.com>

        Standardized the JS calling convention
        https://bugs.webkit.org/show_bug.cgi?id=72221
        
        Reviewed by Oliver Hunt.

        This patch standardizes the calling convention so that the caller always
        sets up the callee's CallFrame. Adjustments for call type, callee type,
        argument count, etc. now always take place after that initial setup.
        
        This is a step toward reversing the argument order, but also has these
        immediate benefits (measured on x64):
        
        (1) 1% benchmark speedup across the board.
        
        (2) 50% code size reduction in baseline JIT function calls.
        
        (3) 1.5x speedup for single-dispatch .apply forwarding.
        
        (4) 1.1x speedup for multi-dispatch .apply forwarding.

        This change affected the baseline JIT most, since the baseline JIT had
        lots of ad hoc calling conventions for different caller / callee types.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branchPtr):
        (JSC::MacroAssemblerX86_64::branchAddPtr): Optimize compare to 0 into
        a test, like other assemblers do. (I added some compares to 0, and didn't
        want them to be slow.)

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump): Merged op_load_varargs into op_call_varargs so
        op_call_varargs could share code generation with other forms of op_call.
        This is also a small optimization, since op_*varargs no longer have to
        pass arguments to each other through the register file.

        (JSC::CallLinkInfo::unlink):
        * bytecode/CodeBlock.h: Added a new call type: CallVarargs. This allows
        us to link functions called through .apply syntax. We need to distinguish
        CallVarargs from Call because CallVarargs changes its argument count
        on each inovcation, so we must always link to the argument count checking
        version of the callee.

        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):
        * bytecompiler/BytecodeGenerator.h: Merged op_load_varargs into op_call_varargs.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ApplyFunctionCallDotNode::emitBytecode): Ditto. Also, simplified
        some of this bytecode generation to remove redundant copies.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall): Added a new call type: CallVarargs.
        DFG doesn't support this type, but its code needs to change slightly
        to accomodate a 3-state variable.

        Stopped passing the argument count in regT1 because this is non-standard.
        (The argument count goes in the CallFrame. This trades speed on the slow
        path for speed and code size on the fast path, and simplicity on all paths.
        A good trade, in my opinion.)

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction): Tweaked code to make CallFrame
        setup more obvious when single-stepping. Also, updated for argument count
        not being in regT1.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord): Added a new call
        type: CallVarargs.

        * dfg/DFGOperations.cpp: Do finish CallFrame setup in one place before
        doing anything else. Don't check for stack overflow because we have no callee
        registers, and our caller has already checked for its own registers.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor): We can link to our callee even if our argument
        count doesn't match -- we just need to link to the argument count checking
        version.

        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::setArgument): BUG FIX: When supplying too many
        arguments from C++, we need to supply a full copy of the arguments prior
        to the subset copy that matches our callee's argument count. (That is what
        the standard calling convention would have produced in JS.) I would have
        split this into its own patch, but I couldn't find a way to get the JIT
        to fail a regression test in this area without my patch applied.

        * interpreter/Interpreter.cpp: Let the true code bomb begin!

        (JSC::eval): Fixed up this helper function to operate on eval()'s CallFrame,
        and not eval()'s caller frame. We no longer leave the CallFrame pointing
        to eval()'s caller during a call to eval(), since that is not standard.

        (JSC::loadVarargs): Factored out a shared helper function for use by JIT
        and interpreter because half the code means one quarter the bugs -- in my
        programming, at least.

        (JSC::Interpreter::execute): Removed a now-unused way to invoke eval.
        
        (JSC::Interpreter::privateExecute): Removed an invalid ASSERT following
        putDirect, because it got in the way of my testing. (When putting a
        function, the cached base of a PutPropertySlot can be 0 to signify "do
        not optimize".)
        
        op_call_eval: Updated for new, standard eval calling convention.
        
        op_load_varargs: Merged op_load_varargs into op_call_varargs.

        op_call_varags: Updated for new, standard eval calling convention. Don't
        check for stack overflow because the loadVarargs helper function already
        checked.

        * interpreter/Interpreter.h:
        (JSC::Interpreter::execute): Headers are fun and educational!

        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::growSlowCase):
        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::grow): Factored out the slow case into a slow
        case because it was cramping the style of my fast case.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile): Moved initialization of
        RegisterFile::CodeBlock to make it more obvious when debugging. Removed
        assumption that argument count is in regT1, as above. Removed call to
        restoreArgumentReference() because the JITStubCall abstraction does this for us.

        (JSC::JIT::linkFor): Link even if we miss on argument count, as above.

        * jit/JIT.h:
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_construct):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs): Share all function call code generation.
        Don't count call_eval when accounting for linkable function calls because
        eval doesn't link. (Its fast path is to perform the eval.)

        (JSC::JIT::compileLoadVarargs): Ported this inline copying optimization
        to our new calling convention. The key to this optimization is the
        observation that, in a function that declares no arguments, if any
        arguments are passed, they all end up right behind 'this'.

        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase): Factored out eval for a little clarity.

        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase): If you are still with me, dear reader,
        this is the whole point of my patch. The caller now unconditionally moves
        the CallFrame forward and fills in the data it knows before taking any
        branches to deal with weird caller/callee pairs.
        
        This also means that there is almost no slow path for calls -- it all
        gets folded into the shared virtual call stub. The only things remaining
        in the slow path are the rare case counter and a call to the stub.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall): Updated for values being in
        different registers or in memory, based on our new standard calling
        convention.
        
        Added a shared path for calling out to CTI helper functions for non-JS
        calls.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check): method_check emits its own code and
        the following get_by_id's code, so it needs to add both when informing
        result chaining of its result. This is important because the standard
        calling convention can now take advantage of this chaining.

        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_construct): Observe, as I write all of my code a
        second time, now with 64 bits.

        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        (JSC::jitCompileFor):
        (JSC::arityCheckFor):
        (JSC::lazyLinkFor): A lot of mechanical changes here for one purpose:
        Exceptions thrown in the middle of a function call now use a shared helper
        function (throwExceptionFromOpCall). This function understands that the
        CallFrame currently points to the callEE, and the exception must be
        thrown by the callER. (The old calling convention would often still have
        the CallFrame pointing at the callER at the point of an exception. That
        is not the way of our new, standard calling convention.)

        (JSC::op_call_eval): Finish standard CallFrame setup before calling 
        our eval helper function, which now depends on that setup.

        * runtime/Arguments.h:
        (JSC::Arguments::length): Renamed numProvidedArguments() to length()
        because that's what other objects call it, and the difference made our
        new loadVarargs helper function hard to read.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal): Interpreter build
        fixes.

        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncApply): Honor Arguments::MaxArguments even when
        the .apply call_varargs optimization fails. (This bug appears on layout
        tests when you disable the optimization.)

2011-11-11  Jer Noble  <jer.noble@apple.com>

        Implement MediaController.
        https://bugs.webkit.org/show_bug.cgi?id=71408

        Reviewed by Eric Carlson.

        Change the definition of WTF_USE_COREAUDIO to exclude Windows completely, as 
        CoreAudioClock.h is not available there.

        * wtf/Platform.h:

2011-11-14  Patrick Gansterer  <paroga@webkit.org>

        [WIN] Remove dependency on pthread from FastMalloc
        https://bugs.webkit.org/show_bug.cgi?id=72098

        Reviewed by Adam Roben.

        All pthread calls are already ported to native Windows calls.
        Use the native version for all OS(WINDOWS) to remove the
        runtime dependency on the pthread dll.

        * wtf/FastMalloc.cpp:

2011-11-14  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] Replace use of QApplication with QGuiApplication.

        Reviewed by Tor Arne Vestbø.

        * wtf/qt/compat/qguiapplication.h:
        (QGuiApplication::styleHints): Introduce styleHints wrapper hack.

2011-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck build.

        * GNUmakefile.list.am: Add missing files.

2011-11-11  Yury Semikhatsky  <yurys@chromium.org>

        Web Inspector: function remote objetct should provide access to function position in the script
        https://bugs.webkit.org/show_bug.cgi?id=71808

        Exposed accessor for function source code.

        Reviewed by Pavel Feldman.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::sourceCode):
        * runtime/JSFunction.h:

2011-11-13  Yuqiang Xian  <yuqiang.xian@intel.com>

        Fix silent spilling/filling GPRs in DFG 32_64
        https://bugs.webkit.org/show_bug.cgi?id=72201

        Reviewed by Gavin Barraclough.

        Current silentSpillGPR/silentFillGPR may not work as expected for some
        cases in 32_64. If there's a JSValue which was retained by two GPRs,
        we may end up failing to spill/fill some GPRs or redundantly
        spilling/filling some GPRs. For example, if we tend to exclude "eax"
        from spilling while a JSValue is retained by both "eax" and "edx",
        then "edx" won't be spilled as well (wrong). And if another JSValue is
        retained by "ecx" and "ebx", both "ecx" and "ebx" will be spilled
        twice. The similar problem applies to silentFillGPR.
        The fix is to make silentSpillGPR/silentFillGPR more straightforward,
        i.e., spilling/filling based on the GPR instead of the virtual
        register. FPR spilling/filling is also modified accordingly to make it
        consistent with GPR spilling/filling.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillFPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        (JSC::DFG::JITCodeGenerator::silentFillAllRegisters):

2011-11-12  Laszlo Gombos  <laszlo.1.gombos@nokia.com>

        [Qt][Symbian] Remove support for WINSCW compiler
        https://bugs.webkit.org/show_bug.cgi?id=70178

        Reviewed by Chang Shu.

        * API/JSStringRef.h:
        * create_hash_table: Revert r45553.
        * runtime/JSGlobalData.cpp: Revert r45553.
        * runtime/LiteralParser.cpp: Remove WINSCW comment.
        (JSC::LiteralParser::Lexer::lexString):
        * runtime/Lookup.h: Revert r45553.
        * runtime/Structure.h: Revert r48461.
        * wtf/Alignment.h:
        * wtf/Assertions.h: Revert r52337.
        * wtf/Compiler.h:
        * wtf/ListRefPtr.h: Revert r48988.
        (WTF::ListRefPtr::~ListRefPtr):
        * wtf/OwnArrayPtr.h: Revert r45911.
        (WTF::OwnArrayPtr::operator UnspecifiedBoolType):
        * wtf/PassOwnArrayPtr.h:
        (WTF::PassOwnArrayPtr::operator UnspecifiedBoolType):
        * wtf/PassRefPtr.h:
        * wtf/StaticConstructors.h:
        * wtf/unicode/qt4/UnicodeQt4.h:

2011-11-12  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Add ENABLE(DFG_JIT) around DFGCorrectableJumpPoint code.

        * dfg/DFGCorrectableJumpPoint.cpp:
        * dfg/DFGCorrectableJumpPoint.h:

2011-11-12  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Move list of DFG source files into correct file
        https://bugs.webkit.org/show_bug.cgi?id=72212

        Reviewed by Daniel Bates.

        The DFG files are platform independent. So move them from
        the EFL specific file into the general CMakeLists.txt.

        * CMakeLists.txt:
        * PlatformEfl.cmake:

2011-11-12  Patrick Gansterer  <paroga@webkit.org>

        Fix "unused variable" warning in JSLock
        https://bugs.webkit.org/show_bug.cgi?id=72213

        Reviewed by Anders Carlsson.

        Use ASSERT_UNUSED() instead of ASSERT() to make sure
        that the variable is also used in the release build.

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):

2011-11-11  Gavin Barraclough  <barraclough@apple.com>

        Update iOS compiler version.

        Reviewed by David Kilzer.

        * Configurations/CompilerVersion.xcconfig:
            - Update compiler version.

2011-11-11  Gavin Barraclough  <barraclough@apple.com>

        Update iOS port's configuration setting, particularly in Platform.h
        https://bugs.webkit.org/show_bug.cgi?id=72187
        
        Reviewed by David Kilzer.

        * interpreter/Interpreter.h:
            - Lower the reentry depth.
        * runtime/DatePrototype.cpp:
            - iOS also uses CF.
        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::IncrementalScavenge):
            - Update fastmalloc configuration for iOS.
        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):
            - Added flag.
        * wtf/Platform.h:
            - Update platform configuration for iOS.

2011-11-11  David Kilzer  <ddkilzer@apple.com>

        Only define BUILDING_ON_* and TARGETING_* macros when building for Mac OS X
        <http://webkit.org/b/72175>

        Reviewed by Joseph Pecoraro.

        * wtf/Platform.h: Move the definition of the BUILDING_ON_* and
        TARGETING_* macros to where the WTF_OS_MAC_OS_X macro is defined
        so that they're only defined on Mac OS X builds.  Also include
        Availability.h, which is needed on iOS builds.

2011-11-11  Darin Adler  <darin@apple.com>

        Remove all releaseRef implementations except for RetainPtr
        https://bugs.webkit.org/show_bug.cgi?id=71423

        Reviewed by Julien Chaffraix.

        * API/JSRetainPtr.h: Removed releaseRef.
        * wtf/PassRefPtr.h: Removed releaseRef.

2011-11-11  Darin Adler  <darin@apple.com>

        * JavaScriptCore.xcodeproj/project.pbxproj: Let a newer Xcode update this file.
        If an older Xcode downgrades this file and we have a risk of some kind of
        oscillating commit situation, please contact me so I know not to do this again.

2011-11-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add jsCast to replace static_cast
        https://bugs.webkit.org/show_bug.cgi?id=72071

        Reviewed by Geoffrey Garen.

        Added new jsCast and changed all of the static_cast sites in functions that 
        are in the MethodTable to use jsCast instead.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::toStringCallback):
        (JSC::JSCallbackFunction::valueOfCallback):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::className):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::deleteProperty):
        (JSC::::deletePropertyByIndex):
        (JSC::::getConstructData):
        (JSC::::hasInstance):
        (JSC::::getCallData):
        (JSC::::getOwnPropertyNames):
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        (JSC::DebuggerActivation::className):
        (JSC::DebuggerActivation::getOwnPropertySlot):
        (JSC::DebuggerActivation::put):
        (JSC::DebuggerActivation::putWithAttributes):
        (JSC::DebuggerActivation::deleteProperty):
        (JSC::DebuggerActivation::getOwnPropertyNames):
        (JSC::DebuggerActivation::getOwnPropertyDescriptor):
        (JSC::DebuggerActivation::defineGetter):
        (JSC::DebuggerActivation::defineSetter):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::getOwnPropertyDescriptor):
        (JSC::Arguments::getOwnPropertyNames):
        (JSC::Arguments::putByIndex):
        (JSC::Arguments::put):
        (JSC::Arguments::deletePropertyByIndex):
        (JSC::Arguments::deleteProperty):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        (JSC::ArrayConstructor::getOwnPropertyDescriptor):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        (JSC::ArrayPrototype::getOwnPropertyDescriptor):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        (JSC::BooleanPrototype::getOwnPropertyDescriptor):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        (JSC::DateConstructor::getOwnPropertyDescriptor):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        (JSC::DatePrototype::getOwnPropertyDescriptor):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        (JSC::ErrorPrototype::getOwnPropertyDescriptor):
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        (JSC::JSActivation::getOwnPropertyNames):
        (JSC::JSActivation::getOwnPropertySlot):
        (JSC::JSActivation::put):
        (JSC::JSActivation::putWithAttributes):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlotByIndex):
        (JSC::JSArray::getOwnPropertySlot):
        (JSC::JSArray::getOwnPropertyDescriptor):
        (JSC::JSArray::put):
        (JSC::JSArray::putByIndex):
        (JSC::JSArray::deleteProperty):
        (JSC::JSArray::deletePropertyByIndex):
        (JSC::JSArray::getOwnPropertyNames):
        (JSC::JSArray::visitChildren):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::hasInstance):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::getOwnPropertySlot):
        (JSC::JSByteArray::getOwnPropertyDescriptor):
        (JSC::JSByteArray::getOwnPropertySlotByIndex):
        (JSC::JSByteArray::put):
        (JSC::JSByteArray::putByIndex):
        (JSC::JSByteArray::getOwnPropertyNames):
        * runtime/JSCell.h:
        (JSC::JSCell::visitChildren):
        (JSC::jsCast):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        (JSC::JSFunction::getCallData):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::getOwnPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::getConstructData):
        * runtime/JSGlobalData.cpp:
        (JSC::StackPreservingRecompiler::operator()):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        (JSC::JSGlobalObject::putWithAttributes):
        (JSC::JSGlobalObject::defineGetter):
        (JSC::JSGlobalObject::defineSetter):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::getOwnPropertyDescriptor):
        (JSC::JSGlobalObject::clearRareData):
        * runtime/JSGlobalThis.cpp:
        (JSC::JSGlobalThis::visitChildren):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        (JSC::JSONObject::getOwnPropertyDescriptor):
        * runtime/JSObject.cpp:
        (JSC::JSObject::finalize):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::put):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::deletePropertyByIndex):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildren):
        (JSC::JSStaticScopeObject::put):
        (JSC::JSStaticScopeObject::putWithAttributes):
        (JSC::JSStaticScopeObject::getOwnPropertySlot):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):
        (JSC::JSString::toThisObject):
        (JSC::JSString::getOwnPropertySlot):
        (JSC::JSString::getOwnPropertySlotByIndex):
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::deleteProperty):
        (JSC::JSVariableObject::getOwnPropertyNames):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/MathObject.cpp:
        (JSC::MathObject::getOwnPropertySlot):
        (JSC::MathObject::getOwnPropertyDescriptor):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        (JSC::NumberPrototype::getOwnPropertyDescriptor):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        (JSC::ObjectConstructor::getOwnPropertyDescriptor):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::put):
        (JSC::ObjectPrototype::getOwnPropertySlotByIndex):
        (JSC::ObjectPrototype::getOwnPropertySlot):
        (JSC::ObjectPrototype::getOwnPropertyDescriptor):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        (JSC::RegExpConstructor::getOwnPropertyDescriptor):
        (JSC::RegExpConstructor::put):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
        (JSC::RegExpMatchesArray::put):
        (JSC::RegExpMatchesArray::putByIndex):
        (JSC::RegExpMatchesArray::deleteProperty):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyNames):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::getOwnPropertyDescriptor):
        (JSC::RegExpObject::put):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        (JSC::RegExpPrototype::getOwnPropertyDescriptor):
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildren):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        (JSC::StringConstructor::getOwnPropertyDescriptor):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertySlot):
        (JSC::StringObject::getOwnPropertySlotByIndex):
        (JSC::StringObject::getOwnPropertyDescriptor):
        (JSC::StringObject::deleteProperty):
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::getOwnPropertySlot):
        (JSC::StringPrototype::getOwnPropertyDescriptor):
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):

2011-11-11  Gavin Barraclough  <barraclough@apple.com>

        Enable DFG JIT for ARMv7/iOS.

        Rubber stamped by Oliver Hunt.

        * wtf/Platform.h:
            - enable DFG JIT for ARMv7/iOS.

2011-11-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize supportsProfiling, supportsRichSourceInfo, shouldInterruptScript in JSGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=72035

        Reviewed by Geoffrey Garen.

        De-virtualized the methods through the use of a new method table just for JSGlobalObject and subclasses.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecompiler/BytecodeGenerator.cpp: Changed call sites to use the new GlobalObjectMethodTable.
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * interpreter/Interpreter.cpp: Ditto.
        (JSC::Interpreter::execute):
        * runtime/JSGlobalObject.cpp: Added a static const GlobalObjectMethodTable with the correct function pointers.
        * runtime/JSGlobalObject.h: Added a field in JSGlobalObject to keep track of the current method table.
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::globalObjectMethodTable): The new struct to contain the function pointers.
        (JSC::JSGlobalObject::supportsProfiling): Made static to put in the method table.
        (JSC::JSGlobalObject::supportsRichSourceInfo): Ditto.
        (JSC::JSGlobalObject::shouldInterruptScript): Ditto.
        * runtime/TimeoutChecker.cpp: Changed call sites to use the new GlobalObjectMethodTable for lookup.
        (JSC::TimeoutChecker::didTimeOut):

2011-11-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSGlobalObject::allowsAccessFrom
        https://bugs.webkit.org/show_bug.cgi?id=71969

        Reviewed by Darin Adler.

        * runtime/JSGlobalObject.h: Removed allowsAccessFrom from JSGlobalObject since it is exclusive to 
        JSDOMWindowBase and WebScriptObject.

2011-11-11  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r99950.
        http://trac.webkit.org/changeset/99950
        https://bugs.webkit.org/show_bug.cgi?id=72117

        "Landed wrong patch by mistake" (Requested by yurys on
        #webkit).

        * JavaScriptCore.exp:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:

2011-11-11  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r99898.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2011-11-10  Dan Bernstein  <mitz@apple.com>

        Disabling assertions breaks the debug build
        https://bugs.webkit.org/show_bug.cgi?id=72091

        Reviewed by Geoff Garen.

        * dfg/DFGNode.h: Made hasIdentifier() available when assertions are
        disabled. It is used in Graph::dump().
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren): Update m_isCheckingForDefaultMarkViolation
        only if assertions are enabled.
        * wtf/Deque.h:
        (WTF::::checkIndexValidity): Changed ASSERT to ASSERT_UNUSED.
        * wtf/ThreadRestrictionVerifier.h:
        (WTF::ThreadRestrictionVerifier::setShared): Guarded the definition of
        a local variable that is only used in an assertion.

2011-11-10  Filip Pizlo  <fpizlo@apple.com>

        JSString forgets to clear m_fibers when resolving ropes
        https://bugs.webkit.org/show_bug.cgi?id=72089

        Reviewed by Geoff Garen.

        * runtime/JSString.cpp:
        (JSC::JSString::resolveRopeSlowCase):

2011-11-09  Filip Pizlo  <fpizlo@apple.com>

        DFG byte array support sometimes clamps values incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=71975

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):

2011-11-10  Filip Pizlo  <fpizlo@apple.com>

        ValueProfile/PredictedType contains dead code, and doesn't recognize functions
        https://bugs.webkit.org/show_bug.cgi?id=72065

        Reviewed by Gavin Barraclough and Geoff Garen.
        
        Added PredictFunction support, and did some cleaning up along the way.
        ValueProfile no longer has statistics machinery, because we never used
        it. Rearranged some bits in PredictedType to more easily make room for
        one more object type. Changed some debug code to use more consistent
        conventions (ByteArray becomes Bytearray so that if we ever have a
        "Byte" prediction we don't get confused between a prediction that is
        the union of Byte and Array and a prediction that indicates precisely
        a ByteArray).

        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC::isFunctionPrediction):
        * bytecode/ValueProfile.cpp:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-11-10  David Kilzer  <ddkilzer@apple.com>

        <http://webkit.org/b/72049> Specify testapi.js install path using JAVASCRIPTCORE_FRAMEWORKS_DIR

        Reviewed by Joseph Pecoraro.

        * JavaScriptCore.xcodeproj/project.pbxproj: The testapi.js
        script should use JAVASCRIPTCORE_FRAMEWORKS_DIR in its dstPath
        for installation.  Also removed "Versions/A/" from the path
        since this is unneeded due the default symlinks present in the
        framework.

2011-11-10  Gavin Barraclough  <barraclough@apple.com>

        Add ARMv7 support to the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=72061

        Reviewed by Geoff Garen.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::DFG::AssemblyHelpers::emitPutImmediateToCallFrameHeader):
        (JSC::DFG::AssemblyHelpers::boxDouble):
        (JSC::DFG::AssemblyHelpers::unboxDouble):
            - Add CPU(ARM) copies of these functions.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::spill):
            - Fix matching of '}' re #if blocks, makes some tools happy.
        (JSC::DFG::JITCodeGenerator::setupArguments):
        (JSC::DFG::JITCodeGenerator::setupArgumentsWithExecState):
        (JSC::DFG::JITCodeGenerator::appendCallWithExceptionCheckSetResult):
        (JSC::DFG::JITCodeGenerator::appendCallSetResult):
            - Add CPU(ARM) / 4 argument register copies of these functions.
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
            - Should use callOperation to plant a call to a DFG_OPERATION.
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
            - These methods need to plant a relinkable jump; we currently do so
              using beginUninterruptedSequence() / endUninterruptedSequence().
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
            - Should use callOperation to plant a call to a DFG_OPERATION.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
            - This method needs to plant a relinkable jump; we currently do so
              using beginUninterruptedSequence() / endUninterruptedSequence().
        (JSC::DFG::JITCompiler::compileBody):
            - Add abstraction to retrieve the pc after a call.
        * dfg/DFGOSRExitCompiler.cpp:
            - Fix a bug - CodeLocationLabel needs a data address rather than an
              executable one, but can just take a MacroAssemblerCodePtr instead!
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::compileClampDoubleToByte):
            - Add FIXME comment to come back to! - bug#72054.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
            - Add missing method (ooops, required by bug#72047)
        * dfg/DFGSpeculativeJIT32_64.cpp:
            - Need to wrap fmod on ARMv7.


2011-11-10  Filip Pizlo  <fpizlo@apple.com>

        DFG should not reparse code that was just parsed
        https://bugs.webkit.org/show_bug.cgi?id=71977

        Reviewed by Geoff Garen.
        
        The instruction stream of a code block is now kept around until
        the next GC. When doing either an optimizing compilation of an
        executable, or inlining of an executable, we now try to find the
        already preexisting bytecode. If we find it, we don't have to parse.
        If we don't find it, we parse as before. Inlining takes the extra
        step of caching code blocks, so if the same executable gets inlined
        multiple times into the same caller, then we parse it at most once
        even if prior to inlining that executable did not have any code
        blocks with an instruction stream.
        
        Also fixed a silly bug where the strict mode for various operations
        was being determined by looking at the machine code block rather
        than the inlinee.

        To enable the delete-on-next-GC policy, I introduced the notion
        of an ultra weak finalizer, which anyone can register during
        tracing. This is thread-safe (for parallel GC) and
        stop-the-world-safe (so calls to free() are postponed until the
        world is resumed). This required reusing some facilities previously
        created for WeakReferenceHarvester, so I created a common utility
        class. I also retweaked the handling of WeakReferenceHarvesters,
        since they should be executed during stop-the-world since in the
        future we may want to allow them to call drain().
        
        2% win on SunSpider. 2% win on V8, when run in my harness. Neutral
        elsewhere.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::copyPostParseDataFrom):
        (JSC::CodeBlock::copyPostParseDataFromAlternative):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::canProduceCopyWithBytecode):
        (JSC::CodeBlock::discardBytecodeLater):
        (JSC::CodeBlock::handleBytecodeDiscardingOpportunity):
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        (JSC::ProgramCodeBlock::ProgramCodeBlock):
        (JSC::EvalCodeBlock::EvalCodeBlock):
        (JSC::FunctionCodeBlock::FunctionCodeBlock):
        (JSC::BytecodeDestructionBlocker::BytecodeDestructionBlocker):
        (JSC::BytecodeDestructionBlocker::~BytecodeDestructionBlocker):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::strictModeFor):
        * dfg/DFGByteCodeCache.h: Added.
        (JSC::DFG::CodeBlockKey::CodeBlockKey):
        (JSC::DFG::CodeBlockKey::operator==):
        (JSC::DFG::CodeBlockKey::hash):
        (JSC::DFG::CodeBlockKey::executable):
        (JSC::DFG::CodeBlockKey::kind):
        (JSC::DFG::CodeBlockKey::isHashTableDeletedValue):
        (JSC::DFG::CodeBlockKeyHash::hash):
        (JSC::DFG::CodeBlockKeyHash::equal):
        (JSC::DFG::ByteCodeCache::ByteCodeCache):
        (JSC::DFG::ByteCodeCache::~ByteCodeCache):
        (JSC::DFG::ByteCodeCache::get):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionally):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/ListableHandler.h: Added.
        (JSC::ListableHandler::ListableHandler):
        (JSC::ListableHandler::~ListableHandler):
        (JSC::ListableHandler::List::List):
        (JSC::ListableHandler::List::addNotThreadSafe):
        (JSC::ListableHandler::List::addThreadSafe):
        (JSC::ListableHandler::List::hasNext):
        (JSC::ListableHandler::List::removeNext):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::harvestWeakReferences):
        (JSC::SlotVisitor::finalizeUnconditionally):
        * heap/MarkStack.h:
        (JSC::MarkStack::addWeakReferenceHarvester):
        (JSC::MarkStack::addUnconditionalFinalizer):
        * heap/SlotVisitor.h:
        * heap/UnconditionalFinalizer.h: Added.
        (JSC::UnconditionalFinalizer::~UnconditionalFinalizer):
        * heap/WeakReferenceHarvester.h:
        (JSC::WeakReferenceHarvester::WeakReferenceHarvester):
        (JSC::WeakReferenceHarvester::~WeakReferenceHarvester):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::codeBlockWithBytecodeFor):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::profiledCodeBlockFor):

2011-11-10  Gavin Barraclough  <barraclough@apple.com>

        Add ARMv7 register info for the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=72050

        Reviewed by Geoff Garen.

        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):

2011-11-10  Gavin Barraclough  <barraclough@apple.com>

        #ifdef CPU(X86) specific div/mod code in DFGSpeculativeJIT32_64
        https://bugs.webkit.org/show_bug.cgi?id=72047

        Reviewed by Geoff Garen.

        We currently don't attempt to abstract divide through the macro assembler,
        due to these instructions commonly having specific requirements. This means
        there is architecture specific code in the JIT - #ifdef it, and provide a
        common implementation.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::fmodAsDFGOperation):
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-10  Gavin Barraclough  <barraclough@apple.com>

        Add ENABLE_VALUE_PROFILER support for ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=72043

        Reviewed by Geoff Garen.

        This requires us to make a bucketCounterRegister available; to do so we'll need to spill more registers on entry to JIT code.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_mod):
            - cleanup location of UNUSED_PARAM
        * jit/JITStubs.cpp:
        (JSC::ctiTrampoline):
        (JSC::ctiVMThrowTrampoline):
        (JSC::ctiOpThrowNotCaught):
        (JSC::JITThunks::JITThunks):
        * jit/JITStubs.h:
            - Update JITStackFrame structure & asm code to spill more registers.
        * jit/JSInterfaceJIT.h:
            - Assign a bucketCounterRegister.

2011-11-10  Gavin Barraclough  <barraclough@apple.com>

        Fix sampling counters on ARMv7, move add64 functionality to macro assembler
        https://bugs.webkit.org/show_bug.cgi?id=72040

        Reviewed by Geoff Garen.

        The ability to add an integer to a uint64_t in memory is poorly copied in
        multiple places & ifdef'ed on architecture, addWithCarry32 is also a badly
        designed interface since add32 is not required to set flags (we have no
        concept of flags in the macro assembler interface).

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add64):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::add64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        * dfg/DFGAssemblyHelpers.cpp:
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::emitCount):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitCount):

011-11-10  Ryuan Choi  <ryuan.choi@samsung.com>

        [CMAKE] Refactoring CMakeLists${PORT}.txt to Platform${PORT}.cmake
        https://bugs.webkit.org/show_bug.cgi?id=56705

        Reviewed by Adam Roben.

        * CMakeLists.txt:
        * PlatformEfl.cmake: Renamed from Source/JavaScriptCore/CMakeListsEfl.txt.
        * PlatformWinCE.cmake: Renamed from Source/JavaScriptCore/CMakeListsWinCE.txt.
        * shell/CMakeLists.txt:
        * shell/PlatformEfl.cmake: Renamed from Source/JavaScriptCore/shell/CMakeListsEfl.txt.
        * shell/PlatformWinCE.cmake: Renamed from Source/JavaScriptCore/shell/CMakeListsWinCE.txt.
        * wtf/CMakeLists.txt:
        * wtf/PlatformEfl.cmake: Renamed from Source/JavaScriptCore/wtf/CMakeListsEfl.txt.
        * wtf/PlatformWinCE.cmake: Renamed from Source/JavaScriptCore/wtf/CMakeListsWinCE.txt.

2011-11-10  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck build.

        * GNUmakefile.list.am: Add missing files.

2011-11-09  Michael Saboff  <msaboff@apple.com>

        Towards 8 Bit Strings: Templatize JSC::LiteralParser class by character type
        https://bugs.webkit.org/show_bug.cgi?id=71862

        Changed LiteralParser to be templatized of character type.

        Moved five enums out of class definition to work around a clang compiler defect.

        Added lexIdentifier templated method to break out character specific versions.
        Added static setParserTokenString templated method to handle setting approriately
        sized string pointer.

        To keep code in LiteralParser.cpp and keep LiteralParser.h small, the two
        flavors of LiteralParser are explicitly instantiated at the end of
        LiteralParser.cpp.

        Reviewed by Oliver Hunt.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::isJSONWhiteSpace):
        (JSC::::tryJSONPParse):
        (JSC::::makeIdentifier):
        (JSC::::Lexer::lex):
        (JSC::::Lexer::lexIdentifier):
        (JSC::::Lexer::next):
        (JSC::LChar):
        (JSC::UChar):
        (JSC::isSafeStringCharacter):
        (JSC::::Lexer::lexString):
        (JSC::::Lexer::lexNumber):
        (JSC::::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::getErrorMessage):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):
        (JSC::LiteralParser::Lexer::currentToken):
        (JSC::LiteralParser::Lexer::getErrorMessage):
        * runtime/UString.h:
        (JSC::LChar):
        (JSC::UChar):
        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::append):
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::append):

2011-11-09  Filip Pizlo  <fpizlo@apple.com>

        Multiple CodeBlock should be able to share the same instruction
        stream without copying
        https://bugs.webkit.org/show_bug.cgi?id=71978

        Reviewed by Oliver Hunt.
        
        This refactors CodeBlock::m_instructions to be a Vector boxed in a
        ref-counted object, but otherwise does not take advantage of this.
        
        This is performance neutral.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasInstructions):
        (JSC::CodeBlock::numberOfInstructions):
        (JSC::CodeBlock::instructions):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):

2011-11-09  Gavin Barraclough  <barraclough@apple.com>

        Renovate ARMv7 assembler/macro-assembler
        https://bugs.webkit.org/show_bug.cgi?id=71982

        Reviewed by Geoff Garen.

        ARMv7Assembler:
        * add support for strb (byte stores)
        * rename the VMOV_CtoS opcodes (there are currently backwards!)
        * add support for adc (add with carry)
        * add support for vsqrt, vabs
        * add support for vmov (between FPRs, and to/from GPR pairs).
        * remove '_F64' postfixes from instructions (these aren't helpful, functions can already be distinguished by their signatures).
        * rename vcvt_F64_S32  to vcvt_signedToFloatingPoint, the prior postfix was unhelpful in failing to distinguish the types (S32 indicates a single precision register, but the type could be float, int32, or uint32).
        * rename vcvtr_S32_F64 to vcvt_floatingPointToSigned, as for previous, also vcvtr was the incorrect name for the operation (the emitted instruction truncates).

        MacroAssemblerARMv7:
        * add 3-operand versions of and32, lshift32, or32, rshift32, urshift32, sub32, xor32, 
        * add store8, and store32 imm to base-index.
        * fix load32WithCompactAddressOffsetPatch to work for all gprs (the fix is a little kludgy but functional; to do better we'll have to also fix the repatching code).
        * Update supportsFloating* flags (all features now supported).
        * add moveDouble, storeDouble to absolute address, addDouble to absolute address
        * add 3-operand double operations.
        * implement sqrtDouble/absDouble
        * add branchTruncateDoubleToInt32, implement truncateDoubleToInt32
        * move should do nothing if src == dest
        * branchTest8-on-memory can be implemented in terms of branchTest32-on-register (branchTest8-on-register has been removed).
        * add 3-operand branchAdd32, branchSub32, also branchAdd32 absolute address.

2011-11-09  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=71873

        Reviewed by Geoff Garen.

        Incrementally re-landing these changes, trying to determine what went wrong.
        (The whole patch failed tests on the build bot but worked locally.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):

2011-11-09  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit code should be lazily generated
        https://bugs.webkit.org/show_bug.cgi?id=71744

        Reviewed by Gavin Barraclough.
        
        The OSR exit code is now generated the first time it is executed,
        rather than right after speculative compilation. Because most OSR
        exits are never taken, this should greatly reduce both code size
        and compilation time.
        
        This is a 1% win on SunSpider, and a 1% win on V8 when running in
        my harness. No change in V8 in V8's harness (due to the long runs,
        so compile time is not an issue) and no change in Kraken (again,
        long runs of small code so compile time has no measurable effect).

        * CMakeListsEfl.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::jump):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::jump):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::jmp_m):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::createDFGDataIfNecessary):
        (JSC::CodeBlock::appendDFGOSREntryData):
        (JSC::CodeBlock::numberOfDFGOSREntries):
        (JSC::CodeBlock::dfgOSREntryData):
        (JSC::CodeBlock::dfgOSREntryDataForBytecodeIndex):
        (JSC::CodeBlock::appendOSRExit):
        (JSC::CodeBlock::appendSpeculationRecovery):
        (JSC::CodeBlock::numberOfOSRExits):
        (JSC::CodeBlock::numberOfSpeculationRecoveries):
        (JSC::CodeBlock::osrExit):
        (JSC::CodeBlock::speculationRecovery):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCorrectableJumpPoint.cpp: Added.
        (JSC::DFG::CorrectableJumpPoint::codeLocationForRepatch):
        * dfg/DFGCorrectableJumpPoint.h: Added.
        (JSC::DFG::CorrectableJumpPoint::CorrectableJumpPoint):
        (JSC::DFG::CorrectableJumpPoint::switchToLateJump):
        (JSC::DFG::CorrectableJumpPoint::correctInitialJump):
        (JSC::DFG::CorrectableJumpPoint::correctLateJump):
        (JSC::DFG::CorrectableJumpPoint::initialJump):
        (JSC::DFG::CorrectableJumpPoint::lateJump):
        (JSC::DFG::CorrectableJumpPoint::correctJump):
        (JSC::DFG::CorrectableJumpPoint::getJump):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExit.cpp: Added.
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::dump):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.cpp: Added.
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        * dfg/DFGThunks.cpp: Added.
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * dfg/DFGThunks.h: Added.
        * jit/JITCode.h:
        (JSC::JITCode::dataAddressAtOffset):
        * runtime/JSGlobalData.h:

2011-11-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing build breakage

        Unreviewed build fix

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-11-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSVariableObject::isDynamicScope
        https://bugs.webkit.org/show_bug.cgi?id=71933

        Reviewed by Geoffrey Garen.

        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h: Inlined and de-virtualized isDynamicScope
        (JSC::JSActivation::isDynamicScope):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h: Inlined and de-virtualized isDynamicScope
        (JSC::JSGlobalObject::isDynamicScope):
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h: Inlined and de-virtualized isDynamicScope
        (JSC::JSStaticScopeObject::createStructure): Changed createStructure to use new JSType
        (JSC::JSStaticScopeObject::isDynamicScope):
        * runtime/JSType.h: Added new type for JSStaticScopeObject
        * runtime/JSVariableObject.cpp: De-virtualized and added an implementation that checks the 
        object's type and calls the corresponding implementation.
        (JSC::JSVariableObject::isDynamicScope):
        * runtime/JSVariableObject.h:

2011-11-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSGlobalObject::hasOwnPropertyForWrite
        https://bugs.webkit.org/show_bug.cgi?id=71934

        Reviewed by Geoffrey Garen.

        * runtime/JSGlobalObject.h: Removed the virtual-ness of hasOwnPropertyForWrite since nobody overrides it.

2011-11-09  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=71873

        Reviewed by Geoff Garen.

        Incrementally re-landing these changes, trying to determine what went wrong.
        (The whole patch failed tests on the build bot but worked locally.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::absDouble):
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::absDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::absDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::absDouble):
        * assembler/MacroAssemblerX86Common.h:
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::absDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/ThunkGenerators.cpp:
        (JSC::absThunkGenerator):

2011-11-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::getOwnPropertyDescriptor
        https://bugs.webkit.org/show_bug.cgi?id=71523

        Reviewed by Sam Weinig.

        Added getOwnPropertyDescriptor to the MethodTable, changed all of the 
        virtual versions of getOwnPropertyDescriptor to static ones, and 
        changed all of the call sites to the corresponding lookup in the MethodTable.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertyDescriptor):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertyDescriptor):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertyDescriptor):
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertyDescriptor):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertyDescriptor):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertyDescriptor):
        * runtime/BooleanPrototype.h:
        * runtime/ClassInfo.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertyDescriptor):
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertyDescriptor):
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertyDescriptor):
        * runtime/ErrorPrototype.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertyDescriptor):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::getOwnPropertyDescriptor):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertyDescriptor):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertyDescriptor):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertyDescriptor):
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertyDescriptor):
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertyDescriptor):
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::vtableAnchor):
        (JSC::JSObject::propertyIsEnumerable):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::JSObject::getPropertyDescriptor):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/JSString.cpp: Removed getOwnPropertyDescriptor, since this seems to be a relic from a 
        bygone era when getOwnPropertyDescriptor was rooted in JSCell rather than JSObject.  There were 
        no call sites for this version of getOwnPropertyDescriptor in the entire project.
        * runtime/JSString.h:
        * runtime/Lookup.h:
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticFunctionDescriptor):
        (JSC::getStaticValueDescriptor):
        * runtime/MathObject.cpp:
        (JSC::MathObject::getOwnPropertyDescriptor):
        * runtime/MathObject.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertyDescriptor):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertyDescriptor):
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::getOwnPropertyDescriptor):
        * runtime/ObjectPrototype.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertyDescriptor):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertyDescriptor):
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertyDescriptor):
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertyDescriptor):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::vtableAnchor): Added to prevent a weak vtable.
        (JSC::StringObject::getOwnPropertyDescriptor):
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::getOwnPropertyDescriptor):
        * runtime/StringPrototype.h:

2011-11-09  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=71873

        Reviewed by Geoff Garen.

        Incrementally re-landing these changes, trying to determine what went wrong.
        (The whole patch failed tests on the build bot but worked locally.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPoint):
        (JSC::MacroAssemblerARM::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARM::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARM::supportsFloatingPointAbs):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPoint):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointAbs):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::supportsFloatingPoint):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointAbs):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsFloatingPoint):
        (JSC::MacroAssemblerSH4::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerSH4::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerSH4::supportsFloatingPointAbs):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::supportsFloatingPoint):
        (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerX86::supportsFloatingPointAbs):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::supportsFloatingPoint):
        (JSC::MacroAssemblerX86_64::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerX86_64::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerX86_64::supportsFloatingPointAbs):
        * jit/ThunkGenerators.cpp:
        (JSC::absThunkGenerator):

2011-11-08  Darin Adler  <darin@apple.com>

        Add code path in HashTable for emptyValueIsZero that does not require copying the empty value
        https://bugs.webkit.org/show_bug.cgi?id=71875

        Reviewed by Anders Carlsson.

        This is a step along the path of making OwnPtr work as HashMap value types.

        * wtf/Alignment.h: Moved the AlignedBufferChar and AlignedBuffer types from Vector.h here.
        Also fixed include style. To include other WTF headers inside WTF, we use "" includes.
        I did not change the code to fix style checker complaints.

        * wtf/HashTable.h: Added includes as needed and fixed include style.
        (WTF::doubleHash): Removed the uneeeded and inappropriate "static" in this function, which
        gave it internal linkage for no good reason.
        (WTF::HashTable::checkKey): Made this use AlignedBuffer for the deleted value check to avoid
        construction/destruction problems instead of doing the trick where we construct and destroy
        an empty value twice. It's cleaner and simpler and avoids copying the empty value.
        (WTF::HashTable::initializeBucket): Specialized initializeBucket to use memset when the
        empty value is zero rather than copying an empty value.

        * wtf/Vector.h: Moved the AlignedBufferChar and AlignedBuffer types into Alignment.h.

2011-11-09  Gabor Rapcsanyi  <rgabor@webkit.org>

        Buildfix for 32bit debug mode.

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2011-11-09  Andy Wingo  <wingo@igalia.com>

        Enable the DFG JIT on X86-64 Linux platforms
        https://bugs.webkit.org/show_bug.cgi?id=71373

        Reviewed by Csaba Osztrogonác.

        * wtf/Platform.h (ENABLE_DFG_JIT): Enable the DFG JIT on the
        x86-64 GNU/Linux platform.
        * CMakeListsEfl.txt: Add JSValue64 implementations to EFL build.

2011-11-09  Csaba Osztrogonác  <ossy@webkit.org>

        Enable the DFG JIT on x86-64 Linux platforms
        https://bugs.webkit.org/show_bug.cgi?id=71373

        Enable DFG JIT by default on X86 Linux and Mac platforms
        https://bugs.webkit.org/show_bug.cgi?id=71686

        Buildfix for stricter compilers: -Werror=unused-but-set-variable

        Reviewed by Zoltan Herczeg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-09  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r99678.
        http://trac.webkit.org/changeset/99678
        https://bugs.webkit.org/show_bug.cgi?id=71882

        broke the build with -Werror=unused-but-set-variable
        (Requested by tronical_ on #webkit).

        * CMakeListsEfl.txt:
        * wtf/Platform.h:

2011-11-09  Andy Wingo  <wingo@igalia.com>

        Enable the DFG JIT on X86-64 Linux platforms
        https://bugs.webkit.org/show_bug.cgi?id=71373

        Reviewed by Filip Pizlo.

        * wtf/Platform.h (ENABLE_DFG_JIT): Enable the DFG JIT on the
        x86-64 GNU/Linux platform.
        * CMakeListsEfl.txt: Add JSValue64 implementations to EFL build.

2011-11-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::defineOwnProperty
        https://bugs.webkit.org/show_bug.cgi?id=71429

        Reviewed by Geoffrey Garen.

        Added defineOwnProperty to the MethodTable, changed all the virtual 
        implementations of defineOwnProperty to static ones, and replaced 
        all call sites with corresponding lookups in the MethodTable.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/Arguments.cpp:
        (JSC::Arguments::createStrictModeCallerIfNecessary):
        (JSC::Arguments::createStrictModeCalleeIfNecessary):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineOwnProperty):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorDefineProperty):
        (JSC::defineProperties):

2011-11-09  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] Build system cleanup
        https://bugs.webkit.org/show_bug.cgi?id=71815

        Reviewed by Kenneth Rohde Christiansen.

        * wtf/wtf.pri: Moved the glib dependency to javascriptcore.prf.

2011-11-08  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] Replace use of QApplication with QGuiApplication
        https://bugs.webkit.org/show_bug.cgi?id=71794

        Reviewed by Andreas Kling.

        Add compat headers for use when building with Qt 4: QGuiApplication
        is typedef'ed to QApplication.

        * wtf/qt/compat/QGuiApplication: Added.
        * wtf/qt/compat/qguiapplication.h: Added.

2011-11-08  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r99647.
        http://trac.webkit.org/changeset/99647
        https://bugs.webkit.org/show_bug.cgi?id=71876

        It broke jsc and layout tests on all bot (Requested by
        Ossy_night on #webkit).

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPoint):
        (JSC::MacroAssemblerARM::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARM::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARM::supportsDoubleBitops):
        (JSC::MacroAssemblerARM::andnotDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPoint):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::andnotDouble):
        (JSC::MacroAssemblerMIPS::supportsFloatingPoint):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsFloatingPoint):
        (JSC::MacroAssemblerSH4::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerSH4::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerSH4::supportsDoubleBitops):
        (JSC::MacroAssemblerSH4::andnotDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::MacroAssemblerX86):
        (JSC::MacroAssemblerX86::supportsFloatingPoint):
        (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerX86::supportsDoubleBitops):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::andnotDouble):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::supportsFloatingPoint):
        (JSC::MacroAssemblerX86_64::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerX86_64::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
        * assembler/X86Assembler.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/ThunkGenerators.cpp:
        (JSC::absThunkGenerator):
        * runtime/JSGlobalData.cpp:

2011-11-08  Gavin Barraclough  <barraclough@apple.com>

        Better abstract 'abs' operation through the MacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=71873

        Reviewed by Geoff Garen.

        Currently the x86 specific instruction sequence to perform a double abs
        is duplicated throughout the JITs / thunk generators.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPoint):
        (JSC::MacroAssemblerARM::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARM::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARM::supportsFloatingPointAbs):
        (JSC::MacroAssemblerARM::absDouble):
            - Renamed supportsFloatingPointAbs, make these methods static so that
              we can check the JIT's capabilites before we begin compilation.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPoint):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARMv7::supportsFloatingPointAbs):
            - Renamed supportsFloatingPointAbs, make these methods static so that
              we can check the JIT's capabilites before we begin compilation.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::absDouble):
        (JSC::MacroAssemblerMIPS::supportsFloatingPoint):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointAbs):
            - Renamed supportsFloatingPointAbs, make these methods static so that
              we can check the JIT's capabilites before we begin compilation.
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsFloatingPoint):
        (JSC::MacroAssemblerSH4::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerSH4::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerSH4::supportsFloatingPointAbs):
        (JSC::MacroAssemblerSH4::absDouble):
            - Renamed supportsFloatingPointAbs, make these methods static so that
              we can check the JIT's capabilites before we begin compilation.
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::absDouble):
        (JSC::MacroAssemblerX86::supportsFloatingPoint):
        (JSC::MacroAssemblerX86::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerX86::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerX86::supportsFloatingPointAbs):
            - Made supports* methods static so that we can check the JIT's
              capabilites before we begin compilation. Added absDouble.
        * assembler/MacroAssemblerX86Common.h:
            - Removed andnotDouble, added s_maskSignBit.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::absDouble):
        (JSC::MacroAssemblerX86_64::supportsFloatingPoint):
        (JSC::MacroAssemblerX86_64::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerX86_64::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerX86_64::supportsFloatingPointAbs):
            - Made supports* methods static so that we can check the JIT's
              capabilites before we begin compilation. Added absDouble.
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andpd_rr):
        (JSC::X86Assembler::andpd_mr):
            - Added support for andpd instruction.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
            - Added checks for supportsFloatingPointAbs, supportsFloatingPointSqrt.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - Switched to use doubleAbs, we can now also reuse the operand register for the result.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - Switched to use doubleAbs, we can now also reuse the operand register for the result.
        * jit/ThunkGenerators.cpp:
            - Switched to use doubleAbs.
        (JSC::absThunkGenerator):
        * runtime/JSGlobalData.cpp:
            - Declared MacroAssemblerX86Common::s_maskSignBit here.
              This is a little ugly, but it doesn't seem worth adding a whole extra .cpp
              to the compile for just one constant.

2011-11-08  Gavin Barraclough  <barraclough@apple.com>

        Move duplicates of SYMBOL_STRING* macros to the single location
        https://bugs.webkit.org/show_bug.cgi?id=71456

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        * wtf/InlineASM.h: Added.
            - Moved asm related macros.

2011-11-08  Gavin Barraclough  <barraclough@apple.com>

        Move code to handle 8bit regs from X86Assembler to MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=71867

        Reviewed by Oliver Hunt.

        This code is fine, but is in the wrong place really. X86 assembler should
        basically just format up exactly the instruction you request - not expand
        out to a set of instructions (that is what the macro assembler layer is
        for!). For other 8-bit ops, on X86 we don't guard against clients accessing
        the XH registers.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_rm):
            - moved some code.

2011-11-08  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for GTK.

        * GNUmakefile.list.am:

2011-11-08  Gavin Barraclough  <barraclough@apple.com>

        Build fix.

        * assembler/X86Assembler.h:

2011-11-08  Gavin Barraclough  <barraclough@apple.com>

        Errrk, failed to commit this in last change.

        * assembler/X86Assembler.h:

2011-11-08  Gavin Barraclough  <barraclough@apple.com>

        Remove an unused method.

        Rubber stamped by Geoff Garen.

        * assembler/AbstractMacroAssembler.h:
        * assembler/AssemblerBuffer.h:
            - removed rewindToLabel.

2011-11-08  Gavin Barraclough  <barraclough@apple.com>

        Fix OSR entry points to calculate offsets correctly WRT to branch compaction.
        https://bugs.webkit.org/show_bug.cgi?id=71864

        Reviewed by Filip Pizlo.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::offsetOf):
            - We use this to return the offsets into the code of the entry points.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
            - Move the construction of the speculative JIT outside of
              compileBody, such that it is still available to link the
              OSR entry points at the point we are linking.
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
            - Pass the label of the block & linkbuffer into noticeOSREntry.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
            - Moved call to noticeOSREntry until we we linking.
        * dfg/DFGSpeculativeJIT.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
            - Moved calculation of entries until we we linking.
        * jit/JIT.h:
            - Removed some members.

2011-11-08  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit code should be generated by a separate compiler, not
        related to DFG::JITCompiler
        https://bugs.webkit.org/show_bug.cgi?id=71787

        Reviewed by Gavin Barraclough.
        
        Moves the exitSpeculativeWithOSR() method from JITCompiler to
        OSRExitCompiler::compileExit().

        * CMakeListsEfl.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        * dfg/DFGJITCompiler32_64.cpp: Removed.
        * dfg/DFGOSRExitCompiler.h: Added.
        (JSC::DFG::OSRExitCompiler::OSRExitCompiler):
        * dfg/DFGOSRExitCompiler32_64.cpp: Added.
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp: Added.
        (JSC::DFG::OSRExitCompiler::compileExit):
        * runtime/JSValue.h:

2011-11-08  Filip Pizlo  <fpizlo@apple.com>

        Basic DFG definitions should be moved out of DFGNode.h
        https://bugs.webkit.org/show_bug.cgi?id=71861

        Rubber-stamped by Gavin Barraclough.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCommon.h: Added.
        (JSC::DFG::NodeIndexTraits::defaultValue):
        * dfg/DFGNode.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGRegisterBank.h:

2011-11-08  Michael Saboff  <msaboff@apple.com>

        Towards 8 Bit Strings: Templatize JSC::Parser class by Lexer type
        https://bugs.webkit.org/show_bug.cgi?id=71761

        Templatized Parser based on Lexer<T>. Moved two enums,
        SourceElementsMode and FunctionRequirements out of Parser definition
        to work around a clang compiler defect.

        Cleaned up SourceCode data() to return StringImpl* and eliminated
        the recently added stringData() virtual method.

        To keep code in Parser.cpp and keep Parser.h small, the two flavors
        of Parser are explicitly instantiated at the end of Parser.cpp.

        Reviewed by Gavin Barraclough.

        * interpreter/Interpreter.cpp:
        (JSC::appendSourceToError):
        * parser/Lexer.cpp:
        (JSC::::setCode):
        (JSC::::sourceCode):
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::~Parser):
        (JSC::::parseInner):
        (JSC::::didFinishParsing):
        (JSC::::allowAutomaticSemicolon):
        (JSC::::parseSourceElements):
        (JSC::::parseVarDeclaration):
        (JSC::::parseConstDeclaration):
        (JSC::::parseDoWhileStatement):
        (JSC::::parseWhileStatement):
        (JSC::::parseVarDeclarationList):
        (JSC::::parseConstDeclarationList):
        (JSC::::parseForStatement):
        (JSC::::parseBreakStatement):
        (JSC::::parseContinueStatement):
        (JSC::::parseReturnStatement):
        (JSC::::parseThrowStatement):
        (JSC::::parseWithStatement):
        (JSC::::parseSwitchStatement):
        (JSC::::parseSwitchClauses):
        (JSC::::parseSwitchDefaultClause):
        (JSC::::parseTryStatement):
        (JSC::::parseDebuggerStatement):
        (JSC::::parseBlockStatement):
        (JSC::::parseStatement):
        (JSC::::parseFormalParameters):
        (JSC::::parseFunctionBody):
        (JSC::::parseFunctionInfo):
        (JSC::::parseFunctionDeclaration):
        (JSC::::parseExpressionOrLabelStatement):
        (JSC::::parseExpressionStatement):
        (JSC::::parseIfStatement):
        (JSC::::parseExpression):
        (JSC::::parseAssignmentExpression):
        (JSC::::parseConditionalExpression):
        (JSC::::isBinaryOperator):
        (JSC::::parseBinaryExpression):
        (JSC::::parseProperty):
        (JSC::::parseObjectLiteral):
        (JSC::::parseStrictObjectLiteral):
        (JSC::::parseArrayLiteral):
        (JSC::::parsePrimaryExpression):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        (JSC::::parseUnaryExpression):
        * parser/Parser.h:
        (JSC::::parse):
        (JSC::parse):
        * parser/SourceCode.h:
        (JSC::SourceCode::data):
        (JSC::SourceCode::subExpression):
        * parser/SourceProvider.h:
        (JSC::UStringSourceProvider::data):

2011-11-08  Gavin Barraclough  <barraclough@apple.com>

        Fix PropertyAccessRecords in DFG JIT to take account of branch compaction.
        https://bugs.webkit.org/show_bug.cgi?id=71855

        Reviewed by Filip Pizlo.

        The DFG JIT presently calculates a set of offsets early, before branches have been compacted.
        This won't work on ARMv7.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOf):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::JITCompiler::addPropertyAccess):

2011-11-08  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT calculation of OSR entry points is not THUMB2 safe
        https://bugs.webkit.org/show_bug.cgi?id=71852

        Reviewed by Oliver Hunt.

        Executable addresses are tagged with a low bit set to distinguish
        between THUMB2 and traditional ARM.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * jit/JITCode.h:
        (JSC::JITCode::executableAddressAtOffset):
        (JSC::JITCode::start):
        (JSC::JITCode::size):

2011-11-08  Michael Saboff  <msaboff@apple.com>

        JSC::Parser::Parser leaks Lexer member
        https://bugs.webkit.org/show_bug.cgi?id=71847

        Changed m_lexer member of Parser to be OwnPtr to fix a memory leak.

        Reviewed by Oliver Hunt.

        * parser/Parser.cpp:
        (JSC::Parser::Parser):
        (JSC::Parser::parseFunctionBody):
        * parser/Parser.h:

2011-11-08  Yuqiang Xian  <yuqiang.xian@intel.com>

        Enable DFG JIT by default on X86 Linux and Mac platforms
        https://bugs.webkit.org/show_bug.cgi?id=71686

        Reviewed by Filip Pizlo.

        We can get 9% on SunSpider, 89% on Kraken and 37% on V8, on Linux X86.

        * wtf/Platform.h:

2011-11-08  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG 32_64 - update make lists for efl, gtk, and Qt ports with DFG change r99519
        https://bugs.webkit.org/show_bug.cgi?id=71768

        Reviewed by Geoffrey Garen.

        Also includes a fix to make the newly introduced AssemblyHelpers
        friend of JSValue as we need the Tag definitions.

        * CMakeListsEfl.txt:
        * GNUmakefile.list.am:
        * Target.pri:
        * runtime/JSValue.h:

2011-11-07  Yuqiang Xian  <yuqiang.xian@intel.com>

        Fix gcc 4.4 compilation warnings in DFG 32_64
        https://bugs.webkit.org/show_bug.cgi?id=71762

        Reviewed by Filip Pizlo.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::registersMatched):

2011-11-07  Filip Pizlo  <fpizlo@apple.com>

        DFG code base should allow for classes not related to DFG::JITCompiler
        to use DFG idioms
        https://bugs.webkit.org/show_bug.cgi?id=71746

        Reviewed by Gavin Barraclough.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAssemblyHelpers.cpp: Added.
        (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
        (JSC::DFG::AssemblyHelpers::emitCount):
        (JSC::DFG::AssemblyHelpers::setSamplingFlag):
        (JSC::DFG::AssemblyHelpers::clearSamplingFlag):
        (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
        * dfg/DFGAssemblyHelpers.h: Added.
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::graph):
        * dfg/DFGJITCompiler32_64.cpp:
        * dfg/DFGOSRExit.h: Added.
        (JSC::DFG::SpeculationRecovery::SpeculationRecovery):
        (JSC::DFG::SpeculationRecovery::type):
        (JSC::DFG::SpeculationRecovery::dest):
        (JSC::DFG::SpeculationRecovery::src):
        (JSC::DFG::OSRExit::numberOfRecoveries):
        (JSC::DFG::OSRExit::valueRecovery):
        (JSC::DFG::OSRExit::isArgument):
        (JSC::DFG::OSRExit::isVariable):
        (JSC::DFG::OSRExit::argumentForIndex):
        (JSC::DFG::OSRExit::variableForIndex):
        (JSC::DFG::OSRExit::operandForArgument):
        (JSC::DFG::OSRExit::operandForIndex):
        * dfg/DFGSpeculativeJIT.h:

2011-11-07  Filip Pizlo  <fpizlo@apple.com>

        Switch back to 1+1 value profiling buckets, since it didn't help on arewefastyet,
        but it appears to help on other benchmarks.

        Rubber stamped by Oliver Hunt.

        * bytecode/ValueProfile.h:

2011-11-07  Ariya Hidayat  <ariya@sencha.com>

        "use strict" can not contain escape sequences or line continuation
        https://bugs.webkit.org/show_bug.cgi?id=71532

        Reviewed by Darin Adler.

        Store the actual literal length (before the escapes and line
        continuation are encoded) while parsing the directive and use it
        for the directive comparison.

        * parser/Parser.cpp:
        (JSC::Parser::parseSourceElements):
        (JSC::Parser::parseStatement):
        * parser/Parser.h:

2011-11-06  Filip Pizlo  <fpizlo@apple.com>

        DFG operationCreateThis slow path may get the wrong callee in case of inlining
        https://bugs.webkit.org/show_bug.cgi?id=71647

        Reviewed by Oliver Hunt.
        
        No new tests because I only saw this manifest itself when I had other bugs
        leading to spurious slow path executions.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::putWithAttributes
        https://bugs.webkit.org/show_bug.cgi?id=71716

        Reviewed by Darin Adler.

        Added putWithAttributes to the MethodTable, changed all the virtual 
        implementations of putWithAttributes to static ones, and replaced 
        all call sites with corresponding lookups in the MethodTable.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::putWithAttributes):
        * debugger/DebuggerActivation.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/ClassInfo.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::putWithAttributes):
        * runtime/JSActivation.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::putWithAttributes):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::putWithAttributes):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putWithAttributes):
        (JSC::putDescriptor):
        * runtime/JSObject.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::putWithAttributes):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::putWithAttributes):
        * runtime/JSVariableObject.h:

2011-11-07  Dmitry Lomov  <dslomov@google.com>

        Unreviewed. Release build fix.

        * parser/Lexer.cpp:
        (JSC::assertCharIsIn8BitRange):

2011-11-07  Filip Pizlo  <fpizlo@apple.com>

        Switch the value profiler back to 8 buckets, because we suspect that while this
        is more expensive it's also more stable.

        Rubber stamped by Geoff Garen.

        * bytecode/ValueProfile.h:

2011-11-07  Andrew Wason  <rectalogic@rectalogic.com>

        Uninitialized Heap member var
        https://bugs.webkit.org/show_bug.cgi?id=71722

        Reviewed by Filip Pizlo.

        * heap/Heap.cpp:
        (JSC::Heap::Heap): Initialize m_blockFreeingThreadShouldQuit

2011-11-07  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG 32_64 - registers cannot be reused arbitrarily if speculation failures are possible
        https://bugs.webkit.org/show_bug.cgi?id=71684

        Reviewed by Filip Pizlo.

        Currently in DFG JIT, we try to reuse the physical register of an
        operand for temporary usage if the current use of the operand is the
        last use. But sometimes this can be wrong, for example if there are
        possible speculation failures and we need to fallback to baseline JIT,
        the value of the operand which is supposed to be hold in the physical
        register can be modified by register reusing. The fixes the last
        inspector failures in layout test on Mac 32-bit if switching on DFG.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-07  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION(r99436): Broke Snow Leopard debug build
        https://bugs.webkit.org/show_bug.cgi?id=71713

        Reviewed by Darin Adler.

        Put the assertion in a template and use template specialization
        to avoid warning when instantiated with UChar or LChar.

        In the long term, we should have traits for unsigned integral types
        and use that to specialize template instead of specializing it for UChar and LChar.

        * parser/Lexer.cpp:
        (JSC::assertCharIsIn8BitRange):
        (JSC::::append8):

2011-11-07  ChangSeok Oh  <shivamidow@gmail.com>

        [EFL] Support requestAnimationFrame API
        https://bugs.webkit.org/show_bug.cgi?id=67112

        Reviewed by Andreas Kling.

        Let EFL port use REQUEST_ANIMATION_FRAME_TIMER.

        * wtf/Platform.h:

2011-11-07  Michael Saboff  <msaboff@apple.com>

        Towards 8 Bit Strings: Templatize JSC::Lexer class by character type
        https://bugs.webkit.org/show_bug.cgi?id=71331

        Change the Lexer class to be a template class based on the character
        type of the source.  In the process updated the parseIdentifier()
        and parseString() methods to create 8 bit strings where possible.
        Also added some helper methods for accumulating temporary string
        data in the 8 and 16 bit vectors.

        Changed the SourceProvider::data() virtual method to return a
        StringImpl* instead of a UChar*.

        Updated the KeywordLookup generator to create code to match keywords
        for both 8 and 16 bit source strings.

        Due to a compiler bug (<rdar://problem/10194295>) moved enum
        definition outside of Lexer class declaration.  Remove second enum
        no longer needed.

        Reviewed by Darin Adler.

        * KeywordLookupGenerator.py:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        * parser/Lexer.cpp:
        (JSC::::Lexer):
        (JSC::::~Lexer):
        (JSC::::getInvalidCharMessage):
        (JSC::::currentCharacter):
        (JSC::::setCode):
        (JSC::::internalShift):
        (JSC::::shift):
        (JSC::::peek):
        (JSC::::getUnicodeCharacter):
        (JSC::::shiftLineTerminator):
        (JSC::::lastTokenWasRestrKeyword):
        (JSC::::record8):
        (JSC::::append8):
        (JSC::::append16):
        (JSC::::record16):
        (JSC::::parseIdentifier):
        (JSC::::parseIdentifierSlowCase):
        (JSC::::parseString):
        (JSC::::parseStringSlowCase):
        (JSC::::parseHex):
        (JSC::::parseOctal):
        (JSC::::parseDecimal):
        (JSC::::parseNumberAfterDecimalPoint):
        (JSC::::parseNumberAfterExponentIndicator):
        (JSC::::parseMultilineComment):
        (JSC::::nextTokenIsColon):
        (JSC::::lex):
        (JSC::::scanRegExp):
        (JSC::::skipRegExp):
        (JSC::::clear):
        (JSC::::sourceCode):
        * parser/Lexer.h:
        (JSC::Lexer::append16):
        (JSC::Lexer::currentOffset):
        (JSC::Lexer::setOffsetFromCharOffset):
        (JSC::::isWhiteSpace):
        (JSC::::isLineTerminator):
        (JSC::::convertHex):
        (JSC::::convertUnicode):
        (JSC::::makeIdentifier):
        (JSC::::setCodeStart):
        (JSC::::makeIdentifierLCharFromUChar):
        (JSC::::lexExpectIdentifier):
        * parser/Parser.cpp:
        (JSC::Parser::Parser):
        (JSC::Parser::parseProperty):
        (JSC::Parser::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::next):
        (JSC::Parser::nextExpectIdentifier):
        * parser/ParserArena.h:
        (JSC::IdentifierArena::makeIdentifier):
        (JSC::IdentifierArena::makeIdentifierLCharFromUChar):
        * parser/SourceCode.h:
        (JSC::SourceCode::subExpression):
        * parser/SourceProvider.h:
        (JSC::UStringSourceProvider::stringData):
        * parser/SourceProviderCache.h:
        * parser/SyntaxChecker.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::insertSemicolonIfNeeded):
        * runtime/Identifier.cpp:
        (JSC::IdentifierTable::add):
        (JSC::IdentifierLCharFromUCharTranslator::hash):
        (JSC::IdentifierLCharFromUCharTranslator::equal):
        (JSC::IdentifierLCharFromUCharTranslator::translate):
        (JSC::Identifier::add8):
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        (JSC::Identifier::createLCharFromUChar):
        (JSC::Identifier::canUseSingleCharacterString):
        (JSC::IdentifierCharBufferTranslator::hash):
        (JSC::IdentifierCharBufferTranslator::equal):
        (JSC::IdentifierCharBufferTranslator::translate):
        (JSC::Identifier::add):
        (JSC::Identifier::equal):
        (JSC::IdentifierTable::add):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode):
        (JSC::parseIntOverflow):
        (JSC::globalFuncUnescape):
        * runtime/JSGlobalObjectFunctions.h:
        (JSC::parseIntOverflow):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):
        (JSC::LiteralParser::Lexer::lexString):
        * wtf/text/StringImpl.h:

2011-11-07  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Put the jsc binary in 'bin' instead of leaving it deep in the build tree

        Allows us to not package up the whole Source/JavaScriptCore directory for the
        buildbots.

        Reviewed-by Simon Hausmann.

        * jsc.pro:

2011-11-06  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r99374): GTK+ build of the jsc binary doesn't like the call
        to initializeMainThread, and crashes
        https://bugs.webkit.org/show_bug.cgi?id=71643

        Reviewed by Sam Weinig.

        * jsc.cpp:
        (main):

2011-11-06  Sam Weinig  <sam@webkit.org>

        Add space missing from some class declarations
        https://bugs.webkit.org/show_bug.cgi?id=71632

        Reviewed by Anders Carlsson.

        * assembler/AssemblerBufferWithConstantPool.h:
        * bytecode/CodeBlock.h:
        * dfg/DFGVariableAccessData.h:
        * heap/VTableSpectrum.h:
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * wtf/MetaAllocatorHandle.h:
        * wtf/UnionFind.h:

2011-11-06  Sam Weinig  <sam@webkit.org>

        Allow use of FINAL in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=71630

        Reviewed by Anders Carlsson.

        * Configurations/Base.xcconfig:
        Don't warn about C++11 extensions used in C++98 mode.

2011-11-05  Filip Pizlo  <fpizlo@apple.com>

        Value profiling should just use two buckets
        https://bugs.webkit.org/show_bug.cgi?id=71619

        Reviewed by Gavin Barraclough.
        
        Added one more configuration options (like Heuristics::minimumOptimizationDelay),
        improved debugging in JIT optimization support, changed the number of buckets
        in the value profile from 9 to 2, and wrote a more optimal value profiling path
        in the old JIT to take advantage of this. It's still possible to play around with
        larger numbers of buckets, and we should probably keep this for a little while
        until we convince ourselves that using just two buckets is the right call.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/ValueProfile.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-11-03  Filip Pizlo  <fpizlo@apple.com>

        JSC should be able to sample itself in a more flexible way than just sampling flags
        https://bugs.webkit.org/show_bug.cgi?id=71522

        Reviewed by Gavin Barraclough.
        
        Added a construct that looks like SamplingRegion samplingRegion("name").

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SamplingTool.cpp:
        (JSC::SamplingRegion::Locker::Locker):
        (JSC::SamplingRegion::Locker::~Locker):
        (JSC::SamplingRegion::sample):
        (JSC::SamplingRegion::dump):
        (JSC::SamplingRegion::dumpInternal):
        (JSC::SamplingThread::threadStartFunc):
        * bytecode/SamplingTool.h:
        (JSC::SamplingRegion::SamplingRegion):
        (JSC::SamplingRegion::~SamplingRegion):
        (JSC::SamplingRegion::exchangeCurrent):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * heap/VTableSpectrum.cpp:
        (JSC::VTableSpectrum::countVPtr):
        (JSC::VTableSpectrum::dump):
        * heap/VTableSpectrum.h:
        * jsc.cpp:
        (main):
        (runWithScripts):
        * parser/Parser.h:
        (JSC::parse):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * wtf/Atomics.h:
        (WTF::weakCompareAndSwap):
        * wtf/Platform.h:
        * wtf/Spectrum.h: Added.
        (WTF::Spectrum::Spectrum):
        (WTF::Spectrum::add):
        (WTF::Spectrum::get):
        (WTF::Spectrum::begin):
        (WTF::Spectrum::end):
        (WTF::Spectrum::KeyAndCount::KeyAndCount):
        (WTF::Spectrum::KeyAndCount::operator<):
        (WTF::Spectrum::buildList):
        * wtf/wtf.pri:

2011-11-05  Sam Weinig  <sam@webkit.org>

        Fix windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-11-04  Sam Weinig  <sam@webkit.org>

        Reduce the number of putWithAttributes
        https://bugs.webkit.org/show_bug.cgi?id=71597

        Reviewed by Adam Roben.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Remove exports of removed functions.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::putWithAttributes):
        Calling the overload without the extra parameters does the same thing.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putWithAttributes):
        * runtime/JSObject.h:
        Remove four unused JSObject::putWithAttributes overloads and make one of the remaining
        two overloads not virtual, since no one overrides it.

2011-11-04  Pratik Solanki  <psolanki@apple.com>

        sqrtDouble and andnotDouble should be declared noreturn
        https://bugs.webkit.org/show_bug.cgi?id=71592

        Reviewed by Sam Weinig.

        * assembler/MacroAssemblerARMv7.h:

2011-11-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::hasInstance
        https://bugs.webkit.org/show_bug.cgi?id=71430

        Reviewed by Darin Adler.

        Added hasInstance to the MethodTable, changed all the virtual 
        implementations of hasInstance to static ones, and replaced 
        all call sites with corresponding lookups in the MethodTable.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::hasInstance):
        * API/JSValueRef.cpp:
        (JSValueIsInstanceOfConstructor):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ClassInfo.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::hasInstance):
        * runtime/JSBoundFunction.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::hasInstance):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):
        * runtime/JSObject.h:

2011-11-04  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Refactor and clean up the qmake build system

        The qmake build system has accumulated a bit of cruft and redundancy
        over time. There's also a fairly tight coupling between how to build
        the various targets, and _what_ to build, making it harder to add new
        rules or sources. This patch aims to elevate these issues somewhat.

        This is a short-list of the changes:

          * The rules for how to build targets are now mostly contained as
            prf-files in Tools/qmake/mkspecs/features. Using mkspecs also
            allows us to do pre- and post-processing of each project file,
            which helps to clean up the actual project files.

          * Derived sources are no longer generated as a separate make-step
            but is part of each target's project file as a subdir. Makefile
            rules are used to ensure that we run make on the derived sources
            before running qmake on the actual target makefile. This makes
            it easier to keep a proper dependency between derived sources
            and the target.

          * We use GNU make and the compiler to generate dependencies on
            UNIX-based systems running Qt 5. This allows us to lessen the
            need to run qmake, which should reduce compile time.

          * WebKit2 is now build by default if building with Qt 5. It can
            be disabled by passing --no-webkit2 to build-webkit.

        The result of these changes are hopefully a cleaner and easier
        build system to modify, and faster build times due to no longer
        running qmake on every single build. It's also a first step
        towards possibly generating the list of sources using another
        build system.

        https://bugs.webkit.org/show_bug.cgi?id=71222

        Reviewed by Simon Hausmann.

        * DerivedSources.pri: Added.
        * DerivedSources.pro: Removed.
        * JavaScriptCore.pro:
        * Target.pri: Copied from Source/JavaScriptCore/JavaScriptCore.pro.
        * headers.pri: Removed.
        * jsc.pro:
        * wtf/wtf.pri:
        * yarr/yarr.pri:

2011-11-04  Yuqiang Xian  <yuqiang.xian@intel.com>

        More code clean-up in DFG 32_64
        https://bugs.webkit.org/show_bug.cgi?id=71540

        Remove unnecessary code duplications, and fix compilation warnings.

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::emitCount):
        (JSC::DFG::JITCompiler::setSamplingFlag):
        (JSC::DFG::JITCompiler::clearSamplingFlag):
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        * dfg/DFGJITCompiler32_64.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-04  Csaba Osztrogonác  <ossy@webkit.org>

        De-virtualize JSObject::hasInstance
        https://bugs.webkit.org/show_bug.cgi?id=71430

        Unreviewed rolling out r99238, because it made a test crash on all platform.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::hasInstance):
        * API/JSValueRef.cpp:
        (JSValueIsInstanceOfConstructor):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ClassInfo.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::hasInstance):
        * runtime/JSBoundFunction.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):
        * runtime/JSObject.h:

2011-11-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::getPropertyNames
        https://bugs.webkit.org/show_bug.cgi?id=71306

        Reviewed by Darin Adler.

        Added getPropertyNames to the MethodTable, changed all the virtual 
        implementations of getPropertyNames to static ones, and replaced 
        all call sites with corresponding lookups in the MethodTable.

        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertyNames):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getPropertyNames):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        * runtime/JSObject.h:
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::print):
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/Structure.h:

2011-11-03  Darin Adler  <darin@apple.com>

        Change remaining callers of releaseRef to call leakRef
        https://bugs.webkit.org/show_bug.cgi?id=71422

        * wtf/text/AtomicString.cpp:
        (WTF::HashAndUTF8CharactersTranslator::translate): Use leakRef.

2011-11-02  Darin Adler  <darin@apple.com>

        Change remaining callers of releaseRef to call leakRef
        https://bugs.webkit.org/show_bug.cgi?id=71422

        * wtf/text/AtomicString.cpp:
        (WTF::HashAndUTF8CharactersTranslator::translate): Use leakRef.

2011-11-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::hasInstance
        https://bugs.webkit.org/show_bug.cgi?id=71430

        Reviewed by Darin Adler.

        Added hasInstance to the MethodTable, changed all the virtual 
        implementations of hasInstance to static ones, and replaced 
        all call sites with corresponding lookups in the MethodTable.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::hasInstance):
        * API/JSValueRef.cpp:
        (JSValueIsInstanceOfConstructor):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ClassInfo.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::hasInstance):
        * runtime/JSBoundFunction.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::hasInstance):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):
        * runtime/JSObject.h:

2011-11-03  Filip Pizlo  <fpizlo@apple.com>

        JIT-specific code should be able to refer to register types even on JIT-disabled builds
        https://bugs.webkit.org/show_bug.cgi?id=71498

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssembler.h:
        (MacroAssembler::MacroAssembler):

2011-11-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::className
        https://bugs.webkit.org/show_bug.cgi?id=71428

        Reviewed by Sam Weinig.

        Added className to the MethodTable, changed all the virtual 
        implementations of className to static ones, and replaced 
        all call sites with corresponding lookups in the MethodTable.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::className):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::className):
        * debugger/DebuggerActivation.h:
        * jsc.cpp:
        (GlobalObject::createStructure):
        * profiler/Profiler.cpp:
        (JSC::Profiler::createCallIdentifier):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::className):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::className):
        * runtime/JSObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * testRegExp.cpp:
        (GlobalObject::createStructure):

2011-11-02  Jer Noble  <jer.noble@apple.com>

        Add Clock class and platform-specific implementations.
        https://bugs.webkit.org/show_bug.cgi?id=71341

        Reviewed by Sam Weinig.

        Add WTF_USE_COREAUDIO macro for use by PlatformClockCA.

        * wtf/Platform.h:

2011-11-03  Pavel Feldman  <pfeldman@chromium.org>

        Not reviewed: fixing win build. step2.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-11-03  Pavel Feldman  <pfeldman@chromium.org>

        Not reviewed: fix windows build, step1

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-11-03  Pavel Feldman  <pfeldman@google.com>

        Web Inspector: preserve script location for inline handlers.
        https://bugs.webkit.org/show_bug.cgi?id=71367

        Makes SourceCode factories receive TextPosition instead of the line number;
        Stores consistent position values in SourceCode and SourceProvider;

        Reviewed by Yury Semikhatsky.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * parser/SourceCode.h:
        (JSC::makeSource):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::SourceProvider):
        (JSC::SourceProvider::startPosition):
        (JSC::UStringSourceProvider::create):
        (JSC::UStringSourceProvider::UStringSourceProvider):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:

2011-11-03  Kentaro Hara  <haraken@chromium.org>

        Fixed wrong implementation of doubleValue % 2^{64}.
        https://bugs.webkit.org/show_bug.cgi?id=67980

        Reviewed by Hajime Morita.

        fast/events/constructors/progress-event-constructor.html was failing
        because of the wrong implementation of conversion from an ECMAScript value
        to an IDL unsigned long long value (Spec: http://www.w3.org/TR/WebIDL/#es-unsigned-long-long).
        In particular, the calculation of doubleValue % 2^{64} was wrong.
        This patch implemented it correctly in doubleToInteger() in wtf/MathExtras.h.

        * wtf/MathExtras.h:
        (doubleToInteger): Implemented the spec correctly.

2011-11-03  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r99089.
        http://trac.webkit.org/changeset/99089
        https://bugs.webkit.org/show_bug.cgi?id=71448

        @plt postfix for math functions cause crash on Linux 32 (the
        symbol is defined but it points to NULL) (Requested by
        zherczeg on #webkit).

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        * jit/ThunkGenerators.cpp:

2011-11-02  Filip Pizlo  <fpizlo@apple.com>

        DFG inlining breaks function.arguments[something] if the argument being
        retrieved was subjected to DFG's unboxing optimizations
        https://bugs.webkit.org/show_bug.cgi?id=71436

        Reviewed by Oliver Hunt.
        
        This makes inlined arguments retrieval use some of the same machinery as
        OSR to determine where from, and how, to retrieve a value that the DFG
        might have somehow squirreled away while the old JIT would put it in its
        obvious location, using an obvious format.
        
        To that end, previously DFG-internal notions such as DataFormat,
        VirtualRegister, and ValueRecovery are now in bytecode/ since they are
        stored as part of InlineCallFrames.

        * bytecode/CodeOrigin.h:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::inlineCallFrame):
        * interpreter/Register.h:
        (JSC::Register::asInlineCallFrame):
        (JSC::Register::unboxedInt32):
        (JSC::Register::unboxedBoolean):
        (JSC::Register::unboxedCell):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreationAndCopyRegisters):

2011-11-02  Filip Pizlo  <fpizlo@apple.com>

        ValueRecovery should be moved out of the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=71439

        Reviewed by Oliver Hunt.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/DataFormat.h: Added.
        (JSC::dataFormatToString):
        (JSC::needDataFormatConversion):
        (JSC::isJSFormat):
        (JSC::isJSInteger):
        (JSC::isJSDouble):
        (JSC::isJSCell):
        (JSC::isJSBoolean):
        * bytecode/ValueRecovery.h: Added.
        (JSC::ValueRecovery::ValueRecovery):
        (JSC::ValueRecovery::alreadyInRegisterFile):
        (JSC::ValueRecovery::alreadyInRegisterFileAsUnboxedInt32):
        (JSC::ValueRecovery::alreadyInRegisterFileAsUnboxedCell):
        (JSC::ValueRecovery::alreadyInRegisterFileAsUnboxedBoolean):
        (JSC::ValueRecovery::inGPR):
        (JSC::ValueRecovery::inPair):
        (JSC::ValueRecovery::inFPR):
        (JSC::ValueRecovery::displacedInRegisterFile):
        (JSC::ValueRecovery::constant):
        (JSC::ValueRecovery::technique):
        (JSC::ValueRecovery::isInRegisters):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::tagGPR):
        (JSC::ValueRecovery::payloadGPR):
        (JSC::ValueRecovery::fpr):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dump):
        * bytecode/VirtualRegister.h: Added.
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::isJSFormat):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGVariableAccessData.h:

2011-11-02  Sam Weinig  <sam@webkit.org>

        Object.getOwnPropertyDescriptor() does not retrieve the getter/setter from a property on the window that has been overridden with a getter/setter
        https://bugs.webkit.org/show_bug.cgi?id=71333

        Reviewed by Gavin Barraclough.

        Tested by fast/dom/getter-on-window-object2.html

        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setDescriptor):
        The attributes returned from Structure::get do not include Getter or Setter, so
        instead check if the value is a GetterSetter like we do elsewhere. If it is, update
        the descriptor's attributes accordingly.

2011-11-02  Yuqiang Xian  <yuqiang.xian@intel.com>

        FunctionPtr should accept FASTCALL functions on X86
        https://bugs.webkit.org/show_bug.cgi?id=71434

        Reviewed by Filip Pizlo.

        On X86 we sometimes use FASTCALL convention functions, for example the
        cti functions, and we may need the pointers to such functions, e.g.,
        in current DFG register file check and arity check, though long term
        we may avoid such usage of cti calls in DFG.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):

2011-11-02  Filip Pizlo  <fpizlo@apple.com>

        Inlined uses of the global object should use the right global object
        https://bugs.webkit.org/show_bug.cgi?id=71427

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::globalObjectFor):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-11-02  Yuqiang Xian  <yuqiang.xian@intel.com>

        Remove some unnecessary loads/stores in DFG JIT 32_64
        https://bugs.webkit.org/show_bug.cgi?id=71090

        Reviewed by Filip Pizlo.

        In fillSpeculateCell and OSR exit, some unnecessary loads/stores can
        be eliminated.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):

2011-11-02  Adam Klein  <adamk@chromium.org>

        Replace usage of StringImpl with String where possible in CharacterData and Text
        https://bugs.webkit.org/show_bug.cgi?id=71383

        Reviewed by Darin Adler.

        * wtf/text/WTFString.h:
        (WTF::String::containsOnlyWhitespace): Added new method.

2011-11-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::getOwnPropertyNames
        https://bugs.webkit.org/show_bug.cgi?id=71307

        Reviewed by Darin Adler.

        Added getOwnPropertyNames to the MethodTable, changed all the virtual 
        implementations of getOwnPropertyNames to static ones, and replaced 
        all call sites with corresponding lookups in the MethodTable.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertyNames):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertyNames):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertyNames):
        * runtime/Arguments.h:
        * runtime/ClassInfo.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertyNames):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertyNames):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::getOwnPropertyNames):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertyNames):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertyNames):
        * runtime/JSFunction.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertyNames):
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        * runtime/JSObject.h:
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::~JSVariableObject):
        (JSC::JSVariableObject::getOwnPropertyNames):
        * runtime/JSVariableObject.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::defineProperties):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertyNames):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames):
        * runtime/StringObject.h:
        * runtime/Structure.h:

2011-11-02  Dean Jackson  <dino@apple.com>

        Add ENABLE_CSS_SHADERS flag
        https://bugs.webkit.org/show_bug.cgi?id=71394

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2011-11-02  Alexey Shabalin  <a.shabalin@gmail.com>

        TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
        https://bugs.webkit.org/show_bug.cgi?id=70610

        Reviewed by Martin Robinson.

        Properly annotate ASM on BSD and Linux x86 systems.

        * dfg/DFGOperations.cpp: Add annotation for X86.
        * jit/JITStubs.cpp: Ditto.
        * jit/ThunkGenerators.cpp: Ditto.

2011-11-02  Xianzhu Wang  <wangxianzhu@chromium.org>

        Missing Force8BitConstructor in 8-bit version of StringImpl::reallocate()
        https://bugs.webkit.org/show_bug.cgi?id=71347

        Reviewed by Geoffrey Garen.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::reallocate):

2011-11-01  Darin Adler  <darin@apple.com>

        Cut down on malloc/free a bit in the parser arena
        https://bugs.webkit.org/show_bug.cgi?id=71343

        Reviewed by Oliver Hunt.

        * parser/ParserArena.cpp:
        (JSC::ParserArena::deallocateObjects): Call the destructors of
        the deletable objects before freeing the pools. Don't call
        fastFree on the deletable objects any more.

        * parser/ParserArena.h:
        (JSC::ParserArena::allocateDeletable): Use allocateFreeable
        instead of fastMalloc here.

2011-11-01  Sam Weinig  <sam@webkit.org>

        Implement __lookupGetter__/__lookupSetter__ in terms of getPropertyDescriptor
        https://bugs.webkit.org/show_bug.cgi?id=71336

        Reviewed by Darin Adler.

        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        Remove overrides of lookupGetter/lookupSetter, which are no longer needed
        due to implementing getPropertyDescriptor.

        * runtime/JSObject.cpp:
        (JSC::JSObject::lookupGetter):
        (JSC::JSObject::lookupSetter):
        * runtime/JSObject.h:
        De-virtualize lookupGetter/lookupSetter, and implement them in terms of
        getPropertyDescriptor.

2011-11-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::defineSetter
        https://bugs.webkit.org/show_bug.cgi?id=71303

        Reviewed by Darin Adler.

        Added defineSetter to the MethodTable, changed all the virtual 
        implementations of defineSetter to static ones, and replaced 
        all call sites with corresponding lookups in the MethodTable.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineSetter):
        * debugger/DebuggerActivation.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineSetter):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineSetter):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineSetter):
        (JSC::putDescriptor):
        * runtime/JSObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineSetter):

2011-11-01  Filip Pizlo  <fpizlo@apple.com>

        DFG inlining breaks function.arguments
        https://bugs.webkit.org/show_bug.cgi?id=71329

        Reviewed by Oliver Hunt.
        
        The DFG was forgetting to store code origin mappings for inlined
        call sites. Some of the fast-path optimizations for
        CallFrame::trueCallerFrame() were wrong. An assertion in Arguments
        was wrong.
        
        I also took the opportunity to decrease code duplication between
        DFG64 and DFG32_64, because I didn't feel like writing the same
        code twice.

        * bytecode/CodeBlock.h:
        (JSC::ExecState::isInlineCallFrame):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler32_64.cpp:
        * dfg/DFGNode.h:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        * runtime/Arguments.h:
        (JSC::Arguments::getArgumentsData):

2011-11-01  Xianzhu Wang  <wangxianzhu@chromium.org>

        StringImpl::reallocate() should have a 8-bit version
        https://bugs.webkit.org/show_bug.cgi?id=71210

        Reviewed by Geoffrey Garen.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::reallocate):
        * wtf/text/StringImpl.h:

2011-10-31  Filip Pizlo  <fpizlo@apple.com>

        The GC should be parallel
        https://bugs.webkit.org/show_bug.cgi?id=70995

        Reviewed by Geoff Garen.
        
        Added parallel tracing to the GC. This works by having local mark
        stacks per thread, and a global shared one. Threads sometimes
        donate cells from the mark stack to the global one if the heuristics
        tell them that it's affordable to do so. Threads that have depleted
        their local mark stacks try to steal some from the shared one.

        Marking is now done using an atomic weak relaxed CAS (compare-and-swap).
        
        This is a 23% speed-up on V8-splay when I use 4 marking threads,
        leading to a 3.5% speed-up on V8.
        
        It also appears that this reduces GC pause times on real websites by
        more than half.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStackSegmentAllocator::MarkStackSegmentAllocator):
        (JSC::MarkStackSegmentAllocator::~MarkStackSegmentAllocator):
        (JSC::MarkStackSegmentAllocator::allocate):
        (JSC::MarkStackSegmentAllocator::release):
        (JSC::MarkStackSegmentAllocator::shrinkReserve):
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::expand):
        (JSC::MarkStackArray::refill):
        (JSC::MarkStackArray::donateSomeCellsTo):
        (JSC::MarkStackArray::stealSomeCellsFrom):
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        (JSC::MarkStackThreadSharedData::markingThreadStartFunc):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::MarkStackThreadSharedData::~MarkStackThreadSharedData):
        (JSC::MarkStackThreadSharedData::reset):
        (JSC::MarkStack::reset):
        (JSC::SlotVisitor::donateSlow):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::MarkStack::mergeOpaqueRoots):
        (JSC::SlotVisitor::harvestWeakReferences):
        * heap/MarkStack.h:
        (JSC::MarkStackSegment::data):
        (JSC::MarkStackSegment::capacityFromSize):
        (JSC::MarkStackSegment::sizeFromCapacity):
        (JSC::MarkStackArray::postIncTop):
        (JSC::MarkStackArray::preDecTop):
        (JSC::MarkStackArray::setTopForFullSegment):
        (JSC::MarkStackArray::setTopForEmptySegment):
        (JSC::MarkStackArray::top):
        (JSC::MarkStackArray::validatePrevious):
        (JSC::MarkStack::addWeakReferenceHarvester):
        (JSC::MarkStack::mergeOpaqueRootsIfNecessary):
        (JSC::MarkStack::mergeOpaqueRootsIfProfitable):
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::addOpaqueRoot):
        (JSC::MarkStack::containsOpaqueRoot):
        (JSC::MarkStack::opaqueRootCount):
        (JSC::MarkStackArray::append):
        (JSC::MarkStackArray::canRemoveLast):
        (JSC::MarkStackArray::removeLast):
        (JSC::MarkStackArray::isEmpty):
        (JSC::MarkStackArray::canDonateSomeCells):
        (JSC::MarkStackArray::size):
        (JSC::ParallelModeEnabler::ParallelModeEnabler):
        (JSC::ParallelModeEnabler::~ParallelModeEnabler):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::testAndSetMarked):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::donate):
        (JSC::SlotVisitor::donateAndDrain):
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::SlotVisitor):
        * heap/WeakReferenceHarvester.h:
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:
        * wtf/Atomics.h:
        (WTF::weakCompareAndSwap):
        * wtf/Bitmap.h:
        (WTF::::Bitmap):
        (WTF::::get):
        (WTF::::set):
        (WTF::::testAndSet):
        (WTF::::testAndClear):
        (WTF::::concurrentTestAndSet):
        (WTF::::concurrentTestAndClear):
        (WTF::::clear):
        (WTF::::clearAll):
        (WTF::::nextPossiblyUnset):
        (WTF::::findRunOfZeros):
        (WTF::::count):
        (WTF::::isEmpty):
        (WTF::::isFull):
        * wtf/MainThread.h:
        (WTF::isMainThreadOrGCThread):
        * wtf/Platform.h:
        * wtf/ThreadSpecific.h:
        (WTF::::isSet):
        * wtf/mac/MainThreadMac.mm:
        (WTF::initializeGCThreads):
        (WTF::initializeMainThreadPlatform):
        (WTF::initializeMainThreadToProcessMainThreadPlatform):
        (WTF::registerGCThread):
        (WTF::isMainThreadOrGCThread):

2011-10-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::defaultValue
        https://bugs.webkit.org/show_bug.cgi?id=71146

        Reviewed by Sam Weinig.

        Added defaultValue to the MethodTable.  Replaced all virtual versions of 
        defaultValue with static versions.  Replaced all call sites with lookups in the 
        MethodTable.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/ClassInfo.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::defaultValue):
        (JSC::TerminatedExecutionError::defaultValue):
        * runtime/ExceptionHelpers.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defaultValue):
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::defaultValue):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::getPrimitiveNumber):
        (JSC::JSObject::defaultValue):
        * runtime/JSObject.h:
        (JSC::JSObject::toPrimitive):

2011-10-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Interpreter build fix

        Unreviewed build fix

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-10-31  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exits should add to value profiles
        https://bugs.webkit.org/show_bug.cgi?id=71202

        Reviewed by Oliver Hunt.
        
        Value profiles now have an extra special slot not used by the old JIT's
        profiling, which is reserved for OSR exits.
        
        The DFG's OSR exit code now knows which register, node index, and value
        profiling site was responsible for the (possibly flawed) information that
        led to the OSR failure. This is somewhat opportunistic and imperfect;
        if there's a lot of control flow between the value profiling site and the
        OSR failure point, then this mechanism simply gives up. It also gives up
        if the OSR failure is caused by either known deficiencies in the DFG
        (like that we always assume that the index in a strict charCodeAt access
        is within bounds) or where the OSR failure would be catalogues and
        profiled through other means (like slow case counters).
        
        This patch also adds the notion of a JSValueRegs, which is either a
        single register in JSVALUE64 or a pair in JSVALUE32_64. We should
        probably move the 32_64 DFG towards using this, since it often makes it
        easier to share code between 64 and 32_64.
        
        Also fixed a number of pathologies that this uncovered. op_method_check 
        didn't have a value profiling site on the slow path. GetById should not
        always force OSR exit if it never executed in the old JIT; we may be
        able to infer its type if it's a array or string length get. Finally,
        these changes benefit from a slight tweak to optimization delay
        heuristics (profile fullness is now 0.35 instead of 0.25).
        
        3.8% speed-up on Kraken, mostly due to ~35% on both stanford-crypto-aes
        and imaging-darkroom.

        * bytecode/ValueProfile.cpp:
        (JSC::ValueProfile::computeStatistics):
        (JSC::ValueProfile::computeUpdatedPrediction):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::specFailBucket):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::isLive):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfCells):
        (JSC::ValueProfile::numberOfObjects):
        (JSC::ValueProfile::numberOfFinalObjects):
        (JSC::ValueProfile::numberOfStrings):
        (JSC::ValueProfile::numberOfArrays):
        (JSC::ValueProfile::numberOfBooleans):
        (JSC::ValueProfile::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueRegs::JSValueRegs):
        (JSC::DFG::JSValueRegs::operator!):
        (JSC::DFG::JSValueRegs::gpr):
        (JSC::DFG::JSValueSource::JSValueSource):
        (JSC::DFG::JSValueSource::unboxedCell):
        (JSC::DFG::JSValueSource::operator!):
        (JSC::DFG::JSValueSource::isAddress):
        (JSC::DFG::JSValueSource::offset):
        (JSC::DFG::JSValueSource::base):
        (JSC::DFG::JSValueSource::gpr):
        (JSC::DFG::JSValueSource::asAddress):
        (JSC::DFG::JSValueSource::notAddress):
        (JSC::DFG::JSValueRegs::tagGPR):
        (JSC::DFG::JSValueRegs::payloadGPR):
        (JSC::DFG::JSValueSource::tagGPR):
        (JSC::DFG::JSValueSource::payloadGPR):
        (JSC::DFG::JSValueSource::hasKnownTag):
        (JSC::DFG::JSValueSource::tag):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::jsValueRegs):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::JSValueOperand::jsValueRegs):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::valueProfileFor):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_method_check):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_method_check):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/JSValue.h:

2011-10-31  Sam Weinig  <sam@webkit.org>

        Remove need for virtual JSObject::unwrappedObject
        https://bugs.webkit.org/show_bug.cgi?id=71034

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.exp:
        Update exports.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add JSGlobalThis.cpp.

        * runtime/JSGlobalThis.cpp: Added.
        (JSC::JSGlobalThis::visitChildren):
        (JSC::JSGlobalThis::unwrappedObject):
        * runtime/JSGlobalThis.h:
        (JSC::JSGlobalThis::createStructure):
        Move underlying object from JSDOMWindowShell down to JSGlobalThis
        and corresponding visitChildren method.

        * runtime/JSObject.cpp:
        (JSC::JSObject::unwrappedObject):
        Change unwrappedObject from virtual, to just needing an if check.

        * runtime/JSObject.h:
        (JSC::JSObject::isGlobalThis):
        * runtime/JSType.h:
        Add isGlobalThis predicate and type.

2011-10-31  Xianzhu Wang  <wangxianzhu@chromium.org>

        WTF::StringImpl::create(const char*, unsigned) calls itself
        https://bugs.webkit.org/show_bug.cgi?id=71206

        The original implementation just calls itself, causing infinite recursion.
        Cast the first parameter to const LChar* to fix that.

        Reviewed by Ryosuke Niwa.

        * wtf/text/StringImpl.h:
        (WTF::StringImpl::create):

2011-10-31  Andy Wingo  <wingo@igalia.com>

        Fix DFG JIT compilation on Linux targets.
        https://bugs.webkit.org/show_bug.cgi?id=70904

        Reviewed by Darin Adler.

        * jit/JITStubs.cpp (SYMBOL_STRING_RELOCATION): Simplify this
        macro.

        * dfg/DFGOperations.cpp (SYMBOL_STRING_RELOCATION): Copy the
        simplified definition from jit/JITStubs.cpp.
        (FUNCTION_WRAPPER_WITH_RETURN_ADDRESS, getHostCallReturnValue):
        Use the macro to access trampoline targets through the PLT on PIC
        systems, instead of introducing a text relocation.  Otherwise, the
        library fails to link.

2011-10-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSObject::defineGetter
        https://bugs.webkit.org/show_bug.cgi?id=71134

        Reviewed by Darin Adler.

        Added defineGetter to the MethodTable.  Replaced all virtual versions of defineGetter
        with static versions.  Replaced all call sites with lookups in the MethodTable.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineGetter):
        * debugger/DebuggerActivation.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineGetter):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineGetter):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::putDescriptor):
        * runtime/JSObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):

2011-10-31  Michael Saboff  <msaboff@apple.com>

        Towards 8-bit Strings: Move Lexer and Parser Objects out of JSGlobalData
        https://bugs.webkit.org/show_bug.cgi?id=71138

        Restructure and movement of Lexer and Parser code.
        Moved Lexer and Parser objects out of JSGlobalData.
        Added a new ParserTokens class and instance to JSGlobalData that
        have JavaScript token related definitions.
        Replaced JSGlobalData arguments to Node classes with lineNumber,
        as that was the only use of the JSGlobalData.
        Combined JSParser and Parser classes into one class,
        eliminating JSParser.h and .cpp.
        Various supporting #include changes.

        These mostly mechanical changes are done in preparation to
        making the Lexer and Parser template classes.

        Reviewed by Darin Adler.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::toArgumentList):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::createSourceElements):
        (JSC::ASTBuilder::createCommaExpr):
        (JSC::ASTBuilder::createLogicalNot):
        (JSC::ASTBuilder::createUnaryPlus):
        (JSC::ASTBuilder::createVoid):
        (JSC::ASTBuilder::thisExpr):
        (JSC::ASTBuilder::createResolve):
        (JSC::ASTBuilder::createObjectLiteral):
        (JSC::ASTBuilder::createArray):
        (JSC::ASTBuilder::createNumberExpr):
        (JSC::ASTBuilder::createString):
        (JSC::ASTBuilder::createBoolean):
        (JSC::ASTBuilder::createNull):
        (JSC::ASTBuilder::createBracketAccess):
        (JSC::ASTBuilder::createDotAccess):
        (JSC::ASTBuilder::createRegExp):
        (JSC::ASTBuilder::createNewExpr):
        (JSC::ASTBuilder::createConditionalExpr):
        (JSC::ASTBuilder::createAssignResolve):
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createArguments):
        (JSC::ASTBuilder::createArgumentsList):
        (JSC::ASTBuilder::createPropertyList):
        (JSC::ASTBuilder::createElementList):
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createClause):
        (JSC::ASTBuilder::createClauseList):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::createBlockStatement):
        (JSC::ASTBuilder::createExprStatement):
        (JSC::ASTBuilder::createIfStatement):
        (JSC::ASTBuilder::createForLoop):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createEmptyStatement):
        (JSC::ASTBuilder::createVarStatement):
        (JSC::ASTBuilder::createReturnStatement):
        (JSC::ASTBuilder::createBreakStatement):
        (JSC::ASTBuilder::createContinueStatement):
        (JSC::ASTBuilder::createTryStatement):
        (JSC::ASTBuilder::createSwitchStatement):
        (JSC::ASTBuilder::createWhileStatement):
        (JSC::ASTBuilder::createDoWhileStatement):
        (JSC::ASTBuilder::createLabelStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::createThrowStatement):
        (JSC::ASTBuilder::createDebugger):
        (JSC::ASTBuilder::createConstStatement):
        (JSC::ASTBuilder::appendConstDecl):
        (JSC::ASTBuilder::combineCommaNodes):
        (JSC::ASTBuilder::appendBinaryOperation):
        (JSC::ASTBuilder::createAssignment):
        (JSC::ASTBuilder::createNumber):
        (JSC::ASTBuilder::makeTypeOfNode):
        (JSC::ASTBuilder::makeDeleteNode):
        (JSC::ASTBuilder::makeNegateNode):
        (JSC::ASTBuilder::makeBitwiseNotNode):
        (JSC::ASTBuilder::makeMultNode):
        (JSC::ASTBuilder::makeDivNode):
        (JSC::ASTBuilder::makeModNode):
        (JSC::ASTBuilder::makeAddNode):
        (JSC::ASTBuilder::makeSubNode):
        (JSC::ASTBuilder::makeLeftShiftNode):
        (JSC::ASTBuilder::makeRightShiftNode):
        (JSC::ASTBuilder::makeURightShiftNode):
        (JSC::ASTBuilder::makeBitOrNode):
        (JSC::ASTBuilder::makeBitAndNode):
        (JSC::ASTBuilder::makeBitXOrNode):
        (JSC::ASTBuilder::makeFunctionCallNode):
        (JSC::ASTBuilder::makeBinaryNode):
        (JSC::ASTBuilder::makeAssignNode):
        (JSC::ASTBuilder::makePrefixNode):
        (JSC::ASTBuilder::makePostfixNode):
        * parser/JSParser.cpp: Removed.
        * parser/JSParser.h: Removed.
        * parser/Lexer.cpp:
        (JSC::Keywords::Keywords):
        (JSC::Lexer::Lexer):
        (JSC::Lexer::~Lexer):
        (JSC::Lexer::setCode):
        (JSC::Lexer::parseIdentifier):
        * parser/Lexer.h:
        (JSC::Keywords::isKeyword):
        (JSC::Keywords::getKeyword):
        (JSC::Keywords::~Keywords):
        (JSC::Lexer::setIsReparsing):
        (JSC::Lexer::isReparsing):
        (JSC::Lexer::lineNumber):
        (JSC::Lexer::setLastLineNumber):
        (JSC::Lexer::lastLineNumber):
        (JSC::Lexer::prevTerminator):
        (JSC::Lexer::sawError):
        (JSC::Lexer::getErrorMessage):
        (JSC::Lexer::currentOffset):
        (JSC::Lexer::setOffset):
        (JSC::Lexer::setLineNumber):
        (JSC::Lexer::sourceProvider):
        (JSC::Lexer::isWhiteSpace):
        (JSC::Lexer::isLineTerminator):
        (JSC::Lexer::convertHex):
        (JSC::Lexer::convertUnicode):
        (JSC::Lexer::makeIdentifier):
        (JSC::Lexer::lexExpectIdentifier):
        * parser/NodeConstructors.h:
        (JSC::ParserArenaFreeable::operator new):
        (JSC::ParserArenaDeletable::operator new):
        (JSC::ParserArenaRefCounted::ParserArenaRefCounted):
        (JSC::Node::Node):
        (JSC::ExpressionNode::ExpressionNode):
        (JSC::StatementNode::StatementNode):
        (JSC::NullNode::NullNode):
        (JSC::BooleanNode::BooleanNode):
        (JSC::NumberNode::NumberNode):
        (JSC::StringNode::StringNode):
        (JSC::RegExpNode::RegExpNode):
        (JSC::ThisNode::ThisNode):
        (JSC::ResolveNode::ResolveNode):
        (JSC::ElementNode::ElementNode):
        (JSC::ArrayNode::ArrayNode):
        (JSC::PropertyNode::PropertyNode):
        (JSC::PropertyListNode::PropertyListNode):
        (JSC::ObjectLiteralNode::ObjectLiteralNode):
        (JSC::BracketAccessorNode::BracketAccessorNode):
        (JSC::DotAccessorNode::DotAccessorNode):
        (JSC::ArgumentListNode::ArgumentListNode):
        (JSC::ArgumentsNode::ArgumentsNode):
        (JSC::NewExprNode::NewExprNode):
        (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
        (JSC::FunctionCallValueNode::FunctionCallValueNode):
        (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
        (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
        (JSC::FunctionCallDotNode::FunctionCallDotNode):
        (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
        (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
        (JSC::PrePostResolveNode::PrePostResolveNode):
        (JSC::PostfixResolveNode::PostfixResolveNode):
        (JSC::PostfixBracketNode::PostfixBracketNode):
        (JSC::PostfixDotNode::PostfixDotNode):
        (JSC::PostfixErrorNode::PostfixErrorNode):
        (JSC::DeleteResolveNode::DeleteResolveNode):
        (JSC::DeleteBracketNode::DeleteBracketNode):
        (JSC::DeleteDotNode::DeleteDotNode):
        (JSC::DeleteValueNode::DeleteValueNode):
        (JSC::VoidNode::VoidNode):
        (JSC::TypeOfResolveNode::TypeOfResolveNode):
        (JSC::TypeOfValueNode::TypeOfValueNode):
        (JSC::PrefixResolveNode::PrefixResolveNode):
        (JSC::PrefixBracketNode::PrefixBracketNode):
        (JSC::PrefixDotNode::PrefixDotNode):
        (JSC::PrefixErrorNode::PrefixErrorNode):
        (JSC::UnaryOpNode::UnaryOpNode):
        (JSC::UnaryPlusNode::UnaryPlusNode):
        (JSC::NegateNode::NegateNode):
        (JSC::BitwiseNotNode::BitwiseNotNode):
        (JSC::LogicalNotNode::LogicalNotNode):
        (JSC::BinaryOpNode::BinaryOpNode):
        (JSC::MultNode::MultNode):
        (JSC::DivNode::DivNode):
        (JSC::ModNode::ModNode):
        (JSC::AddNode::AddNode):
        (JSC::SubNode::SubNode):
        (JSC::LeftShiftNode::LeftShiftNode):
        (JSC::RightShiftNode::RightShiftNode):
        (JSC::UnsignedRightShiftNode::UnsignedRightShiftNode):
        (JSC::LessNode::LessNode):
        (JSC::GreaterNode::GreaterNode):
        (JSC::LessEqNode::LessEqNode):
        (JSC::GreaterEqNode::GreaterEqNode):
        (JSC::ThrowableBinaryOpNode::ThrowableBinaryOpNode):
        (JSC::InstanceOfNode::InstanceOfNode):
        (JSC::InNode::InNode):
        (JSC::EqualNode::EqualNode):
        (JSC::NotEqualNode::NotEqualNode):
        (JSC::StrictEqualNode::StrictEqualNode):
        (JSC::NotStrictEqualNode::NotStrictEqualNode):
        (JSC::BitAndNode::BitAndNode):
        (JSC::BitOrNode::BitOrNode):
        (JSC::BitXOrNode::BitXOrNode):
        (JSC::LogicalOpNode::LogicalOpNode):
        (JSC::ConditionalNode::ConditionalNode):
        (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
        (JSC::AssignResolveNode::AssignResolveNode):
        (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
        (JSC::AssignBracketNode::AssignBracketNode):
        (JSC::AssignDotNode::AssignDotNode):
        (JSC::ReadModifyDotNode::ReadModifyDotNode):
        (JSC::AssignErrorNode::AssignErrorNode):
        (JSC::CommaNode::CommaNode):
        (JSC::ConstStatementNode::ConstStatementNode):
        (JSC::SourceElements::SourceElements):
        (JSC::EmptyStatementNode::EmptyStatementNode):
        (JSC::DebuggerStatementNode::DebuggerStatementNode):
        (JSC::ExprStatementNode::ExprStatementNode):
        (JSC::VarStatementNode::VarStatementNode):
        (JSC::IfNode::IfNode):
        (JSC::IfElseNode::IfElseNode):
        (JSC::DoWhileNode::DoWhileNode):
        (JSC::WhileNode::WhileNode):
        (JSC::ForNode::ForNode):
        (JSC::ContinueNode::ContinueNode):
        (JSC::BreakNode::BreakNode):
        (JSC::ReturnNode::ReturnNode):
        (JSC::WithNode::WithNode):
        (JSC::LabelNode::LabelNode):
        (JSC::ThrowNode::ThrowNode):
        (JSC::TryNode::TryNode):
        (JSC::ParameterNode::ParameterNode):
        (JSC::FuncExprNode::FuncExprNode):
        (JSC::FuncDeclNode::FuncDeclNode):
        (JSC::CaseClauseNode::CaseClauseNode):
        (JSC::ClauseListNode::ClauseListNode):
        (JSC::CaseBlockNode::CaseBlockNode):
        (JSC::SwitchNode::SwitchNode):
        (JSC::ConstDeclNode::ConstDeclNode):
        (JSC::BlockNode::BlockNode):
        (JSC::ForInNode::ForInNode):
        * parser/NodeInfo.h:
        * parser/Nodes.cpp:
        (JSC::StatementNode::setLoc):
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::EvalNode):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::create):
        * parser/Nodes.h:
        (JSC::Node::lineNo):
        * parser/Parser.cpp:
        (JSC::Parser::Parser):
        (JSC::Parser::~Parser):
        (JSC::Parser::parseInner):
        (JSC::Parser::allowAutomaticSemicolon):
        (JSC::Parser::parseSourceElements):
        (JSC::Parser::parseVarDeclaration):
        (JSC::Parser::parseConstDeclaration):
        (JSC::Parser::parseDoWhileStatement):
        (JSC::Parser::parseWhileStatement):
        (JSC::Parser::parseVarDeclarationList):
        (JSC::Parser::parseConstDeclarationList):
        (JSC::Parser::parseForStatement):
        (JSC::Parser::parseBreakStatement):
        (JSC::Parser::parseContinueStatement):
        (JSC::Parser::parseReturnStatement):
        (JSC::Parser::parseThrowStatement):
        (JSC::Parser::parseWithStatement):
        (JSC::Parser::parseSwitchStatement):
        (JSC::Parser::parseSwitchClauses):
        (JSC::Parser::parseSwitchDefaultClause):
        (JSC::Parser::parseTryStatement):
        (JSC::Parser::parseDebuggerStatement):
        (JSC::Parser::parseBlockStatement):
        (JSC::Parser::parseStatement):
        (JSC::Parser::parseFormalParameters):
        (JSC::Parser::parseFunctionBody):
        (JSC::Parser::parseFunctionInfo):
        (JSC::Parser::parseFunctionDeclaration):
        (JSC::LabelInfo::LabelInfo):
        (JSC::Parser::parseExpressionOrLabelStatement):
        (JSC::Parser::parseExpressionStatement):
        (JSC::Parser::parseIfStatement):
        (JSC::Parser::parseExpression):
        (JSC::Parser::parseAssignmentExpression):
        (JSC::Parser::parseConditionalExpression):
        (JSC::isUnaryOp):
        (JSC::Parser::isBinaryOperator):
        (JSC::Parser::parseBinaryExpression):
        (JSC::Parser::parseProperty):
        (JSC::Parser::parseObjectLiteral):
        (JSC::Parser::parseStrictObjectLiteral):
        (JSC::Parser::parseArrayLiteral):
        (JSC::Parser::parsePrimaryExpression):
        (JSC::Parser::parseArguments):
        (JSC::Parser::parseMemberExpression):
        (JSC::Parser::parseUnaryExpression):
        * parser/Parser.h:
        (JSC::isEvalNode):
        (JSC::EvalNode):
        (JSC::DepthManager::DepthManager):
        (JSC::DepthManager::~DepthManager):
        (JSC::ScopeLabelInfo::ScopeLabelInfo):
        (JSC::Scope::Scope):
        (JSC::Scope::startSwitch):
        (JSC::Scope::endSwitch):
        (JSC::Scope::startLoop):
        (JSC::Scope::endLoop):
        (JSC::Scope::inLoop):
        (JSC::Scope::breakIsValid):
        (JSC::Scope::continueIsValid):
        (JSC::Scope::pushLabel):
        (JSC::Scope::popLabel):
        (JSC::Scope::getLabel):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::isFunction):
        (JSC::Scope::isFunctionBoundary):
        (JSC::Scope::declareVariable):
        (JSC::Scope::declareWrite):
        (JSC::Scope::preventNewDecls):
        (JSC::Scope::allowsNewDecls):
        (JSC::Scope::declareParameter):
        (JSC::Scope::useVariable):
        (JSC::Scope::setNeedsFullActivation):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::getUncapturedWrittenVariables):
        (JSC::Scope::getCapturedVariables):
        (JSC::Scope::setStrictMode):
        (JSC::Scope::strictMode):
        (JSC::Scope::isValidStrictMode):
        (JSC::Scope::shadowsArguments):
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::Scope::saveFunctionInfo):
        (JSC::Scope::restoreFunctionInfo):
        (JSC::ScopeRef::ScopeRef):
        (JSC::ScopeRef::operator->):
        (JSC::ScopeRef::index):
        (JSC::ScopeRef::hasContainingScope):
        (JSC::ScopeRef::containingScope):
        (JSC::Parser::AllowInOverride::AllowInOverride):
        (JSC::Parser::AllowInOverride::~AllowInOverride):
        (JSC::Parser::AutoPopScopeRef::AutoPopScopeRef):
        (JSC::Parser::AutoPopScopeRef::~AutoPopScopeRef):
        (JSC::Parser::AutoPopScopeRef::setPopped):
        (JSC::Parser::currentScope):
        (JSC::Parser::pushScope):
        (JSC::Parser::popScopeInternal):
        (JSC::Parser::popScope):
        (JSC::Parser::declareVariable):
        (JSC::Parser::declareWrite):
        (JSC::Parser::findCachedFunctionInfo):
        (JSC::Parser::isFunctionBodyNode):
        (JSC::Parser::next):
        (JSC::Parser::nextExpectIdentifier):
        (JSC::Parser::nextTokenIsColon):
        (JSC::Parser::consume):
        (JSC::Parser::getToken):
        (JSC::Parser::match):
        (JSC::Parser::tokenStart):
        (JSC::Parser::tokenLine):
        (JSC::Parser::tokenEnd):
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        (JSC::Parser::updateErrorMessage):
        (JSC::Parser::updateErrorWithNameAndMessage):
        (JSC::Parser::startLoop):
        (JSC::Parser::endLoop):
        (JSC::Parser::startSwitch):
        (JSC::Parser::endSwitch):
        (JSC::Parser::setStrictMode):
        (JSC::Parser::strictMode):
        (JSC::Parser::isValidStrictMode):
        (JSC::Parser::declareParameter):
        (JSC::Parser::breakIsValid):
        (JSC::Parser::continueIsValid):
        (JSC::Parser::pushLabel):
        (JSC::Parser::popLabel):
        (JSC::Parser::getLabel):
        (JSC::Parser::autoSemiColon):
        (JSC::Parser::canRecurse):
        (JSC::Parser::lastTokenEnd):
        (JSC::Parser::DepthManager::DepthManager):
        (JSC::Parser::DepthManager::~DepthManager):
        (JSC::Parser::parse):
        (JSC::parse):
        * parser/ParserTokens.h: Added.
        (JSC::JSTokenInfo::JSTokenInfo):
        * parser/SourceCode.h:
        (JSC::SourceCode::subExpression):
        * parser/SourceProviderCacheItem.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::SyntaxChecker):
        (JSC::SyntaxChecker::makeFunctionCallNode):
        (JSC::SyntaxChecker::createCommaExpr):
        (JSC::SyntaxChecker::makeAssignNode):
        (JSC::SyntaxChecker::makePrefixNode):
        (JSC::SyntaxChecker::makePostfixNode):
        (JSC::SyntaxChecker::makeTypeOfNode):
        (JSC::SyntaxChecker::makeDeleteNode):
        (JSC::SyntaxChecker::makeNegateNode):
        (JSC::SyntaxChecker::makeBitwiseNotNode):
        (JSC::SyntaxChecker::createLogicalNot):
        (JSC::SyntaxChecker::createUnaryPlus):
        (JSC::SyntaxChecker::createVoid):
        (JSC::SyntaxChecker::thisExpr):
        (JSC::SyntaxChecker::createResolve):
        (JSC::SyntaxChecker::createObjectLiteral):
        (JSC::SyntaxChecker::createArray):
        (JSC::SyntaxChecker::createNumberExpr):
        (JSC::SyntaxChecker::createString):
        (JSC::SyntaxChecker::createBoolean):
        (JSC::SyntaxChecker::createNull):
        (JSC::SyntaxChecker::createBracketAccess):
        (JSC::SyntaxChecker::createDotAccess):
        (JSC::SyntaxChecker::createRegExp):
        (JSC::SyntaxChecker::createNewExpr):
        (JSC::SyntaxChecker::createConditionalExpr):
        (JSC::SyntaxChecker::createAssignResolve):
        (JSC::SyntaxChecker::createFunctionExpr):
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::createArguments):
        (JSC::SyntaxChecker::createArgumentsList):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::createPropertyList):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createBlockStatement):
        (JSC::SyntaxChecker::createExprStatement):
        (JSC::SyntaxChecker::createIfStatement):
        (JSC::SyntaxChecker::createForLoop):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createEmptyStatement):
        (JSC::SyntaxChecker::createVarStatement):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createTryStatement):
        (JSC::SyntaxChecker::createSwitchStatement):
        (JSC::SyntaxChecker::createWhileStatement):
        (JSC::SyntaxChecker::createWithStatement):
        (JSC::SyntaxChecker::createDoWhileStatement):
        (JSC::SyntaxChecker::createLabelStatement):
        (JSC::SyntaxChecker::createThrowStatement):
        (JSC::SyntaxChecker::createDebugger):
        (JSC::SyntaxChecker::createConstStatement):
        (JSC::SyntaxChecker::appendConstDecl):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):
        (JSC::SyntaxChecker::combineCommaNodes):
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::checkSyntax):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):

2011-10-31  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r97118): Reproducible crash in JSCell::toPrimitive when adding
        https://bugs.webkit.org/show_bug.cgi?id=71227

        Reviewed by Oliver Hunt.
        
        No new tests, since while I can see exactly where the DFG went wrong on the
        site in question from looking at the generated machine code, and while I can
        certainly believe that such a scenario would happen, I cannot visualize how
        to make it happen reproducibly. It requires an odd combination of double
        values getting spilled and then refilled, but then reboxed at just the right
        time so that the spilled value is an unboxed double while the in-register
        value is a boxed double.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillGPR):

2011-10-30  Filip Pizlo  <fpizlo@apple.com>

        JSParser::parsePrimaryExpression should have an overflow check
        https://bugs.webkit.org/show_bug.cgi?id=71197

        Reviewed by Geoff Garen.

        * parser/JSParser.cpp:
        (JSC::JSParser::parsePrimaryExpression):

2011-10-30  Filip Pizlo  <fpizlo@apple.com>

        DFG ValueAdd(string, int) should not fail speculation
        https://bugs.webkit.org/show_bug.cgi?id=71195

        Reviewed by Geoff Garen.
        
        1% speed-up on V8.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldNotSpeculateInteger):
        (JSC::DFG::Node::shouldSpeculateInteger):

2011-10-30  Filip Pizlo  <fpizlo@apple.com>

        The DFG inliner should not flush the callee
        https://bugs.webkit.org/show_bug.cgi?id=71191

        Reviewed by Oliver Hunt.
        
        0.6% speed-up on V8.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeOrigin.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallerFrameSlow):

2011-10-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize isGlobalObject, isVariableObject, isActivationObject, and isErrorInstance in JSObject
        https://bugs.webkit.org/show_bug.cgi?id=70968

        Reviewed by Geoffrey Garen.

        * API/JSCallbackObject.cpp: Added two specializations for createStructure that use different JSTypes in their
        TypeInfo.  Had to also create a specialization for JSNonFinalObject, even JSGlobalObject was the only that 
        needed it because Windows wouldn't build without it.
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/ErrorInstance.h: Removed virtual function and changed JSType provided to TypeInfo in createStructure. 
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.h: Ditto
        (JSC::ErrorPrototype::createStructure):
        * runtime/JSActivation.h: Ditto
        (JSC::JSActivation::createStructure):
        * runtime/JSGlobalObject.h: Ditto
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSObject.h: De-virtualized functions.  They now check the JSType of the object for the corresponding type.
        (JSC::JSObject::isGlobalObject):
        (JSC::JSObject::isVariableObject):
        (JSC::JSObject::isActivationObject):
        (JSC::JSObject::isErrorInstance):
        * runtime/JSType.h: Added new types for GlobalObject, VariableObject, ActivationObject, and ErrorInstance.
        * runtime/JSVariableObject.cpp: Removed virtual function.
        * runtime/JSVariableObject.h: Changed JSType provided to TypeInfo in createStructure.
        (JSC::JSVariableObject::createStructure):

2011-10-28  Pavel Feldman  <pfeldman@google.com>

        Reset line numbers for scripts generated with document.write.
        https://bugs.webkit.org/show_bug.cgi?id=71099

        Reviewed by Yury Semikhatsky.

        * wtf/text/TextPosition.h:
        (WTF::OrdinalNumber::OrdinalNumber):

2011-10-27  Daniel Bates  <dbates@rim.com>

        CMake: Add support to optionally install the built JavaScript shell
        https://bugs.webkit.org/show_bug.cgi?id=71062

        Reviewed by Antonio Gomes.

        Generate an installation rule for installing the JavaScript shell in
        /bin (with respect to the prefix path) when SHOULD_INSTALL_JS_SHELL
        is defined.

        * shell/CMakeLists.txt:

2011-10-27  Kentaro Hara  <haraken@chromium.org>

        Generate WebKitCSSMatrix constructor for JSC by [Constructor] IDL
        https://bugs.webkit.org/show_bug.cgi?id=70215

        Reviewed by Adam Barth.

        Added a method that judges if a given JSValue is empty.

        Tests: transforms/svg-vs-css.xhtml
               transforms/cssmatrix-2d-interface.xhtml
               transforms/cssmatrix-3d-interface.xhtml

        * runtime/JSValue.h:
        * runtime/JSValueInlineMethods.h:
        (JSC::JSValue::isEmpty):

2011-10-27  Michael Saboff  <msaboff@apple.com>

        ENH: Add 8 bit string support to JSC JIT
        https://bugs.webkit.org/show_bug.cgi?id=71073

        Changed the JIT String character access generation to create code
        to check the character size and load8() or load16() as approriate.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movzbl_mr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitLoadCharacterString):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JSInterfaceJIT.h:
        (JSC::ThunkHelpers::stringImplFlagsOffset):
        (JSC::ThunkHelpers::stringImpl8BitFlag):
        * jit/ThunkGenerators.cpp:
        (JSC::stringCharLoad):

2011-10-27  Filip Pizlo  <fpizlo@apple.com>

        If the bytecode generator emits code after the return in the first basic block,
        DFG's inliner crashes
        https://bugs.webkit.org/show_bug.cgi?id=71071

        Reviewed by Gavin Barraclough.
        
        Removed some cruft dealing with parsing failures due to unsupported functionality
        (that's never reached anymore due to it being caught in DFGCapabilities). This
        allowed me to repurpose the bool return from parseBlock() to mean: true if we
        should continue to parse, or false if we've already parsed all live code.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):

2011-10-27  Joseph Pecoraro  <pecoraro@apple.com>

        Reviewed by David Kilzer.

        Make FeatureDefines Identical Across OS X Projects
        https://bugs.webkit.org/show_bug.cgi?id=71051

        * Configurations/FeatureDefines.xcconfig:

2011-10-27  Filip Pizlo  <fpizlo@apple.com>

        Crash in JSC::Structure::materializePropertyMap when viewing Garden-O-Matic
        https://bugs.webkit.org/show_bug.cgi?id=71045

        Reviewed by Geoff Garen.
        
        Make sure that if a structure is pinned, it also has a property map.

        * runtime/Structure.cpp:
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::getterSetterTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin):
        (JSC::Structure::copyPropertyTableForPinning):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):

2011-10-27  Michael Saboff  <msaboff@apple.com>

        32bit build failure after r98624
        https://bugs.webkit.org/show_bug.cgi?id=71064

        Disambiguated operator overload with unsigned index (0u).

        Reviewed by Sam Weinig.

        * runtime/UString.h:
        (JSC::operator==):

2011-10-27  Gustavo Noronha Silva  <gns@gnome.org>

        Fix building on GNU/kFreeBSD
        https://bugs.webkit.org/show_bug.cgi?id=71005

        Reviewed by Darin Adler.

        * config.h:
        * wtf/Platform.h:

2011-10-27  Michael Saboff  <msaboff@apple.com>

        Investigate storing strings in 8-bit buffers when possible
        https://bugs.webkit.org/show_bug.cgi?id=66161

        Investigate storing strings in 8-bit buffers when possible
        https://bugs.webkit.org/show_bug.cgi?id=66161

        Added support for 8 bit string data in StringImpl.  Changed
        (UChar*) m_data to m_data16.  Added char* m_data8 as a union
        with m_data16.  Added UChar* m_copyData16 to the other union
        to store a 16 bit copy of an 8 bit string when needed.
        Added characters8() and characters16() accessor methods
        that assume the caller has checked the underlying string type
        via the new is8Bit() method. The characters() method will
        return a UChar* of the string, materializing a 16 bit copy if the
        string is an 8 bit string.  Added two flags, one for 8 bit buffer
        and a second for a 16 bit copy for an 8 bit string.

        Fixed method name typo (StringHasher::defaultCoverter()).

        Over time the goal is to eliminate calls to characters() and
        us the character8() and characters16() accessors.

        This patch does not include changes that actually create 8 bit
        strings. This is the first of at least 8 patches.  Subsequent
        patches will be submitted for JIT changes, making the JSC lexer,
        parser and literal parser, JavaScript string changes and
        then changes in webcore to take advantage of the 8 bit strings.

        This change is performance neutral for SunSpider and V8 when
        run from the command line with "jsc".

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        * parser/SourceProvider.h:
        (JSC::UStringSourceProvider::data):
        (JSC::UStringSourceProvider::UStringSourceProvider):
        * runtime/Identifier.cpp:
        (JSC::IdentifierCStringTranslator::hash):
        (JSC::IdentifierCStringTranslator::equal):
        (JSC::IdentifierCStringTranslator::translate):
        (JSC::Identifier::add):
        (JSC::Identifier::toUInt32):
        * runtime/Identifier.h:
        (JSC::Identifier::equal):
        (JSC::operator==):
        (JSC::operator!=):
        * runtime/JSString.cpp:
        (JSC::JSString::resolveRope):
        (JSC::JSString::resolveRopeSlowCase):
        * runtime/RegExp.cpp:
        (JSC::RegExp::match):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstringsWithSeparators):
        * runtime/UString.cpp:
        (JSC::UString::UString):
        (JSC::equalSlowCase):
        (JSC::UString::utf8):
        * runtime/UString.h:
        (JSC::UString::characters):
        (JSC::UString::characters8):
        (JSC::UString::characters16):
        (JSC::UString::is8Bit):
        (JSC::UString::operator[]):
        (JSC::UString::find):
        (JSC::operator==):
        * wtf/StringHasher.h:
        (WTF::StringHasher::computeHash):
        (WTF::StringHasher::defaultConverter):
        * wtf/text/AtomicString.cpp:
        (WTF::CStringTranslator::hash):
        (WTF::CStringTranslator::equal):
        (WTF::CStringTranslator::translate):
        (WTF::AtomicString::add):
        * wtf/text/AtomicString.h:
        (WTF::AtomicString::AtomicString):
        (WTF::AtomicString::contains):
        (WTF::AtomicString::find):
        (WTF::AtomicString::add):
        (WTF::operator==):
        (WTF::operator!=):
        (WTF::equalIgnoringCase):
        * wtf/text/StringConcatenate.h:
        * wtf/text/StringHash.h:
        (WTF::StringHash::equal):
        (WTF::CaseFoldingHash::hash):
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::~StringImpl):
        (WTF::StringImpl::createUninitialized):
        (WTF::StringImpl::create):
        (WTF::StringImpl::getData16SlowCase):
        (WTF::StringImpl::containsOnlyWhitespace):
        (WTF::StringImpl::substring):
        (WTF::StringImpl::characterStartingAt):
        (WTF::StringImpl::lower):
        (WTF::StringImpl::upper):
        (WTF::StringImpl::fill):
        (WTF::StringImpl::foldCase):
        (WTF::StringImpl::stripMatchedCharacters):
        (WTF::StringImpl::removeCharacters):
        (WTF::StringImpl::simplifyMatchedCharactersToSpace):
        (WTF::StringImpl::toIntStrict):
        (WTF::StringImpl::toUIntStrict):
        (WTF::StringImpl::toInt64Strict):
        (WTF::StringImpl::toUInt64Strict):
        (WTF::StringImpl::toIntPtrStrict):
        (WTF::StringImpl::toInt):
        (WTF::StringImpl::toUInt):
        (WTF::StringImpl::toInt64):
        (WTF::StringImpl::toUInt64):
        (WTF::StringImpl::toIntPtr):
        (WTF::StringImpl::toDouble):
        (WTF::StringImpl::toFloat):
        (WTF::equal):
        (WTF::equalIgnoringCase):
        (WTF::StringImpl::find):
        (WTF::StringImpl::findIgnoringCase):
        (WTF::StringImpl::reverseFind):
        (WTF::StringImpl::replace):
        (WTF::StringImpl::defaultWritingDirection):
        (WTF::StringImpl::adopt):
        (WTF::StringImpl::createWithTerminatingNullCharacter):
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::StringImpl):
        (WTF::StringImpl::create):
        (WTF::StringImpl::create8):
        (WTF::StringImpl::tryCreateUninitialized):
        (WTF::StringImpl::flagsOffset):
        (WTF::StringImpl::flagIs8Bit):
        (WTF::StringImpl::dataOffset):
        (WTF::StringImpl::is8Bit):
        (WTF::StringImpl::characters8):
        (WTF::StringImpl::characters16):
        (WTF::StringImpl::characters):
        (WTF::StringImpl::has16BitShadow):
        (WTF::StringImpl::setHash):
        (WTF::StringImpl::hash):
        (WTF::StringImpl::copyChars):
        (WTF::StringImpl::operator[]):
        (WTF::StringImpl::find):
        (WTF::StringImpl::findIgnoringCase):
        (WTF::equal):
        (WTF::equalIgnoringCase):
        (WTF::StringImpl::isolatedCopy):
        * wtf/text/WTFString.cpp:
        (WTF::String::String):
        (WTF::String::append):
        (WTF::String::format):
        (WTF::String::fromUTF8):
        (WTF::String::fromUTF8WithLatin1Fallback):
        * wtf/text/WTFString.h:
        (WTF::String::find):
        (WTF::String::findIgnoringCase):
        (WTF::String::contains):
        (WTF::String::append):
        (WTF::String::fromUTF8):
        (WTF::String::fromUTF8WithLatin1Fallback):
        (WTF::operator==):
        (WTF::operator!=):
        (WTF::equalIgnoringCase):
        * wtf/unicode/Unicode.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::execute):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):

2011-10-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing windows build

        Unreviewed build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-10-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add ability to check for presence of static members at compile time
        https://bugs.webkit.org/show_bug.cgi?id=70986

        Reviewed by Geoffrey Garen.

        Added new CREATE_MEMBER_CHECKER macro to instantiate the template and the 
        HAS_MEMBER_NAMED macro to use that template to check if the specified class 
        does indeed have a method with that name.  This mechanism is not currently 
        used anywhere, but will be in the future when adding virtual methods from 
        JSObject to the MethodTable.

        * runtime/ClassInfo.h:

2011-10-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::toThisObject
        https://bugs.webkit.org/show_bug.cgi?id=70958

        Reviewed by Geoffrey Garen.

        Converted all instances of toThisObject to static functions, 
        added toThisObject to the MethodTable, and replaced all call sites
        with a corresponding lookup in the MethodTable.

        * API/JSContextRef.cpp:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/ClassInfo.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::toThisObject):
        * runtime/JSActivation.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toThisObject):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::toThisObject):
        * runtime/JSObject.h:
        (JSC::JSValue::toThisObject):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::toThisObject):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::toThisObject):
        * runtime/JSString.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::toThisObject):
        * runtime/StrictEvalActivation.h:

2011-10-27  Yuqiang Xian  <yuqiang.xian@intel.com>

        Fix a small bug in callOperation after r98431
        https://bugs.webkit.org/show_bug.cgi?id=70984

        Reviewed by Geoffrey Garen.

        TrustedImmPtr is not expecting "int" type parameters.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):

2011-10-26  Oliver Hunt  <oliver@apple.com>

        Restore structure-clearing behaviour of allocateCell<>
        https://bugs.webkit.org/show_bug.cgi?id=70976

        Reviewed by Geoffrey Garen.

        This restores the logic that allows the markstack to filter
        live objects that have not yet been initialised.

        * runtime/JSCell.h:
        (JSC::JSCell::clearStructure):
           Validation-safe method to clear a cell's structure.
        (JSC::allocateCell):
           Call the above method.
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):
           Don't visit cells that haven't been initialised.

2011-10-26  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r97030): Cannot log in to progressive.com
        https://bugs.webkit.org/show_bug.cgi?id=70094

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):

2011-10-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove getOwnPropertySlotVirtual
        https://bugs.webkit.org/show_bug.cgi?id=70741

        Reviewed by Geoffrey Garen.

        Removed all declarations and definitions of getOwnPropertySlotVirtual.
        Also replaced all call sites to getOwnPropertyVirtualVirtual with a 
        corresponding lookup in the MethodTable.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertyDescriptor):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertySlot):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/ErrorPrototype.cpp:
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlotByIndex):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::getOwnPropertyNames):
        (JSC::JSFunction::put):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::hasOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSCell::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSValue::get):
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
        * runtime/JSString.h:
        * runtime/MathObject.cpp:
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.cpp:
        * runtime/ObjectPrototype.h:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure):
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp:
        * runtime/StringPrototype.h:

2011-10-26  Alejandro G. Castro  <alex@igalia.com>

        [GTK] [WK2] Add WebKit2 distcheck support
        https://bugs.webkit.org/show_bug.cgi?id=70933

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am: Add MemoryStatistics.h to the sources list.

2011-10-26  Michael Saboff  <msaboff@apple.com>

        Increase StringImpl Flag Bits for 8 bit Strings
        https://bugs.webkit.org/show_bug.cgi?id=70937

        Increased the number of bits used for flags in StringImpl
        from 6 to 8 bits. This frees up 2 flag bits that will be
        used for 8-bit string support. Updated hash methods accordingly.
        Changed hash value masking from the low bits to the high
        bits.

        Reviewed by Darin Adler.

        * create_hash_table:
        * wtf/StringHasher.h:
        (WTF::StringHasher::hash):
        * wtf/text/StringImpl.h:

2011-10-26  Dan Bernstein  <mitz@apple.com>

        Build fix.

        Reverted r98488, which caused the scripts’ status messages to be included in the generated
        files.

        * create_hash_table:
        * create_jit_stubs:

2011-10-26  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        Don't print regular output to STDERR when generating hashtables and JIT stubs

        Reviewed by Simon Hausmann.

        * create_hash_table:
        * create_jit_stubs:

2011-10-25  Gavin Barraclough  <barraclough@apple.com>

        Split DFGJITCodeGenerator::callOperation methods
        https://bugs.webkit.org/show_bug.cgi?id=70870

        Reviewed by Filip Pizlo.

        The DFGJITCodeGenerator currently contains two sets of callOperation methods.
        One set works with the JSVALUE64 value representation and passes arguments in
        registers (suitable for use on x86-64), and one set works with the JSVALUE32_64
        value representation and passes arguments in memory  (suitable for use on x86).
        By refactoring out the representation and calling convention specific aspects
        of the code we can also configure the DFG JIT to operator on platforms that use
        the JSVALUE32_64 value representation but pass arguments in registers.

        On platforms supported by the JIT, the payload precedes the tag of a value in
        argument/result ordering, as such, in order to make the setupResults method
        generally applicable to return the results of a function that are returned in
        two registers, the ordering of arguments to this function has been reversed -
        as is the ordering of augments passed to setupArguments methods, with respect
        to the ordering with which they are passed in to callOperation.
        This inconsistency will be resolved in a later change when we combine the pairs
        of arguments passed into callOperation, such that the function signatures can
        be made consistent across the two value representations (the callOperation
        methods will be passed a reference to a struct representing the JSValue
        temporary, this will consist of two gprs on 32_64 and one on 64).

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::resetCallArguments):
        (JSC::DFG::addCallArgument):
            - moved, removed tag,payload version of this method.
        (JSC::DFG::setupArguments):
        (JSC::DFG::setupArgumentsExecState):
        (JSC::DFG::setupArgumentsWithExecState):
            - Calling convention specific portion of callOperation refactored out into these methods.
        (JSC::DFG::callOperation):
            - updated these methods to use setupArguments* methods.
        (JSC::DFG::setupResults):
            - setupResults is now passed payload,tag.
        (JSC::DFG::appendCallWithExceptionCheckSetResult):
            - Added fpr versions of this function.
        (JSC::DFG::appendCallSetResult):
            - Added versions of this function without exception check.
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
            - setupResults is now passed payload,tag.

2011-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove deletePropertyVirtual
        https://bugs.webkit.org/show_bug.cgi?id=70738

        Reviewed by Geoffrey Garen.

        Removed all declarations and definitions of deletePropertyVirtual.
        Also replaced all call sites to deletePropertyVirtual with a 
        corresponding lookup in the MethodTable.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::deletePropertyByIndex):
        * API/JSObjectRef.cpp:
        (JSObjectDeleteProperty):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::deleteProperty):
        * debugger/DebuggerActivation.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::deleteProperty):
        (JSC::JSArray::deletePropertyByIndex):
        * runtime/JSArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::deleteProperty):
        (JSC::JSCell::deletePropertyByIndex):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/JSVariableObject.cpp:
        * runtime/JSVariableObject.h:
        * runtime/RegExpMatchesArray.h:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StrictEvalActivation.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:

2011-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove putVirtual
        https://bugs.webkit.org/show_bug.cgi?id=70740

        Reviewed by Geoffrey Garen.

        Removed all declarations and definitions of putVirtual.
        Also replaced all call sites to putVirtual with a 
        corresponding lookup in the MethodTable.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        (JSObjectSetPropertyAtIndex):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::put):
        * debugger/DebuggerActivation.h:
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::privateExecute):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::putSlowCase):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCount):
        (JSC::JSArray::unshiftCount):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSValue::put):
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/ObjectPrototype.cpp:
        * runtime/ObjectPrototype.h:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):

2011-10-25  Gavin Barraclough  <barraclough@apple.com>

        Separate out function linking & exception check data structures.
        https://bugs.webkit.org/show_bug.cgi?id=70858

        Reviewed by Oliver Hunt.

        This will make it easier to refactor the callOperation methods to spilt the value
        representation specific handling from the cpu/calling-convention implementation.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::appendCallWithExceptionCheck):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallLinkRecord::CallLinkRecord):
        (JSC::DFG::CallExceptionRecord::CallExceptionRecord):
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::notifyCall):
        (JSC::DFG::JITCompiler::appendCall):
        (JSC::DFG::JITCompiler::addExceptionCheck):
        (JSC::DFG::JITCompiler::addFastExceptionCheck):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):

2011-10-25  Filip Pizlo  <fpizlo@apple.com>

        Tiered compilation may introduce dangling pointers in constant buffers
        https://bugs.webkit.org/show_bug.cgi?id=70854

        Reviewed by Oliver Hunt.
        
        Tiered compilation now copies constant buffers, which fixes the regression in
        https://bugs.webkit.org/show_bug.cgi?id=70246. No new tests because this
        regression relies on a subtle interleaving of optimized compilation and garbage
        collection, and cannot be reproduced in a simple test.
        
        This also adds some new debug support, which was used to fix this bug and is
        likely to be useful in the future.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::copyDataFrom):
        (JSC::CodeBlock::usesOpcode):
        * bytecode/CodeBlock.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2011-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing Windows build after r98367

        Unreviewed build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-10-25  Yuqiang Xian  <yuqiang.xian@intel.com>

        Add missing DFG file entries to the make lists for GTK and Qt ports
        https://bugs.webkit.org/show_bug.cgi?id=70806

        Reviewed by Darin Adler.

        * GNUmakefile.list.am:
        * JavaScriptCore.pro:

2011-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add getOwnPropertySlot to MethodTable
        https://bugs.webkit.org/show_bug.cgi?id=69807

        Reviewed by Oliver Hunt.

        * JavaScriptCore.exp:
        * runtime/ClassInfo.h: Added both versions of getOwnPropertySlot to the MethodTable.
        * runtime/JSCell.h: Changed getOwnPropertySlot to be protected so other classes can 
        reference it in their MethodTables.

2011-10-25  Oliver Hunt  <oliver@apple.com>

        Need to support marking of multiple nested codeblocks when compiling
        https://bugs.webkit.org/show_bug.cgi?id=70832

        Reviewed by Gavin Barraclough.

        When inlining a function we end up with multiple codeblocks being
        compiled at the same time, so we need to support a list of live
        codeblocks.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::startedCompiling):
        (JSC::JSGlobalData::finishedCompiling):

2011-10-24  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - fillInteger should accept DataFormatJSInteger
        https://bugs.webkit.org/show_bug.cgi?id=70798

        Reviewed by Filip Pizlo.

        When filling an integer for a known integer node (not speculated), it
        should accept DataFormatJSInteger as well.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):

2011-10-24  Geoffrey Garen  <ggaren@apple.com>

        Build fix: removed some cases of threadsafeCopy() that I missed in
        my previous patch.

        * JavaScriptCore.order:

2011-10-24  Geoffrey Garen  <ggaren@apple.com>

        Removed SharedUChar and tightened language around its previous uses
        https://bugs.webkit.org/show_bug.cgi?id=70698

        Reviewed by David Levin.

        - Removed SharedUChar because most of its functionality has moved into
        other abstraction layers, and we want remaining clients to choose their
        abstractions explicitly instead of relying on StringImpl to provide this
        behavior implicitly, since we think they can sometimes make more efficient
        choices.

        - Renamed "threadSafeCopy" and "crossThreadCopy" to "isolatedCopy" because
        the former names could give the impression that the resulting object was
        thread-safe, but actually it's just an isolated copy, which is not
        thread-safe by itself, but can be used to implement a thread-safe
        algorithm through isolation.

        * wtf/CrossThreadRefCounted.h: Removed.

        * JavaScriptCore.exp: Export!

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::~StringImpl): Removed the stuff mentioned above.

        * wtf/text/StringImpl.h:
        (WTF::StringImpl::length): Ditto.

        (WTF::StringImpl::isolatedCopy): Inlined this, since it's now trivial.

        * wtf/text/WTFString.cpp:
        (WTF::String::isolatedCopy):
        * wtf/text/WTFString.h: Updated for StringImpl changes.

        * API/OpaqueJSString.h:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        * wtf/OwnFastMallocPtr.h:
        * wtf/RefCounted.h:
        * wtf/SizeLimits.cpp:
        * wtf/ThreadSafeRefCounted.h:
        * wtf/wtf.pri:
        * yarr/YarrPattern.h: Updated these files to accomodate removal of
        CrossThreadRefCounted.h.

2011-10-24  Oliver Hunt  <oliver@apple.com>

        Crash in void JSC::validateCell<JSC::RegExp*>(JSC::RegExp*)
        https://bugs.webkit.org/show_bug.cgi?id=70689

        Reviewed by Filip Pizlo.

        While performing codegen we need to make the GlobalData explicitly
        aware of the codeblock being compiled, as compilation may trigger GC
        and CodeBlock holds GC values, but has not yet been assigned to its
        owner executable.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::~BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateSlowCase):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::startedCompiling):
        (JSC::JSGlobalData::finishedCompiling):

2011-10-24  Filip Pizlo  <fpizlo@apple.com>

        Object-or-other branch speculation may corrupt the state for OSR if the child of the
        branch is an integer
        https://bugs.webkit.org/show_bug.cgi?id=70777

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

2011-10-24  Filip Pizlo  <fpizlo@apple.com>

        op_new_array_buffer is not inlined correctly
        https://bugs.webkit.org/show_bug.cgi?id=70770

        Reviewed by Oliver Hunt.
        
        Disabled inlining of op_new_array_buffer, for now.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canInlineOpcode):

2011-10-24  Yuqiang Xian  <yuqiang.xian@intel.com>

        Add boolean speculations to DFG JIT 32_64
        https://bugs.webkit.org/show_bug.cgi?id=70706

        Reviewed by Filip Pizlo.

        Different from the boolean speculations in DFG 64, the boolean
        speculations in DFG 32_64 will use a 32bit GPR to hold the primitive
        boolean instead of a JSBoolean. This choice is not only for
        performance, but also to save a register as we're short of registers on
        X86.
        To accomplish this we make use of DataFormatBoolean, allow a value to
        be represented as a primitive boolean and converted from/to a
        JSBoolean.
        This patch also fixes SpillOrder in 32_64, which should be different
        from 64, and fixes needDataFormatConversion logic in 32_64.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):
            We don't expect byte test actually as it doesn't work for registers
            esp..edi on X86.
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::needDataFormatConversion):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::gpr):
        (JSC::DFG::GenerationInfo::fillInteger):
        (JSC::DFG::GenerationInfo::fillBoolean):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::checkConsistency):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::use):
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::cellResult):
        (JSC::DFG::booleanResult):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):
        (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedBoolean):
        (JSC::DFG::ValueRecovery::inGPR):
        (JSC::DFG::ValueRecovery::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing Windows build

        Unreviewed build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-10-24  Yuqiang Xian  <yuqiang.xian@intel.com>

        BitVector isInline check could fail
        https://bugs.webkit.org/show_bug.cgi?id=70691

        Reviewed by Geoffrey Garen.

        Current BitVector uses the highest bit of m_bitsOrPointer to indicate
        whether it's an inlined bit set or a pointer to an outOfLine bit set.
        This check may fail in case the pointer also has the highest bit set,
        which is surely possible on IA32 (Linux).
        In this case the check failure can result in unexpected behaviors,
        for example if the BitVector is incorrectly determined as having an
        inlined bit set, then setting a bit exceeding maxInlineBits will wrongly
        modify the memory adjacent to the BitVector object.
        This fix is to use the lowest bit of m_bitsOrPointer to indicate inline
        or outofline, based on the assumption that the pointer to OutOfLineBits
        should be 4 or 8 byte aligned.
        We could mark the lowest bit (bit 0) with 1 for inlined bit set,
        and bits 1~bitsInPointer are used for bit set/test.
        In this case we need do one bit more shift for bit set/test.

        * wtf/BitVector.cpp:
        (WTF::BitVector::resizeOutOfLine):
        * wtf/BitVector.h:
        (WTF::BitVector::quickGet):
        (WTF::BitVector::quickSet):
        (WTF::BitVector::quickClear):
        (WTF::BitVector::makeInlineBits):
        (WTF::BitVector::isInline):

2011-10-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename static getOwnPropertySlot to getOwnPropertySlotByIndex
        https://bugs.webkit.org/show_bug.cgi?id=70271

        Reviewed by Darin Adler.

        Renaming versions of getOwnPropertySlot that use an unsigned as the property
        name to "getOwnPropertySlotByIndex" in preparation for adding them to the 
        MethodTable, which requires unique names for each method.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotVirtual):
        (JSC::Arguments::getOwnPropertySlotByIndex):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlotVirtual):
        (JSC::JSArray::getOwnPropertySlotByIndex):
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::getOwnPropertySlotVirtual):
        (JSC::JSByteArray::getOwnPropertySlotByIndex):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertySlotVirtual):
        (JSC::JSCell::getOwnPropertySlotByIndex):
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertySlotVirtual):
        (JSC::JSNotAnObject::getOwnPropertySlotByIndex):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotVirtual):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        * runtime/JSObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlotVirtual):
        (JSC::JSString::getOwnPropertySlotByIndex):
        * runtime/JSString.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::getOwnPropertySlotVirtual):
        (JSC::ObjectPrototype::getOwnPropertySlotByIndex):
        * runtime/ObjectPrototype.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertySlotVirtual):
        (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex):
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertySlotVirtual):
        (JSC::StringObject::getOwnPropertySlotByIndex):
        * runtime/StringObject.h:

2011-10-24  Patrick Gansterer  <paroga@webkit.org>

        Interpreter build fix after r98179.

        * bytecode/CodeBlock.h:
        Moved CodeBlock::baselineVersion() into ENABLE(JIT) block,
        since it is only used there.

2011-10-23  Geoffrey Garen  <ggaren@apple.com>

        Fixed a typo Darin spotted.

        * wtf/StringHasher.h:
        (WTF::StringHasher::hash): Expelliarmus!

2011-10-23  Geoffrey Garen  <ggaren@apple.com>

        Removed StringImpl::createStrippingNullCharacters
        https://bugs.webkit.org/show_bug.cgi?id=70700

        Reviewed by David Levin.
        
        It was unused.

        * JavaScriptCore.exp:
        * wtf/text/StringImpl.cpp:
        * wtf/text/StringImpl.h:

2011-10-22  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline constructors
        https://bugs.webkit.org/show_bug.cgi?id=70675

        Reviewed by Oliver Hunt.
        
        Adds support for inlining constructors. Also fixes two pathologies
        uncovered along the way: CheckMethod claimed that it never returned a
        result (causing CheckMethod -> SetLocal -> GetLocal sequences to
        result in the GetLocal doing OSR exit), and get_by_id parsing never
        checked if it was hot in slow path. Also fiddled with inlining
        heuristics; it appears that for now, the more inlining, the happier
        V8 is. Finally, a bug was uncovered where a silent spill of a boxed
        integer that had previously been spilled unboxed causes the silent
        fill to forget to unbox.
        
        This appears to be a 4% speed-up on V8 in their harness, or a 1%
        speed-up in my harness. The difference is due to warm-up: in my
        harness we see significant amounts of time spent in compilation, but
        in V8's harness compilation gets amortizes. Profiling indicates that
        we have the potential for a 5% win from basic optimizations like
        generating OSR exits lazily and holding onto bytecode longer.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightInlineFunctionForConstruct):
        (JSC::DFG::canInlineOpcode):
        (JSC::DFG::mightInlineFunctionFor):
        (JSC::DFG::canInlineFunctionFor):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        * runtime/Executable.h:
        (JSC::isCall):
        (JSC::ExecutableBase::intrinsicFor):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-10-23  Noel Gordon  <noel.gordon@gmail.com>

        [chromium] Remove RopeImpl.{h,cpp} from the gyp projects
        https://bugs.webkit.org/show_bug.cgi?id=70703

        Reviewed by Kent Tamura.

        runtime/RopeImpl.{h,cpp} were removed in r97872, remove references
        to these files from the gyp project files.

        * JavaScriptCore.gypi:

2011-10-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add deleteProperty to the MethodTable
        https://bugs.webkit.org/show_bug.cgi?id=70162

        Reviewed by Sam Weinig.

        * JavaScriptCore.exp:
        * runtime/ClassInfo.h: Added both versions of deleteProperty to the MethodTable.
        * runtime/JSFunction.h: Changed JSFunction::deleteProperty to 
        be protected rather than private for subclasses who don't provide their own
        implementation.

2011-10-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove getConstructDataVirtual
        https://bugs.webkit.org/show_bug.cgi?id=70638

        Reviewed by Darin Adler.

        Removed all declarations and definitions of getConstructDataVirtual.
        Also replaced all call sites to getConstructDataVirtual with a 
        corresponding lookup in the MethodTable.

        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSObjectRef.cpp:
        (JSObjectIsConstructor):
        (JSObjectCallAsConstructor):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::getConstructData):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionConstructor.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        (JSC::getConstructData):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:

2011-10-23  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the SL build.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): Cast
        away int vs unisgned warning.

2011-10-21  Geoffrey Garen  <ggaren@apple.com>

        Separated string lifetime bits from character buffer state bits
        https://bugs.webkit.org/show_bug.cgi?id=70673

        Reviewed by Anders Carlsson.
        
        Moved the static/immortal bit into the bottom bit of the refcount, and
        moved all other bits into the high bits of the hash code.
        
        This is the first step toward a new Characters/PassString class, and it
        makes ref/deref slightly more efficient.

        * create_hash_table:
        * wtf/StringHasher.h:
        (WTF::StringHasher::hash): Tweaked the string hashing function to leave
        the top bits clear, so they can be used as flags.
        
        Fixed some small differences between the PERL copy of this function and
        the C++ copy of this function, which could have in theory caused subtle
        crashes.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::sharedBuffer):
        (WTF::StringImpl::createWithTerminatingNullCharacter):
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::StringImpl):
        (WTF::StringImpl::cost): Renamed s_refCountFlagShouldReportedCost to
        s_didReportExtraCost, since the original name was both self-contradictory
        and used as a double-negative.

        (WTF::StringImpl::isIdentifier):
        (WTF::StringImpl::setIsIdentifier):
        (WTF::StringImpl::hasTerminatingNullCharacter):
        (WTF::StringImpl::isAtomic):
        (WTF::StringImpl::setIsAtomic):
        (WTF::StringImpl::setHash):
        (WTF::StringImpl::rawHash):
        (WTF::StringImpl::hasHash):
        (WTF::StringImpl::existingHash):
        (WTF::StringImpl::hash):
        (WTF::StringImpl::hasOneRef):
        (WTF::StringImpl::ref):
        (WTF::StringImpl::deref):
        (WTF::StringImpl::bufferOwnership):
        (WTF::StringImpl::isStatic): Moved the static/immortal bit into the bottom
        bit of the refcount. Now, all lifetime information lives in the refcount
        field. Moved the other bits into the hash code field.

2011-10-21  Filip Pizlo  <fpizlo@apple.com>

        DFG inlining sometimes fails to reset constant references
        https://bugs.webkit.org/show_bug.cgi?id=70668

        Reviewed by Anders Carlsson.
        
        Reset constant references when we need to (new block created) and not
        when we don't (change of inlining depth).

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::prepareToParseBlock):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):

2011-10-21  Filip Pizlo  <fpizlo@apple.com>

        DFG should have inlining
        https://bugs.webkit.org/show_bug.cgi?id=69996

        Reviewed by Oliver Hunt.
        
        Implements inlining that's hooked into the bytecode parser. Only
        works for calls, for now, though nothing fundamentally prevents us
        from inlining constructor calls. 2% overall speed-up on all
        benchmarks. 7% speed-up on V8 (around 34% and 27% on deltablue and
        richards respectively), neutral on Kraken and SunSpider. 
        
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::setInstructionCount):
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::inlineDepthForCallFrame):
        (JSC::CodeOrigin::inlineDepth):
        (JSC::CodeOrigin::operator==):
        (JSC::CodeOrigin::inlineStack):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::BasicBlock::ensureLocals):
        (JSC::DFG::UnlinkedBlock::UnlinkedBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        (JSC::DFG::ByteCodeParser::handleSuccessor):
        (JSC::DFG::ByteCodeParser::determineReachability):
        (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::canHandleOpcodes):
        (JSC::DFG::canCompileOpcodes):
        (JSC::DFG::canInlineOpcodes):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        (JSC::DFG::canInlineOpcode):
        (JSC::DFG::canInlineOpcodes):
        (JSC::DFG::canInlineFunctionForCall):
        (JSC::DFG::canInlineFunctionForConstruct):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::printWhiteSpace):
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::GetBytecodeBeginForBlock::operator()):
        (JSC::DFG::Graph::blockIndexForBytecodeOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::decodedCodeMapFor):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::debugCall):
        (JSC::DFG::JITCompiler::baselineCodeBlockFor):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVariableAccessData):
        (JSC::DFG::Node::shouldGenerate):
        * dfg/DFGOperands.h:
        (JSC::DFG::Operands::ensureLocals):
        (JSC::DFG::Operands::setLocal):
        (JSC::DFG::Operands::getLocal):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallerFrameSlow):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::profiledCodeBlockFor):
        (JSC::FunctionExecutable::parameterCount):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:
        * runtime/JSFunction.h:

2011-10-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add put to the MethodTable
        https://bugs.webkit.org/show_bug.cgi?id=70439

        Reviewed by Oliver Hunt.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/ClassInfo.h: Added put and putByIndex to the MethodTable.
        * runtime/JSFunction.h: Changed access modifier for put to protected since some
        subclasses of JSFunction need to reference it in their MethodTables.

2011-10-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add finalizer to JSObject
        https://bugs.webkit.org/show_bug.cgi?id=70336

        Reviewed by Darin Adler.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor): Skip the call to the destructor 
        if we're a JSFinalObject, since the finalizer takes care of things.
        * runtime/JSCell.h:
        (JSC::JSCell::~JSCell): Remove the GC validation due to a conflict with 
        future changes and the fact that we no longer always call the destructor, making 
        the information provided less useful.
        * runtime/JSObject.cpp:
        (JSC::JSObject::finalize): Add finalizer for JSObject.
        (JSC::JSObject::allocatePropertyStorage): The first time we need to allocate out-of-line
        property storage, we add a finalizer to ourself.
        * runtime/JSObject.h:

2011-10-21  Simon Hausmann  <simon.hausmann@nokia.com>

        Remove QtScript source code from WebKit.
        https://bugs.webkit.org/show_bug.cgi?id=64088

        Reviewed by Tor Arne Vestbø.

        Removed dead code that isn't developed anymore.

        * JavaScriptCore.gypi:
        * JavaScriptCore.pri:
        * qt/api/QtScript.pro: Removed.
        * qt/api/qscriptconverter_p.h: Removed.
        * qt/api/qscriptengine.cpp: Removed.
        * qt/api/qscriptengine.h: Removed.
        * qt/api/qscriptengine_p.cpp: Removed.
        * qt/api/qscriptengine_p.h: Removed.
        * qt/api/qscriptfunction.cpp: Removed.
        * qt/api/qscriptfunction_p.h: Removed.
        * qt/api/qscriptoriginalglobalobject_p.h: Removed.
        * qt/api/qscriptprogram.cpp: Removed.
        * qt/api/qscriptprogram.h: Removed.
        * qt/api/qscriptprogram_p.h: Removed.
        * qt/api/qscriptstring.cpp: Removed.
        * qt/api/qscriptstring.h: Removed.
        * qt/api/qscriptstring_p.h: Removed.
        * qt/api/qscriptsyntaxcheckresult.cpp: Removed.
        * qt/api/qscriptsyntaxcheckresult.h: Removed.
        * qt/api/qscriptsyntaxcheckresult_p.h: Removed.
        * qt/api/qscriptvalue.cpp: Removed.
        * qt/api/qscriptvalue.h: Removed.
        * qt/api/qscriptvalue_p.h: Removed.
        * qt/api/qscriptvalueiterator.cpp: Removed.
        * qt/api/qscriptvalueiterator.h: Removed.
        * qt/api/qscriptvalueiterator_p.h: Removed.
        * qt/api/qtscriptglobal.h: Removed.
        * qt/benchmarks/benchmarks.pri: Removed.
        * qt/benchmarks/benchmarks.pro: Removed.
        * qt/benchmarks/qscriptengine/qscriptengine.pro: Removed.
        * qt/benchmarks/qscriptengine/tst_qscriptengine.cpp: Removed.
        * qt/benchmarks/qscriptvalue/qscriptvalue.pro: Removed.
        * qt/benchmarks/qscriptvalue/tst_qscriptvalue.cpp: Removed.
        * qt/tests/qscriptengine/qscriptengine.pro: Removed.
        * qt/tests/qscriptengine/tst_qscriptengine.cpp: Removed.
        * qt/tests/qscriptstring/qscriptstring.pro: Removed.
        * qt/tests/qscriptstring/tst_qscriptstring.cpp: Removed.
        * qt/tests/qscriptvalue/qscriptvalue.pro: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue.h: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_comparison.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_init.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_istype.cpp: Removed.
        * qt/tests/qscriptvalue/tst_qscriptvalue_generated_totype.cpp: Removed.
        * qt/tests/qscriptvalueiterator/qscriptvalueiterator.pro: Removed.
        * qt/tests/qscriptvalueiterator/tst_qscriptvalueiterator.cpp: Removed.
        * qt/tests/tests.pri: Removed.
        * qt/tests/tests.pro: Removed.

2011-10-21  Zheng Liu  <zheng.z.liu@intel.com>

        bytecompiler sometimes generates incorrect bytecode for put_by_id
        https://bugs.webkit.org/show_bug.cgi?id=70403

        Reviewed by Filip Pizlo.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::AssignDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):

2011-10-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should not try to predict argument types by looking at the values of
        argument registers at the time of compilation
        https://bugs.webkit.org/show_bug.cgi?id=70578

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):

2011-10-20  Filip Pizlo  <fpizlo@apple.com>

        DFG call optimization handling will fail if the call had been unlinked due
        to the callee being optimized
        https://bugs.webkit.org/show_bug.cgi?id=70468

        Reviewed by Geoff Garen.
        
        If a call had ever been linked, we remember this fact as well as the function
        to which it was linked even if unlinkIncomingCalls() or unlinkCalls() are
        called.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):

2011-10-20  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - Fix ByteArray speculation
        https://bugs.webkit.org/show_bug.cgi?id=70571

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-20  Vincent Scheib  <scheib@chromium.org>

        MouseLock compile and run time flags.
        https://bugs.webkit.org/show_bug.cgi?id=70530

        Reviewed by Darin Fisher.

        * wtf/Platform.h:

2011-10-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename static deleteProperty to deletePropertyByIndex
        https://bugs.webkit.org/show_bug.cgi?id=70257

        Reviewed by Geoffrey Garen.

        Renaming versions of deleteProperty that use an unsigned as the property
        name to "deletePropertyByIndex" in preparation for adding them to the 
        MethodTable, which requires unique names for each method.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::deletePropertyVirtual):
        (JSC::::deletePropertyByIndex):
        * runtime/Arguments.cpp:
        (JSC::Arguments::deletePropertyVirtual):
        (JSC::Arguments::deletePropertyByIndex):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::deletePropertyVirtual):
        (JSC::JSArray::deletePropertyByIndex):
        * runtime/JSArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::deletePropertyVirtual):
        (JSC::JSCell::deletePropertyByIndex):
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::deletePropertyVirtual):
        (JSC::JSNotAnObject::deletePropertyByIndex):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::deletePropertyVirtual):
        (JSC::JSObject::deletePropertyByIndex):
        * runtime/JSObject.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::deletePropertyVirtual):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):

2011-10-20  Filip Pizlo  <fpizlo@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=70482
        DFG-related stubs in the old JIT should not be built if the DFG is disabled

        Reviewed by Zoltan Herczeg.
        
        Aiming for a slight code size/build time reduction if the DFG is not in
        play. This should also make further DFG development slightly easier since
        the bodies of these JIT stubs can now safely refer to things that are only
        declared when the DFG is enabled.

        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2011-10-19  Filip Pizlo  <fpizlo@apple.com>

        DFG ConvertThis emits slow code when the source node is known to be,
        but not predicted to be, a final object
        https://bugs.webkit.org/show_bug.cgi?id=70466

        Reviewed by Oliver Hunt.
        
        Added a new case in ConvertThis compilation.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-19  Filip Pizlo  <fpizlo@apple.com>

        Optimization triggers in the old JIT may sometimes fire repeatedly even
        though there is no optimization to be done
        https://bugs.webkit.org/show_bug.cgi?id=70467

        Reviewed by Oliver Hunt.
        
        If optimize_from_ret does nothing, it delays the next optimization trigger.
        This is performance-neutral.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):

2011-10-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - remove unnecessary double unboxings in fillDouble/fillSpeculateDouble
        https://bugs.webkit.org/show_bug.cgi?id=70460

        Reviewed by Filip Pizlo.

        As pointed out by Gavin in bug #70418, when a value is already in memory
        we can avoid loading it to two GPRs at first and then unboxing them to a FPR.
        This gives 9% improvement on Kraken if without the change in bug #70418,
        and 1% if based on the code with bug #70418 change.
        Performance is neutral in V8 and SunSpider.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-10-19  Gavin Barraclough  <barraclough@apple.com>

        Poisoning of strict caller,arguments inappropriately poisoning "in"
        https://bugs.webkit.org/show_bug.cgi?id=63398

        Reviewed by Oliver Hunt.

        This fixes the problem by correctly implementing the spec -
        the error should actually be being thrown from a standard JS getter/setter.
        This implements spec correct behaviour for strict mode JS functions & bound
        functions, I'll follow up with a patch to do the same for arguments.

        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
            - Add the poisoned caller/arguments properties.
        * runtime/JSBoundFunction.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::put):
            - If the caller/arguments are accessed on a strict mode function, lazily add the ThrowTypeError getter.
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createThrowTypeError):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::throwTypeErrorGetterSetter):
            - Add a ThrowTypeError type, per ES5 13.2.3.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncThrowTypeError):
        * runtime/JSGlobalObjectFunctions.h:
            - Implementation of ThrowTypeError.
        * runtime/JSObject.cpp:
        (JSC::JSObject::initializeGetterSetterProperty):
        * runtime/JSObject.h:
            - This function adds a new property (must not exist already) that is an initialized getter/setter.

2011-10-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - improve double boxing/unboxing
        https://bugs.webkit.org/show_bug.cgi?id=70418

        Reviewed by Gavin Barraclough.

        Double boxing/unboxing in DFG JIT 32_64 is currently implemented inefficiently,
        which tries to exchange data through memory.
        On X86 some SSE instructions can help us on such operations with better performance.
        This improves 32-bit DFG performance by 29% on Kraken, 7% on SunSpider,
        and 2% on V8, tested on Linux X86 (Core i7 Nehalem).

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::lshiftPacked):
        (JSC::MacroAssemblerX86Common::rshiftPacked):
        (JSC::MacroAssemblerX86Common::orPacked):
        (JSC::MacroAssemblerX86Common::moveInt32ToPacked):
        (JSC::MacroAssemblerX86Common::movePackedToInt32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movd_rr):
        (JSC::X86Assembler::psllq_i8r):
        (JSC::X86Assembler::psrlq_i8r):
        (JSC::X86Assembler::por_rr):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::boxDouble):
        (JSC::DFG::JITCompiler::unboxDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-19  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [EFL] Fix DSO linkage of wtf_efl.

        Unreviewed build fix.

        Need to add -ldl to jsc_efl (requested by dladdr).

        * wtf/CMakeListsEfl.txt:

2011-10-19  Geoffrey Garen  <ggaren@apple.com>

        Removed StringImplBase, fusing it into StringImpl
        https://bugs.webkit.org/show_bug.cgi?id=70443

        Reviewed by Gavin Barraclough.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::StringImpl):
        (WTF::StringImpl::ref):
        (WTF::StringImpl::length):
        * wtf/text/StringImplBase.h: Removed.
        * wtf/wtf.pri: Removed!

2011-10-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add getConstructData to the MethodTable
        https://bugs.webkit.org/show_bug.cgi?id=70163

        Reviewed by Geoffrey Garen.

        Adding getConstructData to the MethodTable in order to be able to 
        remove all calls to getConstructDataVirtual soon.  Part of the process 
        of de-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/ClassInfo.h:

2011-10-18  Oliver Hunt  <oliver@apple.com>

        Support CanvasPixelArray in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=70384

        Reviewed by Filip Pizlo.

        Add support for the old CanvasPixelArray optimisations to the
        DFG.  This removes the regression seen in the DFG when using
        a CPA.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::truncateDoubleToInt32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_rm):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromClassInfo):
        * bytecode/PredictedType.h:
        (JSC::isByteArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateByteArray):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::compileClampDoubleToByte):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::offsetOfStorage):
        * wtf/ByteArray.cpp:
        * wtf/ByteArray.h:
        (WTF::ByteArray::offsetOfSize):
        (WTF::ByteArray::offsetOfData):

2011-10-18  Geoffrey Garen  <ggaren@apple.com>

        Some rope cleanup following r97827
        https://bugs.webkit.org/show_bug.cgi?id=70398

        Reviewed by Oliver Hunt.

        9% speedup on date-format-xparb, neutral overall.
        
        - Removed RopeImpl*.
        - Removed JSString::m_fiberCount, since this can be deduced from other data.
        - Renamed a jsString() variant to jsStringFromArguments for clarity.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.order:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj: Removed RopeImpl*.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitLoadCharacterString):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        * jit/ThunkGenerators.cpp:
        (JSC::stringCharLoad): Use a NULL m_value to signal rope-iness, instead
        of testing m_fiberCount, since m_fiberCount is gone now.

        * runtime/JSString.cpp:
        (JSC::JSString::RopeBuilder::expand):
        (JSC::JSString::visitChildren):
        (JSC::JSString::resolveRope):
        (JSC::JSString::resolveRopeSlowCase):
        (JSC::JSString::outOfMemory): Use a NULL fiber to indicate "last fiber
        in the vector" instead of testing m_fiberCount, since m_fiberCount is gone now.

        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::finishCreation):
        (JSC::RopeBuilder::offsetOfLength):
        (JSC::RopeBuilder::isRope):
        (JSC::RopeBuilder::string): Removed m_fiberCount. Renamed
        jsString => jsStringFromArguments for clarity.

        * runtime/Operations.h:
        (JSC::jsStringFromArguments): Renamed.

        * runtime/RopeImpl.cpp: Removed.
        * runtime/RopeImpl.h: Removed.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::createEmptyString): Switched to StringImpl::empty,
        which is slightly faster.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncConcat): Updated for rename.

        * wtf/text/StringImplBase.h:
        (WTF::StringImplBase::StringImplBase): Removed the concept of an invalid
        StringImpl, since this was only used by RopeImpl, which is now gone.

2011-10-19  Rafael Antognolli  <antognolli@profusion.mobi>

        [EFL] Fix DSO linkage of jsc_efl.
        https://bugs.webkit.org/show_bug.cgi?id=70412

        Unreviewed build fix.

        Need to add -ldl to jsc_efl (requested by dladdr).

        * shell/CMakeListsEfl.txt:

2011-10-18  Geoffrey Garen  <ggaren@apple.com>

        Rolled out last Windows build fix because it was wrong.

2011-10-18  Geoffrey Garen  <ggaren@apple.com>

        Rolled out last Windows build fix because it was wrong.

2011-10-18  Geoffrey Garen  <ggaren@apple.com>

        Try to fix part of the Windows build.
        
        Export!

2011-10-18  Geoffrey Garen  <ggaren@apple.com>

        Switched ropes from malloc memory to GC memory
        https://bugs.webkit.org/show_bug.cgi?id=70364

        Reviewed by Gavin Barraclough.

        ~1% SunSpider speedup. Neutral elsewhere. Removes one cause for strings
        having C++ destructors.

        * heap/MarkStack.cpp:
        (JSC::visitChildren): Call the JSString visitChildren function now,
        since it's no longer a no-op.

        * runtime/JSString.cpp:
        (JSC::JSString::~JSString): Moved this destructor out of line because
        it's called virtually, so there's no value to inlining.

        (JSC::JSString::RopeBuilder::expand): Switched RopeBuilder to be a thin
        initializing wrapper around JSString. JSString now represents ropes
        directly, rather than relying on an underlying malloc object.

        (JSC::JSString::visitChildren): Visit our rope fibers, since they're GC
        objects now.

        (JSC::JSString::resolveRope):
        (JSC::JSString::resolveRopeSlowCase):
        (JSC::JSString::outOfMemory): Updated for operating on JSStrings instead
        of malloc objects.

        (JSC::JSString::replaceCharacter): Removed optimizations for substringing
        ropes and replacing subsections of ropes. We want to reimplement versions
        of these optimizations in the future, but this patch already has good
        performance without them.

        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::finishCreation):
        (JSC::RopeBuilder::createNull):
        (JSC::RopeBuilder::create):
        (JSC::RopeBuilder::createHasOtherOwner):
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsOwnedString): Lots of mechanical changes here. The two important
        things are: (1) The fibers in JSString::m_fibers are JSStrings now, not
        malloc objects; (2) I simplified the JSString constructor interface to
        only accept PassRefPtr<StringImpl>, instead of variations on that like
        UString, reducing refcount churn.

        * runtime/JSValue.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::toPrimitiveString): Updated this function to return a
        JSString instead of a UString, since that's what clients want now.

        * runtime/Operations.cpp:
        (JSC::jsAddSlowCase):
        * runtime/Operations.h:
        (JSC::jsString):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::createEmptyString): Updated for interface changes above.

        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringObject.h:
        (JSC::StringObject::create): Don't create a new JSString if we already
        have a JSString.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncConcat): Updated for interface changes above.

2011-10-18  Gavin Barraclough  <barraclough@apple.com>

        Errrk, fix partial commit of r97825!

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToISOString):

2011-10-18  Gavin Barraclough  <barraclough@apple.com>

        Date.prototype.toISOString fails to throw exception
        https://bugs.webkit.org/show_bug.cgi?id=70394

        Reviewed by Sam Weinig.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToISOString):
            - Should throw a range error if the internal value is not finite.

2011-10-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename static put to putByIndex
        https://bugs.webkit.org/show_bug.cgi?id=70281

        Reviewed by Geoffrey Garen.

        Renaming versions of deleteProperty that use an unsigned as the property
        name to "deletePropertyByIndex" in preparation for adding them to the 
        MethodTable, which requires unique names for each method.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putVirtual):
        (JSC::Arguments::putByIndex):
        * runtime/Arguments.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncMap):
        * runtime/JSArray.cpp:
        (JSC::JSArray::put):
        (JSC::JSArray::putVirtual):
        (JSC::JSArray::putByIndex):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::putVirtual):
        (JSC::JSByteArray::putByIndex):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::putVirtual):
        (JSC::JSCell::putByIndex):
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::putVirtual):
        (JSC::JSNotAnObject::putByIndex):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putVirtual):
        (JSC::JSObject::putByIndex):
        * runtime/JSObject.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::fillArrayInstance):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::putVirtual):
        (JSC::RegExpMatchesArray::putByIndex):

2011-10-18  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype methods missing exception checks
        https://bugs.webkit.org/show_bug.cgi?id=70360

        Reviewed by Geoff Garen.

        Missing exception checks after calls to the static getProperty helper,
        these may result in the wrong exception being thrown (or an ASSERT being hit,
        as is currently the case running test-262).

        No performance impact.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):

2011-10-18  Adam Barth  <abarth@webkit.org>

        Always enable ENABLE(XPATH)
        https://bugs.webkit.org/show_bug.cgi?id=70217

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-10-18  Gavin Barraclough  <barraclough@apple.com>

        Indexed arguments on the Arguments object should be enumerable.
        https://bugs.webkit.org/show_bug.cgi?id=70302

        Reviewed by Sam Weinig.

        See ECMA-262 5.1 chapter 10.6 step 11b.
        This is visible through a number of means, including Object.keys, Object.getOwnPropertyDescriptor, and operator in.

        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertyDescriptor):
            - The 'enumerable' property should be true for indexed arguments.
        (JSC::Arguments::getOwnPropertyNames):
            - Don't guard the adding of indexed properties with 'IncludeDontEnumProperties'.

2011-10-18  Gustavo Noronha Silva  <gns@gnome.org>

        Fix distcheck.

        * GNUmakefile.list.am: fix a typo and add a missing header to the
        list.

2011-10-18  Balazs Kelemen  <kbalazs@webkit.org>

        ParallelJobs: maximum number of threads should be determined dynamically
        https://bugs.webkit.org/show_bug.cgi?id=68540

        Reviewed by Zoltan Herczeg.

        Add logic to determine the number of cores and use this as
        the maximum number of threads. The implementation currently
        covers Linux, Darwin, Windows, AIX, Solaris, OpenBSD and NetBSD.
        The patch was tested on Linux, Mac and Windows which was enough to
        cover all code path. It should work on the rest accoring to the
        documentation of those OS's. The hard coded constant is still used
        on uncovered OS's which should be fixed in the future.

        * wtf/ParallelJobs.h: Removed the default value of the requestedJobNumber
        argument because clients should always fill it and the 0 default value
        was incorrect anyway.
        (WTF::ParallelJobs::ParallelJobs):
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::determineMaxNumberOfParallelThreads):
        * wtf/ParallelJobsGeneric.h:
        (WTF::ParallelEnvironment::ParallelEnvironment):

2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        Reverted r997709, this caused test failures.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasOwnProperty):

2011-10-17  Ryosuke Niwa  <rniwa@webkit.org>

        Rename deregister* to unregister*
        https://bugs.webkit.org/show_bug.cgi?id=70272

        Reviewed by Darin Adler.

        Renamed deregisterWeakMap to unregisterWeakMap.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::unregisterWeakMap):

2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        Poisoning of strict caller/arguments inappropriately poisoning "in"
        https://bugs.webkit.org/show_bug.cgi?id=63398

        Reviewed by Sam Weinig.

        The problem here is that the has[Own]Property methods get the slot rather than
        the descriptor, and getting the slot may cause the property to be eagerly accessed.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - We don't expect hasProperty to ever throw. If it does, it won't get caught
              (since it is after the exception check), so ASSERT to guard against this.
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasOwnProperty):
            - These methods should not check for the presence of the descriptor; never get the value.

2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        Exception ordering in String.prototype.replace
        https://bugs.webkit.org/show_bug.cgi?id=70290

        If pattern is not a regexp, it should be converted toString before the replacement value has it's toString conversion called.

        Reviewed by Oliver Hunt.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):

2011-10-17  Filip Pizlo  <fpizlo@apple.com>

        DFG bytecode parser should understand inline stacks
        https://bugs.webkit.org/show_bug.cgi?id=70278

        Reviewed by Oliver Hunt.
        
        The DFG bytecode parser is now capable of parsing multiple code blocks at
        once. This remains turned off since not all inlining functionality is
        implemented.       
        
        This required making a few changes elsewhere in the system. The bytecode
        parser now may do some of the same things that the bytecode generator does,
        like allocating constants and identifiers. Basic block linking relies on
        bytecode indices, which are only meaningful within the context of one basic
        block. This is fine, so long as linking is done eagerly whenever switching
        from one code block to another.

        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::getThis):
        (JSC::DFG::ByteCodeParser::setThis):
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::executable):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        (JSC::DFG::ByteCodeParser::setupPredecessors):
        (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.h:
        (JSC::DFG::GetBytecodeBeginForBlock::GetBytecodeBeginForBlock):
        (JSC::DFG::GetBytecodeBeginForBlock::operator()):
        (JSC::DFG::Graph::blockIndexForBytecodeOffset):
        * dfg/DFGNode.h:
        * runtime/Identifier.h:
        (JSC::IdentifierMapIndexHashTraits::emptyValue):
        * runtime/JSValue.h:
        * wtf/StdLibExtras.h:
        (WTF::binarySearchWithFunctor):

2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        Incorrect behavior from String match/search & undefined pattern
        https://bugs.webkit.org/show_bug.cgi?id=70286

        Reviewed by Sam weinig.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
            - In case of undefined, pattern is "".
        (JSC::stringProtoFuncSearch):
            - In case of undefined, pattern is "".

2011-10-17  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=70207
        After deleting __defineSetter__, it is absent but appears in name list

        Reviewed by Darin Adler.

        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyNames):
            - This should check whether static functions have been reified.

2011-10-17  Geoffrey Garen  <ggaren@apple.com>

        Mac build fix.

        * JavaScriptCore.exp: Export!

2011-10-17  Geoffrey Garen  <ggaren@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export!

2011-10-17  Geoffrey Garen  <ggaren@apple.com>

        Windows build fix.

        * heap/HandleStack.cpp: Added a missing #include.

2011-10-17  Geoffrey Garen  <ggaren@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed no
        longer existant symbol.

        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::shrinkAllocation): Cast to the right type.

2011-10-17  Geoffrey Garen  <ggaren@apple.com>

        Simplified GC marking logic
        https://bugs.webkit.org/show_bug.cgi?id=70258

        Reviewed by Filip Pizlo.
        
        No perf. change.
        
        This is a first step toward GC allocating string backing stores, starting
        with ropes. It also enables future simplifications and optimizations.
        
        - Replaced some complex mark stack logic with a simple linear stack of
        JSCell pointers.
        
        - Replaced logic for short-circuiting marking based on JSType and/or
        Structure flags with special cases for object, array, and string.
        
        - Fiddled with inlining for better codegen.

        * JavaScriptCore.exp:
        * heap/HandleStack.cpp: Build!

        * heap/Heap.cpp:
        (JSC::Heap::Heap): Provide more vptrs to SlotVisitor, for use in marking.

        * heap/HeapRootVisitor.h: Removed unused functions that no longer build.

        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::expand):
        (JSC::MarkStackArray::shrinkAllocation):
        (JSC::MarkStack::reset):
        (JSC::visitChildren):
        (JSC::SlotVisitor::drain):
        * heap/MarkStack.h:
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::~MarkStack):
        (JSC::MarkStackArray::append):
        (JSC::MarkStackArray::removeLast):
        (JSC::MarkStackArray::isEmpty):
        (JSC::MarkStack::append):
        (JSC::MarkStack::appendUnbarrieredPointer):
        (JSC::MarkStack::internalAppend): Replaced complex mark set logic with
        simple linear stack.

        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::SlotVisitor): Updated for above changes.

        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * runtime/JSArray.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        * runtime/JSObject.h: Don't inline visitChildren; it's too big.

        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend): Nixed the short-circuit for CompoundType
        because it prevented strings from owning GC pointers.

        * runtime/WriteBarrier.h:
        (JSC::MarkStack::appendValues): No need to validate; internalAppend will
        do that for us.

2011-10-17  Adam Roben  <aroben@apple.com>

        Windows build fix after r97536, part 3

        * runtime/JSAPIValueWrapper.h:
        * runtime/JSObject.h:
        Use JS_EXPORTDATA to export the s_info members.

2011-10-17  Adam Roben  <aroben@apple.com>

        Interpreter build fix after r97564

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        Moved declaration of globalData variable into ENABLE(JIT) blocks, since it is only used
        there.

2011-10-17  Adam Roben  <aroben@apple.com>

        Windows build fix after r97536, part 2

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Added back
        JSC::setUpStaticFunctionSlot with its new mangled name. SOrted the rest of the file while I
        was at it.

2011-10-17  Adam Roben  <aroben@apple.com>

        Windows build fix after r97536

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed export of
        JSC::setUpStaticFunctionSlot, which no longer exists. Also removed incorrect exports of
        s_info members, which need to be exported via JS_EXPORTDATA instead.

2011-10-17  Patrick Gansterer  <paroga@webkit.org>

        Interpreter build fix after r97436, r97506, r97532 and r97537.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-10-16  Adam Barth  <abarth@webkit.org>

        Always disable ENABLE(ON_FIRST_TEXTAREA_FOCUS_SELECT_ALL) and delete associated code
        https://bugs.webkit.org/show_bug.cgi?id=70216

        Reviewed by Eric Seidel.

        * wtf/Platform.h:

2011-10-16  Noel Gordon  <noel.gordon@gmail.com>

        [chromium] Remove PageAllocatorSymbian.h, OSAllocatorSymbian.cpp, gtk/ThreadingGtk.cpp from gyp project files
        https://bugs.webkit.org/show_bug.cgi?id=70205

        Reviewed by James Robinson.

        wtf/PageAllocatorSymbian.h and wtf/OSAllocatorSymbian.cpp were removed in r97557.
        wtf/gtk/ThreadingGtk.cpp was removed in r97269.

        * JavaScriptCore.gypi:

2011-10-16  Adam Barth  <abarth@webkit.org>

        Always enable ENABLE(DOM_STORAGE)
        https://bugs.webkit.org/show_bug.cgi?id=70189

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-10-15  Dan Horák <dan@danny.cz>

        The s390 and s390x architectures both use 64-bit double type
        that conforms to the IEEE-754 standard.

        https://bugs.webkit.org/show_bug.cgi?id=69940

        Reviewed by Gavin Barraclough.

        * wtf/dtoa/utils.h:

2011-10-14  Filip Pizlo  <fpizlo@apple.com>

        FunctionExecutable should expose the ability to create unattached FunctionCodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=70157

        Reviewed by Geoff Garen.
        
        Added FunctionExecutable::produceCodeBlockFor() and rewired compileForCallInternal()
        and compileForConstructInternal() to use this method. This required more cleanly
        exposing some of CodeBlock's tiering functionality and moving the CompilationKind
        enum to Executable.h, as this was the easiest way to make it available to the
        declarations/definitions of CodeBlock, FunctionExecutable, and BytecodeGenerator.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::copyDataFrom):
        (JSC::CodeBlock::copyDataFromAlternative):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setAlternative):
        * bytecompiler/BytecodeGenerator.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::codeBlockFor):

2011-10-15  Laszlo Gombos  <laszlo.1.gombos@nokia.com>

        [Qt] [Symbian] Remove support for the Symbian platform for the QtWebKit port
        https://bugs.webkit.org/show_bug.cgi?id=69920

        Reviewed by Kenneth Rohde Christiansen.

        * JavaScriptCore.pri:
        * JavaScriptCore.pro:
        * heap/MarkStack.h:
        (JSC::::shrinkAllocation):
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        * jit/JITStubs.cpp:
        * jsc.pro:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncLastIndexOf):
        * runtime/TimeoutChecker.cpp:
        (JSC::getCPUTime):
        * wtf/Assertions.cpp:
        * wtf/Assertions.h:
        * wtf/Atomics.h:
        * wtf/MathExtras.h:
        * wtf/OSAllocator.h:
        (WTF::OSAllocator::decommitAndRelease):
        * wtf/OSAllocatorSymbian.cpp: Removed.
        * wtf/OSRandomSource.cpp:
        (WTF::cryptographicallyRandomValuesFromOS):
        * wtf/PageAllocation.h:
        * wtf/PageAllocatorSymbian.h: Removed.
        * wtf/PageBlock.cpp:
        * wtf/Platform.h:
        * wtf/StackBounds.cpp:
        * wtf/wtf.pri:

2011-10-15  Yuqiang Xian  <yuqiang.xian@intel.com>

        Trivial fix for a missing change in r97512
        https://bugs.webkit.org/show_bug.cgi?id=70166

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::link):

2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename getOwnPropertySlot to getOwnPropertySlotVirtual
        https://bugs.webkit.org/show_bug.cgi?id=69810

        Reviewed by Geoffrey Garen.

        Renamed the virtual version of getOwnPropertySlot to getOwnPropertySlotVirtual
        in preparation for when we add the static getOwnPropertySlot to the MethodTable 
        in ClassInfo.

        Also added a few static getOwnPropertySlot functions where they had been overlooked 
        before (especially in CodeGeneratorJS.pm).

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlotVirtual):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::staticFunctionGetter):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertySlotVirtual):
        (JSC::DebuggerActivation::getOwnPropertySlot):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotVirtual):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlotVirtual):
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlotVirtual):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlotVirtual):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlotVirtual):
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlotVirtual):
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlotVirtual):
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertySlotVirtual):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlotVirtual):
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArray.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::getOwnPropertySlotVirtual):
        * runtime/JSBoundFunction.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::getOwnPropertySlotVirtual):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertySlotVirtual):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlotVirtual):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::getOwnPropertyNames):
        (JSC::JSFunction::put):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlotVirtual):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hasOwnPropertyForWrite):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertySlotVirtual):
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::JSONObject::getOwnPropertySlotVirtual):
        (JSC::Walker::walk):
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotVirtual):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::hasOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlotVirtual):
        (JSC::JSCell::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSValue::get):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::getOwnPropertySlotVirtual):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlotVirtual):
        (JSC::JSString::getOwnPropertySlot):
        * runtime/JSString.h:
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        * runtime/MathObject.cpp:
        (JSC::MathObject::getOwnPropertySlotVirtual):
        * runtime/MathObject.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlotVirtual):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlotVirtual):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlotVirtual):
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::getOwnPropertySlotVirtual):
        * runtime/ObjectPrototype.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlotVirtual):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertySlotVirtual):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlotVirtual):
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlotVirtual):
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlotVirtual):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertySlotVirtual):
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::getOwnPropertySlotVirtual):
        * runtime/StringPrototype.h:

2011-10-14  Gavin Barraclough  <baraclough@apple.com>

        Most built-in properties are not deletable
        https://bugs.webkit.org/show_bug.cgi?id=61014

        Reviewed by Filip Pizlo.

        Our static hash tables don't allow for deleting properties.
        This is the cause of a bunch of expected failures in LayoutTests/sputnik.

        This fixes the problem by reifying all static functions immediately prior
        to the first deletion.  Reification is tracked by a flag on the structure,
        so properties will no longer 'bounce-back' on later access.

        Theoretically there could probably also be an issue with custom accessor
        properties, but we probably do not really require any of these to be
        Configurable anyway. I'll follow up with a separate patch to address this.

        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
            - detects static property tables.
        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty):
            - call reifyStaticFunctions before deletion.
        (JSC::JSObject::reifyStaticFunctions):
            - If the class has static functions, set them up now.
        * runtime/JSObject.h:
        (JSC::JSObject::staticFunctionsReified):
            - returns true if static functions have been reified,
              and as such should no longer be added.
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
            - If static functions have been reified do not add.
        * runtime/Lookup.h:
        (JSC::HashTable::ConstIterator::ConstIterator):
        (JSC::HashTable::ConstIterator::operator->):
        (JSC::HashTable::ConstIterator::operator*):
        (JSC::HashTable::ConstIterator::operator!=):
        (JSC::HashTable::ConstIterator::operator++):
        (JSC::HashTable::ConstIterator::skipInvalidKeys):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticFunctionDescriptor):
            - setUpStaticFunctionSlot may not add, returns a bool.
        (JSC::lookupPut):
            - remove redundant branch.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
            - initialize new flag in constructors.
        * runtime/Structure.h:
        (JSC::Structure::staticFunctionsReified):
        (JSC::Structure::setStaticFunctionsReified):
            - added flag

2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename virtual put to putVirtual
        https://bugs.webkit.org/show_bug.cgi?id=69851

        Reviewed by Darin Adler.

        Renamed virtual versions of put to putVirtual in prepration for 
        adding the static put to the MethodTable in ClassInfo since the 
        compiler gets mad if the virtual and static versions have the same 
        name.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::putVirtual):
        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        (JSObjectSetPropertyAtIndex):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::putVirtual):
        (JSC::DebuggerActivation::put):
        * debugger/DebuggerActivation.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putVirtual):
        * runtime/Arguments.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::putVirtual):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::putVirtual):
        (JSC::JSArray::putSlowCase):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCount):
        (JSC::JSArray::unshiftCount):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::putVirtual):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::putVirtual):
        (JSC::JSCell::put):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::putVirtual):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::putVirtual):
        (JSC::JSGlobalObject::putWithAttributes):
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::putVirtual):
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putVirtual):
        (JSC::JSObject::put):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSValue::put):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::putVirtual):
        * runtime/JSStaticScopeObject.h:
        * runtime/Lookup.h:
        (JSC::lookupPut):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::putVirtual):
        * runtime/ObjectPrototype.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::fillArrayInstance):
        (JSC::RegExpConstructor::putVirtual):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::putVirtual):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::putVirtual):
        * runtime/RegExpObject.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::putVirtual):
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):

2011-10-13  Filip Pizlo  <fpizlo@apple.com>

        Reflective Arguments retrieval should be hardened for the
        possibility of inlining
        https://bugs.webkit.org/show_bug.cgi?id=70068

        Reviewed by Oliver Hunt.
        
        CodeBlock can now track, as part of its RareData, the virtual inline
        stack at callsites. CallFrame walking can now rematerialize "inline"
        CallFrames by combining the meta-data in CodeBlock with the information
        already in the JS stack. Arguments can now safely retrieve the
        arguments from inline CallFrames.
        
        The DFG already had the notion of a "CodeOrigin" in preparation for
        inlining. This notion will now be saved into the CodeBlock, if the DFG
        had done inlining. So, CodeOrigin has been moved to bytecode/ and has
        been changed to behave more like a struct since that is how it's
        meant to be used.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::inlineCallFrames):
        (JSC::CodeBlock::codeOrigins):
        (JSC::CodeBlock::hasCodeOrigins):
        (JSC::CodeBlock::codeOriginForReturn):
        * bytecode/CodeOrigin.h: Added.
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::isSet):
        (JSC::getCallReturnOffsetForCodeOrigin):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGNode.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::isInlineCallFrame):
        (JSC::CallFrame::trueCallerFrame):
        * interpreter/CallFrame.h:
        (JSC::ExecState::inlineCallFrame):
        (JSC::ExecState::setInlineCallFrame):
        (JSC::ExecState::isInlineCallFrame):
        (JSC::ExecState::trueCallerFrame):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::findFunctionCallFrame):
        * interpreter/Register.h:
        (JSC::Register::operator=):
        (JSC::Register::inlineCallFrame):
        * runtime/Arguments.h:
        (JSC::Arguments::getArgumentsData):
        (JSC::Arguments::finishCreationButDontCopyRegisters):
        (JSC::Arguments::finishCreation):
        (JSC::Arguments::finishCreationAndCopyRegisters):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::parameterCount):

2011-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename virtual deleteProperty to deletePropertyVirtual
        https://bugs.webkit.org/show_bug.cgi?id=69884

        Reviewed by Darin Adler.

        Renamed virtual versions of deleteProperty to deletePropertyVirtual in prepration for 
        adding the static deleteProperty to the MethodTable in ClassInfo since the 
        compiler gets mad if the virtual and static versions have the same name.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::deletePropertyVirtual):
        (JSC::::deleteProperty):
        * API/JSObjectRef.cpp:
        (JSObjectDeleteProperty):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::deletePropertyVirtual):
        (JSC::DebuggerActivation::deleteProperty):
        * debugger/DebuggerActivation.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Arguments.cpp:
        (JSC::Arguments::deletePropertyVirtual):
        * runtime/Arguments.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::deletePropertyVirtual):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::deletePropertyVirtual):
        (JSC::JSArray::deleteProperty):
        * runtime/JSArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::deletePropertyVirtual):
        (JSC::JSCell::deleteProperty):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::deletePropertyVirtual):
        * runtime/JSFunction.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::deletePropertyVirtual):
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::deletePropertyVirtual):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::deletePropertyVirtual):
        * runtime/JSVariableObject.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::deletePropertyVirtual):
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::deletePropertyVirtual):
        * runtime/StrictEvalActivation.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::deletePropertyVirtual):
        * runtime/StringObject.h:

2011-10-14  Peter Beverloo  <peter@chromium.org>

        [Chromium] Inherit settings from Chromium's envsetup.sh, address a NDK todo
        https://bugs.webkit.org/show_bug.cgi?id=70028

        Reviewed by Adam Barth.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-10-14  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - Performance fix for ResolveGlobal
        https://bugs.webkit.org/show_bug.cgi?id=70096

        Reviewed by Gavin Barraclough.

        Structure check of global object should be a pointer comparison
        instead of a tag and payload pair comparison. This fix improves
        SunSpider by 7% on Linux 32, with bitops-bitwise-and improved by 4.75X.
        Also two trivial fixes for successful 32-bit build are included.

        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-13  Filip Pizlo  <fpizlo@apple.com>

        Speculation failures in ValueToInt32 are causing a 2x slow-down
        in Kraken/stanford-crypto-pbkdf2
        https://bugs.webkit.org/show_bug.cgi?id=70089

        Reviewed by Gavin Barraclough.
        
        If we can't truncate to Int32 using machine code, then don't fail
        speculation. Just call JSC::toInt32.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename virtual getConstructData to getConstructDataVirtual
        https://bugs.webkit.org/show_bug.cgi?id=69872

        Reviewed by Geoffrey Garen.

        Renamed virtual getConstructData functions to getConstructDataVirtual to 
        avoid conflicts when we add static getConstructData to the MethodTable.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::getConstructDataVirtual):
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getConstructDataVirtual):
        * API/JSObjectRef.cpp:
        (JSObjectIsConstructor):
        (JSObjectCallAsConstructor):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getConstructDataVirtual):
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::getConstructDataVirtual):
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getConstructDataVirtual):
        * runtime/DateConstructor.h:
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::getConstructDataVirtual):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::getConstructDataVirtual):
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::getConstructDataVirtual):
        * runtime/FunctionConstructor.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getConstructDataVirtual):
        * runtime/JSCell.h:
        (JSC::getConstructData):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getConstructDataVirtual):
        * runtime/JSFunction.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::getConstructDataVirtual):
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getConstructDataVirtual):
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getConstructDataVirtual):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getConstructDataVirtual):
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getConstructDataVirtual):
        * runtime/StringConstructor.h:

2011-10-13  Filip Pizlo  <fpizlo@apple.com>

        Rubber stamped Stephanie Lewis.
        
        DFG_ENABLE() macro was always returning false.

        * dfg/DFGNode.h:

2011-10-13  Gavin Barraclough  <baraclough@apple.com>

        Speculative build fix for !DFG builds.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-10-13  Oliver Hunt  <oliver@apple.com>

        Fix performance of ValueToInt32 node when predicting double
        https://bugs.webkit.org/show_bug.cgi?id=70063

        Reviewed by Filip Pizlo.

        Currently we fail to inline double to int conversion when
        performing a ValueToInt32 operation on a value we predict
        to be a double.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
           Apply correct filter for the double prediction path
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
           Support double parameters even when value has been spilled.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
           Moved old valueToInt32 code to this function, and added
           path for double prediction
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
           Made the two implementations of ValueToInt32 call a single
           shared compileValueToInt32 function.

2011-10-13  Chris Marrin  <cmarrin@apple.com>

        Sync requestAnimationFrame callback to CVDisplayLink on Mac
        https://bugs.webkit.org/show_bug.cgi?id=68911

        Reviewed by Simon Fraser.

        Add REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR for implementations
        that use the DisplayRefreshMonitor logic.

        * wtf/Platform.h:

2011-10-13  Gavin Barraclough  <baraclough@apple.com>

        DFG JIT should not be using ENABLE macro to enable features
        https://bugs.webkit.org/show_bug.cgi?id=70060

        Reviewed by Oliver Hunt.

        The ENABLE macro is only intended to be used to detect features that are configured
        in Platform.h. Using its to detect settings defined in other headers is an error.

        The problem is that the ENABLE macro checks if the value is defined, so will silently
        return false if you fail to include the header defining the switch. This is not a problem
        if (1) the settings are defined in the same header that defines the macro that tests them,
        or (2) the header is included everywhere.  In the case of ENABLE settings defined in
        Platform.h, both are true! To make this clear, add an explicit DFG_ENABLE macro.

        * bytecode/CodeBlock.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
        (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::propagatePredictionsForward):
        (JSC::DFG::Propagator::propagatePredictionsBackward):
        (JSC::DFG::Propagator::propagatePredictions):
        (JSC::DFG::Propagator::toDouble):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::fixup):
        (JSC::DFG::Propagator::startIndexForChildren):
        (JSC::DFG::Propagator::endIndexForPureCSE):
        (JSC::DFG::Propagator::setReplacement):
        (JSC::DFG::Propagator::eliminate):
        (JSC::DFG::Propagator::performNodeCSE):
        (JSC::DFG::Propagator::localCSE):
        (JSC::DFG::Propagator::allocateVirtualRegisters):
        (JSC::DFG::Propagator::performBlockCFA):
        (JSC::DFG::Propagator::performForwardCFA):
        (JSC::DFG::Propagator::globalCFA):
        * dfg/DFGScoreBoard.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-10-13  Gavin Barraclough  <baraclough@apple.com>

        terminateSpeculativeExecution for fillSpeculateDouble with DataFormatCell

        Rubber stamped by Filip Pizlo

        This is breaking fast/canvas/canvas-composite-alpha.html on 32_64 DFG JIT.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-10-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualized JSCell::toNumber
        https://bugs.webkit.org/show_bug.cgi?id=69858

        Reviewed by Sam Weinig.


        Removed JSCallbackObject::toNumber because its no longer necessary since 
        JSObject::toNumber now suffices since we implicitly add valueOf to an object's
        prototype whenever a convertToType callback is provided.
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

        De-virtualized JSCell::toNumber, JSObject::toNumber, and JSString::toNumber.
        * runtime/JSCell.cpp:
        (JSC::JSCell::toNumber):
        * runtime/JSCell.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:

        Removed JSNotAnObject::toNumber because its result doesn't matter and it implements 
        defaultValue, therefore JSObject::toNumber can cover its case.
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:

2011-10-13  Xianzhu Wang  <wangxianzhu@chromium.org>

        Use realloc() to expand/shrink StringBuilder buffer
        https://bugs.webkit.org/show_bug.cgi?id=69913

        Reviewed by Darin Adler.

        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::reserveCapacity):
        (WTF::StringBuilder::reallocateBuffer):
        (WTF::StringBuilder::appendUninitialized):
        (WTF::StringBuilder::shrinkToFit):
        * wtf/text/StringBuilder.h:
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::reallocate): Added to allow StringBuilder to reallocate the buffer.
        * wtf/text/StringImpl.h:

2011-10-12  Filip Pizlo  <fpizlo@apple.com>

        If an Arguments object is being used to copy the arguments, then
        make this explicit
        https://bugs.webkit.org/show_bug.cgi?id=69995

        Reviewed by Sam Weinig.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::retrieveArguments):
        * runtime/Arguments.h:
        (JSC::Arguments::createAndCopyRegisters):
        (JSC::Arguments::finishCreationButDontCopyRegisters):
        (JSC::Arguments::finishCreation):
        (JSC::Arguments::finishCreationAndCopyRegisters):

2011-10-12  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA does not filter structures aggressively enough.
        https://bugs.webkit.org/show_bug.cgi?id=69989

        Reviewed by Oliver Hunt.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::clear):
        (JSC::DFG::AbstractValue::makeTop):
        (JSC::DFG::AbstractValue::clobberStructures):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::checkConsistency):

2011-10-12  Adam Barth  <abarth@webkit.org>

        Remove ENABLE(XHTMLMP) and associated code
        https://bugs.webkit.org/show_bug.cgi?id=69729

        Reviewed by David Levin.

        * Configurations/FeatureDefines.xcconfig:

2011-10-12  Gavin Barraclough  <baraclough@apple.com>

        MacroAssemblerX86 8-bit register ops unsafe on CPU(X86)
        https://bugs.webkit.org/show_bug.cgi?id=69978

        Reviewed by Filip Pizlo.

        Certain ops are unsafe if the register passed is esp..edi (will instead test/set the ).

        compare32/test8/test32 Call setCC, which sets an 8-bit register - we can fix this by adding
        a couple of xchg instructions.

        branchTest8 with a register argument is also affected. In all cases this is currently used
        this is testing a value that is correct to 32 or more bits, so we can simply switch these
        to branchTest32 & remove the corresponding branchTest8 (this is desirable anyway, since the
        32-bit form is cheaper to implement on platforms that don't have an 8-bit compare instruction).

        This fixes the remaining fast/js failures with the DFG JIT 32_64.

        * assembler/MacroAssemblerARMv7.h
            - removed branchTest8.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::compare32):
        (JSC::MacroAssemblerX86Common::test8):
        (JSC::MacroAssemblerX86Common::test32):
        (JSC::MacroAssemblerX86Common::set32):
            - added set32 helper that is 'h' register safe.
            - removed branchTest8.
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
            - switch uses of branchTest8 to branchTest32.
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
            - switch uses of branchTest8 to branchTest32.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
            - switch uses of branchTest8 to branchTest32.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
            - switch uses of branchTest8 to branchTest32.

2011-10-12  Gavin Barraclough  <baraclough@apple.com>

        Errrk, revert accidental commit!

        * wtf/Platform.h:

2011-10-12  Gavin Barraclough  <baraclough@apple.com>

        Unreviewed, re-land changes from #69890, #69903.

        These were reverted due to bug #69897, but #69903 fixed this problem.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillGPR):

2011-10-12  Filip Pizlo  <fpizlo@apple.com>

        ValueProfile::computeUpdatedPrediction doesn't merge statistics correctly
        https://bugs.webkit.org/show_bug.cgi?id=69906

        Reviewed by Gavin Barraclough.
        
        It turns out that the simplest fix is to switch computeUpdatedPredictions()
        to using predictionFromValue() combined with mergePrediction(). Doing so
        allowed me to kill off weakBuckets and visitWeakReferences(). Hence this
        not only fixes a performance bug but kills off a lot of code that I never
        liked to begin with.
        
        This appears to be a 1% win on V8.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        * bytecode/PredictedType.cpp:
        (JSC::predictionFromValue):
        * bytecode/ValueProfile.cpp:
        (JSC::ValueProfile::computeStatistics):
        (JSC::ValueProfile::computeUpdatedPrediction):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::classInfo):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::isLive):
        (JSC::ValueProfile::dump):

2011-10-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::toString
        https://bugs.webkit.org/show_bug.cgi?id=69677

        Reviewed by Sam Weinig.

        Removed toString from JSCallbackObject, since it is no 
        longer necessary since we now implicitly add toString and valueOf
        functions to object prototypes when a convertToType callback 
        is provided, which is now the standard way to override toString 
        and valueOf in the JSC C API.
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

        Removed toString from InterruptedExecutionError and 
        TerminatedExecutionError and replaced it with defaultValue,
        which JSObject::toString calls.  We'll probably have to de-virtualize 
        defaultValue eventually, but we'll cross that bridge when we 
        come to it.
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::defaultValue):
        (JSC::TerminatedExecutionError::defaultValue):
        * runtime/ExceptionHelpers.h:

        Removed toString from JSNotAnObject, since its return value doesn't
        actually matter and JSObject::toString can cover it.
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:

        De-virtualized JSCell::toString, JSObject::toString and JSString::toString.
        Added handling of all cases for JSCell to JSCell::toString.
        * runtime/JSObject.h:
        * runtime/JSString.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toString):
        * runtime/JSCell.h:

2011-10-12  Oliver Hunt  <oliver@apple.com>

        Global stringStructure caches its prototype chain, abandoning a web page
        https://bugs.webkit.org/show_bug.cgi?id=69952

        Reviewed by Filip Pizlo.

        When visiting a structure, we don't keep the prototype chain
        alive if we're not the structure for an object type.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):

2011-10-12  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT 32_64 - Fix ArrayPop
        https://bugs.webkit.org/show_bug.cgi?id=69918

        Reviewed by Filip Pizlo.

        The storageLengthGPR is polluted by EmptyValueTag and later used to
        index the array, which results in abnormal behaviors in execution.
        This fix makes 32_64 DFG pass v8-deltablue and kraken
        crypto-sha256-iterative on Linux ia32.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movl_i32m):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-12  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>

        Fix build with GLib 2.31
        https://bugs.webkit.org/show_bug.cgi?id=69840

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am: removed ThreadingGtk.cpp.
        * wtf/ThreadingPrimitives.h: remove GTK+-specific definitions.
        * wtf/gobject/GOwnPtr.cpp: remove GCond and GMutex specializations.
        * wtf/gobject/GOwnPtr.h: ditto.
        * wtf/gobject/GTypedefs.h: remove GCond and GMutex forward declarations.
        * wtf/gtk/ThreadingGtk.cpp: Removed.

2011-10-12  Filip Pizlo  <fpizlo@apple.com>

        Layout tests crashing in DFG JIT code
        https://bugs.webkit.org/show_bug.cgi?id=69897

        Reviewed by Gavin Barraclough.
        
        Abstract value filtration didn't take into account cases where a structure
        set filter, combined with predicted type knowledge, could lead to a stronger
        filter for the structure abstract value.
        
        This bug would have been benign in release builds; it would have just meant
        that the analysis was less precise and some optimization opportunities would
        be missed. I have an ASSERT that is meant to catch such cases, and it was
        triggering sporadically in one of the LayoutTests.

        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::filter):

2011-10-11  Gavin Barraclough  <baraclough@apple.com>

        Unreviewed, temporarily reverted r97216 due to bug #69897.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillGPR):

2011-10-11  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG 32_64 - fix silentFillGPR
        https://bugs.webkit.org/show_bug.cgi?id=69903

        Reviewed by Filip Pizlo.

        Fix a small bug in silentFillGPR,
        and add the newly introduced DFG file to CMakeListsEfl.

        * CMakeListsEfl.txt:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillGPR):

2011-10-08  Filip Pizlo  <fpizlo@apple.com>

        DFG does not have flow-sensitive intraprocedural control flow analysis
        https://bugs.webkit.org/show_bug.cgi?id=69690

        Reviewed by Gavin Barraclough.

        Implemented a control flow analysis (CFA). It currently propagates type
        proofs only. For example, if all predecessors to a basic block have
        checks that variable X is a JSFinalObject with structure 0xabcdef, then
        this basic block will now know this fact and will know that it does not
        have to emit either JSFinalObject checks or any structure checks since
        the structure is precisely known. The CFA takes heap side-effects into
        account (though somewhat conservatively), so that if the object pointed
        to by variable X could have possibly undergone a structure transition
        then this is reflected: the analysis may simply say that X's structure
        is unknown.
        
        This also propagates a wealth of other type information which is
        currently not being used. For example, we now know when a variable can
        only hold doubles. Even if a variable may hold other types at different
        points in its live range, we can still prove exactly when it will only
        be double.
        
        There's a bunch of stuff that the CFA could do that it still does not
        do, like precise handling of PutStructure (i.e. structure transitions),
        precise handling of CheckFunction and CheckMethod, etc. So this is
        very much intended to be a starting point rather than an end unto
        itself.
        
        This is a 1% win on V8 (mostly due to a 3% win on richards and deltablue)
        and a 1% win on Kraken (mostly due to a 6% win on imaging-desaturate).
        Neutral on SunSpider.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ActionablePrediction.h: Removed.
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        * dfg/DFGAbstractState.cpp: Added.
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::~AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::reset):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::clobberStructures):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h: Added.
        (JSC::DFG::AbstractState::forNode):
        (JSC::DFG::AbstractState::isValid):
        * dfg/DFGAbstractValue.h: Added.
        (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
        (JSC::DFG::StructureAbstractValue::clear):
        (JSC::DFG::StructureAbstractValue::makeTop):
        (JSC::DFG::StructureAbstractValue::top):
        (JSC::DFG::StructureAbstractValue::add):
        (JSC::DFG::StructureAbstractValue::addAll):
        (JSC::DFG::StructureAbstractValue::contains):
        (JSC::DFG::StructureAbstractValue::isSubsetOf):
        (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
        (JSC::DFG::StructureAbstractValue::isSupersetOf):
        (JSC::DFG::StructureAbstractValue::filter):
        (JSC::DFG::StructureAbstractValue::isClear):
        (JSC::DFG::StructureAbstractValue::isTop):
        (JSC::DFG::StructureAbstractValue::size):
        (JSC::DFG::StructureAbstractValue::at):
        (JSC::DFG::StructureAbstractValue::operator[]):
        (JSC::DFG::StructureAbstractValue::last):
        (JSC::DFG::StructureAbstractValue::predictionFromStructures):
        (JSC::DFG::StructureAbstractValue::operator==):
        (JSC::DFG::StructureAbstractValue::dump):
        (JSC::DFG::AbstractValue::AbstractValue):
        (JSC::DFG::AbstractValue::clear):
        (JSC::DFG::AbstractValue::isClear):
        (JSC::DFG::AbstractValue::makeTop):
        (JSC::DFG::AbstractValue::clobberStructures):
        (JSC::DFG::AbstractValue::isTop):
        (JSC::DFG::AbstractValue::top):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::operator==):
        (JSC::DFG::AbstractValue::merge):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::validate):
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGBasicBlock.h: Added.
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::BasicBlock::getBytecodeBegin):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::setupPredecessors):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::block):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.h:
        (JSC::DFG::NodeIndexTraits::defaultValue):
        (JSC::DFG::Node::variableAccessData):
        (JSC::DFG::Node::takenBytecodeOffsetDuringParsing):
        (JSC::DFG::Node::notTakenBytecodeOffsetDuringParsing):
        (JSC::DFG::Node::setTakenBlockIndex):
        (JSC::DFG::Node::setNotTakenBlockIndex):
        (JSC::DFG::Node::takenBlockIndex):
        (JSC::DFG::Node::notTakenBlockIndex):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGOperands.h: Added.
        (JSC::DFG::operandIsArgument):
        (JSC::DFG::OperandValueTraits::defaultValue):
        (JSC::DFG::Operands::Operands):
        (JSC::DFG::Operands::numberOfArguments):
        (JSC::DFG::Operands::numberOfLocals):
        (JSC::DFG::Operands::argument):
        (JSC::DFG::Operands::local):
        (JSC::DFG::Operands::setLocal):
        (JSC::DFG::Operands::setArgumentFirstTime):
        (JSC::DFG::Operands::setLocalFirstTime):
        (JSC::DFG::Operands::operand):
        (JSC::DFG::Operands::setOperand):
        (JSC::DFG::Operands::clear):
        (JSC::DFG::dumpOperands):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::propagatePredictions):
        (JSC::DFG::Propagator::performBlockCFA):
        (JSC::DFG::Propagator::performForwardCFA):
        (JSC::DFG::Propagator::globalCFA):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureSet.h:
        (JSC::DFG::StructureSet::clear):
        (JSC::DFG::StructureSet::predictionFromStructures):
        (JSC::DFG::StructureSet::operator==):
        (JSC::DFG::StructureSet::dump):
        * dfg/DFGVariableAccessData.h: Added.

2011-10-11  Gavin Barraclough  <baraclough@apple.com>

        DFG JIT 32_64 - Fix silentFillGPR for non-integer constants.
        https://bugs.webkit.org/show_bug.cgi?id=69890

        Reviewed by Oliver Hunt.

        Cell constants are currently hitting the valueOfInt32Constant case, there is no constant handling for JSValues.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillGPR):

2011-10-11  Ryosuke Niwa  <rniwa@webkit.org>

        GTK build fix attempt after r97197.

        * wtf/BitVector.h:

2011-10-11  Oliver Hunt  <oliver@apple.com>

        Remove unintentional logging.

        * heap/Heap.cpp:

2011-10-11  Oliver Hunt  <oliver@apple.com>

        Tidy up card walking logic
        https://bugs.webkit.org/show_bug.cgi?id=69883

        Reviewed by Gavin Barraclough.

        Special case common cell sizes when walking a block's
        cards.

        * heap/CardSet.h:
        (JSC::::testAndClear):
        * heap/Heap.cpp:
        (JSC::GCTimer::GCCounter::GCCounter):
        (JSC::GCTimer::GCCounter::count):
        (JSC::GCTimer::GCCounter::~GCCounter):
        (JSC::Heap::markRoots):
        * heap/MarkStack.cpp:
        (JSC::MarkStack::reset):
        * heap/MarkStack.h:
        (JSC::MarkStack::visitCount):
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::append):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::gatherDirtyCellsWithSize):
        (JSC::MarkedBlock::gatherDirtyCells):
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):

2011-10-11  Filip Pizlo  <fpizlo@apple.com>

        DFG virtual register allocator should be more aggressive in
        reusing temporary slots
        https://bugs.webkit.org/show_bug.cgi?id=69868

        Reviewed by Oliver Hunt.
        
        1.2% win on V8, neutral elsewhere. The win is probably because it
        increases precision of GC conservative scans.
        
        This required making the DFG::ScoreBoard operate over a bitvector
        of preserved variables, rather than just a preserved variable
        threshold. To do this, I improved the WTF::BitVector class to make
        it more user-friendly. It still retains all previous functionality.
        Also made changes to PackedIntVector to accomodate those changes.
        Finally, this adds more debugging to the virtual register allocator
        and to the OSR exit code, as this was necessary to track down bugs
        in an earlier version of this patch.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getLocal):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::allocateVirtualRegisters):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::ScoreBoard):
        (JSC::DFG::ScoreBoard::~ScoreBoard):
        (JSC::DFG::ScoreBoard::allocate):
        (JSC::DFG::ScoreBoard::use):
        (JSC::DFG::ScoreBoard::highWatermark):
        (JSC::DFG::ScoreBoard::dump):
        (JSC::DFG::ScoreBoard::max):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueRecovery::dump):
        * wtf/BitVector.cpp:
        (WTF::BitVector::setSlow):
        (WTF::BitVector::resizeOutOfLine):
        (WTF::BitVector::dump):
        * wtf/BitVector.h:
        (WTF::BitVector::BitVector):
        (WTF::BitVector::operator=):
        (WTF::BitVector::quickGet):
        (WTF::BitVector::quickSet):
        (WTF::BitVector::quickClear):
        (WTF::BitVector::get):
        (WTF::BitVector::set):
        (WTF::BitVector::clear):
        * wtf/PackedIntVector.h:
        (WTF::PackedIntVector::get):
        (WTF::PackedIntVector::set):

2011-10-11  Gavin Barraclough  <baraclough@apple.com>

        DFG JIT 32_64 - Switch to cdecl calling convention.
        https://bugs.webkit.org/show_bug.cgi?id=69863

        Reviewed by Oliver Hunt.

        This makes it easier to keep the stack correctly aligned, which is required on OS X.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
            - Provide default FunctionPtr constructors for CDECL functions on STDCALL platforms.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
            - Switch calls to poke arguments rather than pushing them.
        (JSC::DFG::resetCallArguments):
        (JSC::DFG::addCallArgument):
        (JSC::DFG::addCallArgumentBoxed):
            - Helper functions to stack up call arguments on X86.
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
            - Don't push, poke!
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::compileBody):
            - Don't push, poke!
        * dfg/DFGOperations.cpp:
            - Switch ReturnAddress wrappers to push return address last, update asm trampolines.
        * dfg/DFGOperations.h:
            - switch DFG_OPERATION to assert CDECL on STDCALL platforms.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::fmodWithCDecl):
        (JSC::DFG::SpeculativeJIT::compile):
            - On STDCALL platforms wrap fmod, since DFG_OPERATION wrappers are CDECL.

2011-10-11  Gavin Barraclough  <baraclough@apple.com>

        Switch RegisterSizedBoolean/dfgConvertJSValueToInt32 return type to size_t
        https://bugs.webkit.org/show_bug.cgi?id=69821

        Reviewed by Filip Pizlo.

        Operations returning types Z (int32_t) and B (RegisterSizedBoolean - implemented as an
        intptr_t) are indistinguishable on 32-bit Linux, preventing the DFG JIT from building.

        dfgConvertJSValueToInt32 would be better returning a value known to be register sized, for
        JSVALUE64 (we currently zero-extend in JIT code, potentially introducing an unnecessary
        move), so by switching all associated operations to return a size_t we can fix the type
        problem on Linux & make it a small tweak that removes an unnecessary instruction.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
            - comparisons now return a size_t.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
            - Removed Z_DFGOperation_EJ form.
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
            - comparisons now return a size_t.
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
            - comparisons now return a size_t.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
            - Change return types for comparison operations & dfgConvertJSValueToInt32 to size_t,
              Both need to return values zero extended to fill a register.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
            - comparisons now return a size_t.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
            - comparisons now return a size_t.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
            - comparisons now return a size_t.

2011-10-11  Tor Arne Vestbø  <tor.arne.vestbo@nokia.com>

        [Qt] Remove all references to QTDIR_build and standalone_package

        Qt is now modularized, which means we no longer import WebKit into
        the Qt source tree. Instead we use git submodules, and building
        QtWebKit as "part of Qt" is really building QtWebKit as from trunk.

        To decrease the number of buildsystem configurations we also remove
        the standalone_package code-path used when we were providing tarballs
        with the derived sources pre-generated.

        Reviewed by Simon Hausmann.

        * DerivedSources.pro:
        * JavaScriptCore.pri:
        * JavaScriptCore.pro:

2011-10-11  Yuqiang Xian  <yuqiang.xian@intel.com>

        Add missing copyright notice in DFG JIT files
        https://bugs.webkit.org/show_bug.cgi?id=69809

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        * dfg/DFGJITCompiler32_64.cpp:
        * dfg/DFGJITCompilerInlineMethods.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:

2011-10-10  Filip Pizlo  <fpizlo@apple.com>

        DFG JSVALUE64 spill/fill code should not box integers and doubles
        https://bugs.webkit.org/show_bug.cgi?id=69782

        Reviewed by Oliver Hunt.
        
        Added the notion of DataFormatInteger and DataFormatDouble to the spillFormat.
        This required changing all of the places that spill registers (both silently
        and not) and filling registers (both silently and on demand). It also required
        changing OSR exit to recognize that a spilled value (DisplacedInRegisterFile)
        may have the wrong format for the old JIT (unboxed int or double).
        
        This is a slight win on Kraken (0.25%) and neutral elsewhere.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::spill):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::spill):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueRecovery::displacedInRegisterFile):
        (JSC::DFG::ValueRecovery::virtualRegister):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):

2011-10-10  Gavin Barraclough  <baraclough@apple.com>

        DFG JIT switch dfgConvert methods to use callOperation
        https://bugs.webkit.org/show_bug.cgi?id=69806

        Reviewed by Filip Pizlo.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        * dfg/DFGOperations.h:

2011-10-10  Gavin Barraclough  <baraclough@apple.com>

        Remove some unused methods from the DFG JIT.

        Rubber stamped by Oliver Hunt

        Thee methods were only used by the non-speculative JIT, and can be removed.

        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCodeGenerator32_64.cpp:
        * dfg/DFGJITCodeGenerator64.cpp:
            - removed:
                nonSpeculativeAdd
                nonSpeculativeArithSub
                nonSpeculativeArithMod
                nonSpeculativeCheckHasInstance
                nonSpeculativeInstanceOf
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
            - removed:
                operationArithMod
                operationInstanceOf
                operationThrowHasInstanceError

2011-10-10  Gavin Barraclough  <baraclough@apple.com>

        Switch most calls in DFGJITCodeGenerator to use callOperation.
        https://bugs.webkit.org/show_bug.cgi?id=69802

        Reviewed by Oliver Hunt.

        Compares, add, mod are the easy cases.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:

2011-10-10  Gavin Barraclough  <baraclough@apple.com>

        DFG: Switch GetById / PutById to use callOperation
        https://bugs.webkit.org/show_bug.cgi?id=69795

        Reviewed by Oliver Hunt.

        Also make the take base as a cell, so 32_64 doesn't have to set up the cell tag.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::appropriatePutByIdFunction):

2011-10-10  Filip Pizlo  <fpizlo@apple.com>

        REGRESSIoN (r95399): Web process hangs when opening documents on Google Docs
        https://bugs.webkit.org/show_bug.cgi?id=69412

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:

2011-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove getCallDataVirtual methods
        https://bugs.webkit.org/show_bug.cgi?id=69186

        Reviewed by Geoffrey Garen.

        Removed all getCallDataVirtual methods and replaced their call sites 
        with an explicit lookup in the MethodTable.

        * API/JSCallbackFunction.cpp:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:

        Moved StrictModeTypeErrorFunction to Error.h in order to be able to include 
        the class definition in JSGlobalObject.cpp.
        * runtime/Error.cpp:
        (JSC::createTypeErrorFunction):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        (JSC::StrictModeTypeErrorFunction::create):
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::getConstructData):
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:

        To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have 
        to declare their own ClassInfo if they don't override getCallData, provided 
        an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same 
        functionality as of the pure virtual method InternalFunction used to have.
        Also made this new implementation protected rather than private for the same reason.
        Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever 
        object is being created provides their own implementation of getCallData.  This 
        just makes execution fail earlier in a place where the source of the error is 
        easy to trace.  These ASSERTs are better than putting a null in the MethodTable because
        they appear much more intentional to anybody who fails to provide their own 
        implementation or who tries to explicitly call InternalFunction::getCallData.
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::getCallData):
        * runtime/InternalFunction.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:

        Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable 
        it to be reused rather than creating a new Structure every time we instantiate it.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/JSObject.h:
        (JSC::getCallData):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectConstructor.h:
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        (JSC::jsIsFunctionType):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/Structure.h:

2011-10-10  Gavin Barraclough  <barraclough@apple.com>

        Switch last calls from DFGSpeculativeJIT to use callOperation.
        https://bugs.webkit.org/show_bug.cgi?id=69780

        Reviewed by Oliver Hunt.

        Also, rename type in operations for booleans from Z to B, since Z is the mathematical symbol for integers.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * wtf/Platform.h:

2011-10-10  Yuqiang Xian  <yuqiang.xian@intel.com>

        JSVALUE32_64 DFG JIT - bug fix for V8 benchmark cases "crypto" and "raytrace"
        https://bugs.webkit.org/show_bug.cgi?id=69748

        Reviewed by Filip Pizlo.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):

2011-10-10  Adam Roben  <aroben@apple.com>

        Build fix

        * wtf/MainThread.h: Pull in Platform.h since this file uses PLATFORM() macros.

2011-10-10  Yuqiang Xian  <yuqiang.xian@intel.com>

        JSVALUE32_64 DFG JIT - Bug fix for BranchNull
        https://bugs.webkit.org/show_bug.cgi?id=69743

        Reviewed by Darin Adler.

        This fixes the error in access-binary-trees. All SunSpider cases passed.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):

2011-10-07  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT: callOperation should return the Call.
        https://bugs.webkit.org/show_bug.cgi?id=69682

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        (JSC::DFG::appendCallWithExceptionCheckSetResult):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendCall):
        * wtf/Platform.h:

2011-10-10  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r97045.
        http://trac.webkit.org/changeset/97045
        https://bugs.webkit.org/show_bug.cgi?id=69746

        makes apple bots very crashy :( (Requested by kling on
        #webkit).

        * config.h:

2011-10-10  Andreas Kling  <kling@webkit.org>

        Shrink BorderValue.
        https://bugs.webkit.org/show_bug.cgi?id=69521

        Reviewed by Antti Koivisto.

        * config.h: Touch to force full rebuild.

2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>

        Improve Null or Undefined test in 32_64 DFG
        https://bugs.webkit.org/show_bug.cgi?id=69734

        Reviewed by Darin Adler.

        Currently Null or Undefined value test in 32_64 DFG will check
        Null and Undefined tag separately and introduce one more branch.
        It can be improved in the way how the baseline JIT is doing - by
        relying on the fact that "UndefinedTag + 1 == NullTag and NullTag & 1".

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>

        JSVALUE32_64 DFG JIT - Bug fix for ConvertThis
        https://bugs.webkit.org/show_bug.cgi?id=69721

        Reviewed by Darin Adler.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>

        Remove unused callOperation code of DFG JIT on X86
        https://bugs.webkit.org/show_bug.cgi?id=69722

        Reviewed by Filip Pizlo.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):

2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>

        JSVALUE32_64 DFG JIT - fillJSValue with a pair of GPRs should not set the registerFormat to be DataFormatJSDouble
        https://bugs.webkit.org/show_bug.cgi?id=69720

        Reviewed by Filip Pizlo.

        In JSVALUE32_64 DFG, DataFormatJSDouble is assumed to be represented by
        a FPR and will be used for further optimizations, though we currently
        don't fully utilize it. For now when filling a JS value which was
        spilled as a JSDouble with a pair of GPRs, we'll set the registerFormat
        to DataFormatJS to avoid compilation errors.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillJSValue):

2011-10-09  Filip Pizlo  <fpizlo@apple.com>

        DFG should not always speculate that a ByVal access has an integer index
        https://bugs.webkit.org/show_bug.cgi?id=69716

        Reviewed by Oliver Hunt.
        
        1% win on SunSpider, neutral elsewhere.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::byValHasIntBase):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>

        Fix value profiling in 32_64 JIT
        https://bugs.webkit.org/show_bug.cgi?id=69717

        Reviewed by Filip Pizlo.

        Current value profiling for 32_64 JIT is broken and cannot record
        correct predicated types, which results in many speculation failures
        in the 32_64 DFG JIT, fallbacks to baseline JIT, and re-optimizations
        again and again. 
        With this fix 32_64 DFG JIT can demonstrate real performance gains.

        * bytecode/ValueProfile.cpp:
        (JSC::ValueProfile::computeStatistics):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::classInfo):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::isLive):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfBooleans):
        (JSC::ValueProfile::dump):
            Empty value check should be performed on decoded JSValue,
            as for 32_64 empty value is not identical to encoded 0.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):
            Record the right profiling result for 32_64.

2011-10-09  Yuqiang Xian  <yuqiang.xian@intel.com>

        Remove 32 bit restrictions in DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69711

        Reviewed by Filip Pizlo.

        op_call/op_construct support was disabled for 32 bit DFG JIT because
        there was regression in javascriptcore tests. Now the bugs are fixed
        and there should be no regression. This makes 32 bit DFG have the same
        capability as 64 bit DFG, and improves the coverage.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):

2011-10-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static version of JSCell::getConstructData
        https://bugs.webkit.org/show_bug.cgi?id=69673

        Reviewed by Geoffrey Garen.

        Added static version of getConstructData to all classes that 
        override it and changed the virtual versions to call the static 
        versions.  This is the first step in de-virtualizing JSCell::getConstructData.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::getConstructData):
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getConstructData):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getConstructData):
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::getConstructData):
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getConstructData):
        * runtime/DateConstructor.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::getConstructData):
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::getConstructData):
        * runtime/FunctionConstructor.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getConstructData):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getConstructData):
        * runtime/JSFunction.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::getConstructData):
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getConstructData):
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getConstructData):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getConstructData):
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getConstructData):
        * runtime/StringConstructor.h:

2011-10-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static version of JSCell::getOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=69593

        Reviewed by Geoffrey Garen.

        Added static version of getOwnPropertySlot to every class that overrides
        JSCell::getOwnPropertySlot.  The virtual versions now call the static versions.
        This is the first step in de-virtualizing JSCell::getOwnPropertySlot.

        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::getOwnPropertySlot):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArray.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::getOwnPropertySlot):
        * runtime/JSBoundFunction.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::getOwnPropertySlot):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertySlot):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::getOwnPropertySlot):
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlot):
        * runtime/JSObject.h:
        (JSC::JSObject::getOwnPropertySlot):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::getOwnPropertySlot):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::getOwnPropertySlot):
        * runtime/JSString.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::getOwnPropertySlot):
        * runtime/MathObject.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::getOwnPropertySlot):
        * runtime/ObjectPrototype.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertySlot):
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::getOwnPropertySlot):
        * runtime/StringPrototype.h:

2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>

        JSVALUE32_64 DFG JIT - GetLocal should produce a cell result for Array predictions
        https://bugs.webkit.org/show_bug.cgi?id=69699

        Reviewed by Filip Pizlo.

        It should match SetLocal where only payload is stored for array predictions.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>

        JSVALUE32_64 DFG JIT - Bug fixes for Branch and LogicalNot
        https://bugs.webkit.org/show_bug.cgi?id=69702

        Reviewed by Filip Pizlo.

        There are some errors in generating code for Branch and LogicalNot,
        when the operand is predicted as ObjectOrOther.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

2011-10-08  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r96996.
        http://trac.webkit.org/changeset/96996
        https://bugs.webkit.org/show_bug.cgi?id=69697

        It broke all tests on the Qt bot (Requested by Ossy_night on
        #webkit).

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::getCallDataVirtual):
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getCallDataVirtual):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getCallDataVirtual):
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::getCallDataVirtual):
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getCallDataVirtual):
        * runtime/DateConstructor.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        (JSC::StrictModeTypeErrorFunction::create):
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::getConstructData):
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        (JSC::StrictModeTypeErrorFunction::createStructure):
        (JSC::createTypeErrorFunction):
        * runtime/Error.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::getCallDataVirtual):
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::getCallDataVirtual):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::getCallDataVirtual):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getCallDataVirtual):
        * runtime/JSCell.h:
        (JSC::getCallData):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getCallDataVirtual):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/JSObject.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::getCallDataVirtual):
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getCallDataVirtual):
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getCallDataVirtual):
        * runtime/ObjectConstructor.h:
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        (JSC::jsIsFunctionType):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getCallDataVirtual):
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getCallDataVirtual):
        * runtime/StringConstructor.h:
        * runtime/Structure.h:

2011-10-08  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT - only Array predictions can result in unboxed cells in register file
        https://bugs.webkit.org/show_bug.cgi?id=69695

        Reviewed by Filip Pizlo.

        In current DFG JIT, only array predictions can result in unboxed cells
        in register file, not for the other cell predictions.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):

2011-10-07  Yuqiang Xian  <yuqiang.xian@intel.com>

        bug fixes for ArrayPush and ArrayPop in 32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69696

        Reviewed by Filip Pizlo.

        On 32-bit, we should use TimesEight (8) instead of ScalePtr (4)
        to compute the address of a JS array element.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static version of JSCell::deleteProperty
        https://bugs.webkit.org/show_bug.cgi?id=69659

        Reviewed by Geoffrey Garen.

        Added static version of both versions of put to all classes that 
        override them and changed the virtual versions to call the static 
        versions.  This is the first step in de-virtualizing JSCell::deleteProperty.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::deleteProperty):
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::deleteProperty):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::deleteProperty):
        * runtime/Arguments.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::deleteProperty):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::deleteProperty):
        * runtime/JSArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::deleteProperty):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::deleteProperty):
        * runtime/JSFunction.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::deleteProperty):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::deleteProperty):
        * runtime/JSVariableObject.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::deleteProperty):
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::deleteProperty):
        * runtime/StrictEvalActivation.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::deleteProperty):
        * runtime/StringObject.h:

2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove getCallDataVirtual methods
        https://bugs.webkit.org/show_bug.cgi?id=69186

        Reviewed by Geoffrey Garen.

        Removed all getCallDataVirtual methods and replaced their call sites 
        with an explicit lookup in the MethodTable.

        * API/JSCallbackFunction.cpp:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/Error.cpp:
        (JSC::createTypeErrorFunction):

        Moved StrictModeTypeErrorFunction to Error.h in order to be able to include 
        the class definition in JSGlobalObject.cpp.
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        (JSC::StrictModeTypeErrorFunction::create):
        (JSC::StrictModeTypeErrorFunction::constructThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::getConstructData):
        (JSC::StrictModeTypeErrorFunction::callThrowTypeError):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:

        To allow subclasses of InternalFunction (e.g. QtRuntimeMethod) to not have 
        to declare their own ClassInfo if they don't override getCallData, provided 
        an implementation that calls ASSERT_NOT_REACHED if called, providing roughly the same 
        functionality as of the pure virtual method InternalFunction used to have.
        Also made this new implementation protected rather than private for the same reason.
        Also added an ASSERT in InternalFunction::finishCreation to make sure that whatever 
        object is being created provides their own implementation of getCallData.  This 
        just makes execution fail earlier in a place where the source of the error is 
        easy to trace.  These ASSERTs are better than putting a null in the MethodTable because
        they appear much more intentional to anybody who fails to provide their own 
        implementation or who tries to explicitly call InternalFunction::getCallData.
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::getCallData):
        * runtime/InternalFunction.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:

        Added a global structure to JSGlobalObject for StrictModeTypeErrorFunction to enable 
        it to be reused rather than creating a new Structure every time we instantiate it.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::strictModeTypeErrorFunctionStructure):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/JSObject.h:
        (JSC::getCallData):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectConstructor.h:
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        (JSC::jsIsFunctionType):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/Structure.h:

2011-10-07  Oliver Hunt  <oliver@apple.com>

        Add missing break statement.

        Reviewed by Gavin Barraclough.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-10-07  Oliver Hunt  <oliver@apple.com>

        Support some string intrinsics in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69678

        Reviewed by Gavin Barraclough.

        Add support for charAt and charCodeAt intrinsics in the DFG.

        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGIntrinsic.h:
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static version of JSCell::put
        https://bugs.webkit.org/show_bug.cgi?id=69382

        Reviewed by Geoffrey Garen.

        Added static version of both versions of put to all classes that 
        override them and changed the virtual versions to call the static 
        versions.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::put):
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::put):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::put):
        * runtime/Arguments.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::put):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::put):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::put):
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::put):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/JSObject.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::put):
        * runtime/JSStaticScopeObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::put):
        * runtime/ObjectPrototype.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::put):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::put):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::put):
        * runtime/RegExpObject.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::put):
        * runtime/StringObject.h:

2011-10-07  Gavin Barraclough  <barraclough@apple.com>

        Refactor DFG to make for use of callOperation
        https://bugs.webkit.org/show_bug.cgi?id=69672

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
            - Added new callOperation calls, don't ASSERT flushed (use helpers for unexpected calls, too).
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
            - Switch operationNewObject/operationCreateThis to return Cells,
            - Added C_DFGOperation_E/C_DFGOperation_EC/J_DFGOperation_EA/J_DFGOperation_EJA call types.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
            - Replace code plating calls to operations to with calls to callOperation.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
            - Replace code plating calls to operations to with calls to callOperation.

2011-10-07  Oliver Hunt  <oliver@apple.com>

        Support string indexing in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=69671

        Reviewed by Gavin Barraclough.

        Emit code to support inline indexing of strings 

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
            Shared code to perform string indexing.
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            Use compileGetByValOnString if we predict that the base object
            is a string in GetByVal.
        * runtime/JSString.h:
        (JSC::JSString::offsetOfFiberCount):
        (JSC::JSString::offsetOfValue):

2011-10-07  Filip Pizlo  <fpizlo@apple.com>

        DFG ConvertThis speculation logic is wrong
        https://bugs.webkit.org/show_bug.cgi?id=69663

        Reviewed by Oliver Hunt.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-07  Oliver Hunt  <oliver@apple.com>

        Verify that our call speculation is valid.

        Reviewed by Filip Pizlo.

        Before specialising an intrinsic we need to verify that
        we our speculation is correct.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2011-10-07  Brent Fulgham  <bfulgham@webkit.org>

        [WinCairo] Unreviewed build correction for the build bot.

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Add the missing
        Release_Cairo_CFLite and Debug_Cairo_CFLite targets so that
        build-jsc can find the target it needs to run the JSC tests.

2011-10-07  Oliver Hunt  <oliver@apple.com>

        Fix 32-bit build.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2011-10-07  Oliver Hunt  <oliver@apple.com>

        Support direct calls to intrinsic functions
        https://bugs.webkit.org/show_bug.cgi?id=69646

        Reviewed by Gavin Barraclough.

        Add support for optimising non-method_check calls
        to intrinsic functions (eg. when Math.abs, etc are
        cached in local variables). 

        * bytecode/CodeBlock.h:
        (JSC::getCallLinkInfoBytecodeIndex):
            Support searching CallLinkInfos by bytecode index
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
            Add support for linked calls in addition to method_check
            when searching for intrinsics
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasFunctionCheckData):
        (JSC::DFG::Node::function):
            Add ability to store a JSFunction* in a node - this is safe
            as the function will be marked by the codeblock we're compiling
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::checkFunctionElimination):
        (JSC::DFG::Propagator::performNodeCSE):
            Add support for new CheckFunction node, and implement CSE pass.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            Rather trivial implementation of CheckFunction
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
            Need to propagate bytecode index for calls now.

2011-10-07  Dominic Cooney  <dominicc@chromium.org>

        [JSC] Disable ThreadRestrictionVerifier for JIT ExecutableMemoryHandles
        https://bugs.webkit.org/show_bug.cgi?id=69599

        Reviewed by Sam Weinig.

        DFG JIT manipulates MetaAllocatorHandles across threads, eg in
        allocating JITCode buffers on a background thread to execute a
        proxy autoconfiguration PAC file but garbage collecting it in
        response to allocation on the main thread. Disabling
        ThreadRestrictionVerification until there is a verification scheme
        that understands this handoff.

        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::allocate):

2011-10-06  Filip Pizlo  <fpizlo@apple.com>

        DFG should not always speculate that ConvertThis is operating on an object
        https://bugs.webkit.org/show_bug.cgi?id=69570

        Reviewed by Oliver Hunt.
        
        Mostly neutral, but with a slight regression in Kraken since it increases
        coverage in DFG and thus reveals some performance pathologies (which I
        prefer to think of as performance opportunities, in a good way).

        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        (JSC::isOtherPrediction):
        (JSC::mergePredictions):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Windows build fix

        Unreviewed build fix.  Weird runtime failures on Windows due to 
        linking issues caused by the ClassInfo struct in JSByteArray not 
        being declared with JS_EXPORTDATA.

        * runtime/JSByteArray.h:

2011-10-06  Filip Pizlo  <fpizlo@apple.com>

        Structure does not reset m_previous when pinning the property map
        https://bugs.webkit.org/show_bug.cgi?id=69583

        Reviewed by Gavin Barraclough.
        
        This is an 0.6% performance improvement in V8, and 0.2% overall.

        * runtime/Structure.cpp:
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::getterSetterTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin):
        * runtime/Structure.h:

2011-10-06  Anders Carlsson  <andersca@apple.com>

        When building with clang, enable -Wglobal-constructors and -Wexit-time-destructors
        https://bugs.webkit.org/show_bug.cgi?id=69586

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:
        Add -Wglobal-constructors and -Wexit-time-destructors when building with clang.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        When building with clang, we don't need to run the check-for-global-initializers and
        check-for-exit-time-destructors anymore.

        * jsc.cpp:
        (runInteractive):
        Move interpreterName into runInteractive.

        * wtf/StdLibExtras.h:
        When building with clang, disable the -Wglobal-constructors and -Wexit-time-destructors
        warnings around the variable declaration.

2011-10-06  Anders Carlsson  <andersca@apple.com>

        Add DEFINE_DEBUG_ONLY_GLOBAL for globals that should be defined in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=69584

        Reviewed by Darin Adler.

        Add DEFINE_DEBUG_ONLY_GLOBAL macro.

        * wtf/StdLibExtras.h:

2011-10-06  Oliver Hunt  <oliver@apple.com>

        Write barrier shouldn't allocate temporaries inside control flow
        https://bugs.webkit.org/show_bug.cgi?id=69582

        Reviewed by Gavin Barraclough.

        Reorder the code to avoid spill-related badness.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):

2011-10-06  Filip Pizlo  <fpizlo@apple.com>

        DFG::shouldSpeculate methods are too complicated
        https://bugs.webkit.org/show_bug.cgi?id=69560

        Reviewed by Geoffrey Garen.
        
        Moved shouldSpeculate methods to DFG::Node, and cleaned them up to
        just use node predictions.
        
        By itself this would have meant that SpeculativeJIT code would have
        had to say things like m_jit.graph()[nodeIndex].shouldSpeculateXYZ().
        So this adds an at(NodeIndex) method to JITCodeGenerator. I replaced
        all uses of the m_jit.graph()[nodeIndex] idiom with at(nodeIndex).
        
        This is an 0.4% progression overall that shows up in all benchmarks,
        for reasons unknown.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::at):
        (JSC::DFG::JITCodeGenerator::canReuse):
        (JSC::DFG::JITCodeGenerator::isFilled):
        (JSC::DFG::JITCodeGenerator::isFilledDouble):
        (JSC::DFG::JITCodeGenerator::use):
        (JSC::DFG::JITCodeGenerator::silentSpillFPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::detectPeepHoleBranch):
        (JSC::DFG::integerResult):
        (JSC::DFG::noResult):
        (JSC::DFG::cellResult):
        (JSC::DFG::jsValueResult):
        (JSC::DFG::storageResult):
        (JSC::DFG::doubleResult):
        (JSC::DFG::initConstantInfo):
        (JSC::DFG::appendCallWithExceptionCheck):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInteger):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::shouldNotSpeculateInteger):
        (JSC::DFG::Node::shouldSpeculateFinalObject):
        (JSC::DFG::Node::shouldSpeculateFinalObjectOrOther):
        (JSC::DFG::Node::shouldSpeculateArray):
        (JSC::DFG::Node::shouldSpeculateArrayOrOther):
        (JSC::DFG::Node::shouldSpeculateObject):
        (JSC::DFG::Node::shouldSpeculateCell):
        (JSC::DFG::Node::canSpeculateInteger):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::isKnownArray):
        (JSC::DFG::SpeculativeJIT::isKnownString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-06  Gavin Peters  <gavinp@chromium.org>

        REGRESSION (r96595): First frame in assertion backtraces is no longer labeled "1"
        https://bugs.webkit.org/show_bug.cgi?id=69556

        Reviewed by Adam Roben.

        * wtf/Assertions.cpp:

2011-10-06  Filip Pizlo  <fpizlo@apple.com>

        DFG implementation of UInt32ToNumber is missing a break statement
        https://bugs.webkit.org/show_bug.cgi?id=69552

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-06  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed build fix for DFG JIT 32_64 release builds.

        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITCompiler32_64.cpp:
            - Remove three unused methods.

2011-10-06  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT 32_64 should check type of values being filled by fillSpeculateInt
        https://bugs.webkit.org/show_bug.cgi?id=69549

        Reviewed by Oliver Hunt.

        This breaks sunspider/3d-cube.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
            - Speculation check on the tag. 

2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Snow Leopard build fix

        Unreviewed build fix

        * JavaScriptCore.exp:

2011-10-05  Gavin Barraclough  <barraclough@apple.com>

        Add explicit JSGlobalThis type.
        https://bugs.webkit.org/show_bug.cgi?id=69478

        Reviewed by Darin Adler.

        JSC supports a split global object, as used by WebCore for the Window. As a stage
        of making this visible to JSC, make it so that if the global this value is not the
        global object itself, it must be a subclass of JSGlobalThis.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::finishCreation):
            - Don't pass the thisValue to JSGlobalObject::finishCreation.
        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added JSGlobalThis.h
        * jsc.cpp:
        (GlobalObject::finishCreation):
            - Don't pass the thisValue to JSGlobalObject::finishCreation.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::finishCreation):
            - finishCreation takes a JSGlobalThis, or thisValue is implicit.
        * runtime/JSGlobalThis.h: Added.
        (JSC::JSGlobalThis::create):
        (JSC::JSGlobalThis::JSGlobalThis):
        (JSC::JSGlobalThis::finishCreation):
            - Thin wrapper on JSNonFinalObject to allow type checking.
        * testRegExp.cpp:
        (GlobalObject::finishCreation):
            - Don't pass the thisValue to JSGlobalObject::finishCreation.

2011-10-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC objects need to know their own cell size at runtime.
        https://bugs.webkit.org/show_bug.cgi?id=69390

        Reviewed by Geoffrey Garen.

        Added the cellSize field to ClassInfo and the static calculation of 
        size of each class to the CREATE_METHOD_TABLE macro, which will be 
        renamed in a followup patch to make its name match its broader use.

        Also added a few ClassInfo structs so that each object that is allocated has its 
        correct size.  

        * JavaScriptCore.exp:
        * runtime/ClassInfo.h:

        Changed JSByteArray s_defaultInfo to s_info so that the template will get the 
        correct ClassInfo struct from it when it's allocated.
        * runtime/JSByteArray.cpp:
        * runtime/JSByteArray.h:
        * runtime/JSCell.h:
        (JSC::allocateCell):
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        (JSC::JSCell::cellSize):
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StrictEvalActivation.h:

2011-10-06  Gavin Peters  <gavinp@chromium.org>

        export new stack dumping method
        https://bugs.webkit.org/show_bug.cgi?id=69018

        The original landing of bug 69018 didn't export WTFGetBacktrace, so that when bug 69453 landed, the first use
        of this function, many builds broke.  So here we add the exports, so that the function is usable.

        Reviewed by Adam Roben.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-10-06  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r96347): Build is broken with MSVC compiler if !PLATFORM(WINDOWS)
        https://bugs.webkit.org/show_bug.cgi?id=69413

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerCodeRef.h: Define STDCALL for MSVC in a proper way.

2011-10-05  Filip Pizlo  <fpizlo@apple.com>

        SpeculativeJIT::isKnownString() is wrong
        https://bugs.webkit.org/show_bug.cgi?id=69501

        Reviewed by Oliver Hunt.
        
        Removed the wrong case (GetLocal predicted String) and added a case that
        works (StrCat).

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isKnownString):

2011-10-05  Ryosuke Niwa  <rniwa@webkit.org>

        Windows build fix attempt after r96760.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-10-05  Chris Rogers  <crogers@google.com>

        Define a log2f() function for Windows in wtf/MathExtras.h
        https://bugs.webkit.org/show_bug.cgi?id=69491

        Reviewed by Darin Adler.

        * wtf/MathExtras.h:
        (log2f):

2011-10-05  Jer Noble  <jer.noble@apple.com>

        Enable WEB_AUDIO by default in the WebKit/mac port.
        https://bugs.webkit.org/show_bug.cgi?id=68587

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-10-05  Filip Pizlo  <fpizlo@apple.com>

        Assertion hit in JSC::DFG::SpeculativeJIT::compile on SL bots
        https://bugs.webkit.org/show_bug.cgi?id=69346

        Reviewed by Oliver Hunt.
        
        Removed the assertion, since it was completely wrong for op_post_inc.
        Short of having specialized PostInc nodes in the DFG, there is no
        robust way of asserting what this assertion was trying to assert while
        also supporting op_post_inc.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-05  Geoffrey Garen  <ggaren@apple.com>

        Added a simpler mechanism for registering one-off finalizers
        https://bugs.webkit.org/show_bug.cgi?id=69466

        Reviewed by Oliver Hunt.

        * heap/Heap.cpp:
        (JSC::Heap::addFinalizer):
        (JSC::Heap::FinalizerOwner::finalize):
        * heap/Heap.h: New function for adding an arbitrary finalizer for an
        arbitrary cell without declaring any special classes or Handles yourself.

        * JavaScriptCore.exp: Fix build.

        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):
        (JSC::ExecutableBase::clearCodeVirtual):
        (JSC::EvalExecutable::clearCodeVirtual):
        (JSC::ProgramExecutable::clearCodeVirtual):
        (JSC::FunctionExecutable::discardCode):
        (JSC::FunctionExecutable::clearCodeVirtual):
        * runtime/Executable.h:
        (JSC::ExecutableBase::finishCreation): Use the new mechanism for eager
        finalization of executables.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::clearRareData):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::createRareDataIfNeeded):
        (JSC::JSGlobalObject::registerWeakMap): Use the new mechanism for eager
        finalization of weak maps.

2011-10-05  Adam Roben  <aroben@apple.com>

        Ensure RetainPtr::hashTableDeletedValue returns a pointer, not a pointer to a pointer

        RetainPtr's behavior of allowing the template parameter to be either a pointer type or a
        pointed-to type confused us when we implemented hashTableDeletedValue.

        Fixes <http://webkit.org/b/69414> <rdar://problem/10236833> Using RetainPtr as the key type
        in HashMap/HashSet fails to compile

        Reviewed by John Sullivan.

        * wtf/RetainPtr.h:
        (WTF::RetainPtr::hashTableDeletedValue): Changed to use the PtrType typedef rather than T*,
        since T might itself be a pointer.

        (WTF::PtrHash<RetainPtr<P> >): Updated this to use PtrType everywhere, even though T* didn't
        seem to be causing a problem.

2011-10-05  Oliver Hunt  <oliver@apple.com>

        Remove last vestiges of anonymous storage.

        Reviewed by Gavin Barraclough.

        One anonymous storage function escaped my prior purge of
        this feature, this patch removes it.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSObject.h:

2011-10-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should be capable of a broader range of speculations on branch and not
        https://bugs.webkit.org/show_bug.cgi?id=69322

        Reviewed by Oliver Hunt.
        
        * bytecode/PredictedType.h:
        (JSC::isFinalObjectOrOtherPrediction):
        (JSC::isArrayOrOtherPrediction):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::JITCodeGenerator):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObjectOrOther):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateArrayOrOther):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):

2011-10-05  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r96733.
        http://trac.webkit.org/changeset/96733
        https://bugs.webkit.org/show_bug.cgi?id=69454

        Broke GCC for some reason (Requested by andersca on #webkit).

        * wtf/ListHashSet.h:
        (WTF::ListHashSetReverseIterator::ListHashSetReverseIterator):
        (WTF::ListHashSetReverseIterator::get):
        (WTF::ListHashSetReverseIterator::operator*):
        (WTF::ListHashSetReverseIterator::operator->):
        (WTF::ListHashSetReverseIterator::operator++):
        (WTF::ListHashSetReverseIterator::operator--):
        (WTF::ListHashSetReverseIterator::operator==):
        (WTF::ListHashSetReverseIterator::operator!=):
        (WTF::ListHashSetReverseIterator::operator const_reverse_iterator):
        (WTF::ListHashSetReverseIterator::node):
        (WTF::ListHashSetConstReverseIterator::ListHashSetConstReverseIterator):
        (WTF::ListHashSetConstReverseIterator::get):
        (WTF::ListHashSetConstReverseIterator::operator*):
        (WTF::ListHashSetConstReverseIterator::operator->):
        (WTF::ListHashSetConstReverseIterator::operator++):
        (WTF::ListHashSetConstReverseIterator::operator--):
        (WTF::ListHashSetConstReverseIterator::operator==):
        (WTF::ListHashSetConstReverseIterator::operator!=):
        (WTF::ListHashSetConstReverseIterator::node):
        (WTF::::rbegin):
        (WTF::::rend):
        (WTF::::makeReverseIterator):
        (WTF::::makeConstReverseIterator):

2011-10-04  Oliver Hunt  <oliver@apple.com>

        Add rudimentary filtering to write barriers
        https://bugs.webkit.org/show_bug.cgi?id=69392

        Reviewed by Filip Pizlo.

        Add approximate filtering for write barriers based on the
        target's mark bit.  Also add some macros to support dumping
        GC phase timings.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::markCellCard):
        * heap/Heap.cpp:
        (JSC::GCTimer::GCTimerScope::GCTimerScope):
        (JSC::GCTimer::GCTimerScope::~GCTimerScope):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
           Add phase timing information.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::offsetOfMarks):
        (JSC::MarkedBlock::gatherDirtyCells):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2011-10-05  Anders Carlsson  <andersca@apple.com>

        Use std::reverse_iterator for ListHashSet reverse iterators
        https://bugs.webkit.org/show_bug.cgi?id=69446

        Reviewed by Darin Adler.

        * wtf/ListHashSet.h:
        Use the std::reverse_iterator iterator adaptor for the ListHashSet reverse iterators
        and get rid of the ListHashSetReverseIterator and ListHashSetConstReverseIterator classes.

2011-10-04  Gavin Barraclough  <barraclough@apple.com>

        Make Object.prototype getter/setter methods match ES5 behaviour
        https://bugs.webkit.org/show_bug.cgi?id=69393

        Reviewed by Sam Weinig.

        The rest of Object.prototype no longer substitute Null/Undefined with the global object,
        this is old ES3 behaviour. Remove it here too.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2011-10-05  Patrick Gansterer  <paroga@webkit.org>

        Get rid of posixThread in MachineStackMarker::Thread
        https://bugs.webkit.org/show_bug.cgi?id=54836

        Reviewed by Oliver Hunt.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Thread):
        (JSC::getCurrentPlatformThread):
        (JSC::equalThread):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeCurrentThread):
        (JSC::MachineThreads::gatherConservativeRoots):

2011-10-04  Geoffrey Garen  <ggaren@apple.com>

        Removed JSValue::toJSNumber
        https://bugs.webkit.org/show_bug.cgi?id=69399

        No perf. change.

        toJSNumber() used to provide an implicit fast path for immediate numbers,
        but those fast paths are all explicit now, so it's just cruft.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSValue.h:
        * runtime/JSValueInlineMethods.h:

2011-10-05  Gavin Peters  <gavinp@chromium.org>

        REGRESSION (r96595): WTFReportBacktrace listed as the top frame in all assertion backtraces
        https://bugs.webkit.org/show_bug.cgi?id=69424

        Skip an extra frame in WTFReportBacktrace.  As well, I now don't count skipped frames in maxFrames,
        so I've updated maxFrames to 31, as with one skipped frame the previous value was effectively
        31 reported frames.

        Reviewed by Adam Roben.

        * wtf/Assertions.cpp:
        * wtf/Assertions.h:

2011-10-05  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed WinCE build fix for r96595.

        * wtf/Assertions.cpp:
        RtlCaptureStackBackTrace() isn't available on WinCE.

2011-10-04  Kent Tamura  <tkent@chromium.org>

        Introduce feature flags for incomplete input types
        https://bugs.webkit.org/show_bug.cgi?id=68971

        Reviewed by Hajime Morita.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_INPUT_TYPE_* flags. They are enabled only for iOS.

2011-10-04  Geoffrey Garen  <ggaren@apple.com>

        Build fix.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION): Use an explicit cast when shortening.

2011-10-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static ClassInfo structs to classes that override JSCell::getCallData
        https://bugs.webkit.org/show_bug.cgi?id=69311

        Reviewed by Darin Adler.

        Added ClassInfo structs to each class that defined its own getCallData 
        function but did not already have its own ClassInfo struct.  This is a 
        necessary addition for when we switch over to looking up getCallData from 
        the MethodTable in ClassInfo rather than doing the virtual call (which we 
        are removing).  These new ClassInfo structs are public because we often 
        use these structs in other areas of the code to uniquely identify JSC classes and 
        to enforce runtime invariants based on those class identities using ASSERTs.
        Also added new createStructure methods to those classes that didn't have 
        them so that the new ClassInfo structs would be used when creating the Structures 
        in these classes.

        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):

        getCallData was not marked as static in StrictModeTypeErrorFunction.  
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:

2011-10-03  Geoffrey Garen  <ggaren@apple.com>

        Some JSValue cleanup
        https://bugs.webkit.org/show_bug.cgi?id=69320

        Reviewed by Darin Adler.
        
        No measurable performance change.

        Removed some JSValue::get* functions. get* used to be an optimization
        when every value operation was a virtual function call: get* would combine
        two virtual calls into one. Now, with non-virtual, inlined functions, get*
        isn't faster, and may be slightly slower.

        Merged getBoolean(bool&) and getBoolean() into asBoolean().

        Merged uncheckedGetNumber(), getJSNumber() and getNumber() into
        asNumber().

        * runtime/JSValue.h:
        * runtime/JSValueInlineMethods.h:
        (JSC::JSValue::asNumber):
        (JSC::JSValue::asBoolean): As promised!

        * runtime/NumberPrototype.cpp:
        (JSC::toThisNumber):
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString):
        (JSC::numberProtoFuncValueOf): Removed a bunch of uses of getJSNumber()
        by switching to toThisNumber().

        * API/JSCallbackObjectFunctions.h:
        (JSC::::toNumber):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfNumberConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/DateInstance.h:
        (JSC::DateInstance::internalNumber):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncBind):
        * runtime/JSArray.cpp:
        (JSC::compareNumbersForQSort): Replaced getNumber() => isNumber() / asNumber().
        getBoolean() => isBoolean() / asBoolean(), uncheckedGetNumber() => asNumber().

        * runtime/JSCell.cpp:
        * runtime/JSCell.h: Nixed getJSNumber().

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncParseInt):
        * runtime/JSONObject.cpp:
        (JSC::gap):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/NumberObject.cpp:
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/Operations.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqual):
        (JSC::jsLess):
        (JSC::jsLessEq):
        (JSC::jsAdd): Replaced getNumber() => isNumber() / asNumber().
        getBoolean() => isBoolean() / asBoolean(), uncheckedGetNumber() => asNumber().

2011-10-04  Scott Graham  <scottmg@chromium.org>

        Add GAMEPAD feature flag
        https://bugs.webkit.org/show_bug.cgi?id=66859

        Reviewed by Darin Fisher.

        * Configurations/FeatureDefines.xcconfig:

2011-10-03  Filip Pizlo  <fpizlo@apple.com>

        JITCodeGenerator should no longer have code that tries too hard
        to be both speculative and non-speculative
        https://bugs.webkit.org/show_bug.cgi?id=69321

        Reviewed by Gavin Barraclough.
        
        Removed m_isSpeculative and speculationCheck() from JITCodeGenerator.
        This required moving emitBranch() to SpeculativeJIT, since it was
        the main user of that field and method. Other than trvial clean-ups
        in emitBranch(), the code is unchanged (and still has some disparity
        between 64 and 32_64, and still lacks some obvious optimizations).

        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::JITCodeGenerator):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        * dfg/DFGJITCodeGenerator64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):

2011-10-04  David Hyatt  <hyatt@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=69372
        
        [CSS3 Regions] Make sure overflow:visible lets content spill out of regions.
        
        Add support for reverse iteration to ListHashSet to support being able to walk them
        backwards easily.

        Reviewed by Anders Carlsson.

        * wtf/ListHashSet.h:
        (WTF::ListHashSetReverseIterator::ListHashSetReverseIterator):
        (WTF::ListHashSetReverseIterator::get):
        (WTF::ListHashSetReverseIterator::operator*):
        (WTF::ListHashSetReverseIterator::operator->):
        (WTF::ListHashSetReverseIterator::operator++):
        (WTF::ListHashSetReverseIterator::operator--):
        (WTF::ListHashSetReverseIterator::operator==):
        (WTF::ListHashSetReverseIterator::operator!=):
        (WTF::ListHashSetReverseIterator::operator const_reverse_iterator):
        (WTF::ListHashSetReverseIterator::node):
        (WTF::ListHashSetConstReverseIterator::ListHashSetConstReverseIterator):
        (WTF::ListHashSetConstReverseIterator::get):
        (WTF::ListHashSetConstReverseIterator::operator*):
        (WTF::ListHashSetConstReverseIterator::operator->):
        (WTF::ListHashSetConstReverseIterator::operator++):
        (WTF::ListHashSetConstReverseIterator::operator--):
        (WTF::ListHashSetConstReverseIterator::operator==):
        (WTF::ListHashSetConstReverseIterator::operator!=):
        (WTF::ListHashSetConstReverseIterator::node):
        (WTF::::rbegin):
        (WTF::::rend):
        (WTF::::makeReverseIterator):
        (WTF::::makeConstReverseIterator):
        (WTF::::makeConstIterator):

2011-10-04  Gavin Peters  <gavinp@chromium.org>

        fix gtk breakage caused by changeset 96595
        https://bugs.webkit.org/show_bug.cgi?id=69371

        ews did not catch build breakage in the gtk WebKitPluginProcess target; this patch removes
        the pretty printer on gtk, which should fix the build on that platform.

        Reviewed by NOBODY, this is a build fix.

        * wtf/Assertions.cpp:

2011-10-04  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r96630.
        http://trac.webkit.org/changeset/96630
        https://bugs.webkit.org/show_bug.cgi?id=69368

        Caused assertion failures in validateCell (Requested by
        mhahnenberg on #webkit).

        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanConstructor.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:

2011-10-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static ClassInfo structs to classes that override JSCell::getCallData
        https://bugs.webkit.org/show_bug.cgi?id=69311

        Reviewed by Darin Adler.

        Added ClassInfo structs to each class that defined its own getCallData 
        function but did not already have its own ClassInfo struct.  This is a 
        necessary addition for when we switch over to looking up getCallData from 
        the MethodTable in ClassInfo rather than doing the virtual call (which we 
        are removing).  These new ClassInfo structs are public because we often 
        use these structs in other areas of the code to uniquely identify JSC classes and 
        to enforce runtime invariants based on those class identities using ASSERTs.

        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanConstructor.h:

        getCallData was not marked as static is StrictModeTypeErrorFunction.  
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:

2011-10-04  Ryosuke Niwa  <rniwa@webkit.org>

        Leopard build fix after r96613.

        * wtf/Platform.h:

2011-10-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Implicitly add toString and valueOf to prototype when convertToType callback is provided
        https://bugs.webkit.org/show_bug.cgi?id=69156

        Reviewed by Geoffrey Garen.

        Added callbacks for toString and valueOf which are implicitly added to a client object's
        prototype if they provide a convertToType callback when declaring their class through 
        the JSC API.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::toStringCallback):
        (JSC::JSCallbackFunction::valueOfCallback):
        * API/JSCallbackFunction.h:
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/tests/testapi.js:

2011-10-03  Jon Lee  <jonlee@apple.com>

        Extend DOM WheelEvent to differentiate between physical and logical scroll directions
        https://bugs.webkit.org/show_bug.cgi?id=68959
        <rdar://problem/10036688>

        Reviewed by Sam Weinig.

        * wtf/Platform.h: Added HAVE_INVERTED_WHEEL_EVENTS for Lion and later.

2011-10-04  Csaba Osztrogonác  <ossy@webkit.org>

        MinGW warning fix after r96286.

        Avoid redefining STDCALL, because STDCALL is also defined in mingw32/include/windef.h:
        #define __stdcall __attribute__((stdcall))
        #define STDCALL __stdcall

        Reviewed by Tor Arne Vestbø.

        * assembler/MacroAssemblerCodeRef.h:

2011-10-04  Gavin Peters  <gavinp@chromium.org>

       add more stack dumping methods
       https://bugs.webkit.org/show_bug.cgi?id=69018

       In addition to WTFReportBacktrace, this adds the cross-platform WTFGetBacktrace, which lets
       WebKit programmatically retrieve the current stack.  This is useful if you need to add more
       reporting to field crash report uploads, if you're tracking down an irreproducable bug,
       for instance.

       Reviewed by Darin Adler.

       * wtf/Assertions.cpp:
       * wtf/Assertions.h:

2011-10-03  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline Array.push and Array.pop
        https://bugs.webkit.org/show_bug.cgi?id=69314

        Reviewed by Geoff Garen.
        
        Fix 32-bit.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-03  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline Array.push and Array.pop
        https://bugs.webkit.org/show_bug.cgi?id=69314

        Reviewed by Oliver Hunt.
        
        1% speed-up in V8 due to 6% speed-up in V8-deltablue.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::storePtr):
        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGIntrinsic.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-03  Filip Pizlo  <fpizlo@apple.com>

        JSC ASSERT Opening the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=69293

        Reviewed by Oliver Hunt.
        
        If a polymorphic access structure list has a duplicated structure, then
        don't crash.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2011-10-03  Gavin Barraclough  <barraclough@apple.com>

        On X86, switch bucketCount into a register, timeoutCheck into memory
        https://bugs.webkit.org/show_bug.cgi?id=69299

        Reviewed by Geoff Garen.

        We don't have sufficient registers to keep both in registers, and DFG JIT will trample esi;
        it doesn't matter if the bucketCount gets stomped on (in fact it may add to randomness!),
        but it if the timeoutCheck gets trashed we may make calls out to the timout_check stub
        function too frequently (regressing performance). This patch has no perf impact on sunspider.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branchAdd32):
        (JSC::MacroAssemblerX86::branchSub32):
            - Added branchSub32 with AbsoluteAddress.
        * jit/JIT.cpp:
        (JSC::JIT::emitTimeoutCheck):
            - Keep timeout count in memory on X86.
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
            - remove X86 specific code, switch bucket count back into a register.
        * jit/JITStubs.cpp:
            - Stop initializing esi (it is no longer the timeoutCheck!)
        * jit/JSInterfaceJIT.h:
            - change definition of esi to be the bucketCountRegister.
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
            - Add timeoutCount as a property to global data (the counter should be per-thread).

2011-10-03  Filip Pizlo  <fpizlo@apple.com>

        DFG backends don't have access to per-node predictions from the propagator
        https://bugs.webkit.org/show_bug.cgi?id=69291

        Reviewed by Oliver Hunt.
        
        Nodes now have two notion of predictions: the heap prediction, which is
        what came directly from value profiling, and the propagator's predictions,
        which arise out of abstract interpretation. Every node has a propagator
        prediction, but not every node has a heap prediction; and there is no
        guarantee that a node that has both will keep them consistent as the
        propagator may have additional information available to it.
        
        This is performance neutral.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::getHeapPrediction):
        (JSC::DFG::Node::predictHeap):
        (JSC::DFG::Node::prediction):
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::setPrediction):
        (JSC::DFG::Propagator::mergePrediction):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::isPredictedNumerical):
        (JSC::DFG::Propagator::logicalNotIsPure):
        (JSC::DFG::Propagator::setReplacement):

2011-10-03  Jer Noble  <jer.noble@apple.com>

        Unreviewed, rolling out r96526.
        http://trac.webkit.org/changeset/96526
        https://bugs.webkit.org/show_bug.cgi?id=68587

        WEB_AUDIO has numerous 64->32 bit casting warnings, causing
        build breakages where -Wall is enabled.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-10-03  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed build fix for DFG JIT 32_64.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-10-02  Filip Pizlo  <fpizlo@apple.com>

        DFG should speculate more aggressively on obvious cases on
        polymorphic get_by_id
        https://bugs.webkit.org/show_bug.cgi?id=69235

        Reviewed by Oliver Hunt.
        
        This implements trivial polymorphic get_by_id. It also fixes
        problems in the CSE for CheckStructure in the put_by_id
        transition case.
        
        Doing this required knowing whether a polymorphic get_by_id stub
        was doing a direct access rather than a call of some kind.
        
        Slight speed-up on Kraken and SunSpider. 0.5% speed-up in the
        scaled mean of all benchmarks.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Instruction.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addStructureSet):
        (JSC::DFG::Graph::addStructureTransitionData):
        * dfg/DFGNode.h:
        (JSC::DFG::StructureTransitionData::StructureTransitionData):
        (JSC::DFG::Node::hasStructureTransitionData):
        (JSC::DFG::Node::structureTransitionData):
        (JSC::DFG::Node::hasStructureSet):
        (JSC::DFG::Node::structureSet):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureSet.h: Added.
        (JSC::DFG::StructureSet::StructureSet):
        (JSC::DFG::StructureSet::add):
        (JSC::DFG::StructureSet::addAll):
        (JSC::DFG::StructureSet::remove):
        (JSC::DFG::StructureSet::contains):
        (JSC::DFG::StructureSet::isSubsetOf):
        (JSC::DFG::StructureSet::isSupersetOf):
        (JSC::DFG::StructureSet::size):
        (JSC::DFG::StructureSet::at):
        (JSC::DFG::StructureSet::operator[]):
        (JSC::DFG::StructureSet::last):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::getPolymorphicAccessStructureListSlot):

2011-10-03  Jer Noble  <jer.noble@apple.com>

        Enable WEB_AUDIO by default in the WebKit/mac port.
        https://bugs.webkit.org/show_bug.cgi?id=68587

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-10-03  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Fix make distcheck build
        https://bugs.webkit.org/show_bug.cgi?id=69243

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am:

2011-10-03  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] Build fix: Qt::escape is deprecated in Qt5
        https://bugs.webkit.org/show_bug.cgi?id=69162

        Use QString::toHtmlEscaped in the Qt5 case.

        Reviewed by Andreas Kling.

        * JavaScriptCore.pri:
        * wtf/qt/UtilsQt.h: Added.
        (escapeHtml):
        * wtf/wtf.pri:

2011-10-03  Balazs Kelemen  <kbalazs@webkit.org>

        libdispatch based ParallelJobs is not enough parallel
        https://bugs.webkit.org/show_bug.cgi?id=66378

        Reviewed by Zoltan Herczeg.

        Use the appropriate libdispatch API for our use case.
        Throw away the hard coded limit of parallel threads
        and use dispatch_apply with the default priority normal
        queue istead of using our own custom serial queue (which
        was a misuse of the API). Enabling PARALLEL_JOBS is now
        a 60% win (2.63x as fast) on the methanol benchmark
        (https://gitorious.org/methanol) with an SVG centric test set
        while the old implementation was almost identical (less than 5% win).

        * wtf/ParallelJobsLibdispatch.h:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::execute):

2011-10-02  Zoltan Herczeg  <zherczeg@webkit.org>

        [Qt]REGRESSION(r95912): It made sputnik tests flakey
        https://bugs.webkit.org/show_bug.cgi?id=68990

        Reviewed by Geoffrey Garen.

        Changing signed char to int in r96354 solved the
        problem. However transitionCount still returns
        with a signed char and should be changed to int.

        * runtime/Structure.h:
        (JSC::Structure::transitionCount):

2011-10-02  Filip Pizlo  <fpizlo@apple.com>

        DFG misses some obvious opportunities for common subexpression elimination
        https://bugs.webkit.org/show_bug.cgi?id=69233

        Reviewed by Oliver Hunt.
        
        0.7% speed-up on SunSpider.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):

2011-10-02  Gavin Barraclough  <barraclough@apple.com>

        Bug 67455 - Different regular expression result

        Reviewed by Darin Adler.
        
        Fix a regression introduced in r72140. A return was added to the backtracking loop for
        backtrackParentheses with QuantifierNonGreedy, so it always returns after one iteration.
        This is incorrect. The additional return should only trigger to force an early return if
        an error has occured.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchParentheses):
            - Simplify some nested if else logic.
        (JSC::Yarr::Interpreter::backtrackParentheses):
            - Simplify some nested if else logic.
            - Only return early from backtrackParentheses on success/error, not on failure.

2011-10-01  Geoffrey Garen  <ggaren@apple.com>

        Removed redundant helper functions for allocating Strong handles
        https://bugs.webkit.org/show_bug.cgi?id=69218

        Reviewed by Sam Weinig.

        * heap/Heap.h:
        (JSC::Heap::handleHeap):
        * runtime/JSGlobalData.h: Removed these helper functions, since they
        just created indirection.

        * heap/StrongInlines.h: Added. Broke out a header for inline functions
        to resolve circular dependencies created by inlining. I'm told this is
        the future for JavaScriptCore.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj: Go forth and build.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::init):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::set):
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::setSingleTransition):
        * heap/Local.h:
        (JSC::::Local):
        * heap/Strong.h:
        (JSC::::Strong):
        (JSC::::set):
        * heap/Weak.h:
        (JSC::Weak::Weak):
        (JSC::Weak::set): Allocate handles directly instead of going through a
        chain of forwarding functions.

        * bytecompiler/BytecodeGenerator.cpp:
        * runtime/JSGlobalData.cpp:
        * runtime/LiteralParser.cpp:
        * runtime/RegExpCache.cpp: Updated for header changes.

2011-09-30  Filip Pizlo  <fpizlo@apple.com>

        All of JSC's heuristics should be in one place for easier tuning
        https://bugs.webkit.org/show_bug.cgi?id=69201

        Reviewed by Oliver Hunt.
        
        This makes it possible to change tiered compilation heuristics in
        one place (Heuristics.cpp) without recompiling the whole project.
        
        It also makes it possible to enable setting heuristics using
        environment variables. This is off by default. When turned on, it
        makes tuning the system much easier.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * runtime/Heuristics.cpp: Added.
        (JSC::Heuristics::parse):
        (JSC::Heuristics::setHeuristic):
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h: Added.
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):

2011-10-01  Oliver Hunt  <oliver@apple.com>

        Support string length in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=69215

        Reviewed by Geoff Garen.

        Adds a GetStringLength node to the DFG so that we can support
        string.length inline.

        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isKnownString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSString.h:
        (JSC::JSString::offsetOfLength):

2011-10-01  Yuqiang Xian  <yuqiang.xian@intel.com>

        JSVALUE32_64 DFG JIT - unboxed integers and cells in register file must be reboxed before exiting from DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69205

        Reviewed by Gavin Barraclough.

        If there are unboxed integers and cells in register file (e.g. by SetLocal), 
        they must be reboxed before exiting from the speculative DFG JIT execution.
        This patch also adds a new ValueSourceKind (CellInRegisterFile) and a new
        ValueRecoveryTechnique (AlreadyInRegisterFileAsCell).

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::forPrediction):
        (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedCell):

2011-10-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r96421.
        http://trac.webkit.org/changeset/96421
        https://bugs.webkit.org/show_bug.cgi?id=69206

        It broke Qt-WK2 build (Requested by ossy on #webkit).

        * JavaScriptCore.pri:
        * wtf/qt/UtilsQt.h: Removed.
        * wtf/wtf.pri:

2011-09-30  Daniel Bates  <dbates@webkit.org>

        Attempt to fix the Apple Windows and WinCairo Debug builds after
        <http://trac.webkit.org/changeset/96446> (https://bugs.webkit.org/show_bug.cgi?id=69203).

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Remove the symbol
        ?toStrictThisObject@JSObject@JSC@@UBE?AVJSValue@2@PAVExecState@2@@Z since the
        corresponding function, JSValue::toStrictThisObject(), was removed.

2011-09-30  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG operation results are not set correctly in JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69126

        Reviewed by Gavin Barraclough.

        The setupResults routine has the bug of reversing the source and destination. 
        Also some other trivial (but stupid) bugs need to be fixed in JSVALUE32_64 DFG JIT.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::setupTwoStubArgs):
        (JSC::DFG::setupResults):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):

2011-09-30  Gavin Barraclough  <barraclough@apple.com>

        Remove toStrictThisObject, toThisString, toThisJSString
        https://bugs.webkit.org/show_bug.cgi?id=69203

        Rubber stamped by Sam Weinig

        These are no longer used.

        * JavaScriptCore.exp:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSValue.h:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StrictEvalActivation.h:

2011-09-30  Filip Pizlo  <fpizlo@apple.com>

        DFG does not speculate aggressively enough on put_by_id
        https://bugs.webkit.org/show_bug.cgi?id=69114

        Reviewed by Oliver Hunt.

        This adds new nodes along with optimizations for those nodes:
        
        GetPropertyStorage: CheckStructure used to do both the structure
        check and retrieve the storage pointer. Now CheckStructure just
        checks the structure, and GetPropertyStorage retrieves the
        storage pointer.
        
        PutStructure: Changes the structure, and has the expected store
        to load optimization with CheckStructure.
        
        PutByOffset: Directly sets the value. Has store to load
        optimization with GetByOffset.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::hasStorageAccessData):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::impureCSE):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::eliminate):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-30  Gavin Barraclough  <barraclough@apple.com>

        StringRecursionChecker should not work in terms of EncodedJSValue
        https://bugs.webkit.org/show_bug.cgi?id=69188

        Reviewed by Oliver Hunt.

        0 is not the empty value on 32_64.
        Code that casts literals to EncodedJSValues may be unsafe if we change our internal representation.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
        * runtime/StringRecursionChecker.cpp:
        (JSC::StringRecursionChecker::throwStackOverflowError):
        (JSC::StringRecursionChecker::emptyString):
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        (JSC::StringRecursionChecker::earlyReturnValue):

2011-09-30  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT, Branch on integer can always be a 32-bit compare.
        https://bugs.webkit.org/show_bug.cgi?id=69174

        Reviewed by Sam Weinig.

        if (shouldSpeculateInteger(node.child1()) && !isStrictInt32(node.child1())),
        the JSVALUE64 JIT will currently compare all 64bits in the register, but in
        these cases the DataFormat is always a JS boxed integer. In these cases we
        can just compare the low 32bits anyway - no need to check the tag.
        This allows the code to be unified with the JSVALUE32_64 JIT.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-30  Oliver Hunt  <oliver@apple.com>

        Need a sensible GGC policy

        Reviewed by Geoff Garen.

        This replaces the existing random collection policy
        with a deterministic policy based on nursery size.

        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateSlowCase):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocator):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::nurseryWaterMark):
        (JSC::MarkedSpace::allocate):

2011-09-30  Filip Pizlo  <fpizlo@apple.com>

        DFG 32-bit support for op_call and op_construct causes
        run-javascriptcore-tests to fail
        https://bugs.webkit.org/show_bug.cgi?id=69171

        Reviewed by Gavin Barraclough.
        
        This fixes one obvious bug that was causing test failures (no
        support for dummy slow case for op_add in 32_64), and disables
        op_call and op_construct by default.        

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):

2011-09-30  Geoffrey Garen  <ggaren@apple.com>

        Crash due to out of bounds read/write in MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=69148
        
        This was a case of being surprised by a poorly aritulcated cell size limit,
        plus an incorrect ASSERT guarding the cell size limit.

        Reviewed by Oliver Hunt.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassFor): Changed heap size ranges to be inclusive,
        since it makes the ranges easier to understand.
        
        Bumped up the max cell size to support the use case in this bug. Since the
        atomSize is much bigger than it used to be, there isn't much accounting
        cost to handling more size classes.
        
        Switched to FixedArray, to help catch SizeClass indexing bugs in the future.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocator):
        (JSC::MarkedSpace::canonicalizeCellLivenessData): Updated for size ranges
        being inclusive.

2011-09-30  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] Build fix: Qt::escape is deprecated in Qt5
        https://bugs.webkit.org/show_bug.cgi?id=69162

        Use QString::toHtmlEscaped in the Qt5 case.

        Reviewed by Andreas Kling.

        * JavaScriptCore.pri:
        * wtf/qt/UtilsQt.h: Added.
        (escapeHtml):
        * wtf/wtf.pri:

2011-09-30  Yuqiang Xian  <yuqiang.xian@intel.com>

        Fix bug in getHostCallReturnValue of DFG JIT on X86
        https://bugs.webkit.org/show_bug.cgi?id=69133

        Reviewed by Gavin Barraclough.

        We need to insert the additional argument in the stack slot before
        return address instead of simply pushing it afterwards.
        Also getHostCallReturnValue* should be attributed as stdcall
        to make the stack cleaned up by the callee.

        * dfg/DFGOperations.cpp:

2011-09-30  Pierre Rossi  <pierre.rossi@gmail.com>

        [Qt] wtf header files are unknown to Qt Creator
        https://bugs.webkit.org/show_bug.cgi?id=69158

        Adding the HEADERS variable in wtf.pri so that
        the header files can be accessed easily.

        Reviewed by Andreas Kling.

        * wtf/wtf.pri:

2011-09-30  Gavin Barraclough  <barraclough@apple.com>

        Merge some more of DFGSpeculativeJIT 32_64/64
        https://bugs.webkit.org/show_bug.cgi?id=69164

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCodeGenerator32_64.cpp:
        * dfg/DFGJITCodeGenerator64.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileValueAdd):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add getCallData to MethodTable in ClassInfo
        https://bugs.webkit.org/show_bug.cgi?id=69024

        Reviewed by Sam Weinig.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

        Added the getCallData to the MethodTable in the ClassInfo struct.
        * runtime/ClassInfo.h:

2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>

        Add op_call/op_constructor support to JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69120

        Reviewed by Gavin Barraclough.

        Improve the coverage of JSVALUE32_64 DFG JIT.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::tagOfCallData):
        (JSC::DFG::payloadOfCallData):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG JIT - register not unlocked after usage in ArithDiv
        https://bugs.webkit.org/show_bug.cgi?id=69122

        Reviewed by Geoffrey Garen.

        Some allocated register is not unlocked after the usage in ArithDiv. 
        Also there's a typo in "ENBALE_DFG_CONSISTENTCY_CHECK".

        * dfg/DFGNode.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::toObject
        https://bugs.webkit.org/show_bug.cgi?id=68937

        Reviewed by Darin Adler.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

        De-virtualized JSCell::toObject and changed its implementation to manually check the 
        cases for JSString and JSObject rather than leaving it up to the virtual method call.
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:

        Removed JSNotAnObject::toObject because the case for JSObject works for it.
        Also removed JSObject::toObject because it was essentially the identity function,
        which is not necessary since toObject is no longer virtual.
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:

        De-virtualized JSObject::toObject and JSString::toObject.
        * runtime/JSString.h:

2011-09-29  Gavin Barraclough  <barraclough@apple.com>

        Start refactoring DFGSpeculativeJIT
        https://bugs.webkit.org/show_bug.cgi?id=69112

        Reviewed by Oliver Hunt.

        Again, move JSVALUE64 code into a DFJSpeculativeJIT64.cpp

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::dump):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT64.cpp: Copied from Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp.
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-29  Gavin Barraclough  <barraclough@apple.com>

        Refactor out trivially duplicated code in DFGJITCodeGenerator.
        https://bugs.webkit.org/show_bug.cgi?id=69109

        Reviewed by Oliver Hunt.

        Some code is trivially redundant between DFGJITCodeGenerator.cpp & DFGJITCodeGenerator32_64.cpp

        Basically move a JSVALUE64 specific code into a new DFGJITCodeGenerator64.cpp, leave common code
        in DFGJITCodeGenerator.cpp, and remove copies from DFGJITCodeGenerator32_64.cpp.

        For some function differences are trivial & make more sense to ifdef individually, and some
        Operand methods make more sense left in DFGJITCodeGenerator.cpp alongside similar constructors.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::dump):
        (JSC::DFG::JITCodeGenerator::checkConsistency):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        * dfg/DFGJITCodeGenerator64.cpp: Copied from Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp.
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchIfNotCell):
        * dfg/DFGJITCompilerInlineMethods.h:

2011-09-28  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should infer which uses of a variable are not aliased
        https://bugs.webkit.org/show_bug.cgi?id=68593

        Reviewed by Oliver Hunt.
        
        This separates how a variable is stored (i.e. its virtual register)
        from how it's predicted. Each variable now takes a
        VariableAccessData as its operand, instead of the virtual register.
        The VariableAccessData stores the operand and the prediction. If
        multiple uses of a variable are aliased, their VariableAccessDatas
        are unified.
        
        This also adds tracking of which argument values are used. It
        correctly observes that an argument value is not used, if the
        argument is assigned to inside the function before being used.
        
        This also adds tracking of which variables are live at the head of
        a basic block, and separates that from a variable being live at the
        tail.
        
        Finally, this communicates to both OSR entry and OSR exit code how
        a variable is predicted at a particular point in the code, rather
        than just communicating how it was predicted in the entire code
        block (since with this patch there is no longer the notion of a
        variable having just one prediction for a code block).

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ActionablePrediction.h: Added.
        (JSC::actionablePredictionFromPredictedType):
        (JSC::valueObeysPrediction):
        (JSC::actionablePredictionToString):
        (JSC::ActionablePredictions::ActionablePredictions):
        (JSC::ActionablePredictions::setArgument):
        (JSC::ActionablePredictions::argument):
        (JSC::ActionablePredictions::setVariable):
        (JSC::ActionablePredictions::variable):
        (JSC::ActionablePredictions::argumentUpperBound):
        (JSC::ActionablePredictions::variableUpperBound):
        (JSC::ActionablePredictions::pack):
        (JSC::ActionablePredictions::packVector):
        * bytecode/CodeBlock.h:
        * bytecode/PredictionTracker.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::newVariableAccessData):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::nameOfVariableAccessData):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::operandIsArgument):
        (JSC::DFG::VariableRecord::setFirstTime):
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVariableAccessData):
        (JSC::DFG::Node::hasLocal):
        (JSC::DFG::Node::variableAccessData):
        (JSC::DFG::Node::local):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forPrediction):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::kind):
        (JSC::DFG::ValueSource::nodeIndex):
        (JSC::DFG::ValueSource::nodeIndexFromKind):
        (JSC::DFG::ValueSource::kindFromNodeIndex):
        (JSC::DFG::SpeculativeJIT::isKnownArray):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * wtf/PackedIntVector.h: Added.
        (WTF::PackedIntVector::PackedIntVector):
        (WTF::PackedIntVector::operator=):
        (WTF::PackedIntVector::size):
        (WTF::PackedIntVector::ensureSize):
        (WTF::PackedIntVector::resize):
        (WTF::PackedIntVector::clearAll):
        (WTF::PackedIntVector::get):
        (WTF::PackedIntVector::set):
        (WTF::PackedIntVector::mask):
        * wtf/Platform.h:
        * wtf/UnionFind.h: Added.
        (WTF::UnionFind::UnionFind):
        (WTF::UnionFind::find):
        (WTF::UnionFind::unify):

2011-09-29  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * heap/AllocationSpace.h:

2011-09-29  Oliver Hunt  <oliver@apple.com>

        Add logic to collect dirty objects as roots
        https://bugs.webkit.org/show_bug.cgi?id=69100

        Reviewed by Geoff Garen.

        This gives us the ability to walk all the MarkedBlocks in an
        AllocationSpace and collect the dirty objects, and then use
        them as GC roots.
        
        I also rearranged the order of these instructions because it
        makes them smaller on some platforms with some card sizes.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::markCellCard):
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::markCellCard):
        * heap/AllocationSpace.cpp:
           Tidy up the write barrier logic a bit.
        (JSC::MarkedBlock::gatherDirtyObjects):
        (JSC::TakeIfDirty::returnValue):
        (JSC::TakeIfDirty::TakeIfDirty):
        (JSC::TakeIfDirty::operator()):
        (JSC::AllocationSpace::gatherDirtyObjects):
        * heap/AllocationSpace.h:
        * heap/CardSet.h:
        (JSC::::isCardMarked):
        (JSC::::clearCard):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::setDirtyObject):
        (JSC::MarkedBlock::addressOfCardFor):
        * heap/SlotVisitor.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):
           Tidy the write barrier a bit.

2011-09-29  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed windows build fix.

        * assembler/MacroAssemblerCodeRef.h:
        * dfg/DFGOperations.h:

2011-09-29  Filip Pizlo  <fpizlo@apple.com>

        Structure transitions involving many (> 64) properties sometimes cause structure corruption
        https://bugs.webkit.org/show_bug.cgi?id=69102

        Reviewed by Darin Adler.
        
        Made m_offset an int instead of a signed char. Changed the code to ensure that transitions
        don't lead to the dictionary kind being forgotten.
        
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:

2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG operation calls should be stdcall in Linux JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69058

        Reviewed by Gavin Barraclough.

        Also Fixed the stdcall FunctionPtr constructors to make them compiled correctly on Linux

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):

2011-09-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::visitChildrenVirtual and remove all other visitChildrenVirtual methods
        https://bugs.webkit.org/show_bug.cgi?id=68839

        Reviewed by Geoffrey Garen.

        Removed the remaining visitChildrenVirtual methods.  This patch completes the process of 
        de-virtualizing visitChildren.

        * API/JSCallbackObject.h:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSValue.h:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorConstructor.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/Structure.cpp:
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        * runtime/StructureChain.h:

        Inlined the method table access and call to the visitChildren function (the only call sites 
        to visitChildren are here).
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):

        Changed the field name for the visitChildren function pointer to visitChildren (from 
        visitChildrenFunctionPtr) to make call sites less verbose.
        * runtime/ClassInfo.h:

        Discovered JSBoundFunction doesn't have its own ClassInfo (it used JSFunction's ClassInfo) but 
        overrides visitChildren, so it needs to have its own ClassInfo.
        * runtime/JSBoundFunction.cpp:
        * runtime/JSBoundFunction.h:

        Had to move className up to make sure that the virtual destructor in JSObject wasn't 
        the first non-inline virtual method in JSObject (as per the comment in the file).
        Also moved JSCell::visitChildrenVirtual into JSObject.h in order for it be inline-able
        to mitigate the cost of an extra method call.

        Also added a convenience accessor function methodTable() to JSCell to return the MethodTable to make 
        call sites more concise.  Implementation is inline in JSObject.h.
        * runtime/JSObject.h:
        (JSC::JSCell::methodTable):
        * runtime/JSCell.h:

        Added an out of line virtual destructor to JSWrapperObject and ScopeChainNode to 
        appease the vtable gods.  It refused to compile if there were no virtual methods in 
        both of these classes due to the presence of a weak vtable pointer.
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::~JSWrapperObject):
        * runtime/JSWrapperObject.h:
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::~ScopeChainNode):
        * runtime/ScopeChain.h:

2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>

        Bug fixes for CreateThis, NewObject and GetByOffset in JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=69075

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-29  Yuqiang Xian  <yuqiang.xian@intel.com>

        JSVALUE32_64 DFG JIT failed to be built on 32-bit Linux due to incorrect overloaded OpInfo constructor
        https://bugs.webkit.org/show_bug.cgi?id=69054

        Reviewed by Gavin Barraclough.

        size_t is equal to uint32_t on most 32-bit platforms, except for Mac OS.

        * dfg/DFGNode.h:

2011-09-28  Filip Pizlo  <fpizlo@apple.com>

        DFG checkArgumentTypes fails to check boolean predictions
        https://bugs.webkit.org/show_bug.cgi?id=69059

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):

2011-09-28  Gavin Barraclough  <barraclough@apple.com>

        Build fix pt 2 for r96286.

        * assembler/MacroAssemblerCodeRef.h:

2011-09-28  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt for r96286.

        * assembler/MacroAssemblerCodeRef.h:

2011-09-28  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT Operations on 32_64 should use stdcall calling convention.
        https://bugs.webkit.org/show_bug.cgi?id=69046

        Reviewed by Sam Weinig.

        All calls out are expecting stdcall conventions, but the default on OS X are cdecl.
        Leave D_DFGOperation_DD calls as the one exception, since we want to be able to link
        directly to std library functions like fmod - leave these calls obeying the default
        platform calling convention.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
            - Add implicit constructors for std calls.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
            - Make this work non-Mac platforms.
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
            - Mark all operations as stdcalls.

2011-09-28  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT falls back on numerical comparisons when it does not
        recognize a prediction
        https://bugs.webkit.org/show_bug.cgi?id=68977

        Reviewed by Geoffrey Garen.
        
        This fixes both the way comparison implementations are selected. It
        also fixes a bug where comparisons other than equality (like < or >)
        on objects are compiled as if the comparison was equality.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):

2011-09-28  Gavin Barraclough  <barraclough@apple.com>

        Implement callOperation(D_DFGOperation_DD) for DFG JIT 32_64
        https://bugs.webkit.org/show_bug.cgi?id=69026

        Reviewed by Sam Weinig.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fstpl):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):

2011-09-28  Gavin Barraclough  <barraclough@apple.com>

        Merge bug#68580, bug#68932 for DFG JIT with JSVALUE32_64
        https://bugs.webkit.org/show_bug.cgi?id=69017

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-28  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64679
        Fix bugs in Array.prototype this handling.

        Reviewed by Oliver Hunt.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
            - These methods should throw if this value is undefined.

2011-09-27  Yuqiang Xian  <yuqiang.xian@intel.com>

        Value profiling in baseline JIT for JSVALUE32_64
        https://bugs.webkit.org/show_bug.cgi?id=68750

        Reviewed by Geoff Garen.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emit_op_div):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_call_put_result):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):

2011-09-28  Yuqiang Xian  <yuqiang.xian@intel.com>

        Wrong integer checks in JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68985

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-09-28  Adam Barth  <abarth@webkit.org>

        Remove empty directories.

        * wtf/brew: Removed.
        * wtf/unicode/brew: Removed.

2011-09-27  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT cannot compile op_new_object, op_new_array,
        op_new_array_buffer, or op_new_regexp
        https://bugs.webkit.org/show_bug.cgi?id=68580

        Reviewed by Oliver Hunt.
        
        This implements all four opcodes, but has op_new_regexp turns off
        by default because it unveils some bad speculation logic when
        compiling string-validate-input.
        
        With op_new_regexp turned off, this is a 5% win on Kraken and a
        0.7% speed-up on V8. Neutral on SunSpider.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::callOperation):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasConstantBuffer):
        (JSC::DFG::Node::startConstant):
        (JSC::DFG::Node::numConstants):
        (JSC::DFG::Node::hasRegexpIndex):
        (JSC::DFG::Node::regexpIndex):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isKnownArray):

2011-09-27  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should speculate more aggressively on reads of array.length
        https://bugs.webkit.org/show_bug.cgi?id=68932

        Reviewed by Oliver Hunt.
        
        This is a 2% speed-up on Kraken, neutral elsewhere.

        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-27  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT - merge changes between 95905 - 96175
        https://bugs.webkit.org/show_bug.cgi?id=68963

        Reviewed by Sam Weinig.

        Merge missing changes from bug#68677, bug#68784, bug#68785.

        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-27  Gavin Barraclough  <barraclough@apple.com>

        Get JSVALUE32_64 DFG JIT building on OS X.
        https://bugs.webkit.org/show_bug.cgi?id=68961

        Reviewed by Geoff Garen.

        * Merge bug #68763 (DFG JIT should not eagerly initialize integer tags in the register file).
        * Forward-declare functions in DFGOperations.cpp
        * UNUSED_PARAM for unused arguments
        * NO_RETURN for unimplemented function that ASSERT_NOT_REACHED
        * Fix argument types handled by OpInfo constructor.
        * Use SYMBOL_STRING instead of STRINGIZE for asm symbols.
        * Add files to Xcode project.

2011-09-27  Yuqiang Xian  <yuqiang.xian@intel.com>

        Bug fixes for GetById, PutById, and GetByOffset in JSVALUE32_64 DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68755

        Reviewed by Gavin Barraclough.

        We need to load/store and repatch both tag and payload of a property
        for GetById/PutById. Also reorder the loads of tag and payload for
        GetByOffset as the result tag GPR could reuse the storage GPR.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator32_64.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGJITCompiler32_64.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchByIdSelfAccess):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-24  Gavin Barraclough  <barraclough@apple.com>

        Macro assembler branch8 & 16 methods vary in treatment of upper bits
        https://bugs.webkit.org/show_bug.cgi?id=68301

        Reviewed by Sam Weinig.

        Fix for branch16 - remove it!
        No performance impact.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerMIPS.h:
        * assembler/MacroAssemblerSH4.h:
        * assembler/MacroAssemblerX86Common.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):

2011-09-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static version of JSCell::getCallData
        https://bugs.webkit.org/show_bug.cgi?id=68741

        Reviewed by Darin Adler.

        In this patch we just extract the bodies of the virtual getCallData methods
        throughout the JSCell inheritance hierarchy out into static methods, which are 
        now called from the virtual methods.  This is an intermediate step in trying to 
        move the virtual-ness of getCallData into our own method table stored in 
        ClassInfo.  We need to convert the methods to static methods because static methods 
        can be represented as function pointers rather than pointers to member functions, and
        function pointers are smaller and faster to call than pointers to member functions.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::getCallDataVirtual):
        (JSC::JSCallbackFunction::getCallData):
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getCallDataVirtual):
        (JSC::::getCallData):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getCallDataVirtual):
        (JSC::ArrayConstructor::getCallData):
        * runtime/ArrayConstructor.h:
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::getCallDataVirtual):
        (JSC::BooleanConstructor::getCallData):
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getCallDataVirtual):
        (JSC::DateConstructor::getCallData):
        * runtime/DateConstructor.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::getCallDataVirtual):
        (JSC::StrictModeTypeErrorFunction::getCallData):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::getCallDataVirtual):
        (JSC::ErrorConstructor::getCallData):
        * runtime/ErrorConstructor.h:
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::getCallDataVirtual):
        (JSC::FunctionConstructor::getCallData):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::getCallDataVirtual):
        (JSC::FunctionPrototype::getCallData):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getCallDataVirtual):
        (JSC::JSCell::getCallData):
        * runtime/JSCell.h:
        (JSC::getCallData):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getCallDataVirtual):
        (JSC::JSFunction::getCallData):
        * runtime/JSFunction.h:
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::toJSON):
        (JSC::Stringifier::appendStringifiedValue):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::getCallDataVirtual):
        (JSC::NativeErrorConstructor::getCallData):
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getCallDataVirtual):
        (JSC::NumberConstructor::getCallData):
        * runtime/NumberConstructor.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getCallDataVirtual):
        (JSC::ObjectConstructor::getCallData):
        * runtime/ObjectConstructor.h:
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        (JSC::jsIsFunctionType):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getCallDataVirtual):
        (JSC::RegExpConstructor::getCallData):
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getCallDataVirtual):
        (JSC::StringConstructor::getCallData):
        * runtime/StringConstructor.h:

2011-09-27  Tim Horton  <timothy_horton@apple.com>

        Rapidly refreshing a feMorphology[erode] with r=0 can sometimes cause display corruption
        https://bugs.webkit.org/show_bug.cgi?id=68816
        <rdar://problem/10186468>

        Reviewed by Simon Fraser.
        
        Add ByteArray::clear, which zeros the memory in the ByteArray.

        * wtf/ByteArray.h:
        (WTF::ByteArray::clear): Added.

2011-09-27  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r96131.
        http://trac.webkit.org/changeset/96131
        https://bugs.webkit.org/show_bug.cgi?id=68927

        It made 18+ tests crash on all platform (Requested by
        Ossy_night on #webkit).

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * parser/Parser.h:
        (JSC::Parser::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:

2011-09-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::getPrimitiveNumber
        https://bugs.webkit.org/show_bug.cgi?id=68851

        Reviewed by Darin Adler.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

        Changed JSCell::getPrimitiveNumber to manually handle the dispatch for 
        JSCells (JSObject and JSString in this case).
        * runtime/JSCell.cpp:
        (JSC::JSCell::getPrimitiveNumber):
        * runtime/JSCell.h:

        Removed JSNotAnObject::getPrimitiveNumber since its return value doesn't 
        matter and it already implements defaultValue, so JSObject::getPrimitiveNumber
        can cover the case for JSNotAnObject.
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:

        De-virtualized JSObject::getPrimitiveNumber and JSString::getPrimitiveNumber 
        and changed them to be const.  Also made JSString::getPrimitiveNumber public 
        because it needs to be called from JSCell::getPrimitiveNumber and also since it's 
        no longer virtual, we want people who have a more specific pointer (JSString* 
        instead of JSCell*) to not have to pay the cost of a virtual method call.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getPrimitiveNumber):
        * runtime/JSObject.h:
        * runtime/JSString.cpp:
        (JSC::JSString::getPrimitiveNumber):
        * runtime/JSString.h:

2011-09-27  Juan Carlos Montemayor Elosua  <j.mont@me.com>

        Implement Error.stack
        https://bugs.webkit.org/show_bug.cgi?id=66994

        Reviewed by Oliver Hunt.

        This patch utilizes topCallFrame to create a stack trace when
        an error is thrown. Users will also be able to use the stack()
        command in jsc to get arrays with stack trace information.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::getCallerLine):
        (JSC::getSourceURLFromCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        * interpreter/Interpreter.h:
        (JSC::StackFrame::toString):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionJSCStack):
        * parser/Parser.h:
        (JSC::Parser::parse):
        * runtime/CommonIdentifiers.h:
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        * runtime/Error.h:

2011-09-27  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Reorganize header files
        https://bugs.webkit.org/show_bug.cgi?id=65616

        Reviewed by Martin Robinson.

        Install header files under $libwebkitgtkincludedir/JavaScriptCore.

        * GNUmakefile.am: Use $libwebkitgtkincludedir.
        * javascriptcoregtk.pc.in: Use webkitgtk-<api-version> as include dir.

2011-09-26  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r95912): Conservative marking doesn't filter out pointers to
        MarkedBlock metadata
        https://bugs.webkit.org/show_bug.cgi?id=68860

        Reviewed by Oliver Hunt.
        
        Bencher says no performance change, maybe a 7% speedup on kraken-imaging-darkroom.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isAtomAligned): Renamed atomMask to atomAlignment mask
        because the mask doesn't produce the actual atom number.

        (JSC::MarkedBlock::isLiveCell): Testing just for alignment isn't good
        enough; we also need to test that a pointer is beyond the metadata section
        of a MarkedBlock, to avoid treating random metadata as a JSCell.

2011-09-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Make JSCell::toBoolean non-virtual
        https://bugs.webkit.org/show_bug.cgi?id=67727

        Reviewed by Geoffrey Garen.

        JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
        before it was simply virtual and would crash if its implementation was called). 
        Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
        explicitly covers all cases of toBoolean, so having a virtual implementation of 
        JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        (JSC::JSCell::toBoolean):
        (JSC::JSValue::toBoolean):

2011-09-26  Chris Marrin  <cmarrin@apple.com>

        Enable requestAnimationFrame on Windows
        https://bugs.webkit.org/show_bug.cgi?id=68397

        Reviewed by Simon Fraser.

        Enabled REQUEST_ANIMATION_FRAME_TIMER for Windows

        * wtf/Platform.h:

2011-09-26  Noel Gordon  <noel.gordon@gmail.com>

        [Chromium] Remove DFGAliasTracker.h references from gyp project files
        https://bugs.webkit.org/show_bug.cgi?id=68787

        Reviewed by Geoffrey Garen.

        DFG/DFGAliasTracker.h was removed in r95389.  Cleanup (remove) references
        to that file from the gyp project files.

        * JavaScriptCore.gypi:

2011-09-26  Zoltan Herczeg  <zherczeg@webkit.org>

        [Qt]REGRESSION(r95865): It made 4 tests crash
        https://bugs.webkit.org/show_bug.cgi?id=68780
        
        Reviewed by Oliver Hunt.

        emitJumpSlowCaseIfNotJSCell(...) cannot be moved
        away since the next load depends on it.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):

2011-09-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add custom vtable struct to ClassInfo struct
        https://bugs.webkit.org/show_bug.cgi?id=68567

        Reviewed by Oliver Hunt.

        Declared/defined the MethodTable struct and added it to the ClassInfo struct.
        Also defined the CREATE_METHOD_TABLE macro to generate these method tables 
        succinctly where they need to be defined.

        Also added to it the first function to use this macro, visitChildren. 

        This is part of the process of getting rid of all C++ virtual methods in JSCell.  
        Eventually all virtual functions in JSCell that can't easily be converted to 
        non-virtual functions will be put into this custom vtable structure.
        * runtime/ClassInfo.h:

        Added the CREATE_METHOD_TABLE macro call as the last argument to each of the 
        ClassInfo structs declared in these classes.  This saves us from having to visit 
        each s_info definition in the future when we add more methods to the MethodTable.
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * JavaScriptCore.exp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSByteArray.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/MathObject.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/ScopeChain.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        * runtime/StructureChain.cpp:

        Had to make visitChildren and visitChildrenVirtual protected instead of private
        because some of the subclasses of JSWrapperObject need access to JSWrapperObject's
        visitChildren function pointer in their vtable since they don't provide their own
        implementation. Same for RegExpObject.
        * runtime/JSWrapperObject.h:
        * runtime/RegExpObject.h:

2011-09-25  Adam Barth  <abarth@webkit.org>

        Finish removing PLATFORM(BREWMP) by removing associated code
        https://bugs.webkit.org/show_bug.cgi?id=68779

        Reviewed by Sam Weinig.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:
        * wscript:
        * wtf/FastMalloc.cpp:
        (WTF::fastMallocSize):
        * wtf/Vector.h:
        * wtf/brew: Removed.
        * wtf/brew/MainThreadBrew.cpp: Removed.
        * wtf/brew/OwnPtrBrew.cpp: Removed.
        * wtf/brew/RefPtrBrew.h: Removed.
        * wtf/brew/ShellBrew.h: Removed.
        * wtf/brew/StringBrew.cpp: Removed.
        * wtf/brew/SystemMallocBrew.h: Removed.
        * wtf/unicode/brew: Removed.
        * wtf/unicode/brew/UnicodeBrew.cpp: Removed.
        * wtf/unicode/brew/UnicodeBrew.h: Removed.

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not count speculation successes correctly
        https://bugs.webkit.org/show_bug.cgi?id=68785

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGOperations.cpp:

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG support for op_resolve_global is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=68786

        Reviewed by Geoffrey Garen.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG static prediction code is no longer needed and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=68784

        Reviewed by Oliver Hunt.
        
        This gets rid of static prediction code, and ensures that we do not
        try to compile code where dynamic predictions are not available.
        This is accomplished by immediately performing an OSR exit wherever
        a value is retrieved for which no predictions exist.
        
        This also adds value profiling for this on functions used for calls.
        
        The heuristics for deciding when to optimize code are also tweaked,
        since it is now profitable to optimize sooner. This may need to be
        tweaked further, but this patch only makes minimal changes.
        
        This results in a 16% speed-up on Kraken/ai-astar, leading to a 3%
        overall win on Kraken.  It's neutral elsewhere.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        (JSC::isCellPrediction):
        (JSC::isObjectPrediction):
        (JSC::isFinalObjectPrediction):
        (JSC::isStringPrediction):
        (JSC::isArrayPrediction):
        (JSC::isInt32Prediction):
        (JSC::isDoublePrediction):
        (JSC::isNumberPrediction):
        (JSC::isBooleanPrediction):
        (JSC::mergePredictions):
        * bytecode/PredictionTracker.h:
        (JSC::PredictionTracker::predictArgument):
        (JSC::PredictionTracker::predict):
        (JSC::PredictionTracker::predictGlobalVar):
        * bytecode/ValueProfile.cpp:
        (JSC::ValueProfile::computeUpdatedPrediction):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::getMethodCheckPrediction):
        (JSC::DFG::Graph::getJSConstantPrediction):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::valueOfJSConstantNode):
        (JSC::DFG::Node::isInt32Constant):
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::isNumberConstant):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::isPredictedNumerical):
        (JSC::DFG::Propagator::logicalNotIsPure):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
        (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT Construct opcode takes a this argument even though it's
        not passed
        https://bugs.webkit.org/show_bug.cgi?id=68782

        Reviewed by Oliver Hunt.
        
        This is performance-neutral, mostly. It's a slight speed-up on
        v8-splay.
        
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG tracking of the value in cachedResultRegister does not handle
        op_mov correctly
        https://bugs.webkit.org/show_bug.cgi?id=68781

        Reviewed by Oliver Hunt.
        
        This takes the simplest approach: it makes the old JIT dumber rather
        than making the DFG JIT smarter. This is performance-neutral.

        * jit/JIT.h:
        (JSC::JIT::canBeOptimized):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):

2011-09-25  Adam Barth  <abarth@webkit.org>

        Remove PLATFORM(HAIKU) and associated code
        https://bugs.webkit.org/show_bug.cgi?id=68774

        Reviewed by Sam Weinig.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:
        * heap/MachineStackMarker.cpp:
        * wtf/PageAllocation.h:
        * wtf/Platform.h:
        * wtf/StackBounds.cpp:
        * wtf/haiku: Removed.
        * wtf/haiku/MainThreadHaiku.cpp: Removed.
        * wtf/haiku/StringHaiku.cpp: Removed.
        * wtf/text/WTFString.h:

2011-09-24  Adam Barth  <abarth@webkit.org>

        Always enable ENABLE(OFFLINE_WEB_APPLICATIONS)
        https://bugs.webkit.org/show_bug.cgi?id=68767

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-09-24  Filip Pizlo  <fpizlo@apple.com>

        JIT implementation of put_by_val increments m_length instead of setting
        it to index+1
        https://bugs.webkit.org/show_bug.cgi?id=68766

        Reviewed by Geoffrey Garen.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):

2011-09-24  Geoffrey Garen  <ggaren@apple.com>

        More build fixage.

        * heap/ConservativeRoots.cpp: Our system of #includes, it is chaos.

2011-09-24  Filip Pizlo  <fpizlo@apple.com>

        The DFG should not attempt to guess types in the absence of value
        profiles
        https://bugs.webkit.org/show_bug.cgi?id=68677

        Reviewed by Oliver Hunt.
        
        This adds the ForceOSRExit node, which is ignored by the propagator
        and virtual register allocator (and hence ensuring that liveness analysis
        works correctly), but forces terminateSpeculativeExecution() in the
        back-end. This appears to be a slight speed-up on benchmark averages,
        with ~5% swings on individual benchmarks, in both directions. But it's
        never a regression on any average, and appears to be a ~1% progression
        in the SunSpider average.
        
        This also adds a bit better debugging support in the old JIT and in DFG,
        as this was necessary to debug the much more frequent OSR transitions
        that occur with this change.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:

2011-09-24  Geoffrey Garen  <ggaren@apple.com>

        Some Windows build fixage.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive): Show the compiler that all control paths
        return a value. There, there, compiler. Everything's going to be OK.

        * runtime/JSCell.h:
        (JSC::JSCell::setVPtr): Oops! Unrename this function.

2011-09-24  Geoffrey Garen  <ggaren@apple.com>

        Allocate new objects unmarked
        https://bugs.webkit.org/show_bug.cgi?id=68764

        Reviewed by Oliver Hunt.
        
        This is a pre-requisite to using the mark bit to determine object age.

        ~2% v8 speedup, mostly due to a 12% v8-splay speedup.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive):
        (JSC::MarkedBlock::isLiveCell): These two functions are the reason for
        this patch. They can now determine object liveness without relying on
        newly allocated objects having their mark bits set. Each MarkedBlock
        now has a state variable that tells us how to determine whether its
        cells are live. (This new state variable supercedes the old one about
        destructor state. The rest of this patch is just refactoring to support
        the invariants of this new state variable without introducing a
        performance regression.)

        (JSC::MarkedBlock::didConsumeFreeList): New function for updating interal
        state when a block becomes fully allocated.

        (JSC::MarkedBlock::clearMarks): Folded a state change to 'Marked' into
        this function because, logically, clearing all mark bits is the first
        step in saying "mark bits now exactly reflect object liveness".

        (JSC::MarkedBlock::markCountIsZero): Renamed from isEmpty() to clarify
        that this function only tells you about the mark bits, so it's only
        meaningful if you've put the mark bits into a meaningful state before
        calling it.

        (JSC::MarkedBlock::forEachCell): Changed to use isLive() helper function
        instead of testing mark bits, since mark bits are not always the right
        way to find out if an object is live anymore. (New objects are live, but
        not marked.)

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::recycle):
        (JSC::MarkedBlock::MarkedBlock): Folded all initialization -- even
        initialization when recycling an old block -- into the MarkedBlock
        constructor, for simplicity.

        (JSC::MarkedBlock::callDestructor): Inlined for speed. Always check for
        a zapped cell before running a destructor, and always zap after
        running a destructor. This does not seem to be expensive, and the
        alternative just creates a too-confusing matrix of possible cell states
        ((zombie undestructed cell + zombie destructed cell + zapped destructed
        cell) * 5! permutations for progressing through block states = "Oh my!").

        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep): Maintained and expanded a pre-existing
        optimization to use template specialization to constant fold lots of
        branches and elide certain operations entirely during a sweep. Merged
        four or five functions that were logically about sweeping into this one
        function pair, so there's only one way to do things now, it's
        automatically correct, and it's always fast.

        (JSC::MarkedBlock::zapFreeList): Renamed this function to be more explicit
        about exactly what it does, and to honor the new block state system.

        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateBlock): Updated for rename.

        (JSC::AllocationSpace::freeBlocks): Updated for changed interface.

        (JSC::TakeIfUnmarked::TakeIfUnmarked):
        (JSC::TakeIfUnmarked::operator()):
        (JSC::TakeIfUnmarked::returnValue): Just like isEmpty() above, renamed
        to clarify that this functor only tests the mark bits, so it's only
        valid if you've put the mark bits into a meaningful state before
        calling it.
        
        (JSC::AllocationSpace::shrink): Updated for rename.

        * heap/AllocationSpace.h:
        (JSC::AllocationSpace::canonicalizeCellLivenessData): Renamed to be a
        little more specific about what we're making canonical.

        (JSC::AllocationSpace::forEachCell): Updated for rename.

        (JSC::AllocationSpace::forEachBlock): No need to canonicalize cell
        liveness data before iterating blocks -- clients that want iterated
        blocks to have valid cell lieveness data should make this call for
        themselves. (And not all clients want it.)

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer): Updated for rename. Removed
        obsolete comment.

        * heap/Heap.cpp:
        (JSC::CountFunctor::ClearMarks::operator()): Removed call to notify...()
        because clearMarks() now does that implicitly.

        (JSC::Heap::destroy): Make sure to canonicalize before tear-down, since
        tear-down tests cell liveness when running destructors.

        (JSC::Heap::markRoots):
        (JSC::Heap::collect): Moved weak reference harvesting out of markRoots()
        and into collect, since it strictly depends on root marking, and does
        not contribute to root marking.

        (JSC::Heap::canonicalizeCellLivenessData): Renamed to be a little more
        specific about what we're making canonical.

        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell): No need to canonicalize cell liveness
        data before iterating protected cells, since we know they're all live,
        and don't need to test for it.

        * heap/Local.h:
        (JSC::::set): Can't make the same ASSERT we used to because we just don't
        have the mark bits for it anymore. Perhaps we can bring this ASSERT back
        in a weaker form in the future.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addBlock):
        (JSC::MarkedSpace::removeBlock): Updated for interface change.
        (JSC::MarkedSpace::canonicalizeCellLivenessData): Renamed to be a little more
        specific about what we're making canonical.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        (JSC::MarkedSpace::SizeClass::zapFreeList): Simplified this allocator
        functionality a bit. We now track only one block -- "currentBlock" --
        and rely on its internal state to know whether it has more cells to
        allocate.

        * heap/Weak.h:
        (JSC::Weak::set): Can't make the same ASSERT we used to because we just don't
        have the mark bits for it anymore. Perhaps we can bring this ASSERT back
        in a weaker form in the future.

        * runtime/JSCell.h:
        (JSC::JSCell::vptr):
        (JSC::JSCell::zap):
        (JSC::JSCell::isZapped):
        (JSC::isZapped): Made zapping a property of JSCell, for a little abstraction.
        In the future, exactly how a JSCell zaps itself will change, as the
        internal representation of JSCell changes.

2011-09-24  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should not eagerly initialize integer tags in the register file
        https://bugs.webkit.org/show_bug.cgi?id=68763

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedInt32):
        (JSC::DFG::OSRExit::operandForArgument):
        (JSC::DFG::OSRExit::operandForIndex):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2011-09-23  Yuqiang Xian  <yuqiang.xian@intel.com>

        Add JSVALUE32_64 support to DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=67460

        Reviewed by Gavin Barraclough.

        This is the initial attempt to add JSVALUE32_64 support to DFG JIT.
        It's tested on IA32 Linux EFL port currently. It still cannot run
        all the test cases and benchmarks so should be turned off now.
        
        The major work includes:
        1) dealing with JSVALUE32_64 data format in DFG JIT;
        2) bindings between 64-bit JS Value and 32-bit registers;
        3) handling of function calls. Currently for DFG operation function
        calls we follow the X86 cdecl calling convention on Linux, and the
        implementation is in a naive way by pushing the arguments into stack
        one by one.
        
        The known issues include:
        1) some code duplicates unnecessarily, especially in Speculative JIT
        code generation, where most of the operations on SpeculataInteger /
        SpeculateDouble should be identical to the JSVALUE64 code. Refactoring
        is needed in the future;
        2) lack of op_call and op_construct support, comparing to current
        JSVALUE64 DFG;
        3) currently integer speculations assume to be StrictInt32;
        4) lack of JSBoolean speculations;
        5) boxing and unboxing doubles could be improved;
        6) DFG X86 register description is different with the baseline JIT,
        the timeoutCheckRegister is used for general purpose usage;
        7) calls to runtime functions with primitive double parameters (e.g.
        fmod) don't work. Support needs to be added to the assembler to
        implement the mechanism of passing double parameters for X86 cdecl
        convention.
        
        And there should be many other hidden bugs which should be exposed and
        resolved in later debugging process.

        * CMakeListsEfl.txt:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::loadDouble):
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movsd_rm):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::needDataFormatConversion):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::gpr):
        (JSC::DFG::GenerationInfo::tagGPR):
        (JSC::DFG::GenerationInfo::payloadGPR):
        (JSC::DFG::GenerationInfo::fpr):
        (JSC::DFG::GenerationInfo::fillJSValue):
        (JSC::DFG::GenerationInfo::fillCell):
        (JSC::DFG::GenerationInfo::fillDouble):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::allocate):
        (JSC::DFG::JITCodeGenerator::use):
        (JSC::DFG::JITCodeGenerator::registersMatched):
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        (JSC::DFG::JITCodeGenerator::silentFillAllRegisters):
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::addressOfDoubleConstant):
        (JSC::DFG::integerResult):
        (JSC::DFG::jsValueResult):
        (JSC::DFG::setupResults):
        (JSC::DFG::callOperation):
        (JSC::JSValueOperand::JSValueOperand):
        (JSC::JSValueOperand::~JSValueOperand):
        (JSC::JSValueOperand::isDouble):
        (JSC::JSValueOperand::fill):
        (JSC::JSValueOperand::tagGPR):
        (JSC::JSValueOperand::payloadGPR):
        (JSC::JSValueOperand::fpr):
        (JSC::GPRTemporary::~GPRTemporary):
        (JSC::GPRTemporary::gpr):
        (JSC::GPRResult2::GPRResult2):
        * dfg/DFGJITCodeGenerator32_64.cpp: Added.
        (JSC::DFG::JITCodeGenerator::clearGenerationInfo):
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::fillStorage):
        (JSC::DFG::JITCodeGenerator::useChildren):
        (JSC::DFG::JITCodeGenerator::isStrictInt32):
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::isKnownCell):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
        (JSC::DFG::JITCodeGenerator::emitCall):
        (JSC::DFG::JITCodeGenerator::speculationCheck):
        (JSC::DFG::dataFormatString):
        (JSC::DFG::JITCodeGenerator::dump):
        (JSC::DFG::JITCodeGenerator::checkConsistency):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::tagForGlobalVar):
        (JSC::DFG::JITCompiler::payloadForGlobalVar):
        (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        (JSC::DFG::JITCompiler::boxDouble):
        (JSC::DFG::JITCompiler::unboxDouble):
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGJITCompiler32_64.cpp: Added.
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::fillToJS):
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::jitAssertIsInt32):
        (JSC::DFG::JITCompiler::jitAssertIsJSInt32):
        (JSC::DFG::JITCompiler::jitAssertIsJSNumber):
        (JSC::DFG::JITCompiler::jitAssertIsJSDouble):
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        (JSC::DFG::JITCompiler::emitCount):
        (JSC::DFG::JITCompiler::setSamplingFlag):
        (JSC::DFG::JITCompiler::clearSamplingFlag):
        * dfg/DFGJITCompilerInlineMethods.h: Added.
        (JSC::DFG::JITCompiler::emitLoadTag):
        (JSC::DFG::JITCompiler::emitLoadPayload):
        (JSC::DFG::JITCompiler::emitLoad):
        (JSC::DFG::JITCompiler::emitLoad2):
        (JSC::DFG::JITCompiler::emitLoadDouble):
        (JSC::DFG::JITCompiler::emitLoadInt32ToDouble):
        (JSC::DFG::JITCompiler::emitStore):
        (JSC::DFG::JITCompiler::emitStoreInt32):
        (JSC::DFG::JITCompiler::emitStoreCell):
        (JSC::DFG::JITCompiler::emitStoreBool):
        (JSC::DFG::JITCompiler::emitStoreDouble):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueRecovery::inGPR):
        (JSC::DFG::ValueRecovery::inPair):
        (JSC::DFG::ValueRecovery::tagGPR):
        (JSC::DFG::ValueRecovery::payloadGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp: Added.
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::dump):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * runtime/JSValue.h:

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        wtf/BitVector.h has a variety of bugs which manifest when the
        vector grows beyond 63 bits
        https://bugs.webkit.org/show_bug.cgi?id=68746

        Reviewed by Oliver Hunt.
        
        Out-of-lined slow path code in BitVector so that not every user
        of CodeBlock ends up having to compile it. Fixed a variety of
        index computation and size computation bugs.
        
        I have not seen these issues manifest themselves, but they are
        blocking a patch that uses BitVector more aggressively.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/BitVector.cpp: Added.
        (BitVector::BitVector):
        (BitVector::operator=):
        (BitVector::resize):
        (BitVector::clearAll):
        (BitVector::OutOfLineBits::create):
        (BitVector::OutOfLineBits::destroy):
        (BitVector::resizeOutOfLine):
        * wtf/BitVector.h:
        (WTF::BitVector::ensureSize):
        (WTF::BitVector::get):
        (WTF::BitVector::set):
        (WTF::BitVector::clear):
        (WTF::BitVector::byteCount):
        (WTF::BitVector::OutOfLineBits::numWords):
        (WTF::BitVector::OutOfLineBits::bits):
        (WTF::BitVector::outOfLineBits):
        * wtf/CMakeLists.txt:
        * wtf/wtf.pri:

2011-09-23  Adam Klein  <adamk@chromium.org>

        Add ENABLE_MUTATION_OBSERVERS feature flag
        https://bugs.webkit.org/show_bug.cgi?id=68732

        Reviewed by Ojan Vafai.

        This flag will guard an implementation of the "Mutation Observers" proposed in
        http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/1622.html

        * Configurations/FeatureDefines.xcconfig:

2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::getJSNumber
        https://bugs.webkit.org/show_bug.cgi?id=68651

        Reviewed by Oliver Hunt.

        Added a new JSType to check whether or not something is a 
        NumberObject (which includes NumberPrototype) in TypeInfo::isNumberObject because there's not 
        currently a better way to determine whether something is indeed a NumberObject.
        Also de-virtualized JSCell::getJSNumber, having it check the TypeInfo 
        for whether the object is a NumberObject or not.  This patch is part of 
        the larger process of de-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getJSNumber):
        * runtime/JSCell.h:
        (JSC::JSValue::getJSNumber):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isNumberObject):
        * runtime/JSValue.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::getJSNumber):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        Resolve opcodes should have value profiling.
        https://bugs.webkit.org/show_bug.cgi?id=68723

        Reviewed by Oliver Hunt.
        
        This adds value profiling to all forms of op_resolve in the
        old JIT, and patches that information into the DFG along with
        performing the appropriate type propagation.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveGlobalDataIndex):
        (JSC::DFG::Node::hasPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Fix windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-23  Gavin Barraclough  <barraclough@apple.com>

        Strict mode does not work in non-trivial nested functions.
        https://bugs.webkit.org/show_bug.cgi?id=68740

        Reviewed by Oliver Hunt.

        Function-info caching does not preserve all state that it should.

        * parser/JSParser.cpp:
        (JSC::JSParser::Scope::saveFunctionInfo):
        (JSC::JSParser::Scope::restoreFunctionInfo):
        (JSC::JSParser::parseFunctionInfo):
        * parser/SourceProviderCacheItem.h:

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        ValueToDouble handling in prediction propagation should be ASSERT_NOT_REACHED
        https://bugs.webkit.org/show_bug.cgi?id=68724

        Reviewed by Oliver Hunt.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        DFG implementation of PutScopedVar corrupts register allocation
        https://bugs.webkit.org/show_bug.cgi?id=68735

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Make write barriers actually do something when enabled
        https://bugs.webkit.org/show_bug.cgi?id=68717

        Reviewed by Geoffrey Garen.

        Add a basic card marking style write barrier to JSC (currently
        turned off).  This requires two scratch registers in the JIT
        so there was some register re-arranging to satisfy that requirement.
        Happily this produced a minor perf bump in sunspider (~0.5%).

        Turning the barriers on causes an overall regression of around 1.5%

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_i8m):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotCell):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::markCellCard):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CardSet.h: Added.
        (JSC::CardSet::CardSet):
        (JSC::::cardForAtom):
        (JSC::::cardMarkedForAtom):
        (JSC::::markCardForAtom):
        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::addressOfCardFor):
        (JSC::Heap::writeBarrierFastCase):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::setDirtyObject):
        (JSC::MarkedBlock::addressOfCardFor):
        (JSC::MarkedBlock::offsetOfCards):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emitWriteBarrier):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):

2011-09-23  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        https://bugs.webkit.org/show_bug.cgi?id=68077
        SH4 assemblers doesn't refer to executable memory handle.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branch8):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        PutScopedVar nodes should report that it has a var number
        https://bugs.webkit.org/show_bug.cgi?id=68721

        Reviewed by Anders Carlsson.

        Another assertion fix.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVarNumber):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Add a bunch of unhandled node types to the propagator
        https://bugs.webkit.org/show_bug.cgi?id=68716

        Reviewed by Darin Adler.

        Remove the ASSERT_NOT_REACHED() default for debug builds in the
        prediction propagator, this way unhandled nodes will just cause
        compile time failures rather than failing at some point in the
        future.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static version of JSCell::visitChildren
        https://bugs.webkit.org/show_bug.cgi?id=68404

        Reviewed by Darin Adler.

        In this patch we just extract the bodies of the virtual visitChildren methods
        throughout the JSCell inheritance hierarchy out into static methods, which are 
        now called from the virtual methods.  This is an intermediate step in trying to 
        move the virtual-ness of visitChildren into our own custom vtable stored in 
        ClassInfo.  We need to convert the methods to static methods in order to be 
        able to more easily store and refer to them in our custom vtable since normal 
        member methods store some implicit information in their types, making it 
        impossible to store them generically in ClassInfo.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildrenVirtual):
        (JSC::JSCallbackObject::visitChildren):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildrenVirtual):
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::drain):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildrenVirtual):
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildrenVirtual):
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildrenVirtual):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildrenVirtual):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildrenVirtual):
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildrenVirtual):
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildrenVirtual):
        (JSC::JSArray::visitChildren):
        * runtime/JSArray.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::visitChildrenVirtual):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        * runtime/JSCell.h:
        (JSC::JSCell::visitChildrenVirtual):
        (JSC::JSCell::visitChildren):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildrenVirtual):
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildrenVirtual):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildrenVirtual):
        (JSC::JSObject::visitChildren):
        * runtime/JSObject.h:
        (JSC::JSObject::visitChildrenDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildrenVirtual):
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildrenVirtual):
        (JSC::JSStaticScopeObject::visitChildren):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildrenVirtual):
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildrenVirtual):
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildrenVirtual):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildrenVirtual):
        (JSC::ScopeChainNode::visitChildren):
        * runtime/ScopeChain.h:
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildrenVirtual):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildrenVirtual):
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Node propagation doesn't handle PutScopedVar
        https://bugs.webkit.org/show_bug.cgi?id=68713

        Reviewed by Sam Weinig.

        This was causing assertion failures.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Anders Carlsson  <andersca@apple.com>

        Make sure to define OVERRIDE and FINAL for older builds of clang.

        * wtf/Compiler.h:

2011-09-23  Gavin Barraclough  <barraclough@apple.com>

        Implement op_resolve_global in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68704

        Reviewed by Oliver Hunt.

        This is performance neutral, but increases coverage.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveInfoIndex):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-23  Mark Rowe  <mrowe@apple.com>

        Define BUILDING_ON_LION / TARGETING_LION when appropriate in Platform.h.

        * wtf/Platform.h:

2011-09-22  Anders Carlsson  <andersca@apple.com>

        We should add support for OVERRIDE and FINAL annotations
        https://bugs.webkit.org/show_bug.cgi?id=68654

        Reviewed by David Hyatt.

        Add OVERRIDE and FINAL macros for compilers that support them.

        * wtf/Compiler.h:

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        GetScopedVar should have value profiling
        https://bugs.webkit.org/show_bug.cgi?id=68676

        Reviewed by Oliver Hunt.
        
        Added GetScopedVar value profiling and predictin propagation.
        Added GetScopeChain to CSE.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::getScopeChainLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix, part 3.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        Another PPC build fix.

        * runtime/Executable.cpp:
        * runtime/Executable.h:

2011-09-22  Dean Jackson  <dino@apple.com>

        Add ENABLE_CSS_FILTERS
        https://bugs.webkit.org/show_bug.cgi?id=68652

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Incorrect this value passed to callbacks.
        https://bugs.webkit.org/show_bug.cgi?id=68668

        Reviewed by Oliver Hunt.

        From Array/String prototype function.  Should be undefined, but
        global object is passed instead (this is visible for strict callbacks).

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        * runtime/JSArray.cpp:
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
        (JSC::JSArray::sort):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Function.prototype.bind.length shoudl be 1.

        Rubber stamped by Olier Hunt.

        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix.

        * bytecode/CodeBlock.h:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix pt. 2

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix pt. 1

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not support to_primitive or strcat
        https://bugs.webkit.org/show_bug.cgi?id=68582

        Reviewed by Darin Adler.
        
        This adds functional support for to_primitive and strcat. It focuses
        on minimizing the amount of code emitted on to_primitive (if we know
        that it is a primitive or can speculate cheaply, then we omit the
        slow path) and on keeping the implementation of strcat simple while
        leveraging whatever optimizations we have already. In particular,
        unlike the Call and Construct nodes which require extending the size
        of the DFG's callee registers, StrCat takes advantage of the fact
        that no JS code can run while StrCat is in progress and uses a
        scratch buffer, rather than the register file, to store the list of
        values to concatenate. This was done mainly to keep the code simple,
        but there are probably other benefits to keeping call frame sizes
        down. Essentially, this patch ensures that the presence of an
        op_strcat does not mess up any other optimizations we might do while
        ensuring that if you do execute it, it'll work about as well as you'd
        expect.
        
        When combined with the previous patch for integer division, this is a
        14% speed-up on Kraken. Without it, it would have been a 2% loss.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::callOperation):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::scratchBufferForSize):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should support integer division
        https://bugs.webkit.org/show_bug.cgi?id=68597

        Reviewed by Darin Adler.
        
        This adds support for ArithDiv speculating integer, and speculating
        that the result is integer (i.e. remainder = 0).
        
        This is a 4% win on Kraken and a 1% loss on V8.

        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):

2011-09-22  Oliver Hunt  <oliver@apple.com>

        Implement put_scoped_var in the DFG jit
        https://bugs.webkit.org/show_bug.cgi?id=68653

        Reviewed by Gavin Barraclough.

        Naive implementation of put_scoped_var.  Same story as the
        get_scoped_var implementation, although I've hoisted scope
        object acquisition into a separate dfg node.  Ideally in the
        future we would reuse the resolved scope chain object, but
        for now we don't.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::scopeChainDepth):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Implement Function.prototype.bind
        https://bugs.webkit.org/show_bug.cgi?id=26382

        Reviewed by Sam Weinig.

        This patch provides a basic functional implementation
        for Function.bind. It should (hopefully!) be fully
        functionally correct, and the bound functions can be
        called to quickly (since they are a subclass of
        JSFunction, not InternalFunction), but we'll probably
        want to follow up with some optimization work to keep
        bound calls in JIT code.

        * JavaScriptCore.JSVALUE32_64only.exp:
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * jsc.cpp:
        (GlobalObject::addFunction):
        * runtime/CommonIdentifiers.h:
        * runtime/ConstructData.h:
        * runtime/Executable.h:
        (JSC::NativeExecutable::NativeExecutable):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        * runtime/JSBoundFunction.cpp: Added.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::hasInstance):
        (JSC::JSBoundFunction::getOwnPropertySlot):
        (JSC::JSBoundFunction::getOwnPropertyDescriptor):
        (JSC::JSBoundFunction::JSBoundFunction):
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSBoundFunction.h: Added.
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::finishCreation):
        (JSC::createDescriptorForThrowingProperty):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::boundFunctionStructure):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):

2011-09-22  Oliver Hunt  <oliver@apple.com>

        Implement get_scoped_var in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=68640

        Reviewed by Gavin Barraclough.

        Naive implementation of get_scoped_var in the DFG.  Essentially this
        is the bare minimum required to get correct behaviour, so there's no
        load/store coalescing or type profiling involved, even though these
        would be wins.  No impact on SunSpider or V8.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVarNumber):
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::scopeChainDepth):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-22  Adam Roben  <aroben@apple.com>

        Remove FindSafari from all our .sln files

        It isn't used anymore, so there's no point in building it.

        Part of <http://webkit.org/b/68628> Remove FindSafari

        Reviewed by Steve Falkenburg.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        32-bit call code clobbers the function cell tag
        https://bugs.webkit.org/show_bug.cgi?id=68606

        Reviewed by Csaba Osztrogonác.
        
        This is a minimalistic fix: it simply emits code to restore the
        cell tag on the slow path, if we know that we failed due to
        emitCallIfNotType.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallVarargsSlowCase):
        (JSC::JIT::compileOpCallSlowCase):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Add missing addPtr->add32 mapping for X86.

        Rubber stamped by Sam Weinig.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::addPtr):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Add missing addDouble for AbsoluteAddress to X86

        Rubber stamped by Geoff Garen.

        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::addDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addsd_mr):
        (JSC::X86Assembler::cvtsi2sd_rr):
        (JSC::X86Assembler::cvtsi2sd_mr):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Build fix following fix for bug #68586.

        * jit/JIT.cpp:
        * jit/JITInlineMethods.h:

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should be able to compile op_throw
        https://bugs.webkit.org/show_bug.cgi?id=68571

        Reviewed by Geoffrey Garen.
        
        This compiles op_throw in the simplest way possible: it's an OSR
        point back to the old JIT. This is a good step towards increasing
        coverage, particularly on Kraken, but it's neutral because the
        same functions that do throw also use some other unsupported
        opcodes.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG should support continuous optimization
        https://bugs.webkit.org/show_bug.cgi?id=68329

        Reviewed by Geoffrey Garen.
        
        This adds the ability to reoptimize a code block if speculation
        failures happen frequently. 6% speed-up on Kraken, 1% slow-down
        on V8, neutral on SunSpider.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        (JSC::DFG::getOSREntryDataBytecodeIndex):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::~ConservativeRoots):
        (JSC::DummyMarkHook::mark):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::addJettisonCodeBlock):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/JettisonedCodeBlocks.cpp: Added.
        (JSC::JettisonedCodeBlocks::JettisonedCodeBlocks):
        (JSC::JettisonedCodeBlocks::~JettisonedCodeBlocks):
        (JSC::JettisonedCodeBlocks::addCodeBlock):
        (JSC::JettisonedCodeBlocks::clearMarks):
        (JSC::JettisonedCodeBlocks::deleteUnmarkedCodeBlocks):
        (JSC::JettisonedCodeBlocks::traceCodeBlocks):
        * heap/JettisonedCodeBlocks.h: Added.
        (JSC::JettisonedCodeBlocks::mark):
        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::gatherConservativeRoots):
        * interpreter/RegisterFile.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):
        (JSC::EvalExecutable::jettisonOptimizedCode):
        (JSC::ProgramExecutable::jettisonOptimizedCode):
        (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
        (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * wtf/BitVector.h: Added.
        (WTF::BitVector::BitVector):
        (WTF::BitVector::~BitVector):
        (WTF::BitVector::operator=):
        (WTF::BitVector::size):
        (WTF::BitVector::ensureSize):
        (WTF::BitVector::resize):
        (WTF::BitVector::clearAll):
        (WTF::BitVector::get):
        (WTF::BitVector::set):
        (WTF::BitVector::clear):
        (WTF::BitVector::bitsInPointer):
        (WTF::BitVector::maxInlineBits):
        (WTF::BitVector::byteCount):
        (WTF::BitVector::makeInlineBits):
        (WTF::BitVector::OutOfLineBits::numBits):
        (WTF::BitVector::OutOfLineBits::numWords):
        (WTF::BitVector::OutOfLineBits::bits):
        (WTF::BitVector::OutOfLineBits::create):
        (WTF::BitVector::OutOfLineBits::destroy):
        (WTF::BitVector::OutOfLineBits::OutOfLineBits):
        (WTF::BitVector::isInline):
        (WTF::BitVector::outOfLineBits):
        (WTF::BitVector::resizeOutOfLine):
        (WTF::BitVector::bits):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Add X86 GPRInfo for DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=68586

        Reviewed by Geoff Garen.

        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Should support value profiling on CPU(X86)
        https://bugs.webkit.org/show_bug.cgi?id=68575

        Reviewed by Sam Weinig.

        Fix verbose profiling in ToT (SlowCaseProfile had been
        partially renamed to RareCaseProfile), add in-memory
        bucket counter for CPU(X86), move JIT::m_canBeOptimized
        out of the DFG_JIT ifdef.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetRareCaseProfiles):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG does not support compiling functions as constructors
        https://bugs.webkit.org/show_bug.cgi?id=68500

        Reviewed by Oliver Hunt.
        
        This adds support for compiling constructors to the DFG. It's a
        1% speed-up on V8, mostly due to a 6% speed-up on early-boyer.
        It's also a 13% win on access-binary-trees, but it's neutral in
        the SunSpider and Kraken averages.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Replace jsFunctionVPtr compares with a type check on the Structure.
        https://bugs.webkit.org/show_bug.cgi?id=68557

        Reviewed by Oliver Hunt.

        This will permit calls to still optimize to subclasses of JSFunction
        that have the correct type (but a different C++ vptr).

        This patch stops passing the globalData into numerous functions.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isFunctionConstant):
        (JSC::DFG::Graph::valueOfFunctionConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isFunctionConstant):
        (JSC::DFG::JITCompiler::valueOfFunctionConstant):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitJumpIfNotType):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.h:
        (JSC::isHostFunction):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putWithAttributes):
        * runtime/JSObject.h:
        (JSC::getJSFunction):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/JSType.h:

2011-09-21  Geoffrey Garen  <ggaren@apple.com>

        Removed WTFTHREADDATA_MULTITHREADED, making it always true
        https://bugs.webkit.org/show_bug.cgi?id=68549

        Reviewed by Darin Adler.
        
        Another part of making threads exist in WebKit.

        * wtf/WTFThreadData.cpp:
        * wtf/WTFThreadData.h:
        (WTF::wtfThreadData):

2011-09-21  Dan Bernstein  <mitz@apple.com>

        JavaScriptCore Part of: Prevent the WebKit frameworks from defining inappropriately-named Objective-C classes
        https://bugs.webkit.org/show_bug.cgi?id=68451

        Reviewed by Darin Adler.

        * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase that invokes
        check-for-inappropriate-objc-class-names, allowing only class names prefixed with "JS".

2011-09-20  Gavin Barraclough  <barraclough@apple.com>

        MacroAssembler fixes.
        https://bugs.webkit.org/show_bug.cgi?id=68494

        Reviewed by Sam Weinig.

        Add X86-64's 3 operand or32 to other MacroAssembler, fix load32's [const] void* mismatch

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::orPtr):
        (JSC::MacroAssembler::loadPtr):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::or32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::or32):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::or32):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::load32):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::load32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load32):

2011-09-20  Geoffrey Garen  <ggaren@apple.com>

        Some Heap cleanup.

        Reviewed by Beth Dakin.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::blessNewBlock): Removed blessNewBlockForSlowPath()
        because it was unused; renamed blessNewBlockForFastPath() to blessNewBlock()
        since there is only one now.

        * heap/MarkedBlock.h: Removed ownerSet-related stuff since it was unused.
        Updated mark bit overhead calculation. Deployed atomsPerBlock in one
        place where we were recalculating it.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addBlock): Updated for rename.

2011-09-20  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT always speculates integer on modulo
        https://bugs.webkit.org/show_bug.cgi?id=68485

        Reviewed by Oliver Hunt.
        
        Added support for double modulo, which is a call to fmod().
        Also added support for recording the old JIT's statistics
        on op_mod and propagating them along the graph. Finally,
        fixed a goof in the ArithNodeFlags propagation logic that
        was made obvious when I started testing ArithMod.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-20  ChangSeok Oh  <shivamidow@gmail.com>

        [GTK] requestAnimationFrame support for gtk port
        https://bugs.webkit.org/show_bug.cgi?id=66280

        Reviewed by Martin Robinson.

        Let GTK port use REQUEST_ANIMATION_FRAME_TIMER.

        * wtf/Platform.h:

2011-09-20  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT performs too many negative zero checks, and too many
        overflow checks
        https://bugs.webkit.org/show_bug.cgi?id=68430

        Reviewed by Oliver Hunt.
        
        This adds comprehensive support for deciding how to perform an
        arithmetic operations based on a combination of overflow profiling,
        negative zero profiling, value profiling, and a static analysis of
        how the results of these operations get used.
        
        This is a 72% speed-up on stanford-crypto-sha256-iterative, and a
        2.5% speed-up on the Kraken average, a 1.4% speed-up on the V8
        geomean, and neutral on SunSpider. It's also an 8.5% speed-up on
        V8-crypto, because apparenty everything we do speeds up crypto.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::toNumber):
        (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
        (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
        (JSC::DFG::ByteCodeParser::weaklyPredictInt32):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        * dfg/DFGNode.h:
        (JSC::DFG::nodeUsedAsNumber):
        (JSC::DFG::nodeCanTruncateInteger):
        (JSC::DFG::nodeCanIgnoreNegativeZero):
        (JSC::DFG::nodeCanSpeculateInteger):
        (JSC::DFG::arithNodeFlagsAsString):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasArithNodeFlags):
        (JSC::DFG::Node::rawArithNodeFlags):
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::arithNodeFlagsForCompare):
        (JSC::DFG::Node::setArithNodeFlag):
        (JSC::DFG::Node::mergeArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::isNotNegZero):
        (JSC::DFG::Propagator::isNotZero):
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
        (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::propagatePredictionsForward):
        (JSC::DFG::Propagator::propagatePredictionsBackward):
        (JSC::DFG::Propagator::toDouble):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::fixup):
        (JSC::DFG::Propagator::startIndexForChildren):
        (JSC::DFG::Propagator::endIndexForPureCSE):
        (JSC::DFG::Propagator::pureCSE):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::setReplacement):
        (JSC::DFG::Propagator::performNodeCSE):
        (JSC::DFG::Propagator::localCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Refactor Heap allocation logic into separate AllocationSpace class
        https://bugs.webkit.org/show_bug.cgi?id=68409

        Reviewed by Gavin Barraclough.

        This patch hoists direct manipulation of the MarkedSpace and related
        data out of Heap and into a separate class.  This will allow us to
        have multiple allocation spaces in future, so easing the way towards
        having GC'd backing stores for objects.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Added.
        (JSC::AllocationSpace::tryAllocate):
        (JSC::AllocationSpace::allocateSlowCase):
        (JSC::AllocationSpace::allocateBlock):
        (JSC::AllocationSpace::freeBlocks):
        (JSC::TakeIfEmpty::TakeIfEmpty):
        (JSC::TakeIfEmpty::operator()):
        (JSC::TakeIfEmpty::returnValue):
        (JSC::AllocationSpace::shrink):
        * heap/AllocationSpace.h: Added.
        (JSC::AllocationSpace::AllocationSpace):
        (JSC::AllocationSpace::blocks):
        (JSC::AllocationSpace::sizeClassFor):
        (JSC::AllocationSpace::setHighWaterMark):
        (JSC::AllocationSpace::highWaterMark):
        (JSC::AllocationSpace::canonicalizeBlocks):
        (JSC::AllocationSpace::resetAllocator):
        (JSC::AllocationSpace::forEachCell):
        (JSC::AllocationSpace::forEachBlock):
        (JSC::AllocationSpace::allocate):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::objectSpace):
        (JSC::Heap::sizeClassForObject):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed BREWMP* platform #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68425
        
        BREWMP* has no maintainer, and this is dead code.

        Reviewed by Darin Adler.

        * heap/MarkStack.h:
        (JSC::::shrinkAllocation):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        * runtime/TimeoutChecker.cpp:
        (JSC::getCPUTime):
        * wtf/Assertions.cpp:
        * wtf/Assertions.h:
        * wtf/CurrentTime.cpp:
        * wtf/DateMath.cpp:
        (WTF::calculateUTCOffset):
        * wtf/FastMalloc.cpp:
        (WTF::fastMalloc):
        (WTF::fastCalloc):
        (WTF::fastMallocSize):
        * wtf/FastMalloc.h:
        * wtf/MainThread.cpp:
        * wtf/MathExtras.h:
        * wtf/OwnPtrCommon.h:
        * wtf/Platform.h:
        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):
        * wtf/RandomNumberSeed.h:
        (WTF::initializeRandomNumberGenerator):
        * wtf/text/WTFString.h:
        * wtf/unicode/Unicode.h:

2011-09-20  Adam Roben  <aroben@apple.com>

        Windows build fix after r95523

        * wtf/CheckedArithmetic.h: Added stdint.h so we can have int64_t defined.

2011-09-18  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not speculate aggressively enough on GetById
        https://bugs.webkit.org/show_bug.cgi?id=68320

        Reviewed by Oliver Hunt.
        
        This adds the ability to access properties directly, by offset.
        This optimization kicks in when at the time of DFG compilation,
        it appears that the given get_by_id is self-cached by the old JIT.
        Two new opcodes get introduced: CheckStructure and GetByOffset.
        CheckStructure performs a speculation check on the object's
        structure, and returns the storage pointer. GetByOffset performs
        a direct read of the field from the storage pointer. Both
        CheckStructure and GetByOffset can be CSE'd, so that we can
        eliminate redundant structure checks, and redundant reads of the
        same field.
        
        This is a 4% speed-up on V8, a 2% slow-down on Kraken, and
        neutral on SunSpider.

        * bytecode/PredictedType.cpp:
        (JSC::predictionFromClassInfo):
        (JSC::predictionFromStructure):
        (JSC::predictionFromCell):
        * bytecode/PredictedType.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        (JSC::DFG::needDataFormatConversion):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::spill):
        (JSC::DFG::GenerationInfo::fillStorage):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::fillStorage):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::JITCodeGenerator::storageResult):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::~StorageOperand):
        (JSC::DFG::StorageOperand::index):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        * dfg/DFGNode.h:
        (JSC::DFG::OpInfo::OpInfo):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasPrediction):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::structure):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::storageAccessDataIndex):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * wtf/StdLibExtras.h:
        (WTF::safeCast):

2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove toPrimitive from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67875

        Reviewed by Darin Adler.

        Part of the refactoring process to un-virtualize JSCell.  We move 
        all of the implicit functionality provided by the virtual toPrimitive method 
        in JSCell to be explicit in JSValue::toPrimitive and JSCell:toPrimitive while 
        also de-virtualizing JSCell::toPrimitive.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toPrimitive):
        * runtime/JSCell.h:

        We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
        JSObject.  This pushes the virtual method further down, enabling us to get rid 
        of the virtual call in JSCell.  Eventually we'll probably have to deal with this
        again, but we'll cross that bridge when we come to it.
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::defaultValue):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed ENABLE_LAZY_BLOCK_FREEING and related #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68424

        As discussed on webkit-dev. All ports build with threads enabled in JSC now.
        
        This may break WinCE and other ports that have not built and tested with
        this configuration. I've filed bugs for port maintainers. It's time for
        WebKit to move forward.

        Reviewed by Mark Rowe.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::destroy):
        (JSC::Heap::blockFreeingThreadMain):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::releaseFreeBlocks):
        * heap/Heap.h:
        * wtf/Platform.h:

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed ENABLE_WTF_MULTIPLE_THREADS and related #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68423

        As discussed on webkit-dev. All ports build with threads enabled in WTF now.
        
        This may break WinCE and other ports that have not built and tested with
        this configuration. I've filed bugs for port maintainers. It's time for
        WebKit to move forward.

        Reviewed by Mark Rowe.

        * wtf/CryptographicallyRandomNumber.cpp:
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):
        * wtf/FastMalloc.cpp:
        * wtf/Platform.h:
        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):
        * wtf/RefCountedLeakCounter.cpp:
        (WTF::RefCountedLeakCounter::increment):
        (WTF::RefCountedLeakCounter::decrement):
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):
        * wtf/ThreadingWin.cpp:
        (WTF::initializeThreading):
        * wtf/dtoa.cpp:
        (WTF::pow5mult):
        * wtf/gtk/ThreadingGtk.cpp:
        (WTF::initializeThreading):
        * wtf/qt/ThreadingQt.cpp:
        (WTF::initializeThreading):

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed ENABLE_JSC_MULTIPLE_THREADS and related #ifdefs.
        https://bugs.webkit.org/show_bug.cgi?id=68422
        
        As discussed on webkit-dev. All ports build with threads enabled in JSC now.
        
        This may break WinCE and other ports that have not built and tested with
        this configuration. I've filed bugs for port maintainers. It's time for
        WebKit to move forward.

        Reviewed by Sam Weinig.

        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        * API/JSContextRef.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        (JSC::initializeThreading):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::sharedInstance):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::makeUsableFromMultipleThreads):
        * runtime/JSLock.cpp:
        * runtime/Structure.cpp:
        * wtf/Platform.h:

2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95493 and r95496.
        http://trac.webkit.org/changeset/95493
        http://trac.webkit.org/changeset/95496
        https://bugs.webkit.org/show_bug.cgi?id=68418

        Broke Windows build (Requested by rniwa on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Removed.
        * heap/AllocationSpace.h: Removed.
        * heap/Heap.cpp:
        (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
        (JSC::CountFunctor::TakeIfEmpty::operator()):
        (JSC::CountFunctor::TakeIfEmpty::returnValue):
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::tryAllocate):
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::markedSpace):
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock):
        (JSC::Heap::sizeClassFor):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Gavin Barraclough  <barraclough@apple.com>

        Errrk, missed stylebot comments in last commit.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):

2011-09-19  Gavin Barraclough  <barraclough@apple.com>

        String#split is buggy
        https://bugs.webkit.org/show_bug.cgi?id=68348

        Reviewed by Sam Weinig.

        * runtime/StringPrototype.cpp:
        (JSC::jsStringWithReuse):
            - added helper function to reuse original JSString value.
        (JSC::stringProtoFuncSplit):
            - Rewritten from the spec.
        * tests/mozilla/ecma/String/15.5.4.8-2.js:
        (getTestCases):
            - This test is not ES5 compliant.

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed lots of friend declarations from JSCell, so we can more
        effectively make use of private and protected.

        Reviewed by Sam Weinig.

        * runtime/JSCell.h: Removed MSVCBugWorkaround because it was a lot of
        confusion for not much safety.
        (JSC::JSCell::operator new): Made this public because it is used by a
        few clients, and not really dangerous.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::createInheritorID):
        (JSC::JSObject::allocatePropertyStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectLocation):
        (JSC::JSObject::hasCustomProperties):
        (JSC::JSObject::hasGetterSetterProperties):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::prototype):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect): Changed all use of m_structure to
        structure() / setStructure(), so we don't have to be a friend of JSCell.

        * runtime/Structure.h:
        (JSC::JSCell::setStructure): Added, to avoid direct access by JSObject
        to JSCell::m_structure.

2011-09-19  Adam Barth  <abarth@webkit.org>

        Always enable ENABLE(EVENTSOURCE)
        https://bugs.webkit.org/show_bug.cgi?id=68414

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-09-19  Eli Fidler  <efidler@rim.com>

        Enable JSC_MULTIPLE_THREADS for OS(QNX).
        https://bugs.webkit.org/show_bug.cgi?id=68047

        Reviewed by Daniel Bates.

        SA_RESTART was required for SIGUSR2-based debugging, but is not
        present on QNX. This debugging doesn't seem critical to
        JSC_MULTIPLE_THREADS, so allow it to proceed.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Thread):
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):
        (JSC::freePlatformThreadRegisters):
        * wtf/Platform.h: enable PTHREADS for OS(QNX)

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Refactor Heap allocation logic into separate AllocationSpace class
        https://bugs.webkit.org/show_bug.cgi?id=68409

        Reviewed by Gavin Barraclough.

        This patch hoists direct manipulation of the MarkedSpace and related
        data out of Heap and into a separate class.  This will allow us to
        have multiple allocation spaces in future, so easing the way towards
        having GC'd backing stores for objects.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Added.
        (JSC::AllocationSpace::tryAllocate):
        (JSC::AllocationSpace::allocateSlowCase):
        (JSC::AllocationSpace::allocateBlock):
        (JSC::AllocationSpace::freeBlocks):
        (JSC::TakeIfEmpty::TakeIfEmpty):
        (JSC::TakeIfEmpty::operator()):
        (JSC::TakeIfEmpty::returnValue):
        (JSC::AllocationSpace::shrink):
        * heap/AllocationSpace.h: Added.
        (JSC::AllocationSpace::AllocationSpace):
        (JSC::AllocationSpace::blocks):
        (JSC::AllocationSpace::sizeClassFor):
        (JSC::AllocationSpace::setHighWaterMark):
        (JSC::AllocationSpace::highWaterMark):
        (JSC::AllocationSpace::canonicalizeBlocks):
        (JSC::AllocationSpace::resetAllocator):
        (JSC::AllocationSpace::forEachCell):
        (JSC::AllocationSpace::forEachBlock):
        (JSC::AllocationSpace::allocate):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::objectSpace):
        (JSC::Heap::sizeClassForObject):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Adam Roben  <aroben@apple.com>

        Windows build fix after r95310

        * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added
        include\private\JavaScriptCore to the include path so DFGIntrinsic.h can be found.

2011-09-19  Filip Pizlo  <fpizlo@apple.com>

        DFG speculation failures should act as additional value profiles
        https://bugs.webkit.org/show_bug.cgi?id=68335

        Reviewed by Oliver Hunt.
        
        This adds slow-case counters to the old JIT. It also ensures that
        negative zero in multiply is handled carefully. The old JIT
        previously took slow path if the result of a multiply was zero,
        which, without any changes, would cause the DFG to think that
        every such multiply produced a double result.
        
        This also fixes a bug in the old JIT's handling of decrements. It
        would take the slow path if the result was zero, but not if it
        underflowed.
        
        By itself, this would be a 1% slow-down on V8 and Kraken. But then
        I wrote optimizations in the DFG that take advantage of this new
        information. It's no longer the case that every multiply needs to
        do a check for negative zero; it only happens if the negative
        zero is ignored.
        
        This results in a 12% speed-up on v8-crypto, for a 1.4% geomean
        speed-up in V8. It's mostly neutral on Kraken. I can see an
        0.5% slow-down and it appears to be significant.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetRareCaseProfiles):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * bytecode/ValueProfile.h:
        (JSC::RareCaseProfile::RareCaseProfile):
        (JSC::getRareCaseProfileBytecodeOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::linkDummySlowCase):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_post_dec):
        (JSC::JIT::emit_op_pre_dec):
        (JSC::JIT::compileBinaryArithOp):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        * jit/JITInlineMethods.h:
        (JSC::JIT::addSlowCase):

2011-09-19  Adam Roben  <aroben@apple.com>

        Windows build fix after r94575

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Relinearized project dependencies. testRegExp
        now builds just before FindSafari.

2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95466.
        http://trac.webkit.org/changeset/95466
        https://bugs.webkit.org/show_bug.cgi?id=68389

        Incorrect version of the patch. (Requested by mhahnenberg on
        #webkit).

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toPrimitive):
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::toPrimitive):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::toPrimitive):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:

2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove toPrimitive from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67875

        Reviewed by Geoffrey Garen.

        Part of the refactoring process to un-virtualize JSCell.  We move 
        all of the implicit functionality provided by the virtual toPrimitive method 
        in JSCell to be explicit in JSValue::toPrimitive and JSCell:toPrimitive while 
        also de-virtualizing JSCell::toPrimitive.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toPrimitive):
        * runtime/JSCell.h:

        We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
        JSObject.  This pushes the virtual method further down, enabling us to get rid 
        of the virtual call in JSCell.  Eventually we'll probably have to deal with this
        again, but we'll cross that bridge when we come to it.
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::defaultValue):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        (JSC::JSValue::toPrimitive):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetDirectOffset):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Rename NewSpace.{h,cpp} to MarkedSpace.{h,cpp}
        https://bugs.webkit.org/show_bug.cgi?id=68376

        Reviewed by Gavin Barraclough.

        Renamed the the MarkedSpace files to match new name, and
        updated the relevant references.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.h:
        * heap/MarkedSpace.cpp: Renamed from Source/JavaScriptCore/heap/NewSpace.cpp.
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::addBlock):
        (JSC::MarkedSpace::removeBlock):
        (JSC::MarkedSpace::resetAllocator):
        (JSC::MarkedSpace::canonicalizeBlocks):
        * heap/MarkedSpace.h: Renamed from Source/JavaScriptCore/heap/NewSpace.h.
        (JSC::MarkedSpace::waterMark):
        (JSC::MarkedSpace::highWaterMark):
        (JSC::MarkedSpace::setHighWaterMark):
        (JSC::MarkedSpace::sizeClassFor):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
        * runtime/JSCell.h:

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Rename NewSpace to MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=68375

        Reviewed by Gavin Barraclough.

        Rename NewSpace to a more accurate name, and update all uses.
        This patch doesn't rename the files themselves as that will
        just make the patch appear bigger than it is.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Heap.cpp:
        (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
        (JSC::CountFunctor::TakeIfEmpty::operator()):
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::tryAllocate):
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::isValidAllocation):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::markedSpace):
        (JSC::Heap::sizeClassFor):
        (JSC::Heap::allocate):
        * heap/NewSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::addBlock):
        (JSC::MarkedSpace::removeBlock):
        (JSC::MarkedSpace::resetAllocator):
        (JSC::MarkedSpace::canonicalizeBlocks):
        * heap/NewSpace.h:
        (JSC::MarkedSpace::waterMark):
        (JSC::MarkedSpace::highWaterMark):
        (JSC::MarkedSpace::setHighWaterMark):
        (JSC::MarkedSpace::sizeClassFor):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):

2011-09-19  Peter Rybin  <peter.rybin@gmail.com>

        TextPosition refactoring: Merge ZeroBasedNumber and OneBasedNumber classes
        https://bugs.webkit.org/show_bug.cgi?id=63541

        Reviewed by Adam Barth.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::startPosition):
        * wtf/text/TextPosition.h:
        (WTF::OrdinalNumber::fromZeroBasedInt):
        (WTF::OrdinalNumber::fromOneBasedInt):
        (WTF::OrdinalNumber::OrdinalNumber):
        (WTF::OrdinalNumber::zeroBasedInt):
        (WTF::OrdinalNumber::oneBasedInt):
        (WTF::OrdinalNumber::operator==):
        (WTF::OrdinalNumber::operator!=):
        (WTF::OrdinalNumber::first):
        (WTF::OrdinalNumber::beforeFirst):
        (WTF::TextPosition::TextPosition):
        (WTF::TextPosition::minimumPosition):
        (WTF::TextPosition::belowRangePosition):

2011-09-19  Dan Bernstein  <mitz@apple.com>

        JavaScriptCore part of [mac] WebKit contains Objective-C classes that are not prefixed with its standard prefixes
        https://bugs.webkit.org/show_bug.cgi?id=68323

        Reviewed by Sam Weinig.

        Renamed WTFMainThreadCaller to JSWTFMainThreadCaller.

        * wtf/mac/MainThreadMac.mm:
        (WTF::initializeMainThreadPlatform):
        (WTF::initializeMainThreadToProcessMainThreadPlatform):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Remove direct property slot pointers from the instruction stream
        https://bugs.webkit.org/show_bug.cgi?id=68373

        Reviewed by Gavin Barraclough.

        Use an indirect load to access prototype properties rather than directly
        storing the property address in the instruction stream.  This should allow
        further optimisations in future, and also provides a 0.5% win to sunspider.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetDirectOffset):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetDirectOffset):
        * runtime/JSObject.h:
        (JSC::JSObject::addressOfPropertyStorage):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Remove bump allocator
        https://bugs.webkit.org/show_bug.cgi?id=68370

        Reviewed by Sam Weinig.

        Can't do anything with this allocator currently, and it's
        increasing the complexity of the GC code.  Slight progression
        on SunSpider, slight regression (undoing the original progression)
        in V8.

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        (JSC::NewSpace::allocate):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::visitChildrenDirect):
        * runtime/StorageBarrier.h:
        (JSC::StorageBarrier::set):

2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Fix distcheck build
        https://bugs.webkit.org/show_bug.cgi?id=68346

        Reviewed by Philippe Normand.

        * GNUmakefile.list.am:

2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Fix distcheck build
        https://bugs.webkit.org/show_bug.cgi?id=68241

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am:

2011-09-18  Dan Bernstein  <mitz@apple.com>

        Removed ProfilerServer.

        Reviewed by Mark Rowe.

        * JavaScriptCore.gypi:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * profiler/ProfilerServer.h: Removed.
        * profiler/ProfilerServer.mm: Removed.
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * wscript:

2011-09-17  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should inline Math.min, Math.max, and Math.sqrt
        https://bugs.webkit.org/show_bug.cgi?id=68318

        Reviewed by Gavin Barraclough.
        
        Adds Math.min, Math.max, and Math.sqrt intrinsics. Adds support for
        a function to have an intrinsic but not a thunk generator. This is
        a 7% speed-up on access-nbody, and neutral elsewhere, mainly because
        we're still not DFG compiling the bulk of the hot code in Kraken audio
        benchmarks.

        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGIntrinsic.h:
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):

2011-09-18  Nico Weber  <thakis@chromium.org>

        Remove two files from JavaScriptCore.gypi that were removed in r95240
        https://bugs.webkit.org/show_bug.cgi?id=68327

        Unreviewed, build warning fix.

        * JavaScriptCore.gypi:

2011-09-17  Oliver Hunt  <oliver@apple.com>

        Remove special case handling of inline storage from the JIT
        https://bugs.webkit.org/show_bug.cgi?id=68319

        Reviewed by Gavin Barraclough.

        Simplify logic used for reading and writing to property storage
        by removing the special cases for inline storage.  This has no
        perf impact.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryBuildGetByIDList):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompileGetByIdSelfList):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompileGetByIdSelfList):

2011-09-17  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not have full block-local CSE
        https://bugs.webkit.org/show_bug.cgi?id=68316

        Reviewed by Oliver Hunt.
        
        This adds block-local CSE to the DFG. CSE runs in the propagator just after
        type propagation. It is part of the propagator itself because it needs to
        use the propagator's internal data structures to determine which operations
        may have side effects. Because it changes the live-ranges of nodes, the
        virtual register allocator had to be moved into the propagator so that it
        runs after CSE. To ensure that the back-end knows to keep the inputs to
        any eliminated node alive for OSR, a new node type, Phantom, was introduced.
        It is a no-op but prolonges the live-range of its inputs.
        
        This is an 80% speed-up on imaging-gaussian-blur, and a 10% speed-up on
        Kraken.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAliasTracker.h: Removed.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::MethodCheckData::operator==):
        (JSC::DFG::MethodCheckData::operator!=):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVirtualRegister):
        (JSC::DFG::Node::setRefCount):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::canonicalize):
        (JSC::DFG::Propagator::computeStartIndex):
        (JSC::DFG::Propagator::startIndex):
        (JSC::DFG::Propagator::pureCSE):
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::performSubstitution):
        (JSC::DFG::Propagator::setReplacement):
        (JSC::DFG::Propagator::performNodeCSE):
        (JSC::DFG::Propagator::performBlockCSE):
        (JSC::DFG::Propagator::localCSE):
        (JSC::DFG::Propagator::allocateVirtualRegisters):
        (JSC::DFG::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        method_check should repatch itself if it finds that the new structure(s)
        are the result of transitions from the old structure(s)
        https://bugs.webkit.org/show_bug.cgi?id=68294

        Reviewed by Gavin Barraclough.
        
        Previously a patched method_check would slow-path to get_by_id. Now it
        slow-paths to method_check_update, which attempts to correct the
        method_check due to structure transitions before bailing to get_by_id.
        
        This is a 1-2% speed-up on some benchmarks and is not a slow-down
        anywhere, leading to a 0.6% speed-up on the Kraken geomean.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * runtime/Structure.h:
        (JSC::Structure::transitivelyTransitionedFrom):

2011-09-16  Ryosuke Niwa  <rniwa@webkit.org>

        Touch Platform.h in the hope to fix SnowLeopard Intel Release (WebKit2 Tests).

        * wtf/Platform.h:

2011-09-16  Sam Weinig  <sam@webkit.org>

        Rename APIValueWrapper type to APIValueWrapperType for consistency
        https://bugs.webkit.org/show_bug.cgi?id=68306

        Reviewed by Anders Carlsson.

        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        Update name.

        * runtime/JSType.h:
        Update name and un-indent.

        * runtime/Structure.h:
        (JSC::JSCell::isAPIValueWrapper):
        Update name.

2011-09-16  Sam Weinig  <sam@webkit.org>

        Remove unused isStrictModeFunction function
        https://bugs.webkit.org/show_bug.cgi?id=68305

        Reviewed by Anders Carlsson.

        * runtime/JSObject.h:
        (JSC::JSObject::isStrictModeFunction):

2011-09-16  Sam Weinig  <sam@webkit.org>

        Cleanup JSTypeInfo a bit
        https://bugs.webkit.org/show_bug.cgi?id=68289

        Reviewed by Anders Carlsson.

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        Replace direct access to flags() with predicate.

        * runtime/JSObject.h:
        (JSC::JSFinalObject::createStructure):
        Pass FinalObjectType instead of using special IsJSFinalObject.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        Add additional assert that you should no object should OverridesHasInstance but not have ImplementsHasInstance set.

        (JSC::TypeInfo::isFinalObject):
        Added.

        (JSC::TypeInfo::masqueradesAsUndefined):
        (JSC::TypeInfo::implementsHasInstance):
        (JSC::TypeInfo::isEnvironmentRecord):
        (JSC::TypeInfo::overridesHasInstance):
        (JSC::TypeInfo::implementsDefaultHasInstance):
        (JSC::TypeInfo::overridesGetOwnPropertySlot):
        (JSC::TypeInfo::overridesVisitChildren):
        (JSC::TypeInfo::overridesGetPropertyNames):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        (JSC::TypeInfo::isSetOnFlags1):
        (JSC::TypeInfo::isSetOnFlags2):
        Replace direct bit twiddling with helper functions.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        Use new isFinalObject() predicate.

2011-09-16  Gavin Barraclough  <barraclough@apple.com>

        Unsigned bit shift fails under certain conditions in 32 bit builds
        https://bugs.webkit.org/show_bug.cgi?id=68166

        Reviewed by Geoff Garen.

        The major bug here is that the slow case (which handles shifts of
        doubles) doesn't check for negative results from an unsigned shift
        (which should be unsigned, and as such can't be represented by a
        signed integer immediate).  The implementation is also flawed for
        shifts by negative shift amounts (treats as shift by zero).

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):

2011-09-16  Geoffrey Garen  <ggaren@apple.com>

        Removed undetectable style.filter.

        Reviewed by Sam Weinig.
        
        This feature was added in http://trac.webkit.org/changeset/15557 to
        support housingmaps.com. But housingmaps.com no longer needs this hack,
        we don't know of other websites that need it, and we don't know of
        any other browsers that have implemented this feature.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSTypeInfo.h:
        * runtime/StringObjectThatMasqueradesAsUndefined.h: Removed.

2011-09-15  Sam Weinig  <sam@webkit.org>

        Prepare JSTypes for more Object subtypes
        https://bugs.webkit.org/show_bug.cgi?id=68200

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchIfNotObject):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitJumpIfNotObject):
        * runtime/JSGlobalObject.h:
        (JSC::Structure::prototypeForLookup):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::type):
        (JSC::TypeInfo::isObject):
        (JSC::TypeInfo::isFinal):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/Operations.cpp:
        (JSC::jsIsObjectType):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:
        (JSC::Structure::isObject):
        (JSC::JSCell::isObject):

2011-09-16  Geoffrey Garen  <ggaren@apple.com>

        Rolled back in r95201 with test failure fixed.
        
        I missed two cases of jumpSlowToHot in rshift -- these cases need to be
        sure to initialize regT1 to the int tag, since it will otherwise hold
        the top 32 bits of a double.

        * jit/JIT.h:
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitnot):
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        (JSC::JIT::emit_op_pre_inc):
        (JSC::JIT::emit_op_pre_dec):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitStoreAndMapInt32):

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed Windows build fix after 95318.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-16  Adam Roben  <aroben@apple.com>

        Windows build fix after r95310

        * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Added include\private\JavaScriptCore to the
        include path so DFGIntrinsic.h can be found.

2011-09-16  Gavin Barraclough  <barraclough@apple.com>

        Rationalize JSObject::putDirect* methods
        https://bugs.webkit.org/show_bug.cgi?id=68274

        Reviewed by Sam Weinig.
        
        Delete the *Function variants. These are overall inefficient,
        in the way they get the name back from the function rather
        than just passing it in.

        * JavaScriptCore.exp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putWithAttributes):
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::lookupPut):

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for Windows.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-DFG builds.

        * runtime/Executable.h:
        (JSC::NativeExecutable::finishCreation):

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should inline Math.abs
        https://bugs.webkit.org/show_bug.cgi?id=68227

        Reviewed by Oliver Hunt.
        
        This adds the ability to track intrinsic functions throughout the
        host function infrastructure, so that the DFG can easily query
        whether or not a call's target is intrinsic, and if so, which
        intrinsic it is.
        
        On top of this, it adds Math.abs intrinsics to DFG. Call(Math.abs)
        is transformed into ValueToNumber<-ArithAbs nodes. These nodes
        then get optimized using the usual tricks.
        
        Also had to make a completely unrelated change to
        DateInstanceCache.h in order to fix a preexisting alphabetical
        sorting problem in JSGlobalData.h
        
        This results in a big win in imaging-gaussian-blur: 61% faster
        than before. The net win on Kraken is around 13%.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isFunctionConstant):
        (JSC::DFG::Graph::valueOfFunctionConstant):
        * dfg/DFGIntrinsic.h: Added.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::isFunctionConstant):
        (JSC::DFG::JITCodeGenerator::valueOfFunctionConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isFunctionConstant):
        (JSC::DFG::JITCompiler::valueOfFunctionConstant):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * runtime/DateInstanceCache.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::intrinsic):
        (JSC::NativeExecutable::intrinsic):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::initialize):
        (JSC::HashEntry::intrinsic):

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences
        using Domino's online ordering
        https://bugs.webkit.org/show_bug.cgi?id=68220

        Reviewed by Oliver Hunt.
        
        Weak handle processing can result in new objects being marked, which
        results in new WeakReferencesHarvesters being added. But weak
        reference harvesters are only processed before weak handle processing,
        so there's the risk that a weak reference harvester will persist
        until the next collection, by which time it may have been deleted.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):

2011-09-16  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r95201): It made two tests fail
        https://bugs.webkit.org/show_bug.cgi?id=68230

        Unreviewed rolling out r95201.

        * jit/JIT.h:
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitnot):
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        (JSC::JIT::emit_op_pre_inc):
        (JSC::JIT::emit_op_pre_dec):
        * jit/JITInlineMethods.h:

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not optimize method_check
        https://bugs.webkit.org/show_bug.cgi?id=68215

        Reviewed by Oliver Hunt.
        
        MethodCallLinkInfo and StructureStubInfo are now searchable by
        bytecodeIndex, so that DFG::ByteCodeParser can use that information
        to determine how to optimize GetMethod.
        
        A new node op has been added to DFG: CheckMethod. This is a variant
        of GetMethod that has been optimized for the case that GetMethod
        always takes the fast path. CheckMethod results in only a very
        small amount of code (two loads and two branches in the worst case,
        one load and one branch in the best case). CheckMethod behaves as
        if it were a constant.  
        
        Introduced the notion that a DFG node that is not JSConstant
        behaves as a constant. CheckMethod uses this functionality.
        
        This is a 3% speed-up on Kraken, and a small speed-up on V8.
        Appears to be neutral on SunSpider.

        * bytecode/CodeBlock.h:
        (JSC::getStructureStubInfoBytecodeIndex):
        (JSC::getMethodCallLinkInfoBytecodeIndex):
        * bytecode/PredictedType.cpp:
        (JSC::predictionFromCell):
        (JSC::predictionFromValue):
        * bytecode/PredictedType.h:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordGetMethod):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::getMethodCheckPrediction):
        (JSC::DFG::Graph::getPrediction):
        (JSC::DFG::Graph::isConstant):
        (JSC::DFG::Graph::isJSConstant):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        (JSC::DFG::Graph::valueOfJSConstantNode):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillFPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::fillToJS):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasMethodCheckData):
        (JSC::DFG::Node::methodCheckDataIndex):
        (JSC::DFG::Node::valueOfJSConstant):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
        (JSC::MethodCallCompilationInfo::MethodCallCompilationInfo):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::structureAddress):

2011-09-15  Adam Barth  <abarth@webkit.org>

        Rename ENABLE(DATABASE) to ENABLE(SQL_DATABASE)
        https://bugs.webkit.org/show_bug.cgi?id=68205

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-09-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (7/7)
        https://bugs.webkit.org/show_bug.cgi?id=68122

        Reviewed by Geoffrey Garen.

        Completed the seventh and final level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        JSCallbackObject was missed in previous patches due to the fact that 
        it's non-obvious (at least to my script) that it is in the JSCell hierarchy, so 
        this is just a bit of retroactive cleanup.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        The DFG non-speculative JIT is no longer used and should be removed.
        https://bugs.webkit.org/show_bug.cgi?id=68177

        Reviewed by Geoffrey Garen.
        
        This removes the non-speculative JIT and everything that relied on it,
        including the ability to turn on DFG but not tiered compilation the,
        ability to perform speculation failure into non-speculative JIT code,
        and the ability to statically terminate speculation.

        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoopHint):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp: Removed.
        * dfg/DFGNonSpeculativeJIT.h: Removed.
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGPropagator.cpp:
        * dfg/DFGPropagator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::osrExits):
        (JSC::DFG::SpeculativeJIT::speculationRecovery):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCode.h:
        (JSC::JITCode::bottomTierJIT):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        * wtf/Platform.h:

2011-09-15  Eric Seidel  <eric@webkit.org>

        Remove ENABLE(SVG_AS_IMAGE) since all major ports have it on by default
        https://bugs.webkit.org/show_bug.cgi?id=68182

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT sometimes asserts that a value is not a number
        even when it doesn't know anything about the number
        https://bugs.webkit.org/show_bug.cgi?id=68189

        Reviewed by Oliver Hunt.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::isUnknownJS):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        All of the functionality in the non-speculative JIT should be
        available to the speculative JIT via helper methods
        https://bugs.webkit.org/show_bug.cgi?id=68186

        Reviewed by Oliver Hunt.
        
        Stole all of the goodness from NonSpeculativeJIT and placed it
        in JITCodeGenerator.  Left all of the badness (i.e. subtle code
        duplication with SpeculativeJIT, etc).  This is in preparation
        for removing the NonSpeculativeJIT entirely, but having its
        goodness available for reuse in the SpeculativeJIT if necessary.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeAdd):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeArithSub):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:

2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95167.
        http://trac.webkit.org/changeset/95167
        https://bugs.webkit.org/show_bug.cgi?id=68191

        Patch needs further work. (Requested by mhahnenberg on
        #webkit).

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toBoolean):
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::toBoolean):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::toBoolean):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::toBoolean):

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for platforms that expect a linkable symbol
        for primitive static const's.

        * bytecode/CodeBlock.h:
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for assertion on existence of alternative
        CodeBlock.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Value profiles collect no information for global variables
        https://bugs.webkit.org/show_bug.cgi?id=68143

        Reviewed by Geoffrey Garen.
        
        17% speed-up on string-fasta.  Neutral elsewhere.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_global_var):

2011-09-15  Eric Seidel  <eric@webkit.org>

        Remove ENABLE_SVG_ANIMATION as all major ports have it on by default
        https://bugs.webkit.org/show_bug.cgi?id=68022

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2011-09-15  Gavin Barraclough  <barraclough@apple.com>

        Ooops, revert accidentally commited unreviewed changes.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        * jit/JSInterfaceJIT.h:
        * runtime/JSValue.h:

2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95163.
        http://trac.webkit.org/changeset/95163
        https://bugs.webkit.org/show_bug.cgi?id=68180

        [Qt] The QT_GCC_X variables were removed in Qt5 by accident.
        (Requested by darktears on #webkit).

        * JavaScriptCore.pro:

2011-09-15  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix p1.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        * jit/JSInterfaceJIT.h:
        * runtime/JSValue.h:

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Tiered compilation should be enabled by default on platforms
        that support the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68136

        Reviewed by Sam Weinig.
        
        Neutral on SunSpider, 4% speed-up on V8, and 19% speed-up on
        Kraken.  Large progressions on some benchmarks, including
        3x on imaging-desaturate.

        * wtf/Platform.h:

2011-09-15  Gavin Barraclough  <barraclough@apple.com>

        devirtualize preventExtensions
        https://bugs.webkit.org/show_bug.cgi?id=68176

        Reviewed by Oliver Hunt.

        This is virtual due to problems in JSFunction putting the prototype
        property, but we can fix this problem a different way, just setting
        the checkReadOnly flag to false in the put.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:

2011-09-15  Geoffrey Garen  <ggaren@apple.com>

        Value chaining for JSValue32_64 bitops.

        Reviewed by Sam Weinig.
        
        SunSpider says 2.3% faster, v8 ~1% faster (mostly due to crypto).

        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitStoreAndMapInt32): New int32 helper function for stores
        that can chain their results, which is the common case.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitnot):
        (JSC::JIT::emit_op_pre_inc):
        (JSC::JIT::emit_op_pre_dec): Deployed new function.
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec): Had to reorder these functions so they
        computed their result values last, to make them elligible for chaining.

2011-09-15  Adam Roben  <aroben@apple.com>

        Clang build fix after r95172

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
        Added parentheses to make precendence clear.

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG does not speculate aggressively enough on comparisons
        https://bugs.webkit.org/show_bug.cgi?id=68138

        Reviewed by Oliver Hunt.
        
        This is a 75% speed-up on Kraken/ai-astar.  It's a 1% win on
        V8 and an 8.5% win on Kraken.  Neutral on SunSpider.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not leverage integer speculations on branches
        https://bugs.webkit.org/show_bug.cgi?id=68140

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isStrictInt32):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-14  Gavin Barraclough  <barraclough@apple.com>

        [n]stricteq code is bogus in JSValue32_64 JIT
        https://bugs.webkit.org/show_bug.cgi?id=68141

        Reviewed by Sam Weinig.

        The code tries to check for both ints or cells, but this check also
        catches cases where values that are undefined, null, etc (probably
        was incorrectly assuming cell was the 2nd highest tag?).

        Also, there is no need not to handle int on the fast path.
        stricteq is just a case of comparing the payloads, if we:
            * handle cases of differing tags on a slow path
            * handle doubles a slow path
            * handle both-are-string on a slow path

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):

2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Make JSCell::toBoolean non-virtual
        https://bugs.webkit.org/show_bug.cgi?id=67727

        Reviewed by Sam Weinig.

        JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
        before it was simply virtual and would crash if its implementation was called). 
        Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
        explicitly covers all cases of toBoolean, so having a virtual implementation of 
        JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        (JSC::JSCell::toBoolean):
        (JSC::JSValue::toBoolean):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:

2011-09-14  Alexis Menard  <alexis.menard@openbossa.org>

        [Qt] Replace QT_GCC_X as they don't exist in Qt5 anymore.
        https://bugs.webkit.org/show_bug.cgi?id=68114

        Reviewed by Kenneth Rohde Christiansen.

        Use the new GCC_X variables defined in WebKit.pri to replace
        the usage of QT_GCC_X.

        * JavaScriptCore.pro:

2011-09-14  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95145.
        http://trac.webkit.org/changeset/95145
        https://bugs.webkit.org/show_bug.cgi?id=68139

        The GTK+ build is working now, so revert this trial build fix.
        (Requested by mrobinson on #webkit).

        * GNUmakefile.list.am:

2011-09-14  Patrick Gansterer  <paroga@webkit.org>

        Port MachineStackMarker to Windows ARM and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=68068

        Reviewed by Geoffrey Garen.

        Use the correct memeber of the CONTEXT struct for the stackpointer for CPU(ARM) and CPU(MIPS).
        Only query CONTEXT_INTEGER and CONTEXT_CONTROL, since CONTEXT_SEGMENTS isn't defined for
        CPU(ARM) and CPU(MIPS) and the stackpointer is defined in the CONTEXT_CONTROL section for
        CPU(ARM), CPU(X86) and CPU(X86_64) and in the CONTEXT_INTEGER section for CPU(MIPS).

        * heap/MachineStackMarker.cpp:
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):

2011-09-12  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT always speculates that ValueAdd is a numeric addition
        https://bugs.webkit.org/show_bug.cgi?id=67956

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Stop building BinarySemaphore to see if that's what's breaking the GTK+ build.

        * GNUmakefile.list.am:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        This is getting old. Yet another build fix attempt.

        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Yet another build fix attempt.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        How I &quot;love&quot; Visual Studio...

        Try to fix build again.

        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Try to fix Windows build.

        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Add BinarySemaphore class from WebKit2 to WTF
        https://bugs.webkit.org/show_bug.cgi?id=68132

        Reviewed by Sam Weinig.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        Update build systems.

        * wtf/threads: Added.
        * wtf/threads/BinarySemaphore.cpp: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.cpp.
        * wtf/threads/BinarySemaphore.h: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.h.
        * wtf/threads/win: Added.
        * wtf/threads/win/BinarySemaphoreWin.cpp: Copied from Source/WebKit2/Platform/CoreIPC/win/BinarySemaphoreWin.cpp.

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for Interpreter.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Add wtf/threads and wtf/threads/win, so we can be sure that the EWS
        bots can correctly build the patch in https://bugs.webkit.org/show_bug.cgi?id=68132

        Rubber-stamped by Sam Weinig.

        * wtf/threads: Added.
        * wtf/threads/win: Added.

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should not speculate integer if the value is always going to be
        used as a double anyway
        https://bugs.webkit.org/show_bug.cgi?id=68127

        Reviewed by Oliver Hunt.
        
        Added a ValueToDouble node, which is a variant of ValueToNumber that
        hints that it will only be used as a double and never as an integer.
        Thus, it turns off integer speculation even if the value profiler
        told us that the value source is an int. The logic for converting a
        ValueToNumber into a ValueToDouble is found in Propagator.
        
        This appears to be a 22% speed-up in imaging-darkroom.

        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::toDouble):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::fixup):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Tiered compilation heuristics do not account for value profile fullness
        https://bugs.webkit.org/show_bug.cgi?id=68116

        Reviewed by Oliver Hunt.
        
        Tiered compilation avoids invoking the DFG JIT if it finds that value
        profiles contain insufficient information. Instead, it produces a
        prediction from the current value profile, and then clears the value
        profile. This allows the value profile to heat up from scratch for
        some number of additional executions. The new profiles will then be
        merged with the previous prediction. Once the amount of information
        in predictions is enough according to heuristics in CodeBlock.cpp,
        DFG optimization is allowed to proceed.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::visitWeakReferences):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        * bytecode/ValueProfile.cpp: Added.
        (JSC::ValueProfile::computeStatistics):
        (JSC::ValueProfile::computeUpdatedPrediction):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::classInfo):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::totalNumberOfSamples):
        (JSC::ValueProfile::isLive):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfBooleans):
        (JSC::ValueProfile::dump):
        (JSC::getValueProfileBytecodeOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG should not speculate that the child of LogicalNot is a boolean if
        predictions tell us otherwise
        https://bugs.webkit.org/show_bug.cgi?id=68118

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix.  Turn off tiered compilation.

        * wtf/Platform.h:

2011-09-13  Filip Pizlo  <fpizlo@apple.com>

        Prediction tracking is not precise enough
        https://bugs.webkit.org/show_bug.cgi?id=67993

        Reviewed by Oliver Hunt.
        
        Added a richer set of type predictions, including JSFinalObject, JSString,
        object that is not a JSFinalObject or JSArray (ObjectOther), some object
        but we don't or care know what kind (SomeObject), definitely an object,
        cell that is not an object or JSString, an value that is none of the above
        (so either Undefined or Null). Made the propagator and value profiler work
        with the new types.
        
        Performance is neutral, because the DFG JIT does not take advantage of this
        new knowledge yet.
        
        In the process of writing predictionToString() (which is now considerably
        more complex) I decided to finally add a BoundsCheckedPointer, which
        should come in handy in other places, like at least the OSR scratch buffer
        and the CompactJITCodeMap. It's great for cases where you want to
        do pointer arithmetic, you want to have assertions about the
        pointer not going out of bounds, but you don't want to write those
        assertions yourself.
        
        This also required refactoring inherits(), since the ValueProfiler may
        want to do the equivalent of inherits() but given two ClassInfo's.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PredictedType.cpp: Added.
        (JSC::predictionToString):
        (JSC::makePrediction):
        (JSC::predictionFromValue):
        * bytecode/PredictedType.h:
        (JSC::isCellPrediction):
        (JSC::isObjectPrediction):
        (JSC::isFinalObjectPrediction):
        (JSC::isStringPrediction):
        (JSC::mergePredictions):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::numberOfObjects):
        (JSC::ValueProfile::numberOfFinalObjects):
        (JSC::ValueProfile::numberOfStrings):
        (JSC::ValueProfile::probabilityOfObject):
        (JSC::ValueProfile::probabilityOfFinalObject):
        (JSC::ValueProfile::probabilityOfString):
        (JSC::ValueProfile::dump):
        (JSC::ValueProfile::Statistics::Statistics):
        (JSC::ValueProfile::computeStatistics):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::isSubClassOf):
        * runtime/JSObject.h:
        (JSC::JSCell::inherits):
        * wtf/BoundsCheckedPointer.h: Added.
        (WTF::BoundsCheckedPointer::BoundsCheckedPointer):
        (WTF::BoundsCheckedPointer::operator=):
        (WTF::BoundsCheckedPointer::operator+=):
        (WTF::BoundsCheckedPointer::operator-=):
        (WTF::BoundsCheckedPointer::operator+):
        (WTF::BoundsCheckedPointer::operator-):
        (WTF::BoundsCheckedPointer::operator++):
        (WTF::BoundsCheckedPointer::operator--):
        (WTF::BoundsCheckedPointer::operator<):
        (WTF::BoundsCheckedPointer::operator<=):
        (WTF::BoundsCheckedPointer::operator>):
        (WTF::BoundsCheckedPointer::operator>=):
        (WTF::BoundsCheckedPointer::operator==):
        (WTF::BoundsCheckedPointer::operator!=):
        (WTF::BoundsCheckedPointer::operator!):
        (WTF::BoundsCheckedPointer::get):
        (WTF::BoundsCheckedPointer::operator*):
        (WTF::BoundsCheckedPointer::operator[]):
        (WTF::BoundsCheckedPointer::strcat):
        (WTF::BoundsCheckedPointer::validate):
        * wtf/CMakeLists.txt:

2011-09-14  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt] Win32 builds with threads turned off
        https://bugs.webkit.org/show_bug.cgi?id=67864

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.pri: Link pthread library on Windows platform.
        * wtf/Platform.h: Enable multiple threads.

2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (6/7)
        https://bugs.webkit.org/show_bug.cgi?id=67692

        Reviewed by Geoffrey Garen.

        Completed the sixth level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        This primarily consists of pushing the calls to finishCreation() down 
        into the constructors of the subclasses of the fifth level of the hierarchy 
        as well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one.  Doing both simultaneously allows us to 
        maintain the invariant that the finishCreation() method chain is called exactly 
        once during the creation of an object, since calling it any other number of 
        times (0, 2, or more) will cause an assertion failure.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::create):
        * jsc.cpp:
        (GlobalObject::create):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        (JSC::StrictModeTypeErrorFunction::create):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):

2011-09-13  Eric Seidel  <eric@webkit.org>

        Remove ENABLE_SVG_USE as <use> is required by HTML5
        https://bugs.webkit.org/show_bug.cgi?id=68019

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2011-09-14  Iain Merrick  <husky@google.com>

        HashTraits.h should include template specialization for WTF::String
        https://bugs.webkit.org/show_bug.cgi?id=67851

        Ensure that the template specialization for HashTraits<String> is always
        picked up. (Previously it was possible to include HashSet and String but
        not the correct HashTraits, so you would get an inefficient template
        instantiation.)

        Reviewed by Darin Adler.

        * wtf/HashTraits.h:
        * wtf/text/StringHash.h:

2011-09-13  Filip Pizlo  <fpizlo@apple.com>

        SpeculativeJIT::shouldSpeculateInteger(NodeIndex, NodeIndex) should
        return false if either node can be double
        https://bugs.webkit.org/show_bug.cgi?id=67985

        Reviewed by Geoffrey Garen.
        
        This is a 17% speed-up on 3d-cube.
        
        This required allowing us to check if a constant is double but not
        integer, and making the shouldSpeculateInteger() check test for
        any hints of doubly-ness in its operands. This also required
        changing some terminology: previously "isDouble" often meant
        "isDouble or isInt32".  Now "isDouble" means exactly what the name
        suggests, and "isNumber" means "isDouble or isInt32".

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toNumber):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::isJSFormat):
        (JSC::DFG::isJSInteger):
        (JSC::DFG::isJSDouble):
        (JSC::DFG::isJSCell):
        (JSC::DFG::isJSBoolean):
        (JSC::DFG::GenerationInfo::isJSFormat):
        (JSC::DFG::GenerationInfo::isJSInteger):
        (JSC::DFG::GenerationInfo::isJSDouble):
        (JSC::DFG::GenerationInfo::isJSCell):
        (JSC::DFG::GenerationInfo::isJSBoolean):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isNumberConstant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::isKnownCell):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::isNumberConstant):
        (JSC::DFG::JITCodeGenerator::valueOfNumberConstant):
        (JSC::DFG::JITCodeGenerator::initConstantInfo):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillToJS):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isNumberConstant):
        (JSC::DFG::JITCompiler::valueOfNumberConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::isNumberConstant):
        (JSC::DFG::Node::valueOfNumberConstant):
        (JSC::DFG::Node::hasNumberResult):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):

2011-09-13  Anders Carlsson  <andersca@apple.com>

        Disable C++ exceptions when building with clang
        https://bugs.webkit.org/show_bug.cgi?id=68031
        <rdar://problem/9556880>

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig:

2011-09-13  Eric Seidel  <eric@webkit.org>

        Remove ENABLE_SVG_FOREIGN_OBJECT as it is a required part of HTML5
        https://bugs.webkit.org/show_bug.cgi?id=68018

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2011-09-13  Sam Weinig  <sam@webkit.org>

        Object.getPrototypeOf should use JSValue::get()
        https://bugs.webkit.org/show_bug.cgi?id=67973

        Reviewed by Darin Adler.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
        Pipe through JSValue::get() to allow overrides.

2011-09-12  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore does not have baseline->speculative OSR
        https://bugs.webkit.org/show_bug.cgi?id=67920

        Reviewed by Oliver Hunt.
        
        This adds the ability to on-stack-replace (OSR) from code that is
        running hot in the old JIT to code compiled by the new JIT.  This
        ensures that long-running loops benefit from DFG optimization.
        It also ensures that if code experiences a speculation failure
        in DFG code, it has an opportunity to reenter the DFG once every
        1,000 loop iterations or so.
        
        This results in a 2.88x speed-up on Kraken/imaging-desaturate,
        and is a pure win on the main three benchmark suites (SunSpider,
        V8, Kraken), when tiered compilation is enabled.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::compileOptimized):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        * bytecode/PredictedType.h: Added.
        (JSC::isCellPrediction):
        (JSC::isArrayPrediction):
        (JSC::isInt32Prediction):
        (JSC::isDoublePrediction):
        (JSC::isNumberPrediction):
        (JSC::isBooleanPrediction):
        (JSC::isStrongPrediction):
        (JSC::predictionToString):
        (JSC::mergePredictions):
        (JSC::mergePrediction):
        (JSC::makePrediction):
        * bytecode/PredictionTracker.h: Added.
        (JSC::operandIsArgument):
        (JSC::PredictionSlot::PredictionSlot):
        (JSC::PredictionTracker::PredictionTracker):
        (JSC::PredictionTracker::initializeSimilarTo):
        (JSC::PredictionTracker::copyLocalsFrom):
        (JSC::PredictionTracker::numberOfArguments):
        (JSC::PredictionTracker::numberOfVariables):
        (JSC::PredictionTracker::argumentOffsetForOperand):
        (JSC::PredictionTracker::predictArgument):
        (JSC::PredictionTracker::predict):
        (JSC::PredictionTracker::predictGlobalVar):
        (JSC::PredictionTracker::getArgumentPrediction):
        (JSC::PredictionTracker::getPrediction):
        (JSC::PredictionTracker::getGlobalVarPrediction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoopHint):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.cpp: Added.
        (JSC::DFG::predictionIsValid):
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h: Added.
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGPredictionTracker.h: Removed.
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::mergeUse):
        (JSC::DFG::Propagator::mergePrediction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CompactJITCodeMap.h:
        (JSC::CompactJITCodeMap::numberOfEntries):
        (JSC::CompactJITCodeMap::decode):
        (JSC::CompactJITCodeMap::Decoder::Decoder):
        (JSC::CompactJITCodeMap::Decoder::numberOfEntriesRemaining):
        (JSC::CompactJITCodeMap::Decoder::read):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        (JSC::JIT::emitTimeoutCheck):
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_hint):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-09-12  Sam Weinig  <sam@webkit.org>

        Don't allow setting __proto__ to be a getter or setter
        https://bugs.webkit.org/show_bug.cgi?id=67982

        Reviewed by Gavin Barraclough.

        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        Disallow setting a getter or setter on __proto__.

2011-09-12  James Robinson  <jamesr@chromium.org>

        Unreviewed build fix for chromium.

        Guard access to UString::latin1() with USE(JSC) since it is defined in JavaScriptCore/runtime/UString.cpp, which
        is currently only compiled in by ports that use JavaScriptCore.  This code is currently unreachable in builds so
        no change in functionality.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::CharAccess::CharAccess):

2011-09-09  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore does not have speculative->baseline OSR
        https://bugs.webkit.org/show_bug.cgi?id=67826

        Reviewed by Oliver Hunt.
        
        This adds the ability to bail out of DFG speculative JIT execution by
        performing an on-stack replacement (OSR) that results in the control
        flow going to the equivalent code generated by the old JIT.
        
        This required a number of new features, as well as taking advantage of
        some features that happened to already be present:
        
        We already had a policy of storing the bytecode index for which a DFG
        node was generated inside the DFG::Node class. This was previously
        called exceptionInfo. It's now renamed to codeOrigin to reflect that
        it's used for more than just excpetions. OSR uses this to figure out
        which bytecode index to use to look up the machine code location in
        the code generated by the old JIT that we should be jumping to.
        
        CodeBlock now stores a mapping between bytecode indices and machine
        code offsets for code generated by the old JIT. This is implemented
        by CompactJITCodeMap, which tries to compress this data a bit.  The
        OSR compiler decodes this and uses it to find the machine code
        locations it should be jumping to.
        
        We already had a mechanism that emitted SetLocal nodes in the DFG graph
        that told us the time at which the old JIT would have stored something
        into its register file, and the DFG::Node that corresponds to the value
        that it would have stored. These SetLocal's were mostly dead-code-
        eliminated, but our DCE leaves the nodes intact except for making them
        have 0 as the ref count. This allows the OSR compiler to construct a
        mapping between the state as it would have been seen by the old JIT
        and the state as the DFG JIT sees it. The OSR compiler uses this to
        generate code that reshapes the call frame so that it is like what the
        old JIT would expect.
        
        Finally, when DFG_OSR is enabled (the default for TIERED_COMPILATION)
        we no longer emit the non-speculative path.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::addToGraph):
        * dfg/DFGGPRInfo.h:
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::alive):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::appendCallWithExceptionCheck):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallRecord::CallRecord):
        (JSC::DFG::JITCompiler::notifyCall):
        (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
        (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::CodeOrigin::CodeOrigin):
        (JSC::DFG::CodeOrigin::isSet):
        (JSC::DFG::CodeOrigin::bytecodeIndex):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1Unchecked):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::nodeIndex):
        (JSC::DFG::ValueRecovery::ValueRecovery):
        (JSC::DFG::ValueRecovery::alreadyInRegisterFile):
        (JSC::DFG::ValueRecovery::inGPR):
        (JSC::DFG::ValueRecovery::inFPR):
        (JSC::DFG::ValueRecovery::displacedInRegisterFile):
        (JSC::DFG::ValueRecovery::constant):
        (JSC::DFG::ValueRecovery::technique):
        (JSC::DFG::ValueRecovery::gpr):
        (JSC::DFG::ValueRecovery::fpr):
        (JSC::DFG::ValueRecovery::virtualRegister):
        (JSC::DFG::OSRExit::numberOfRecoveries):
        (JSC::DFG::OSRExit::valueRecovery):
        (JSC::DFG::OSRExit::isArgument):
        (JSC::DFG::OSRExit::argumentForIndex):
        (JSC::DFG::OSRExit::variableForIndex):
        (JSC::DFG::OSRExit::operandForIndex):
        (JSC::DFG::SpeculativeJIT::osrExits):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::valueSourceForOperand):
        (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
        (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculationCheckIndexIterator::SpeculationCheckIndexIterator):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * jit/CompactJITCodeMap.h: Added.
        (JSC::BytecodeAndMachineOffset::BytecodeAndMachineOffset):
        (JSC::BytecodeAndMachineOffset::getBytecodeIndex):
        (JSC::BytecodeAndMachineOffset::getMachineCodeOffset):
        (JSC::CompactJITCodeMap::~CompactJITCodeMap):
        (JSC::CompactJITCodeMap::decode):
        (JSC::CompactJITCodeMap::CompactJITCodeMap):
        (JSC::CompactJITCodeMap::at):
        (JSC::CompactJITCodeMap::decodeNumber):
        (JSC::CompactJITCodeMap::Encoder::Encoder):
        (JSC::CompactJITCodeMap::Encoder::~Encoder):
        (JSC::CompactJITCodeMap::Encoder::append):
        (JSC::CompactJITCodeMap::Encoder::finish):
        (JSC::CompactJITCodeMap::Encoder::appendByte):
        (JSC::CompactJITCodeMap::Encoder::encodeNumber):
        (JSC::CompactJITCodeMap::Encoder::ensureCapacityFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::osrScratchBufferForSize):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):

2011-09-12  Geoffrey Garen  <ggaren@apple.com>

        Re-enabled ENABLE(LAZY_BLOCK_FREEING).
        
        Reviewed by Stephanie Lewis.

        I accidentally disabled this in r94890, causing a big performance regression.

        * wtf/Platform.h:

2011-09-12  Michael Saboff  <msaboff@apple.com>

        Broken Build for ARM - lshift32() needs TrustedImm32 arg
        https://bugs.webkit.org/show_bug.cgi?id=67965

        Change lshift32(16, ARMRegisters::S1); to lshift32(TrustedImm32(16), ARMRegisters::S1);

        Reviewed by Anders Carlsson.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch16):

2011-09-12  Michael Saboff  <msaboff@apple.com>

        Broken ARM build - missing semicolon in JavaScriptCore/assembler/MacroAssemblerARM.h
        https://bugs.webkit.org/show_bug.cgi?id=67961

        Added missing semicolon.

        Reviewed by Ryosuke Niwa.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch16):

2011-09-12  Michael Saboff  <msaboff@apple.com>

        Update RegExp and related classes to use 8 bit strings when available
        https://bugs.webkit.org/show_bug.cgi?id=67337

        Modified both the Yarr interpreter and JIT to handle 8 bit subject strings.
        The code paths are triggered by the UString::is8bit() method which currently
        returns false.  Implemented JIT changes for all current architectures.
        Tested X86_64 and ARM v7.

        This includes some code that will likely change as we complete the
        8 bit string changes.  This includes the way the raw buffer pointers
        are accessed as well as replacing the CharAccess class with a
        string interator returned from UString.

        Fixed build breakage in testRegExp.cpp due to globalObject construction
        changes.

        Reviewed by Gavin Barraclough.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * testRegExp.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::GlobalObject):
        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::baseIndexTransfer32):
        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ubfx):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg40Imm3Reg4Imm20Imm5):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branch16):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::branch16):
        (JSC::MacroAssemblerARMv7::branch8):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::branch8):
        (JSC::MacroAssemblerMIPS::branch16):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::branch8):
        (JSC::MacroAssemblerSH4::branch16):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8):
        (JSC::MacroAssemblerX86Common::branch16):
        (JSC::MacroAssemblerX86Common::branch8):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::extub):
        (JSC::SH4Assembler::printInstr):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpw_ir):
        (JSC::X86Assembler::movzbl_mr):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::match):
        (JSC::RegExp::matchCompareWithInterpreter):
        * runtime/RegExp.h:
        * runtime/UString.h:
        (JSC::UString::is8Bit):
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::CharAccess::CharAccess):
        (JSC::Yarr::Interpreter::CharAccess::~CharAccess):
        (JSC::Yarr::Interpreter::CharAccess::operator[]):
        (JSC::Yarr::Interpreter::InputStream::InputStream):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::interpret):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::readCharacter):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        (JSC::Yarr::execute):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::has8BitCode):
        (JSC::Yarr::YarrCodeBlock::has16BitCode):
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):

2011-09-12  Andras Becsi  <andras.becsi@nokia.com>

        [Qt] Build fails after r94920 with strict compiler
        https://bugs.webkit.org/show_bug.cgi?id=67928

        Reviewed by Csaba Osztrogonác.

        * wtf/RedBlackTree.h:
        (WTF::RedBlackTree::insert): Remove dead variables updateStart and newSubTreeRoot.

2011-09-12  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed build fix after r94871.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * wtf/FastMalloc.cpp:
        * wtf/RefCountedLeakCounter.h:

2011-09-11  Filip Pizlo  <fpizlo@apple.com>

        DFGNode.h has macros that indicate the enabling of a feature, but
        they do not use the ENABLE() idiom.
        https://bugs.webkit.org/show_bug.cgi?id=67907

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::propagateForward):
        (JSC::DFG::Propagator::propagateBackward):
        (JSC::DFG::propagate):
        * dfg/DFGScoreBoard.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-09-11  Fumitoshi Ukai  <ukai@chromium.org>

        Unreviewed build fix for chromium/mac & clang.

        Fix the macro redefinition error by r94927, because chromium set
        ENABLE_JSC_MULTIPLE_THREADS=0 in WebKit/chromium/features.gypi and
        it is not PLATFORM(QT).
         ../../JavaScriptCore/wtf/Platform.h:512:9: error: 'ENABLE_JSC_MULTIPLE_THREADS' macro redefined [-Werror]
         #define ENABLE_JSC_MULTIPLE_THREADS 1
         <command line>:43:9: note: previous definition is here
         #define ENABLE_JSC_MULTIPLE_THREADS 0
         1 error generated.

        * wtf/Platform.h:

2011-09-11  Sam Weinig  <sam@webkit.org>

        Remove JSCell::isPropertyNameIterator(), it is unused
        https://bugs.webkit.org/show_bug.cgi?id=67911

        Reviewed by Oliver Hunt.

        * runtime/JSCell.h:
        * runtime/JSPropertyNameIterator.h:

2011-09-11  Sam Weinig  <sam@webkit.org>

        De-virtualize JSCell::isAPIValueWrapper
        https://bugs.webkit.org/show_bug.cgi?id=67909

        Reviewed by Oliver Hunt.

        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        Set the correct type on structure creation.

        * runtime/JSCell.h:
        Remove virtual keyword and default implementation.

        * runtime/JSType.h:
        Add type for APIValueWrapper. It must come after CompoundType since
        the APIValueWrapper has children in need of marking.

        * runtime/Structure.h:
        (JSC::JSCell::isAPIValueWrapper):
        Implement predicate using type info.

2011-09-10  Sam Weinig  <sam@webkit.org>

        De-virtualize JSCell::isGetterSetter, type information is available for it
        https://bugs.webkit.org/show_bug.cgi?id=67902

        Reviewed by Dan Bernstein.

        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        Remove override of isGetterSetter.

        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        De-virtualize and remove silly base implementation.

        * runtime/Structure.h:
        (JSC::JSCell::isGetterSetter):
        Use type info to determine getter-setter-hood.

2011-09-09  Oliver Hunt  <oliver@apple.com>

        Remove support for anonymous storage from jsobjects
        https://bugs.webkit.org/show_bug.cgi?id=67881

        Reviewed by Sam Weinig.

        Remove all use of anonymous slots, essentially a mechanical change
        in JavaScriptCore

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * heap/MarkStack.cpp:
        (JSC::MarkStack::validateValue):
        * heap/MarkStack.h:
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::createStructure):
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::createStructure):
        * runtime/JSCell.h:
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.h:
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::createStructure):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::createStructure):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::createStructure):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::createStructure):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::getterSetterTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::get):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::checkConsistency):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::propertyStorageSize):
        (JSC::Structure::get):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):

2011-09-11  Jarred Nicholls  <jarred@sencha.com>

        [Qt] Win32 build broken due to MachineStackMarker.cpp/.o failing to link against pthreads library
        https://bugs.webkit.org/show_bug.cgi?id=67864
        
        Qt Win32 is not pthread compatible and cannot participate in multithreaded JSC or it fails to build.

        Reviewed by Csaba Osztrogonác.

        * wtf/Platform.h:

2011-09-11  Filip Pizlo  <fpizlo@apple.com>

        ARM and MIPS assemblers still refer to executable pools.
        https://bugs.webkit.org/show_bug.cgi?id=67903

        Reviewed by Csaba Osztrogonác.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):

2011-09-08  Filip Pizlo  <fpizlo@apple.com>

        The executable allocator makes it difficult to free individual
        chunks of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=66363

        Reviewed by Oliver Hunt.
        
        Introduced a best-fit, balanced-tree based allocator. The allocator
        required a balanced tree that does not allocate memory and that
        permits the removal of individual nodes directly (as opposed to by
        key); neither AVLTree nor WebCore's PODRedBlackTree supported this.
        Changed all references to executable code to use a reference counted
        handle.

        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::finalizeCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
        (JSC::MacroAssemblerCodeRef::executableMemory):
        (JSC::MacroAssemblerCodeRef::code):
        (JSC::MacroAssemblerCodeRef::size):
        (JSC::MacroAssemblerCodeRef::operator!):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * bytecode/CodeBlock.h:
        * bytecode/Instruction.h:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::isValid):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compileCTIMachineTrampolines):
        (JSC::JIT::compileCTINativeCall):
        * jit/JITCode.h:
        (JSC::JITCode::operator !):
        (JSC::JITCode::addressForCall):
        (JSC::JITCode::offsetOf):
        (JSC::JITCode::execute):
        (JSC::JITCode::start):
        (JSC::JITCode::size):
        (JSC::JITCode::getExecutableMemory):
        (JSC::JITCode::HostFunction):
        (JSC::JITCode::JITCode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::getPolymorphicAccessStructureListSlot):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::dumpSampleData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::getCTIStub):
        * wtf/CMakeLists.txt:
        * wtf/MetaAllocator.cpp: Added.
        (WTF::MetaAllocatorHandle::MetaAllocatorHandle):
        (WTF::MetaAllocatorHandle::~MetaAllocatorHandle):
        (WTF::MetaAllocatorHandle::shrink):
        (WTF::MetaAllocator::MetaAllocator):
        (WTF::MetaAllocator::allocate):
        (WTF::MetaAllocator::currentStatistics):
        (WTF::MetaAllocator::findAndRemoveFreeSpace):
        (WTF::MetaAllocator::addFreeSpaceFromReleasedHandle):
        (WTF::MetaAllocator::addFreshFreeSpace):
        (WTF::MetaAllocator::debugFreeSpaceSize):
        (WTF::MetaAllocator::addFreeSpace):
        (WTF::MetaAllocator::incrementPageOccupancy):
        (WTF::MetaAllocator::decrementPageOccupancy):
        (WTF::MetaAllocator::roundUp):
        (WTF::MetaAllocator::allocFreeSpaceNode):
        (WTF::MetaAllocator::freeFreeSpaceNode):
        (WTF::MetaAllocator::dumpProfile):
        * wtf/MetaAllocator.h: Added.
        (WTF::MetaAllocator::bytesAllocated):
        (WTF::MetaAllocator::bytesReserved):
        (WTF::MetaAllocator::bytesCommitted):
        (WTF::MetaAllocator::dumpProfile):
        (WTF::MetaAllocator::~MetaAllocator):
        * wtf/MetaAllocatorHandle.h: Added.
        * wtf/RedBlackTree.h: Added.
        (WTF::RedBlackTree::Node::Node):
        (WTF::RedBlackTree::Node::successor):
        (WTF::RedBlackTree::Node::predecessor):
        (WTF::RedBlackTree::Node::reset):
        (WTF::RedBlackTree::Node::parent):
        (WTF::RedBlackTree::Node::setParent):
        (WTF::RedBlackTree::Node::left):
        (WTF::RedBlackTree::Node::setLeft):
        (WTF::RedBlackTree::Node::right):
        (WTF::RedBlackTree::Node::setRight):
        (WTF::RedBlackTree::Node::color):
        (WTF::RedBlackTree::Node::setColor):
        (WTF::RedBlackTree::RedBlackTree):
        (WTF::RedBlackTree::insert):
        (WTF::RedBlackTree::remove):
        (WTF::RedBlackTree::findExact):
        (WTF::RedBlackTree::findLeastGreaterThanOrEqual):
        (WTF::RedBlackTree::findGreatestLessThanOrEqual):
        (WTF::RedBlackTree::first):
        (WTF::RedBlackTree::last):
        (WTF::RedBlackTree::size):
        (WTF::RedBlackTree::isEmpty):
        (WTF::RedBlackTree::treeMinimum):
        (WTF::RedBlackTree::treeMaximum):
        (WTF::RedBlackTree::treeInsert):
        (WTF::RedBlackTree::leftRotate):
        (WTF::RedBlackTree::rightRotate):
        (WTF::RedBlackTree::removeFixup):
        * wtf/wtf.pri:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        (JSC::Yarr::YarrCodeBlock::getAddr):

2011-09-10  Sam Weinig  <sam@webkit.org>

        Remove JSC::isZombie() function, it did nothing and was called by no-one.
        https://bugs.webkit.org/show_bug.cgi?id=67901

        Reviewed by Andy Estes.

        * JavaScriptCore.exp:
        * runtime/JSCell.cpp:
        * runtime/JSValue.h:

2011-09-10  Sam Weinig  <sam@webkit.org>

        Add isInterruptedExecutionException and isTerminatedExecutionException predicates
        https://bugs.webkit.org/show_bug.cgi?id=67892

        Reviewed by Andy "First Time Reviewer" Estes.

        * JavaScriptCore.exp:
        Add symbols.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        Use new predicates.

        * runtime/ExceptionHelpers.cpp:
        (JSC::createInterruptedExecutionException):
        (JSC::isInterruptedExecutionException):
        (JSC::createTerminatedExecutionException):
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        Add predicates.

2011-09-10  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT completely undoes speculative compilation even in the case of
        a partial static speculation failure
        https://bugs.webkit.org/show_bug.cgi?id=67798

        Reviewed by Geoffrey Garen.
        
        This is a regression with static speculation, so it is turned off by
        default.  But it is a necessary prerequisite for further work on
        dynamic speculation.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::clearGenerationInfo):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):

2011-09-09  Chris Marrin  <cmarrin@apple.com>

        requestAnimationFrame doesn't throttle on Mac
        https://bugs.webkit.org/show_bug.cgi?id=67171

        Reviewed by Simon Fraser.

        Added WTF_USE_REQUEST_ANIMATION_FRAME_TIMER to allow any platform to run
        requestAnimationFrame callbacks on a Timer defined in ScriptedAnimationController.
        Currently only enabled for PLATFORM(MAC)

        * wtf/Platform.h:

2011-09-09  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Dan Bernstein.

        Removed ENABLE(SINGLE_THREADED) support, since it is always false
        https://bugs.webkit.org/show_bug.cgi?id=67862

        Next step toward making the baseline platform assumption that threads exist.

        * wtf/wtf.pri:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Removed references to
        ThreadingNone.cpp, which was only compiled in single-threaded mode.

        * wtf/Platform.h:
        * wtf/ThreadSpecific.h:
        (WTF::::destroy):
        * wtf/qt/ThreadingQt.cpp: Removed now-dead code.

        * wtf/ThreadingNone.cpp: Removed.

2011-09-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (5/7)
        https://bugs.webkit.org/show_bug.cgi?id=67420

        Reviewed by Geoffrey Garen.

        Completed the fifth level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        This primarily consists of pushing the calls to finishCreation() down 
        into the constructors of the subclasses of the second level of the hierarchy 
        as well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one.  Doing both simultaneously allows us to 
        maintain the invariant that the finishCreation() method chain is called exactly 
        once during the creation of an object, since calling it any other number of 
        times (0, 2, or more) will cause an assertion failure.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        (JSC::BooleanPrototype::finishCreation):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::finishCreation):
        * runtime/DateConstructor.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        (JSC::DatePrototype::finishCreation):
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorConstructor.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        (JSC::FunctionPrototype::finishCreation):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        (JSC::ObjectConstructor::finishCreation):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::finishCreation):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        (JSC::StringPrototype::finishCreation):
        * runtime/StringPrototype.h:

2011-09-09  Geoffrey Garen  <ggaren@apple.com>

        Build fix: Guard against double-#define for something already #defined
        by the build system.

        * wtf/Platform.h:

2011-09-09  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Dan Bernstein.

        Never #define ENABLE_SINGLE_THREADED, !ENABLE_JSC_MULTIPLE_THREADS, or
        !ENABLE_WTF_MULTIPLE_THREADS
        https://bugs.webkit.org/show_bug.cgi?id=67860

        First step toward making the baseline platform assumption that threads
        exist: Never #define ENABLE_SINGLE_THREADED, !ENABLE_JSC_MULTIPLE_THREADS,
        or !ENABLE_WTF_MULTIPLE_THREADS.

        * wtf/Platform.h:

2011-09-09  Laszlo Gombos  <laszlo.1.gombos@nokia.com>

        [Qt] Remove common.pri
        https://bugs.webkit.org/show_bug.cgi?id=67814

        Reviewed by Andreas Kling.

        * JavaScriptCore.pri:

2011-09-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION(r94811): Assertion failure in 2 worker tests
        https://bugs.webkit.org/show_bug.cgi?id=67829

        Reviewed by Sam Weinig.

        Fixing a couple tests that were broken due to the wrong values being 
        set in the parent class pointers in the ClassInfo structs for 
        TerminatedExecutionError and InterruptedExecutionError.

        * runtime/ExceptionHelpers.cpp:

2011-09-08  Oliver Hunt  <oliver@apple.com>

        Use bump allocator for initial property storage
        https://bugs.webkit.org/show_bug.cgi?id=67494

        Reviewed by Geoffrey Garen.

        Use a bump allocator for initial allocation of property storage,
        and promote to fastMalloc memory only if it survives a GC pass.

        Comes out as a 1% win on v8, and is a useful step on the way to
        GC allocation of all property storage.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::allocatePropertyStorage):
        (JSC::Heap::inPropertyStorageNursery):
        * heap/MarkedBlock.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        (JSC::NewSpace::resetPropertyStorageNursery):
        (JSC::NewSpace::allocatePropertyStorage):
        (JSC::NewSpace::inPropertyStorageNursery):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::isUsingInlineStorage):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::propertyStorage):
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectFunctionWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect):
        * runtime/StorageBarrier.h: Added.
        (JSC::StorageBarrier::StorageBarrier):
        (JSC::StorageBarrier::set):
        (JSC::StorageBarrier::operator->):
        (JSC::StorageBarrier::operator*):
        (JSC::StorageBarrier::operator[]):
        (JSC::StorageBarrier::get):

2011-09-08  Sam Weinig  <sam@webkit.org>

        Remove the Completion object from JSC, I have never liked it
        https://bugs.webkit.org/show_bug.cgi?id=67755

        Reviewed by Gavin Barraclough.

        - Removes the Completion object and replaces its use with out parameter exceptions.
        - Remove ComplType and virtual exceptionType() function on JSObject. Replace with
          ClassInfo for InterruptedExecutionError and TerminatedExecutionError.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * jsc.cpp:
        (functionLoad):
        (functionCheckSyntax):
        (runWithScripts):
        (runInteractive):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Completion.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::toString):
        (JSC::TerminatedExecutionError::toString):
        (JSC::createInterruptedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::InterruptedExecutionError::create):
        (JSC::InterruptedExecutionError::createStructure):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        (JSC::TerminatedExecutionError::create):
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSObject.h:

2011-09-08  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix.

        * dfg/DFGCapabilities.cpp:

2011-09-08  Filip Pizlo  <fpizlo@apple.com>

        Value profling and execution count profiling is performed even for
        code that cannot be optimized
        https://bugs.webkit.org/show_bug.cgi?id=67694

        Reviewed by Gavin Barraclough.
        
        This is a 2% speed-up on V8 when tiered compilation is enabled.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::ProgramCodeBlock::canCompileWithDFG):
        (JSC::EvalCodeBlock::canCompileWithDFG):
        (JSC::FunctionCodeBlock::canCompileWithDFG):
        * bytecode/CodeBlock.h:
        * dfg/DFGCapabilities.cpp: Added.
        (JSC::DFG::canCompileOpcodes):
        * dfg/DFGCapabilities.h: Added.
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canCompileEval):
        (JSC::DFG::canCompileProgram):
        (JSC::DFG::canCompileFunctionForCall):
        (JSC::DFG::canCompileFunctionForConstruct):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::shouldEmitProfiling):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):

2011-09-08  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT does not initialize integer tags for PredictInt32 temporaries
        https://bugs.webkit.org/show_bug.cgi?id=67840

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):

2011-09-08  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        https://bugs.webkit.org/show_bug.cgi?id=67771

        Fix sequenceGetByIdSlowCaseInstructionSpace, sequenceGetByIdSlowCaseConstantSpace
        and patchOffsetGetByIdSlowCaseCall
        and enables DOUBLE_CONVERSION_CORRECT_DOUBLE_OPERATIONS flag for SH4 platforms.

        Reviewed by Gavin Barraclough.

        * jit/JIT.h:
        * wtf/dtoa/utils.h:

2011-09-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove getUInt32 from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67691

        Reviewed by Oliver Hunt.

         We don't use JSCell::getUInt32 anymore, so it has been removed.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:

2011-09-07  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):

2011-09-07  Oliver Hunt  <oliver@apple.com>

        Release mode build fix.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):

2011-09-06  Oliver Hunt  <oliver@apple.com>

        Remove JSObjectWithGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=67689

        Reviewed by Geoff Garen.

        Remove JSObjectWithGlobalObject, and update code to stop using anonymous
        storage to access the global object that a JSObject comes from.  Largely
        mechanical change to remove the use of anonymous storage and JSObjectWithGlobalObject.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        (JSC::::staticFunctionGetter):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):
        (JSC::DFG::tryCacheGetMethod):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/DatePrototype.cpp:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::finishCreation):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        (JSC::JSObject::globalObject):
        * runtime/JSObjectWithGlobalObject.cpp: Removed.
        * runtime/JSObjectWithGlobalObject.h: Removed.
        * runtime/JSValue.cpp:
        (JSC::JSValue::isValidCallee):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::finishCreation):
        * runtime/RegExpObject.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::globalObject):

2011-09-07  Gavin Barraclough  <barraclough@apple.com>

        Refactor JIT checks for ObjectType into helper functions.

        Rubber stamped by Sam Weinig.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchIfNotObject):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitJumpIfNotObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_this):

2011-09-07  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r94627 and r94632.
        http://trac.webkit.org/changeset/94627
        http://trac.webkit.org/changeset/94632
        https://bugs.webkit.org/show_bug.cgi?id=67698

        It broke tests on GTK and Qt (Requested by Ossy on #webkit).

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        * API/JSCallbackFunction.h:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::create):
        * debugger/DebuggerActivation.h:
        * jsc.cpp:
        (GlobalObject::constructorBody):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        * runtime/DateConstructor.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::constructorBody):
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:

2011-09-06  Xianzhu Wang  <wangxianzhu@chromium.org>

        Replace usages of Vector<UChar> with existing StringBuilder
        https://bugs.webkit.org/show_bug.cgi?id=67079

        Reviewed by Gavin Barraclough.

        This is part of work to support 8-bit string buffers.
        Adds StringBuilder::characters() because the original Vector<UChar>::data()
        is widely used.
        Sets the minimum size of buffer to 16 to prevent possible performance
        regression. Further performance investigation should be done in
        https://bugs.webkit.org/show_bug.cgi?id=67084.

        * wtf/Forward.h:
        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::appendUninitialized): Sets minimum buffer size to 16 bytes.
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::operator[]):
        (WTF::StringBuilder::characters): Added.

2011-09-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix broken snow leopard build
        https://bugs.webkit.org/show_bug.cgi?id=67693

        Reviewed by Daniel Bates.

        Removed unnecessary symbol export.

        * JavaScriptCore.exp:

2011-09-06  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not optimize booleans
        https://bugs.webkit.org/show_bug.cgi?id=67670

        Reviewed by Gavin Barraclough.
        
        This adds boolean value profiling, boolean prediction in the DFG,
        boolean forward flow propagation in the DFGPropagator, boolean
        data format in DFG generation info, and comprehensive optimizations
        based on both boolean prediction and boolean generation info.
        This is brings the speed-up on v8-richards to 12%, and gives slight
        speed-ups elsewhere as well.
        
        Making this work right required navigating some subtleties in
        value profiling.  Some functions get compiled with insufficient
        information because some important path of the function never
        executed.  In these cases, we wish to fall back on static
        speculation.  But to do so, we need to ensure that predictions that
        are inherent in the code (like that GetById almost certainly takes
        a cell operand) are reflected in predictions that we make in
        DFGPropagator.  Thus, DFGPropagator now does both backward and
        forward flow, using a both forward and backward fixpoint.
        
        The backward flow in DFGPropagator is a separate static analysis,
        and needs to keep a set of backward flow abstract values for
        variables, arguments, and globals.  To make this easy, this patch
        factors out DFGGraph's prediction tracking capability into
        DFGPredictionTracker, which now gets used by both DFGGraph (for
        forward flow predictions) and DFGPropagator (for backward flow
        predictions).  Backward flow predictions eventually get merged
        into forward flow ones, but the two are not equivalent: a forward
        flow prediction is a superset of the backward flow prediction.
        
        Debugging these prediction issues required a better understanding
        of where we fail speculation, and what our value predictions look
        like.  This patch also adds optional verbose speculation failure
        (so an informative printf fires whenever speculation failure occurs)
        and slight improvements to the verbosity in other places.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::numberOfBooleans):
        (JSC::ValueProfile::probabilityOfBoolean):
        (JSC::ValueProfile::dump):
        (JSC::ValueProfile::computeStatistics):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        (JSC::DFG::needDataFormatConversion):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::predictions):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::getPrediction):
        (JSC::DFG::Graph::getGlobalVarPrediction):
        (JSC::DFG::Graph::isBooleanConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        (JSC::DFG::JITCodeGenerator::speculationCheck):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::isBooleanConstant):
        (JSC::DFG::JITCodeGenerator::valueOfBooleanConstant):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::debugCall):
        (JSC::DFG::JITCompiler::isBooleanConstant):
        (JSC::DFG::JITCompiler::valueOfBooleanConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::isBooleanPrediction):
        (JSC::DFG::predictionToString):
        (JSC::DFG::mergePredictions):
        (JSC::DFG::makePrediction):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::valueOfBooleanConstant):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::hasNumericResult):
        (JSC::DFG::Node::predict):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionTracker.h: Added.
        (JSC::DFG::operandIsArgument):
        (JSC::DFG::PredictionSlot::PredictionSlot):
        (JSC::DFG::PredictionTracker::PredictionTracker):
        (JSC::DFG::PredictionTracker::initializeSimilarTo):
        (JSC::DFG::PredictionTracker::numberOfArguments):
        (JSC::DFG::PredictionTracker::numberOfVariables):
        (JSC::DFG::PredictionTracker::argumentOffsetForOperand):
        (JSC::DFG::PredictionTracker::predictArgument):
        (JSC::DFG::PredictionTracker::predict):
        (JSC::DFG::PredictionTracker::predictGlobalVar):
        (JSC::DFG::PredictionTracker::getArgumentPrediction):
        (JSC::DFG::PredictionTracker::getPrediction):
        (JSC::DFG::PredictionTracker::getGlobalVarPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::setPrediction):
        (JSC::DFG::Propagator::mergeUse):
        (JSC::DFG::Propagator::mergePrediction):
        (JSC::DFG::Propagator::propagateNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::~SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::index):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (JSC::DFG::SpeculateBooleanOperand::use):
        * runtime/JSGlobalData.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):

2011-09-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (5/7)
        https://bugs.webkit.org/show_bug.cgi?id=67420

        Reviewed by Geoffrey Garen.

        Completed the fifth level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        This primarily consists of pushing the calls to finishCreation() down 
        into the constructors of the subclasses of the second level of the hierarchy 
        as well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one.  Doing both simultaneously allows us to 
        maintain the invariant that the finishCreation() method chain is called exactly 
        once during the creation of an object, since calling it any other number of 
        times (0, 2, or more) will cause an assertion failure.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        (JSC::BooleanPrototype::finishCreation):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::finishCreation):
        * runtime/DateConstructor.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        (JSC::DatePrototype::finishCreation):
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorConstructor.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        (JSC::FunctionPrototype::finishCreation):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        (JSC::ObjectConstructor::finishCreation):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::finishCreation):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        (JSC::StringPrototype::finishCreation):
        * runtime/StringPrototype.h:

2011-09-06  Filip Pizlo  <fpizlo@apple.com>

        Accessibility tests crashing in BasicRawSentinelNode code
        https://bugs.webkit.org/show_bug.cgi?id=67682

        Reviewed by Geoffrey Garen.
        
        A CodeBlock should ensure that no other CodeBlocks have references to it after
        it is destroyed.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):

2011-09-06  Yong Li  <yoli@rim.com>

        https://bugs.webkit.org/show_bug.cgi?id=67486
        This reverts r65993 which gives wrong results for rshift
        in some corner cases (see the test).

        Reviewed by Gavin Barraclough.

        New test: fast/js/floating-point-truncate-rshift.html

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):

2011-09-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for r94559.
        
        Marked the relevant parameters as unused if !ENABLE(JIT), and surrounded
        new out-of-line JIT-specific method definitions with !ENABLE(JIT).

        * bytecode/CodeBlock.cpp:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):

2011-09-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix broken PPC build due to new dtoa library
        https://bugs.webkit.org/show_bug.cgi?id=67654

        Reviewed by Dan Bernstein.

        Added condition for PPC in the new dtoa compatibility check so that
        building won't fail.

        * wtf/dtoa/utils.h:

2011-09-05  Oliver Hunt  <oliver@apple.com>

        An object's structure should reference the global object responsible for its creation
        https://bugs.webkit.org/show_bug.cgi?id=67624

        Reviewed by Gavin Barraclough.

        Add a reference to a GlobalObject to Structure, and update all calls to
        Structure::create() to pass the global object that is the origin for that
        structure.  For objects where the appropriate global object isn't available
        at construction time (global object prototypes, etc), or objects that
        logically don't have a global object (strings, etc) we just pass null.

        This change is largely mechanical (passing a new globalObject parameter
        around).

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        * API/JSContextRef.cpp:
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::createStructure):
        * runtime/JSByteArray.h:
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInheritorID):
        * runtime/JSObject.h:
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        (JSC::createEmptyObjectStructure):
        * runtime/JSObjectWithGlobalObject.h:
        (JSC::JSObjectWithGlobalObject::createStructure):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::createStructure):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::createStructure):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::createStructure):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        (JSC::StringObjectThatMasqueradesAsUndefined::createStructure):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::globalObject):
        (JSC::Structure::setGlobalObject):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):

2011-09-06  Michael Saboff  <msaboff@apple.com>

        Add windows changes for JSC:RegExp functional tests
        https://bugs.webkit.org/show_bug.cgi?id=67521

        Windows build changes for regular expression functional test.

        Rubber-stamped by Gavin Barraclough.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/testRegExp: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPostBuild.cmd: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPreBuild.cmd: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPreLink.cmd: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Added.

2011-09-06  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore does not have tiered compilation
        https://bugs.webkit.org/show_bug.cgi?id=67176

        Reviewed by Gavin Barraclough.
        
        This adds the ability to have multiple CodeBlocks associated with
        a particular role in an Executable.  These are stored in
        descending order of compiler tier.  CodeBlocks are optimized when
        a counter (m_executeCounter) that is incremented in loops and
        epilogues becomes positive.  Optimizing means that all calls to
        the old CodeBlock are unlinked.
        
        The DFG can now pull in predictions from ValueProfiles, and
        propagate them along the graph.  To support the new phase while
        maintaing some level of abstraction, a DFGDriver was introduced
        that encapsulates how to run the DFG compiler.
        
        This is turned off by default because it's not yet a performance
        win on all benchmarks.  It speeds up crypto and richards by
        10% and 6% respectively, but still does not do as good of a job
        as it could.  Notably, the DFG backend has not changed, and
        is largely oblivious to the new information being made available
        to it.
        
        When turned off (the default), this patch is performance neutral.

        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branchAdd32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branchAdd32):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CallLinkInfo::unlink):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::clearEvalCache):
        (JSC::replaceExistingEntries):
        (JSC::CodeBlock::copyDataFromAlternative):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::compileOptimized):
        * bytecode/CodeBlock.h:
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        (JSC::ProgramCodeBlock::ProgramCodeBlock):
        (JSC::EvalCodeBlock::EvalCodeBlock):
        (JSC::FunctionCodeBlock::FunctionCodeBlock):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::dump):
        (JSC::ValueProfile::computeStatistics):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::dynamicallyPredict):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::parse):
        * dfg/DFGDriver.cpp: Added.
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h: Added.
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::isConstant):
        (JSC::DFG::Graph::isJSConstant):
        (JSC::DFG::Graph::isInt32Constant):
        (JSC::DFG::Graph::isDoubleConstant):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfDoubleConstant):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isConstant):
        (JSC::DFG::JITCompiler::isJSConstant):
        (JSC::DFG::JITCompiler::isInt32Constant):
        (JSC::DFG::JITCompiler::isDoubleConstant):
        (JSC::DFG::JITCompiler::valueOfJSConstant):
        (JSC::DFG::JITCompiler::valueOfInt32Constant):
        (JSC::DFG::JITCompiler::valueOfDoubleConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::isCellPrediction):
        (JSC::DFG::isNumberPrediction):
        (JSC::DFG::predictionToString):
        (JSC::DFG::mergePrediction):
        (JSC::DFG::makePrediction):
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::isInt32Constant):
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::valueOfInt32Constant):
        (JSC::DFG::Node::valueOfDoubleConstant):
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagation.cpp: Added.
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::setPrediction):
        (JSC::DFG::Propagator::mergePrediction):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::propagateForward):
        (JSC::DFG::Propagator::propagateBackward):
        (JSC::DFG::propagate):
        * dfg/DFGPropagation.h: Added.
        (JSC::DFG::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * heap/HandleHeap.h:
        (JSC::HandleHeap::Node::Node):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        (JSC::JIT::emitTimeoutCheck):
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkFor):
        * jit/JIT.h:
        (JSC::JIT::emitOptimizationCheck):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITCode.h:
        (JSC::JITCode::JITCode):
        (JSC::JITCode::bottomTierJIT):
        (JSC::JITCode::topTierJIT):
        (JSC::JITCode::nextTierJIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::EvalExecutable::compile):
        (JSC::ProgramExecutable::compile):
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileOptimizedFor):
        * wtf/Platform.h:
        * wtf/SentinelLinkedList.h:
        (WTF::BasicRawSentinelNode::BasicRawSentinelNode):
        (WTF::BasicRawSentinelNode::setPrev):
        (WTF::BasicRawSentinelNode::setNext):
        (WTF::BasicRawSentinelNode::prev):
        (WTF::BasicRawSentinelNode::next):
        (WTF::BasicRawSentinelNode::isOnList):
        (WTF::::remove):
        (WTF::::SentinelLinkedList):
        (WTF::::begin):
        (WTF::::end):
        (WTF::::push):

2011-09-05  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r94445 and r94448.
        http://trac.webkit.org/changeset/94445
        http://trac.webkit.org/changeset/94448
        https://bugs.webkit.org/show_bug.cgi?id=67595

        It broke everything (Requested by ossy on #webkit).

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectFunctionWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect):

2011-09-05  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed build fix for r94452.

        Add config.h as the first header to the cc files as required by the coding style.
        Reuse macros from Assertions.h instead of adding addional #ifdefs.

        * wtf/dtoa/bignum-dtoa.cc:
        * wtf/dtoa/bignum.cc:
        * wtf/dtoa/cached-powers.cc:
        * wtf/dtoa/diy-fp.cc:
        * wtf/dtoa/double-conversion.cc:
        * wtf/dtoa/fast-dtoa.cc:
        * wtf/dtoa/fixed-dtoa.cc:
        * wtf/dtoa/strtod.cc:
        * wtf/dtoa/utils.h:

2011-09-05  Andras Becsi  <andras.becsi@nokia.com>

        [Qt][WK2] Fix the build

        Rubber-stamped by Csaba Osztrogonác.

        * wtf/dtoa/double-conversion.cc: Remove dead variable in file added in r94452.
        The variable fractional_part is only set but never used.

2011-09-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r94452): 20 http/tests tests failing on Qt Linux Release
        https://bugs.webkit.org/show_bug.cgi?id=67562

        Reviewed by Darin Adler.

        Fixing the build (again which was broken by the dtoa patch.  Needed 
        to make sure WTF::double_conversion::initialize() is called for Qt
        as well as adding a check for WinCE in dtoa/utils.h

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * wtf/dtoa/cached-powers.cc:
        * wtf/dtoa/utils.h:

2011-09-03  Filip Pizlo  <fpizlo@apple.com>

        ThunkGenerators does not convert positive double zero into integer zero
        https://bugs.webkit.org/show_bug.cgi?id=67553

        Reviewed by Gavin Barraclough.
        
        This is an 0.5% speed-up on V8 and neutral elsewhere.

        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):

2011-09-03  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Add wtf/dtoa directory to build.

        * wscript:

2011-09-03  Filip Pizlo  <fpizlo@apple.com>

        DFG variable predictions only work for local variables, not temporaries
        https://bugs.webkit.org/show_bug.cgi?id=67554

        Reviewed by Gavin Barraclough.
        
        This appears to be a slight speed-up in Kraken (0.3% but significant)
        and neutral elsewhere.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):

2011-09-02  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT speculation failure does recovery of additions in reverse and
        doesn't rebox
        https://bugs.webkit.org/show_bug.cgi?id=67551

        Reviewed by Sam Weinig.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):

2011-09-02  Filip Pizlo  <fpizlo@apple.com>

        ValueProfile does not make it safe to introspect cell values
        after garbage collection
        https://bugs.webkit.org/show_bug.cgi?id=67354

        Reviewed by Gavin Barraclough.
        
        ValueProfile buckets are now weak references, implemented using a
        light-weight weak reference mechanism that this patch also adds (the
        WeakReferenceHarvester).  If a cell stored in a ValueProfile bucket
        is not marked, then the bucket is transformed into a Structure
        pointer.  If the Structure is not marked either, then it is turned
        into a ClassInfo pointer.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::visitWeakReferences):
        * bytecode/CodeBlock.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::classInfo):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfCells):
        (JSC::ValueProfile::numberOfArrays):
        (JSC::ValueProfile::probabilityOfArray):
        (JSC::ValueProfile::WeakBucket::WeakBucket):
        (JSC::ValueProfile::WeakBucket::operator!):
        (JSC::ValueProfile::WeakBucket::isEmpty):
        (JSC::ValueProfile::WeakBucket::isClassInfo):
        (JSC::ValueProfile::WeakBucket::isStructure):
        (JSC::ValueProfile::WeakBucket::asStructure):
        (JSC::ValueProfile::WeakBucket::asClassInfo):
        (JSC::ValueProfile::WeakBucket::getClassInfo):
        * heap/Heap.cpp:
        (JSC::Heap::harvestWeakReferences):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::harvestWeakReferences):
        * heap/MarkStack.h:
        (JSC::MarkStack::addWeakReferenceHarvester):
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::appendUnbarrieredPointer):
        * heap/SlotVisitor.h:
        * heap/WeakReferenceHarvester.h: Added.
        (JSC::WeakReferenceHarvester::WeakReferenceHarvester):
        (JSC::WeakReferenceHarvester::~WeakReferenceHarvester):

2011-09-02  Michael Saboff  <msaboff@apple.com>

        Replace local implementation of string equals() methods with UString versions
        https://bugs.webkit.org/show_bug.cgi?id=67342

        In preparation to allowing StringImpl to be backed by 8 bit 
        characters when appropriate, we need to eliminate or change the
        usage of StringImpl::characters(). Change the uses of characters()
        that are used to implement redundant equals() methods.

        Reviewed by Gavin Barraclough.

        * runtime/Identifier.cpp:
        (JSC::Identifier::equal):
        * runtime/Identifier.h:
        (JSC::Identifier::equal):
        * wtf/text/AtomicString.cpp:
        (WTF::CStringTranslator::equal): Moved an optimized method to here.
        (WTF::operator==):
        * wtf/text/StringImpl.cpp:
        (WTF::equal):
        * wtf/text/StringImpl.h:

2011-09-02  Michael Saboff  <msaboff@apple.com>

        Add JSC:RegExp functional tests
        https://bugs.webkit.org/show_bug.cgi?id=67339

        Added new test driver program (testRegExp) and corresponding data file
        along with build scripts changes.

        Reviewed by Gavin Barraclough.

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testRegExp.cpp: Added.
        (Options::Options):
        (StopWatch::start):
        (StopWatch::stop):
        (StopWatch::getElapsedMS):
        (RegExpTest::RegExpTest):
        (GlobalObject::create):
        (GlobalObject::className):
        (GlobalObject::GlobalObject):
        (main):
        (cleanupGlobalData):
        (testOneRegExp):
        (scanString):
        (parseRegExpLine):
        (parseTestLine):
        (runFromFiles):
        (printUsageStatement):
        (parseArguments):
        (realMain):
        * tests/regexp: Added.
        * tests/regexp/RegExpTest.data: Added.

2011-09-02  Michael Saboff  <msaboff@apple.com>

        Add JSC:RegExp functional test data generator
        https://bugs.webkit.org/show_bug.cgi?id=67519

        Add a data generator for regular expressions.  To enable, change the
        #undef REGEXP_FUNC_TEST_DATA_GEN to #define.  Then compile and use
        regular expressions.  The resulting data will be in /tmp/RegExpTestsData.

        Reviewed by Gavin Barraclough.

        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        (JSC::RegExpFunctionalTestCollector::clearRegExp):
        (JSC::RegExpFunctionalTestCollector::get):
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
        (JSC::RegExpFunctionalTestCollector::RegExpFunctionalTestCollector):
        (JSC::RegExpFunctionalTestCollector::~RegExpFunctionalTestCollector):
        (JSC::RegExpFunctionalTestCollector::outputEscapedUString):
        (JSC::RegExp::~RegExp):
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::matchCompareWithInterpreter):

2011-09-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix the broken build due to dtoa patch
        https://bugs.webkit.org/show_bug.cgi?id=67534

        Reviewed by Oliver Hunt.

        Fixing the build.

        * GNUmakefile.list.am:
        * wtf/dtoa/bignum.cc:
        * wtf/dtoa/fast-dtoa.cc:
        * wtf/dtoa/utils.h:

2011-09-02  Oliver Hunt  <oliver@apple.com>

        Remove OldSpace classes
        https://bugs.webkit.org/show_bug.cgi?id=67533

        Reviewed by Gavin Barraclough.

        Remove the unused OldSpace classes

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrierSlowCase):
        * heap/MarkedBlock.h:
        * heap/OldSpace.cpp: Removed.
        * heap/OldSpace.h: Removed.

2011-09-02  James Robinson  <jamesr@chromium.org>

        Compile fix for mac build.

        * wtf/CheckedArithmetic.h:
        (WTF::operator+):
        (WTF::operator-):
        (WTF::operator*):

2011-08-30  Matthew Delaney  <mdelaney@apple.com>

        Read out of bounds in sUnpremultiplyData_RGBA8888 / ImageBufferData::getData
        https://bugs.webkit.org/show_bug.cgi?id=65352

        Reviewed by Simon Fraser.

        New test: fast/canvas/canvas-getImageData-large-crash.html

        This patch prevents overflows from happening in getImageData, createImageData, and canvas creation
        calls that specify widths and heights that end up overflowing the ints that we store those values in
        as well as derived values such as area and maxX / maxY of the bounding rects involved. Overflow of integer
        arithmetic is detected via the use of the new Checked type that was introduced in r94207. The change to JSC
        is just to add a new helper method described below.

        * wtf/MathExtras.h:
        (isWithinIntRange): Reports if a float's value is within the range expressible by an int.

2011-09-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Incorporate newer, faster dtoa library
        https://bugs.webkit.org/show_bug.cgi?id=66346

        Reviewed by Oliver Hunt.

        Added new dtoa library at http://code.google.com/p/double-conversion/.
        Replaced old call to dtoa.  The new library is much faster than the old one.
        We still use the old dtoa for some stuff in WebCore as well as the old strtod, 
        but we can phase these out eventually as well.

        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/InitializeThreading.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        * runtime/UString.cpp:
        (JSC::UString::number):
        * wtf/CMakeLists.txt:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):
        * wtf/ThreadingWin.cpp:
        (WTF::initializeThreading):
        * wtf/dtoa.cpp:
        (WTF::dtoa):
        * wtf/dtoa.h:
        * wtf/dtoa/COPYING: Added.
        * wtf/dtoa/LICENSE: Added.
        * wtf/dtoa/README: Added.
        * wtf/dtoa/bignum-dtoa.cc: Added.
        * wtf/dtoa/bignum-dtoa.h: Added.
        * wtf/dtoa/bignum.cc: Added.
        * wtf/dtoa/bignum.h: Added.
        (WTF::double_conversion::Bignum::Times10):
        (WTF::double_conversion::Bignum::Equal):
        (WTF::double_conversion::Bignum::LessEqual):
        (WTF::double_conversion::Bignum::Less):
        (WTF::double_conversion::Bignum::PlusEqual):
        (WTF::double_conversion::Bignum::PlusLessEqual):
        (WTF::double_conversion::Bignum::PlusLess):
        (WTF::double_conversion::Bignum::EnsureCapacity):
        (WTF::double_conversion::Bignum::BigitLength):
        * wtf/dtoa/cached-powers.cc: Added.
        * wtf/dtoa/cached-powers.h: Added.
        * wtf/dtoa/diy-fp.cc: Added.
        * wtf/dtoa/diy-fp.h: Added.
        (WTF::double_conversion::DiyFp::DiyFp):
        (WTF::double_conversion::DiyFp::Subtract):
        (WTF::double_conversion::DiyFp::Minus):
        (WTF::double_conversion::DiyFp::Times):
        (WTF::double_conversion::DiyFp::Normalize):
        (WTF::double_conversion::DiyFp::f):
        (WTF::double_conversion::DiyFp::e):
        (WTF::double_conversion::DiyFp::set_f):
        (WTF::double_conversion::DiyFp::set_e):
        * wtf/dtoa/double-conversion.cc: Added.
        * wtf/dtoa/double-conversion.h: Added.
        (WTF::double_conversion::DoubleToStringConverter::DoubleToStringConverter):
        (WTF::double_conversion::StringToDoubleConverter::StringToDoubleConverter):
        * wtf/dtoa/double.h: Added.
        (WTF::double_conversion::double_to_uint64):
        (WTF::double_conversion::uint64_to_double):
        (WTF::double_conversion::Double::Double):
        (WTF::double_conversion::Double::AsDiyFp):
        (WTF::double_conversion::Double::AsNormalizedDiyFp):
        (WTF::double_conversion::Double::AsUint64):
        (WTF::double_conversion::Double::NextDouble):
        (WTF::double_conversion::Double::Exponent):
        (WTF::double_conversion::Double::Significand):
        (WTF::double_conversion::Double::IsDenormal):
        (WTF::double_conversion::Double::IsSpecial):
        (WTF::double_conversion::Double::IsNan):
        (WTF::double_conversion::Double::IsInfinite):
        (WTF::double_conversion::Double::Sign):
        (WTF::double_conversion::Double::UpperBoundary):
        (WTF::double_conversion::Double::NormalizedBoundaries):
        (WTF::double_conversion::Double::value):
        (WTF::double_conversion::Double::SignificandSizeForOrderOfMagnitude):
        (WTF::double_conversion::Double::Infinity):
        (WTF::double_conversion::Double::NaN):
        (WTF::double_conversion::Double::DiyFpToUint64):
        * wtf/dtoa/fast-dtoa.cc: Added.
        * wtf/dtoa/fast-dtoa.h: Added.
        * wtf/dtoa/fixed-dtoa.cc: Added.
        * wtf/dtoa/fixed-dtoa.h: Added.
        * wtf/dtoa/strtod.cc: Added.
        * wtf/dtoa/strtod.h: Added.
        * wtf/dtoa/utils.h: Added.
        (WTF::double_conversion::Max):
        (WTF::double_conversion::Min):
        (WTF::double_conversion::StrLength):
        (WTF::double_conversion::Vector::Vector):
        (WTF::double_conversion::Vector::SubVector):
        (WTF::double_conversion::Vector::length):
        (WTF::double_conversion::Vector::is_empty):
        (WTF::double_conversion::Vector::start):
        (WTF::double_conversion::Vector::operator[]):
        (WTF::double_conversion::Vector::first):
        (WTF::double_conversion::Vector::last):
        (WTF::double_conversion::StringBuilder::StringBuilder):
        (WTF::double_conversion::StringBuilder::~StringBuilder):
        (WTF::double_conversion::StringBuilder::size):
        (WTF::double_conversion::StringBuilder::position):
        (WTF::double_conversion::StringBuilder::Reset):
        (WTF::double_conversion::StringBuilder::AddCharacter):
        (WTF::double_conversion::StringBuilder::AddString):
        (WTF::double_conversion::StringBuilder::AddSubstring):
        (WTF::double_conversion::StringBuilder::AddPadding):
        (WTF::double_conversion::StringBuilder::Finalize):
        (WTF::double_conversion::StringBuilder::is_finalized):
        (WTF::double_conversion::BitCast):
        * wtf/wtf.pri:

2011-09-02  Filip Pizlo  <fpizlo@apple.com>

        DFG graph has no way of distinguishing or reconciling between static
        and dynamic predictions
        https://bugs.webkit.org/show_bug.cgi?id=67343

        Reviewed by Gavin Barraclough.
        
        PredictedType now stores the source of the prediction.  Merging predictions,
        which was previously done with a bitwise or, is now done via the
        mergePredictions (equivalent to |) and mergePrediction (equivalent to |=)
        functions, which correctly handle combinations of static and dynamic.
        
        This is performance-neutral, since all predictions are currently static and
        so the code has no visible effects.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::staticallyPredictArray):
        (JSC::DFG::ByteCodeParser::staticallyPredictInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        * dfg/DFGNode.h:
        (JSC::DFG::isArrayPrediction):
        (JSC::DFG::isInt32Prediction):
        (JSC::DFG::isDoublePrediction):
        (JSC::DFG::isDynamicPrediction):
        (JSC::DFG::mergePredictions):
        (JSC::DFG::mergePrediction):
        (JSC::DFG::makePrediction):
        (JSC::DFG::Node::predict):

2011-09-02  Oliver Hunt  <oliver@apple.com>

        Fix 32bit build.

        * heap/NewSpace.h:
        (JSC::NewSpace::allocatePropertyStorage):
        (JSC::NewSpace::inPropertyStorageNursery):

2011-09-02  Oliver Hunt  <oliver@apple.com>

        Use bump allocator for initial property storage
        https://bugs.webkit.org/show_bug.cgi?id=67494

        Reviewed by Gavin Barraclough.

        Switch to a bump allocator for the initial out of line
        property storage.  This gives us slightly faster allocation
        for short lived objects that need out of line storage at
        the cost of an additional memcpy when the object survives
        a GC pass.

        No performance impact.

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::allocatePropertyStorage):
        (JSC::Heap::inPropertyStorageNursary):
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        (JSC::NewSpace::resetPropertyStorageNursary):
        (JSC::NewSpace::allocatePropertyStorage):
        (JSC::NewSpace::inPropertyStorageNursary):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectFunctionWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect):

2011-09-01  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * JavaScriptCore.JSVALUE32_64only.exp:
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:

2011-09-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (4/7)
        https://bugs.webkit.org/show_bug.cgi?id=67174

        Reviewed by Oliver Hunt.

        Completed the fourth level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        This primarily consists of pushing the calls to finishCreation() down 
        into the constructors of the subclasses of the second level of the hierarchy 
        as well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one.  Doing both simultaneously allows us to 
        maintain the invariant that the finishCreation() method chain is called exactly 
        once during the creation of an object, since calling it any other number of 
        times (0, 2, or more) will cause an assertion failure.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        (JSC::DebuggerActivation::create):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::createNoParameters):
        (JSC::Arguments::Arguments):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::InterruptedExecutionError::create):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        (JSC::TerminatedExecutionError::create):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::finishCreation):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::create):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::finishCreation):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::JSNotAnObject):
        (JSC::JSNotAnObject::create):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        * runtime/JSObjectWithGlobalObject.cpp:
        (JSC::JSObjectWithGlobalObject::JSObjectWithGlobalObject):
        * runtime/JSObjectWithGlobalObject.h:
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::finishCreation):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        (JSC::NumberObject::finishCreation):
        * runtime/NumberObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        (JSC::RegExpMatchesArray::finishCreation):
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::finishCreation):
        * runtime/RegExpObject.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        (JSC::StringObject::finishCreation):
        * runtime/StringObject.h:

2011-09-01  Daniel Bates  <dbates@rim.com>

        QNX GCC distribution doesn't support vasprintf()
        https://bugs.webkit.org/show_bug.cgi?id=67423

        Reviewed by Antonio Gomes.

        * wtf/Platform.h: Don't enable HAVE_VASPRINTF when building with GCC on QNX.

2011-09-01  Michael Saboff  <msaboff@apple.com>

        Remove simple usage of UString::characters() from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=67340

        In preparation to allowing StringImpl to be backed by 8 bit 
        characters when appropriate, we need to eliminate or change the
        usage of StringImpl::characters().  Most of the changes below
        change s->characters()[0] to s[0].

        Reviewed by Geoffrey Garen.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::keyForCharacterSwitch):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::processClauseList):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Identifier.cpp:
        (JSC::Identifier::addSlowCase):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::jsToNumber):
        (JSC::parseFloat):
        * runtime/JSString.cpp:
        (JSC::JSString::substringFromRope):
        * runtime/JSString.h:
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::operator[]):

2011-09-01  Ada Chan  <adachan@apple.com>

        Export fastMallocStatistics and Heap::objectTypeCounts for https://bugs.webkit.org/show_bug.cgi?id=67160.

        Reviewed by Darin Adler.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-01  Hao Zheng  <zhenghao@chromium.org>

        Define PTHREAD_KEYS_MAX to fix Android port build.
        https://bugs.webkit.org/show_bug.cgi?id=67362

        Reviewed by Adam Barth.

        PTHREAD_KEYS_MAX is not defined in bionic, so explicitly define it.

        * wtf/ThreadIdentifierDataPthreads.cpp:

2011-08-31  Oliver Hunt  <oliver@apple.com>

        Fix build.

        * wtf/CheckedArithmetic.h:
        (WTF::Checked::Checked):
        (WTF::Checked::operator=):

2011-08-31  Oliver Hunt  <oliver@apple.com>

        fast/regex/overflow.html asserts in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=67326

        Reviewed by Gavin Barraclough.

        The deliberate overflows in these expressions don't interact nicely
        with Checked<32bit-type> so we just bump up to Checked<int64_t> for the
        intermediate calculations.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

2011-08-31  Jeff Miller  <jeffm@apple.com>

        REGRESSION(92210): AVFoundation media engine is disabled on OS X
        https://bugs.webkit.org/show_bug.cgi?id=67316

        Move the definition of WTF_USE_AVFOUNDATION on the Mac back to JavaScriptCore/wtf/Platform.h,
        since WebKit2 doesn't have access to WebCore/config.h on this platform. This reverts the
        changes that were made in r92210.

        Reviewed by Darin Adler.

        * wtf/Platform.h: Added definition of WTF_USE_AVFOUNDATION on the Mac.

2011-08-31  Peter Beverloo  <peter@chromium.org>

        Add Android's platform specification and the right atomic functions.
        https://bugs.webkit.org/show_bug.cgi?id=66687

        Reviewed by Adam Barth.

        * wtf/Atomics.h:
        (WTF::atomicIncrement):
        (WTF::atomicDecrement):
        * wtf/Platform.h:

2011-08-30  Oliver Hunt  <oliver@apple.com>

        Add support for checked arithmetic
        https://bugs.webkit.org/show_bug.cgi?id=67095

        Reviewed by Sam Weinig.

        Add a checked arithmetic class Checked<T> that provides overflow-safe
        arithmetic over all integral types.  Checked<T> supports addition, subtraction
        and multiplication, along with "bool" conversions and equality operators.

        Checked<> can be used in either CRASH() on overflow or delayed failure modes,
        although the default is to CRASH().

        To ensure the code is actually in use (rather than checking in dead code) I've
        made a couple of properties in YARR use Checked<int> and Checked<unsigned>
        instead of raw value arithmetic.  This has resulted in a moderate set of changes,
        to YARR - mostly adding .get() calls, but a couple of casts from unsigned long
        to unsigned for some uses of sizeof, as Checked<> currently does not support
        mixed signed-ness of types wider that 32 bits.

        Happily the increased type safety of Checked<> means that it's not possible to
        accidentally assign away precision, nor accidentally call integer overload of
        a function instead of the bool version.

        No measurable regression in performance, and SunSpider claims this patch to be
        a progression of 0.3%.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CheckedArithmetic.h: Added.
        (WTF::CrashOnOverflow::overflowed):
        (WTF::CrashOnOverflow::clearOverflow):
        (WTF::CrashOnOverflow::hasOverflowed):
        (WTF::RecordOverflow::RecordOverflow):
        (WTF::RecordOverflow::overflowed):
        (WTF::RecordOverflow::clearOverflow):
        (WTF::RecordOverflow::hasOverflowed):
        (WTF::isInBounds):
        (WTF::safeAdd):
        (WTF::safeSub):
        (WTF::safeMultiply):
        (WTF::safeEquals):
        (WTF::workAroundClangBug):
        (WTF::Checked::Checked):
        (WTF::Checked::operator=):
        (WTF::Checked::operator++):
        (WTF::Checked::operator--):
        (WTF::Checked::operator!):
        (WTF::Checked::operator UnspecifiedBoolType*):
        (WTF::Checked::get):
        (WTF::Checked::operator+=):
        (WTF::Checked::operator-=):
        (WTF::Checked::operator*=):
        (WTF::Checked::operator==):
        (WTF::Checked::operator!=):
        (WTF::operator+):
        (WTF::operator-):
        (WTF::operator*):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::atomPatternCharacter):
        (JSC::Yarr::ByteCompiler::atomCharacterClass):
        (JSC::Yarr::ByteCompiler::atomBackReference):
        (JSC::Yarr::ByteCompiler::atomParentheticalAssertionEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::ByteTerm):
        (JSC::Yarr::ByteTerm::CheckInput):
        (JSC::Yarr::ByteTerm::UncheckInput):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateAssertionEOL):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
        * yarr/YarrPattern.h:

2011-08-31  Andrei Popescu  <andreip@google.com>

        Investigate current uses of OS(ANDROID)
        https://bugs.webkit.org/show_bug.cgi?id=66761

        Unreviewed, build fix for ARM platforms.

        * wtf/Platform.h:

2011-08-31  Andrei Popescu  <andreip@google.com>

        Investigate current uses of OS(ANDROID)
        https://bugs.webkit.org/show_bug.cgi?id=66761

        Reviewed by Darin Adler.

        Remove the last legacy Android code.

        No new tests needed as the code wasn't tested in the first place.

        * wtf/Atomics.h:
        * wtf/Platform.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::createThreadInternal):

2011-08-30  Aaron Colwell  <acolwell@chromium.org>

        Add MediaSource API to HTMLMediaElement
        https://bugs.webkit.org/show_bug.cgi?id=64731

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2011-08-30  Oliver Hunt  <oliver@apple.com>

        TypedArrays don't ensure that denormalised values are normalised
        https://bugs.webkit.org/show_bug.cgi?id=67178

        Reviewed by Gavin Barraclough.

        Add a couple of assertions to jsNumber() to ensure that
        we block signaling NaNs

        * runtime/JSValue.h:
        (JSC::jsDoubleNumber):
        (JSC::jsNumber):

2011-08-30  Ademar de Souza Reis Jr.  <ademar.reis@openbossa.org>

        [Qt] Do not unconditionally use pkg-config in .pro files
        https://bugs.webkit.org/show_bug.cgi?id=67055

        Reviewed by Andreas Kling.

        Original patch from Rohan McGovern <rohan.mcgovern@nokia.com>

        Using the first pkg-config in PATH is prone to errors when cross
        compiling inside the Qt repository (using Qt's build-system).

        This patch protect calls for pkg-config with
        !contains(QT_CONFIG, no-pkg-config). no-pkg-config is added to
        QT_CONFIG by Qt's 'configure' when cross-compiling on systems
        without pkg-config.

        The respective change in Qt's configure has been submited already.

        No new tests as this is just a build change.

        * wtf/wtf.pri: protect pkg-config calls

2011-08-29  Daniel Bates  <dbates@webkit.org>

        Add HAVE(VASPRINTF) macro to test for vasprintf() support
        https://bugs.webkit.org/show_bug.cgi?id=67156

        Reviewed by Darin Adler.

        Encapsulate testing of vasprintf() support in a HAVE macro
        instead of hardcoding the list of supported/unsupported
        compilers at the call site.

        * wtf/Platform.h:

2011-08-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (3/7)
        https://bugs.webkit.org/show_bug.cgi?id=67064

        Reviewed by Darin Adler.

        Completed the third level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        This primarily consists of pushing the calls to finishCreation() down 
        into the constructors of the subclasses of the second level of the hierarchy 
        as well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one.  Doing both simultaneously allows us to 
        maintain the invariant that the finishCreation() method chain is called exactly 
        once during the creation of an object, since calling it any other number of 
        times (0, 2, or more) will cause an assertion failure.

        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        (JSC::DebuggerActivation::finishCreation):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::createNoParameters):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::finishCreation):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        Moved the assignment of m_firstLine and m_lastLine into the 
        FunctionExecutable::finishCreation() method in Executable.h
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::finishCreation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        (JSC::JSArray::finishCreation):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::finishCreation):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::JSNotAnObject):
        * runtime/JSObject.h:
        (JSC::JSNonFinalObject::JSNonFinalObject):
        * runtime/JSObjectWithGlobalObject.cpp:
        (JSC::JSObjectWithGlobalObject::JSObjectWithGlobalObject):
        (JSC::JSObjectWithGlobalObject::finishCreation):
        * runtime/JSObjectWithGlobalObject.h:
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        (JSC::JSVariableObject::finishCreation):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):

2011-08-29  Andreas Kling  <kling@webkit.org>

        Unreviewed build fix after r93990.

        * wtf/HashTable.h:

2011-08-29  Andreas Kling  <kling@webkit.org>

        Viewing a post on reddit.com wastes a lot of memory on event listeners.
        https://bugs.webkit.org/show_bug.cgi?id=67133

        Reviewed by Darin Adler.

        Add a minimum table size to the HashTraits, instead of having it hard coded.
        The default value remains at 64, but can now be specialized.

        * runtime/StructureTransitionTable.h:
        * wtf/HashTable.h:
        (WTF::HashTable::shouldShrink):
        (WTF::::expand):
        (WTF::::checkTableConsistencyExceptSize):
        * wtf/HashTraits.h:

2011-08-28  Jonathan Liu  <net147@gmail.com>

        Fix build error when compiling with MinGW-w64 by disabling JIT
        on Windows 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=61235

        Reviewed by Gavin Barraclough.

        The fixed mmap executable allocator for JIT on x86_64 requires
        sys/mman.h which is not available on Windows.

        * wtf/Platform.h:

2011-08-27  Filip Pizlo  <fpizlo@apple.com>

        JSC::Executable is inconsistent about using weak handle finalizers
        and destructors for releasing memory
        https://bugs.webkit.org/show_bug.cgi?id=67072

        Reviewed by Darin Adler.
        
        Moved more of the destruction of Executable state into the finalizer,
        which also resulted in an opportunity to mostly combine this with
        discardCode().  This also means that the finalizer is now enabled even
        when the JIT is turned off.  This is performance neutral on SunSpider,
        V8, and Kraken.

        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):
        (JSC::ExecutableFinalizer::finalize):
        (JSC::EvalExecutable::clearCode):
        (JSC::ProgramExecutable::clearCode):
        (JSC::FunctionExecutable::discardCode):
        (JSC::FunctionExecutable::clearCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::finishCreation):

2011-08-26  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT - ArithMod may clobber operands.
        https://bugs.webkit.org/show_bug.cgi?id=67085

        Reviewed by Sam Weinig.

        unboxDouble must be called on a temporary.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::boxDouble):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (2/7)
        https://bugs.webkit.org/show_bug.cgi?id=66957

        Reviewed by Darin Adler.

        Completed the second level of the refactoring to add finishCreation()
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        * runtime/Executable.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::ExecutableBase::create):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::finishCreation):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::GetterSetter):
        (JSC::GetterSetter::create):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::create):
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
        * runtime/JSObject.h:
        (JSC::JSNonFinalObject::JSNonFinalObject):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSFinalObject::create):
        (JSC::JSFinalObject::finishCreation):
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSObject::JSObject):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::create):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::createWithoutCaching):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::ScopeChainNode):
        (JSC::ScopeChainNode::create):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::finishCreation):
        (JSC::Structure::createStructure):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):

2011-08-26  Filip Pizlo  <fpizlo@apple.com>

        The GC does not have a facility for profiling the kinds of objects
        that occupy the heap
        https://bugs.webkit.org/show_bug.cgi?id=66849

        Reviewed by Geoffrey Garen.
        
        Destructor calls and object scans are now optionally counted, per
        vtable. When the heap is destroyed and profiling is enabled, the
        counts are dumped, with care taken to print the names of classes
        (modulo C++ mangling) sorted in descending commonality.

        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::destroy):
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::drain):
        * heap/MarkStack.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * heap/MarkedBlock.h:
        * heap/VTableSpectrum.cpp: Added.
        (JSC::VTableSpectrum::VTableSpectrum):
        (JSC::VTableSpectrum::~VTableSpectrum):
        (JSC::VTableSpectrum::countVPtr):
        (JSC::VTableSpectrum::count):
        (JSC::VTableAndCount::VTableAndCount):
        (JSC::VTableAndCount::operator<):
        (JSC::VTableSpectrum::dump):
        * heap/VTableSpectrum.h: Added.
        * wtf/Platform.h:

2011-08-26  Juan C. Montemayor  <jmont@apple.com>

        Update topCallFrame when calling host functions in the JIT
        https://bugs.webkit.org/show_bug.cgi?id=67010

        Reviewed by Oliver Hunt.
        
        The topCallFrame is not being updated when a host function is
        called by the JIT. This causes problems when trying to create a
        stack trace (https://bugs.webkit.org/show_bug.cgi?id=66994).

        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):

2011-08-26  Alexey Proskuryakov  <ap@apple.com>

        Get rid of frame life support timer
        https://bugs.webkit.org/show_bug.cgi?id=66874

        Reviewed by Geoff Garen.

        * runtime/JSGlobalObject.h:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        globalExec() no longer needs to be virtual, its only override was in JSDOMWindowBase.

2011-08-26  Chao-ying Fu  <fu@mips.com>

        Fix MIPS patchOffsetGetByIdSlowCaseCall
        https://bugs.webkit.org/show_bug.cgi?id=67046

        Reviewed by Gavin Barraclough.

        * jit/JIT.h:

2011-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing broken build due to unused variables in release mode
        https://bugs.webkit.org/show_bug.cgi?id=67004

        Unreviewed, release build fix.

        Fixing broken build due to unused variables in ASSERTs in release build.

        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        * runtime/JSString.h:
        (JSC::RopeBuilder::finishCreation):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::finishCreation):

2011-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (1/7)
        https://bugs.webkit.org/show_bug.cgi?id=66827

        Reviewed by Geoffrey Garen.

        Added finishCreation() methods to all immediately subclasses of JSCell with
        non-empty constructors.  Part of a larger refactoring to "unzip" initialization
        lists and constructor bodies.  Also renamed JSCell's constructorBody() method
        to finishCreation().

        * runtime/Executable.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::ExecutableBase::constructorBody):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::GetterSetter):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::constructorBody):
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::JSCell):
        (JSC::JSCell::JSCell::constructorBody):
        * runtime/JSObject.h:
        (JSC::JSObject::constructorBody):
        (JSC::JSObject::JSObject):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::constructorBody):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::constructorBody):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::constructorBody):
        * runtime/RegExp.h:
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::ScopeChainNode):
        (JSC::ScopeChainNode::constructorBody):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):
        (JSC::StructureChain::constructorBody):

2011-08-25  Gabor Loki  <loki@webkit.org>

        REGRESSION(r93755): It made 14 jsc test and ~500 layout test fail on Qt-ARM bot
        https://bugs.webkit.org/show_bug.cgi?id=66956

        Rebaseline constants for patching GetByIdSlowCaseCall on ARM.

        Reviewed by Oliver Hunt.

        * jit/JIT.h:

2011-08-24  Juan C. Montemayor  <jmont@apple.com>

        Keep track of topCallFrame for Stack traces
        https://bugs.webkit.org/show_bug.cgi?id=66571

        Reviewed by Geoffrey Garen.

        This patch adds a TopCallFrame to JSC in order to have that information
        when an error is thrown to create a stack trace. The TopCallFrame is
        updated throughout select points in the Interpreter and the JSC.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::updateTopCallFrame):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::call):
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::arityCheckFor):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:

2011-08-24  Filip Pizlo  <fpizlo@apple.com>

        ErrorInstance::create sometimes has two heap object constructions
        in flight at once
        https://bugs.webkit.org/show_bug.cgi?id=66845

        Reviewed by Darin Adler.
        
        The fix is simple since there is already a second create() method
        that takes a UString.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::create):

2011-08-24  Filip Pizlo  <fpizlo@apple.com>

        There is no facility for profiling how the write barrier is used
        https://bugs.webkit.org/show_bug.cgi?id=66747

        Reviewed by Geoffrey Garen.
        
        Added facilities for the JIT to specify the kind of write barrier
        being executed.  Added code for profiling the number of each kind
        of barrier encountered.

        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::emitCount):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::emitCount):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * heap/WriteBarrierSupport.cpp: Added.
        (JSC::WriteBarrierCounters::initialize):
        * heap/WriteBarrierSupport.h: Added.
        (JSC::WriteBarrierCounters::WriteBarrierCounters):
        (JSC::WriteBarrierCounters::jitCounterFor):
        (JSC::WriteBarrierCounters::countWriteBarrier):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emitWriteBarrier):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emitWriteBarrier):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::setWithoutWriteBarrier):

2011-08-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add checks to ensure allocation does not take place during initialization of GC-managed objects
        https://bugs.webkit.org/show_bug.cgi?id=65288

        Reviewed by Darin Adler.

        Adding the new validation functionality.  In its current state, it will performs checks, 
        but they don't fail unless you do allocation in the arguments to the parent constructor in the 
        initialization list of a class.  The allocateCell() method turns on the global flag disallowing any new 
        allocations, and the constructorBody() method in JSCell turns it off.  This way, allocation is still 
        allowed in constructor bodies while other refactoring efforts continue.

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::constructorBody):
        (JSC::JSCell::JSCell::JSCell):
        (JSC::JSCell::allocateCell):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::isInitializingObject):
        (JSC::JSGlobalData::setInitializingObject):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):

2011-08-23  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=55347
        "name" and "message" enumerable on *Error.prototype

        Reviewed by Sam Weinig.

        The default value of a NativeErrorPrototype's message
        property is "", not the name of the error.

        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create):
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::constructorBody):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):

2011-08-23  Steve Block  <steveblock@google.com>

        Remove last occurrences of PLATFORM(ANDROID)
        https://bugs.webkit.org/show_bug.cgi?id=66763

        Reviewed by Tony Gentilcore.

        * wtf/Platform.h:

2011-08-23  Steve Block  <steveblock@google.com>

        Remove all mention of removed Android files from build scripts
        https://bugs.webkit.org/show_bug.cgi?id=66755

        Reviewed by Tony Gentilcore.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:

2011-08-23  Adam Barth  <abarth@webkit.org>

        Remove WebCore/editing/android and other Android-specific directories
        https://bugs.webkit.org/show_bug.cgi?id=66739

        Reviewed by Steve Block.

        Now that Android shares more code with Chromium, we don't need these
        Android-specific files.

        * wtf/android: Removed.
        * wtf/android/AndroidThreading.h: Removed.
        * wtf/android/MainThreadAndroid.cpp: Removed.

2011-08-23  Ilya Tikhonovsky  <loislo@chromium.org>

        Unreviewed build fix for compile error on Windows for r93560.

        * runtime/SamplingCounter.h:

2011-08-22  Filip Pizlo  <fpizlo@apple.com>

        Sampling counter support is in the bytecode directory
        https://bugs.webkit.org/show_bug.cgi?id=66724

        Reviewed by Darin Adler.
        
        Moved SamplingCounter to a separate header in runtime/.

        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SamplingTool.cpp:
        * bytecode/SamplingTool.h:
        * runtime/SamplingCounter.cpp: Added.
        (JSC::AbstractSamplingCounter::dump):
        * runtime/SamplingCounter.h: Added.
        (JSC::AbstractSamplingCounter::count):
        (JSC::AbstractSamplingCounter::addressOfCounter):
        (JSC::AbstractSamplingCounter::init):
        (JSC::SamplingCounter::SamplingCounter):
        (JSC::GlobalSamplingCounter::name):
        (JSC::DeletableSamplingCounter::DeletableSamplingCounter):
        (JSC::DeletableSamplingCounter::~DeletableSamplingCounter):

2011-08-21  Martin Robinson  <mrobinson@igalia.com>

        Fix 'make dist' for WebKitGTK+.

        * GNUmakefile.list.am: Add a missing header to the sources list.

2011-08-20  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore bytecompiler does not compute scope depth correctly
        in the case of constant declarations
        https://bugs.webkit.org/show_bug.cgi?id=66572

        Reviewed by Oliver Hunt.
        
        Changed the handling of const to add the dynamic scope depth.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstDeclNode::emitCodeSingle):

2011-08-19  Daniel Bates  <dbates@webkit.org>

        Only #include <signal.h> and require SA_RESTART when building with JSC_MULTIPLE_THREADS
        https://bugs.webkit.org/show_bug.cgi?id=66617

        Both <signal.h> and SA_RESTART usage are guarded behind ENABLE(JSC_MULTIPLE_THREADS).
        But we cause a compile error if the platform doesn't support SA_RESTART regardless of
        whether JSC_MULTIPLE_THREADS is enabled for the port. Instead, we shouldn't require
        SA_RESTART support unless we are building with JSC_MULTIPLE_THREADS enabled.

        Reviewed by Antonio Gomes.

        * heap/MachineStackMarker.cpp:

2011-08-19  Filip Pizlo  <fpizlo@apple.com>

        The JSC JIT currently has no facility to profile and report
        the types of values
        https://bugs.webkit.org/show_bug.cgi?id=65901

        Reviewed by Gavin Barraclough.
        
        Added the ability to profile the values seen at function calls (both
        arguments and results) and heap loads.  This is done with emphasis
        on performance.  A value profiling site consists of: add, and,
        move, and store; no branching is necessary.  Each value profiling
        site (called a ValueProfile) has a ring buffer of 8 recently-seen
        values.  ValueProfiles are stored in the CodeBlock; there will be
        one for each argument (excluding this) and each heap load or callsite.
        Each time a value profiling site executes, it stores the value into
        a pseudo-random element in the ValueProfile buffer.  The point is
        that for frequently executed code, we will have 8 somewhat recent
        values in the buffer and will be able to not only figure out what
        type it is, but also to be able to reason about the actual values
        if we wish to do so.
        
        This feature is currently disabled by default.  When enabled, it
        results in a 3.7% slow-down on SunSpider.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addValueProfile):
        (JSC::CodeBlock::numberOfValueProfiles):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        * bytecode/ValueProfile.h: Added.
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::computeProbability):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfCells):
        (JSC::ValueProfile::probabilityOfInt32):
        (JSC::ValueProfile::probabilityOfDouble):
        (JSC::ValueProfile::probabilityOfCell):
        (JSC::getValueProfileBytecodeOffset):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITCall.cpp:
        (JSC::JIT::emit_op_call_put_result):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        * jit/JSInterfaceJIT.h:
        * wtf/Platform.h:
        * wtf/StdLibExtras.h:
        (WTF::binarySearch):
        (WTF::genericBinarySearch):

2011-08-19  Daniel Bates  <dbates@webkit.org>

        Don't include DisallowCType.h when building on QNX
        https://bugs.webkit.org/show_bug.cgi?id=66616

        Reviewed by Antonio Gomes.

        * config.h:

2011-08-19  Daniel Bates  <dbates@webkit.org>

        Implement ExecutableAllocator::cacheFlush() for QNX
        https://bugs.webkit.org/show_bug.cgi?id=66611

        Reviewed by Antonio Gomes.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):

2011-08-19  Daniel Bates  <dbates@webkit.org>

        Implement WTF::atomic{Increment, Decrement}() for QNX
        https://bugs.webkit.org/show_bug.cgi?id=66605

        Reviewed by Darin Adler.

        * wtf/Atomics.h:
        (WTF::atomicIncrement):
        (WTF::atomicDecrement):

2011-08-19  Beth Dakin  <bdakin@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=66590
        Re-name scrollbar painter types

        Reviewed by Sam Weinig.

        WTF_USE_WK_SCROLLBAR_PAINTER is now WTF_USE_SCROLLBAR_PAINTER since WK no longer 
        applies.
        * wtf/Platform.h:

2011-08-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move allocation in constructors into separate constructorBody() methods
        https://bugs.webkit.org/show_bug.cgi?id=66265

        Reviewed by Oliver Hunt.

        Refactoring to put all allocations that need to be done after the object's 
        initialization list has executed but before the object is ready for use 
        into a separate constructorBody() method.  This method is still called by the constructor, 
        so the patch doesn't resolve any potential issues, it's just to set up the code for further refactoring.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jsc.cpp:
        (GlobalObject::constructorBody):
        (GlobalObject::GlobalObject):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::constructorBody):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::constructorBody):
        * runtime/ErrorPrototype.h:
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::constructorBody):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::constructorBody):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::constructorBody):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::constructorBody):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::constructorBody):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::constructorBody):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::constructorBody):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::constructorBody):
        * runtime/NativeErrorPrototype.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):

2011-08-10  Filip Pizlo  <fpizlo@apple.com>

        DFG non-speculative JIT does not inline the double case of ValueAdd
        https://bugs.webkit.org/show_bug.cgi?id=66025

        Reviewed by Gavin Barraclough.
        
        This is a 1.3% win on Kraken overall, with >=8% speed-ups on a few
        benchmarks (imaging-darkroom, stanford-crypto-pbkdf2,
        stanford-crypto-sha256-iterative).  It looks like it might have
        a speed-up in SunSpider (though not statistically significant or
        particularly reproducible) and a slight slow-down in V8 (0.14%,
        not statistically significant).  It does slow down v8-crypto by
        1.5%.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        * dfg/DFGOperations.cpp:

2011-08-18  Filip Pizlo  <fpizlo@apple.com>

        [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=66426

        Reviewed by Oliver Hunt.
        
        Changed the branchTestPtr to branchTest32.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-08-17  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        https://bugs.webkit.org/show_bug.cgi?id=66379
        implements load32WithCompactAddressOffsetPatch function 
        and fixes store32 and moveWithPatch functions for SH4 platforms.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::rshift32):
        (JSC::MacroAssemblerSH4::store32):
        (JSC::MacroAssemblerSH4::load32WithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerSH4::moveWithPatch):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::movlMemRegCompact):
        (JSC::SH4Assembler::readPointer):
        (JSC::SH4Assembler::repatchCompact):
        * jit/JIT.h:

2011-08-17  Filip Pizlo  <fpizlo@apple.com>

        JSC verbose debugging output sometimes doesn't work as expected.
        https://bugs.webkit.org/show_bug.cgi?id=66107

        Reviewed by Gavin Barraclough.
        
        Hardened the CodeBlock::dump() code so that it no longer crashes.  Improved
        the DFG verbose code so that it prints slightly more useful information.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::debugSize):
        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString):
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfRegExps):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):

2011-08-16  Michael Saboff  <msaboff@apple.com>

        Crash in Structure::visitChildren running iAd.js regression test suite under memory pressure
        https://bugs.webkit.org/show_bug.cgi?id=66351

        JIT::privateCompilePutByIdTransition expects that regT0 and regT1
        have the basePayload and baseTag respectively.  In some cases,
        we may get to this generated code with one or both of these
        registers trash.  One know case is that regT0 on ARM may be
        trashed as regT0 (r0) is also arg0 and can be overrun with sp due
        to calls to JIT::restoreReturnAddress().  This patch uses the
        values on the stack.  A longer term solution is to work out all
        cases so that the register entry assumptions can assured.

        While fixing this, also determined that the additional stack offset
        of sizeof(void*) is not needed for ARM.

        Reviewed by Gavin Barraclough.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):

2011-08-15  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=66263
        DFG JIT does not always zero extend boolean result of DFG operations

        Reviewed by Sam Weinig.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
            - Change bool return values to a 64-bit type.

2011-08-15  Gavin Barraclough  <barraclough@apple.com>

        Crash accessing static property on sealed object
        https://bugs.webkit.org/show_bug.cgi?id=66242

        Reviewed by Sam Weinig.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
            - should only check isExtensible if checkReadOnly.

2011-08-15  Sam Weinig  <sam@webkit.org>

        Fix release build when building with Clang.

        Reviewed by Anders Carlsson.

        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentIdentifierTable):
        Add NO_RETURN_DUE_TO_CRASH.

2011-08-15  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>

        Reviewed by Nikolas Zimmermann.

        Speed up SVGSMILElement::findInstanceTime.
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Add a new parameter to StdlibExtras.h::binarySerarch function
        to also handle cases when the array does not contain the key value.
        This is needed for an svg function.

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-08-13  Sam Weinig  <sam@webkit.org>

        Add back 0xbbadbeef to CRASH to allow for old habits
        https://bugs.webkit.org/show_bug.cgi?id=66190

        Reviewed by David Kilzer.

        * wtf/Assertions.h:
        Add back the assignment to the memory address 0xbbadbeef in the CRASH
        macro, as it does not cause issue in the clang static analyzer and many
        people use its presence in crash reports to easily identify ASSERTs. 

2011-08-13  Sam Weinig  <sam@webkit.org>

        Fix a bunch of minor bugs caught by the clang static analyzer in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=66182

        Reviewed by Dan Bernstein.

        Fixes 10 warnings in JavaScriptCore and 2 in testapi.

        * API/tests/testapi.c:
        (main):
        Remove dead variables.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        Initialize hasPrinted and silence an unused warning by casting to void (Ok here
        since it is debug code and I want to keep it clear that if other cases are added,
        the hasPrinted flag would be needed).

        * wtf/dtoa.cpp:
        (WTF::d2b):
        The variable "de" in the else block is always zero, so there is no reason to
        use it.

2011-08-12  Sam Weinig  <sam@webkit.org>

        Use __builtin_trap() for CRASH when building with clang
        https://bugs.webkit.org/show_bug.cgi?id=66152

        Reviewed by Anders Carlsson.

        * wtf/Assertions.h:
        Add Clang specific CRASH macro that calls __builtin_trap() instead
        of silly techniques to crash. This allows the static analyzer to understand
        that we are intentionally crashing. As a result, we need to mark some functions
        as not returning.

        Also adds a macros that annotates a function as never returning due to ASSERT or CRASH.

        * wtf/Compiler.h:
        Add COMPILIER(CLANG) and fix some formatting and spelling mistakes.

        * wtf/FastMalloc.cpp:
        (WTF::Internal::fastMallocMatchFailed):
        Add NO_RETURN_DUE_TO_CRASH.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::assertionWordBoundary):
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBackReference):
        Add NO_RETURN_DUE_TO_ASSERT.

2011-08-12  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT has inconsistent use of boxDouble and unboxDouble,
        inconsistent use of assertions regarding doubles, and those
        assertions are not turned on in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=66160

        Reviewed by Gavin Barraclough.
        
        JIT assertions are now turned on in debug builds.  JIT
        assertions are now used for boxing and unboxing doubles, and boxing
        and unboxing no longer involves code duplication.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::GeneralizedRegister::moveTo):
        (JSC::DFG::GeneralizedRegister::swapWith):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::boxDouble):
        (JSC::DFG::JITCompiler::unboxDouble):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::convertToDouble):

2011-08-12  Mark Rowe  <mrowe@apple.com>

        Be more forward-looking in the choice of compiler.

        Rubber-stamped by Jon Honeycutt.

        * Configurations/CompilerVersion.xcconfig:

2011-08-12  Kalev Lember  <kalevlember@gmail.com>

        [GTK] Fix non-pthreads build after r91906.
        https://bugs.webkit.org/show_bug.cgi?id=66151

        Reviewed by David Levin.

        r91906 broke the non-pthreads GTK+ build by including a header which
        doesn't exist. Fix it by including DateMath.h instead of DateMap.h.

        * wtf/gtk/ThreadingGtk.cpp:

2011-08-12  Mark Rowe  <mrowe@apple.com>

        Update some configuration settings that were missed back in r92432.

        * Configurations/CompilerVersion.xcconfig:

2011-08-12  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r91610?): Bing Maps fail to initialize (InvalidOperation:
        Matrix3D.invert)
        https://bugs.webkit.org/show_bug.cgi?id=66038

        Reviewed by Gavin Barraclough.
        
        Simplest and lowest-impact fix for the case where the spilled format
        of a DFG node differs from the register format: if the format is
        converted then indicate that the spilled value is no longer valid
        ("kill the spill").

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::killSpilled):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-08-12  Sam Weinig  <sam@webkit.org>

        Move compiler specific macros to their own header
        https://bugs.webkit.org/show_bug.cgi?id=66119

        Reviewed by Anders Carlsson.

        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        Add Compiler.h

        * wtf/AlwaysInline.h:
        Move the contents of this file (which no longer was just about ALWAYS_INLINE) to
        Compiler.h.  We can remove this file in a later commit.

        * wtf/Compiler.h: Added.
        Put all compiler specific checks and features in this file.

        * wtf/Platform.h:
        Move COMPILER macro and definitions (and the odd WARN_UNUSED_RETURN compiler feature)
        to Compiler.h.  Include Compiler.h since it is necessary.

2011-08-11  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT-specific structure stub info code offset fields are signed
        8-bit, but it is possible for the offsets to be greater than 127
        https://bugs.webkit.org/show_bug.cgi?id=66122

        Reviewed by Gavin Barraclough.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):

2011-08-11  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT speculation failure code sometimes picks the wrong register
        as a scratch register.
        https://bugs.webkit.org/show_bug.cgi?id=66104

        Reviewed by Gavin Barraclough.
        
        Hardened the code with more assertions and fixed the bug.  Now a
        spilled register is only used for scratch if it also isn't being
        used for shuffling.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):

2011-08-11  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r92880.
        http://trac.webkit.org/changeset/92880
        https://bugs.webkit.org/show_bug.cgi?id=66123

        Breaks compile in VS2010 (Requested by jamesr_ on #webkit).

        * wtf/PassRefPtr.h:

2011-08-11  Mark Rowe  <mrowe@apple.com>

        Don't conditionalize the use of -fomit-frame-pointer on compiler version as
        all of our supported compilers are now new enough to have the same, sane behavior.

        Rubber-stamped by Sam Weinig.

        * Configurations/JavaScriptCore.xcconfig:

2011-08-11  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT verbose mode does not report the generated types of nodes
        https://bugs.webkit.org/show_bug.cgi?id=65830

        Reviewed by Sam Weinig.
        
        Added code that prints the type selected for each node's result.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-08-11  James Robinson  <jamesr@chromium.org>

        nullptr can't be used for PassRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=66024

        Reviewed by Anders Carlsson.

        * wtf/PassRefPtr.h:
        (WTF::PassRefPtr::PassRefPtr):

2011-08-11  Daniel Bates  <dbates@rim.com>

        Removed unused variable in StackBounds::initialize() to resolve
        compiler warning when building on QNX.
        https://bugs.webkit.org/show_bug.cgi?id=66072

        Reviewed by Antonio Gomes.

        * wtf/StackBounds.cpp:
        (WTF::StackBounds::initialize):

2011-08-11  Devdatta Deshpande  <pwjd73@motorola.com>

        Implementation of monotonically increasing clock on GTK
        https://bugs.webkit.org/show_bug.cgi?id=62175

        Reviewed by Martin Robinson.

        * wtf/CurrentTime.cpp:
        (WTF::monotonicallyIncreasingTime):
        The default implementation of monotonicallyIncreasingTime only
        guarantees the result to be non-decreasing.
        If the system time is changed to past then default implementation will
        still fail and WebCore timers will not fire.

2011-08-10  Geoffrey Garen  <ggaren@apple.com>

        Removed some incorrect code that was dead.

        Reviewed by Oliver Hunt.

        clearSingleTransition() wasn't resetting m_data. Luckily,
        no one cares, because its caller was unused. Removed both.

        * runtime/Structure.cpp:
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::~StructureTransitionTable):

2011-08-10  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
        https://bugs.webkit.org/show_bug.cgi?id=66010

        Reviewed by Oliver Hunt.
        
        Made sure that Construct calls use() on the this argument.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-08-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC should always throw when function arg list is too long
        https://bugs.webkit.org/show_bug.cgi?id=65869

        Reviewed by Oliver Hunt.

        Changed the behavior of the interpreter and JIT to throw an exception 
        when too many arguments are passed rather than truncating the list.  Added 
        a new method to create a "Too many arguments." exception used by this 
        new functionality.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createTooManyParamsError):
        * runtime/ExceptionHelpers.h:

2011-08-10  Oliver Hunt  <oliver@apple.com>

        Make GC checks more aggressive in release builds
        https://bugs.webkit.org/show_bug.cgi?id=66001

        Reviewed by Gavin Barraclough.

        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::visitStrongHandles):
        (JSC::HandleHeap::visitWeakHandles):
        (JSC::HandleHeap::finalizeWeakHandles):
        (JSC::HandleHeap::writeBarrier):
        (JSC::HandleHeap::isLiveNode):
        (JSC::HandleHeap::isValidWeakNode):
           Increase handle heap validation logic, and make some of
           the crashes trigger in release builds as well as debug.
        * heap/HandleHeap.h:
        (JSC::HandleHeap::allocate):
        (JSC::HandleHeap::makeWeak):
           Ditto
        * runtime/JSGlobalData.cpp:
        (WTF::Recompiler::operator()):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
           Fix GC bugs found while testing this patch

2011-08-10  Oliver Hunt  <oliver@apple.com>

        JSEvaluteScript does not return the correct object when given JSONP data
        https://bugs.webkit.org/show_bug.cgi?id=66003

        Reviewed by Gavin Barraclough.

        Make sure we propagate the result of the function call rather than the
        argument.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-08-10  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT heap prediction causes regressions when combined with
        aggressive integer prediction
        https://bugs.webkit.org/show_bug.cgi?id=65954

        Reviewed by Gavin Barraclough.
        
        Disabled heap prediction, but did not remove the capability.
        This improves V8 crypto performance by 20%.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):

2011-08-09  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not speculative integers as aggressively as it should
        https://bugs.webkit.org/show_bug.cgi?id=65949

        Reviewed by Gavin Barraclough.
        
        Added a tree walk to propagate integer predictions through arithmetic
        expressions.
        
        This is a 71% speed-up on Kraken's imaging-gaussian-blur, which
        translates to a 19% speed-up on Kraken overall.  It's neutral on
        other benchmarks.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::predictInt32):

2011-08-09  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT has no way of propagating predictions to loads and calls
        https://bugs.webkit.org/show_bug.cgi?id=65883

        Reviewed by Gavin Barraclough.
        
        This introduces the capability to store predictions on graph
        nodes.  To save space while being somewhat consistent, the
        prediction is always stored in the second OpInfo slot (since
        a GetById will use the first one for the identifier).  This
        change is a natural extension of r92593 (global variable
        prediction).
        
        This is a 1.5% win on V8 in the arithmetic mean, and a 0.6%
        win on V8 in the geometric mean.  It is neutral on SunSpider
        and Kraken.  Interestingly, on V8 it regresses crypto by 3%
        while progressing deltablue and richards by 2.6% and 4.3%,
        respectively.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::isCellPrediction):
        (JSC::DFG::isArrayPrediction):
        (JSC::DFG::isInt32Prediction):
        (JSC::DFG::isDoublePrediction):
        (JSC::DFG::isNumberPrediction):
        (JSC::DFG::predictionToString):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasPrediction):
        (JSC::DFG::Node::getPrediction):
        (JSC::DFG::Node::predict):

2011-08-09  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT passes the this argument to constructors even though
        it's not necessary
        https://bugs.webkit.org/show_bug.cgi?id=65943

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-08-09  Chao-ying Fu  <fu@mips.com>

        Fix one MIPS instruction to call JITStubThunked_##op
        https://bugs.webkit.org/show_bug.cgi?id=65942

        Reviewed by Gavin Barraclough.

        Changed "bal" to "jalr" for a possible processor mode change from
        MIPS32 to MIPS16.

        * jit/JITStubs.cpp:

2011-08-09  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT failure loading web site
        https://bugs.webkit.org/show_bug.cgi?id=65930

        Reviewed by Oliver Hunt.
        
        Put the use() call after the fpr()/gpr() calls, since doing otherwise
        breaks the register allocator.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):

2011-08-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add ParentClass typedef in all JSC classes
        https://bugs.webkit.org/show_bug.cgi?id=65731

        Reviewed by Oliver Hunt.

        Just added the Base typedefs in all the classes that are a subclass of JSCell 
        to point at their parent classes.  This is a change to support future changes to the way
        constructors and destructors are implemented in JS objects, among other things.

        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::JSCallbackObject):
        (JSC::::init):
        (JSC::::className):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::deleteProperty):
        (JSC::::getConstructData):
        (JSC::::construct):
        (JSC::::hasInstance):
        (JSC::::getCallData):
        (JSC::::call):
        (JSC::::getOwnPropertyNames):
        (JSC::::toNumber):
        (JSC::::toString):
        (JSC::::setPrivate):
        (JSC::::getPrivate):
        (JSC::::inherits):
        (JSC::::getStaticValue):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * debugger/DebuggerActivation.h:
        * jsc.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.h:
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.h:
        * runtime/DateInstance.h:
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.h:
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.h:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.h:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.h:
        * runtime/GetterSetter.h:
        * runtime/InternalFunction.h:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSActivation.h:
        * runtime/JSArray.h:
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSString.h:
        * runtime/JSVariableObject.h:
        * runtime/JSWrapperObject.h:
        * runtime/MathObject.h:
        * runtime/NativeErrorConstructor.h:
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.h:
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.h:
        * runtime/RegExp.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.h:
        * runtime/ScopeChain.h:
        * runtime/StrictEvalActivation.h:
        * runtime/StringConstructor.h:
        * runtime/StringObject.h:
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        * runtime/StringPrototype.h:
        * runtime/Structure.h:
        * runtime/StructureChain.h:

2011-08-08  Oliver Hunt  <oliver@apple.com>

        Using mprotect to create guard pages breaks our use of madvise to release executable memory
        https://bugs.webkit.org/show_bug.cgi?id=65870

        Reviewed by Gavin Barraclough.

        Use mmap rather than mprotect to clear guard page permissions.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2011-08-08  Oliver Hunt  <oliver@apple.com>

        Non-extensibility does not prevent mutating [[Prototype]]
        https://bugs.webkit.org/show_bug.cgi?id=65832

        Reviewed by Gavin Barraclough.

        Disallow mutation of __proto__ on objects that are not extensible.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):

2011-08-08  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not track speculation decisions for global variables
        https://bugs.webkit.org/show_bug.cgi?id=65825

        Reviewed by Gavin Barraclough.
        
        Added the capability to track predictions for global variables, and
        ensured that code can abstract over the source of prediction (local
        versus global variable) wherever it is appropriate to do so.  Also
        cleaned up the code in SpeculativeJIT that decides how to speculate
        based on recorded predictions (for example instead of using isInteger,
        which makes sense for local predictions where the GetLocal would
        return an integer value, we now tend to use shouldSpeculateInteger,
        which checks if the value is either already an integer or should be
        speculated to be an integer).
        
        This is an 0.8% win on SunSpider, almost entirely thanks to a 25%
        win on controlflow-recursive.  It's also a 4.8% win on v8-crypto.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::predictArray):
        (JSC::DFG::ByteCodeParser::predictInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getGlobalVarPrediction):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):

2011-08-07  Martin Robinson  <mrobinson@igalia.com>

        Distribution fix for GTK+.

        * GNUmakefile.list.am: Strip removed files from the source list.

2011-08-06  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=65821
        Don't form identifiers the first time a string is used as a property name.

        Reviewed by Oliver Hunt.

        This is a 1% win on SunSpider.

        * dfg/DFGOperations.cpp:
            - Use fastGetOwnProperty.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Use fastGetOwnProperty.
        * runtime/JSCell.h:
        * runtime/JSObject.h:
        (JSC::JSCell::fastGetOwnProperty):
            - Fast call to get a property without creating an identifier the first time.
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::findWithString):
            - Add interface to look up by either strinsg or identifiers.
        * runtime/Structure.h:
        (JSC::Structure::get):
            - Add a get() call that takes a UString, not an Identifier.
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::hasHash):
            - Add a call to check if the has has been set (to detect the first use as a property name).

2011-08-06  Aron Rosenberg  <arosenberg@logitech.com>

        Reviewed by Benjamin Poulain.

        [Qt] Fix build with Intel compiler on Windows
        https://bugs.webkit.org/show_bug.cgi?id=65088

        Intel compiler needs .lib suffixes instead of .a
        Intel compiler doesn't support nullptr
        Intel compiler supports unsized arrays

        * JavaScriptCore.pri:
        * jsc.cpp:
        * wtf/ByteArray.h:
        * wtf/NullPtr.h:

2011-08-05  Gavin Barraclough  <barraclough@apple.com>

        String replace with the empty string means string removal
        https://bugs.webkit.org/show_bug.cgi?id=65799

        Reviewed by Sam Weinig.

        Optimization for String.prototype.replace([RegExp], ""), this improves v8-regexp by ~3%.

        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::stringProtoFuncReplace):

2011-08-05  Noel Gordon  <noel.gordon@gmail.com>

        [Chromium] Remove JSZombie references from gyp project files.
        https://bugs.webkit.org/show_bug.cgi?id=65798

        JSC runtime/JSZombie.{cpp,h} were removed in r92046.  Remove references to these
        file names from the gyp projects.

        Reviewed by Darin Adler.

        * JavaScriptCore.gypi: zombies be gone.

2011-08-05  Mark Rowe  <mrowe@apple.com>

        <http://webkit.org/b/65785> ThreadRestrictionVerifier needs a mode where an object
        is tied to a particular dispatch queue

        A RefCounted object can be opted in to this mode by calling setDispatchQueueForVerifier
        with the dispatch queue it will be tied to. This will cause ThreadRestrictionVerifier
        to ensure that all operations are performed on the given dispatch queue.

        Reviewed by Anders Carlsson.

        * wtf/RefCounted.h:
        (WTF::RefCountedBase::setDispatchQueueForVerifier):
        * wtf/ThreadRestrictionVerifier.h:
        (WTF::ThreadRestrictionVerifier::ThreadRestrictionVerifier):
        (WTF::ThreadRestrictionVerifier::~ThreadRestrictionVerifier):
        (WTF::ThreadRestrictionVerifier::setDispatchQueueMode):
        (WTF::ThreadRestrictionVerifier::setShared):
        (WTF::ThreadRestrictionVerifier::isSafeToUse):

2011-08-05  Oliver Hunt  <oliver@apple.com>

        Inline allocation of function objects
        https://bugs.webkit.org/show_bug.cgi?id=65779

        Reviewed by Gavin Barraclough.

        Inline allocation and initilisation of function objects
        in generated code.  This ended up being a 60-70% improvement
        in function allocation performance.  This improvement shows
        up as a ~2% improvement in 32bit sunspider and V8, but is a
        wash on 64-bit.

        We currently don't inline the allocation of named function
        expressions, as that requires being able to gc allocate a
        variable object.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::emitStoreCell):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC::JIT::emitAllocateJSFinalObject):
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emitSlow_op_new_func):
        (JSC::JIT::emit_op_new_func_exp):
        (JSC::JIT::emitSlow_op_new_func_exp):
        * jit/JITOpcodes32_64.cpp:
            Removed duplicate implementation of op_new_func and op_new_func_exp
        * runtime/JSFunction.h:
        (JSC::JSFunction::offsetOfScopeChain):
        (JSC::JSFunction::offsetOfExecutable):

2011-08-04  David Levin  <levin@chromium.org>

        CStringBuffer should have thread safety checks turned on.
        https://bugs.webkit.org/show_bug.cgi?id=58093

        Reviewed by Dmitry Titov.

        * wtf/text/CString.h:
        (WTF::CStringBuffer::CStringBuffer): Removed the ifdef that
        turned this off for Chromium.

2011-08-04  Mark Rowe  <mrowe@apple.com>

        Future-proof Xcode configuration settings.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/Version.xcconfig:

2011-08-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Interpreter can potentially GC in the middle of initializing a structure chain
        https://bugs.webkit.org/show_bug.cgi?id=65638

        Reviewed by Oliver Hunt.

        Moved the allocation of a prototype StructureChain before the initialization of 
        the structure chain within the interpreter that was causing intermittent GC crashes.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCachePutByID):
        * wtf/Platform.h:

2011-08-04  Filip Pizlo  <fpizlo@apple.com>

        Eval handling attempts literal parsing even when the eval
        string is in the cache
        https://bugs.webkit.org/show_bug.cgi?id=65675

        Reviewed by Oliver Hunt.
        
        This is a 25% speed-up on date-format-tofte and a 1.5% speed-up overall
        in SunSpider.  It's neutral on V8.

        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::tryGet):
        (JSC::EvalCodeCache::getSlow):
        (JSC::EvalCodeCache::get):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):

2011-08-03  Mark Rowe  <mrowe@apple.com>

        Bring some order to FeatureDefines.xcconfig to make it easier to follow.

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2011-08-03  Mark Rowe  <mrowe@apple.com>

        Clean up FeatureDefines.xcconfig to remove some unnecessary conditional settings

        Reviewed by Dave Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2011-08-03  Filip Pizlo  <fpizlo@apple.com>

        JSC GC heap size improvement breaks build on some platforms due to
        unused parameter
        https://bugs.webkit.org/show_bug.cgi?id=65641

        Reviewed by Darin Adler.
        
        Fix build on non-x86 platforms, by ensuring that the relevant
        parameter always appears to be used even when it isn't.

        * heap/Heap.cpp:

2011-08-03  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Reorganize pkg-config files
        https://bugs.webkit.org/show_bug.cgi?id=65548

        Reviewed by Martin Robinson.

        * GNUmakefile.am:
        * javascriptcoregtk.pc.in: Renamed from Source/WebKit/gtk/javascriptcoregtk.pc.in.

2011-08-01  David Levin  <levin@chromium.org>

        Add asserts to RefCounted to make sure ref/deref happens on the right thread.
        https://bugs.webkit.org/show_bug.cgi?id=31639

        Reviewed by Dmitry Titov.

        * GNUmakefile.list.am: Added new files to the build.
        * JavaScriptCore.gypi: Ditto.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Ditto.
        * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
        * jit/ExecutableAllocator.h:
        (JSC::ExecutablePool::ExecutablePool): Turned off checks for this
        due to not being able to figure out what was guarding it (bug 58091).
        * parser/SourceProvider.h:
        (JSC::SourceProvider::SourceProvider): Ditto.
        * wtf/CMakeLists.txt: Added new files to the build.
        * wtf/ThreadRestrictionVerifier.h: Added.
        Everything is done in the header to avoid the issue with exports
        that are only useful in debug but still needing to export them.
        * wtf/RefCounted.h:
        (WTF::RefCountedBase::ref): Added checks using the non thread safe verifier.
        and filed bug 58171 about making it stricter.
        (WTF::RefCountedBase::hasOneRef): Ditto.
        (WTF::RefCountedBase::refCount): Ditto.
        (WTF::RefCountedBase::setMutexForVerifier): Expose a way to change the checks to be based
        on a mutex. This is in the header to avoid adding more exports from JavaScriptCore.
        (WTF::RefCountedBase::deprecatedTurnOffVerifier): Temporary way to turn off verification.
        Filed bug 58174 to remove this method.
        (WTF::RefCountedBase::derefBase):
        * wtf/SizeLimits.cpp: Adjusted the debug size check for RefCounted.
        * wtf/text/CString.h:
        (WTF::CStringBuffer::CStringBuffer): Turned off checks for this while a fix is being
        done in Chromium (bug 58093).

2011-08-02  Filip Pizlo  <fpizlo@apple.com>

        JSC GC may not be able to reuse partially-free blocks after a
        full collection
        https://bugs.webkit.org/show_bug.cgi?id=65585

        Reviewed by Darin Adler.
        
        This fixes the linked list management bug.  This fix is performance
        neutral on SunSpider.

        * heap/NewSpace.cpp:
        (JSC::NewSpace::removeBlock):

2011-07-30  Oliver Hunt  <oliver@apple.com>

        Simplify JSFunction creation for functions written in JS
        https://bugs.webkit.org/show_bug.cgi?id=65422

        Reviewed by Gavin Barraclough.

        Remove hash lookups used to write name property and transition
        function structure by caching the resultant structure and property
        offset in JSGlobalObject.  This doesn't impact performance, but
        we can use this change to make other improvements later.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::FunctionExecutable::jsName):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::namedFunctionStructure):
        (JSC::JSGlobalObject::functionNameOffset):

2011-08-02  Filip Pizlo  <fpizlo@apple.com>

        JSC GC uses dummy cells to avoid having to remember which cells
        it has already destroyed
        https://bugs.webkit.org/show_bug.cgi?id=65556

        Reviewed by Oliver Hunt.
        
        This gets rid of dummy cells, and ensures that it's not necessary
        to invoke a destructor on cells that have already been swept.  In
        the common case, a block knows that either all of its free cells
        still need to have destructors called, or none of them do, which
        minimizes the amount of branching that needs to happen per cell
        when performing a sweep.
        
        This is performance neutral on SunSpider and V8.  It is meant as
        a stepping stone to simplify the implementation of more
        sophisticated sweeping algorithms.

        * heap/Heap.cpp:
        (JSC::CountFunctor::ClearMarks::operator()):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::initForCellSize):
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedReset):
        (JSC::MarkedBlock::reset):
        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep):
        (JSC::MarkedBlock::produceFreeList):
        (JSC::MarkedBlock::lazySweep):
        (JSC::MarkedBlock::blessNewBlockForFastPath):
        (JSC::MarkedBlock::blessNewBlockForSlowPath):
        (JSC::MarkedBlock::canonicalizeBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::FreeCell::setNoObject):
        (JSC::MarkedBlock::setDestructorState):
        (JSC::MarkedBlock::destructorState):
        (JSC::MarkedBlock::notifyMayHaveFreshFreeCells):
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::JSCell):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::clearBuiltinStructures):
        * runtime/JSGlobalData.h:
        * runtime/Structure.h:

2011-08-01  Michael Saboff  <msaboff@apple.com>

        Virtual copying of FastMalloc allocated memory causes madvise MADV_FREE_REUSABLE errors
        https://bugs.webkit.org/show_bug.cgi?id=65502

        Reviewed by Anders Carlsson.

        With the fix of the issues causing madvise MADV_FREE_REUSABLE to fail,
        added an assert to the return code of madvise to catch any regressions.

        * wtf/TCSystemAlloc.cpp:
        (TCMalloc_SystemRelease):

2011-08-02  Anders Carlsson  <andersca@apple.com>

        Fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-08-02  Anders Carlsson  <andersca@apple.com>

        Fix a Windows build error.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-08-02  Filip Pizlo  <fpizlo@apple.com>

        JSC GC is far too conservative about growing the heap size, particularly
        on desktop platforms
        https://bugs.webkit.org/show_bug.cgi?id=65438

        Reviewed by Oliver Hunt.

        The minimum heap size is now 16MB instead of 512KB, provided all of the
        following are true:
        a) ENABLE(LARGE_HEAP) is set, which currently only happens on
           x86 targets, but could reasonably happen on any platform that is
           known to have a decent amount of RAM.
        b) JSGlobalData is initialized with HeapSize = LargeHeap, which
           currently only happens when it's the JSDOMWindowBase in WebCore or
           in the jsc command-line tool.
           
        This is a 4.1% speed-up on SunSpider.

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::collect):
        * heap/Heap.h:
        * jsc.cpp:
        (main):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::createContextGroup):
        (JSC::JSGlobalData::create):
        (JSC::JSGlobalData::createLeaked):
        (JSC::JSGlobalData::sharedInstance):
        * runtime/JSGlobalData.h:
        * wtf/Platform.h:

2011-08-02  Filip Pizlo  <fpizlo@apple.com>

        JSC does a GC even when the heap still has free pages
        https://bugs.webkit.org/show_bug.cgi?id=65445

        Reviewed by Oliver Hunt.
        
        If the high watermark is not reached, then we allocate new blocks as
        before.  If the current watermark does reach (or exceed) the high
        watermark, then we check if there is a block on the free block pool.
        If there is, we simply allocation from it.  If there isn't, we
        invoke a collectin as before.  This effectively couples the elastic
        scavenging to the collector's decision function.  That is, if an
        application rapidly varies its heap usage (sometimes using more and
        sometimes less) then the collector will not thrash as it used to.
        But if heap usage drops and stays low then the scavenger thread and
        the GC will eventually reach a kind of consensus: the GC will set
        the watermark low because of low heap usage, and the scavenger thread
        will steadily eliminate pages from the free page pool, until the size
        of the free pool is below the high watermark.
        
        On command-line, this is neutral on SunSpider and Kraken and a 3% win
        on V8.  In browser, this is a 1% win on V8 and neutral on the other
        two.

        * heap/Heap.cpp:
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::allocateBlock):
        * heap/Heap.h:

2011-08-02  Jeff Miller  <jeffm@apple.com>

        Move WTF_USE_AVFOUNDATION from JavaScriptCore/wtf/platform.h to WebCore/config.h
        https://bugs.webkit.org/show_bug.cgi?id=65552
        
        Since this is a WebCore feature, there's no need to define it in JavaScriptCore/wtf/platform.h.

        Reviewed by Adam Roben.

        * wtf/Platform.h: Removed WTF_USE_AVFOUNDATION.

2011-08-01  Jean-luc Brouillet  <jeanluc@chromium.org>

        Removing old source files in gyp files that slow build
        https://bugs.webkit.org/show_bug.cgi?id=65503

        Reviewed by Adam Barth.

        A number of stale files are listed in the gyp files. These slow the
        build on Visual Studio 2010. Removing them.

        * JavaScriptCore.gypi:

2011-07-14  David Levin  <levin@chromium.org>

        currentThread is too slow!
        https://bugs.webkit.org/show_bug.cgi?id=64577

        Reviewed by Darin Adler and Dmitry Titov.

        The problem is that currentThread results in a pthread_once call which always takes a lock.
        With this change, currentThread is 10% faster than isMainThread in release mode and only
        5% slower than isMainThread in debug.

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff
        which is no longer needed because this is called from initializeThreading().
        (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
        intialization of the pthread key should already be done.
        (WTF::ThreadIdentifierData::initialize): Ditto.
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading): Acquire the pthread key here.

2011-08-01  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT sometimes creates speculation check data structures that have
        invalid information about the format of a register
        https://bugs.webkit.org/show_bug.cgi?id=65490

        Reviewed by Gavin Barraclough.
        
        The code now makes sure to (1) always have correct and up-to-date
        information about register format at the time that a speculation
        check is emitted, (2) assert that speculation data is correct
        inside the speculation check implementation, and (3) avoid creating
        speculation data altogether if compilation has already failed, since
        at that point the format data is almost guaranteed to be bogus.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::EntryLocation::EntryLocation):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculationCheck::SpeculationCheck):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::speculationCheck):

2011-08-01  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r92092): Build fails on 64 bit
        https://bugs.webkit.org/show_bug.cgi?id=65458

        Reviewed by Oliver Hunt.
        
        The build was broken because some compilers were smart enough to see
        an array index out of bounds due to the decision fuction for when to
        go from precise size classes to imprecise size classes being broken:
        it would assume that sizes in the range 97..128 belonged to a precise
        size class when in fact they belonged to an imprecise one.
        
        In fact, the code would have run correctly, by way of a fluke, because
        though the 4th precise size class (for 97..128) didn't exist, the next
        array over from m_preciseSizeClasses was m_impreciseSizeClasses, and
        its first entry would have been a size class that is appropriate for
        allocations in the range 97..128.  However, this relies on specific
        ordering of fields in NewSpace, so it's still a bug.
        
        This fixes the bug by ensuring that allocations larger than 96 use
        the imprecise size classes.

        * heap/NewSpace.h:
        (JSC::NewSpace::sizeClassFor):

2011-07-31  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64679
        Fix bugs in Array.prototype this handling.

        Unreviewed - rolling out r91290.

        Looks like the wild wild web isn't ready for this yet.

        This change broke http://slides.html5rocks.com/#landing-slide.
        Interestingly, this might only be due to our lack of bind support -
        it looks like this site is calling  Array.prototype.slice as a part
        of its bind implementation.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):

2011-07-31  Filip Pizlo  <fpizlo@apple.com>

        JSC GC lays out size classes under wrong assumptions about expected
        object size.
        https://bugs.webkit.org/show_bug.cgi?id=65437

        Reviewed by Oliver Hunt.
        
        Changed the atom size - which is both the smallest allocation size and
        the smallest possible stepping unit for size class spacing - from
        8 bytes to 4 pointer-size words.  This is a 1% win on SunSpider.

        * heap/MarkedBlock.h:

2011-07-31  Filip Pizlo  <fpizlo@apple.com>

        DFG non-speculative JIT does not optimize PutByVal
        https://bugs.webkit.org/show_bug.cgi?id=65424

        Reviewed by Gavin Barraclough.
        
        Added code to emit PutByVal inline fast path.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):

2011-07-31  Filip Pizlo  <fpizlo@apple.com>

        The JSC garbage collector returns memory to the operating system too
        eagerly.
        https://bugs.webkit.org/show_bug.cgi?id=65382

        Reviewed by Oliver Hunt.
        
        This introduces a memory reuse model similar to the one in FastMalloc.
        A periodic scavenger thread runs in the background and returns half the
        free memory to the OS on each timer fire.  New block allocations first
        attempt to get the memory from the collector's internal pool, reverting
        to OS allocation only when this pool is empty.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::destroy):
        (JSC::Heap::waitForRelativeTimeWhileHoldingLock):
        (JSC::Heap::waitForRelativeTime):
        (JSC::Heap::blockFreeingThreadStartFunc):
        (JSC::Heap::blockFreeingThreadMain):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::releaseFreeBlocks):
        * heap/Heap.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::destroy):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::initForCellSize):
        (JSC::MarkedBlock::reset):
        * heap/MarkedBlock.h:
        * wtf/Platform.h:

2011-07-30  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT speculation failure pass sometimes forgets to emit code to
        move certain registers.
        https://bugs.webkit.org/show_bug.cgi?id=65421

        Reviewed by Oliver Hunt.
        
        Restructured the offending loops (for gprs and fprs).  It's once again
        possible to use spreadsheets on docs.google.com.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):

2011-07-30  Patrick Gansterer  <paroga@webkit.org>

        Remove inclusion of MainThread.h from Threading.h
        https://bugs.webkit.org/show_bug.cgi?id=65081

        Reviewed by Darin Adler.

        Add missing and remove unneeded include statements for MainThread.

        * wtf/CryptographicallyRandomNumber.cpp:
        * wtf/Threading.h:
        * wtf/ThreadingPthreads.cpp:
        * wtf/text/StringStatics.cpp:

2011-07-30  Oliver Hunt  <oliver@apple.com>

        Reduce the size of JSGlobalObject slightly
        https://bugs.webkit.org/show_bug.cgi?id=65417

        Reviewed by Dan Bernstein.

        Push a few members that either aren't commonly used,
        or aren't frequently accessed into a separate struct.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::WeakMapsFinalizer::finalize):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
        (JSC::JSGlobalObject::createRareDataIfNeeded):
        (JSC::JSGlobalObject::setProfileGroup):
        (JSC::JSGlobalObject::profileGroup):
        (JSC::JSGlobalObject::registerWeakMap):
        (JSC::JSGlobalObject::deregisterWeakMap):

2011-07-30  Balazs Kelemen  <kbalazs@webkit.org>

        MessageQueue::waitForMessageFilteredWithTimeout can triggers an assertion
        https://bugs.webkit.org/show_bug.cgi?id=65263

        Reviewed by Dmitry Titov.

        * wtf/Deque.h:
        (WTF::::operator): Don't check the validity of an iterator
        that will be reassigned right now.
        * wtf/MessageQueue.h:
        (WTF::::removeIf): Revert r51198 as I beleave this is the better
        solution for the problem that was solved by that.

2011-07-29  Filip Pizlo  <fpizlo@apple.com>

        JSC GC zombie support no longer works, and is likely no longer needed.
        https://bugs.webkit.org/show_bug.cgi?id=65404

        Reviewed by Darin Adler.
        
        This removes zombies, because they no longer work, are not tested, are
        probably not needed, and are getting in the way of GC optimization
        work.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Handle.h:
        (JSC::HandleConverter::operator->):
        (JSC::HandleConverter::operator*):
        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::isValidWeakNode):
        * heap/Heap.cpp:
        (JSC::Heap::destroy):
        (JSC::Heap::collect):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::clearMarks):
        * interpreter/Register.h:
        (JSC::Register::Register):
        (JSC::Register::operator=):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::append):
        (JSC::ArgList::ArgList):
        * runtime/JSCell.cpp:
        (JSC::isZombie):
        * runtime/JSCell.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::clearBuiltinStructures):
        * runtime/JSGlobalData.h:
        * runtime/JSValue.h:
        * runtime/JSValueInlineMethods.h:
        (JSC::JSValue::JSValue):
        * runtime/JSZombie.cpp: Removed.
        * runtime/JSZombie.h: Removed.
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::setEarlyValue):
        (JSC::WriteBarrierBase::operator*):
        (JSC::WriteBarrierBase::setWithoutWriteBarrier):
        * wtf/Platform.h:

2011-07-29  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT verbose mode provides no details about predictions
        https://bugs.webkit.org/show_bug.cgi?id=65389

        Reviewed by Darin Adler.
        
        Added a print-out of the predictions to the IR dump, with names as follows:
        "p-bottom" = the parser made no predictions
        "p-int32" = the parser predicted int32
        ... (same for array, cell, double, number)
        "p-top" = the parser made conflicting predictions which will be ignored.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::predictionToString):

2011-07-29  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not have any way of undoing double speculation.
        https://bugs.webkit.org/show_bug.cgi?id=65334

        Reviewed by Gavin Barraclough.
        
        This adds code to do a branchConvertDoubleToInt on specualtion failure.
        This is performance-neutral on most benchmarks but does result in
        a slight improvement in Kraken.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::GeneralizedRegister::moveTo):
        (JSC::DFG::GeneralizedRegister::swapWith):
        (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation):
        (JSC::DFG::ShuffledRegister::handleCyclingPermutation):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):

2011-07-29  Filip Pizlo  <fpizlo@apple.com>

        Crash when opening docs.google.com
        https://bugs.webkit.org/show_bug.cgi?id=65327

        Reviewed by Gavin Barraclough.
        
        The speculative JIT was only checking whether a value is an array when
        we had already checked that it was, rather then when we hadn't.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-28  Oliver Hunt  <oliver@apple.com>

        *_list instructions are only used in one place, where the code is wrong.
        https://bugs.webkit.org/show_bug.cgi?id=65348

        Reviewed by Darin Adler.

        Simply remove the instructions and all users.  Speeds up the interpreter
        slightly due to code motion, but otherwise has no effect (because none
        of the _list instructions are ever used).

        * bytecode/CodeBlock.cpp:
        (JSC::isPropertyAccess):
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::visitStructures):
        * bytecode/Instruction.h:
        * bytecode/Opcode.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):

2011-07-28  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=65325
        Performance tweak to parseInt

        Reviewed by Oliver Hunt.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncParseInt):
            - This change may an existing optimization redundant,
              cleanup from Darin's comments, plus fix existing bugs.

2011-07-28  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=65325
        Performance tweak to parseInt

        Reviewed by Oliver Hunt.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncParseInt):
            - parseInt applied to small positive numbers = floor.

2011-07-28  Dan Bernstein  <mitz@apple.com>

        Build fix.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForCallInternal):

2011-07-28  Kent Tamura  <tkent@chromium.org>

        Improve StringImpl::stripWhiteSpace() and simplifyWhiteSpace().
        https://bugs.webkit.org/show_bug.cgi?id=65300

        Reviewed by Darin Adler.

        r91837 had performance regression of StringImpl::stripWhiteSpace()
        and simplifyWhiteSpace(). This changes the code so that compilers
        generates code equivalent to r91836 or piror.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::stripMatchedCharacters):
        A template member function for stripWhiteSpace(). This function takes a functor.
        (WTF::UCharPredicate):
        A functor for generic predicate for single UChar argument.
        (WTF::SpaceOrNewlinePredicate):
        A special functor for isSpaceOrNewline().
        (WTF::StringImpl::stripWhiteSpace):
        Use stripmatchedCharacters().
        (WTF::StringImpl::simplifyMatchedCharactersToSpace):
        A template member function for simplifyWhiteSpace().
        (WTF::StringImpl::simplifyWhiteSpace):
        Use simplifyMatchedCharactersToSpace().
        * wtf/text/StringImpl.h:

2011-07-27  Dmitry Lomov  <dslomov@google.com>

        [chromium] Turn on WTF_MULTIPLE_THREADS.
        https://bugs.webkit.org/show_bug.cgi?id=61017
        The patch turns on WTF_MULTIPLE_THREADS in chromium and 
        pushes some relevant initializations from JSC::initializeThreading
        to WTF::initializeThreading.

        Reviewed by David Levin.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * wtf/FastMalloc.cpp:
        (WTF::isForbidden):
        (WTF::fastMallocForbid):
        (WTF::fastMallocAllow):
        * wtf/Platform.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):
        * wtf/ThreadingWin.cpp:
        (WTF::initializeThreading):
        * wtf/gtk/ThreadingGtk.cpp:
        (WTF::initializeThreading):
        * wtf/qt/ThreadingQt.cpp:
        (WTF::initializeThreading):

2011-07-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove operator new from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=64999

        Reviewed by Oliver Hunt.

        Removed the implementation of operator new in JSCell, so any further uses
        will not successfully link.  Also removed any remaining uses of operator new.

        * API/JSContextRef.cpp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::createExceptionScope):
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):

2011-07-27  Filip Pizlo  <fpizlo@apple.com>

        DFG graph has no notion of double prediction.
        https://bugs.webkit.org/show_bug.cgi?id=65234

        Reviewed by Gavin Barraclough.
        
        Added the notion of PredictDouble, and PredictNumber, which is the least
        upper bound of PredictInt32 and PredictDouble.  Least upper bound is
        defined as the bitwise-or of two predictions.  Bottom is defined as 0,
        and Top is defined as all bits being set.  Added the ability to explicitly
        distinguish between a node having had a prediction associated with it,
        and that prediction still being valid (i.e. no conflicting predictions
        have also been added).  Used this to guard the speculative JIT from
        speculating Int32 in cases where the graph knows that the value is
        double, which currently only happens for GetLocal nodes on arguments
        which were double at compile-time.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::isCellPrediction):
        (JSC::DFG::isArrayPrediction):
        (JSC::DFG::isInt32Prediction):
        (JSC::DFG::isDoublePrediction):
        (JSC::DFG::isNumberPrediction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isRegisterDataFormatDouble):

2011-07-27  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=65294
        DFG JIT - may speculate based on wrong arguments.

        Reviewed by Oliver Hunt

        In the case of a DFG compiled function calling to and compiling a second function that
        also compiles through the DFG JIT (i.e. compilation triggered with DFGOperations.cpp),
        we call compileFor passing the caller functions exec state, rather than the callee's.
        This may lead to mis-optimization, since the DFG compiler will example the exec state's
        arguments on the assumption that these will be passed to the callee - it is wanting the
        callee exec state, not the caller's exec state.

        Fixing this for all cases of compilation is tricksy, due to the way the numeric sort
        function is compiled, & the structure of the calls in the Interpreter::execute methods.
        Only fix for compilation from the JIT, in other calls don't speculate based on arguments
        for now.

        * dfg/DFGOperations.cpp:
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):
        (JSC::tryDFGCompileFunction):
        (JSC::FunctionExecutable::compileForCallInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileFor):

2011-07-27  Oliver Hunt  <oliver@apple.com>

        Handle callback oriented JSONP
        https://bugs.webkit.org/show_bug.cgi?id=65271

        Reviewed by Gavin Barraclough.

        Handle the callback oriented versions of JSONP.  The Literal parser
        now handles <Identifier> (. <Identifier>)* (jsonData).

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):
        (JSC::LiteralParser::Lexer::lex):
        * runtime/LiteralParser.h:

2011-07-27  Stephanie Lewis  <slewis@apple.com>

        Revert http://trac.webkit.org/changeset/90415.
        Caused a 5% sunspider regression in-browser.

        Unreviewed rollout.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/MarkStack.h:
        (JSC::MarkStack::MarkStack):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::releaseExecutableMemory):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::invalidateCode):
        * runtime/RegExp.h:

2011-07-27  Shinya Kawanaka  <shinyak@google.com>

        Added an interface to take IsWhiteSpaceFunctionPtr.
        https://bugs.webkit.org/show_bug.cgi?id=57746

        Reviewed by Kent Tamura.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::stripWhiteSpace):
          Added an interface to take IsWhiteSpaceFunctionPtr.
        (WTF::StringImpl::simplifyWhiteSpace): ditto.
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.cpp:
        (WTF::String::stripWhiteSpace): ditto.
        (WTF::String::simplifyWhiteSpace): ditto.
        * wtf/text/WTFString.h:

2011-07-27  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT speculation failure code performs incorrect conversions in
        the case where two registers need to be swapped.
        https://bugs.webkit.org/show_bug.cgi?id=65233

        Reviewed by Gavin Barraclough.
        
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::GeneralizedRegister::swapWith):

2011-07-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        reduce and reduceRight bind callback's this to null rather than undefined
        https://bugs.webkit.org/show_bug.cgi?id=62264

        Reviewed by Oliver Hunt.

        Fixed Array.prototype.reduce and Array.prototype.reduceRight so that they behave correctly
        when calling the callback function without an argument for this, which means it should 
        be undefined according to ES 15.4.4.21 and 15.4.4.22.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):

2011-07-26  Filip Pizlo  <fpizlo@apple.com>

        JSC command-line tool does not come with any facility for
        measuring time precisely.
        https://bugs.webkit.org/show_bug.cgi?id=65223

        Reviewed by Gavin Barraclough.
        
        Exposed WTF::currentTime() as currentTimePrecise().

        * jsc.cpp:
        (GlobalObject::GlobalObject):
        (functionPreciseTime):

2011-07-26  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT never emits inline double comparisons, even when it
        would be obvious more efficient to do so.
        https://bugs.webkit.org/show_bug.cgi?id=65212

        Reviewed by Gavin Barraclough.
        
        This handles the obvious case of inlining double comparisons: it only addresses
        the speculative JIT, and only for fused compare/branch sequences.  But it does
        handle the case where both operands are double (and there is no slow path),
        or where one operand is double and the other is unknown type (in which case it
        attempts to unbox the double, otherwise taking slow path).  This is an 0.8%
        speed-up on SunSpider.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isRegisterDataFormatDouble):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):

2011-07-26  Filip Pizlo  <fpizlo@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64969
        DFG JIT generates inefficient code for speculation failures.

        Reviewed by Gavin Barraclough.
        
        This implements a speculation failure strategy where (1) values spilled on
        non-speculative but not spilled on speculative are spilled, (2) values that
        are in registers on both paths are rearranged without ever touching memory,
        and (3) values spilled on speculative but not spilled on non-speculative are
        filled.
        
        The register shuffling is the most interesting part of this patch.  It
        constructs a permutation graph for registers.  Each node represents a
        register, and each directed edge corresponds to the register's value having
        to be moved to a different register as part of the shuffling.  This is a
        directed graph where each node may only have 0 or 1 incoming edges, and
        0 or 1 outgoing edges.  The algorithm then first finds maximal non-cyclic
        subgraphs where all nodes in the subgraph are reachable from a start node.
        Such subgraphs always resemble linked lists, and correspond to simply
        moving the value in the second-to-last register into the last register, and
        then moving the value in the third-to-last register into the second-to-last
        register, and so on.  Once these subgraphs are taken care of, the remaining
        subgraphs are cycles, and are handled using either (a) conversion or no-op
        if the cycle involves one node, (b) swap if it involves two nodes, or (c)
        a cyclic shuffle involving a scratch register if there are three or more
        nodes.
        
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::needDataFormatConversion):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::GeneralizedRegister::GeneralizedRegister):
        (JSC::DFG::GeneralizedRegister::createGPR):
        (JSC::DFG::GeneralizedRegister::createFPR):
        (JSC::DFG::GeneralizedRegister::dump):
        (JSC::DFG::GeneralizedRegister::findInSpeculationCheck):
        (JSC::DFG::GeneralizedRegister::findInEntryLocation):
        (JSC::DFG::GeneralizedRegister::previousDataFormat):
        (JSC::DFG::GeneralizedRegister::nextDataFormat):
        (JSC::DFG::GeneralizedRegister::convert):
        (JSC::DFG::GeneralizedRegister::moveTo):
        (JSC::DFG::GeneralizedRegister::swapWith):
        (JSC::DFG::ShuffledRegister::ShuffledRegister):
        (JSC::DFG::ShuffledRegister::isEndOfNonCyclingPermutation):
        (JSC::DFG::ShuffledRegister::handleNonCyclingPermutation):
        (JSC::DFG::ShuffledRegister::handleCyclingPermutation):
        (JSC::DFG::ShuffledRegister::lookup):
        (JSC::DFG::lookupForRegister):
        (JSC::DFG::NodeToRegisterMap::Tuple::Tuple):
        (JSC::DFG::NodeToRegisterMap::NodeToRegisterMap):
        (JSC::DFG::NodeToRegisterMap::set):
        (JSC::DFG::NodeToRegisterMap::end):
        (JSC::DFG::NodeToRegisterMap::find):
        (JSC::DFG::NodeToRegisterMap::clear):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::linkSpeculationChecks):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::EntryLocation::EntryLocation):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculationCheck::SpeculationCheck):
        * dfg/DFGSpeculativeJIT.h:

2011-07-26  Oliver Hunt  <oliver@apple.com>

        Buffer overflow creating error messages for JSON.parse
        https://bugs.webkit.org/show_bug.cgi?id=65211

        Reviewed by Darin Adler.

        Parse string length to the UString constructor.

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::parse):

2011-07-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor automatically generated JS DOM bindings to replace operator new with static create methods
        https://bugs.webkit.org/show_bug.cgi?id=64732

        Reviewed by Oliver Hunt.

        Replacing the public constructors in the automatically generated JS DOM bindings with static 
        create methods.  JSByteArray is used by several of these bindings in WebCore.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::create):
        * runtime/JSByteArray.h:

2011-07-26  Alexis Menard  <alexis.menard@openbossa.org>

        Unreviewed build fix for Qt/Linux.

        On platforms with no glib and gstreamer we should not build javascriptcore
        with the Glib support. This is related to http://trac.webkit.org/changeset/91752.

        * wtf/wtf.pri:

2011-07-26  Juan C. Montemayor  <jmont@apple.com>

        JSON errors should be informative
        https://bugs.webkit.org/show_bug.cgi?id=63339

        Added error messages to the JSON Parser.

        Reviewed by Oliver Hunt.

        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):
        (JSC::LiteralParser::Lexer::sawError):
        (JSC::LiteralParser::Lexer::getErrorMessage):

2011-07-26  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r91746.
        http://trac.webkit.org/changeset/91746
        https://bugs.webkit.org/show_bug.cgi?id=65180

        It broke SL build (Requested by Ossy on #webkit).

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::stripWhiteSpace):
        (WTF::StringImpl::simplifyWhiteSpace):
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.cpp:
        * wtf/text/WTFString.h:

2011-07-26  Alexis Menard  <alexis.menard@openbossa.org>

        Reviewed by Andreas Kling.

        [Qt] Change default backend to use GStreamer on Linux and QuickTime on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=63472

        Enable the bits needed for GStreamer only when QtMultimedia is not used.

        * wtf/wtf.pri:

2011-07-26  Shinya Kawanaka  <shinyak@google.com>

        Added an interface to take IsWhiteSpaceFunctionPtr.
        https://bugs.webkit.org/show_bug.cgi?id=57746

        Reviewed by Kent Tamura.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::stripWhiteSpace):
          Added an interface to take IsWhiteSpaceFunctionPtr.
        (WTF::StringImpl::simplifyWhiteSpace): ditto.
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.cpp:
        (WTF::String::stripWhiteSpace): ditto.
        (WTF::String::simplifyWhiteSpace): ditto.
        * wtf/text/WTFString.h:

2011-07-25  Filip Pizlo  <fpizlo@apple.com>

        DFG non-speculative JIT emits inefficient code for arithmetic
        involving two registers
        https://bugs.webkit.org/show_bug.cgi?id=65160

        Reviewed by Gavin Barraclough.
        
        The non-speculative JIT now emits inline code for double arithmetic, but
        still attempts integer arithmetic first.  This is a speed-up on SunSpider
        (albeit a small one), and a large speed-up on Kraken.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):

2011-07-25  Ryuan Choi  <ryuan.choi@samsung.com>

        [EFL] Build break with --debug after r89153.
        https://bugs.webkit.org/show_bug.cgi?id=65150

        Unreviewed build fix.

        * wtf/CMakeListsEfl.txt: Add missing libraries.

2011-07-25  Filip Pizlo  <fpizlo@apple.com>

        DFG non-speculative JIT emits obviously inefficient code for arithmetic
        where one operand is a constant.
        https://bugs.webkit.org/show_bug.cgi?id=65146

        Reviewed by Gavin Barraclough.
        
        Changed the code to emit double arithmetic inline.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):

2011-07-25  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT bytecode parser misuses pointers into objects allocated as part of a
        WTF::Vector.
        https://bugs.webkit.org/show_bug.cgi?id=65128

        Reviewed by Gavin Barraclough.
        
        The bytecode parser code seems to be right to have a DFGNode& phiNode reference
        into the graph, since this makes the code greatly more readable.  This patch
        thus makes the minimal change necessary to make the code right: it uses a
        pointer (to disambiguate between reloading the pointer and performing a
        copy from one location of the vector to another) and reloads it after the
        calls to addToGraph().

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processPhiStack):

2011-07-25  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r91686.
        http://trac.webkit.org/changeset/91686
        https://bugs.webkit.org/show_bug.cgi?id=65144

        1.5% regression in JSC (Requested by jmontemayor on #webkit).

        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:

2011-07-25  Jon Lee  <jonlee@apple.com>

        Assertion called in ExecutableBase::generatedJITCodeForCall() when JIT is not available
        https://bugs.webkit.org/show_bug.cgi?id=65132
        <rdar://problem/9836297>
        
        Reviewed by Oliver Hunt.
        
        Make sure the JIT is available to use before running the following calls:

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls): Added check, return early if JIT is not available.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addMethodCallLinkInfos): Added assertion.

2011-07-25  Juan C. Montemayor  <jmont@apple.com>

        JSON errors should be informative
        https://bugs.webkit.org/show_bug.cgi?id=63339

        Added error messages to the JSON Parser.

        Reviewed by Oliver Hunt.

        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):
        (JSC::LiteralParser::Lexer::sawError):
        (JSC::LiteralParser::Lexer::getErrorMessage):

2011-07-25  Filip Pizlo  <fpizlo@apple.com>

        X86-64 assembler emits three instructions instead of two for certain
        loads and stores.
        https://bugs.webkit.org/show_bug.cgi?id=65095

        Reviewed by Gavin Barraclough.
        
        Simply made these four methods in the assembler use the scratch register,
        which they were previously avoiding.  It still optimizes for the case where
        an absolute address memory accesses is using EAX.  This results in a slight
        performance improvement.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load32):
        (JSC::MacroAssemblerX86_64::store32):
        (JSC::MacroAssemblerX86_64::loadPtr):
        (JSC::MacroAssemblerX86_64::storePtr):

2011-07-25  Ryuan Choi  <ryuan.choi@samsung.com>

        [EFL] Implement EFL-specific current time and monotonicallyIncreasingTime.
        https://bugs.webkit.org/show_bug.cgi?id=64354

        Use ecore_time_unix_get which returns unix time as double type for currentTime
        and ecore_time_get which uses monotonic clock for monotonicallyIncreasingTime.

        Reviewed by Kent Tamura.

        * wtf/CurrentTime.cpp:
        (WTF::currentTime):
        (WTF::monotonicallyIncreasingTime):

2011-07-22  Sommer Panage  <panage@apple.com>

        Reviewed by Oliver Hunt.

        export JSContextCreateBacktrace as SPI in JSContextRefPrivate.h
        https://bugs.webkit.org/show_bug.cgi?id=64981

        UIAutomation for iOS would like to support a Javascript backtrace in our error logs.
        Currently, the C API does not provide the tools to do this. However, the private API
        does expose the necessary functionality to get a backtrace
        (via Interpreter::retrieveLastCaller). We recognize this information may result in
        failure in the cases of programs run by 'eval', stack frames beneath host function
        call frames, and in programs run from other programs. Thus, we propose exporting our
        JSContextCreateBacktrace in JSContextRefPrivate.h. This will provide us with the tools
        we need while not advertising an API that isn't really ready for full use.

        * API/JSContextRef.cpp:
        * API/JSContextRefPrivate.h:
        * JavaScriptCore.exp:


2011-07-22  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=65051
        DFG JIT - Enable by default for mac platform on x86-64.

        Rubber Stamped by Geoff Garen.

        This is now a performance progression.

        * wtf/Platform.h:
            - Removed definition of ENABLE_DFG_JIT_RESTRICTIONS.

2011-07-22  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=65047
        DFG JIT - Add support for op_resolve/op_resolve_base

        Reviewed by Sam Weinig.

        These are necessary for any significant eval code coverage
        (and as such increase LayoutTest coverage).

        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordResolve):
            - Conservatively blow aliasing optimizations for now.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
            - Add support for op_resolve/op_resolve_base.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::callOperation):
            - Add call with exec, identifer aguments.
        * dfg/DFGNode.h:
            - Add new node types.
        (JSC::DFG::Node::hasIdentifier):
            - Resolve nodes have identifiers, too!
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
            - Add generation for new Nodes.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
            - Added new operations.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - Add generation for new Nodes.

2011-07-22  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=65036
        Messing with the register allocation within flow control = badness.

        Reviewed by Sam Weinig.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
            - Fix register allocation.

2011-07-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        Date.prototype.toISOString doesn't handle negative years or years > 9999 correctly.
        https://bugs.webkit.org/show_bug.cgi?id=63986

        Reviewed by Geoffrey Garen.

        Changed the implementation of Date.prototype.toISOString() to use the extended year
        format (+/-yyyyyy) for years outside of [0,9999] to be in compliance with ES 15.9.1.15.1.

        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToISOString):

2011-07-21  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-07-21  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix after r91555.

        * JavaScriptCore.exp:

2011-07-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=19271
        eliminate PIC branches by changing NaN handling in JSValue::toNumber

        Reviewed by Sam Weinig.

        Moving the non-numeric cases out of line seems to be a consistent
        win on SunSpider for me, to the order of about 0.5%.

        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::toNumber):
            - Changed to only handle values that are already numbers, moce non-numeric cases out of line.
        * runtime/JSValue.cpp:
        (JSC::JSValue::toNumberSlowCase):
            - Added toNumberSlowCase, handling non-numeric cases.
        * runtime/JSValue.h:
            - Add declaration of toNumberSlowCase.

2011-07-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64875
        Use of `yield` keyword is broken

        Reviewed by Sam Weinig.

        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
            - The bug here is that a successful match of a RESERVED_IF_STRICT token from
              parseKeyword is being nullified back to IDENT. The problem is that in the
              case of IDENT matches parseKeyword should not move the lexer's input
              position, but in the case of RESERVED_IF_STRICT it has done so.

2011-07-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64900
        Function.prototype.apply should accept an array-like object as its second argument

        Reviewed by Sam Weinig.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncApply):
            - Remove the type error if object is not an array.

2011-07-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64964
        DFG JIT - Enable support for eval code

        Reviewed by Sam Weinig.

        This is basically the same as program code, to the JIT!

        * bytecode/Opcode.cpp:
        * bytecode/Opcode.h:
            - Enable opcodeNames in !NDEBUG builds.
        * dfg/DFGOperations.cpp:
            - Fix a bug exposed by eval support, throw correct type error for new.
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
            - Enable DFG JIT for eval code.

2011-07-20  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r91380.
        http://trac.webkit.org/changeset/91380
        https://bugs.webkit.org/show_bug.cgi?id=64924

        Caused assertion failures in Chromium's IndexedDB tests
        (Requested by rniwa on #webkit).

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::identifier):
        (WTF::ThreadIdentifierData::initialize):
        (WTF::ThreadIdentifierData::initializeKeyOnceHelper):
        (WTF::ThreadIdentifierData::initializeKeyOnce):
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):

2011-07-20  Filip Pizlo  <fpizlo@apple.com>

        DFG non-speculative JIT does not use() the aliased GetByVal,
        resulting in bloated use counts.
        https://bugs.webkit.org/show_bug.cgi?id=64911

        Reviewed by Gavin Barraclough.
        
        Inserted a call to use() for the aliased GetByVal.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):

2011-07-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64909
        DFG JIT - Missing ToInt32 conversions for double constants.

        Reviewed by Sam Weinig.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
            - We cannot trivially omit ToInt32 conversions on double constants.

2011-07-20  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT sometimes claims to use compare operands twice, leading to
        use count corruption.
        https://bugs.webkit.org/show_bug.cgi?id=64903

        Reviewed by Gavin Barraclough.
        
        Move the calls to use() in SpeculativeJIT::compare() so that they only happen
        if the JITCodeGenerator's helper method (which also calls use()) is not called.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):

2011-07-20  Oliver Hunt  <oliver@apple.com>

        Don't throw away code when JSGarbageCollect API is called
        https://bugs.webkit.org/show_bug.cgi?id=64894

        Reviewed by Sam Weinig.

        Just call collectAllGarbage.  That will clean up all unneeded
        code without causing any pathological recompilation problems.

        * API/JSBase.cpp:
        (JSGarbageCollect):

2011-07-20  Oliver Hunt  <oliver@apple.com>

        Codeblock doesn't visit cached structures in global resolve instructions
        https://bugs.webkit.org/show_bug.cgi?id=64889

        Reviewed by Sam Weinig.

        Visit the global resolve instructions.  This fixes a couple
        of random crashes seen in the jquery tests when using the
        interpreter.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2011-07-20  James Robinson  <jamesr@chromium.org>

        Revert worker and WebKit2 runloops to use currentTime() for scheduling instead of the monotonic clock
        https://bugs.webkit.org/show_bug.cgi?id=64841

        Reviewed by Mark Rowe.

        http://trac.webkit.org/changeset/91206 converted most of WebKit's deferred work scheduling to using the
        monotonic clock instead of WTF::currentTime().  This broke many plugin tests on WebKit2 for reasons that are
        unclear.  This reverts everything except for WebCore::ThreadTimers back to the previous behavior.

        * wtf/ThreadingPthreads.cpp:
        (WTF::ThreadCondition::timedWait):
        * wtf/ThreadingWin.cpp:
        (WTF::absoluteTimeToWaitTimeoutInterval):
        * wtf/gtk/ThreadingGtk.cpp:
        (WTF::ThreadCondition::timedWait):
        * wtf/qt/ThreadingQt.cpp:
        (WTF::ThreadCondition::timedWait):

2011-07-14  David Levin  <levin@chromium.org>

        currentThread is too slow!
        https://bugs.webkit.org/show_bug.cgi?id=64577

        Reviewed by Darin Adler and Dmitry Titov.

        The problem is that currentThread results in a pthread_once call which always takes a lock.
        With this change, currentThread is 10% faster than isMainThread in release mode and only
        5% slower than isMainThread in debug.

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff
        which is no longer needed because this is called from initializeThreading().
        (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
        intialization of the pthread key should already be done.
        (WTF::ThreadIdentifierData::initialize): Ditto.
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading): Acquire the pthread key here.

2011-07-20  Mark Rowe  <mrowe@apple.com>

        Fix the 32-bit build.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):

2011-07-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64678
        Fix bugs in Object.prototype this handling.

        Reviewed by Darin Adler.

        Fix ES5.1 correctness issues identified by Mads Ager.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
            - ES5.1 expects toString of undefined/null to produce "[object Undefined]"/"[object Null]".

2011-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        [JSC] WebKit allocates gigabytes of memory when doing repeated string concatenation
        https://bugs.webkit.org/show_bug.cgi?id=63918

        Reviewed by Darin Adler.

        When allocating JSStrings during concatenation, we needed to call the Heap's reportExtraMemoryCost
        method due to additional string copying within several of the constructors when dealing with 
        UStrings.  This has been added to the UString version of the appendStringInConstruct method 
        within the JSString class.

        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::appendStringInConstruct):

2011-07-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64679
        Fix bugs in Array.prototype this handling.

        Reviewed by Oliver Hunt.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
            - These methods should throw if this value is undefined.

2011-07-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64677
        Fix bugs in String.prototype this handling.

        Reviewed by Oliver Hunt.

        undefined/null this values should throw TypeErrors, not convert to
        the global object, and primitive values should not be converted via
        object types.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSplit):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::trimString):
            - These methods should throw if this value is undefined,
              convert ToString directly, not via ToObject.

2011-07-19  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT sometimes emits spill code even when the respective values
        are never needed.
        https://bugs.webkit.org/show_bug.cgi?id=64774

        Reviewed by Gavin Barraclough.
        
        The main high-level change is that it is now easier to call use() on a
        virtual register.  JSValueOperand and its other-typed relatives now have
        a handy use() method, and jsValueResult() and friends now make it easier to
        pass UseChildrenCalledExplicitly.
        
        The rest of this patch hoists the call to use() as high as possible for
        all of those cases where either flushRegisters() or silentSpillAllRegisters()
        may be called.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::use):
        (JSC::DFG::JITCodeGenerator::integerResult):
        (JSC::DFG::JITCodeGenerator::jsValueResult):
        (JSC::DFG::IntegerOperand::use):
        (JSC::DFG::DoubleOperand::use):
        (JSC::DFG::JSValueOperand::use):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::valueToInt32):
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateStrictInt32Operand::use):
        (JSC::DFG::SpeculateCellOperand::use):

2011-07-19  Xan Lopez  <xlopez@igalia.com>

        ARMv7 backend broken, lacks 3 parameter rshift32 method
        https://bugs.webkit.org/show_bug.cgi?id=64571

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::rshift32): add missing rshift32 method.

2011-07-18  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not optimize strict equality as effectively as the old JIT does.
        https://bugs.webkit.org/show_bug.cgi?id=64759

        Reviewed by Gavin Barraclough.
        
        This adds a more complete set of strict equality optimizations.  If either
        operand is known numeric, then the code reverts to the old style of optimizing
        (first try integer comparison).  Otherwise it uses the old JIT's trick of
        first simultaneously checking if both operands are either numbers or cells;
        if not then a fast path is taken.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64760
        DFG JIT - Should be able to compile program code.

        Reviewed by Geoff Garen.

        Add support for op_end, hooks to compile program code in Executable.cpp.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
            - Add support for op_end
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
            - Added, separate out steps of compileFunction.
        (JSC::DFG::JITCompiler::compile):
            - Added, compile program code.
        (JSC::DFG::JITCompiler::compileFunction):
            - Sections separated out to helper functions.
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::JITCompiler):
            - Added m_exceptionCheckCount.
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):
        (JSC::tryDFGCompileFunction):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
            - Renamed tryDFGCompile to tryDFGCompileFunction, added tryDFGCompile to compile program code.

2011-07-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64678
        Fix bugs in Object.prototype this handling.

        Reviewed by Oliver Hunt.

        undefined/null this values should throw TypeErrors, not convert to the global object,
        also, to toLocaleString should be calling the ToObject & invoking the object's toString
        function, even for values that are already strings.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):

2011-07-18  Filip Pizlo  <fpizlo@apple.com>

        JSC GC lazy sweep does not inline the common cases of cell destruction.
        https://bugs.webkit.org/show_bug.cgi?id=64745

        Reviewed by Oliver Hunt.
        
        This inlines the case of JSFinalObject destruction.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::lazySweep):

2011-07-18  Oliver Hunt  <oliver@apple.com>

        Interpreter build-fix

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-07-18  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not optimize equal-null comparisons and branches.
        https://bugs.webkit.org/show_bug.cgi?id=64659

        Reviewed by Gavin Barraclough.
        
        Added a peephole-aware compare-to-null implementation to JITCodeGenerator,
        which is used by both the speculative and non-speculative JIT.  Through
        the use of the new isNullConstant helper, the two JITs invoke the
        nonSpecualtiveCompareNull() helper instead of their regular comparison
        helpers when compiling CompareEq.  Through the use of the new isKnownCell
        helper, the compare-null code will skip the is-a-cell check if the
        speculative JIT had been speculating cell.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownCell):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::isNullConstant):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-18  James Robinson  <jamesr@chromium.org>

        Timer scheduling should be based off the monotonic clock
        https://bugs.webkit.org/show_bug.cgi?id=64544

        Reviewed by Darin Adler.

        Switches ThreadCondition::timedWait and related utility functions from currentTime() to
        monotonicallyIncreasingTime().

        Add WTF::monotonicallyIncreasingTime() to list of exported functions so it can be accessed from WebCore/WebKit.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/ThreadingPthreads.cpp:
        (WTF::ThreadCondition::timedWait):
        * wtf/ThreadingWin.cpp:
        (WTF::absoluteTimeToWaitTimeoutInterval):
        * wtf/gtk/ThreadingGtk.cpp:
        (WTF::ThreadCondition::timedWait):
        * wtf/qt/ThreadingQt.cpp:
        (WTF::ThreadCondition::timedWait):

2011-07-18  Filip Pizlo  <fpizlo@apple.com>

        JSC JIT does not inline GC allocation fast paths
        https://bugs.webkit.org/show_bug.cgi?id=64582

        Reviewed by Oliver Hunt.

        This addresses inlining allocation for the easiest-to-allocate cases:
        op_new_object and op_create_this.  Inlining GC allocation fast paths
        required three changes.  First, the JSGlobalData now saves the vtable
        pointer of JSFinalObject, since that's what op_new_object and
        op_create_this allocate.  Second, the Heap exposes a reference to
        the appropriate SizeClass, so that the JIT may inline accesses
        directly to the SizeClass for JSFinalObject allocations.  And third,
        the JIT is extended with code to emit inline fast paths for GC
        allocation.  A stub call is emitted in the case where the inline fast
        path fails.

        * heap/Heap.h:
        (JSC::Heap::sizeClassFor):
        (JSC::Heap::allocate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSFinalObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_create_this):
        (JSC::JIT::emitSlow_op_create_this):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs):
        * runtime/JSGlobalData.h:
        * runtime/JSObject.h:
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSObject::offsetOfInheritorID):

2011-07-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor JSC to replace JSCell::operator new with static create method
        https://bugs.webkit.org/show_bug.cgi?id=64466

        Reviewed by Oliver Hunt (oliver@apple.com) and Darin Adler (darin@apple.com).

        First step in a longer refactoring process to remove the use of
        operator new overloading in order to allocate GC objects and to replace
        this method with static create methods for each individual type of heap-allocated
        JS object.  This particular patch only deals with replacing uses of
        operator new within JSC proper.  Future patches will remove it from the
        parts that interface with the DOM.  Due to the DOM's continued dependence
        on it, operator new has not actually been removed from JSCell.

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::create):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::operator new):
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::staticFunctionGetter):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/JSContextRef.cpp:
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::createActivation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveArguments):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (GlobalObject::create):
        (GlobalObject::GlobalObject):
        (functionRun):
        (jscmain):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::createNoParameters):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSplice):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBoolean):
        (JSC::constructBooleanFromImmediateBoolean):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/Error.cpp:
        (JSC::createError):
        (JSC::createEvalError):
        (JSC::createRangeError):
        (JSC::createReferenceError):
        (JSC::createSyntaxError):
        (JSC::createTypeError):
        (JSC::createURIError):
        (JSC::StrictModeTypeErrorFunction::create):
        (JSC::createTypeErrorFunction):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        (JSC::ErrorInstance::create):
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::InterruptedExecutionError::create):
        (JSC::createInterruptedExecutionException):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        (JSC::TerminatedExecutionError::create):
        (JSC::createTerminatedExecutionException):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::create):
        (JSC::NativeExecutable::create):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::make):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::create):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::create):
        (JSC::jsAPIValueWrapper):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSCell.h:
        (JSC::JSCell::allocateCell):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::create):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        (JSC::putDescriptor):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::create):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSString.cpp:
        (JSC::JSString::substringFromRope):
        (JSC::JSString::replaceCharacter):
        (JSC::StringObject::create):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::create):
        (JSC::RopeBuilder::createHasOtherOwner):
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        * runtime/JSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::synthesizeObject):
        (JSC::JSValue::synthesizePrototype):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create):
        * runtime/NumberObject.cpp:
        (JSC::constructNumber):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        * runtime/Operations.h:
        (JSC::jsString):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::createWithoutCaching):
        (JSC::RegExp::create):
        * runtime/RegExp.h:
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::arrayOfMatches):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::create):
        (JSC::ScopeChainNode::push):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::createEmptyString):
        (JSC::SmallStrings::createSingleCharacterString):
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::createStructure):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):

2011-07-17  Ryuan Choi  <ryuan.choi@samsung.com>

        [EFL] Refactor scheduleDispatchFunctionsOnMainThread to fix crash.
        https://bugs.webkit.org/show_bug.cgi?id=64337

        Replace ecore_timer_add to Ecore_Pipe.
        This is needed because ecore_timer should not be called in a child thread,
        but in the main thread.

        Reviewed by Antonio Gomes.

        * wtf/efl/MainThreadEfl.cpp:
        (WTF::pipeObject):
        (WTF::monitorDispatchFunctions):
        (WTF::initializeMainThreadPlatform):
        (WTF::scheduleDispatchFunctionsOnMainThread):

2011-07-17  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT operationCompareEqual does not inline JSValue::equalSlowCaseInline.
        https://bugs.webkit.org/show_bug.cgi?id=64637

        Reviewed by Gavin Barraclough.

        * dfg/DFGOperations.cpp:

2011-07-16  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64657
        Converted this value not preserved when accessed via direct eval.

        Reviewed by Oliver Hunt.

        Upon entry into a non-strict function, primitive this values should be boxed as Object types
        (or substituted with the global object) - which is done by op_convert_this. However we only
        do so where this is used lexically within the function (we omit the conversion op if not).
        The problem comes if a direct eval (running within the function's scope) accesses the this
        value.

        We are safe in the case of a single eval, since the this object will be converted within
        callEval, however the converted value is not preserved, and a new wrapper object is allocated
        each time eval is invoked. This is inefficient and incorrect, since any changes to the wrapper
        object will be lost between eval statements.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
            - If a function uses eval, we always need to convert this.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
            - Don't convert primitive values here - this is too late!
        (JSC::Interpreter::privateExecute):
            - Changed op_convert_this to call new isPrimitive method.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Changed op_convert_this to call new isPrimitive method.
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::isPrimitive):
            - Added JSValue::isPrimitive.
        * runtime/JSValue.h:
            - Added JSValue::isPrimitive.

2011-07-16  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT compare/branch code emits is-integer tests even when a value is
        definitely not an integer.
        https://bugs.webkit.org/show_bug.cgi?id=64654

        Reviewed by Gavin Barraclough.
        
        Added the isKnownNotInteger() method, which returns true if a node is
        definitely not an integer and will always fail any is-integer test.  Then
        modified the compare and branch code to use this method; if it returns
        true then is-int tests are omitted and the compiler always emits a slow
        call.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):

2011-07-16  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT has dead code for slow calls for branches.
        https://bugs.webkit.org/show_bug.cgi?id=64653

        Reviewed by Gavin Barraclough.
        
        Removed SpeculativeJIT::compilePeepHoleCall.

        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:

2011-07-15  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * dfg/DFGGraph.h:

2011-07-15  Gavin Barraclough  <barraclough@apple.com>

        NativeError.prototype objects have [[Class]] of "Object" but should be "Error"
        https://bugs.webkit.org/show_bug.cgi?id=55346

        Reviewed by Sam Weinig.

        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
            - Switch to putDirect since we're not the only ones tranitioning this Structure now.
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        * runtime/NativeErrorPrototype.h:
            - Switch base class to ErrorPrototype.

2011-07-15  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT - Where arguments passed are integers, speculate this.
        https://bugs.webkit.org/show_bug.cgi?id=64630

        Reviewed by Sam Weinig.

        Presently the DFG JIT is overly aggressively predicting double.
        Use a bit of dynamic information, and curtail this a little.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
            - Check for integer arguments.
        * dfg/DFGGraph.h:
            - Function declaration.
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):
        (JSC::FunctionExecutable::compileForCallInternal):
            - Add call to predictArgumentTypes.

2011-07-15  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT is inconsistent about fusing branches and speculating
        integer comparisons for branches.
        https://bugs.webkit.org/show_bug.cgi?id=64573

        Reviewed by Gavin Barraclough.
        
        This patch moves some of NonSpeculativeJIT's functionality up into the
        JITCodeGenerator superclass so that it can be used from both JITs.  Now,
        in cases where the speculative JIT doesn't want to speculate but still
        wants to emit good code, it can reliably emit the same code sequence as
        the non-speculative JIT.  This patch also extends the non-speculative
        JIT's compare optimizations to include compare/branch fusing, and
        extends the speculative JIT's compare optimizations to cover StrictEqual.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::detectPeepHoleBranch):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * wtf/Platform.h:

2011-07-14  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64250
        Global strict mode function leaking global object as "this".

        Reviewed by Oliver Hunt.

        The root problem here is that we pass the wrong values into
        calls, and then try to fix them up in the callee. Correct
        behaviour per the spec is to pass in the value undefined,
        as this unless either (1) the function call is based on an
        explicit property access or (2) the base of the call comes
        directly from a 'with'.

        This change does away with the need for this conversion of
        objects (non strict code should only box primitives), and
        does away with all this conversion for strict functions.

        This patch may have web compatibility ramifications, and may
        require some advocacy.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecode/Opcode.h:
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitResolveWithThis):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecompiler/BytecodeGenerator.h:
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - Change NeedsThisConversion check to test for JSString's vptr
              (objects no longer need conversion).
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::resolveThisAndProperty):
            - Based on resolveBaseAndProperty, but produce correct this value.
        (JSC::Interpreter::privateExecute):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * interpreter/Interpreter.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve_with_this):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        (JSC::JIT::emit_op_convert_this):
        (JSC::JIT::emitSlow_op_convert_this):
            - Change NeedsThisConversion check to test for JSString's vptr
              (objects no longer need conversion).
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_with_this):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        (JSC::JIT::emit_op_convert_this):
        (JSC::JIT::emitSlow_op_convert_this):
            - Change NeedsThisConversion check to test for JSString's vptr
              (objects no longer need conversion).
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * jit/JITStubs.h:
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * runtime/JSActivation.h:
            - removed NeedsThisConversion flag, added IsEnvironmentRecord.
        * runtime/JSStaticScopeObject.h:
            - removed NeedsThisConversion flag, added IsEnvironmentRecord.
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
            - removed NeedsThisConversion.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isEnvironmentRecord):
        (JSC::TypeInfo::overridesHasInstance):
            - removed NeedsThisConversion flag, added IsEnvironmentRecord.
        * runtime/JSValue.h:
            - removed NeedsThisConversion.
        * runtime/JSVariableObject.h:
            - Corrected StructureFlags inheritance.
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
            - Added IsEnvironmentRecord to StructureFlags, addded createStructure.
        * runtime/Structure.h:
            - removed NeedsThisConversion.
        * tests/mozilla/ecma/String/15.5.4.6-2.js:
        (getTestCases):
            - Removed invalid test case.

2011-07-15  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r91082, r91087, and r91089.
        http://trac.webkit.org/changeset/91082
        http://trac.webkit.org/changeset/91087
        http://trac.webkit.org/changeset/91089
        https://bugs.webkit.org/show_bug.cgi?id=64616

        gtk tests are failing a lot after this change. (Requested by
        dave_levin on #webkit).

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::identifier):
        (WTF::ThreadIdentifierData::initialize):
        (WTF::ThreadIdentifierData::initializeKeyOnceHelper):
        (WTF::ThreadIdentifierData::initializeKeyOnce):
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):

2011-07-15  David Levin  <levin@chromium.org>

        Another attempted build fix.

        * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick
        up the definition of PTHREAD_KEYS_MAX.

2011-07-15  David Levin  <levin@chromium.org>

        Chromium build fix.

        * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick
        up the definition of PTHREAD_KEYS_MAX.

2011-07-14  David Levin  <levin@chromium.org>

        currentThread is too slow!
        https://bugs.webkit.org/show_bug.cgi?id=64577

        Reviewed by Darin Adler and Dmitry Titov.

        The problem is that currentThread results in a pthread_once call which always takes a lock.
        With this change, currentThread is 10% faster than isMainThread in release mode and only
        5% slower than isMainThread in debug.

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff
        which is no longer needed because this is called from initializeThreading().
        (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
        intialization of the pthread key should already be done.
        (WTF::ThreadIdentifierData::initialize): Ditto.
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading): Acquire the pthread key here.

2011-07-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not optimize Branch as well as it could.
        https://bugs.webkit.org/show_bug.cgi?id=64574

        Reviewed by Gavin Barraclough.
        
        This creates a common code path for emitting unfused branches, which does
        no speculation, and only performs a slow call if absolutely necessary.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitBranch):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-14  Filip Pizlo  <fpizlo@apple.com>

        GC allocation fast path has too many operations.
        https://bugs.webkit.org/show_bug.cgi?id=64493

        Reviewed by Darin Adler.
        
        Changed the timing of the lazy sweep so that it occurs when we land on
        a previously-unsweeped block, rather than whenever we land on an unsweeped
        cell.  After the per-block lazy sweep occurs, the block is turned into a
        singly linked list of free cells.  The allocation fast path is now just a
        load-branch-store to remove a cell from the head of the list.
        
        Additionally, this changes the way new blocks are allocated.  Previously,
        they would be populated with dummy cells.  With this patch, they are
        turned into a free list, which means that there will never be destructor
        calls for allocations in fresh blocks.
        
        These changes result in a 1.9% speed-up on V8, and a 0.6% speed-up on
        SunSpider.  There are no observed statistically significant slow-downs
        on any individual benchmark.

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock):
        (JSC::Heap::allocate):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::lazySweep):
        (JSC::MarkedBlock::blessNewBlockForFastPath):
        (JSC::MarkedBlock::blessNewBlockForSlowPath):
        (JSC::MarkedBlock::canonicalizeBlock):
        * heap/MarkedBlock.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::addBlock):
        (JSC::NewSpace::canonicalizeBlocks):
        * heap/NewSpace.h:
        (JSC::NewSpace::allocate):
        (JSC::NewSpace::SizeClass::SizeClass):
        (JSC::NewSpace::SizeClass::canonicalizeBlock):
        * heap/OldSpace.cpp:
        (JSC::OldSpace::addBlock):

2011-07-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT crashes on host constructor calls in debug mode.
        https://bugs.webkit.org/show_bug.cgi?id=64562
        
        Reviewed by Gavin Barraclough.
        
        Fixed the relevant ASSERT.

        * dfg/DFGOperations.cpp:

2011-07-14  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT contains a FIXME for rewinding speculative code generation that
        has already been fixed.
        https://bugs.webkit.org/show_bug.cgi?id=64022

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):

2011-07-14  Ryuan Choi  <ryuan.choi@samsung.com>

        [EFL] Add OwnPtr specialization for Ecore_Pipe.
        https://bugs.webkit.org/show_bug.cgi?id=64515

        Add an overload for deleteOwnedPtr(Ecore_Pipe*) on EFL port.

        Reviewed by Xan Lopez.

        * wtf/OwnPtrCommon.h:
        * wtf/efl/OwnPtrEfl.cpp:
        (WTF::deleteOwnedPtr):

2011-07-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT unnecessarily boxes and unboxes values during silent spilling.
        https://bugs.webkit.org/show_bug.cgi?id=64068

        Reviewed by Gavin Barraclough.
        
        Silent spilling and filling of registers is done during slow-path C
        function calls.  The silent spill/fill logic does not affect register
        allocation on paths that don't involve the C function call.
        
        This changes the silent spilling code to spill in unboxed form.  The
        silent fill will refill in whatever form the register was spilled in.
        For example, the silent spill code may choose not to spill the register
        because it was already spilled previously, which would imply that it
        was spilled in boxed form.  The filling code detects this and either
        unboxes, or not, depending on what is appropriate.
        
        This change also results in a simplification of the silent spill/fill
        API: silent spilling no longer needs to know about the set of registers
        that cannot be trampled, since it never does boxing and hence does not
        need a temporary register.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillFPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::valueToInt32):
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compare):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-13  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64202
        Enh: Improve handling of RegExp in the form of /.*blah.*/

        Reviewed by Gavin Barraclough.

        Added code to both the Yarr interpreter and JIT to handle
        these expressions a little differently.  First off, the terms
        in between the leading and trailing .*'s cannot capture and
        also this enhancement is limited to single alternative expressions.
        If an expression is of the right form with the aforementioned
        restrictions, we process the inner terms and then look for the
        beginning of the string and end of the string.  There is handling 
        for multiline expressions to allow the beginning and end to be 
        right after and right before newlines.

        This enhancement speeds up expressions of this type 12x on
        a MacBookPro.

        Cleaned up 'case' statement indentation.

        A new set of tests was added as LayoutTests/fast/regex/dotstar.html

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::InputStream::end):
        (JSC::Yarr::Interpreter::matchDotStarEnclosure):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::ByteCompiler::assertionDotStarEnclosure):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::DotStarEnclosure):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::backtrackDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
        (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        (JSC::Yarr::YarrPattern::compile):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternTerm::PatternTerm):

2011-07-13  Xan Lopez  <xlopez@igalia.com>

        [GTK] Fix distcheck

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am: add missing files.

2011-07-13  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not implement prototype chain or list caching for get_by_id.
        https://bugs.webkit.org/show_bug.cgi?id=64147

        Reviewed by Gavin Barraclough.
        
        This implements unified support for prototype caching, prototype chain
        caching, and polymorphic (i.e. list) prototype and prototype chain
        caching.  This is done by creating common code for emitting prototype
        or chain access stubs, and having it factored out into
        generateProtoChainAccessStub().  This function is called by
        tryCacheGetByID once the latter determines that some form of prototype
        access caching is necessary (i.e. the slot being accessed is not on the
        base value but on some other object).
        
        Direct prototype list, and prototype chain list, caching is implemented by
        linking the slow path to operationGetByIdProtoBuildList(), which uses the
        same helper function (generateProtoChainAccessStub()) as tryCacheGetByID.
        
        This change required ensuring that the value in the scratchGPR field in
        StructureStubInfo is preserved even after the stub info is in the
        chain, or proto_list, states.  Hence scratchGPR was moved out of the union
        and into the top-level of StructureStubInfo.
        
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitRestoreScratch):
        (JSC::DFG::linkRestoreScratch):
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::dfgBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGRepatch.h:

2011-07-12  Brent Fulgham  <bfulgham@webkit.org>

        Standardize WinCairo conditionalized code under PLATFORM macro.
        https://bugs.webkit.org/show_bug.cgi?id=64377

        Reviewed by Maciej Stachowiak.

        * wtf/Platform.h: Update to use PLATFORM(WIN_CAIRO) for tests.

2011-07-13  David Levin  <levin@chromium.org>

        Possible race condition in ThreadIdentifierData::initializeKeyOnce and shouldCallRealDebugger.
        https://bugs.webkit.org/show_bug.cgi?id=64465

        Reviewed by Dmitry Titov.

        There isn't a good way to test this as it is very highly unlikely to occur.

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::initializeKeyOnce): Since scoped static initialization
        isn't thread-safe, change the initialization to be global.

2011-07-12  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64424
        Our direct eval behaviour deviates slightly from the spec.

        Reviewed by Oliver Hunt.

        The ES5 spec defines a concept of 'Direct Call to Eval' (see section 15.1.2.1.1), where
        behaviour will differ from that of an indirect call (e.g. " { eval: window.eval }.eval();"
        or "var a = eval; a();" are indirect calls), particularly in non-strict scopes variables
        may be introduced into the caller's environment.

        ES5 direct calls are any call where the callee function is provided by a reference, a base
        of that Reference is an EnvironmentRecord (this corresponds to all productions
        "PrimaryExpression: Identifier", see 10.2.2.1 GetIdentifierReference), and where the name
        of the reference is "eval". This means any expression of the form "eval(...)", and that
        calls the standard built in eval method from on the Global Object, is considered to be
        direct.

        In JavaScriptCore we are currently overly restrictive. We also check that the
        EnvironmentRecord that is the base of the reference is the Declaractive Environment Record
        at the root of the scope chain, corresponding to the Global Object - an "eval(..)" statement
        that hits a var eval in a nested scope is not considered to be direct. This behaviour does
        not emanate from the spec, and is incorrect.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
            - Fixed direct eval check in op_call_eval.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Fixed direct eval check in op_call_eval.
        * runtime/Executable.h:
        (JSC::isHostFunction):
            - Added check for host function with specific NativeFunction.

2011-07-13  Ademar de Souza Reis Jr.  <ademar.reis@openbossa.org>

        Reviewed by Andreas Kling.

        Broken build on QNX
        https://bugs.webkit.org/show_bug.cgi?id=63717

        QNX doesn't support pthread's SA_RESTART (required by
        JSC_MULTIPLE_THREADS), JIT is broken at runtime and there a
        few minor compilation errors here and there.

        Original patch by Ritt Konstantin <ritt.ks@gmail.com>, also
        tested by him on QNX v6.5 (x86)

        * wtf/DateMath.cpp: fix usage of abs/labs
        * wtf/Platform.h: Disable JIT and JSC_MULTIPLE_THREADS
        * wtf/StackBounds.cpp: Add a couple of missing includes (and sort them)

2011-07-12  Anders Carlsson  <andersca@apple.com>

        If a compiler has nullptr support, include <cstddef> to get the nullptr_t definition
        https://bugs.webkit.org/show_bug.cgi?id=64429

        Include the cstddef which has the nullptr_t typedef according to the C++0x standard.

        * wtf/NullPtr.h:

2011-07-13  MORITA Hajime  <morrita@google.com>

        Refactoring: Ignored ExceptionCode value should be less annoying.
        https://bugs.webkit.org/show_bug.cgi?id=63688

        Added ASSERT_AT macro.

        Reviewed by Darin Adler.

        * wtf/Assertions.h:

2011-07-12  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not implement op_construct.
        https://bugs.webkit.org/show_bug.cgi?id=64066

        Reviewed by Gavin Barraclough.
        
        This is a fixed implementation of op_construct.  Constructor calls are implemented
        by reusing almost all of the code for Call, with care taken to make sure that
        where the are differences (like selecting different code blocks), those differences
        are respected.  The two fixes over the last patch are: (1) make sure the
        CodeBlock::unlinkCalls respects differences between Call and Construct, and (2)
        make sure that virtualFor() in DFGOperations respects the CodeSpecializationKind
        (either CodeForCall or CodeForConstruct) when invoking the compiler.

        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordConstruct):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls):

2011-07-12  Oliver Hunt  <oliver@apple.com>

        Overzealous type validation in method_check
        https://bugs.webkit.org/show_bug.cgi?id=64415

        Reviewed by Gavin Barraclough.

        method_check is essentially just a value look up
        optimisation, but it internally stores the value
        as a JSFunction, even though it never relies on
        this fact.  Under GC validation however we end up
        trying to enforce that assumption.  The fix is
        simply to store the value as a correct supertype.

        * bytecode/CodeBlock.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):
        (JSC::DFG::tryCacheGetMethod):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-07-12  Filip Pizlo  <fpizlo@apple.com>

        COLLECT_ON_EVERY_ALLOCATION no longer works.
        https://bugs.webkit.org/show_bug.cgi?id=64388

        Reviewed by Oliver Hunt.
        
        Added a flag to Heap that determines if it's safe to collect (which for now means that
        JSGlobalObject has actually been initialized, but it should work for other things, too).
        This allows JSGlobalObject to allocate even if the allocator wants to GC; instead of
        GCing it just grows the heap, if necessary.
        
        Then changed Heap::allocate() to not recurse ad infinitum when
        COLLECT_ON_EVERY_ALLOCATION is set.  This also makes the allocator generally more
        resilient against bugs; this change allowed me to put in handy assertions, such as that
        an allocation must succeed after either a collection or after a new block was added.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::tryAllocate):
        (JSC::Heap::allocate):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::notifyIsSafeToCollect):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2011-07-12  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT put_by_id transition caching does not inform the GC about the structure and
        prototype chain that it is referencing.
        https://bugs.webkit.org/show_bug.cgi?id=64387

        Reviewed by Gavin Barraclough.
        
        Fixed the relevant code in DFGRepatch to call StructureStubInfo::initPutByIdTransition().

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):

2011-07-12  Adam Roben  <aroben@apple.com>

        Ensure no intermediate WTF::Strings are created when concatenating with string literals

        Fixes <http://webkit.org/b/63330> Concatenating string literals and WTF::Strings using
        operator+ is suboptimal

        Reviewed by Darin Adler.

        * wtf/text/StringConcatenate.h:
        (WTF::StringTypeAdapter<String>::writeTo): Added a macro that can be used for testing how
        many WTF::Strings get copied while evaluating an operator+ expression.

        * wtf/text/StringOperators.h:
        (WTF::operator+): Changed the overload that takes a StringAppend to take it on the left-hand
        side, since operator+ is left-associative. Having the StringAppend on the right-hand side
        was causing us to make intermediate WTF::Strings when evaluating expressions that contained
        multiple calls to operator+. Added some more overloads for that take a left-hand side of
        const char* to resolve overload ambiguity for certain expressions. Added overloads that take
        a left-hand side of const UChar* (matching the const char* overloads) so that wide string
        literals don't first have to be converted to a WTF::String in operator+ expressions.

2011-07-12  Adam Roben  <aroben@apple.com>

        Unreviewed, rolling out r90811.
        http://trac.webkit.org/changeset/90811
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Several svg tests failing assertions beneath
        SVGSMILElement::findInstanceTime

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-07-12  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>

        Reviewed by Nikolas Zimmermann.

        Speed up SVGSMILElement::findInstanceTime.
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Add a new parameter to StdlibExtras.h::binarySerarch function
        to also handle cases when the array does not contain the key value.
        This is needed for an svg function.

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-07-11  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT does not guard itself against floating point speculation
        failures on non-floating-point constants.
        https://bugs.webkit.org/show_bug.cgi?id=64330

        Reviewed by Gavin Barraclough.
        
        Made fillSpeculateDouble immediate invoke terminateSpeculativeExecution() as
        soon as it notices that it's speculating on something that is a non-numeric
        JSConstant.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-07-11  Filip Pizlo  <fpizlo@apple.com>

        DFG Speculative JIT does not always insert speculation checks when speculating
        arrays.
        https://bugs.webkit.org/show_bug.cgi?id=64254

        Reviewed by Gavin Barraclough.
        
        Changed the SetLocal instruction to always validate that the value being stored
        into the local variable is an array, if that variable was marked PredictArray.
        This is necessary since uses of arrays assume that if a PredictArray value is
        in a local variable then the speculation check validating that the value is an
        array was already performed.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-11  Gabor Loki  <loki@webkit.org>

        Fix the condition of the optimized code in doubleTransfer
        https://bugs.webkit.org/show_bug.cgi?id=64261

        Reviewed by Zoltan Herczeg.

        The condition of the optimized code in doubleTransfer is wrong. The
        data transfer should be executed with four bytes aligned address.
        VFP cannot perform unaligned memory access.

        Reported by Jacob Bramley.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::doubleTransfer):

2011-07-11  Gabor Loki  <loki@webkit.org>

        Signed arithmetic bug in dataTransfer32.
        https://bugs.webkit.org/show_bug.cgi?id=64257

        Reviewed by Zoltan Herczeg.

        An arithmetic bug is fixed. If the offset of dataTransfer is half of the
        addressable memory space on a 32-bit machine (-2147483648 = 0x80000000)
        a load instruction is emitted with a wrong zero offset.

        Inspired by Jacob Bramley's patch from JaegerMonkey.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::dataTransfer32):

2011-07-09  Thouraya Andolsi  <thouraya.andolsi@st.com>

        Fix unaligned userspace access for SH4 platforms. 
        https://bugs.webkit.org/show_bug.cgi?id=62993

        * wtf/Platform.h:

2011-07-09  Chao-ying Fu  <fu@mips.com>

        Fix MIPS build due to readInt32 and readPointer
        https://bugs.webkit.org/show_bug.cgi?id=63962

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::readInt32):
        (JSC::MIPSAssembler::readPointer):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::rshift32):

2011-07-08  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64181
        REGRESSION (r90602): Gmail doesn't load

        Rolling out r90601, r90602.

        * dfg/DFGAliasTracker.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::dfgLinkCall):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSObject.h:
        (JSC::JSObject::isUsingInlineStorage):

2011-07-08  Kalev Lember  <kalev@smartlink.ee>

        Reviewed by Adam Roben.

        Add missing _WIN32_WINNT and WINVER definitions
        https://bugs.webkit.org/show_bug.cgi?id=59702

        Moved _WIN32_WINNT and WINVER definitions to config.h so that they are
        available for all source files.

        In particular, wtf/FastMalloc.cpp uses CreateTimerQueueTimer and
        DeleteTimerQueueTimer which are both guarded by
        #if (_WIN32_WINNT >= 0x0500)
        in MinGW headers.

        * config.h:
        * wtf/Assertions.cpp:

2011-07-08  Chang Shu  <cshu@webkit.org>

        Rename "makeSecure" to "fill" and remove the support for displaying last character
        to avoid layering violatation.
        https://bugs.webkit.org/show_bug.cgi?id=59114

        Reviewed by Alexey Proskuryakov.

        * JavaScriptCore.exp:
        * JavaScriptCore.order:
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::fill):
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.h:
        (WTF::String::fill):

2011-07-08  Benjamin Poulain  <benjamin@webkit.org>

        [WK2] Do not forward touch events to the web process when it does not need them
        https://bugs.webkit.org/show_bug.cgi?id=64164

        Reviewed by Kenneth Rohde Christiansen.

        Add a convenience function to obtain a reference to the last element of a Deque.

        * wtf/Deque.h:
        (WTF::Deque::last):

2011-07-07  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not implement op_construct.
        https://bugs.webkit.org/show_bug.cgi?id=64066

        Reviewed by Gavin Barraclough.

        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordConstruct):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-07  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not implement get_by_id prototype caching.
        https://bugs.webkit.org/show_bug.cgi?id=64077

        Reviewed by Gavin Barraclough.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitRestoreScratch):
        (JSC::DFG::linkRestoreScratch):
        (JSC::DFG::tryCacheGetByID):
        * runtime/JSObject.h:
        (JSC::JSObject::addressOfPropertyAtOffset):

2011-07-07  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT method_check implementation does not link to optimized get_by_id
        slow path.
        https://bugs.webkit.org/show_bug.cgi?id=64073

        Reviewed by Gavin Barraclough.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):

2011-07-07  Oliver Hunt  <oliver@apple.com>

        Encode jump and link sizes into the appropriate enums
        https://bugs.webkit.org/show_bug.cgi?id=64123

        Reviewed by Sam Weinig.

        Finally kill off the out of line jump and link size arrays, 
        so we can avoid icky loads and constant fold the linking arithmetic.

        * assembler/ARMv7Assembler.cpp:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::jumpSizeDelta):
        (JSC::ARMv7Assembler::computeJumpType):

2011-07-06  Juan C. Montemayor  <jmont@apple.com>

        ASSERT_NOT_REACHED running test 262
        https://bugs.webkit.org/show_bug.cgi?id=63951
        
        Added a case to the switch statement where the code was failing. Fixed
        some logic as well that gave faulty error messages.

        Reviewed by Gavin Barraclough.

        * parser/JSParser.cpp:
        (JSC::JSParser::getTokenName):
        (JSC::JSParser::updateErrorMessageSpecialCase):
        (JSC::JSParser::updateErrorMessage):

2011-07-06  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT implementation of op_call results in regressions on sunspider
        controlflow-recursive.
        https://bugs.webkit.org/show_bug.cgi?id=64039

        Reviewed by Gavin Barraclough.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isInteger):

2011-07-06  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not support method_check
        https://bugs.webkit.org/show_bug.cgi?id=63972

        Reviewed by Gavin Barraclough.

        * assembler/CodeLocation.h:
        (JSC::CodeLocationPossiblyNearCall::CodeLocationPossiblyNearCall):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
        (JSC::MethodCallLinkInfo::seenOnce):
        (JSC::MethodCallLinkInfo::setSeen):
        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordGetMethod):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addMethodGet):
        (JSC::DFG::JITCompiler::MethodGetRecord::MethodGetRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):
        (JSC::DFG::tryCacheGetMethod):
        (JSC::DFG::dfgRepatchGetMethod):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrier::set):

2011-07-06  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT op_call implementation will flush registers even when those registers are dead
        https://bugs.webkit.org/show_bug.cgi?id=64023

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::integerResult):
        (JSC::DFG::JITCodeGenerator::noResult):
        (JSC::DFG::JITCodeGenerator::cellResult):
        (JSC::DFG::JITCodeGenerator::jsValueResult):
        (JSC::DFG::JITCodeGenerator::doubleResult):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-06  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT may crash when speculating int on a non-int JSConstant.
        https://bugs.webkit.org/show_bug.cgi?id=64017

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-06  Dmitriy Vyukov  <dvyukov@google.com>

        Reviewed by David Levin.

        Allow substitution of dynamic annotations and prevent identical code folding by the linker.
        https://bugs.webkit.org/show_bug.cgi?id=62443

        * wtf/DynamicAnnotations.cpp:
        (WTFAnnotateBenignRaceSized):
        (WTFAnnotateHappensBefore):
        (WTFAnnotateHappensAfter):

2011-07-06  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>

        Calls on 32 bit machines are failed after r90423
        https://bugs.webkit.org/show_bug.cgi?id=63980

        Reviewed by Gavin Barraclough.

        Copy the necessary lines from JITCall.cpp.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2011-07-05  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT virtual call implementation is inefficient.
        https://bugs.webkit.org/show_bug.cgi?id=63974

        Reviewed by Gavin Barraclough.

        * dfg/DFGOperations.cpp:
        * runtime/Executable.h:
        (JSC::ExecutableBase::generatedJITCodeForCallWithArityCheck):
        (JSC::ExecutableBase::generatedJITCodeForConstructWithArityCheck):
        (JSC::ExecutableBase::generatedJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::hasJITCodeForCall):
        (JSC::ExecutableBase::hasJITCodeForConstruct):
        (JSC::ExecutableBase::hasJITCodeFor):
        * runtime/JSFunction.h:
        (JSC::JSFunction::scopeUnchecked):

2011-07-05  Oliver Hunt  <oliver@apple.com>

        Force inlining of simple functions that show up as not being inlined
        https://bugs.webkit.org/show_bug.cgi?id=63964

        Reviewed by Gavin Barraclough.

        Looking at profile data indicates the gcc is failing to inline a
        number of trivial functions.  This patch hits the ones that show
        up in profiles with the ALWAYS_INLINE hammer.

        We also replace the memcpy() call in linking with a manual loop.
        Apparently memcpy() is almost never faster than an inlined loop.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::add):
        (JSC::ARMv7Assembler::add_S):
        (JSC::ARMv7Assembler::ARM_and):
        (JSC::ARMv7Assembler::asr):
        (JSC::ARMv7Assembler::b):
        (JSC::ARMv7Assembler::blx):
        (JSC::ARMv7Assembler::bx):
        (JSC::ARMv7Assembler::clz):
        (JSC::ARMv7Assembler::cmn):
        (JSC::ARMv7Assembler::cmp):
        (JSC::ARMv7Assembler::eor):
        (JSC::ARMv7Assembler::it):
        (JSC::ARMv7Assembler::ldr):
        (JSC::ARMv7Assembler::ldrCompact):
        (JSC::ARMv7Assembler::ldrh):
        (JSC::ARMv7Assembler::ldrb):
        (JSC::ARMv7Assembler::lsl):
        (JSC::ARMv7Assembler::lsr):
        (JSC::ARMv7Assembler::movT3):
        (JSC::ARMv7Assembler::mov):
        (JSC::ARMv7Assembler::movt):
        (JSC::ARMv7Assembler::mvn):
        (JSC::ARMv7Assembler::neg):
        (JSC::ARMv7Assembler::orr):
        (JSC::ARMv7Assembler::orr_S):
        (JSC::ARMv7Assembler::ror):
        (JSC::ARMv7Assembler::smull):
        (JSC::ARMv7Assembler::str):
        (JSC::ARMv7Assembler::sub):
        (JSC::ARMv7Assembler::sub_S):
        (JSC::ARMv7Assembler::tst):
        (JSC::ARMv7Assembler::linkRecordSourceComparator):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Reg3Imm8):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Imm5Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Reg3Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8Imm8):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8RegReg143):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp9Imm7):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp10Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4FourFours):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16FourFours):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16Op16):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp5i6Imm4Reg4EncodedImm):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4Reg4Imm12):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpOp):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpMemOp):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::linkCode):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::ret):
        (JSC::MacroAssemblerARMv7::moveWithPatch):
        (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::storePtrWithPatch):
        (JSC::MacroAssemblerARMv7::tailRecursiveCall):
        (JSC::MacroAssemblerARMv7::makeTailRecursiveCall):
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::makeBranch):

2011-07-05  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>

        Make "Add optimised paths for a few maths functions" work on Qt
        https://bugs.webkit.org/show_bug.cgi?id=63893

        Reviewed by Oliver Hunt.

        Move the generated code to the .text section instead of .data section.
        Fix alignment for the 32 bit thunk code.

        * jit/ThunkGenerators.cpp:

2011-07-05  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not implement op_call.
        https://bugs.webkit.org/show_bug.cgi?id=63858

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setNumberOfCallLinkInfos):
        (JSC::CodeBlock::numberOfCallLinkInfos):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::lookupGetByVal):
        (JSC::DFG::AliasTracker::recordCall):
        (JSC::DFG::AliasTracker::equalIgnoringLaterNumericConversion):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::predictInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::allocateVirtualRegisters):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::opName):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::refChildren):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::useChildren):
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::addressOfCallData):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallRecord::CallRecord):
        (JSC::DFG::JITCompiler::notifyCall):
        (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compare):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkCall):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkCall):
        (JSC::JIT::linkConstruct):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCode.h:
        (JSC::JITCode::JITCode):
        (JSC::JITCode::jitType):
        (JSC::JITCode::HostFunction):
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.h:

2011-07-05  Oliver Hunt  <oliver@apple.com>

        Initialize new MarkStack member

        * heap/MarkStack.h:
        (JSC::MarkStack::MarkStack):

2011-07-05  Oliver Hunt  <oliver@apple.com>

        Don't throw out compiled code repeatedly
        https://bugs.webkit.org/show_bug.cgi?id=63960

        Reviewed by Gavin Barraclough.

        Stop throwing away all compiled code every time
        we're told to do a full GC.  Instead unlink all
        callsites during such GC passes to maximise the
        number of collectable functions, but otherwise
        leave compiled functions alone.

        * API/JSBase.cpp:
        (JSGarbageCollect):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/MarkStack.h:
        (JSC::MarkStack::shouldUnlinkCalls):
        (JSC::MarkStack::setShouldUnlinkCalls):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::invalidateCode):
        * runtime/RegExp.h:

2011-07-05  Filip Pizlo  <fpizlo@apple.com>

        JSC JIT has code duplication for the handling of call and construct
        https://bugs.webkit.org/show_bug.cgi?id=63957

        Reviewed by Gavin Barraclough.

        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        * jit/JIT.h:
        * jit/JITStubs.cpp:
        (JSC::jitCompileFor):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::arityCheckFor):
        (JSC::lazyLinkFor):
        * runtime/Executable.h:
        (JSC::ExecutableBase::generatedJITCodeFor):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::isGeneratedFor):
        (JSC::FunctionExecutable::generatedBytecodeFor):
        (JSC::FunctionExecutable::generatedJITCodeWithArityCheckFor):

2011-07-05  Gavin Barraclough  <barraclough@apple.com>

        Build fix following last patch.

        * runtime/JSFunction.cpp:
        (JSC::createPrototypeProperty):

2011-07-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63947
        ASSERT running Object.preventExtensions(Math.sin)

        Reviewed by Oliver Hunt.

        This is due to calling scope() on a hostFunction as a part of
        calling createPrototypeProperty to reify the prototype property.
        But host functions don't have a prototype property anyway!

        Prevent callling createPrototypeProperty on a host function.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createPrototypeProperty):
        (JSC::JSFunction::preventExtensions):

2011-07-04  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63880
        Evaluation order of conversions of operands to >, >= incorrect.

        Reviewed by Sam Weinig.

        Add 'leftFirst' parameter to jsLess, jsLessEq matching that described in the ES5
        spec. This allows these methods to be reused to perform >, >= relational compares
        with correct ordering of type conversions.

        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Operations.h:
        (JSC::jsLess):
        (JSC::jsLessEq):

2011-07-04  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=16652
        Firefox and JavaScriptCore differ in Number.toString(integer)

        Our arbitrary radix (2..36) toString conversion is inaccurate.
        This is partly because it uses doubles to perform math that requires
        higher accuracy, and partly becasue it does not attempt to correctly
        detect where to terminate, instead relying on a simple 'epsilon'.

        * runtime/NumberPrototype.cpp:
        (JSC::decomposeDouble):
            - helper function to extract sign, exponent, mantissa from IEEE doubles.
        (JSC::Uint16WithFraction::Uint16WithFraction):
            - helper class, u16int with infinite precision fraction, used to convert
              the fractional part of the number to a string.
        (JSC::Uint16WithFraction::operator*=):
            - Multiply by a uint16.
        (JSC::Uint16WithFraction::operator<):
            - Compare two Uint16WithFractions.
        (JSC::Uint16WithFraction::floorAndSubtract):
            - Extract the integer portion of the number, and subtract it (clears the integer portion).
        (JSC::Uint16WithFraction::comparePoint5):
            - Compare to 0.5.
        (JSC::Uint16WithFraction::sumGreaterThanOne):
            - Passed a second Uint16WithFraction, returns true if the result of adding
              the two values would be greater than one.
        (JSC::Uint16WithFraction::isNormalized):
            - Used by ASSERTs to consistency check internal representation.
        (JSC::BigInteger::BigInteger):
            - helper class, unbounded integer value, used to convert the integer part
              of the number to a string.
        (JSC::BigInteger::divide):
            - Divide this value through by a uint32.
        (JSC::BigInteger::operator!):
            - test for zero.
        (JSC::toStringWithRadix):
            - Performs number to string conversion, with the given radix (2..36).
        (JSC::numberProtoFuncToString):
            - Changed to use toStringWithRadix.

2011-07-04  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63881
        Need separate bytecodes for handling >, >= comparisons.

        Reviewed by Oliver Hunt.

        This clears the way to fix Bug#63880. We currently handle greater-than comparisons
        as being using the corresponding op_less, etc opcodes.  This is incorrect with
        respect to evaluation ordering of the implicit conversions performed on operands -
        we should be calling ToPrimitive on the LHS and RHS operands to the greater than,
        but instead convert RHS then LHS.

        This patch adds opcodes for greater-than comparisons mirroring existing ones used
        for less-than.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compare):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_if_greater):
        (JSC::JIT::emitSlow_op_loop_if_greater):
        (JSC::JIT::emit_op_loop_if_greatereq):
        (JSC::JIT::emitSlow_op_loop_if_greatereq):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_jgreater):
        (JSC::JIT::emit_op_jgreatereq):
        (JSC::JIT::emit_op_jngreater):
        (JSC::JIT::emit_op_jngreatereq):
        (JSC::JIT::emitSlow_op_jgreater):
        (JSC::JIT::emitSlow_op_jgreatereq):
        (JSC::JIT::emitSlow_op_jngreater):
        (JSC::JIT::emitSlow_op_jngreatereq):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * parser/NodeConstructors.h:
        (JSC::GreaterNode::GreaterNode):
        (JSC::GreaterEqNode::GreaterEqNode):
        * parser/Nodes.h:

2011-07-03  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63879
        Reduce code duplication for op_jless, op_jlesseq, op_jnless, op_jnlesseq.

        Reviewed by Sam Weinig.
        
        There is a lot of copy & paste code here; we can reduce duplication by making
        a shared implementation.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::branch32):
        (JSC::MacroAssembler::commute):
            - Make these function platform agnostic.
        * assembler/MacroAssemblerX86Common.h:
            - Moved branch32/commute up to MacroAssembler.
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_if_lesseq):
        (JSC::JIT::emitSlow_op_loop_if_lesseq):
            - Add an implementation matching that for op_loop_if_less, which just calls op_jless.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_jless):
        (JSC::JIT::emit_op_jlesseq):
        (JSC::JIT::emit_op_jnless):
        (JSC::JIT::emit_op_jnlesseq):
        (JSC::JIT::emitSlow_op_jless):
        (JSC::JIT::emitSlow_op_jlesseq):
        (JSC::JIT::emitSlow_op_jnless):
        (JSC::JIT::emitSlow_op_jnlesseq):
            - Common implmentations of these methods for JSVALUE64 & JSVALUE32_64.
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
            - Internal implmementation of jless etc for JSVALUE64.
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
            - Internal implmementation of jless etc for JSVALUE32_64.
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
            - Remove old implementation of emit_op_loop_if_lesseq.

2011-07-03  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r90347.
        http://trac.webkit.org/changeset/90347
        https://bugs.webkit.org/show_bug.cgi?id=63886

        Build breaks on Leopard, Chromium-win, WinCairo, and WinCE.
        (Requested by tkent on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/BigInteger.h: Removed.
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/Uint16WithFraction.h: Removed.
        * wtf/MathExtras.h:

2011-06-30  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=16652
        Firefox and JavaScriptCore differ in Number.toString(integer)

        Our arbitrary radix (2..36) toString conversion is inaccurate.
        This is partly because it uses doubles to perform math that requires
        higher accuracy, and partly becasue it does not attempt to correctly
        detect where to terminate, instead relying on a simple 'epsilon'.

        * runtime/NumberPrototype.cpp:
        (JSC::decomposeDouble):
            - helper function to extract sign, exponent, mantissa from IEEE doubles.
        (JSC::Uint16WithFraction::Uint16WithFraction):
            - helper class, u16int with infinite precision fraction, used to convert
              the fractional part of the number to a string.
        (JSC::Uint16WithFraction::operator*=):
            - Multiply by a uint16.
        (JSC::Uint16WithFraction::operator<):
            - Compare two Uint16WithFractions.
        (JSC::Uint16WithFraction::floorAndSubtract):
            - Extract the integer portion of the number, and subtract it (clears the integer portion).
        (JSC::Uint16WithFraction::comparePoint5):
            - Compare to 0.5.
        (JSC::Uint16WithFraction::sumGreaterThanOne):
            - Passed a second Uint16WithFraction, returns true if the result of adding
              the two values would be greater than one.
        (JSC::Uint16WithFraction::isNormalized):
            - Used by ASSERTs to consistency check internal representation.
        (JSC::BigInteger::BigInteger):
            - helper class, unbounded integer value, used to convert the integer part
              of the number to a string.
        (JSC::BigInteger::divide):
            - Divide this value through by a uint32.
        (JSC::BigInteger::operator!):
            - test for zero.
        (JSC::toStringWithRadix):
            - Performs number to string conversion, with the given radix (2..36).
        (JSC::numberProtoFuncToString):
            - Changed to use toStringWithRadix.

2011-07-02  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63866
        DFG JIT - implement instanceof

        Reviewed by Sam Weinig.

        Add ops CheckHasInstance & InstanceOf to implement bytecodes
        op_check_has_instance & op_instanceof. This is an initial
        functional implementation, performance is a wash. We can
        follow up with changes to fuse the InstanceOf node with
        a subsequant branch, as we do with other comparisons.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-01  Oliver Hunt  <oliver@apple.com>

        IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
        https://bugs.webkit.org/show_bug.cgi?id=63732

        Reviewed by Gavin Barraclough.

        Initialise the memory at the head of the new storage so that
        GC is safe if triggered by reportExtraMemoryCost.

        * runtime/JSArray.cpp:
        (JSC::JSArray::increaseVectorPrefixLength):

2011-07-01  Oliver Hunt  <oliver@apple.com>

        GC sweep can occur before an object is completely initialised
        https://bugs.webkit.org/show_bug.cgi?id=63836

        Reviewed by Gavin Barraclough.

        In rare cases it's possible for a GC sweep to occur while a
        live, but not completely initialised object is on the stack.
        In such a case we may incorrectly choose to mark it, even
        though it has no children that need marking.

        We resolve this by always zeroing out the structure of any
        value returned from JSCell::operator new(), and making the
        markstack tolerant of a null structure. 

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::~JSCell):
        (JSC::JSCell::JSCell::operator new):
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):

2011-07-01  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT always performs slow C calls for div and mod.
        https://bugs.webkit.org/show_bug.cgi?id=63684

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):

2011-07-01  Juan C. Montemayor  <jmont@apple.com>

        Reviewed by Oliver Hunt.

        Lexer error messages are currently appalling
        https://bugs.webkit.org/show_bug.cgi?id=63340

        Added error messages for the Lexer. These messages will be displayed
        instead of the lexer error messages from the parser that are currently
        shown.

        * parser/Lexer.cpp:
        (JSC::Lexer::getInvalidCharMessage):
        (JSC::Lexer::setCode):
        (JSC::Lexer::parseString):
        (JSC::Lexer::lex):
        (JSC::Lexer::clear):
        * parser/Lexer.h:
        (JSC::Lexer::getErrorMessage):
        (JSC::Lexer::setOffset):
        * parser/Parser.cpp:
        (JSC::Parser::parse):

2011-07-01  Jungshik Shin  <jshin@chromium.org>

        Reviewed by Alexey Proskuryakov.

        Add ScriptCodesFromICU.h to wtf/unicode and make necessary changes in
        build files for ports not using ICU.
        Add icu/unicode/uscript.h for ports using ICU. It's taken from 
        ICU 3.6 (the version used on Mac OS 10.5)

        http://bugs.webkit.org/show_bug.cgi?id=20797

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * icu/unicode/uscript.h: Added for UScriptCode enum.
        * wtf/unicode/ScriptCodesFromICU.h: UScriptCode enum added.
        * wtf/unicode/icu/UnicodeIcu.h:
        * wtf/unicode/brew/UnicodeBrew.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:

2011-07-01  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=63819
        Escaping of forwardslashes in strings incorrect if multiple exist.

        The bug is in the parameters passed to a substring - should be
        start & length, but we're passing start & end indices!

        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSource):

2011-07-01  Adam Roben  <aroben@apple.com>

        Roll out r90194
        http://trac.webkit.org/changeset/90194
        https://bugs.webkit.org/show_bug.cgi?id=63778

        Fixes <http://webkit.org/b/63812> REGRESSION (r90194): Multiple tests intermittently failing
        assertions in WriteBarrierBase<JSC::Structure>::get

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::~JSCell):

2011-06-30  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Add optimised paths for a few maths functions
        https://bugs.webkit.org/show_bug.cgi?id=63757

        Relanding as a Mac only patch.

        This adds specialised thunks for Math.abs, Math.round, Math.ceil,
        Math.floor, Math.log, and Math.exp as they are apparently more
        important in real web content than we thought, which is somewhat
        mind-boggling.  On average doubles the performance of the common
        cases (eg. actually passing numbers in).  They're not as efficient
        as they could be, but this way gives them the most portability.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsDoubleBitops):
        (JSC::MacroAssemblerARM::andnotDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
        (JSC::MacroAssemblerARMv7::andnotDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::andnotDouble):
        (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsDoubleBitops):
        (JSC::MacroAssemblerSH4::andnotDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::supportsDoubleBitops):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::andnotDouble):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andnpd_rr):
        * create_hash_table:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        * jit/ThunkGenerators.h:

2011-07-01  David Kilzer  <ddkilzer@apple.com>

        <http://webkit.org/b/63814> Fix clang build error in JITOpcodes32_64.cpp

        Fixes the following build error in clang:

            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:9-741:35}: error: operator '?:' has lower precedence than '+'; '+' will be evaluated first [-Werror,-Wparentheses,3]
                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                     ~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36: note: place parentheses around the '+' expression to silence this warning [3]
                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                                                ^
                     (                         )
            fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:9-741:9}:"("
            fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:35-741:35}:")"
            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:28-741:94}: note: place parentheses around the '?:' expression to evaluate it first [3]
                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                                        ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            1 error generated.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_global): Add parenthesis to make the
        tertiary expression evaluate first.

2011-07-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r90177 and r90179.
        http://trac.webkit.org/changeset/90177
        http://trac.webkit.org/changeset/90179
        https://bugs.webkit.org/show_bug.cgi?id=63790

        It caused crashes on Qt in debug mode (Requested by Ossy on
        #webkit).

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARM::sqrtDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARMv7::sqrtDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::sqrtDouble):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointSqrt):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::sqrtDouble):
        * assembler/MacroAssemblerX86.h:
        * assembler/MacroAssemblerX86Common.h:
        * assembler/MacroAssemblerX86_64.h:
        * assembler/X86Assembler.h:
        * create_hash_table:
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadDouble):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        * jit/ThunkGenerators.h:

2011-06-30  Oliver Hunt  <oliver@apple.com>

        Reviewed by Beth Dakin.

        Make GC validation clear cell structure on destruction
        https://bugs.webkit.org/show_bug.cgi?id=63778

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::~JSCell):

2011-06-30  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Gavin Barraclough.

        Added write barrier that was missing from put_by_id_transition
        https://bugs.webkit.org/show_bug.cgi?id=63775

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier): Made this static with a
        MacroAssembler& argument so our patching functions could use it.

        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile): Updated for signature change.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID): Missing barrier!

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Updated for signature change.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JSInterfaceJIT.h: Same game here. Removed storePtrWithWriteBarrier
        because its meaning isn't clear -- maybe in the future we'll have a
        clear way to pass all stores through a common function that guarantees
        a write barrier, but that's not the case right now.

2011-06-30  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT does not reuse registers when compiling comparisons.
        https://bugs.webkit.org/show_bug.cgi?id=63565

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compare):

2011-06-30  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Gavin Barraclough.

        Added empty write barrier stubs in all the right places in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=63764
        
        SunSpider thinks this might be a 0.5% speedup. Meh.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier): Le stub.

        (JSC::DFG::JITCodeGenerator::cachedPutById): Don't do anything special
        for the case where base == scratch, since we now require base and scratch
        to be not equal, for the sake of the write barrier.

        * dfg/DFGJITCodeGenerator.h: Le stub.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile): Don't reuse the base register
        as the scratch register, since that's incompatible with the write barrier,
        which needs a distinct base and scratch.
        
        Do put the global object into a register before loading its var storage,
        since it needs to be in a register for the write barrier to operate on it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier): Second verse, same as the first.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more
        places.

        (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function
        is a little more than meaningless.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more
        places.

        (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function
        is a little more than meaningless.

        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::offsetOfRegisters): Now used by the JIT, since
        we put the global object in a register and only then load its var storage
        by offset.

        (JSC::JIT::emitWriteBarrier):

2011-06-30  Oliver Hunt  <oliver@apple.com>

        Fix ARMv6 build

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::rshift32):

2011-06-30  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Add optimised paths for a few maths functions
        https://bugs.webkit.org/show_bug.cgi?id=63757

        This adds specialised thunks for Math.abs, Math.round, Math.ceil,
        Math.floor, Math.log, and Math.exp as they are apparently more
        important in real web content than we thought, which is somewhat
        mind-boggling.  On average doubles the performance of the common
        cases (eg. actually passing numbers in).  They're not as efficient
        as they could be, but this way gives them the most portability.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsDoubleBitops):
        (JSC::MacroAssemblerARM::andnotDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
        (JSC::MacroAssemblerARMv7::andnotDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::andnotDouble):
        (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsDoubleBitops):
        (JSC::MacroAssemblerSH4::andnotDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::supportsDoubleBitops):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::andnotDouble):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andnpd_rr):
        * create_hash_table:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        * jit/ThunkGenerators.h:

2011-06-30  Cary Clark  <caryclark@google.com>

        Reviewed by James Robinson.

        Use Skia if Skia on Mac Chrome is enabled
        https://bugs.webkit.org/show_bug.cgi?id=62999

        * wtf/Platform.h:
        Add switch to use Skia if, externally,
        Skia has been enabled by a gyp define.

2011-06-30  Juan C. Montemayor  <jmont@apple.com>

        Reviewed by Geoffrey Garen.

        Web Inspector fails to display source for eval with syntax error
        https://bugs.webkit.org/show_bug.cgi?id=63583

        Web Inspector now displays a link to an eval statement that contains
        a syntax error.

        * parser/Parser.h:
        (JSC::isEvalNode):
        (JSC::EvalNode):
        (JSC::Parser::parse):

2011-06-30  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        X86Assembler does not encode byte registers in 64-bit mode correctly.
        https://bugs.webkit.org/show_bug.cgi?id=63665

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_rr):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):

2011-06-30  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r90102.
        http://trac.webkit.org/changeset/90102
        https://bugs.webkit.org/show_bug.cgi?id=63714

        Lots of tests asserting beneath
        SVGSMILElement::findInstanceTime (Requested by aroben on
        #webkit).

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-06-30  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>

        Reviewed by Nikolas Zimmermann.

        Speed up SVGSMILElement::findInstanceTime.
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Add a new parameter to StdlibExtras.h::binarySerarch function
        to also handle cases when the array does not contain the key value.
        This is needed for an svg function.

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-06-29  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=63669
        DFG JIT - fix spectral-norm regression

        The problem is a mis-speculation leading to us falling off the speculative path.
        Make the speculation logic slightly smarter, don't predict int if one of the
        operands is already loaded as a double (we use this logic already for compares).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):

2011-06-29  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG JIT does not do put_by_id transition caching.
        https://bugs.webkit.org/show_bug.cgi?id=63662

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::testPrototype):
        (JSC::DFG::tryCachePutByID):

2011-06-29  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Added a dummy write barrier emitting function in all the right places in the old JIT
        https://bugs.webkit.org/show_bug.cgi?id=63667
        
        SunSpider reports no change.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_put_scoped_var): Do it.

        (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
        for the sake of the write barrier.

        (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_put_scoped_var): Do it.

        (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
        for the sake of the write barrier.

        (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!

2011-06-29  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG JIT does not perform get_by_id self list caching.
        https://bugs.webkit.org/show_bug.cgi?id=63605

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::dfgBuildGetByIDList):
        * dfg/DFGRepatch.h:

2011-06-28  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG JIT lacks array.length caching.
        https://bugs.webkit.org/show_bug.cgi?id=63505

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::tryAllocate):
        (JSC::DFG::JITCodeGenerator::selectScratchGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::tryAllocate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):

2011-06-28  Pierre Rossi  <pierre.rossi@gmail.com>

        Reviewed by Eric Seidel.

        Warnings in JSC's JIT on 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=63259

        Fairly straightforward, just use ASSERT_JIT_OFFSET_UNUSED when it applies.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):

2011-06-28  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r89968.
        http://trac.webkit.org/changeset/89968
        https://bugs.webkit.org/show_bug.cgi?id=63581

        Broke chromium windows compile (Requested by jamesr on
        #webkit).

        * wtf/Platform.h:

2011-06-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Fix sampling build
        https://bugs.webkit.org/show_bug.cgi?id=63579

        Gets opcode sampling building again, doesn't seem to work alas

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        (JSC::SamplingTool::SamplingTool):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::enableSampler):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):

2011-06-28  Cary Clark  <caryclark@google.com>

        Reviewed by James Robinson.

        Use Skia if Skia on Mac Chrome is enabled
        https://bugs.webkit.org/show_bug.cgi?id=62999

        * wtf/Platform.h:
        Add switch to use Skia if, externally,
        Skia has been enabled by a gyp define.

2011-06-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        ASSERT when launching debug builds with interpreter and jit enabled
        https://bugs.webkit.org/show_bug.cgi?id=63566

        Add appropriate guards to the various Executable's memory reporting
        logic.

        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-06-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63563
        DFG JIT - add support for double arith to speculative path

        Add integer support for div & mod, add double support for div, mod,
        add, sub & mul, dynamically selecting based on operand types.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::assembler):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::~SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::index):
        (JSC::DFG::SpeculateDoubleOperand::fpr):

2011-06-28  Oliver Hunt  <oliver@apple.com>

        Fix interpreter build.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-06-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63561
        DFG JIT - don't always assume integer in relational compare

        If neither operand is known integer, or either is in double representation,
        then at least use a function call (don't bail off the speculative path).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isDataFormatDouble):
        (JSC::DFG::SpeculativeJIT::compareIsInteger):

2011-06-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make constant array optimisation less strict about what constitutes a constant
        https://bugs.webkit.org/show_bug.cgi?id=63554

        Now allow string constants in array literals to actually be considered constant,
        and so avoid codegen in array literals with strings in them.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantBuffer):
        (JSC::CodeBlock::constantBuffer):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addConstantBuffer):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-06-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63560
        DFG_JIT allow allocation of specific machine registers

        This allow us to allocate the registers necessary to perform x86
        idiv instructions for div/mod, and may be useful for shifts, too.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::allocate):
        (JSC::DFG::GPRResult::GPRResult):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::allocateSpecific):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isInteger):

2011-06-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=55040
        RegExp constructor returns the argument regexp instead of a new object

        Per 15.10.3.1, our current behaviour is correct if called as a function,
        but incorrect when called as a constructor.

        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        (JSC::constructWithRegExpConstructor):
        * runtime/RegExpConstructor.h:

2011-06-28  Luke Macpherson   <macpherson@chromium.org>

        Reviewed by Darin Adler.

        Clean up integer clamping functions in MathExtras.h and support arbitrary numeric types and limits.
        https://bugs.webkit.org/show_bug.cgi?id=63469

        * wtf/MathExtras.h:
        (defaultMinimumForClamp):
        Version of std::numeric_limits::min() that returns the largest negative value for floating point types.
        (defaultMaximumForClamp):
        Symmetric alias for std::numeric_limits::max()
        (clampTo):
        New templated clamping function that supports arbitrary output types.
        (clampToInteger):
        Use new clampTo template.
        (clampToFloat):
        Use new clampTo template.
        (clampToPositiveInteger):
        Use new clampTo template.

2011-06-28  Adam Roben  <aroben@apple.com>

        Windows Debug build fix after r89885

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Exported
        JSGlobalData::releaseExecutableMemory for jsc.exe's benefit.

2011-06-28  Shinya Kawanaka  <shinyak@google.com>

        Reviewed by Kent Tamura.

        Add const to show() method in WTFString and AtomicString.
        https://bugs.webkit.org/show_bug.cgi?id=63515

        The lack of const in show() method is painful when
        doing something like printf-debug.

        * wtf/text/AtomicString.cpp:
        (WTF::AtomicString::show):
        * wtf/text/AtomicString.h:
        * wtf/text/WTFString.cpp:
        (String::show):
        * wtf/text/WTFString.h:

2011-06-27  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r89885.

        * JavaScriptCore.exp:
        * jsc.cpp:

2011-06-27  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Support throwing away non-running code even while other code is running
        https://bugs.webkit.org/show_bug.cgi?id=63485

        Add a function to CodeBlock to support unlinking direct linked callsites,
        and then with that in place add logic to discard code from any function
        that is not currently on the stack.

        The unlinking completely reverts any optimized call sites, such that they
        may be relinked again in future.

        * JavaScriptCore.exp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::clearEvalCache):
        * bytecode/CodeBlock.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::unlink):
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::clear):
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        * heap/Heap.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::clear):
        * jsc.cpp:
        (GlobalObject::GlobalObject):
        (functionReleaseExecutableMemory):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::unlinkCalls):
        (JSC::ProgramExecutable::unlinkCalls):
        (JSC::FunctionExecutable::discardCode):
        (JSC::FunctionExecutable::unlinkCalls):
        * runtime/Executable.h:
        * runtime/JSGlobalData.cpp:
        (JSC::SafeRecompiler::returnValue):
        (JSC::SafeRecompiler::operator()):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-06-27  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Darin Adler & Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=50554
        RegExp.prototype.toString does not escape slashes

        The problem here is that we don't escape forwards slashes when converting
        a RegExp to a string. This means that RegExp("/").toString() is "///",
        which is not a valid RegExp literal. Also, we return an invalid literal
        for RegExp.prototype.toString() ("//", which is an empty single-line comment).

        From ES5:
        "NOTE: The returned String has the form of a RegularExpressionLiteral that
        evaluates to another RegExp object with the same behaviour as this object."

        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSource):
            - Escape forward slashes when getting the source of a RegExp.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
            - Remove unnecessary and erroneous hack to return "//" as the string
            representation of RegExp.prototype. This is not a valid RegExp literal
            (it is an empty single-line comment).

2011-06-27  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63497
        Add DEBUG_WITH_BREAKPOINT support to the DFG JIT.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-27  Juan C. Montemayor  <jmont@apple.com>

        Reviewed by Mark Rowe.

        Indirectly including TextPosition.h and XPathGrammar.h causes compile errors
        https://bugs.webkit.org/show_bug.cgi?id=63392
        
        When both TextPosition.h and XPathGrammar.h are included a compile-error
        is caused, since XPathGrammar.h defines a macro called NUMBER and 
        TextPosition has a typedef named NUMBER.

        * wtf/text/TextPosition.h:
        (WTF::TextPosition::TextPosition):
        (WTF::TextPosition::minimumPosition):
        (WTF::TextPosition::belowRangePosition):

2011-06-27  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG JIT does not perform put_by_id caching.
        https://bugs.webkit.org/show_bug.cgi?id=63409

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchByIdSelfAccess):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::appropriatePutByIdFunction):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::dfgRepatchPutByID):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-27  Gustavo Noronha Silva  <gns@gnome.org>

        Unreviewed build fix. One more filed missing during distcheck, for
        the MIPS build.

        * GNUmakefile.list.am:

2011-06-26  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT has potentially harmful speculations with respect to arithmetic operations.
        https://bugs.webkit.org/show_bug.cgi?id=63347

        * dfg/DFGNonSpeculativeJIT.cpp:
            - Changed arithmetic operations to speculate in favor of integers.
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.cpp:
            - Added slow-path routines for arithmetic that perform no speculation; the
              non-speculative JIT will generate calls to these in cases where its
              speculation fails.
        * dfg/DFGOperations.h:

2011-06-24  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Rob Buis.

        Integrate SVG Fonts within GlyphPage concept, removing the special SVG code paths from Font, making it possible to reuse the simple text code path for SVG Fonts
        https://bugs.webkit.org/show_bug.cgi?id=59085

        * wtf/Platform.h: Force Qt-EWS into a full rebuild, otherwhise this patch breaks the EWS.

2011-06-24  Michael Saboff  <msaboff@apple.com>

        Reviewed by Gavin Barraclough.

        Arm Assembler, Immediate stack offset values truncated to 8 bits for add & sub
        https://bugs.webkit.org/show_bug.cgi?id=63345

        The methods ARMThumbImmediate::getUInt9 and ARMThumbImmediate::getUInt10
        return 9 and 10 bit quantities, therefore changed their return type from
        uint8_t to uint16_t.  Also casted the places where they are used as they
        are currently shifted and used as 7 or 8 bit values.

        These methods are currently used for literals for stack offsets, 
        including creating and destroying stack frames.  The prior truncation of
        the upper bits caused stack frames to be too small, thus allowing a
        JIT'ed function to access and overwrite stack space outside of the
        incorrectly sized stack frame.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMThumbImmediate::getUInt9):
        (JSC::ARMThumbImmediate::getUInt10):
        (JSC::ARMv7Assembler::add):
        (JSC::ARMv7Assembler::ldr):
        (JSC::ARMv7Assembler::str):
        (JSC::ARMv7Assembler::sub):
        (JSC::ARMv7Assembler::sub_S):

2011-06-24  Michael Saboff  <msaboff@apple.com>

        Reviewed by Geoffrey Garen.

        releaseFastMallocFreeMemory doesn't adjust free counts for scavenger
        https://bugs.webkit.org/show_bug.cgi?id=63015

        Added code to adjust class TCMalloc_PageHeap variables free_committed_pages_ and
        min_free_committed_pages_since_last_scavenge_ in ReleaseFreeList().  These 
        adjustments are a bug.  These need to reflect the pages that are released
        in ReleaseFreeLsit so that scavenge doesn't try to free that many pages as well.
        Made ReleaseFreeList a member of TCMalloc_PageHeap in the process.  Updated
        Check() and helper method CheckList() to check the number of actual free pages
        with free_committed_pages_.

        The symptom of the problem of the existing code is that the scavenger may
        run unneccesarily without any real work to do, i.e. pages on the free lists.
        The scanvenger would also end up freeing too many pages, that is going below 
        the current 528 target free pages.

        Note that the style of the changes was kept consistent with the
        existing style.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::Check):
        (WTF::TCMalloc_PageHeap::CheckList):
        (WTF::TCMalloc_PageHeap::ReleaseFreeList):

2011-06-24  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Darin Adler.

        Match other clampTo* functions in style with clampToInteger(float)
        function.
        https://bugs.webkit.org/show_bug.cgi?id=53449

        * wtf/MathExtras.h:
        (clampToInteger):
        (clampToFloat):
        (clampToPositiveInteger):

2011-06-24  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r89594.
        http://trac.webkit.org/changeset/89594
        https://bugs.webkit.org/show_bug.cgi?id=63316

        It broke 5 tests on the Qt bot (Requested by Ossy_DC on
        #webkit).

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * icu/unicode/uscript.h: Removed.
        * wtf/unicode/ScriptCodesFromICU.h: Removed.
        * wtf/unicode/brew/UnicodeBrew.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/icu/UnicodeIcu.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:

2011-06-23  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT should have obvious optimizations for GetById and GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=63173

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-23  Oliver Hunt  <oliver@apple.com>

        Fix Qt again.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readPointer):

2011-06-23  Oliver Hunt  <oliver@apple.com>

        Fix Qt Build

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readPointer):

2011-06-23  Stephanie Lewis  <slewis@apple.com>

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=63298
        Replace Malloc with FastMalloc to match the rest of wtf.

        * wtf/BlockStack.h:
        (WTF::::~BlockStack):
        (WTF::::grow):
        (WTF::::shrink):

2011-06-23  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Add the ability to dynamically modify linked call sites
        https://bugs.webkit.org/show_bug.cgi?id=63291

        Add JITWriteBarrier as a writebarrier class that allows
        reading and writing directly into the code stream.

        This required adding logic to all the assemblers to allow
        us to read values back out of the instruction stream.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readPointer):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::readPointer):
        (JSC::ARMv7Assembler::readInt32):
        (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmFirst):
        (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmSecond):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::readPointer):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::readInt32):
        (JSC::MIPSAssembler::readPointer):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::operator!):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::readPCrelativeAddress):
        (JSC::SH4Assembler::readPointer):
        (JSC::SH4Assembler::readInt32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::readPointer):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::MethodCallLinkInfo::seenOnce):
        (JSC::MethodCallLinkInfo::setSeen):
        * heap/MarkStack.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkCall):
        (JSC::JIT::linkConstruct):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITWriteBarrier.h: Added.
        (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*):
        (JSC::JITWriteBarrierBase::operator!):
        (JSC::JITWriteBarrierBase::setFlagOnBarrier):
        (JSC::JITWriteBarrierBase::isFlagged):
        (JSC::JITWriteBarrierBase::setLocation):
        (JSC::JITWriteBarrierBase::location):
        (JSC::JITWriteBarrierBase::JITWriteBarrierBase):
        (JSC::JITWriteBarrierBase::set):
        (JSC::JITWriteBarrierBase::get):
        (JSC::JITWriteBarrier::JITWriteBarrier):
        (JSC::JITWriteBarrier::set):
        (JSC::JITWriteBarrier::get):
        (JSC::MarkStack::append):

2011-06-23  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=61585
        Crash running regexp /(?:(?=g))|(?:m).{2147483648,}/

        This is due to use of int instead of unsigned, bad math around
        the 2^31 boundary.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):
            - Change some uses of int to unsigned, refactor compare logic to
              restrict to the range 0..2^32-1 (rather than -2^32-1..2^32-1).
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
            - Ditto.

2011-06-22  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=63218
        DFG JIT - remove machine type guarantees from graph

        The DFG JIT currently makes assumptions about the types of machine registers
        that certain nodes will be loaded into. This will be broken as we generate
        nodes to produce both integer and double code paths. Remove int<->double
        conversions nodes. This design decision also gave rise to multiple types of
        constant nodes, requiring separate handling for each type. Merge these back
        into JSConstant.

        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::equalIgnoringLaterNumericConversion):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getToInt32):
        (JSC::DFG::ByteCodeParser::getToNumber):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::toNumber):
        (JSC::DFG::ByteCodeParser::isInt32Constant):
        (JSC::DFG::ByteCodeParser::isDoubleConstant):
        (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
        (JSC::DFG::ByteCodeParser::valueOfDoubleConstant):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::predictInt32):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::isJSConstant):
        (JSC::DFG::JITCodeGenerator::isDoubleConstant):
        (JSC::DFG::JITCodeGenerator::valueOfJSConstantAsImmPtr):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isJSConstant):
        (JSC::DFG::JITCompiler::isInt32Constant):
        (JSC::DFG::JITCompiler::isDoubleConstant):
        (JSC::DFG::JITCompiler::valueOfJSConstant):
        (JSC::DFG::JITCompiler::valueOfInt32Constant):
        (JSC::DFG::JITCompiler::valueOfDoubleConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::isConstant):
        (JSC::DFG::Node::notTakenBytecodeOffset):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::isKnownInteger):
        (JSC::DFG::NonSpeculativeJIT::isKnownNumeric):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-23  Jungshik Shin  <jshin@chromium.org>

        Reviewed by Alexey Proskuryakov.

        Add ScriptCodesFromICU.h to wtf/unicode and make necessary changes in
        build files for ports not using ICU.
        Add icu/unicode/uscript.h for ports using ICU. It's taken from 
        ICU 3.6 (the version used on Mac OS 10.5)

        http://bugs.webkit.org/show_bug.cgi?id=20797

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * icu/unicode/uscript.h: Added for UScriptCode enum.
        * wtf/unicode/ScriptCodesFromICU.h: UScriptCode enum added.
        * wtf/unicode/icu/UnicodeIcu.h:
        * wtf/unicode/brew/UnicodeBrew.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:

2011-06-23  Ryuan Choi  <ryuan.choi@samsung.com>

        Reviewed by Andreas Kling.

        [EFL][WK2] Add PLATFORM(EFL) to use UNIX_DOMAIN_SOCKETS.
        https://bugs.webkit.org/show_bug.cgi?id=63228

        * wtf/Platform.h: Add PLATFORM(EFL) guard.

2011-06-23  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r89547.
        http://trac.webkit.org/changeset/89547
        https://bugs.webkit.org/show_bug.cgi?id=63252

        "Chrmium crash on start" (Requested by yurys on #webkit).

        * wtf/DynamicAnnotations.cpp:
        (WTFAnnotateBenignRaceSized):
        (WTFAnnotateHappensBefore):
        (WTFAnnotateHappensAfter):
        * wtf/DynamicAnnotations.h:

2011-06-23  Timur Iskhodzhanov  <timurrrr@google.com>

        Reviewed by David Levin.

        Make dynamic annotations weak symbols and prevent identical code folding by the linker
        https://bugs.webkit.org/show_bug.cgi?id=62443

        * wtf/DynamicAnnotations.cpp:
        (WTFAnnotateBenignRaceSized):
        (WTFAnnotateHappensBefore):
        (WTFAnnotateHappensAfter):
        * wtf/DynamicAnnotations.h:

2011-06-22  Yael Aharon  <yael.aharon@nokia.com>

        Reviewed by Andreas Kling.

        [Qt] Add a build flag for building with libxml2 and libxslt.
        https://bugs.webkit.org/show_bug.cgi?id=63113

        * wtf/Platform.h:

2011-06-22  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r89489.
        http://trac.webkit.org/changeset/89489
        https://bugs.webkit.org/show_bug.cgi?id=63203

        Broke chromium mac build on build.webkit.org (Requested by
        abarth on #webkit).

        * wtf/Platform.h:

2011-06-22  Cary Clark  <caryclark@google.com>

        Reviewed by Darin Fisher.

        Use Skia if Skia on Mac Chrome is enabled
        https://bugs.webkit.org/show_bug.cgi?id=62999

        * wtf/Platform.h:
        Add switch to use Skia if, externally,
        Skia has been enabled by a gyp define.

2011-06-22  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        * interpreter/RegisterFile.h: Removed unnecessary #include <stdio.h>.

2011-06-22  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed the conceit that global variables are local variables when running global code
        https://bugs.webkit.org/show_bug.cgi?id=63106
        
        This is required for write barrier correctness.
        
        SunSpider reports about a 0.5% regression, mostly from bitops-bitwise-and.js.
        I was able to reduce the regression with a tiny peephole optimization in
        the bytecompiler, but not eliminate it. I'm committing this assuming
        that turning on generational GC will win back at least 0.5%.

        (FWIW, the DFG JIT can easily eliminate any regression by sharing loads of
        the global object's var storage. I considered doing the same kind of
        optimization in the existing JIT, but it seemed like moving in the wrong
        direction.)

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addGlobalVar):
        (JSC::BytecodeGenerator::BytecodeGenerator): Don't give global variables
        negative indices, since they're no longer negatively offset from the
        current stack frame.
        
        Do give global variables monotonically increasing positive indices, since
        that's much easier to work with.
        
        Don't limit the number of optimizable global variables, since it's no
        longer limited by the register file, since they're no longer stored in
        the register file.

        (JSC::BytecodeGenerator::registerFor): Global code never has any local
        registers because a var in global code is actually a property of the
        global object.

        (JSC::BytecodeGenerator::constRegisterFor): Ditto.

        (JSC::BytecodeGenerator::emitResolve): Did a tiny bit of constant
        propagation and dead code elimination to speed up our compiles and
        reduce WTFs / minute.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::registerFor): Removed special handling of globals.

        (JSC::BytecodeGenerator::shouldOptimizeLocals): Don't optimize locals in
        global code, since there are none.

        (JSC::BytecodeGenerator::canOptimizeNonLocals): Do optimize non-locals
        in global code (i.e., global vars), since there are some.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::execute):
        * interpreter/Interpreter.h: Updated for deleted / renamed code.

        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::gatherConservativeRoots):
        (JSC::RegisterFile::releaseExcessCapacity): Updated for deleted / renamed
        data members.

        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::begin):
        (JSC::RegisterFile::size):
        (JSC::RegisterFile::RegisterFile):
        (JSC::RegisterFile::shrink): Removed all code and comments dealing with
        global variables stored in the register file.

        (JSC::RegisterFile::grow): Updated for same.
        
        Also, a slight correctness fix: Test the VM commit end, and not just the
        in-use end, when checking for stack overflow. In theory, it's invalid to
        commit past the end of your allocation, even if you never touch that
        memory. This makes the usable size of the stack slightly smaller. No test
        because we don't know of any case in practice where this crashes.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): Updated for changes above.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resizeRegisters):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSGlobalObject.h: Simplified globals to have monotonically 
        increasing indexes, always located in our external storage.

2011-06-21  MORITA Hajime  <morrita@google.com>

        Unreviewed, rolling out r89401 and r89403.
        http://trac.webkit.org/changeset/89401
        http://trac.webkit.org/changeset/89403
        https://bugs.webkit.org/show_bug.cgi?id=62970

        Breaks mac build and mistakenly enables the spellcheck API

        * Configurations/FeatureDefines.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-21  Kent Tamura  <tkent@chromium.org>

        [Mac] Sort Xcode project files.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-20  MORITA Hajime  <morrita@google.com>

        Reviewed by Kent Tamura.

        Spellcheck API should be build-able.
        https://bugs.webkit.org/show_bug.cgi?id=62970

        No new tests, changing only build related files
        
        * Configurations/FeatureDefines.xcconfig:

2011-06-21  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Moved 'const' off the global-variable-as-local-variable crack pipe
        https://bugs.webkit.org/show_bug.cgi?id=63105
        
        This is necessary for moving the rest of the code off of same.
        
        Many problems remain in our handling of const. I have fixed none of them.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::scopeChain): New accessor, needed to enable
        const to directly implement its unique scoping rules.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PrefixResolveNode::emitBytecode): Do specify that our resolve is
        for writing, so we don't overwrite const variables.

        (JSC::ConstDeclNode::emitCodeSingle): Don't assume that all declared const
        variables are available as local variables, since this won't be the case
        once global variables are not available as local variables. Instead, use
        put_scoped_var in the case where there is no local variable. Like a local
        variable, put_scoped_var succeeds even though const properties are
        read-only, since put_scoped_var skips read-only checks. (Yay?)

2011-06-21  Oliver Hunt  <oliver@apple.com>

        Reviewed by Alexey Proskuryakov.

        REGRESSION(r89257): It broke 2 jscore tests (Requested by Ossy_away on #webkit).
        https://bugs.webkit.org/show_bug.cgi?id=63052

        Release mode only failure, the stack overflow guards were getting there error
        handling inlined, so that they were essentially causing their own demise.

        * parser/JSParser.cpp:
        (JSC::JSParser::updateErrorMessage):
        (JSC::JSParser::updateErrorWithNameAndMessage):

2011-06-20  Kenneth Russell  <kbr@google.com>

        Unreviewed.

        Rolled out r89233 and r89235 because of crashes in http/tests/misc/acid3.html on Snow Leopard and other platforms
        https://bugs.webkit.org/show_bug.cgi?id=63022

        * wtf/Platform.h:

2011-06-18  Anders Carlsson  <andersca@apple.com>

        Reviewed by Darin Adler.

        Disallow assigning into PassOwnArrayPtr, PassOwnPtr and PassRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=62940

        Remove clear() and all assignment operators except one which now has a COMPILE_ASSERT.

        * wtf/PassOwnArrayPtr.h:
        (WTF::PassOwnArrayPtr::operator=):
        * wtf/PassOwnPtr.h:
        (WTF::PassOwnPtr::operator=):
        * wtf/PassRefPtr.h:
        (WTF::PassRefPtr::operator=):
        (WTF::NonNullPassRefPtr::operator=):

2011-06-20  Oliver Hunt  <oliver@apple.com>

        Reviewed by Darin Adler.

        REGRESSION (r79060): Searching for a flight at united.com fails
        https://bugs.webkit.org/show_bug.cgi?id=63003

        This original change also broke Twitter, and we attempted to refine the fix to 
        address that problem (http://trac.webkit.org/changeset/80542), but since it still breaks United,
        we need to revert the change until we understand the problem better.

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters):

2011-06-20  Juan C. Montemayor  <jmont@apple.com>

        Reviewed by Oliver Hunt.

        No context for javascript parse errors.
        https://bugs.webkit.org/show_bug.cgi?id=62613
        
        Parse errors now show more details like:
        "Unexpected token: ]"
        or
        "Expected token: while"
        
        For reserved names, numbers, indentifiers, strings, lexer errors, 
        and EOFs, the following error messages are printed:
        
        "Use of reserved word: super"
        "Unexpected number: 42"
        "Unexpected identifier: "
        "Unexpected string: "foobar""
        "Invalid token character sequence: \u4023"
        "Unexpected EOF"

        * parser/JSParser.cpp:
        (JSC::JSParser::consume):
        (JSC::JSParser::getToken):
        (JSC::JSParser::getTokenName):
        (JSC::JSParser::updateErrorMessageSpecialCase):
        (JSC::JSParser::updateErrorMessage):
        (JSC::JSParser::updateErrorWithNameAndMessage):
        (JSC::jsParse):
        (JSC::JSParser::JSParser):
        (JSC::JSParser::parseProgram):
        (JSC::JSParser::parseVarDeclarationList):
        (JSC::JSParser::parseForStatement):
        (JSC::JSParser::parseBreakStatement):
        (JSC::JSParser::parseContinueStatement):
        (JSC::JSParser::parseWithStatement):
        (JSC::JSParser::parseTryStatement):
        (JSC::JSParser::parseStatement):
        (JSC::JSParser::parseFormalParameters):
        (JSC::JSParser::parseFunctionInfo):
        (JSC::JSParser::parseAssignmentExpression):
        (JSC::JSParser::parsePrimaryExpression):
        (JSC::JSParser::parseMemberExpression):
        (JSC::JSParser::parseUnaryExpression):
        * parser/JSParser.h:
        * parser/Lexer.cpp:
        (JSC::Lexer::lex):
        * parser/Parser.cpp:
        (JSC::Parser::parse):

2011-06-20  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Rob Buis.

        Integrate SVG Fonts within GlyphPage concept, removing the special SVG code paths from Font, making it possible to reuse the simple text code path for SVG Fonts
        https://bugs.webkit.org/show_bug.cgi?id=59085

        * wtf/Platform.h: Force Qt-EWS into a full rebuild, otherwhise this patch breaks the EWS.

2011-06-19  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        Correct logic for putting errors on the correct line when handling JSONP
        https://bugs.webkit.org/show_bug.cgi?id=62962

        Minor fix for the minor fix.  *sigh*

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-06-19  Oliver Hunt  <oliver@apple.com>

        Minor fix to correct layout test results.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-06-17  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        JSONP is unnecessarily slow
        https://bugs.webkit.org/show_bug.cgi?id=62920

        JSONP has unfortunately become a fairly common idiom online, yet
        it triggers very poor performance in JSC as we end up doing codegen
        for a large number of property accesses that will
           * only be run once, so the vast amount of logic we dump to handle
             caching of accesses is unnecessary.
           * We are doing codegen that is directly proportional to just
             creating the object in the first place.

        This patch extends the use of the literal parser to JSONP-like structures
        in global code, handling a number of different forms I have seen online.
        In an extreme case this improves performance of JSONP by more than 2x
        due to removal of code generation and execution time, and a few optimisations
        that I made to the parser itself.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * parser/Lexer.cpp:
        (JSC::Lexer::isKeyword):
        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):
        (JSC::LiteralParser::makeIdentifier):
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::next):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):

2011-06-18  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r89184.
        http://trac.webkit.org/changeset/89184
        https://bugs.webkit.org/show_bug.cgi?id=62927

        It broke 22 tests on all bot (Requested by Ossy_weekend on
        #webkit).

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * parser/Lexer.cpp:
        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::Lexer::lex):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):
        (JSC::LiteralParser::Lexer::next):

2011-06-17  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        JSONP is unnecessarily slow
        https://bugs.webkit.org/show_bug.cgi?id=62920

        JSONP has unfortunately become a fairly common idiom online, yet
        it triggers very poor performance in JSC as we end up doing codegen
        for a large number of property accesses that will
           * only be run once, so the vast amount of logic we dump to handle
             caching of accesses is unnecessary.
           * We are doing codegen that is directly proportional to just
             creating the object in the first place.

        This patch extends the use of the literal parser to JSONP-like structures
        in global code, handling a number of different forms I have seen online.
        In an extreme case this improves performance of JSONP by more than 2x
        due to removal of code generation and execution time, and a few optimisations
        that I made to the parser itself.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * parser/Lexer.cpp:
        (JSC::Lexer::isKeyword):
        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):
        (JSC::LiteralParser::makeIdentifier):
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::next):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):

2011-06-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Moved some property access JIT code into property access JIT files
        https://bugs.webkit.org/show_bug.cgi?id=62906

        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        (JSC::JIT::emit_op_put_global_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        (JSC::JIT::emit_op_put_global_var):

2011-06-17  Anders Carlsson  <andersca@apple.com>

        Build fix.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-17  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Leopard build?

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-16  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Added some write barrier action, compiled out by default
        https://bugs.webkit.org/show_bug.cgi?id=62844

        * JavaScriptCore.exp: Build!

        * JavaScriptCore.xcodeproj/project.pbxproj: Fixed an incremental build
        issue with Heap.cpp.

        * heap/Heap.cpp:
        (JSC::Heap::writeBarrierSlowCase):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isAtomAligned):
        (JSC::MarkedBlock::blockFor):
        (JSC::MarkedBlock::atomNumber):
        (JSC::MarkedBlock::ownerSetNumber):
        (JSC::MarkedBlock::addOldSpaceOwner):
        (JSC::MarkedBlock::OwnerSet::OwnerSet):
        (JSC::MarkedBlock::OwnerSet::add):
        (JSC::MarkedBlock::OwnerSet::clear):
        (JSC::MarkedBlock::OwnerSet::size):
        (JSC::MarkedBlock::OwnerSet::didOverflow):
        (JSC::MarkedBlock::OwnerSet::owners): Added a basic write barrier that
        tracks owners for regions within blocks. Currently unused.

2011-06-17  Raphael Kubo da Costa  <kubo@profusion.mobi>

        Reviewed by Eric Seidel.

        [EFL] Add some OwnPtr specializations for EFL types.
        For now there are specializations for Ecore_Evas and Evas_Object.
        https://bugs.webkit.org/show_bug.cgi?id=62877

        * wtf/CMakeListsEfl.txt:
        * wtf/OwnPtrCommon.h:
        * wtf/efl/OwnPtrEfl.cpp: Added.
        (WTF::deleteOwnedPtr):

2011-06-17  Joone Hur  <joone.hur@collabora.co.uk>

        Reviewed by Martin Robinson.

        [GTK] Replace GdkRectangle by cairo_rectangle_int_t
        https://bugs.webkit.org/show_bug.cgi?id=60687

        Replace GdkRectangle by cairo_rectangle_int_t.

        * wtf/gobject/GTypedefs.h: Replace GdkRectangle by cairo_rectangle_int_t.

2011-06-16  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=53014
        ES5 strict mode keyword restrictions aren't implemented

        The following are future restricted words is strict mode code:
            implements, interface, let, package, private, protected, public, static, yield

        * parser/JSParser.h:
            - Add RESERVED_IF_STRICT token.
        * parser/Keywords.table:
            - Add new future restricted words.
        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
            - Check for RESERVED_IF_STRICT; in nonstrict code this is converted to IDENT.
        (JSC::Lexer::lex):
            - Pass strictMode flag to parseIdentifier.
        * parser/Lexer.h:
            - parseIdentifier needs a strictMode flag.
        * runtime/CommonIdentifiers.h:
            - Add identifiers for new reserved words.

2011-06-16  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=23611
        Multiline Javascript comments cause incorrect parsing of following script.

        From the spec:
        "A MultiLineComment [is] simply discarded if it contains no line terminator,
        but if a MultiLineComment contains one or more line terminators, then it is
        replaced with a single line terminator, which becomes part of the stream of
        inputs for the syntactic grammar." 

        This may result in behavioural changes, due to automatic semicolon insertion.

        * parser/Lexer.cpp:
        (JSC::Lexer::parseMultilineComment):
            - Set m_terminator is we see a line terminator in a multiline comment.

2011-06-16  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=62824
        DFG JIT - add support for branch-fusion of compareEq, JSValue comparisons in SpeculativeJIT

        CompareEq of non-integer values is the most common cause of speculation failure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
            - Support Equals.
        (JSC::DFG::SpeculativeJIT::compilePeepHoleEq):
            - new! - peephole optimized Eq of JSValues.
        (JSC::DFG::SpeculativeJIT::compile):
            - Add peephole optimization for CompareEq.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
            - Add support for dead nodes between compare & branch.
        (JSC::DFG::SpeculativeJIT::isInteger):
            - Added to determine which form of peephole to do in CompareEq.

2011-06-16  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export another
        symbol.

        * bytecode/EvalCodeCache.h:
        * heap/HandleHeap.h:
        * heap/HeapRootVisitor.h:
        * heap/NewSpace.h:
        * runtime/ArgList.h:
        * runtime/ScopeChain.h:
        * runtime/SmallStrings.h:
        * runtime/Structure.h: Stop forward-declaring things that don't really
        exist anymore.

2011-06-16  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Mac build: Removed and re-added SlotVisitor.h to the Xcode
        project while crossing my fingers and facing west.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-16  Geoffrey Garen  <ggaren@apple.com>

        Build fix: Removed an incorrect symbol on Windows.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-06-16  Geoffrey Garen  <ggaren@apple.com>

        Build fix: Removed an accidental commit from the future.

        * CMakeLists.txt:

2011-06-16  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Introduced SlotVisitor into the project
        https://bugs.webkit.org/show_bug.cgi?id=62820
        
        This resolves a class vs typedef forward declaration issue, and gives all
        exported symbols the correct names.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj: Build!

        * bytecode/EvalCodeCache.h:
        * heap/HandleHeap.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/HeapRootVisitor.h: Replaced MarkStack with SlotVisitor. Now no
        clients operate on a MarkStack.

        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::drain):
        * heap/SlotVisitor.h: Added.
        (JSC::SlotVisitor::SlotVisitor): Used 'protected' and a little cheesy
        inheritance to give SlotVisitor all the attributes of MarkStack without
        making this change giant. Over time, we will move more behavior into
        SlotVisitor and its subclasses.

        * heap/MarkStack.h:
        * heap/NewSpace.h: Replaced MarkStack with SlotVisitor. Now no
        clients operate on a MarkStack.

        * runtime/ArgList.h:
        * runtime/JSCell.h:
        * runtime/JSObject.h:
        * runtime/ScopeChain.h:
        * runtime/SmallStrings.h:
        * runtime/Structure.h: Replaced MarkStack with SlotVisitor. Now no
        clients operate on a MarkStack.

2011-06-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Reduce memory usage of resolve_global
        https://bugs.webkit.org/show_bug.cgi?id=62765

        If we have a large number of resolve_globals in a single
        block start planting plain resolve instructions instead 
        whenever we aren't in a loop.  This allows us to reduce
        the code size for extremely large functions without
        losing the performance benefits of op_resolve_global.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::globalResolveInfoCount):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        * bytecompiler/BytecodeGenerator.h:

2011-06-16  Qi Zhang  <qi.2.zhang@nokia.com>

        Reviewed by Laszlo Gombos.

        [Qt] Fix building with CONFIG(use_system_icu)
        https://bugs.webkit.org/show_bug.cgi?id=62744

        Do not define WTF_USE_QT4_UNICODE if WTF_USE_ICU_UNICODE is set.

        * wtf/Platform.h:

2011-06-15  Darin Adler  <darin@apple.com>

        Reviewed by Adam Barth.

        Remove obsolete LOOSE_OWN_PTR code
        https://bugs.webkit.org/show_bug.cgi?id=59909

        The internal Apple dependency on this is gone now.

        * wtf/OwnArrayPtr.h: Removed constructor that takes a raw pointer,
        set function that takes a raw pointer.

        * wtf/OwnPtr.h: Removed constructor that takes a raw pointer,
        set functino that takes a raw pointer.

        * wtf/PassOwnArrayPtr.h: Made constructor that takes a nullptr
        and assignment operator that takes a nullptr unconditional.
        Made constructor that takes a raw pointer private and explicit,
        and removed assignment operator that takes a raw pointer.

        * wtf/PassOwnPtr.h: Made assignment operator that takes a nullptr
        unconditional. Made constructor that takes a raw pointer private
        and explicit, and removed assignment operator that takes a raw pointer.

2011-06-15  Sam Weinig  <sam@webkit.org>

        Reviewed by Geoffrey Garen and Gavin Barraclough.

        Make access-nseive ~9x faster on the non-speculative path by
        adding special casing for doubles that can lossless-ly be converted
        to a uint32_t in getByVal and putByVal. This avoids calls to stringification
        and the hash lookup.  Long term, we should try and get property of a getByVal
        and putByVal to be an integer immediate even in the non-speculative path.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):

2011-06-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Darin Adler.

        REGRESSION (r88719): 5by5.tv schedule is not visible
        https://bugs.webkit.org/show_bug.cgi?id=62720

        Problem here is that the lexer wasn't considering '$' to be
        a valid character in an identifier.

        * parser/Lexer.h:
        (JSC::Lexer::lexExpectIdentifier):

2011-06-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        Reduce the size of global_resolve
        https://bugs.webkit.org/show_bug.cgi?id=62738

        Reduce the code size of global_resolve in the JIT by replacing
        multiple pointer loads with a single pointer move + two offset
        loads.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve_global):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_global):

2011-06-14  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Dan Bernstein.

        Fixed an inavlid ASSERT I found while investigating
        <rdar://problem/9580254> Crash in JSC::HandleHeap::finalizeWeakHandles + 92
        https://bugs.webkit.org/show_bug.cgi?id=62699        

        No test since we don't know of a way to get WebCore to deallocate the
        next-to-finalize handle, which is also the last handle in the list,
        while finalizing the second-to-last handle in the list.

        * heap/HandleHeap.h:
        (JSC::HandleHeap::deallocate): Don't ASSERT that m_nextToFinalize has a
        non-0 next() after updating it, since it is valid to update m_nextToFinalize
        to point to the tail sentinel.
        
        Do ASSERT that m_nextToFinalize has a non-0 next() before updating it,
        since it is not valid to update m_nextToFinalize to point past the tail
        sentinel.
        
        Also, use m_nextToFinalize consistently for clarity.

2011-06-14  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=43841
        SegmentedVector::operator== typo

        * wtf/SegmentedVector.h:
        (WTF::SegmentedVectorIterator::operator==):
        (WTF::SegmentedVectorIterator::operator!=):

2011-06-14  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Constant array literals result in unnecessarily large amounts of code
        https://bugs.webkit.org/show_bug.cgi?id=62658

        Add a new version of op_new_array that simply copies values from a buffer
        we hang off of the CodeBlock, rather than generating code to place each
        entry into the registerfile, and then copying it from the registerfile into
        the array.  This is a slight improvement on some sunspider tests, but no
        measurable overall change.  That's okay though as our goal was to reduce
        code size without hurting performance.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addImmediateBuffer):
        (JSC::CodeBlock::immediateBuffer):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addImmediateBuffer):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:

2011-06-14  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r88841.
        http://trac.webkit.org/changeset/88841
        https://bugs.webkit.org/show_bug.cgi?id=62672

        Caused many tests to crash (Requested by rniwa on #webkit).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_array):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2011-06-14  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Constant array literals result in unnecessarily large amounts of code
        https://bugs.webkit.org/show_bug.cgi?id=62658

        Add a new version of op_new_array that simply copies values from a buffer
        we hang off of the CodeBlock, rather than generating code to place each
        entry into the registerfile, and then copying it from the registerfile into
        the array.  This is a slight improvement on some sunspider tests, but no
        measurable overall change.  That's okay though as our goal was to reduce
        code size without hurting performance.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addImmediateBuffer):
        (JSC::CodeBlock::immediateBuffer):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addImmediateBuffer):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:

2011-06-14  Stephanie Lewis  <slewis@apple.com>

        Rubber stamped by Oliver Hunt.

        <rdar://problem/9511169>
        Update order files.

        * JavaScriptCore.order:

2011-06-14  Sam Weinig  <sam@webkit.org>

        Reviewed by Geoffrey Garen.

        Fix dumping of constants to have the correct constant number.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):

2011-06-14  Benjamin Poulain  <benjamin@webkit.org>

        Reviewed by Eric Seidel.

        KeywordLookupGenerator's Trie does not work with Python 3
        https://bugs.webkit.org/show_bug.cgi?id=62635

        With Python 3, dict.items() return an iterator. Since the iterator
        protocol changed between Python 2 and 3, the easiest way to get the
        values is to have something that use the iterator implicitely, like a
        for() loop.

        * KeywordLookupGenerator.py:

2011-06-13  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Fix llocp and lvalp names in the lexer to something more meaningful
        https://bugs.webkit.org/show_bug.cgi?id=62605

        A simple rename

        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
        (JSC::Lexer::parseString):
        (JSC::Lexer::lex):
        * parser/Lexer.h:
        (JSC::Lexer::lexExpectIdentifier):

2011-06-13  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make it possible to inline the common case of identifier lexing
        https://bugs.webkit.org/show_bug.cgi?id=62600

        Add a lexing function that expects to lex an "normal" alpha numeric
        identifier (that ignores keywords) so it's possible to inline the
        common parsing cases.  This comes out as a reasonable parsing speed
        boost.

        * parser/JSParser.cpp:
        (JSC::JSParser::nextExpectIdentifier):
        (JSC::JSParser::parseProperty):
        (JSC::JSParser::parseMemberExpression):
        * parser/Lexer.cpp:
        * parser/Lexer.h:
        (JSC::Lexer::makeIdentifier):
        (JSC::Lexer::lexExpectIdentifier):

2011-06-13  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Martin Robinson.

        Distcheck fixes.

        * GNUmakefile.am:
        * GNUmakefile.list.am:

2011-06-13  Oliver Hunt  <oliver@apple.com>

        Reviewed by Simon Fraser.

        Make it possible to inline Identifier::equal
        https://bugs.webkit.org/show_bug.cgi?id=62584

        Move Identifier::equal to the Identifier header file.

        * runtime/Identifier.cpp:
        * runtime/Identifier.h:
        (JSC::Identifier::equal):

2011-06-13  Tony Chang  <tony@chromium.org>

        Reviewed by Dimitri Glazkov.

        rename ENABLE_NEW_FLEXBOX to ENABLE_CSS3_FLEXBOX
        https://bugs.webkit.org/show_bug.cgi?id=62578

        * Configurations/FeatureDefines.xcconfig:

2011-06-13  Tony Chang  <tony@chromium.org>

        Reviewed by Adam Barth.

        rename ENABLE_FLEXBOX to ENABLE_NEW_FLEXBOX
        https://bugs.webkit.org/show_bug.cgi?id=62545

        * Configurations/FeatureDefines.xcconfig:

2011-06-12  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r88604.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2011-06-11  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=16777

        Remove #define NaN per Darin's comments.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseIntOverflow):
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        (JSC::jsToNumber):
        (JSC::parseFloat):
        * wtf/DateMath.cpp:
        (WTF::equivalentYearForDST):
        (WTF::parseES5DateFromNullTerminatedCharacters):
        (WTF::parseDateFromNullTerminatedCharacters):
        (WTF::timeClip):
        (JSC::parseDateFromNullTerminatedCharacters):

2011-06-11  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=62503
        Remove JIT_OPTIMIZE_* switches

        The alternative code paths are untested, and not well maintained.
        These were useful when there was more churn in the JIT, but now
        are a maintenance overhead. Time to move on, removing.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkConstruct):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::softModulo):
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        * wtf/Platform.h:

2011-06-10  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=16777
        Eliminate JSC::NaN and JSC::Inf

        There's no good reason for -K-J-S- JSC to have its own NAN and infinity constants.
        The ones in std::numeric_limits are perfectly good.
        Remove JSC::Inf, JSC::NaN, switch some cases of (isnan || isinf) to !isfinite.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::toNumber):
        * API/JSValueRef.cpp:
        (JSValueMakeNumber):
        (JSValueToNumber):
        * JavaScriptCore.exp:
        * runtime/CachedTranscendentalFunction.h:
        (JSC::CachedTranscendentalFunction::initialize):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstanceCache.h:
        (JSC::DateInstanceData::DateInstanceData):
        (JSC::DateInstanceCache::reset):
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::getPrimitiveNumber):
        (JSC::JSCell::JSValue::toNumber):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::resetDateCache):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncParseInt):
        (JSC::globalFuncIsFinite):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::toNumber):
        * runtime/JSValue.cpp:
        * runtime/JSValue.h:
        * runtime/JSValueInlineMethods.h:
        (JSC::jsNaN):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/UString.cpp:
        * wtf/DecimalNumber.h:
        (WTF::DecimalNumber::DecimalNumber):
        * wtf/dtoa.cpp:
        (WTF::dtoa):

2011-06-10  Tony Chang  <tony@chromium.org>

        Reviewed by Ojan Vafai.

        add a compile guard ENABLE(FLEXBOX)
        https://bugs.webkit.org/show_bug.cgi?id=62049

        * Configurations/FeatureDefines.xcconfig:

2011-06-10  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=55347
        "name" and "message" enumerable on *Error.prototype

        This arises from chapter 15 of the spec:
            "Every other property described in this clause has the attributes
            { [[Writable]]: true, [[Enumerable]]: false, [[Configurable]]: true }
            unless otherwise specified."
        Standardized properties are not enumerable.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):

2011-06-09  Geoffrey Garen  <ggaren@apple.com>

        Build fix: Corrected header spelling.

        * heap/OldSpace.h:

2011-06-09  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Added OldSpace to the project
        https://bugs.webkit.org/show_bug.cgi?id=62417
        
        Currently unused.
        
        Added OldSpace, the ability to iterate NewSpace vs OldSpace, and a
        per-block flag for testing whether you're in NewSpace vs OldSpace.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj: Build!

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::inNewSpace):
        (JSC::MarkedBlock::setInNewSpace): Added inNewSpace flag, for use in
        write barrier.

        * heap/NewSpace.cpp:
        (JSC::NewSpace::addBlock):
        (JSC::NewSpace::removeBlock):
        * heap/NewSpace.h:
        (JSC::NewSpace::forEachBlock): Added forEachBlock, to use for
        NewSpace-specific operations.

        * heap/OldSpace.cpp: Added.
        (JSC::OldSpace::OldSpace):
        (JSC::OldSpace::addBlock):
        (JSC::OldSpace::removeBlock):
        * heap/OldSpace.h: Added.
        (JSC::OldSpace::forEachBlock): New class for holding promoted blocks.
        Not in use yet.

2011-06-09  Hyowon Kim  <hw1008.kim@samsung.com>

        Reviewed by Antonio Gomes.

        [EFL] Make accelerated compositing build in Webkit-EFL
        https://bugs.webkit.org/show_bug.cgi?id=62361

        Add PLATFORM(EFL) to enable ACCELERATED_COMPOSITING on EFL port.

        * wtf/Platform.h:

2011-06-09  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        Bug 62405 - Fix integer overflow in Array.prototype.push

        Fix geoff's review comments re static_cast.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):

2011-06-09  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Factored MarkedBlock set management into a helper class with a fast case Bloom filter
        https://bugs.webkit.org/show_bug.cgi?id=62413
        
        SunSpider reports a small speedup.
        
        This is in preparation for having ConservativeSet operate on arbitrary
        sets of MarkedBlocks, and in preparation for conservative scanning
        becoming proportionally more important than other GC activities.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.xcodeproj/project.pbxproj: Build-o.

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::ConservativeRoots): Operate on a MarkedBlockSet
        directly, instead of a Heap, so we can operate on subsets of the Heap
        instead.
        
        Use a TinyBloomFilter for single-cycle exclusion of most pointers. This
        is particularly important since we expect not to find our subject pointer
        in the MarkedBlock hash, and hash misses are more expensive than typical
        hash lookups because they have high collision rates.
        
        No need for single-pointer add() to be public anymore, since nobody uses it.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock): Use MarkedBlockSet since that's what
        ConservativeRoots relies on.
        
        Nixed contains(), since nobody uses it anymore.

        * heap/MarkedBlock.h:
        (WTF::MarkedBlockHash::hash): Added a faster hash taking advantage of
        the VM layout properties of MarkedBlocks.

        * heap/MarkedBlockSet.h: Added.
        (JSC::MarkedBlockSet::add):
        (JSC::MarkedBlockSet::remove):
        (JSC::MarkedBlockSet::recomputeFilter):
        (JSC::MarkedBlockSet::filter):
        (JSC::MarkedBlockSet::set):
        * heap/TinyBloomFilter.h: Added.
        (JSC::TinyBloomFilter::TinyBloomFilter):
        (JSC::TinyBloomFilter::add):
        (JSC::TinyBloomFilter::ruleOut): New helper class, used above.

        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::gatherConservativeRoots): No need to specifically
        exclude values by tag -- the tiny bloom filter is already a register-register
        compare, so adding another "rule out" factor just slows things down.

2011-06-09  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        Bug 62405 - Fix integer overflow in Array.prototype.push

        There are three integer overflows here, leading to safe (not a security risk)
        but incorrect (non-spec-compliant) behaviour.

        Two overflows occur when calculating the new length after pushing (one in the
        fast version of push in JSArray, one in the generic version in ArrayPrototype).
        The other occurs calculating indices to write to when multiple items are pushed.

        These errors result in three test-262 failures.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncPush):
        * runtime/JSArray.cpp:
        (JSC::JSArray::put):
        (JSC::JSArray::push):

2011-06-09  Dan Bernstein  <mitz@apple.com>

        Reviewed by Anders Carlsson.

        Add Vector::reverse()
        https://bugs.webkit.org/show_bug.cgi?id=62393

        * wtf/Vector.h:
        (WTF::Vector::reverse): Added

2011-06-08  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Factored a bunch of Heap functionality into stand-alone functors
        https://bugs.webkit.org/show_bug.cgi?id=62337
        
        This is in preparation for making these functors operate on arbitrary
        sets of MarkedBlocks.

        * JavaScriptCore.exp: This file is a small tragedy.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions): Updated for type change and rename.

        * heap/HandleHeap.h:
        (JSC::HandleHeap::forEachStrongHandle): New function for iterating all
        strong handles, so we can play along in the functor game.

        * heap/Heap.cpp:
        (JSC::CountFunctor::CountFunctor::CountFunctor):
        (JSC::CountFunctor::CountFunctor::count):
        (JSC::CountFunctor::CountFunctor::returnValue):
        (JSC::CountFunctor::ClearMarks::operator()):
        (JSC::CountFunctor::ResetAllocator::operator()):
        (JSC::CountFunctor::Sweep::operator()):
        (JSC::CountFunctor::MarkCount::operator()):
        (JSC::CountFunctor::Size::operator()):
        (JSC::CountFunctor::Capacity::operator()):
        (JSC::CountFunctor::Count::operator()):
        (JSC::CountFunctor::CountIfGlobalObject::operator()):
        (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
        (JSC::CountFunctor::TakeIfEmpty::operator()):
        (JSC::CountFunctor::TakeIfEmpty::returnValue):
        (JSC::CountFunctor::RecordType::RecordType):
        (JSC::CountFunctor::RecordType::typeName):
        (JSC::CountFunctor::RecordType::operator()):
        (JSC::CountFunctor::RecordType::returnValue): These functors factor out
        behavior that used to be in the functions below.

        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::protectedGlobalObjectCount):
        (JSC::Heap::protectedObjectCount):
        (JSC::Heap::protectedObjectTypeCounts):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink): Factored out behavior into the functors above.

        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock): Added forEach* iteration templates. I chose
        functor-based templates instead of plain iterators because they're simpler
        to implement in this case and they require a lot less code at the call site.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::VoidFunctor::returnValue): Default parent class for
        trivial functors.

        (JSC::MarkedBlock::forEachCell): Renamed forEach to forEachCell because
        we have a few different kind of "for each" now.

        * runtime/JSGlobalData.cpp:
        (WTF::Recompile::operator()):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::recompileAllJSFunctions): Updated for type change and rename.

        * runtime/JSGlobalData.h: Removed globalObjectCount because it was unused.

2011-06-08  Mikołaj Małecki  <m.malecki@samsung.com>

        Reviewed by Pavel Feldman.

        Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
        https://bugs.webkit.org/show_bug.cgi?id=52791

        No new tests. The problem can be reproduced by trying to create InspectorValue
        from 1.0e-100 and call ->toJSONString() on this.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        export 2 functions DecimalNumber::bufferLengthForStringExponential and
        DecimalNumber::toStringExponential.

2011-06-08  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r88404.
        http://trac.webkit.org/changeset/88404
        https://bugs.webkit.org/show_bug.cgi?id=62342

        broke win and mac build (Requested by tony^work on #webkit).

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-06-08  Evan Martin  <evan@chromium.org>

        Reviewed by Adam Barth.

        [chromium] use gyp 'settings' type for settings target
        https://bugs.webkit.org/show_bug.cgi?id=62323

        The 'settings' gyp target type is for targets that exist solely
        for their settings (no build rules).  The comment above this target
        says it's for this, but it incorrectly uses 'none'.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-06-08  Sailesh Agrawal  <sail@chromium.org>

        Reviewed by Mihai Parparita.

        Chromium Mac: Enable overlay scrollbars
        https://bugs.webkit.org/show_bug.cgi?id=59756

        Enable WTF_USE_WK_SCROLLBAR_PAINTER for Chromium Mac. This allows us to use overlay scrollbars on future versions of Mac OS X.

        * wtf/Platform.h:

2011-06-08  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Add faster lookup cache for multi character identifiers
        https://bugs.webkit.org/show_bug.cgi?id=62327

        Add a non-hash lookup for mutiple character identifiers.  This saves us from
        adding repeated identifiers to the ParserArena's identifier list as people
        tend to not start all their variables and properties with the same character
        and happily identifier locality works in our favour.

        * parser/ParserArena.h:
        (JSC::IdentifierArena::isEmpty):
        (JSC::IdentifierArena::clear):
        (JSC::IdentifierArena::makeIdentifier):

2011-06-08  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Took some responsibilities away from NewSpace
        https://bugs.webkit.org/show_bug.cgi?id=62325
        
        NewSpace is basically just an allocator now.
        
        Heap acts as a controller, responsible for managing the set of all
        MarkedBlocks.
        
        This is in preparation for moving parts of the controller logic into
        separate helper classes that can act on arbitrary sets of MarkedBlocks
        that may or may not be in NewSpace.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::destroy):
        (JSC::Heap::allocate):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink): Moved the set of MarkedBlocks from NewSpace to Heap,
        along with all functions that operate on the set of MarkedBlocks. Also
        moved responsibility for deciding whether to allocate a new MarkedBlock,
        and for allocating it.

        * heap/Heap.h:
        (JSC::Heap::contains):
        (JSC::Heap::forEach): Ditto.

        * heap/NewSpace.cpp:
        (JSC::NewSpace::addBlock):
        (JSC::NewSpace::removeBlock):
        (JSC::NewSpace::resetAllocator):
        * heap/NewSpace.h:
        (JSC::NewSpace::waterMark):
        (JSC::NewSpace::allocate): Ditto.

2011-06-08  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Some more MarkedSpace => NewSpace renaming
        https://bugs.webkit.org/show_bug.cgi?id=62305

        * JavaScriptCore.exp:
        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::destroy):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::allocate):
        (JSC::Heap::markRoots):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        (JSC::Heap::isValidAllocation):
        * heap/Heap.h:
        (JSC::Heap::markedSpace):
        (JSC::Heap::contains):
        (JSC::Heap::forEach):
        (JSC::Heap::allocate):
        * runtime/JSCell.h:

2011-06-08  Kevin Ollivier  <kevino@theolliviers.com>

        Reviewed by Eric Seidel.

        Add export macros to profiler headers.
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * profiler/Profiler.h:

2011-06-08  Kevin Ollivier  <kevino@theolliviers.com>

        Reviewed by Eric Seidel.

        Add export symbols to parser headers.
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * parser/SourceProviderCache.h:

2011-06-08  Kevin Ollivier  <kevino@theolliviers.com>

        Reviewed by Eric Seidel.

        Add export symbols to interpreter headers.
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * interpreter/Interpreter.h:

2011-06-08  Kevin Ollivier  <kevino@theolliviers.com>

        Reviewed by Eric Seidel.

        Add export symbols to debugger headers.
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.h:

2011-06-08  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Darin Adler.

        Moved MarkedSpace.* to NewSpace.* in preparation for more renaming
        https://bugs.webkit.org/show_bug.cgi?id=62268

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.h:
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp: Removed.
        * heap/MarkedSpace.h: Removed.
        * heap/NewSpace.cpp: Copied from Source/JavaScriptCore/heap/MarkedSpace.cpp.
        * heap/NewSpace.h: Copied from Source/JavaScriptCore/heap/MarkedSpace.h.

2011-06-08  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r88365.
        http://trac.webkit.org/changeset/88365
        https://bugs.webkit.org/show_bug.cgi?id=62301

        windows bots broken (Requested by loislo_ on #webkit).

        * JavaScriptCore.exp:

2011-06-08  Ryan Sleevi  <rsleevi@chromium.org>

        Reviewed by Tony Chang.

        Suppress C++0x compat warnings when compiling Chromium port with GCC 4.6

        Compiling Chromium port under GCC 4.6 produces warnings about nullptr
        https://bugs.webkit.org/show_bug.cgi?id=62242

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-06-08  Ademar de Souza Reis Jr.  <ademar.reis@openbossa.org>

        Reviewed by Andreas Kling.

        Webkit on SPARC Solaris has wrong endian
        https://bugs.webkit.org/show_bug.cgi?id=29407

        Bug 57256 fixed one crash on misaligned reads on sparc/solaris, but
        there are more ocurrences of the same code pattern in webkit.

        This patch includes the check on these other parts of the code.

        This is a speculative fix, I don't have a sparc machine to test and
        don't know which kind of test would trigger a crash (but it's quite
        obvious that it's the same code duplicated in different files).

        * runtime/UString.h:
        (JSC::UStringHash::equal):
        * wtf/text/StringHash.h:
        (WTF::StringHash::equal):

2011-06-08  Yael Aharon  <yael.aharon@nokia.com>

        Reviewed by Andreas Kling.

        [Qt] Build fix for building QtWebKit inside of Qt.
        https://bugs.webkit.org/show_bug.cgi?id=62280

        Remove CONFIG=staticlib, because it causes the configure script to add -ljavascriptcore
        into QtWebKit.prl.

        No new tests, as this is just a build fix.

        * JavaScriptCore.pri:

2011-06-07  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Split 'reset' into 'collect' and 'resetAllocator'
        https://bugs.webkit.org/show_bug.cgi?id=62267

        * heap/Heap.cpp:
        (JSC::Heap::allocate):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::resetAllocator):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resetAllocator):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::SizeClass::resetAllocator):

2011-06-07  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Renamed some more marks to visits
        https://bugs.webkit.org/show_bug.cgi?id=62254

        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::visitStrongHandles):
        (JSC::HandleHeap::visitWeakHandles):
        * heap/HandleHeap.h:
        * heap/HandleStack.cpp:
        (JSC::HandleStack::visit):
        * heap/HandleStack.h:
        * heap/Heap.cpp:
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markRoots):
        * heap/HeapRootVisitor.h:
        (JSC::HeapRootVisitor::visit):
        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::markLists):

2011-06-07  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig

        https://bugs.webkit.org/show_bug.cgi?id=55537
        Functions claim to have 'callee' which they actually don't (and shouldn't)

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertyNames):

2011-06-07  Juan C. Montemayor  <jmont@apple.com>

        Reviewed by Darin Adler.

        Make JSStaticFunction and JSStaticValue less "const"
        https://bugs.webkit.org/show_bug.cgi?id=62222

        * API/JSObjectRef.h:
        * API/tests/testapi.c:
        (checkConstnessInJSObjectNames):
        (main):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-07  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=62240
        DFG JIT - add support for for-loop array initialization.

        Support put by val beyond vector length.
        Add a operationPutByValBeyondArrayBounds operation, make
        PutValVal call this if the vector length check fails.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        (JSC::DFG::JITCodeGenerator::isDoubleConstantWithInt32Value):
        (JSC::DFG::JITCodeGenerator::isJSConstantWithInt32Value):
        (JSC::DFG::JITCodeGenerator::isIntegerConstant):
        (JSC::DFG::JITCodeGenerator::valueOfIntegerConstant):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:

2011-06-06  James Simonsen  <simonjam@chromium.org>

        Reviewed by James Robinson.

        Add monotonicallyIncreasingTime() to get monotonically increasing time
        https://bugs.webkit.org/show_bug.cgi?id=37743

        * wtf/CurrentTime.cpp: Add monotonicallyIncreasingTime() for mac and a fallback implementation that just wraps currentTime().
        (WTF::monotonicallyIncreasingTime):
        * wtf/CurrentTime.h: Add monotonicallyIncreasingTime().

2011-06-06  Alexandru Chiculita  <achicu@adobe.com>

        Reviewed by Kent Tamura.

        Add ENABLE_CSS_EXCLUSIONS support for build-webkit script
        https://bugs.webkit.org/show_bug.cgi?id=61628

        * Configurations/FeatureDefines.xcconfig:

2011-06-06  Mihnea Ovidenie  <mihnea@adobe.com>

        Reviewed by Kent Tamura.

        Add ENABLE(CSS_REGIONS) guard for CSS Regions support
        https://bugs.webkit.org/show_bug.cgi?id=61631

        * Configurations/FeatureDefines.xcconfig:

2011-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix the GTK+ build.

        * GNUmakefile.am: Add javascriptcore_cflags variable.

2011-06-04  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Restore the PPC build and allow users to specify architectures
        to build on Mac.

        * wtf/Platform.h:

2011-06-04  Gustavo Noronha Silva  <gns@gnome.org>

        Unreviewed, MIPS build fix.

        WebKitGTK+ tarball fails to build on MIPS.
        https://buildd.debian.org/status/fetch.php?pkg=webkitgtk%2B&arch=mips&ver=1.4.0-1&stamp=1304786691

        * GNUmakefile.list.am: Add missing MIPS-related file to the list
        of files that are added to the tarball on make dist, and fix
        sorting.

2011-06-04  Sam Weinig  <sam@webkit.org>

        Reviewed by Darin Adler.

        Fix formatting of the output generated by KeywordLookupGenerator.py
        https://bugs.webkit.org/show_bug.cgi?id=62083

        - Uses correct year for copyright.
        - Puts ending brace on same line as "else if"
        - Puts starting brace of function on its own line.
        - Adds some tasteful whitespace.
        - Adds comments to make clear that scopes are ending
        - Make macros actually split on two lines.

        * KeywordLookupGenerator.py:

2011-06-04  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        KeywordLookupGenerator.py spams stdout in Chromium Linux build
        https://bugs.webkit.org/show_bug.cgi?id=62087

        This action does not appear to be needed.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-06-03  Oliver Hunt  <oliver@apple.com>

        Reviewed by Maciej Stachowiak.

        Lexer needs to provide Identifier for reserved words
        https://bugs.webkit.org/show_bug.cgi?id=62086

        Alas it is necessary to provide an Identifier reference for keywords
        so that we can do the right thing when they're used in object literals.
        We now keep Identifiers for all reserved words in the CommonIdentifiers
        structure so that we can access them without a hash lookup.

        * KeywordLookupGenerator.py:
        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
        * parser/Lexer.h:
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:

2011-06-03  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Add debug code to break on speculation failures.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGNode.h:

2011-06-03  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=62082
        DFG JIT - bug passing arguments that need swap

        This is really just a typo.
        When setting up the arguments for a call out to a C operation, we'll
        fail to swap arguments where this is necessary. For example, in the
        case of 2 arg calls, where the first argument is in %rdx & the second
        is in %rsi we should swap (exec will be passed in %rdi), but we don't.

        This can also affect function calls passing three arguments.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::setupTwoStubArgs):
            - Call swap with the correct arguments.

2011-06-03  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Force inlining of some hot lexer functions
        https://bugs.webkit.org/show_bug.cgi?id=62079

        Fix more GCC stupidity

        * parser/Lexer.h:
        (JSC::Lexer::isWhiteSpace):
        (JSC::Lexer::isLineTerminator):

2011-06-03  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        GCC not inlining some functions that it really should be
        https://bugs.webkit.org/show_bug.cgi?id=62075

        Add ALWAYS_INLINE to a number of parsing and lexing functions
        that should always be inlined.  This gets us ~1.4% on my ad hoc
        parser test.

        * KeywordLookupGenerator.py:
        * parser/JSParser.cpp:
        (JSC::JSParser::next):
        (JSC::JSParser::nextTokenIsColon):
        (JSC::JSParser::consume):
        (JSC::JSParser::match):
        (JSC::JSParser::tokenStart):
        (JSC::JSParser::tokenLine):
        (JSC::JSParser::tokenEnd):
        * parser/Lexer.cpp:
        (JSC::isIdentPart):

2011-06-03  Oliver Hunt  <oliver@apple.com>

        Whoops, fix last minute bug.

        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):

2011-06-03  Martin Robinson  <mrobinson@igalia.com>

        Try to fix the GTK+ build.

        * GNUmakefile.am: Clean up some spaces that should be tabs.
        * GNUmakefile.list.am: Add KeywordLookup.h to the source list
        and clean up some spaces that should be tabs.

2011-06-03  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Improve keyword lookup
        https://bugs.webkit.org/show_bug.cgi?id=61913

        Rather than doing multiple hash lookups as we currently
        do when trying to identify keywords we now use an 
        automatically generated decision tree (essentially it's
        a hard coded patricia trie).  We still use the regular
        lookup table for the last few characters of an input as
        this allows us to completely skip all bounds checks.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pro:
        * GNUmakefile.am:
        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * KeywordLookupGenerator.py: Added.
        * make-generated-sources.sh:
        * parser/Lexer.cpp:
        (JSC::Lexer::internalShift):
        (JSC::Lexer::shift):
        (JSC::Lexer::parseIdentifier):
        * parser/Lexer.h:

2011-06-03  Siddharth Mathur  <siddharth.mathur@nokia.com>

        Reviewed by Benjamin Poulain.

        [Qt] Build flag for experimental ICU library support
        https://bugs.webkit.org/show_bug.cgi?id=60786

        Adds a build-time flag (CONFIG+=use_system_icu) that enables experimental 
        ICU powered Unicode support. 

        * JavaScriptCore.pri: Support for use_system_icu CONFIG flag.
        * wtf/unicode/qt4/UnicodeQt4.h: Guard an include file with USE(ICU_UNICODE). 

2011-06-03  Alexis Menard  <alexis.menard@openbossa.org>

        Reviewed by Benjamin Poulain.

        [Qt] Build fix of QtWebKit 2.2 when inside Qt tree with GCC 4.6.
        https://bugs.webkit.org/show_bug.cgi?id=61957

        When building inside the Qt source tree, qmake always append the mkspecs
        defines after ours. We have to workaround and make sure that we append 
        our flags after the qmake variable used inside Qt. This workaround was provided 
        by our qmake folks. We need to append in both case because qmake behave differently
        when called with -spec or via SUBDIR+=. This patch unbreak r87950 on Mac for Qt port.

        * JavaScriptCore.pro:

2011-06-02  Jay Civelli  <jcivelli@chromium.org>

        Reviewed by Adam Barth.

        Added a method to generate RFC 2822 compliant date strings.
        https://bugs.webkit.org/show_bug.cgi?id=7169

        * wtf/DateMath.cpp:
        (WTF::twoDigitStringFromNumber):
        (WTF::makeRFC2822DateString):
        * wtf/DateMath.h:

2011-06-02  Alexis Menard  <alexis.menard@openbossa.org>

        Reviewed by Andreas Kling.

        [Qt] Build fix of QtWebKit 2.2 when inside Qt tree with GCC 4.6.
        https://bugs.webkit.org/show_bug.cgi?id=61957

        When building inside the Qt source tree, qmake always append the mkspecs
        defines after ours. We have to workaround and make sure that we append  
        our flags after the qmake variable used inside Qt. This workaround was provided
        by our qmake folks.

        * JavaScriptCore.pro:

2011-06-01  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Add single character lookup cache to IdentifierArena
        https://bugs.webkit.org/show_bug.cgi?id=61879

        Add a simple lookup cache for single ascii character
        identifiers.  Produces around a 2% improvement in parse
        time for my adhoc parser test.

        * parser/ParserArena.h:
        (JSC::IdentifierArena::IdentifierArena):
        (JSC::IdentifierArena::clear):
        (JSC::IdentifierArena::makeIdentifier):

2011-05-31  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Freezing a function and its prototype causes browser to crash.
        https://bugs.webkit.org/show_bug.cgi?id=61758

        Make JSObject::preventExtensions virtual so that we can override it
        and instantiate all lazy

        * JavaScriptCore.exp:
        * runtime/JSFunction.cpp:
        (JSC::createPrototypeProperty):
        (JSC::JSFunction::preventExtensions):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::seal):
        (JSC::JSObject::seal):

2011-06-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r87788.
        http://trac.webkit.org/changeset/87788
        https://bugs.webkit.org/show_bug.cgi?id=61856

        breaks windows chromium canary (Requested by jknotten on
        #webkit).

        * wtf/DateMath.cpp:
        (WTF::timeClip):
        * wtf/DateMath.h:

2011-06-01  Jay Civelli  <jcivelli@chromium.org>

        Reviewed by Adam Barth.

        Added a method to generate RFC 2822 compliant date strings.
        https://bugs.webkit.org/show_bug.cgi?id=7169

        * wtf/DateMath.cpp:
        (WTF::twoDigitStringFromNumber):
        (WTF::makeRFC2822DateString):
        * wtf/DateMath.h:

2011-05-31  Yong Li  <yoli@rim.com>

        Reviewed by Eric Seidel.

        https://bugs.webkit.org/show_bug.cgi?id=54807
        We have been assuming plain bitfields (like "int a : 31") are always signed integers.
        However some compilers can treat them as unsigned. For example, RVCT 4.0 states plain
        bitfields (declared without either signed or unsigned qualifiers) are treats as unsigned.
        http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0348c/Babjddhe.html
        Although we can use "--signed-bitfields" flag to make RVCT 4.0 behave as most other compilers,
        always using "signed"/"unsigned" qualifier to declare integral type bitfields is still a good
        rule we should have in order to make our code independent from compilers and compiler flags.

        No new test added because this change is not known to fix any issue.

        * bytecode/StructureStubInfo.h:

2011-05-30  Hojong Han  <hojong.han@samsung.com>

        Reviewed by Geoffrey Garen.

        [JSC] malfunction during arithmetic condition check with negative number (-2147483648)
        https://bugs.webkit.org/show_bug.cgi?id=61416

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch32):
        * tests/mozilla/ecma/Expressions/11.12-1.js:
        (getTestCases):

2011-05-29  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Some heap refactoring
        https://bugs.webkit.org/show_bug.cgi?id=61704
        
        SunSpider says no change.

        * JavaScriptCore.exp: Export!

        * heap/Heap.cpp: COLLECT_ON_EVERY_ALLOCATION can actually do so now.

        (JSC::Heap::Heap): Changed Heap sub-objects to point to the heap.

        (JSC::Heap::allocate): Changed inline allocation code to only select the
        size class, since this can be optimized out at compile time -- everything
        else is now inlined into this out-of-line function.
        
        No need to duplicate ASSERTs made in our caller.

        * heap/Heap.h:
        (JSC::Heap::heap):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::testAndClearMarked):
        (JSC::Heap::setMarked): Call directly into MarkedBlock instead of adding
        a layer of indirection through MarkedSpace.

        (JSC::Heap::allocate): See above.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h: Changed Heap sub-objects to point to the heap.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::allocateBlock):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::allocate): Updated to match changes above.

2011-05-28  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX when building only the interpreter

        Fixes the following compiler warning:

            JavaScriptCore/runtime/JSGlobalData.cpp:462:6: error: no previous prototype for function 'releaseExecutableMemory' [-Werror,-Wmissing-prototypes,3]
             void releaseExecutableMemory(JSGlobalData& globalData)
                  ^

        * jit/ExecutableAllocator.h: Moved declaration of
        JSC::releaseExecutableMemory().

2011-05-28  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX after r87527 with ENABLE(BRANCH_COMPACTION)

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::linkCode): Added missing argument.

2011-05-27  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        JS API is too aggressive about throwing exceptions for NULL get or set operations
        https://bugs.webkit.org/show_bug.cgi?id=61678

        * API/JSCallbackObject.h: Changed our staticValueGetter to a regular
        function that returns a JSValue, so it can fail and still forward to
        normal property lookup.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot): Don't throw an exception when failing to
        access a static property -- just forward the access. This allows objects
        to observe get/set operations but still let the JS object manage lifetime.

        (JSC::::put): Ditto.

        (JSC::::getStaticValue): Same as JSCallbackObject.h.

        * API/tests/testapi.c:
        (MyObject_set_nullGetForwardSet):
        * API/tests/testapi.js: Updated tests to reflect slightly less strict
        behavior, which matches headerdoc claims.

2011-05-27  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Property caching is too aggressive for API objects
        https://bugs.webkit.org/show_bug.cgi?id=61677

        * API/JSCallbackObject.h: Opt in to ProhibitsPropertyCaching, since our
        callback APIs allow the client to change its mind about our propertis at
        any time.

        * API/tests/testapi.c:
        (PropertyCatchalls_getProperty):
        (PropertyCatchalls_setProperty):
        (PropertyCatchalls_getPropertyNames):
        (PropertyCatchalls_class):
        (main):
        * API/tests/testapi.js: Some tests for dynamic API objects.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCachePutByID):
        (JSC::Interpreter::tryCacheGetByID):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCachePutByID):
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION): Opt out of property caching if the client
        requires it.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::isFinal):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        (JSC::TypeInfo::flags): Added a flag to track opting out of property
        caching. Fixed an "&&" vs "&" typo that was previously harmless, but
        is now harmful since m_flags2 can have more than one bit set.

2011-05-27  Stephanie Lewis  <slewis@apple.com>

        Unreviewed.

        Fix a typo in the order_file flag.

        * Configurations/Base.xcconfig:

2011-05-27  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(ASSEMBLER) after r87527.

        * runtime/JSGlobalData.cpp:
        (JSGlobalData::JSGlobalData):

2011-05-27  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Add a few validity assertions to JSCallbackObject
        https://bugs.webkit.org/show_bug.cgi?id=61659

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):

2011-05-27  Oliver Hunt  <oliver@apple.com>

        Build fix

        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::invalidateCode):

2011-05-27  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Try to release unused executable memory when the FixedVMPool allocator is under pressure
        https://bugs.webkit.org/show_bug.cgi?id=61651

        Rather than crashing when full the FixedVMPool allocator now returns a null
        allocation.  We replace the code that used to CRASH() on null allocations
        with logic that asks the provided globalData to release any executable memory
        that it can.  Currently this just means throwing away all regexp code, but
        in future we'll try to be more aggressive.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::linkCode):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutablePool::create):
        (JSC::ExecutablePool::alloc):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::poolForSize):
        (JSC::ExecutablePool::ExecutablePool):
        (JSC::ExecutablePool::poolAllocate):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolAllocator::alloc):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::powThunkGenerator):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::releaseExecutableMemory):
        (JSC::releaseExecutableMemory):
        * runtime/JSGlobalData.h:
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::invalidateCode):
        * runtime/RegExpCache.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2011-05-26  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Optimized ConservativeSet to avoid double-visiting objects
        https://bugs.webkit.org/show_bug.cgi?id=61592
        
        SunSpider thinks this might be a 1% speedup

        * heap/ConservativeRoots.h:
        (JSC::ConservativeRoots::add): Use testAndClearMarked to avoid double-visiting
        an object.

        * heap/Heap.h:
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::testAndClearMarked):
        (JSC::Heap::setMarked): Added testAndClearMarked. Changed argument type
        to void*, since clients want to ask questions about arbitrary pointers
        into the heap, even when they aren't known to be JSCells.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::testAndClearMarked):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::isMarked):
        (JSC::MarkedSpace::testAndSetMarked):
        (JSC::MarkedSpace::testAndClearMarked):
        (JSC::MarkedSpace::setMarked):
        (JSC::MarkedSpace::contains): Ditto.

        * wtf/Bitmap.h:
        (WTF::::testAndClear): New function for ConservativeRoots's inverted
        marking pass.

2011-05-27  Stephanie Lewis  <slewis@apple.com>

        Rubber Stamped by Adam Roben.

        Update Order Files.  Use -order_file flag since it can order more of the binary.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.order:

2011-05-26  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Renamed heapRootMarker to heapRootVisitor to match its class name
        https://bugs.webkit.org/show_bug.cgi?id=61584

        * heap/Heap.cpp:
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markRoots):

2011-05-26  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed some interdependency between Heap and SmallStrings by simplifying
        the SmallStrings lifetime model
        https://bugs.webkit.org/show_bug.cgi?id=61579
        
        SunSpider reports no change.
        
        Using Weak<T> could accomplish this too, but we're not sure it will give
        us the performance we need. This is a first step, and it accomplishes
        most of the value of using Weak<T>.

        * heap/Heap.cpp:
        (JSC::Heap::destroy):
        (JSC::Heap::markRoots):
        (JSC::Heap::reset): Finalize small strings just like other weak handles.

        * runtime/SmallStrings.cpp:
        (JSC::finalize):
        (JSC::SmallStrings::finalizeSmallStrings):
        * runtime/SmallStrings.h: Make all small strings trivially weak, instead
        of having an "all for one, one for all" memory model.

2011-05-26  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make RegExpCache a weak map
        https://bugs.webkit.org/show_bug.cgi?id=61554

        Switch to a weak map for the regexp cache, and hide that
        behaviour behind RegExp::create.

        When a RegExp is compiled it attempts to add itself to
        the "strong" cache.  This cache is a simple round-robin
        buffer as was the old strong cache.  Happily this can
        be smaller than the old strong cache as RegExps are only
        added when they're compiled so it is under less pressure
        to evict.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::create):
        (JSC::RegExp::match):
        * runtime/RegExp.h:
        (JSC::RegExp::gcShouldInvalidateCode):
        (JSC::RegExp::hasCode):
        (JSC::RegExp::key):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        (JSC::RegExpCache::RegExpCache):
        (JSC::RegExpCache::isReachableFromOpaqueRoots):
        (JSC::RegExpCache::finalize):
        * runtime/RegExpCache.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):

2011-05-26  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Moved Heap-related functions out of JSCell.h and into respective header files
        https://bugs.webkit.org/show_bug.cgi?id=61567

        * heap/Heap.h:
        (JSC::Heap::allocate):
        (JSC::Heap::heap):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::allocate):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::sizeClassFor):
        (JSC::MarkedSpace::allocate):
        * runtime/JSCell.h:
        (JSC::JSCell::destructor):

2011-05-26  Geoffrey Garen  <ggaren@apple.com>

        Try to fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-05-26  Ryosuke Niwa  <rniwa@webkit.org>

        Reviewed by Eric Seidel.

        [debug feature] WTFString should have show() method
        https://bugs.webkit.org/show_bug.cgi?id=61149

        Added String::show and AtomicString::show in NDEBUG.

        * wtf/text/AtomicString.cpp:
        (WTF::AtomicString::show):
        * wtf/text/AtomicString.h:
        * wtf/text/WTFString.cpp:
        (String::show):
        * wtf/text/WTFString.h:

2011-05-26  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Geoffrey Garen.

        Factored out some Heap ASSERTs
        https://bugs.webkit.org/show_bug.cgi?id=61565

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        (JSC::isValidSharedInstanceThreadState):
        (JSC::isValidThreadState):
        (JSC::Heap::markRoots):
        (JSC::Heap::isValidAllocation):
        * heap/Heap.h:
        * runtime/JSCell.h:
        (JSC::JSCell::Heap::allocate):

2011-05-26  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=61508
        DFG JIT - Add support for get by id self caching.

        Change the call out to be an unexpected call (using silent spill/fill functions),
        add a structure check & compact load to the JIT code, and add repatching mechanisms.
        Since DFGOperations may want to be be implemented in asm, make these symbols be extern
        "C". Add an asm wrapper to pass the return address to the optimizing get-by-id operation,
        so that it can look up its StructureStubInfo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added new files.
        * bytecode/StructureStubInfo.h:
            - Added 'unset' entries to union.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::appendCallWithExceptionCheck):
            - Return the call, we need this to populate the StructureStubInfo.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
            - Populate the CodebBlock's StructureStubInfo Vector.
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
            - Return the call, we need this to populate the StructureStubInfo.
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
            - Add structures to record property access info during compilation.
        * dfg/DFGOperations.cpp:
            - Made all external methods extern "C".
        (JSC::DFG::operationPutByValInternal):
            - Moved outside of the extern "C" block.
        * dfg/DFGOperations.h:
            - Made all external methods extern "C".
        * dfg/DFGRepatch.cpp: Added.
        (JSC::DFG::dfgRepatchCall):
            - repatch a call to link to a new callee function.
        (JSC::DFG::dfgRepatchGetByIdSelf):
            - Modify the JIT code to optimize self accesses.
        (JSC::DFG::tryCacheGetByID):
            - Internal implementation of dfgRepatchGetByID (factor out failing cases).
        (JSC::DFG::dfgRepatchGetByID):
            - Used to optimize 'operationGetByIdOptimize' - repatches to 'operationGetById', and tries to optimize self accesses!
        * dfg/DFGRepatch.h: Added.
            - Expose dfgRepatchGetByID.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - Changed implementation of GetById ops.

2011-05-26  Geoffrey Garen  <ggaren@apple.com>

        Rolled back in http://trac.webkit.org/changeset/87408 with Windows build fixed.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        * wtf/DoublyLinkedList.h:
        (WTF::::DoublyLinkedListNode):
        (WTF::::setPrev):
        (WTF::::setNext):
        (WTF::::prev):
        (WTF::::next):
        (WTF::::DoublyLinkedList):
        (WTF::::isEmpty):
        (WTF::::size):
        (WTF::::clear):
        (WTF::::head):
        (WTF::::append):
        (WTF::::remove):
        (WTF::::removeHead):

2011-05-26  Geoffrey Garen  <ggaren@apple.com>

        Rolled out http://trac.webkit.org/changeset/87408 because it broke the
        Windows build.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::setPrev):
        (JSC::MarkedBlock::setNext):
        (JSC::MarkedBlock::prev):
        (JSC::MarkedBlock::next):
        * wtf/DoublyLinkedList.h:
        (WTF::::DoublyLinkedList):
        (WTF::::isEmpty):
        (WTF::::head):
        (WTF::::append):
        (WTF::::remove):

2011-05-26  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Provide a real owner when copying a property table, for the sake of
        write barriers.
        https://bugs.webkit.org/show_bug.cgi?id=61547
        
        No test because we can't enable the writeBarrier() ASSERT just yet.

        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):

2011-05-26  Adam Roben  <aroben@apple.com>

        Windows build fix after r87346

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Fixed up exports to match
        reality.

2011-05-26  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Adam Barth.

        ASSERT(isMainThread()) when using single threaded jsc executable
        https://bugs.webkit.org/show_bug.cgi?id=60846

        Remove the ASSERT since we do not have the concept of MainThread in JSC.

        * wtf/CryptographicallyRandomNumber.cpp:
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):

2011-05-25  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=61506

        Move the silent spill/fill methods in the DFG JIT to the JITCodeGenerator
        so that they are available to the SpeculativeJIT.

        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillFPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        (JSC::DFG::JITCodeGenerator::silentFillAllRegisters):
        * dfg/DFGNonSpeculativeJIT.h:

2011-05-25  Ryosuke Niwa  <rniwa@webkit.org>

        An attempt to revive Windows bots.

        * runtime/RegExp.cpp:
        * runtime/RegExp.h:

2011-05-25  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 61503 - Move population of CodeBlock::m_structureStubInfos into JIT

        This data structure, used at runtime by the JIT, is currently unnecessarily populated
        with default entries during byte compilation.

        Aside from meaning that there is JIT specific code in the bytecompiler, this also ties
        us to one entry per corresponding bytecode op, which may be undesirable. Instead,
        populate this array from the JIT.

        The type StructureStubInfo has two unused states, one for gets & one for puts. Unify
        these, so that the class can have a default constructor (and to simply switch statements
        in code walking over the table).

        This change has ramification for the DFG JIT, in that the DFG JIT used this datastructure
        to check for functions containing property access. Instead do so in the DFGByteCodeParser.

        * bytecode/CodeBlock.cpp:
        (JSC::printStructureStubInfo):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setNumberOfStructureStubInfos):
        (JSC::CodeBlock::numberOfStructureStubInfos):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitAggregate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::StructureStubInfo):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):

2011-05-25  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 61501 - Unify AbstractMacroAssembler::differenceBetween methods.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Call::Call):
        (JSC::AbstractMacroAssembler::Call::fromTailJump):
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        (JSC::AbstractMacroAssembler::Jump::linkTo):
        (JSC::AbstractMacroAssembler::Jump::isSet):
        (JSC::AbstractMacroAssembler::differenceBetween):
        (JSC::AbstractMacroAssembler::linkJump):
        (JSC::AbstractMacroAssembler::getLinkerCallReturnOffset):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::link):
        (JSC::LinkBuffer::locationOf):
        (JSC::LinkBuffer::locationOfNearCall):
        (JSC::LinkBuffer::returnAddressOffset):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::linkCall):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::linkCall):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::linkCall):
        * assembler/MacroAssemblerSH4.cpp:
        (JSC::MacroAssemblerSH4::linkCall):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::linkCall):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::linkCall):

2011-05-25  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=61500
        Add JSObject::offsetOfPropertyStorage

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::compilePutDirectOffset):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::compileGetDirectOffset):
        * runtime/JSObject.h:
        (JSC::JSObject::offsetOfPropertyStorage):

2011-05-25  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make RegExp GC allocated
        https://bugs.webkit.org/show_bug.cgi?id=61490

        Make RegExp GC allocated.  Basically mechanical change to replace
        most use of [Pass]RefPtr<RegExp> with RegExp* or WriteBarrier<RegExp>
        where actual ownership happens.

        Made the RegExpCache use Strong<> references currently to avoid any
        changes in behaviour.

        * JavaScriptCore.exp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addRegExp):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addRegExp):
        (JSC::BytecodeGenerator::emitNewRegExp):
        * bytecompiler/BytecodeGenerator.h:
        * runtime/JSCell.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::clearBuiltinStructures):
        (JSC::JSGlobalData::addRegExpToTrace):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::create):
        (JSC::RegExp::invalidateCode):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        (JSC::RegExpCache::create):
        * runtime/RegExpCache.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setRegExp):
        (JSC::RegExpObject::RegExpObjectData::RegExpObjectData):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        (JSC::regExpProtoFuncCompile):
        * runtime/RegExpPrototype.h:
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):

2011-05-25  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Generate regexp code lazily
        https://bugs.webkit.org/show_bug.cgi?id=61476

        RegExp construction now simply validates the RegExp, it does
        not perform actual codegen.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::recompile):
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        * runtime/RegExp.h:
        (JSC::RegExp::recompileIfNecessary):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::performMatch):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSplit):

2011-05-24  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Geoffrey Garen.

        Removed MarkSetProperties because it was unused
        https://bugs.webkit.org/show_bug.cgi?id=61418

        * heap/MarkStack.h:
        (JSC::MarkSet::MarkSet):
        (JSC::MarkStack::append):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSArray.h:
        (JSC::JSArray::visitChildrenDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/WriteBarrier.h:
        (JSC::MarkStack::appendValues):

2011-05-25  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make allocations with guard pages ensure that the allocation succeeded
        https://bugs.webkit.org/show_bug.cgi?id=61453

        Add null checks, and make PageBlock's operator bool() use
        the realbase, rather than the start of usable memory.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):
        * wtf/PageBlock.h:
        (WTF::PageBlock::operator bool):
        (WTF::PageBlock::PageBlock):

2011-04-10  Kevin Ollivier  <kevino@theolliviers.com>

        Reviewed by Eric Seidel.

        Add JS_EXPORT_PRIVATE macro for exported methods in bytecompiler headers.
        
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * bytecompiler/BytecodeGenerator.h:

2011-05-24  Keishi Hattori  <keishi@webkit.org>

        Reviewed by Kent Tamura.

        Disable textfield implementation of <input type=color>. Add INPUT_COLOR feature flag. Add input color sanitizer.
        https://bugs.webkit.org/show_bug.cgi?id=61273

        * Configurations/FeatureDefines.xcconfig: Added COLOR_INPUT feature flag.

2011-05-24  Kevin Ollivier  <kevino@theolliviers.com>

        Reviewed by Eric Seidel.

        Add export macros to WTFString.h.
        
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * wtf/text/WTFString.h:
        (WTF::String::String):
        (WTF::String::findIgnoringCase):
        (WTF::String::isHashTableDeletedValue):

2011-05-24  Geoffrey Garen  <ggaren@apple.com>

        Maybe fix the Mac build now?

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-05-24  Geoffrey Garen  <ggaren@apple.com>

        Maybe fix the Mac build?
        
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-05-24  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Split HeapRootVisitor into its own class
        https://bugs.webkit.org/show_bug.cgi?id=61399

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/HandleHeap.cpp:
        * heap/HandleStack.cpp:
        * heap/Heap.cpp:
        * heap/HeapRootVisitor.h: Copied from Source/JavaScriptCore/heap/MarkStack.h.
        * heap/MarkStack.h:
        * runtime/ArgList.cpp:
        * runtime/SmallStrings.cpp:

2011-05-24  Jay Civelli  <jcivelli@chromium.org>

        Rubberstamped by David Kilzer.

        Updated some files that I forgot in my previous MHTML CL.

        * Configurations/FeatureDefines.xcconfig:

2011-05-24  Geoffrey Garen  <ggaren@apple.com>

        Fix the Mac build: Yes, please do remove these files, svn.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-05-24  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Let's just have one way to get the system page size, bokay?
        https://bugs.webkit.org/show_bug.cgi?id=61384

        * CMakeListsEfl.txt:
        * CMakeListsWinCE.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: MarkStack[Platform].cpp
        is gone completely now, since it only existed to provide a duplicate way
        to access the system page size.

        * heap/MarkStack.cpp:
        (JSC::MarkStack::reset):
        * heap/MarkStack.h:
        (JSC::::MarkStackArray):
        (JSC::::shrinkAllocation): Use WTF::pageSize.

        * heap/MarkStackPosix.cpp:
        * heap/MarkStackSymbian.cpp:
        * heap/MarkStackWin.cpp: Removed now-empty files.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::reprotectRegion):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutablePool::ExecutablePool):
        (JSC::ExecutablePool::poolAllocate):
        * jit/ExecutableAllocatorFixedVMPool.cpp: Use WTF::pageSize.

        * wscript: Removed now-empty files.

        * wtf/PageBlock.cpp:
        (WTF::systemPageSize): Integrated questionable Symbian page size rule
        from ExecutableAllocator, because that seems like what the original
        author should have done.

2011-05-24  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Interpreter crashes with gc validation enabled due to failure to mark initial cache structure
        https://bugs.webkit.org/show_bug.cgi?id=61385

        The interpreter uses the structure slot of get_by_id and put_by_id to hold
        the initial structure it encountered so that it can identify whether a
        given access is stable.

        When marking though we only visit the slot when we've decided to cache, and
        so this value could die.  This was "safe" as the value was only used for a
        pointer compare, but it was incorrect.  We now just mark the slot like we
        should have been doing already.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitStructures):

2011-05-24  Adam Roben  <aroben@apple.com>

        Windows build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed now-inline functions.

2011-05-24  Geoffrey Garen  <ggaren@apple.com>

        Windows build fix: update the #if OS(WINDOWS) section to match my last patch.

        * heap/MarkStack.h:
        (JSC::::shrinkAllocation):

2011-05-24  Geoffrey Garen  <ggaren@apple.com>

        Rubber-stamped by Oliver Hunt.

        Split out function definitions and class definitions from class
        declarations in MarkStack.h, for readability.

        * heap/MarkStack.h:
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::~MarkStack):
        (JSC::MarkStack::addOpaqueRoot):
        (JSC::MarkStack::containsOpaqueRoot):
        (JSC::MarkStack::opaqueRootCount):
        (JSC::MarkSet::MarkSet):
        (JSC::MarkStack::allocateStack):
        (JSC::MarkStack::releaseStack):
        (JSC::MarkStack::pageSize):
        (JSC::::MarkStackArray):
        (JSC::::~MarkStackArray):
        (JSC::::expand):
        (JSC::::append):
        (JSC::::removeLast):
        (JSC::::last):
        (JSC::::isEmpty):
        (JSC::::size):
        (JSC::::shrinkAllocation):

2011-05-24  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Avoid creating unnecessary identifiers and strings in the syntax checker
        https://bugs.webkit.org/show_bug.cgi?id=61378

        Selectively tell the lexer that there are some places it does not need to
        do the real work of creating Identifiers for IDENT and STRING tokens.

        Make parseString and parseIdentifier templatized on whether they should
        do real work, or merely validate the tokens.

        SunSpider --parse-only reports ~5-8% win depending on hardware.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createDotAccess):
        * parser/JSParser.cpp:
        (JSC::JSParser::next):
        (JSC::JSParser::consume):
        (JSC::JSParser::parseVarDeclarationList):
        (JSC::JSParser::parseConstDeclarationList):
        (JSC::JSParser::parseExpression):
        (JSC::JSParser::parseAssignmentExpression):
        (JSC::JSParser::parseConditionalExpression):
        (JSC::JSParser::parseBinaryExpression):
        (JSC::JSParser::parseProperty):
        (JSC::JSParser::parseObjectLiteral):
        (JSC::JSParser::parseArrayLiteral):
        (JSC::JSParser::parseArguments):
        (JSC::JSParser::parseMemberExpression):
        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
        (JSC::Lexer::parseString):
        (JSC::Lexer::lex):
        * parser/Lexer.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createDotAccess):
        (JSC::SyntaxChecker::createProperty):

2011-05-23  Michael Saboff  <msaboff@apple.com>

        Reviewed by Mark Rowe.

        Safari often freezes when clicking "Return free memory" in Caches dialog
        https://bugs.webkit.org/show_bug.cgi?id=61325

        There are two fixes and improvement in instrumentation code used to find 
        one of the problems.
        Changed ReleaseFreeList() to set the "decommitted" bit when releasing
        pages to the system and moving Spans from the normal list to the returned 
        list.
        Added a "not making forward progress" check to TCMalloc_PageHeap::scavenge
        to eliminate an infinite loop if we can't meet the pagesToRelease target.
        Added a check for the decommitted bit being set properly in 
        TCMalloc_PageHeap::CheckList.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::scavenge):
        (WTF::TCMalloc_PageHeap::Check):
        (WTF::TCMalloc_PageHeap::CheckList):
        (WTF::ReleaseFreeList):

2011-05-23  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=61306

        The begin characters optimization currently has issues (#61129),
        and does not appear to still be a performance win. The prudent
        next step seems to be to disable while we ascertain whether this
        is still a useful performance optimization.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::Interpreter::interpret):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):

2011-05-23  Matthew Delaney  <mdelaney@apple.com>

        Reviewed by Simon Fraser.

        Remove safeFloatToInt() in FloatRect.cpp and replace with working version of clampToInteger()
        https://bugs.webkit.org/show_bug.cgi?id=58216

        * wtf/MathExtras.h:
        (clampToInteger):
        (clampToPositiveInteger):

2011-05-23  Ruben  <chromium@hybridsource.org>

        Reviewed by Tony Chang.

        Chromium gyp patch to use new POSIX defines toolkit_uses_gtk and os_posix
        https://bugs.webkit.org/show_bug.cgi?id=61219

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-05-23  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Gavin Barraclough.

        [SH4] AssemblerLabel does not name a type
        https://bugs.webkit.org/show_bug.cgi?id=59927

        SH4Assembler.h file shoold be included before AbstractMacroAssembler.h.

        * assembler/MacroAssemblerSH4.h:

2011-05-23  Ryuan Choi  <ryuan.choi@samsung.com>

        Rubber stamped by Eric Seidel.

        [CMAKE] Refactoring wtf related code.
        https://bugs.webkit.org/show_bug.cgi?id=60146

        Move wtf-files to Source/JavaScriptCore/wtf/CMakeLists.txt.

        * CMakeLists.txt:
        * CMakeListsEfl.txt:
        * wtf/CMakeLists.txt:
        * wtf/CMakeListsEfl.txt:

2011-05-22  Adam Barth  <abarth@webkit.org>

        Enable strict PassOwnPtr for everyone.  I expect this patch will need
        some followups to make the GTK and EFL bots green again.

        * wtf/PassOwnPtr.h:

2011-05-20  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Reduce size of inline cache path of get_by_id on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=61221

        This reduces the code size of get_by_id by 20 bytes

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ldrCompact):
        (JSC::ARMv7Assembler::repatchCompact):
        (JSC::ARMv7Assembler::setUInt7ForLoad):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):
        * jit/JIT.h:

2011-05-20  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>

        Reviewed by Oliver Hunt.

        Zombies should "live" forever
        https://bugs.webkit.org/show_bug.cgi?id=61170

        Reusing zombie cells could still hide garbage
        collected cell related bugs.

        * JavaScriptCore.pro:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::clearMarks):
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::destroy):
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::isZombie):
        * runtime/JSZombie.h:
        (JSC::JSZombie::~JSZombie):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::setWithoutWriteBarrier):

2011-05-20  Brady Eidson  <beidson@apple.com>

        Reviewed by Sam Weinig.

        <rdar://problem/9472883> and https://bugs.webkit.org/show_bug.cgi?id=61203
        Horrendous bug in callOnMainThreadAndWait

        * wtf/MainThread.cpp:
        (WTF::dispatchFunctionsFromMainThread): Before signaling the background thread with the
          syncFlag condition, reacquire the mutex first.

2011-05-20  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        Remove unnecessary double->int conversion at the end of op_div
        https://bugs.webkit.org/show_bug.cgi?id=61198

        We don't attempt this conversion on 64bit, removing it actually speeds
        up sunspider and v8 slightly, and it reduces code size.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_div):

2011-05-19  Evan Martin  <evan@chromium.org>

        Reviewed by Tony Chang.

        [chromium] remove <(library) variable
        https://bugs.webkit.org/show_bug.cgi?id=61158

        This was for a build experiment; we can just use the correct value now.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-05-20  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        Interpreter uses wrong bytecode offset for determining exception handler
        https://bugs.webkit.org/show_bug.cgi?id=61191

        The bytecode offset given for the returnPC from the JIT is
        actually the offset for the start of the instruction triggering
        the call, whereas in the interpreter it is the actual return
        VPC.  This means if the next instruction following a call was
        in an exception region we would incorrectly redirect to its
        handler.  Long term we want to completely redo how exceptions
        are handled anyway so the simplest and lowest risk fix here is
        to simply subtract one from the return vPC so that we have an
        offset in the triggering instruction.

        It turns out this is caught by a couple of tests already.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):

2011-05-20  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Oliver Hunt.

        JIT requires VM overcommit (particularly on x86-64), Linux does not by default support this without swap?
        https://bugs.webkit.org/show_bug.cgi?id=42756

        Use the MAP_NORESERVE flag for mmap on Linux to skip the kernel
        check of the available memory. This should give us an
        overcommit-like behavior in most systems, which is what we want.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit): pass MAP_NORSERVE to mmap.

2011-05-19  Gabor Loki  <loki@webkit.org>

        Fix ARM build after r86919

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::nop):

2011-05-19  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Randomise code starting location a little
        https://bugs.webkit.org/show_bug.cgi?id=61161

        Add a nop() function to the Assemblers so that we
        can randomise code offsets slightly at no real cost.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::nop):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::nop):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::nop):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::nop):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::nop):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::nop):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::nop):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::nop):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * runtime/WeakRandom.h:
        (JSC::WeakRandom::getUint32):

2011-05-19  Oliver Hunt  <oliver@apple.com>

        Fix windows build.

        * wtf/OSAllocatorWin.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::reserveAndCommit):

2011-05-19  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Add guard pages to each end of the memory region used by the fixedvm allocator
        https://bugs.webkit.org/show_bug.cgi?id=61150

        Add mechanism to notify the OSAllocator that pages at either end of an
        allocation should be considered guard pages.  Update PageReservation,
        PageAllocation, etc to handle this.

        * JavaScriptCore.exp:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolAllocator::FixedVMPoolAllocator):
        * wtf/OSAllocator.h:
        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::reserveAndCommit):
        * wtf/PageAllocation.h:
        (WTF::PageAllocation::PageAllocation):
        * wtf/PageAllocationAligned.h:
        (WTF::PageAllocationAligned::PageAllocationAligned):
        * wtf/PageBlock.h:
        (WTF::PageBlock::PageBlock):
        * wtf/PageReservation.h:
        (WTF::PageReservation::reserve):
        (WTF::PageReservation::reserveWithGuardPages):
            Add a new function to make a reservation that will add guard
            pages to the ends of an allocation.
        (WTF::PageReservation::PageReservation):

2011-05-19  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make Executables release their JIT code as soon as they become dead
        https://bugs.webkit.org/show_bug.cgi?id=61134

        Add an ability to clear an Executable's jit code without requiring
        it to be destroyed, and then call that from a finalizer.

        * heap/Weak.h:
        (JSC::Weak::Weak):
        (JSC::Weak::leak):
        * jit/JITCode.h:
        (JSC::JITCode::clear):
        * runtime/Executable.cpp:
        (JSC::ExecutableFinalizer::finalize):
        (JSC::ExecutableBase::executableFinalizer):
        * runtime/Executable.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::ExecutableBase::clearExecutableCode):

2011-05-19  Adam Roben  <aroben@apple.com>

        Remove a redundant and broken data export

        Data can't be exported from JavaScriptCore.dll by listing it in the .def file. The
        JS_EXPORTDATA macro must be used instead. (In this case it was already being used, leading
        to a linker warning about multiple definitions.)

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed JSGlobalData::s_info.

2011-05-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Some tests crashing in JSC::MarkStack::validateValue beneath ScriptController::clearWindowShell on SnowLeopard Intel Release (WebKit2 Tests)
        https://bugs.webkit.org/show_bug.cgi?id=61064

        Switch NonFinalObject to using WriteBarrier<> rather than WriteBarrierBase<>
        for its inline storage.  This resolves the problem of GC occurring before
        a subclass has initialised its anonymous storage.

        * runtime/JSObject.h:

2011-05-18  Adam Barth  <abarth@webkit.org>

        Reviewed by Sam Weinig.

        Delete WTFURL
        https://bugs.webkit.org/show_bug.cgi?id=61084

        It's been a year and we've failed to complete this project.  It's time
        to throw in the towel.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/url: Removed.
        * wtf/url/api: Removed.
        * wtf/url/api/ParsedURL.cpp: Removed.
        * wtf/url/api/ParsedURL.h: Removed.
        * wtf/url/api/URLString.h: Removed.
        * wtf/url/src: Removed.
        * wtf/url/src/RawURLBuffer.h: Removed.
        * wtf/url/src/URLBuffer.h: Removed.
        * wtf/url/src/URLCharacterTypes.cpp: Removed.
        * wtf/url/src/URLCharacterTypes.h: Removed.
        * wtf/url/src/URLComponent.h: Removed.
        * wtf/url/src/URLEscape.cpp: Removed.
        * wtf/url/src/URLEscape.h: Removed.
        * wtf/url/src/URLParser.h: Removed.
        * wtf/url/src/URLQueryCanonicalizer.h: Removed.
        * wtf/url/src/URLSegments.cpp: Removed.
        * wtf/url/src/URLSegments.h: Removed.
        * wtf/url/wtfurl.gyp: Removed.

2011-05-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
        https://bugs.webkit.org/show_bug.cgi?id=61090

        Remove the Structure-free JSGlobalObject constructor and instead always
        pass the structure into the JSGlobalObject constructor.
        Stop DebuggerActivation creating a new structure every time, and simply
        use a single shared structure held by the GlobalData.

        * API/JSContextRef.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        * jsc.cpp:
        (GlobalObject::GlobalObject):
        (functionRun):
        (jscmain):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::clearBuiltinStructures):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:

2011-05-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Adam Roben.

        Disable gc validation in release builds
        https://bugs.webkit.org/show_bug.cgi?id=60680

        Add back the NDEBUG check

        * wtf/Platform.h:

2011-05-17  Geoffrey Garen  <ggaren@apple.com>

        Rolled out attempts to fix EFL build because they're not enough -- the
        build script needs to be fixed.

        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/ErrorPrototype.cpp:

2011-05-17  Geoffrey Garen  <ggaren@apple.com>

        More attempts to work around the EFL build system being borken.

        * runtime/DateConstructor.cpp:
        * runtime/ErrorPrototype.cpp:

2011-05-17  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the EFL build.

        * runtime/BooleanPrototype.cpp:

2011-05-16  Geoffrey Garen  <ggaren@apple.com>

        Rolling back in r86653 with build fixed.

        Reviewed by Gavin Barraclough and Oliver Hunt.

        Global object initialization is expensive
        https://bugs.webkit.org/show_bug.cgi?id=60933
        
        Changed a bunch of globals to allocate their properties lazily, and changed
        the global object to allocate a bunch of its globals lazily.
        
        This reduces the footprint of a global object from 287 objects with 58
        functions for 24K to 173 objects with 20 functions for 15K.

        Large patch, but it's all mechanical.

        * DerivedSources.make:
        * JavaScriptCore.exp: Build!

        * create_hash_table: Added a special case for fromCharCode, since it uses
        a custom "thunk generator".

        * heap/Heap.cpp:
        (JSC::TypeCounter::operator()): Fixed a bug where the type counter would
        overcount objects that were owned through more than one mechanism because
        it was getting in the way of counting the results for this patch.

        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectPrototypeTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable): Added new tables.

        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::getOwnPropertySlot):
        (JSC::ArrayConstructor::getOwnPropertyDescriptor):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        (JSC::ArrayPrototype::getOwnPropertyDescriptor):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        (JSC::BooleanPrototype::getOwnPropertySlot):
        (JSC::BooleanPrototype::getOwnPropertyDescriptor):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::getOwnPropertySlot):
        (JSC::DateConstructor::getOwnPropertyDescriptor):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::getOwnPropertySlot):
        (JSC::ErrorPrototype::getOwnPropertyDescriptor):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure): Standardized these objects
        to use static tables for function properties.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h: Added new tables.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::addStaticGlobals):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::getOwnPropertyDescriptor):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSGlobalObjectFunctions.h: Changed JSGlobalObject to use a
        static table for its global functions. This required uninlining some
        things to avoid a circular header dependency. However, those things
        probably shouldn't have been inlined in the first place.
        
        Even more global object properties can be made lazy, but that requires
        more in-depth changes.

        * runtime/MathObject.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::getOwnPropertySlot):
        (JSC::NumberPrototype::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        (JSC::ObjectPrototype::put):
        (JSC::ObjectPrototype::getOwnPropertySlot):
        (JSC::ObjectPrototype::getOwnPropertyDescriptor):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        (JSC::RegExpPrototype::getOwnPropertySlot):
        (JSC::RegExpPrototype::getOwnPropertyDescriptor):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::getOwnPropertySlot):
        (JSC::StringConstructor::getOwnPropertyDescriptor):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure): Standardized these objects
        to use static tables for function properties.

2011-05-17  Sam Weinig  <sam@webkit.org>

        Reviewed by Oliver Hunt.

        JSGlobalContextRelease should not trigger a synchronous garbage collection
        https://bugs.webkit.org/show_bug.cgi?id=60990

        * API/JSContextRef.cpp:
        Change synchronous call to collectAllGarbage to a call to trigger the
        activityCallback.

2011-05-16  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Reduce code size for inline cache
        https://bugs.webkit.org/show_bug.cgi?id=60942

        This patch introduces the concept of a "compact" address that
        allows individual architectures to control the maximum offset
        used for the inline path of get_by_id.  This reduces the code
        size of get_by_id by 3 bytes on x86 and x86_64 and slightly
        improves performance on v8 tests.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::repatchCompact):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::repatchCompact):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::DataLabelCompact::DataLabelCompact):
        (JSC::AbstractMacroAssembler::differenceBetween):
        (JSC::AbstractMacroAssembler::repatchCompact):
        * assembler/CodeLocation.h:
        (JSC::CodeLocationDataLabelCompact::CodeLocationDataLabelCompact):
        (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::locationOf):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::repatchCompact):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::loadPtrWithCompactAddressOffsetPatch):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load32WithCompactAddressOffsetPatch):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load32WithCompactAddressOffsetPatch):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load32WithAddressOffsetPatch):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::repatchCompact):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::loadCompactWithAddressOffsetPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::loadPtrWithCompactAddressOffsetPatch):
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::repatch):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::repatchCompact):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movl_mr_disp8):
        (JSC::X86Assembler::movq_mr_disp8):
        (JSC::X86Assembler::repatchCompact):
        (JSC::X86Assembler::setInt8):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp_disp8):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp64_disp8):
        (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::patchGetByIdSelf):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::patchGetByIdSelf):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID):

2011-05-16  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r86653.
        http://trac.webkit.org/changeset/86653
        https://bugs.webkit.org/show_bug.cgi?id=60944

        "Caused regressions on Windows, OSX and EFL" (Requested by
        yutak on #webkit).

        * DerivedSources.make:
        * DerivedSources.pro:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * create_hash_table:
        * heap/Heap.cpp:
        (JSC::TypeCounter::operator()):
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayTable):
        (JSC::ExecState::numberTable):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        (JSC::ArrayPrototype::getOwnPropertyDescriptor):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        * runtime/DateConstructor.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addStaticGlobals):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::getOwnPropertyDescriptor):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncJSCPrint):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/MathObject.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        (JSC::ObjectPrototype::put):
        (JSC::ObjectPrototype::getOwnPropertySlot):
        * runtime/ObjectPrototype.h:
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        * runtime/StringConstructor.h:

2011-05-16  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Geoffrey Garen.

        Global object initialization is expensive
        https://bugs.webkit.org/show_bug.cgi?id=60933
        
        Changed a bunch of globals to allocate their properties lazily, and changed
        the global object to allocate a bunch of its globals lazily.
        
        This reduces the footprint of a global object from 287 objects with 58
        functions for 24K to 173 objects with 20 functions for 15K.

        Large patch, but it's all mechanical.

        * DerivedSources.make:
        * JavaScriptCore.exp: Build!

        * create_hash_table: Added a special case for fromCharCode, since it uses
        a custom "thunk generator".

        * heap/Heap.cpp:
        (JSC::TypeCounter::operator()): Fixed a bug where the type counter would
        overcount objects that were owned through more than one mechanism because
        it was getting in the way of counting the results for this patch.

        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectPrototypeTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable): Added new tables.

        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::getOwnPropertySlot):
        (JSC::ArrayConstructor::getOwnPropertyDescriptor):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        (JSC::ArrayPrototype::getOwnPropertyDescriptor):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        (JSC::BooleanPrototype::getOwnPropertySlot):
        (JSC::BooleanPrototype::getOwnPropertyDescriptor):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::getOwnPropertySlot):
        (JSC::DateConstructor::getOwnPropertyDescriptor):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::getOwnPropertySlot):
        (JSC::ErrorPrototype::getOwnPropertyDescriptor):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure): Standardized these objects
        to use static tables for function properties.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h: Added new tables.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::addStaticGlobals):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::getOwnPropertyDescriptor):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSGlobalObjectFunctions.h: Changed JSGlobalObject to use a
        static table for its global functions. This required uninlining some
        things to avoid a circular header dependency. However, those things
        probably shouldn't have been inlined in the first place.
        
        Even more global object properties can be made lazy, but that requires
        more in-depth changes.

        * runtime/MathObject.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::getOwnPropertySlot):
        (JSC::NumberPrototype::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        (JSC::ObjectPrototype::put):
        (JSC::ObjectPrototype::getOwnPropertySlot):
        (JSC::ObjectPrototype::getOwnPropertyDescriptor):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        (JSC::RegExpPrototype::getOwnPropertySlot):
        (JSC::RegExpPrototype::getOwnPropertyDescriptor):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::getOwnPropertySlot):
        (JSC::StringConstructor::getOwnPropertyDescriptor):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure): Standardized these objects
        to use static tables for function properties.

2011-05-16  David Kilzer  <ddkilzer@apple.com>

        <http://webkit.org/b/60913> C++ exceptions should not be enabled when building with llvm-gcc-4.2
        <rdar://problem/9446430>

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Fixed typo.

2011-05-16  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        JSWeakObjectMap finalisation may occur while gc is in inconsistent state
        https://bugs.webkit.org/show_bug.cgi?id=60908
        <rdar://problem/9409491>

        We need to ensure that we have called all the weak map finalizers while
        the global object (and hence global context) is still in a consistent
        state.  The best way to achieve this is to simply use a weak handle and
        finalizer on the global object.

        * JavaScriptCore.exp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::WeakMapFinalizer::finalize):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::registerWeakMap):

2011-05-16  Siddharth Mathur  <siddharth.mathur@nokia.com>

        Reviewed by Laszlo Gombos.

        [Qt][WK2][Symbian] Shared memory implementation for Symbian
        https://bugs.webkit.org/show_bug.cgi?id=55875

        * wtf/Platform.h: Exclude Symbian OS from USE(UNIX_DOMAIN_SOCKETS) users

2011-05-16  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=60866
        Evaluation order broken for empty alternatives in subpatterns

        Reverting https://bugs.webkit.org/show_bug.cgi?id=51395

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::atomParenthesesEnd):

2011-05-15  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen & Michael Saboff.

        https://bugs.webkit.org/show_bug.cgi?id=60860
        Simplify backtracking in YARR JIT

        YARR JIT currently performs a single pass of code generation over the pattern,
        with special handling to allow the code generation for some backtracking code
        out of line. We can simplify things by moving to a common mechanism whereby all
        forwards matching code is generated in one pass, and all backtracking code is
        generated in another. Backtracking code can be generated in reverse order, to
        optimized the common fall-through case.

        To make it easier to walk over the pattern, we can first convert to a more
        byte-code like format before JIT generating. In time we should unify this with
        the YARR interpreter to more closely unify the two.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfNoAvailableInput):
        (JSC::Yarr::YarrGenerator::YarrOp::YarrOp):
        (JSC::Yarr::YarrGenerator::BacktrackingState::BacktrackingState):
        (JSC::Yarr::YarrGenerator::BacktrackingState::append):
        (JSC::Yarr::YarrGenerator::BacktrackingState::fallthrough):
        (JSC::Yarr::YarrGenerator::BacktrackingState::link):
        (JSC::Yarr::YarrGenerator::BacktrackingState::linkTo):
        (JSC::Yarr::YarrGenerator::BacktrackingState::takeBacktracksToJumpList):
        (JSC::Yarr::YarrGenerator::BacktrackingState::isEmpty):
        (JSC::Yarr::YarrGenerator::BacktrackingState::linkDataLabels):
        (JSC::Yarr::YarrGenerator::BacktrackingState::ReturnAddressRecord::ReturnAddressRecord):
        (JSC::Yarr::YarrGenerator::generateAssertionBOL):
        (JSC::Yarr::YarrGenerator::backtrackAssertionBOL):
        (JSC::Yarr::YarrGenerator::generateAssertionEOL):
        (JSC::Yarr::YarrGenerator::backtrackAssertionEOL):
        (JSC::Yarr::YarrGenerator::matchAssertionWordchar):
        (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary):
        (JSC::Yarr::YarrGenerator::backtrackAssertionWordBoundary):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
        (JSC::Yarr::YarrGenerator::opCompileAlternative):
        (JSC::Yarr::YarrGenerator::opCompileBody):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):

2011-05-15  Adam Barth  <abarth@webkit.org>

        Enable strict PassOwnPtr on Qt.  (Build fixes to follow.)

        * wtf/PassOwnPtr.h:

2011-05-15  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Maciej Stachowiak.

        Partial fix for <rdar://problem/9417875> REGRESSION: SunSpider ~17% slower
        in browser than on command line
        
        This patch fixes a few issues in generated code that could unreasonably
        prolong object lifetimes.

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Throw away all function code before doing
        a major collection. We want to clear polymorphic caches, since they can
        keep alive large object graphs that have gone "stale". For the same reason,
        but to a lesser extent, we also want to clear linked functions and other
        one-off caches.

        This has the side-benefit of reducing memory footprint from run-once
        functions, and of allowing predictions and caches that have failed to
        re-specialize.

        Eventually, if compilation costs rise far enough, we may want a more
        limited strategy for de-specializing code without throwing it away
        completely, but this works for now, and it's the simplest solution.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * runtime/JSFunction.cpp: Made the host function stub cache weak --
        otherwise it's effectively a memory leak that can seriously fragment the
        GC and JIT heaps.

        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::visitChildren): Cleared up some comments that confused
        me when working with this code.

2011-05-13  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make GC validation more aggressive
        https://bugs.webkit.org/show_bug.cgi?id=60802

        This patch makes the checks performed under GC_VALIDATION
        much more aggressive, and adds the checks to more places
        in order to allow us to catch GC bugs much closer to the
        point of failure.

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedSpace.cpp:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * runtime/JSCell.cpp:
        (JSC::slowValidateCell):
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::unvalidatedStructure):
        (JSC::JSCell::JSCell::JSCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        (JSC::slowValidateCell):
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildren):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyMapEntry::PropertyMapEntry):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildren):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::ScopeChainNode):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::JSCell::classInfo):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        * runtime/WriteBarrier.h:
        (JSC::validateCell):
        (JSC::JSCell):
        (JSC::JSGlobalObject):
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::setMayBeNull):
        (JSC::WriteBarrierBase::setEarlyValue):
        (JSC::WriteBarrierBase::get):
        (JSC::WriteBarrierBase::operator*):
        (JSC::WriteBarrierBase::operator->):
        (JSC::WriteBarrierBase::unvalidatedGet):
        (JSC::WriteBarrier::WriteBarrier):
        * wtf/Assertions.h:

2011-05-13  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make GC validation more aggressive
        https://bugs.webkit.org/show_bug.cgi?id=60802

        This patch makes the checks performed under GC_VALIDATION
        much more aggressive, and adds the checks to more places
        in order to allow us to catch GC bugs much closer to the
        point of failure.

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedSpace.cpp:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * runtime/JSCell.cpp:
        (JSC::slowValidateCell):
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::unvalidatedStructure):
        (JSC::JSCell::JSCell::JSCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        (JSC::slowValidateCell):
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildren):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyMapEntry::PropertyMapEntry):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildren):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::ScopeChainNode):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::JSCell::classInfo):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        * runtime/WriteBarrier.h:
        (JSC::validateCell):
        (JSC::JSCell):
        (JSC::JSGlobalObject):
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::setMayBeNull):
        (JSC::WriteBarrierBase::setEarlyValue):
        (JSC::WriteBarrierBase::get):
        (JSC::WriteBarrierBase::operator*):
        (JSC::WriteBarrierBase::operator->):
        (JSC::WriteBarrierBase::unvalidatedGet):
        (JSC::WriteBarrier::WriteBarrier):
        * wtf/Assertions.h:

2011-05-14  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed, rolling out r86469 and r86471, because they made hundreds tests crash on Qt.

        Make GC validation more aggressive
        https://bugs.webkit.org/show_bug.cgi?id=60802

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedSpace.cpp:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::JSCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildren):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyMapEntry::PropertyMapEntry):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildren):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::ScopeChainNode):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::createStructure):
        (JSC::JSCell::classInfo):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::get):
        (JSC::WriteBarrierBase::operator*):
        (JSC::WriteBarrierBase::operator->):
        (JSC::WriteBarrier::WriteBarrier):
        * wtf/Assertions.h:

2011-05-13  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make GC validation more aggressive
        https://bugs.webkit.org/show_bug.cgi?id=60802

        This patch makes the checks performed under GC_VALIDATION
        much more aggressive, and adds the checks to more places
        in order to allow us to catch GC bugs much closer to the
        point of failure.

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedSpace.cpp:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * runtime/JSCell.cpp:
        (JSC::slowValidateCell):
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::unvalidatedStructure):
        (JSC::JSCell::JSCell::JSCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        (JSC::slowValidateCell):
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildren):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyMapEntry::PropertyMapEntry):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildren):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::ScopeChainNode):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::JSCell::classInfo):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        * runtime/WriteBarrier.h:
        (JSC::validateCell):
        (JSC::JSCell):
        (JSC::JSGlobalObject):
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::setMayBeNull):
        (JSC::WriteBarrierBase::setEarlyValue):
        (JSC::WriteBarrierBase::get):
        (JSC::WriteBarrierBase::operator*):
        (JSC::WriteBarrierBase::operator->):
        (JSC::WriteBarrierBase::unvalidatedGet):
        (JSC::WriteBarrier::WriteBarrier):
        * wtf/Assertions.h:

2011-05-01  Holger Hans Peter Freyther  <holger@moiji-mobile.com>

        Reviewed by Steve Block.

        [android] OS(ANDROID) does not imply PLATFORM(ANDROID)
        https://bugs.webkit.org/show_bug.cgi?id=59888

        It is possible to build QtWebKit and others for OS(ANDROID). Let
        the buildsystem decide which platform is to be build.

        * wtf/Platform.h:

2011-05-12  Maciej Stachowiak  <mjs@apple.com>

        Reviewed by Darin Adler.

        XMLDocumentParserLibxml2 should play nice with strict OwnPtrs
        https://bugs.webkit.org/show_bug.cgi?id=59394

        This portion of the change introduces a PassTraits template, which
        is used to enable takeFirst() to work for a Deque holding OwnPtrs,
        and optimize it for a Deque holding RefPtrs. In the future it can
        be deployed elsewhere to make our data structures work better with
        our smart pointers.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        * wtf/Deque.h:
        (WTF::::takeFirst):
        * wtf/PassTraits.h: Added.
        (WTF::PassTraits::transfer):

2011-05-12  Nikolas Zimmermann  <nzimmermann@rim.com>

        Not reviewed.

        Revert r86334, it broke the win build. WinCE build is fixed even without this patch. WinCairo remains broken atm, everything else works.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-05-12  Nikolas Zimmermann  <nzimmermann@rim.com>

        Not reviewed.

        String operator+ reallocates unnecessarily when concatting > 2 strings
        https://bugs.webkit.org/show_bug.cgi?id=58420

        Try to fix WinCE/WinCairo linking by exporting three symbols, not sure whether it's correct though. Win worked just fine before.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-05-12  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Darin Adler.

        String operator+ reallocates unnecessarily when concatting > 2 strings
        https://bugs.webkit.org/show_bug.cgi?id=58420

        Provide a faster String append operator.
        Up until now, "String operator+(const String& a, const String& b)" copied String a into a temporary
        object, and used a.append(b), which reallocates a new buffer of aLength+bLength. When concatting
        N strings using operator+, this leads to N-1 reallocations.

        Replace this with a flexible operator+ implementation, that avoids these reallocations.
        When concatting a 'String' with any string type (char*, UChar, Vector<char>, String, AtomicString, etc..)
        a StringAppend<String, T> object is created, which holds the intermediate string objects, and delays
        creation of the final string, until operator String() is invoked.

        template<typename T>
        StringAppend<String, T> operator+(const String& string1, T string2)
        {
            return StringAppend<String, T>(string1, string2);
        }

        template<typename U, typename V, typename W>
        StringAppend<U, StringAppend<V, W> > operator+(U string1, const StringAppend<V, W>& string2)
        {
            return StringAppend<U, StringAppend<V, W> >(string1, string2);
        }

        When concatting three strings - "String a, b, c; String result = a + b + c;" following happens:
        first a StringAppend<String, String> object is created by operator+(const String& string1, String string2).
        Then operator+(String string1, const StringAppend<String, String>& string2) is invoked, which returns
        a StringAppend<String, StringAppend<String, String> > object.
        Then operator String() is invoked, which allocates a StringImpl object, once, large enough to hold the
        final string - it uses tryMakeString provided by StringConcatenate.h under the hoods, which guards us
        against too big string allocations, etc.

        Note that the second template, defines a recursive way to concat an arbitary number of strings
        into a single String with just one allocation.

        * GNUmakefile.list.am: Add StringOperators.h to build.
        * JavaScriptCore.exp: Export WTF::emptyString(). Remove no longer needed symbols.
        * JavaScriptCore.gypi: Add StringOperators.h to build.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Ditto.
        * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
        * wtf/text/AtomicString.h: Pull in StringConcatenate.h at the end of the file.
        * wtf/text/StringConcatenate.h: Conditionally include AtomicString.h to avoid a cyclic dependency. Pull in StringOperators.h at the end of the file.
        * wtf/text/StringOperators.h: Added. This is never meant to be included directly, including either WTFString.h or AtomicString.h automatically pulls in this file.
        (WTF::StringAppend::StringAppend):
        (WTF::StringAppend::operator String):
        (WTF::StringAppend::operator AtomicString):
        (WTF::StringAppend::writeTo):
        (WTF::StringAppend::length):
        (WTF::operator+):
        * wtf/text/WTFString.cpp: Remove operator+ implementations that use String::append(). 
        (WTF::emptyString): Add new shared empty string free function.
        * wtf/text/WTFString.h: Replace operator+ implementations by StringAppend template solution. Pull in AtomicString.h at the end of the file.

2011-05-12  Philippe Normand  <pnormand@igalia.com>

        Unreviewed, GTK build fix.

        * wtf/Platform.h:

2011-05-12  Keith Kyzivat  <keith.kyzivat@nokia.com>

        Reviewed by Csaba Osztrogonác.

        [Qt] Arm debug build failing on ARMAssembler::debugOffset()
        https://bugs.webkit.org/show_bug.cgi?id=60688

        Related to svn rev 85523

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::debugOffset):

2011-05-11  Igor Oliveira  <igor.oliveira@openbossa.org>

        Reviewed by Eric Seidel.

        WebKit does not build with GCCE
        https://bugs.webkit.org/show_bug.cgi?id=60667

        Allow compile WebKit with GCCE

        * wtf/Alignment.h:
        * wtf/Platform.h:

2011-05-11  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Enable strict PassOwnPtr on Mac
        https://bugs.webkit.org/show_bug.cgi?id=60684

        This should build cleanly now.

        * wtf/PassOwnPtr.h:

2011-05-11  Oliver Hunt  <oliver@apple.com>

        Reviewed by Darin Adler.

        Protect JSC from WebCore executing JS during JS wrapper finalization
        https://bugs.webkit.org/show_bug.cgi?id=60672
        <rdar://problem/9350997>

        Detect when we're trying to execute JS during GC and prevent the
        execution from happening.  We also assert that this isn't happening
        as it implies incorrect behaviour of an object's destructor.

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::isBusy):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::isCollectorBusy):

2011-05-11  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Enable gc mark validation in temporarily in release builds
        https://bugs.webkit.org/show_bug.cgi?id=60678

        Make it easier to turn the gc mark validation on and off, and
        temporarily turn it on for all builds.

        * heap/MarkStack.cpp:
        * heap/MarkStack.h:
        (JSC::MarkStack::append):
        (JSC::MarkStack::internalAppend):
        * runtime/WriteBarrier.h:
        (JSC::MarkStack::appendValues):
        * wtf/Platform.h:

2011-05-11  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        <rdar://problem/9331651> REGRESSION: RPRVT grows by 1MB / sec @ dvd2blu.com
        
        SunSpider reports no change.

        This bug was caused by changing Structure and Executable to being GC
        objects, and by a long-standing bug that would thrash the global object
        between dictionary and non-dictionary states.

        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer): Don't
        eagerly transition to dictionary -- this can cause pathological dictionary
        churn, and it's not necessary, since objects know how to automatically
        transition to dictionary when necessary.

        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal): Be sure to report
        extra cost from compilation, because it can be quite high. This is especially
        important for program code, since DOM timers can repeatedly allocate
        program code without allocating any other objects.

        * runtime/JSObject.cpp:
        (JSC::JSObject::removeDirect): Don't transition to the uncacheable state
        if the thing we're trying to remove doesn't exist. This can happen during
        compilation, since the compiler needs to ensure that no pre-existing
        conflicting definitions exist for certain declarations.

2011-05-11  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make mark stack validation functions do something useful in a release build
        https://bugs.webkit.org/show_bug.cgi?id=60645

        Turn ASSERTs into actual if(...) CRASH(); statements.

        * heap/MarkStack.cpp:
        (JSC::MarkStack::validateValue):

2011-05-11  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Martin Robinson.

        Fix copy&paste error in comment.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator): the value is stored in
        regT2, not regT1.

2011-05-11  Adam Roben  <aroben@apple.com>

        WinCE build fixes for strict PassOwnPtr

        * wtf/unicode/CollatorDefault.cpp:
        (WTF::Collator::userDefault): Use adoptPtr.

2011-05-11  Holger Hans Peter Freyther  <holger@moiji-mobile.com>

        Unreviewed build fix.

        [MIPS] Fix compilation of the MIPS JIT

        Include the MIPSAssembler.h first to indirectly include
        AssemblerBuffer.h before the AbstractMacroAssembler.h. This
        order is used for the ARM and X86 MacroAssembler*.h

        * assembler/MacroAssemblerMIPS.h:

2011-05-11  Adam Roben  <aroben@apple.com>

        Turn on strict PassOwnPtr on Windows

        Fixes <http://webkit.org/b/60632> Windows should build with strict PassOwnPtr enabled

        Reviewed by Adam Barth.

        * wtf/PassOwnPtr.h:

2011-05-10  Stephanie Lewis  <slewis@apple.com>

        Unreviewed.

        Revert accidental JavaScriptCore change in http://trac.webkit.org/changeset/86130

        * Configurations/JavaScriptCore.xcconfig:

2011-05-10  Adam Barth  <abarth@webkit.org>

        Reviewed by David Levin.

        Enable strict PassOwnPtr on Chromium
        https://bugs.webkit.org/show_bug.cgi?id=60502

        Other platforms to follow.

        * wtf/PassOwnPtr.h:

2011-05-10  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Darin Adler.

        Fixed up some #include dependencies so the WriteBarrier class can actually call Heap::writeBarrier
        https://bugs.webkit.org/show_bug.cgi?id=60532

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.xcodeproj/project.pbxproj: Build!

        * heap/Handle.h: Moved HandleTypes to its own header because that's the
        WebKit style, and it was necessary to resolve a circular dependency
        between Handle.h and WriteBarrier.h.

        * heap/Heap.h:
        (JSC::Heap::writeBarrier): Added an inline no-op writeBarrier(), to
        verify that all the code is in the right place.

        * heap/MarkStack.h: Moved WriteBarrier operations to WriteBarrier.h to
        resolve a circular dependency.

        * runtime/ArgList.h:
        * runtime/JSCell.h: #include WriteBarrier.h since we don't get it for
        free anymore.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::PropertyTable): Call the real writeBarrier()
        function, now that it exists.

        * runtime/SmallStrings.h: Removed a stray #include to resolve a circular
        dependency.

        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::MarkStack::append):
        (JSC::MarkStack::appendValues): Updated to match the changes above.

2011-05-10  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * heap/MarkStack.cpp:
        (JSC::MarkStack::validateValue):

2011-05-10  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Add some aggressive GC validation to debug builds.
        https://bugs.webkit.org/show_bug.cgi?id=60601

        When assertions are enabled we now do some validity checking
        of objects being added to the mark stack.

        * bytecode/Instruction.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::visitAggregate):
        * heap/MarkStack.cpp:
        (JSC::MarkStack::validateSet):
        (JSC::MarkStack::validateValue):
        * heap/MarkStack.h:
        (JSC::MarkStack::appendValues):
        (JSC::MarkStack::append):
        (JSC::MarkStack::internalAppend):

2011-05-09  Darin Adler  <darin@apple.com>

        Reviewed by Oliver Hunt.

        http://bugs.webkit.org/show_bug.cgi?id=60509
        Wrong type used for return value from strlen

        * wtf/FastMalloc.cpp:
        (WTF::fastStrDup): Use size_t. Also don't bother checking for failure since
        fastMalloc won't return if it fails.

2011-05-09  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        CSP should block Function constructor
        https://bugs.webkit.org/show_bug.cgi?id=60240

        When eval is disabled, we need to block the use of the function
        constructor.  However, the WebCore JSC bindings call the function
        constructor directly to create inline event listeners.  To support that
        use, this patch adds an entrypoint that bypasses the check for whether
        eval is enabled.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionConstructor.h:

2011-05-09  Adam Roben  <aroben@apple.com>

        Automatically touch WebKit.idl whenever any other WebKit1 IDL file changes

        Fixes <http://webkit.org/b/60468> WebKit.idl needs to be manually touched whenever any other
        WebKit1 IDL file changes to avoid build errors

        Reviewed by Tim Hatcher.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj:
        Updated for script rename.

        * JavaScriptCore.vcproj/JavaScriptCore/react-to-vsprops-changes.py: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/work-around-vs-dependency-tracking-bugs.py: Renamed
        from react-to-vsprops-changes.py.
        (top level): Moved a constant here from main.
        (main): Moved most code from here to react_to_vsprops_changes. Added a call to the new
        react_to_webkit1_interface_changes function.
        (react_to_vsprops_changes): Moved code here from main. Updated to use the
        TOP_LEVEL_DIRECTORY global. Moved some code from here to mtime_of_newest_file_matching_globa
        and touch_if_older_than.
        (react_to_webkit1_interface_changes): Added. Touches WebKit.idl if any other WebKit1 IDL
        file has changed.
        (mtime_of_newest_file_matching_glob): Added. Code came from main.
        (touch_if_older_than): Added. Code came from main.

2011-05-08  Jessie Berlin  <jberlin@apple.com>

        Reviewed by Dan Bernstein.

        Make JSRetainPtr work with JSGlobalContextRefs.
        https://bugs.webkit.org/show_bug.cgi?id=60452

        Add specialized functions for JSRetain and JSRelease when dealing with JSGlobalContextRefs.

        * API/JSRetainPtr.h:
        (JSRetain):
        (JSRelease):

2011-05-07  Dawit Alemayehu  <adawit@kde.org>

        Reviewed by Daniel Bates.

        Fix compile with GCC 4.6.0
        https://bugs.webkit.org/show_bug.cgi?id=60380

        Remove unused local variable from code.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):

2011-05-06  Alexis Menard  <alexis.menard@openbossa.org>

        Unreviewed build fix with gcc 4.6.0 on linux and c++0x support.

        std::tr1::has_trivial_constructor is in <tr1/memory>.

        * wtf/TypeTraits.h:

2011-05-05  Jay Civelli  <jcivelli@chromium.org>

        Reviewed by Adam Barth.

        Added convenience methods to convert from a byte to hex ASCII digit
        characters and vice-versa.
        https://bugs.webkit.org/show_bug.cgi?id=59834

        * wtf/ASCIICType.h:
        (WTF::toASCIIHexValue):
        (WTF::lowerNibbleToASCIIHexDigit):
        (WTF::upperNibbleToASCIIHexDigit):

2011-05-05  Alexis Menard  <alexis.menard@openbossa.org>

        Reviewed by Benjamin Poulain.

        [Qt] Make QtWebKit build when using gcc 4.6.0
        https://bugs.webkit.org/show_bug.cgi?id=60265

        If QtWebKit is compiled with gcc 4.6.0 or later we don't want to deactivate
        the c++0x support because it works.

        * JavaScriptCore.pro:

2011-05-04  Fridrich Strba  <fridrich.strba@bluewin.ch>

        Reviewed by Geoffrey Garen.

        Port MachineStackMarker.cpp to Windows x64
        https://bugs.webkit.org/show_bug.cgi?id=60216

        * heap/MachineStackMarker.cpp:
        (JSC::getPlatformThreadRegisters): the CONTEXT struct is usable also
        on 64-bit Windows.
        (JSC::otherThreadStackPointer): return the Rsp register on Windows x64.

2011-05-04  Fridrich Strba  <fridrich.strba@bluewin.ch>

        Reviewed by Martin Robinson.

        Link libjavascriptcoregtk on Windows with winmm.dll
        https://bugs.webkit.org/show_bug.cgi?id=60215

        * GNUmakefile.am:

2011-05-04  Tao Bai  <michaelbai@chromium.org>

        Reviewed by David Kilzer.

        Populate touch-icon url to FrameLoaderClient
        https://bugs.webkit.org/show_bug.cgi?id=59143

        * Configurations/FeatureDefines.xcconfig:

2011-05-03  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Darin Adler.

        <rdar://problem/9366557> Various crashes due to bad DFG codegen at canalplus.fr

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes): Removed a stray line of
        code that accidentally survived the conversion to a switch statement,
        causing a lot of important code not to run most of the time.

        Since this is not a trivial finger-picking mistake, I will not call it a
        typo.

2011-05-04  Adam Roben  <aroben@apple.com>

        Another attempted build fix

        * wtf/OwnPtr.h:
        (WTF::OwnPtr::operator==):
        (WTF::OwnPtr::operator!=):
        * wtf/PassOwnPtr.h:
        (WTF::PassOwnPtr::operator==):
        (WTF::PassOwnPtr::operator!=):
        Added a return statement. And made a tweak based on a suggestion from Anders Carlsson.

2011-05-04  Adam Roben  <aroben@apple.com>

        Try to fix Leopard, Qt, and probably others

        * wtf/OwnPtr.h:
        (WTF::OwnPtr::operator==):
        (WTF::OwnPtr::operator!=):
        * wtf/PassOwnPtr.h:
        (WTF::PassOwnPtr::operator==):
        (WTF::PassOwnPtr::operator!=):
        Try to get the compiler not to instantiate these function templates unnecessarily.

2011-05-03  Adam Roben  <aroben@apple.com>

        Disallow equality comparisons between [Pass]OwnPtrs

        If you have two OwnPtrs that are equal, you've already lost. (Unless you're doing something
        really sneaky, in which case you should stop!)

        Fixes <http://webkit.org/b/60053> Testing OwnPtrs for equality should cause a compiler error

        Reviewed by Anders Carlsson and Antti Koivisto.

        * wtf/OwnPtr.h:
        (WTF::OwnPtr::operator==):
        (WTF::OwnPtr::operator!=):
        * wtf/PassOwnPtr.h:
        (WTF::PassOwnPtr::operator==):
        (WTF::PassOwnPtr::operator!=):
        Added private equality operators that fail to compile when used. (When not used, the
        compiler will skip over them because they are function templates.)

2011-05-04  Alexis Menard  <alexis.menard@openbossa.org>

        Reviewed by Gavin Barraclough.

        JITArithmetic.cpp produces a warning on a unused variable.
        https://bugs.webkit.org/show_bug.cgi?id=60060

        Just properly use what we already have converted.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitSlow_op_mul):

2011-05-04  Alexis Menard  <alexis.menard@openbossa.org>

        Reviewed by Geoffrey Garen.

        JITPropertyAccess produces a unused but set variable warning in gcc 4.6.0.
        https://bugs.webkit.org/show_bug.cgi?id=60050

        This patch fix a compilation warning. The new warning scenario -Wunused-but-set-variable
        in gcc 4.6.0 is included in -Wall and therefore stops the compilation when warnings are treated
        as errors. The patch introduces a new macro ASSERT_JIT_OFFSET_UNUSED and ASSERT_WITH_MESSAGE_UNUSED
        which copy the idea of ASSERT_UNUSED.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        * wtf/Assertions.h:
        (assertWithMessageUnused):

2011-04-29  Jer Noble  <jer.noble@apple.com>

        Reviewed by Eric Seidel.

        Implement FULLSCREEN_API on Windows, Part 4: Enable it
        https://bugs.webkit.org/show_bug.cgi?id=59798

        * wtf/Platform.h: Set ENABLE_FULLSCREEN_API on win.

2011-05-03  Alexis Menard  <alexis.menard@openbossa.org>

        Reviewed by Eric Seidel.

        Unused but set variable warning in MacroAssemberX86_64
        https://bugs.webkit.org/show_bug.cgi?id=59482

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call):
        (JSC::MacroAssemblerX86_64::tailRecursiveCall):
        (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):

2011-05-03  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make malloc validation useful
        https://bugs.webkit.org/show_bug.cgi?id=57502

        Reland this patch (rolled out in 82905) without
        turning it on by default.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/FastMalloc.cpp:
        (WTF::tryFastMalloc):
        (WTF::fastMalloc):
        (WTF::tryFastCalloc):
        (WTF::fastCalloc):
        (WTF::fastFree):
        (WTF::tryFastRealloc):
        (WTF::fastRealloc):
        (WTF::fastMallocSize):
        (WTF::TCMalloc_PageHeap::isScavengerSuspended):
        (WTF::TCMalloc_PageHeap::scheduleScavenger):
        (WTF::TCMalloc_PageHeap::suspendScavenger):
        (WTF::TCMalloc_PageHeap::signalScavenger):
        (WTF::TCMallocStats::malloc):
        (WTF::TCMallocStats::free):
        (WTF::TCMallocStats::fastCalloc):
        (WTF::TCMallocStats::tryFastCalloc):
        (WTF::TCMallocStats::calloc):
        (WTF::TCMallocStats::fastRealloc):
        (WTF::TCMallocStats::tryFastRealloc):
        (WTF::TCMallocStats::realloc):
        (WTF::TCMallocStats::fastMallocSize):
        * wtf/FastMalloc.h:
        (WTF::Internal::fastMallocValidationHeader):
        (WTF::Internal::fastMallocValidationSuffix):
        (WTF::Internal::fastMallocMatchValidationType):
        (WTF::Internal::setFastMallocMatchValidationType):
        (WTF::fastMallocMatchValidateFree):
        (WTF::fastMallocValidate):

2011-05-03  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Anders Carlsson.

        Compile error with GCC 4.6.0, tries to assign unsigned& to bitfield
        https://bugs.webkit.org/show_bug.cgi?id=59261

        Use unary '+' to force proper type detection in template arguments
        with GCC 4.6.0. See bug report for more details.

        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::remove): Use '+' to force precise type detection.
        (JSC::StructureTransitionTable::add): ditto.
        * runtime/Structure.h:
        (JSC::StructureTransitionTable::keyForWeakGCMapFinalizer): ditto.

2011-05-03  Jessie Berlin  <jberlin@apple.com>

        Rubber-stamped by Adam Roben.

        Revert r85550 and r85575.

        Variables cannot be exported via the .def file. Instead, they should be annotated with
        JS_EXPORTDATA.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        * runtime/Structure.h:
        (JSC::Structure::typeInfo):
        (JSC::Structure::previousID):
        (JSC::Structure::propertyStorageCapacity):
        (JSC::Structure::propertyStorageSize):
        (JSC::Structure::get):
        (JSC::Structure::materializePropertyMapIfNecessary):

2011-05-02  Adam Roben  <aroben@apple.com>

        Allow implicit conversion from nullptr_t to PassOwnPtr

        This makes it a lot easier to write code that just wants a null PassOwnPtr, especially in
        strict PassOwnPtr mode.

        Fixes <http://webkit.org/b/59964> Implicit conversion from std::nullptr_t to PassOwnPtr
        doesn't work, but should

        Reviewed by Adam Barth.

        * wtf/PassOwnPtr.h:
        (WTF::PassOwnPtr::PassOwnPtr): Added a non-explicit constructor that takes a nullptr_t.

        * wtf/MessageQueue.h:
        (WTF::::waitForMessageFilteredWithTimeout):
        (WTF::::tryGetMessage):
        Use the new implicit conversion.

2011-05-02  Jessie Berlin  <jberlin@apple.com>

        Rubber-stamped by Oliver Hunt.

        Remove an assertion that Windows was hitting on launch.

        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        * runtime/Structure.h:
        (JSC::Structure::typeInfo):
        (JSC::Structure::previousID):
        (JSC::Structure::propertyStorageCapacity):
        (JSC::Structure::propertyStorageSize):
        (JSC::Structure::get):
        (JSC::Structure::materializePropertyMapIfNecessary):

2011-05-02  Mark Rowe  <mrowe@apple.com>

        Reviewed by Geoff Garen.

        <rdar://problem/9371948> JavaScriptCore should build with GCC 4.2

        * Configurations/CompilerVersion.xcconfig:

2011-05-02  Gavin Barraclough  <barraclough@apple.com>

        ARMv7 build fix.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Jump::link):
        (JSC::AbstractMacroAssembler::Jump::linkTo):

2011-05-02  Oliver Hunt  <oliver@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-05-02  Michael Saboff  <msaboff@apple.com>

        Reviewed by Geoffrey Garen.

        crash in JSC::RegExp::match
        https://bugs.webkit.org/show_bug.cgi?id=58922

        Cleared chained backtrack data label when linking label even if that 
        label doesn't chain itself.  This is needed so that subsequent 
        backtrack data labels point to the next outer paren and not within 
        the current paren.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::TermGenerationState::linkDataLabelToBacktrackIfExists):

2011-05-02  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Tiny bit of heap cleanup.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::contains): Tightened up an assertion and a comment.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::globalData):
        (JSC::MarkedSpace::highWaterMark):
        (JSC::MarkedSpace::setHighWaterMark): Moved inlines out of the class
        definition, for better clarity.

2011-05-02  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Correct marking of interpreter data in mixed mode builds
        https://bugs.webkit.org/show_bug.cgi?id=59962

        We had a few places in mixed mode builds where we would not
        track data used by the interpreter for marking.  This patch
        corrects the problem and adds a number of assertions to catch
        live Structures being collected.

        * JavaScriptCore.exp:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ARMInstructionFormatter::debugOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::addGlobalResolveInstruction):
        (JSC::CodeBlock::addStructureStubInfo):
        (JSC::CodeBlock::addGlobalResolveInfo):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        * runtime/Structure.h:
        (JSC::Structure::typeInfo):
        (JSC::Structure::previousID):
        (JSC::Structure::propertyStorageCapacity):
        (JSC::Structure::propertyStorageSize):
        (JSC::Structure::get):
        (JSC::Structure::materializePropertyMapIfNecessary):

2011-05-02  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Alexey Proskuryakov.

        Use native NullPtr when using GCC 4.6.0 and C++0x
        https://bugs.webkit.org/show_bug.cgi?id=59252

        GCC 4.6.0 has nullptr support, use it when possible.

        * wtf/NullPtr.cpp: include config.h to pull in Platform.h before
        NullPtr.h, since we need the GCC_VERSION_AT_LEAST definition.
        * wtf/NullPtr.h: check for GCC >= 4.6.0 and C++0x in order to
        use native nullptr.

2011-05-02  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=59950
        Clean up AssemblerBuffer to use a Vector internally.

        AssemblerBuffer handles reallocing a byte array itself - stop that.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerLabel::AssemblerLabel):
        (JSC::AssemblerLabel::labelAtOffset):
        (JSC::AssemblerBuffer::AssemblerBuffer):
        (JSC::AssemblerBuffer::~AssemblerBuffer):
        (JSC::AssemblerBuffer::isAvailable):
        (JSC::AssemblerBuffer::ensureSpace):
        (JSC::AssemblerBuffer::isAligned):
        (JSC::AssemblerBuffer::putIntegral):
        (JSC::AssemblerBuffer::putIntegralUnchecked):
        (JSC::AssemblerBuffer::putByteUnchecked):
        (JSC::AssemblerBuffer::putByte):
        (JSC::AssemblerBuffer::putShortUnchecked):
        (JSC::AssemblerBuffer::putShort):
        (JSC::AssemblerBuffer::putIntUnchecked):
        (JSC::AssemblerBuffer::putInt):
        (JSC::AssemblerBuffer::putInt64Unchecked):
        (JSC::AssemblerBuffer::putInt64):
        (JSC::AssemblerBuffer::codeSize):
        (JSC::AssemblerBuffer::label):
        (JSC::AssemblerBuffer::executableCopy):
        (JSC::AssemblerBuffer::rewindToLabel):
        (JSC::AssemblerBuffer::debugOffset):
        (JSC::AssemblerBuffer::append):
        (JSC::AssemblerBuffer::grow):
        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::linkCall):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::X86InstructionFormatter::rewindToLabel):

2011-05-02  Jeff Miller  <jeffm@apple.com>

        Reviewed by Alexy Proskuryakov.

        Avoid potential buffer overflow in WTFLog() and WTFLogVerbose()
        https://bugs.webkit.org/show_bug.cgi?id=59949

        * wtf/Assertions.cpp: Check for 0 or empty format string in WTFLog() and WTFLogVerbose().

2011-05-02  Adam Barth  <abarth@webkit.org>

        Reviewed by Alexey Proskuryakov.

        StringImpl::endsWith has some insane code
        https://bugs.webkit.org/show_bug.cgi?id=59900

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::endsWith):
            - m_data shadows a member variable of the same name.

2011-05-02  Gabor Loki  <loki@webkit.org>

        Buildfix for ARM after r85448

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::loadBranchTarget):

2011-05-01  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Strict-mode only reserved words not reserved
        https://bugs.webkit.org/show_bug.cgi?id=55342

        Fix line number tracking when we rollback the lexer.

        * parser/JSParser.cpp:
        (JSC::JSParser::parseSourceElements):

2011-05-01  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        ES5 Strict mode does not allow getter and setter for same propId
        https://bugs.webkit.org/show_bug.cgi?id=57295

        Simplify and correct the logic for strict mode object literals.

        * parser/JSParser.cpp:
        (JSC::JSParser::parseStrictObjectLiteral):

2011-05-01  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Assigning to function identifier under strict should throw
        https://bugs.webkit.org/show_bug.cgi?id=59289

        Add logic to StaticScopeObject to ensure we don't silently consume
        writes to constant properties.

        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::put):

2011-05-01  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=59903
        Use AssemblerLabel throughout Assembler classes, AssemblerBuffer

        Creating a lable() into the AssemblerBuffer should return an AssemblerLabel,
        not an unsigned int.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::blx):
        (JSC::ARMAssembler::label):
        (JSC::ARMAssembler::loadBranchTarget):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::b):
        (JSC::ARMv7Assembler::blx):
        (JSC::ARMv7Assembler::bx):
        (JSC::ARMv7Assembler::label):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::label):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::label):
        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::label):
        (JSC::MIPSAssembler::relocateJumps):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::loadConstant):
        (JSC::SH4Assembler::loadConstantUnReusable):
        (JSC::SH4Assembler::call):
        (JSC::SH4Assembler::jmp):
        (JSC::SH4Assembler::jne):
        (JSC::SH4Assembler::je):
        (JSC::SH4Assembler::label):
        (JSC::SH4Assembler::oneShortOp):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::call):
        (JSC::X86Assembler::jmp_r):
        (JSC::X86Assembler::label):
        (JSC::X86Assembler::X86InstructionFormatter::immediateRel32):
        (JSC::X86Assembler::X86InstructionFormatter::label):

2011-05-01  Adam Barth  <abarth@webkit.org>

        Reviewed by David Levin.

        Enable strict mode for OwnPtr and PassOwnPtr
        https://bugs.webkit.org/show_bug.cgi?id=59428

        * wtf/OwnPtr.h:

2011-05-01  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Adam Barth.

        Enable strict OwnPtr for PLATFORM(WIN)
        https://bugs.webkit.org/show_bug.cgi?id=59881

        * wtf/OwnPtr.h:

2011-05-01  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=59896
        Remove JmpSrc/JmpDst types.

        The JmpSrc/JmpDst classes predate the MacroAssembler interface. Having these
        object be per-assembler in unhelpful, causes unnecessary code duplication,
        and prevents the AssemblerBuffer from providing a richer type for labels.
        The limited semantic meaning that they did convey is undermined by the manner
        in which their meanings have been overloaded (use of JmpSrc for Call, JmpDst
        for data labels).

        Jumps on ARMv7 have had additional information added to the object via the
        ARMv7 JmpSrc. This data should probably be in the instruction stream. This
        patch does not fix the problem, and moves the data (ifdefed) to
        AbstractMacroAssembler::Jump (which is effectively where it was before!).
        This at least closes the hole such that no further data may be added to JmpSrc,
        but this is unfortunate, and should be cleaned up.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::blx):
        (JSC::ARMAssembler::label):
        (JSC::ARMAssembler::align):
        (JSC::ARMAssembler::loadBranchTarget):
        (JSC::ARMAssembler::jmp):
        (JSC::ARMAssembler::linkPointer):
        (JSC::ARMAssembler::linkJump):
        (JSC::ARMAssembler::linkCall):
        (JSC::ARMAssembler::getRelocatedAddress):
        (JSC::ARMAssembler::getDifferenceBetweenLabels):
        (JSC::ARMAssembler::getCallReturnOffset):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::b):
        (JSC::ARMv7Assembler::blx):
        (JSC::ARMv7Assembler::bx):
        (JSC::ARMv7Assembler::label):
        (JSC::ARMv7Assembler::align):
        (JSC::ARMv7Assembler::getRelocatedAddress):
        (JSC::ARMv7Assembler::getDifferenceBetweenLabels):
        (JSC::ARMv7Assembler::getCallReturnOffset):
        (JSC::ARMv7Assembler::linkJump):
        (JSC::ARMv7Assembler::linkCall):
        (JSC::ARMv7Assembler::linkPointer):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Label::isSet):
        (JSC::AbstractMacroAssembler::Call::Call):
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        (JSC::AbstractMacroAssembler::Jump::linkTo):
        (JSC::AbstractMacroAssembler::linkPointer):
        (JSC::AbstractMacroAssembler::getLinkerAddress):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerLabel::AssemblerLabel):
        (JSC::AssemblerLabel::isSet):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::patch):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::label):
        (JSC::MIPSAssembler::align):
        (JSC::MIPSAssembler::getRelocatedAddress):
        (JSC::MIPSAssembler::getDifferenceBetweenLabels):
        (JSC::MIPSAssembler::getCallReturnOffset):
        (JSC::MIPSAssembler::linkJump):
        (JSC::MIPSAssembler::linkCall):
        (JSC::MIPSAssembler::linkPointer):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchDouble):
        (JSC::MacroAssemblerARMv7::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::ret):
        (JSC::MacroAssemblerARMv7::tailRecursiveCall):
        (JSC::MacroAssemblerARMv7::makeBranch):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::nearCall):
        (JSC::MacroAssemblerMIPS::call):
        (JSC::MacroAssemblerMIPS::tailRecursiveCall):
        (JSC::MacroAssemblerMIPS::branchTrue):
        (JSC::MacroAssemblerMIPS::branchFalse):
        (JSC::MacroAssemblerMIPS::branchEqual):
        (JSC::MacroAssemblerMIPS::branchNotEqual):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::call):
        (JSC::SH4Assembler::jmp):
        (JSC::SH4Assembler::jne):
        (JSC::SH4Assembler::je):
        (JSC::SH4Assembler::label):
        (JSC::SH4Assembler::align):
        (JSC::SH4Assembler::linkJump):
        (JSC::SH4Assembler::linkCall):
        (JSC::SH4Assembler::linkPointer):
        (JSC::SH4Assembler::getCallReturnOffset):
        (JSC::SH4Assembler::getRelocatedAddress):
        (JSC::SH4Assembler::getDifferenceBetweenLabels):
        (JSC::SH4Assembler::patchPointer):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::call):
        (JSC::X86Assembler::jmp):
        (JSC::X86Assembler::jmp_r):
        (JSC::X86Assembler::jne):
        (JSC::X86Assembler::jnz):
        (JSC::X86Assembler::je):
        (JSC::X86Assembler::jz):
        (JSC::X86Assembler::jl):
        (JSC::X86Assembler::jb):
        (JSC::X86Assembler::jle):
        (JSC::X86Assembler::jbe):
        (JSC::X86Assembler::jge):
        (JSC::X86Assembler::jg):
        (JSC::X86Assembler::ja):
        (JSC::X86Assembler::jae):
        (JSC::X86Assembler::jo):
        (JSC::X86Assembler::jp):
        (JSC::X86Assembler::js):
        (JSC::X86Assembler::jCC):
        (JSC::X86Assembler::label):
        (JSC::X86Assembler::labelFor):
        (JSC::X86Assembler::align):
        (JSC::X86Assembler::linkJump):
        (JSC::X86Assembler::linkCall):
        (JSC::X86Assembler::linkPointer):
        (JSC::X86Assembler::getCallReturnOffset):
        (JSC::X86Assembler::getRelocatedAddress):
        (JSC::X86Assembler::getDifferenceBetweenLabels):
        (JSC::X86Assembler::rewindToLabel):
        (JSC::X86Assembler::X86InstructionFormatter::immediateRel32):
        (JSC::X86Assembler::X86InstructionFormatter::rewindToLabel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::atJumpTarget):
        (JSC::JIT::emitGetVirtualRegister):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jmp):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_jsr):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_jmp_scopes):

2011-05-01  Chao-ying Fu  <fu@mips.com>

        Reviewed by Eric Seidel.

        Fix MIPS build due to the split of "Condition" enum
        https://bugs.webkit.org/show_bug.cgi?id=59407

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::debugOffset):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branch32):
        (JSC::MacroAssemblerMIPS::compare32):

2011-04-30  Adam Barth  <abarth@webkit.org>

        Reviewed by Adam Barth.

        Enable strict OwnPtr for GTK
        https://bugs.webkit.org/show_bug.cgi?id=59861

        * wtf/OwnPtr.h:

2011-04-30  Gavin Barraclough  <barraclough@apple.com>

        ARMv7 build fix.

        * assembler/AssemblerBufferWithConstantPool.h:

2011-04-30  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        Bug 59869 - AssemblerBuffer cleanup - disambiguate size()

        The method size() is called on the AssemblerBuffer both to acquire
        the complete size of the code, and to get a position to use as a
        label into the code. Instead, add an explicit 'label' method.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::blx):
        (JSC::ARMAssembler::codeSize):
        (JSC::ARMAssembler::label):
        (JSC::ARMAssembler::loadBranchTarget):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::b):
        (JSC::ARMv7Assembler::blx):
        (JSC::ARMv7Assembler::bx):
        (JSC::ARMv7Assembler::label):
        (JSC::ARMv7Assembler::codeSize):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::codeSize):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::data):
        * assembler/AbstractMacroAssembler.h:
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::codeSize):
        (JSC::AssemblerBuffer::label):
        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::linkCode):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::newJmpSrc):
        (JSC::MIPSAssembler::appendJump):
        (JSC::MIPSAssembler::label):
        (JSC::MIPSAssembler::codeSize):
        (JSC::MIPSAssembler::relocateJumps):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::loadConstant):
        (JSC::SH4Assembler::loadConstantUnReusable):
        (JSC::SH4Assembler::call):
        (JSC::SH4Assembler::jmp):
        (JSC::SH4Assembler::jne):
        (JSC::SH4Assembler::je):
        (JSC::SH4Assembler::label):
        (JSC::SH4Assembler::executableCopy):
        (JSC::SH4Assembler::oneShortOp):
        (JSC::SH4Assembler::codeSize):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::call):
        (JSC::X86Assembler::jmp_r):
        (JSC::X86Assembler::codeSize):
        (JSC::X86Assembler::label):
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::immediateRel32):
        (JSC::X86Assembler::X86InstructionFormatter::codeSize):
        (JSC::X86Assembler::X86InstructionFormatter::label):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2011-04-29  Adam Barth  <abarth@webkit.org>

        Attempt to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-04-29  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        CSP script-src should block eval
        https://bugs.webkit.org/show_bug.cgi?id=59850

        ggaren recommend a different approach to this patch, essentially
        installing a new function for function-eval and changing the AST
        representation of operator-eval to call function-eval.  However, I'm
        not sure that approach is workable because the ASTBuilder doesn't know
        about global objects, and there is added complication due to the cache.

        This approach is more dynamic, adding a branch in EvalExecutable to
        detect whether eval is current disabled in the lexical scope.  The spec
        is slightly unclear about whether we should return undefined or throw
        an exception.  I've asked Brandon to clarify the spec, but throwing an
        exception seems natural.

        * JavaScriptCore.exp:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::disableEval):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::isEvalEnabled):

2011-04-29  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=59847
        Remove linkOffset from LinkBuffer

        This is redundant since removal of recompilation for exception info.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::linkCode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compile):
        (JSC::JIT::compileCTIMachineTrampolines):
        (JSC::JIT::compileCTINativeCall):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2011-04-29  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt & Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=59221
        [RegexFuzz] Regression blocking testing

        Okay, so the bug here is that when, in the case of a TypeParentheticalAssertion
        node, emitDisjunction recursively calls to itself to emit the nested disjunction
        the value of parenthesesInputCountAlreadyChecked is bogus (doesn't take into
        account the uncheck that has just taken place).

        Also, the special handling given to countToCheck in the case of parenthetical
        assertions is nonsense, delete it, along with the isParentheticalAssertion argument.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):

2011-04-29  Csaba Osztrogonác  <ossy@webkit.org>

        Reviewed by Adam Barth.

        Enable strict OwnPtr for Qt
        https://bugs.webkit.org/show_bug.cgi?id=59667

        * wtf/OwnPtr.h:

2011-04-29  Dean Jackson  <dino@apple.com>

        Reviewed by Simon Fraser.

        Add ENABLE macro for WebKitAnimation
        https://bugs.webkit.org/show_bug.cgi?id=59729

        Add new feature to toggle WebKit Animation API.

        * Configurations/FeatureDefines.xcconfig:

2011-04-28  Sam Weinig  <sam@webkit.org>

        Reviewed by Mark Rowe.

        Install testapi.js along side testapi
        https://bugs.webkit.org/show_bug.cgi?id=59773

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new build phase to copy testapi.js to install path of testapi
        on install.

2011-04-28  David Levin  <levin@chromium.org>

        Reviewed by Adam Barth.

        Remove IMAGE_RESIZER related code.
        https://bugs.webkit.org/show_bug.cgi?id=59735

        * Configurations/FeatureDefines.xcconfig:

2011-04-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=59763
        DFG JIT - Unify FPRReg & FPRegisterID

        (Following on from GPRReg/RegisterID unification).

        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::checkConsistency):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        (JSC::DFG::JITCodeGenerator::flushRegisters):
        (JSC::DFG::JITCodeGenerator::isFlushed):
        (JSC::DFG::JITCodeGenerator::setupTwoStubArgs):
        (JSC::DFG::JITCodeGenerator::setupStubArguments):
        (JSC::DFG::JITCodeGenerator::callOperation):
        (JSC::DFG::GPRResult::lockedResult):
        (JSC::DFG::FPRResult::lockedResult):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::EntryLocation::EntryLocation):
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::valueToInt32):
        (JSC::DFG::NonSpeculativeJIT::numberToInt32):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        (JSC::DFG::NonSpeculativeJIT::silentSpillAllRegisters):
        (JSC::DFG::NonSpeculativeJIT::silentFillAllRegisters):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::iterator::regID):
        (JSC::DFG::RegisterBank::iterator::debugName):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculationCheck::SpeculationCheck):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:

2011-04-28  David Kilzer  <ddkilzer@apple.com>

        Revert "<http://webkit.org/b/59705> WTF::postTimer() leaks a CFRunLoopTimerRef every time it's called"

        This reverts commit r85195.  It was crashing DumpRenderTree on Lion.

        * wtf/mac/MainThreadMac.mm:
        (WTF::postTimer):

2011-04-28  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Remove WML
        https://bugs.webkit.org/show_bug.cgi?id=59678

        Remove the WML configuration option from the Mac build system.

        * Configurations/FeatureDefines.xcconfig:

2011-04-28  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r85233 and r85235.
        http://trac.webkit.org/changeset/85233
        http://trac.webkit.org/changeset/85235
        https://bugs.webkit.org/show_bug.cgi?id=59754

        Causes issues with jsc. (Requested by dave_levin on #webkit).

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/ExecutableAllocator.h:
        (JSC::ExecutablePool::ExecutablePool):
        * parser/SourceProvider.h:
        (JSC::SourceProvider::SourceProvider):
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        * wtf/CMakeLists.txt:
        * wtf/RefCounted.h:
        (WTF::RefCountedBase::ref):
        (WTF::RefCountedBase::hasOneRef):
        (WTF::RefCountedBase::refCount):
        (WTF::RefCountedBase::derefBase):
        * wtf/SizeLimits.cpp:
        * wtf/ThreadRestrictionVerifier.h: Removed.
        * wtf/text/CString.h:
        (WTF::CStringBuffer::CStringBuffer):

2011-04-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        Bug 59740 - DFG JIT - Unify GPRReg & RegisterID

        Currently we use a mix of enum values throughout the DFG JIT to  represent
        gpr registers - the RegisterID provided by the MacroAssembler, and the
        GPRReg enum giving the sequential register set over which the RegisterBank
        allocates. Unify the two.

        Patch to unify FPRReg in a similar fashion will follow.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGFPRInfo.h: Added.
        (JSC::DFG::next):
        (JSC::DFG::FPRBankInfo::toRegister):
        (JSC::DFG::FPRBankInfo::toIndex):
        * dfg/DFGGPRInfo.h: Added.
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::dump):
        (JSC::DFG::JITCodeGenerator::checkConsistency):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::JITCodeGenerator::flushRegisters):
        (JSC::DFG::JITCodeGenerator::isFlushed):
        (JSC::DFG::JITCodeGenerator::bitOp):
        (JSC::DFG::JITCodeGenerator::shiftOp):
        (JSC::DFG::JITCodeGenerator::setupTwoStubArgs):
        (JSC::DFG::JITCodeGenerator::setupStubArguments):
        (JSC::DFG::JITCodeGenerator::callOperation):
        (JSC::DFG::IntegerOperand::gpr):
        (JSC::DFG::DoubleOperand::gpr):
        (JSC::DFG::GPRTemporary::gpr):
        (JSC::DFG::FPRTemporary::gpr):
        (JSC::DFG::GPRResult::lockedResult):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::fillToJS):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::jitAssertIsInt32):
        (JSC::DFG::JITCompiler::jitAssertIsJSInt32):
        (JSC::DFG::JITCompiler::jitAssertIsJSNumber):
        (JSC::DFG::JITCompiler::jitAssertIsJSDouble):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::preserveReturnAddressAfterCall):
        (JSC::DFG::JITCompiler::restoreReturnAddressBeforeReturn):
        (JSC::DFG::JITCompiler::emitGetFromCallFrameHeaderPtr):
        (JSC::DFG::JITCompiler::emitPutToCallFrameHeader):
        (JSC::DFG::JITCompiler::emitPutImmediateToCallFrameHeader):
        (JSC::DFG::JITCompiler::addressForGlobalVar):
        (JSC::DFG::JITCompiler::addressFor):
        (JSC::DFG::JITCompiler::tagFor):
        (JSC::DFG::JITCompiler::payloadFor):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::EntryLocation::EntryLocation):
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::valueToInt32):
        (JSC::DFG::NonSpeculativeJIT::numberToInt32):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        (JSC::DFG::NonSpeculativeJIT::silentSpillGPR):
        (JSC::DFG::NonSpeculativeJIT::silentSpillFPR):
        (JSC::DFG::NonSpeculativeJIT::silentFillGPR):
        (JSC::DFG::NonSpeculativeJIT::silentFillFPR):
        (JSC::DFG::NonSpeculativeJIT::silentSpillAllRegisters):
        (JSC::DFG::NonSpeculativeJIT::silentFillAllRegisters):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::allocate):
        (JSC::DFG::RegisterBank::retain):
        (JSC::DFG::RegisterBank::release):
        (JSC::DFG::RegisterBank::lock):
        (JSC::DFG::RegisterBank::unlock):
        (JSC::DFG::RegisterBank::isLocked):
        (JSC::DFG::RegisterBank::name):
        (JSC::DFG::RegisterBank::iterator::name):
        (JSC::DFG::RegisterBank::iterator::isLocked):
        (JSC::DFG::RegisterBank::iterator::release):
        (JSC::DFG::RegisterBank::iterator::gpr):
        (JSC::DFG::RegisterBank::iterator::debugName):
        (JSC::DFG::RegisterBank::iterator::operator++):
        (JSC::DFG::RegisterBank::iterator::operator!=):
        (JSC::DFG::RegisterBank::iterator::index):
        (JSC::DFG::RegisterBank::iterator::iterator):
        (JSC::DFG::RegisterBank::begin):
        (JSC::DFG::RegisterBank::end):
        (JSC::DFG::RegisterBank::isLockedAtIndex):
        (JSC::DFG::RegisterBank::nameAtIndex):
        (JSC::DFG::RegisterBank::releaseAtIndex):
        (JSC::DFG::RegisterBank::allocateInternal):
        (JSC::DFG::RegisterBank::MapEntry::MapEntry):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::~ScoreBoard):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculationCheck::SpeculationCheck):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateIntegerOperand::gpr):

2011-04-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Remove evil addressOfStructure() function
        https://bugs.webkit.org/show_bug.cgi?id=59739

        Remove the addressOfStructure function from JSCell, and update
        callsites to use the same logic as testPrototype()

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdProtoList):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdProtoList):
        * runtime/JSCell.h:

2011-04-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Clean up testPrototype()
        https://bugs.webkit.org/show_bug.cgi?id=59734

        Remove direct pointer to the inside of a GC object and just do
        the indirect load manually.  Doesn't effect sunspider but does
        clean up the code quite a bit, and simplifies the handling of
        GC values.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::testPrototype):

2011-04-28  David Levin  <levin@chromium.org>

        Build fix.

        * wtf/RefCounted.h: Fix inverted ifdef.

2011-04-07  David Levin  <levin@chromium.org>

        Reviewed by Darin Adler.

        Add asserts to RefCounted to make sure ref/deref happens on the right thread.
        https://bugs.webkit.org/show_bug.cgi?id=31639

        * GNUmakefile.list.am: Added new files to the build.
        * JavaScriptCore.gypi: Ditto.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Ditto.
        * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
        * jit/ExecutableAllocator.h:
        (JSC::ExecutablePool::ExecutablePool): Turned off checks for this
        due to not being able to figure out what was guarding it (bug 58091).
        * parser/SourceProvider.h:
        (JSC::SourceProvider::SourceProvider): Ditto.
        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp): Ditto.
        * wtf/CMakeLists.txt: Added new files to the build.
        * wtf/ThreadRestrictionVerifier.h: Added.
        Everything is done in the header to avoid the issue with exports
        that are only useful in debug but still needing to export them.
        * wtf/RefCounted.h:
        (WTF::RefCountedBase::ref): Added checks using the non thread safe verifier.
        and filed bug 58171 about making it stricter.
        (WTF::RefCountedBase::hasOneRef): Ditto.
        (WTF::RefCountedBase::refCount): Ditto.
        (WTF::RefCountedBase::setMutexForVerifier): Expose a way to change the checks to be based
        on a mutex. This is in the header to avoid adding more exports from JavaScriptCore.
        (WTF::RefCountedBase::deprecatedTurnOffVerifier): Temporary way to turn off verification.
        Filed bug 58174 to remove this method.
        (WTF::RefCountedBase::derefBase):
        * wtf/SizeLimits.cpp: Adjusted the debug size check for RefCounted.
        * wtf/text/CString.h:
        (WTF::CStringBuffer::CStringBuffer): Turned off checks for this while a fix is being
        done in Chromium's test_shell (bug 58093).

2011-04-28  Xan Lopez  <xlopez@igalia.com>

        Unreviewed attempt to fix the build.

        * GNUmakefile.am: add -lpthread.

2011-04-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Only need a single implementation of testPrototype
        https://bugs.webkit.org/show_bug.cgi?id=59724

        Remove excess copy of identical testPrototype() code

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::testPrototype):
        * jit/JITPropertyAccess32_64.cpp:

2011-04-28  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Martin Robinson.

        [Gtk] Split JSC and WebCore builds
        https://bugs.webkit.org/show_bug.cgi?id=19428

        Build JavaScriptCore as a libtool shared library instead of a
        private convenience library.

        * GNUmakefile.am: define new jsc library and adapt to new name for
        javascriptcore target.
        * GNUmakefile.list.am: ditto.

2011-04-28  David Kilzer  <ddkilzer@apple.com>

        <http://webkit.org/b/59705> WTF::postTimer() leaks a CFRunLoopTimerRef every time it's called

        Reviewed by Simon Fraser.

        * wtf/mac/MainThreadMac.mm:
        (WTF::postTimer): Use RetainPtr to plug the leak.

2011-04-27  Sam Weinig  <sam@webkit.org>

        Reviewed by David Kilzer.

        Add way to install testapi in production builds
        https://bugs.webkit.org/show_bug.cgi?id=59674

        * Configurations/TestAPI.xcconfig: Copied from Configurations/JavaScriptCore.xcconfig.
        Add configuration file for TestAPI. In addition to name, we now specify an install path
        and allow SKIP_INSTALL to be overridden by setting FORCE_TOOL_INSTALL.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Remove in-project build settings and add missing configuration files. Added missing CompilerVersion.xcconfig
        file.

2011-04-27  Adam Barth  <abarth@webkit.org>

        Reviewed by David Levin.

        Enable strict OwnPtrs for Chromium
        https://bugs.webkit.org/show_bug.cgi?id=59666

        * wtf/OwnPtr.h:

2011-04-27  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Add ability to remove keys from weakmap API
        https://bugs.webkit.org/show_bug.cgi?id=59645

        Add JSWeakObjectMapRemove API

        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWeakObjectMapRefPrivate.h:
        * JavaScriptCore.exp:

2011-04-27  Adam Barth  <abarth@webkit.org>

        Reviewed by David Levin.

        Enable strict mode for OwnPtr
        https://bugs.webkit.org/show_bug.cgi?id=59428

        This patch enables strict mode for OwnPtr on PLATFORM(MAC) only.

        * wtf/OwnPtr.h:

2011-04-27  Steve Block  <steveblock@google.com>

        Reviewed by David Levin.

        Remove Android build system
        https://bugs.webkit.org/show_bug.cgi?id=48111

        This is to avoid the maintenance burden until the Android port is
        fully upstreamed.

        * Android.mk: Removed.
        * Android.v8.wtf.mk: Removed.

2011-04-27  Mark Rowe  <mrowe@apple.com>

        Fix 32-bit build after r85036.

        * wtf/Platform.h: USE(PLUGIN_HOST_PROCESS) is only true for 64-bit.

2011-04-27  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix after r85036.

        Readd non-dead code.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2011-04-27  Adam Barth  <abarth@webkit.org>

        Reviewed by Kenneth Russell.

        OwnPtr assignment operator should be private
        https://bugs.webkit.org/show_bug.cgi?id=59487

        Unfortunately we can't remove the copy constructor because of some
        detail about gcc.  (The issue is documented in a comment already.)

        * wtf/OwnPtr.h:

2011-04-26  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r84977.
        http://trac.webkit.org/changeset/84977
        https://bugs.webkit.org/show_bug.cgi?id=59568

        caused crashes on the SL WK2 bots (Requested by jessieberlin
        on #webkit).

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call):
        (JSC::MacroAssemblerX86_64::tailRecursiveCall):
        (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):

2011-04-26  Kevin Ollivier  <kevino@theolliviers.com>

        Rubberstamped by Eric Seidel.

        Enable waf to be used to build other ports
        https://bugs.webkit.org/show_bug.cgi?id=58213

        * wscript:

2011-04-26  Sam Weinig  <sam@webkit.org>

        Reviewed by David Hyatt.

        Remove Datagrid from the tree
        https://bugs.webkit.org/show_bug.cgi?id=59543

        * Configurations/FeatureDefines.xcconfig:
        Remove feature.

2011-04-26  Adrienne Walker  <enne@google.com>

        Reviewed by Geoffrey Garen.

        Fix incorrect use of OwnPtr<T*> in GCActivityCallback
        https://bugs.webkit.org/show_bug.cgi?id=59559

        * runtime/GCActivityCallback.h:

2011-04-26  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Daniel Bates.

        Unused but set variable warning in MacroAssembelX86_64
        https://bugs.webkit.org/show_bug.cgi?id=59482

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call): do not declare the label
        variable if we are not going to use it.
        (JSC::MacroAssemblerX86_64::tailRecursiveCall): ditto.
        (JSC::MacroAssemblerX86_64::makeTailRecursiveCall): ditto.

2011-04-26  Dan Bernstein  <mitz@apple.com>

        Reviewed by Mark Rowe.

        Choose the compiler based on the Xcode version for Snow Leopard debug builds.

        * Configurations/Base.xcconfig:
        * Configurations/CompilerVersion.xcconfig: Added.

2011-04-25  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Nixed special finalizer handling for WebCore strings
        https://bugs.webkit.org/show_bug.cgi?id=59425
        
        SunSpider reports no change.
        
        Not needed anymore, since weak handles have finalizers.

        * runtime/JSString.cpp:
        (JSC::JSString::resolveRope):
        (JSC::JSString::resolveRopeSlowCase):
        (JSC::JSString::outOfMemory):
        (JSC::JSString::substringFromRope):
        (JSC::JSString::replaceCharacter): Updated for removal of union.

        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::~JSString):
        (JSC::RopeBuilder::appendStringInConstruct):
        (JSC::RopeBuilder::appendValueInConstructAndIncrementLength): No need for
        union or special constructor anymore.

2011-04-26  Gabor Loki  <loki@webkit.org>

        Reviewed by Csaba Osztrogonác.

        Speeding up SVG filters with multicore (SMP) support
        https://bugs.webkit.org/show_bug.cgi?id=43903

        Some SVG filters execute a huge number of pixel manipulations, which
        cannot be sped up by graphics accelerators, since their algorithm is
        too complex. Using the power of Symmetric Multi Processing (SMP) we
        can split up a task to smaller (data independent) tasks, which can be
        executed independently.

        The ParallelJobs framework provides a simple way for distributed
        programming. The framework is based on WebKit's threading infrastructure,
        Open Multi-Processing's (OpenMP) API, and libdispatch API.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        * wtf/ParallelJobs.h: Added.
        (WTF::ParallelJobs::ParallelJobs):
        (WTF::ParallelJobs::numberOfJobs):
        (WTF::ParallelJobs::parameterForJob):
        (WTF::ParallelJobs::executeJobs):
        * wtf/ParallelJobsGeneric.cpp: Added.
        (WTF::ParallelEnvironment::ThreadPrivate::tryLockFor):
        (WTF::ParallelEnvironment::ThreadPrivate::executeJob):
        (WTF::ParallelEnvironment::ThreadPrivate::waitForFinish):
        (WTF::ParallelEnvironment::ThreadPrivate::workerThread):
        * wtf/ParallelJobsGeneric.h: Added.
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::numberOfJobs):
        (WTF::ParallelEnvironment::parameterForJob):
        (WTF::ParallelEnvironment::executeJobs):
        (WTF::ParallelEnvironment::ThreadPrivate::ThreadPrivate):
        (WTF::ParallelEnvironment::ThreadPrivate::create):
        * wtf/ParallelJobsLibdispatch.h: Added.
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::numberOfJobs):
        (WTF::ParallelEnvironment::parameterForJob):
        (WTF::ParallelEnvironment::executeJobs):
        * wtf/ParallelJobsOpenMP.h: Added.
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::numberOfJobs):
        (WTF::ParallelEnvironment::parameterForJob):
        (WTF::ParallelEnvironment::executeJobs):
        * wtf/Platform.h:
        * wtf/wtf.pri:

2011-04-26  Mihai Parparita  <mihaip@chromium.org>

        Reviewed by Adam Barth.

        Turn off make built-in implicit rules for derived sources makefile
        https://bugs.webkit.org/show_bug.cgi?id=59418
        
        We don't use any of make's built-in implicit rules, turning them off
        speeds up parsing of the makefile.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * gyp/generate-derived-sources.sh:

2011-04-25  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Custom prototypes on DOM objects don't persist after garbage collection
        https://bugs.webkit.org/show_bug.cgi?id=59412
        
        SunSpider reports no change.
        
        The hasCustomProperties() check didn't check for a custom prototype.

        * runtime/JSObject.h:
        (JSC::JSObject::hasCustomProperties): Changed to delegate to Structure
        because it is the "truth" about an object's pedigree.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (JSC::Structure::didTransition): Track whether a Structure has ever
        transitioned for any reason. If so, we have to assume that the object
        holding it is custom in some way.

2011-04-25  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=59405
        DFG JIT - add type speculation for integer & array types, for vars & args.

        If a var or argument is used as the base for a GetByVal or PutByVal access
        we are speculating that it is of type Array (we only generate code on the
        speculative path to perform array accesses). By typing the var or args slot
        as Array, and checking on entry to the function (in the case of args), and
        each time the local is written to, we can avoid a type check at each point
        the array is accessed. This will typically hoist type checks out of loops.

        Similarly, any local that is incremented or decremented, or is the input or
        output or a bitwise operator, is likely to be an integer. By typing the
        local as int32 we can avoid speculation checks on access, and tagging when
        writing to the slot. All accesses can become 32bit instead of 64.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::predictArray):
        (JSC::DFG::ByteCodeParser::predictInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::PredictionSlot::PredictionSlot):
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::tagFor):
        (JSC::DFG::JITCompiler::payloadFor):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
        * dfg/DFGSpeculativeJIT.h:
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):

2011-04-25  David Levin  <levin@chromium.org>

        Reviewed by James Robinson.

        Fix OwnPtr strict mode violation in MessageQueue.h
        https://bugs.webkit.org/show_bug.cgi?id=59400

        * wtf/MessageQueue.h:
        (WTF::::waitForMessage):
        (WTF::::waitForMessageFilteredWithTimeout):
        (WTF::::tryGetMessage):

2011-04-25  Adam Barth  <abarth@webkit.org>

        Reviewed by Darin Adler.

        JavaScriptCore should play nice strict OwnPtrs
        https://bugs.webkit.org/show_bug.cgi?id=59401

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):
        * heap/Heap.cpp:
        (JSC::TypeCounter::TypeCounter):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        * parser/JSParser.cpp:
        (JSC::JSParser::Scope::Scope):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::GenerationState::addParenthesesTail):

2011-04-25  Mark Rowe  <mrowe@apple.com>

        Build fix.

        * wtf/ListHashSet.h:

2011-04-25  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        Bug 59370 - DFG JIT - fix leak of BlocksBlocks
        (put the blocks immediately into an OwnPtr).

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2011-04-25  James Robinson  <jamesr@chromium.org>

        Reviewed by David Levin.

        Fix strict OwnPtr violations in ListHashSet and RenderLayerCompositor
        https://bugs.webkit.org/show_bug.cgi?id=59353

        * wtf/ListHashSet.h:
        (WTF::::ListHashSet):

2011-04-25  David Levin  <levin@chromium.org>

        Reviewed by Adam Barth.

        Fix PassOwnPtr issues in Structure and JSGlobalData.cpp
        https://bugs.webkit.org/show_bug.cgi?id=59347

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/Structure.cpp:
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:

2011-04-25  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make ClassInfo required when creating a Structure
        https://bugs.webkit.org/show_bug.cgi?id=59340

        Add ClassInfo to all those types which currently don't
        have it, and add an assertion to Structure::create to
        ensure that the provided classInfo is not null.

        * runtime/Executable.h:
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSString.cpp:
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::JSCell::createDummyStructure):

2011-04-25  David Levin  <levin@chromium.org>

        Reviewed by Adam Barth.

        PropertyMapHashTable.h should use adoptPtr instead of implicit conversions to PassRefPtr.
        https://bugs.webkit.org/show_bug.cgi?id=59342

        This patch is to prepare for the strict OwnPtr hack-a-thon.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::copy):

2011-04-25  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Gavin Barraclough.

        Rationalize MacroAssembler branch methods
        https://bugs.webkit.org/show_bug.cgi?id=58950

        split out the 'Condition' enum into 'RelationalCondition' and 'ResultCondition' 
        and apply related changes (only for SH4 platforms).

        * assembler/MacroAssemblerSH4.cpp:
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::compare32):
        (JSC::MacroAssemblerSH4::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerSH4::branchDouble):
        (JSC::MacroAssemblerSH4::branch32):
        (JSC::MacroAssemblerSH4::branchTest8):
        (JSC::MacroAssemblerSH4::branch8):
        (JSC::MacroAssemblerSH4::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerSH4::test8):
        (JSC::MacroAssemblerSH4::branch16):
        (JSC::MacroAssemblerSH4::branchTest32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::branchSub32):
        (JSC::MacroAssemblerSH4::branchOr32):
        (JSC::MacroAssemblerSH4::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerSH4::branchPtrWithPatch):
        (JSC::MacroAssemblerSH4::SH4Condition):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::cmpEqImmR0):

2011-04-25  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        PropertyMapHashTable should work with strict OwnPtr
        https://bugs.webkit.org/show_bug.cgi?id=59337

        This patch is in preparation for the strict OwnPtr hack-a-thon.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::addDeletedOffset):

2011-04-25  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Nixed MarkStack::deprecatedAppend, since it has no clients left.

        * heap/MarkStack.h:

2011-04-23  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        Bug 59287 - DFG JIT - Handle temporaries as vars, allowing support for ?:

        SetLocals to temporaries will only be generated if they are used within other
        blocks, due to the SSA based DCE.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::allocateVirtualRegisters):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.h:
        (JSC::DFG::BasicBlock::BasicBlock):

2011-04-22  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig & Geoff Garen.

        Bug 59266 - DFG JIT - Add SSA style DCE

        This works by making GetLocal nodes reference SetLocal nodes from prior blocks,
        via intermediate Phi nodes. Whenever we add a GetLocal to the graph, also add a
        matching child Phi, and add the Phi to a work queue to add references to prior
        definitions once we have the full CFG & can determine predecessors. This process
        is iterative, inserting new phis into predecessors as necessary.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getVariable):
        (JSC::DFG::ByteCodeParser::setVariable):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processWorkQueue):
        (JSC::DFG::ByteCodeParser::allocateVirtualRegisters):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::refChildren):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::ref):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::ref):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::~ScoreBoard):
        (JSC::DFG::ScoreBoard::dump):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-04-22  Vitaly Repeshko  <vitalyr@chromium.org>

        Reviewed by Adam Barth.

        Add missing default constructors for HashMap iterator specializations.
        https://bugs.webkit.org/show_bug.cgi?id=59250

        * wtf/HashIterators.h:
        * wtf/HashTable.h:
        (WTF::HashTableConstIterator::HashTableConstIterator): Added cast
        to help compiler find the function template.

2011-04-22  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 59262 - DFG JIT - reduce size of VariableRecord

        We never need both the get & set node, only the most recent
        (which is always a set, if both exist).

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getVariable):
        (JSC::DFG::ByteCodeParser::setVariable):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::VariableRecord::VariableRecord):

2011-04-22  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoffrey Garen.

        Bug 59254 - DFG JIT - retain VariableRecords for args/var in all basic blocks,
        such that this information is available for DCE.  Also, since this enlarges the
        size of BasicBlock, make Graph hold a vector of pointers to basic blocks, not a
        vector of blocks.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::getVariable):
        (JSC::DFG::ByteCodeParser::setVariable):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::setupPredecessors):
        (JSC::DFG::ByteCodeParser::allocateVirtualRegisters):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::VariableRecord::VariableRecord):
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::BasicBlock::getBytecodeBegin):
        (JSC::DFG::Graph::blockIndexForBytecodeOffset):
        (JSC::DFG::Graph::blockForBytecodeOffset):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):

2011-04-22  Gavin Barraclough  <barraclough@apple.com>

        Errk, build fix.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-04-22  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Quick cleanup to SpeculativeJIT/NonSpeculativeJIT compile loop,
        move out the call to checkConsistency().

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):

2011-04-21  Vitaly Repeshko  <vitalyr@chromium.org>

        Reviewed by Adam Barth.

        Provide default constructors for HashMap iterators.
        https://bugs.webkit.org/show_bug.cgi?id=59151

        These will be used to implement an iterator over EventTarget's
        listeners.

        * wtf/HashTable.h:
        (WTF::HashTableConstIteratorAdapter::HashTableConstIteratorAdapter):
        (WTF::HashTableIteratorAdapter::HashTableIteratorAdapter):

2011-04-22  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        Bug 59232 - DFG JIT - Add predecessor links to BasicBlocks

        These will be necessary for DCE support.
        Also factor allocateVirtualRegisters out into its own method.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setupPredecessors):
        (JSC::DFG::ByteCodeParser::allocateVirtualRegisters):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::blockForBytecodeOffset):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):

2011-04-22  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Object.create creates uncachable objects
        https://bugs.webkit.org/show_bug.cgi?id=59164

        Use the prototype object's inheritorID, as we
        should always have done

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::nullPrototypeObjectStructure):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorCreate):

2011-04-22  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 59222 - DFG JIT - don't allocate virtual registers to nodes with no result

        We currently allocate virtual registers to nodes which have no result - these are
        clearly unused, and may result in us allocating a larger than necessary stack frame.

        Encapsulate Node::virtualRegister such that we can ASSERT this is only called on
        nodes that have results, and improve the quality of output from the consistency check.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::dump):
        (JSC::DFG::JITCodeGenerator::checkConsistency):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::canReuse):
        (JSC::DFG::JITCodeGenerator::isFilled):
        (JSC::DFG::JITCodeGenerator::isFilledDouble):
        (JSC::DFG::JITCodeGenerator::use):
        (JSC::DFG::JITCodeGenerator::integerResult):
        (JSC::DFG::JITCodeGenerator::noResult):
        (JSC::DFG::JITCodeGenerator::cellResult):
        (JSC::DFG::JITCodeGenerator::jsValueResult):
        (JSC::DFG::JITCodeGenerator::doubleResult):
        (JSC::DFG::JITCodeGenerator::initConstantInfo):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::fillToJS):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::virtualRegister):
        (JSC::DFG::Node::setVirtualRegister):
        (JSC::DFG::Node::refCount):
        (JSC::DFG::Node::ref):
        (JSC::DFG::Node::deref):
        (JSC::DFG::Node::adjustedRefCount):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::isKnownInteger):
        (JSC::DFG::NonSpeculativeJIT::isKnownNumeric):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):

2011-04-22  Sam Weinig  <sam@webkit.org>

        Reviewed by Gavin Barraclough and Oliver Hunt.

        Arrays should participate in global object forwarding fun
        https://bugs.webkit.org/show_bug.cgi?id=59215

        * runtime/JSGlobalObject.h:
        (JSC::constructEmptyArray):
        (JSC::constructArray):
        Add variants of constructArray that take a global object.

2011-04-22  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r84650 and r84654.
        http://trac.webkit.org/changeset/84650
        http://trac.webkit.org/changeset/84654
        https://bugs.webkit.org/show_bug.cgi?id=59218

        Broke Windows build (Requested by bweinstein on #webkit).

        * API/JSCallbackObjectFunctions.h:
        (JSC::::init):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Handle.h:
        (JSC::HandleBase::operator!):
        (JSC::HandleBase::operator UnspecifiedBoolType*):
        (JSC::HandleTypes::getFromSlot):
        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::markStrongHandles):
        (JSC::HandleHeap::markWeakHandles):
        (JSC::HandleHeap::finalizeWeakHandles):
        (JSC::HandleHeap::writeBarrier):
        (JSC::HandleHeap::protectedGlobalObjectCount):
        (JSC::HandleHeap::isValidWeakNode):
        * heap/HandleHeap.h:
        (JSC::HandleHeap::copyWeak):
        (JSC::HandleHeap::makeWeak):
        (JSC::HandleHeap::Node::slot):
        * heap/HandleStack.cpp:
        (JSC::HandleStack::mark):
        (JSC::HandleStack::grow):
        * heap/HandleStack.h:
        (JSC::HandleStack::zapTo):
        (JSC::HandleStack::push):
        * heap/Heap.cpp:
        (JSC::HandleHeap::protectedObjectTypeCounts):
        * heap/Local.h:
        (JSC::::set):
        * heap/Strong.h:
        (JSC::Strong::set):
        * heap/Weak.h:
        (JSC::Weak::set):
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::singleTransition):
        (JSC::StructureTransitionTable::setSingleTransition):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::set):
        * runtime/WriteBarrier.h:

2011-04-22  Brian Weinstein  <bweinstein@apple.com>

        Part of Windows build fix from r84650.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-04-22  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make it harder to use HandleSlot incorrectly
        https://bugs.webkit.org/show_bug.cgi?id=59205

        Just add a little type fudging to make it harder to
        incorrectly assign through a HandleSlot.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::init):
        * JavaScriptCore.exp:
        * heap/Handle.h:
        (JSC::HandleBase::operator!):
        (JSC::HandleBase::operator UnspecifiedBoolType*):
        (JSC::HandleTypes::getFromSlot):
        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::markStrongHandles):
        (JSC::HandleHeap::markWeakHandles):
        (JSC::HandleHeap::finalizeWeakHandles):
        (JSC::HandleHeap::writeBarrier):
        (JSC::HandleHeap::protectedGlobalObjectCount):
        (JSC::HandleHeap::isValidWeakNode):
        * heap/HandleHeap.h:
        (JSC::HandleHeap::copyWeak):
        (JSC::HandleHeap::makeWeak):
        (JSC::HandleHeap::Node::slot):
        * heap/HandleStack.cpp:
        (JSC::HandleStack::mark):
        (JSC::HandleStack::grow):
        * heap/HandleStack.h:
        (JSC::HandleStack::zapTo):
        (JSC::HandleStack::push):
        * heap/Heap.cpp:
        (JSC::HandleHeap::protectedObjectTypeCounts):
        * heap/Local.h:
        (JSC::::set):
        * heap/Strong.h:
        (JSC::Strong::set):
        * heap/Weak.h:
        (JSC::Weak::set):
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::singleTransition):
        (JSC::StructureTransitionTable::setSingleTransition):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::set):
        * runtime/WriteBarrier.h:
        (JSC::OpaqueJSValue::toJSValue):
        (JSC::OpaqueJSValue::toJSValueRef):
        (JSC::OpaqueJSValue::fromJSValue):

2011-04-22  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for ENABLE(INTERPRETER) after r84556.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2011-04-21  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r84583.
        http://trac.webkit.org/changeset/84583
        https://bugs.webkit.org/show_bug.cgi?id=59173

        "broke
        http://trac.webkit.org/export/84593/trunk/LayoutTests/fast/js
        /Object-create.html" (Requested by ggaren on #webkit).

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorCreate):

2011-04-21  Maciej Stachowiak  <mjs@apple.com>

        Reviewed by Adam Roben.

        Add a feature define to allow <details> and <summary> to be disabled
        https://bugs.webkit.org/show_bug.cgi?id=59118
        <rdar://problem/9257045>

        * Configurations/FeatureDefines.xcconfig:

2011-04-21  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Object.create creates uncachable objects
        https://bugs.webkit.org/show_bug.cgi?id=59164

        Use the prototype object's inheritorID, as we
        should always have done

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorCreate):

2011-04-21  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Start moving to a general visitor pattern for GC traversal
        https://bugs.webkit.org/show_bug.cgi?id=59141

        This is just a rename:
            markChildren -> visitChildren
            markAggregate -> visitAggregate
            markStack -> visitor
            MarkStack -> typedef'd to SlotVisitor

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::visitChildren):
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::visitChildren):
        (JSC::JSCallbackObject::visitChildren):
        * JavaScriptCore.exp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitStructures):
        (JSC::EvalCodeCache::visitAggregate):
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Instruction.h:
        (JSC::PolymorphicAccessStructureList::visitAggregate):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::visitAggregate):
        * bytecode/StructureStubInfo.h:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        * heap/HandleHeap.cpp:
        (JSC::WeakHandleOwner::isReachableFromOpaqueRoots):
        (JSC::HandleHeap::markStrongHandles):
        (JSC::HandleHeap::markWeakHandles):
        * heap/HandleHeap.h:
        * heap/HandleStack.cpp:
        (JSC::HandleStack::mark):
        * heap/HandleStack.h:
        * heap/Heap.cpp:
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStack::visitChildren):
        (JSC::MarkStack::drain):
        * heap/MarkStack.h:
        (JSC::HeapRootVisitor::HeapRootVisitor):
        (JSC::HeapRootVisitor::mark):
        (JSC::HeapRootVisitor::visitor):
        * heap/MarkedSpace.h:
        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::markLists):
        * runtime/ArgList.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * runtime/JSArray.h:
        (JSC::JSArray::visitDirect):
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::visitChildren):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::visitIfNeeded):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildren):
        * runtime/JSObject.h:
        (JSC::JSObject::visitDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildren):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::overridesVisitChildren):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/JSZombie.h:
        (JSC::JSZombie::visitChildren):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildren):
        * runtime/ScopeChain.h:
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::visitChildren):
        * runtime/SmallStrings.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):

2011-04-21  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r84548.
        http://trac.webkit.org/changeset/84548
        https://bugs.webkit.org/show_bug.cgi?id=59144

        Broke chromium-win build (Requested by aklein on #webkit).

        * wtf/Platform.h:

2011-04-21  Adam Klein  <adamk@chromium.org>

        Reviewed by David Levin.

        [fileapi] Worker File API calls that create Blobs fail in debug builds due to random number generator thread assertion
        https://bugs.webkit.org/show_bug.cgi?id=55728

        Enable WTF_MULTIPLE_THREADS for Chromium.

        * wtf/Platform.h:

2011-04-20  Michael Saboff  <msaboff@apple.com>

        Reviewed by Geoff Garen.

        JSString::resolveRope inefficient for common 2 fiber case
        https://bugs.webkit.org/show_bug.cgi?id=58994

        Split JSString::resolveRope into three routines.
        resolveRope allocates the new buffer and handles the 1 or 2
        fiber case with single level fibers.
        resolveRopeSlowCase handles the general case.
        outOfMemory handles the rare out of memory exception case.

        * runtime/JSString.cpp:
        (JSC::JSString::resolveRope):
        (JSC::JSString::resolveRopeSlowCase):
        (JSC::JSString::outOfMemory):
        * runtime/JSString.h:

2011-04-20  Adam Klein  <adamk@chromium.org>

        Reviewed by David Levin.

        Rename all uses of JSC_MULTIPLE_THREADS under wtf/... to WTF_MULTIPLE_THREADS
        https://bugs.webkit.org/show_bug.cgi?id=59040

        This will be used to fix https://bugs.webkit.org/show_bug.cgi?id=55728
        by enabling WTF_MULTIPLE_THREADS for Chromium.

        * wtf/CryptographicallyRandomNumber.cpp:
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):
        * wtf/FastMalloc.cpp:
        * wtf/Platform.h:
        Enable WTF_MULTIPLE_THREADS whenever JSC_MULTIPLE_THREADS is enabled.
        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):
        * wtf/RefCountedLeakCounter.cpp:
        (WTF::RefCountedLeakCounter::increment):
        (WTF::RefCountedLeakCounter::decrement):
        * wtf/dtoa.cpp:
        (WTF::pow5mult):

2011-04-20  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by Geoff Garen

        Bug 59069 - DFG JIT - register allocate r8, r9, r10

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::gprToRegisterID):

2011-04-20  Gavin Barraclough  <barraclough@apple.com>

        Build fix - revert accidental change.

        * wtf/Platform.h:

2011-04-20  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Add SAMPLING_FLAGS tool to DFG JIT.

        * bytecode/SamplingTool.h:
        (JSC::SamplingFlags::addressOfFlags):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::setSamplingFlag):
        (JSC::DFG::JITCompiler::clearSamplingFlag):
        * dfg/DFGJITCompiler.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::setSamplingFlag):
        (JSC::JIT::clearSamplingFlag):
        * wtf/Platform.h:

2011-04-20  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        Bug 59022 - DFG JIT - Optimize branch-on-relational-compare

        If a relational compare (< or <=) is immediately followed by a branch,
        we can combine the two, avoiding generation of a boolean into a register.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branch32):
        (JSC::MacroAssemblerX86Common::invert):
        (JSC::MacroAssemblerX86Common::commute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::adjustedRefCount):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isJSConstantWithInt32Value):
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):

2011-04-20  Gavin Barraclough  <barraclough@apple.com>

        ARMv7 build fix II.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::softModulo):

2011-04-20  Gavin Barraclough  <barraclough@apple.com>

        ARMv7 build fix.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::test8):

2011-04-19  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        Rationalize MacroAssembler branch methods
        https://bugs.webkit.org/show_bug.cgi?id=58950

        The MacroAssembler currently exposes x86's weird behaviour that the 'setcc'
        instruction only sets the low 8 bits of a register. Stop that.

        Having done so, to clarify remove the 'set32' prefix from test & compare
        instructions - these methods all now set a full 32/64 bit register (Ptr size).
        The size in the function name should indicate the amount of data being compared.

        Also split out the 'Condition' enum into 'RelationalCondition' and
        'ResultCondition'. The former is used in binary comparison, the latter is a unary
        condition check on the result of an operation.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::branch32):
        (JSC::MacroAssembler::branch16):
        (JSC::MacroAssembler::branchTestPtr):
        (JSC::MacroAssembler::comparePtr):
        (JSC::MacroAssembler::branchAddPtr):
        (JSC::MacroAssembler::branchSubPtr):
        (JSC::MacroAssembler::branchTest8):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branch32):
        (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM::branch16):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::branchTest32):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::branchSub32):
        (JSC::MacroAssemblerARM::branchNeg32):
        (JSC::MacroAssemblerARM::branchOr32):
        (JSC::MacroAssemblerARM::compare32):
        (JSC::MacroAssemblerARM::test32):
        (JSC::MacroAssemblerARM::test8):
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::ARMCondition):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branch32):
        (JSC::MacroAssemblerARMv7::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARMv7::branch16):
        (JSC::MacroAssemblerARMv7::branch8):
        (JSC::MacroAssemblerARMv7::branchTest32):
        (JSC::MacroAssemblerARMv7::branchTest8):
        (JSC::MacroAssemblerARMv7::branchAdd32):
        (JSC::MacroAssemblerARMv7::branchMul32):
        (JSC::MacroAssemblerARMv7::branchOr32):
        (JSC::MacroAssemblerARMv7::branchSub32):
        (JSC::MacroAssemblerARMv7::compare32):
        (JSC::MacroAssemblerARMv7::test32):
        (JSC::MacroAssemblerARMv7::test8):
        (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::makeBranch):
        (JSC::MacroAssemblerARMv7::armV7Condition):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branch8):
        (JSC::MacroAssemblerMIPS::branch32):
        (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerMIPS::branch16):
        (JSC::MacroAssemblerMIPS::branchTest32):
        (JSC::MacroAssemblerMIPS::branchTest8):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchMul32):
        (JSC::MacroAssemblerMIPS::branchSub32):
        (JSC::MacroAssemblerMIPS::branchOr32):
        (JSC::MacroAssemblerMIPS::compare32):
        (JSC::MacroAssemblerMIPS::test8):
        (JSC::MacroAssemblerMIPS::test32):
        (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branch32):
        (JSC::MacroAssemblerX86::branchPtrWithPatch):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branch8):
        (JSC::MacroAssemblerX86Common::branch32):
        (JSC::MacroAssemblerX86Common::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerX86Common::branch16):
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::branchTest8):
        (JSC::MacroAssemblerX86Common::branchAdd32):
        (JSC::MacroAssemblerX86Common::branchMul32):
        (JSC::MacroAssemblerX86Common::branchSub32):
        (JSC::MacroAssemblerX86Common::branchNeg32):
        (JSC::MacroAssemblerX86Common::branchOr32):
        (JSC::MacroAssemblerX86Common::compare32):
        (JSC::MacroAssemblerX86Common::test8):
        (JSC::MacroAssemblerX86Common::test32):
        (JSC::MacroAssemblerX86Common::x86Condition):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::comparePtr):
        (JSC::MacroAssemblerX86_64::branchPtr):
        (JSC::MacroAssemblerX86_64::branchTestPtr):
        (JSC::MacroAssemblerX86_64::branchAddPtr):
        (JSC::MacroAssemblerX86_64::branchSubPtr):
        (JSC::MacroAssemblerX86_64::branchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::branchTest8):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):

2011-04-20  Balazs Kelemen  <kbalazs@webkit.org>

        Reviewed by Csaba Osztrogonác.

        [Qt] Cleanup includepath adjustment for generated files
        https://bugs.webkit.org/show_bug.cgi?id=58869

        * JavaScriptCore.pri:  Add the directory of generated files to the include
        path with absolute path to make it valid in the final build step.

2011-04-19  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Remove unneeded deprecated methods from MarkStack
        https://bugs.webkit.org/show_bug.cgi?id=58853

        Remove deprecated methods

        * heap/MarkStack.h:

2011-04-19  Mark Rowe  <mrowe@apple.com>

        Things work best when the Xcode project refers to the file at a path that exists.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-04-19  Renata Hodovan  <reni@webkit.org>

        Reviewed by Eric Seidel.

        Move the alignment related macros in Vector.h to new Alignment.h.
        https://bugs.webkit.org/show_bug.cgi?id=56000

        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/Alignment.h: Added.
        * wtf/CMakeLists.txt:
        * wtf/Vector.h:

2011-04-19  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Remove DeprecatedPtr
        https://bugs.webkit.org/show_bug.cgi?id=58718

        Remove the class an all functions that still exist to support it.

        * heap/MarkStack.h:
        (JSC::MarkStack::append):
        * runtime/JSValue.h:
        * runtime/WriteBarrier.h:

2011-04-19  Jungshik Shin  <jshin@chromium.org>

        Reviewed by David Levin

        Add U+FEFF (Zero width no-break space) to CharacterNames.h.
        It's added to the list of characters to treat as zero-width
        in WebCore.

        https://bugs.webkit.org/show_bug.cgi?id=48860

        * wtf/unicode/CharacterNames.h:

2011-04-19  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt] REGRESSION(84176): http/tests/xmlhttprequest/event-listener-gc.html fails
        https://bugs.webkit.org/show_bug.cgi?id=58871

        Unreviewed, rolling out r84176, r84178, r84186, r84212 and r84231.
        http://trac.webkit.org/changeset/84176 (original patch)
        http://trac.webkit.org/changeset/84178 (original patch - part 2)
        http://trac.webkit.org/changeset/84186 (build fix)
        http://trac.webkit.org/changeset/84212
        http://trac.webkit.org/changeset/84231 (skip failing test)

        original bugs:
         - https://bugs.webkit.org/show_bug.cgi?id=58718
         - https://bugs.webkit.org/show_bug.cgi?id=58853

        * heap/MarkStack.h:
        (JSC::MarkStack::deprecatedAppendValues):
        (JSC::MarkStack::append):
        (JSC::MarkStack::deprecatedAppend):
        * runtime/JSValue.h:
        * runtime/WriteBarrier.h:
        (JSC::DeprecatedPtr::DeprecatedPtr):
        (JSC::DeprecatedPtr::get):
        (JSC::DeprecatedPtr::operator*):
        (JSC::DeprecatedPtr::operator->):
        (JSC::DeprecatedPtr::slot):
        (JSC::DeprecatedPtr::operator UnspecifiedBoolType*):
        (JSC::DeprecatedPtr::operator!):
        (JSC::operator==):

2011-04-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Remove unneeded deprecated methods from MarkStack
        https://bugs.webkit.org/show_bug.cgi?id=58853

        Remove deprecated methods

        * heap/MarkStack.h:

2011-04-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Adam Roben.

        Off by one initialising repeat callframe
        https://bugs.webkit.org/show_bug.cgi?id=58838
        <rdar://problem/8756810>

        If the end of a callframe made for a repeat call landed on
        a page boundary the following page may not have been committed
        which means that the off by one could lead to a crash.  However
        it could only happen in this case and only on windows which is
        why it was so hard to repro.  Alas given the steps needed to
        reproduce are such that it's not really possible to make a
        testcase.

        This fix makes the code a little less squirrely by not trying
        to avoid the unnecessary initialisation of |this|.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::prepareForRepeatCall):

2011-04-18  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        Bug 58829 - DFG JIT - Optimize add/sub immediate, multiply.

        Add code generation for add/subtract instruction with immediate operands
        (where a child is a constant), and don't bail to non-speculative if an
        integer multiple results in a +0 result (only if it should be generating -0).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isDoubleConstantWithInt32Value):

2011-04-18  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        Bug 58817 - DFG JIT - if speculative compilation fails, throw away code.

        If we detect a logical conflict, throw away generated code,
        and only compile through the NonSpeculativeJIT.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::rewindToLabel):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::rewindToOffset):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchAdd32):
        (JSC::MacroAssemblerX86Common::branchSub32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::rewindToLabel):
        (JSC::X86Assembler::X86InstructionFormatter::rewindToLabel):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkSpeculationChecks):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculationCheckIndexIterator::SpeculationCheckIndexIterator):

2011-04-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Remove DeprecatedPtr
        https://bugs.webkit.org/show_bug.cgi?id=58718

        As simple as it sounds.

        * runtime/JSValue.h:
        * runtime/WriteBarrier.h:

2011-04-17  Cameron Zwarich  <zwarich@apple.com>

        Reviewed by Dan Bernstein.

        JSC no longer builds with Clang due to -Woverloaded-virtual warning
        https://bugs.webkit.org/show_bug.cgi?id=58760

        Rename Structure's specificValue overload of put to putSpecificValue to avoid
        Clang's warning for overloading a virtual function.

        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::putSpecificValue):
        * runtime/Structure.h:

2011-04-17  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Adam Barth.

        Remove WTF_PLATFORM_SGL
        https://bugs.webkit.org/show_bug.cgi?id=58743

        WTF_PLATFORM_SGL and PLATFORM(SGL) are not used in the code anywhere.

        * wtf/Platform.h:

2011-04-17  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Adam Barth.

        Rename PLATFORM(CA) to USE(CA)
        https://bugs.webkit.org/show_bug.cgi?id=58742

        * wtf/Platform.h:

2011-04-17  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Adam Barth.

        Rename PLATFORM(CG) to USE(CG)
        https://bugs.webkit.org/show_bug.cgi?id=58729

        * wtf/Platform.h:

2011-04-16  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Eric Seidel.

        Rename PLATFORM(CAIRO) to USE(CAIRO)
        https://bugs.webkit.org/show_bug.cgi?id=55192

        * wtf/Platform.h:
        * wtf/gobject/GTypedefs.h:

2011-04-15  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r84067.
        http://trac.webkit.org/changeset/84067
        https://bugs.webkit.org/show_bug.cgi?id=58724

        qt build are failing. (Requested by loislo2 on #webkit).

        * heap/MarkStack.h:
        (JSC::MarkStack::append):
        * runtime/JSValue.h:
        * runtime/WriteBarrier.h:
        (JSC::DeprecatedPtr::DeprecatedPtr):
        (JSC::DeprecatedPtr::get):
        (JSC::DeprecatedPtr::operator*):
        (JSC::DeprecatedPtr::operator->):
        (JSC::DeprecatedPtr::slot):
        (JSC::DeprecatedPtr::operator UnspecifiedBoolType*):
        (JSC::DeprecatedPtr::operator!):
        (JSC::operator==):

2011-04-15  Shishir Agrawal  <shishir@chromium.org>

        Reviewed by James Robinson.

        Add a flag to guard Page Visibility API changes.
        https://bugs.webkit.org/show_bug.cgi?id=58464

        * Configurations/FeatureDefines.xcconfig:

2011-04-15  Gavin Barraclough  <barraclough@apple.com>

        Errrk! - build fix from !x86-64.

        * dfg/DFGNode.h:

2011-04-15  David Levin  <levin@chromium.org>

        Revert of r83974.

        JavaScriptCore shouldn't depend on ../ThirdParty/gtest/xcode/gtest.xcodeproj
        https://bugs.webkit.org/show_bug.cgi?id=58716

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/tests/RunAllWtfTests.cpp: Removed.
        * wtf/tests/StringTests.cpp: Removed.

2011-04-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Remove DeprecatedPtr
        https://bugs.webkit.org/show_bug.cgi?id=58718

        As simple as it sounds.

        * heap/MarkStack.h:
        (JSC::MarkStack::append):
        * runtime/JSValue.h:
        * runtime/WriteBarrier.h:

2011-04-15  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        Add a simple tool to gather statistics on whether functions
        are completed through the new or old JIT.

        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-04-15  Oliver Hunt  <oliver@apple.com>

        GC allocate Structure
        https://bugs.webkit.org/show_bug.cgi?id=58483

        Rolling r83894 r83827 r83810 r83809 r83808 back in with
        a workaround for the gcc bug seen by the gtk bots

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        * API/JSContextRef.cpp:
        * JavaScriptCore.JSVALUE32_64only.exp:
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::markStructures):
        (JSC::CodeBlock::markAggregate):
        * bytecode/CodeBlock.h:
        (JSC::MethodCallLinkInfo::setSeen):
        (JSC::GlobalResolveInfo::GlobalResolveInfo):
        * bytecode/Instruction.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::markAggregate):
        (JSC::Instruction::Instruction):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::markAggregate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdSelf):
        (JSC::StructureStubInfo::initGetByIdProto):
        (JSC::StructureStubInfo::initGetByIdChain):
        (JSC::StructureStubInfo::initPutByIdTransition):
        (JSC::StructureStubInfo::initPutByIdReplace):
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * heap/Handle.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStack::markChildren):
        (JSC::MarkStack::drain):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::sweep):
        * heap/Strong.h:
        (JSC::Strong::Strong):
        (JSC::Strong::set):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::resolveGlobal):
        (JSC::Interpreter::resolveGlobalDynamic):
        (JSC::Interpreter::tryCachePutByID):
        (JSC::Interpreter::uncachePutByID):
        (JSC::Interpreter::tryCacheGetByID):
        (JSC::Interpreter::uncacheGetByID):
        (JSC::Interpreter::privateExecute):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::patchMethodCallProto):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::patchMethodCallProto):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCachePutByID):
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::getPolymorphicAccessStructureListSlot):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::storePtrWithWriteBarrier):
        * jsc.cpp:
        (cleanupGlobalData):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        (JSC::Arguments::Arguments):
        (JSC::JSActivation::copyRegisters):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::constructArrayWithSizeQuirk):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        (JSC::arrayProtoFuncSplice):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        * runtime/DateConstructor.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        * runtime/ErrorConstructor.h:
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        (JSC::ErrorInstance::create):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::GetterSetter):
        (JSC::GetterSetter::createStructure):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        (JSC::JSAPIValueWrapper::JSAPIValueWrapper):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::JSByteArray):
        (JSC::JSByteArray::createStructure):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSCell.cpp:
        (JSC::isZombie):
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::JSCell):
        (JSC::JSCell::JSCell::addressOfStructure):
        (JSC::JSCell::JSCell::structure):
        (JSC::JSCell::JSCell::markChildren):
        (JSC::JSCell::JSValue::isZombie):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::clearBuiltinStructures):
        (JSC::JSGlobalData::createLeaked):
        * runtime/JSGlobalData.h:
        (JSC::allocateGlobalHandle):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::markChildren):
        (JSC::JSGlobalObject::copyGlobalsFrom):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::createStructure):
        (JSC::Structure::prototypeChain):
        (JSC::Structure::isValid):
        (JSC::constructEmptyArray):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::JSNotAnObject):
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::createInheritorID):
        * runtime/JSObject.h:
        (JSC::JSObject::createStructure):
        (JSC::JSObject::JSObject):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSNonFinalObject::JSNonFinalObject):
        (JSC::JSFinalObject::create):
        (JSC::JSFinalObject::createStructure):
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::constructEmptyObject):
        (JSC::createEmptyObjectStructure):
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::inheritorID):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::markChildrenDirect):
        * runtime/JSObjectWithGlobalObject.cpp:
        (JSC::JSObjectWithGlobalObject::JSObjectWithGlobalObject):
        * runtime/JSObjectWithGlobalObject.h:
        (JSC::JSObjectWithGlobalObject::createStructure):
        (JSC::JSObjectWithGlobalObject::JSObjectWithGlobalObject):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        (JSC::JSPropertyNameIterator::create):
        (JSC::JSPropertyNameIterator::get):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        (JSC::JSPropertyNameIterator::setCachedStructure):
        (JSC::Structure::setEnumerationCache):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        (JSC::JSStaticScopeObject::createStructure):
        * runtime/JSString.h:
        (JSC::RopeBuilder::JSString):
        (JSC::RopeBuilder::createStructure):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        * runtime/JSValue.h:
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::createStructure):
        (JSC::JSVariableObject::JSVariableObject):
        (JSC::JSVariableObject::copyRegisterArray):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/JSZombie.cpp:
        * runtime/JSZombie.h:
        (JSC::JSZombie::JSZombie):
        (JSC::JSZombie::createStructure):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        (JSC::NativeErrorConstructor::markChildren):
        (JSC::constructWithNativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        * runtime/ObjectPrototype.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::PropertyTable):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/RegExpPrototype.h:
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::ScopeChainNode):
        (JSC::ScopeChainNode::createStructure):
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        (JSC::StringObjectThatMasqueradesAsUndefined::createStructure):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::remove):
        (JSC::StructureTransitionTable::add):
        (JSC::Structure::Structure):
        (JSC::Structure::~Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::getterSetterTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::toCacheableDictionaryTransition):
        (JSC::Structure::toUncacheableDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::put):
        (JSC::Structure::markChildren):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::setPrototypeWithoutTransition):
        (JSC::Structure::createStructure):
        (JSC::JSCell::createDummyStructure):
        (JSC::StructureTransitionTable::keyForWeakGCMapFinalizer):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        (JSC::StructureChain::markChildren):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):
        (JSC::StructureChain::head):
        (JSC::StructureChain::createStructure):
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::WeakGCMapFinalizerCallback::finalizerContextFor):
        (JSC::StructureTransitionTable::WeakGCMapFinalizerCallback::keyForFinalizer):
        (JSC::StructureTransitionTable::~StructureTransitionTable):
        (JSC::StructureTransitionTable::slot):
        (JSC::StructureTransitionTable::setMap):
        (JSC::StructureTransitionTable::singleTransition):
        (JSC::StructureTransitionTable::clearSingleTransition):
        (JSC::StructureTransitionTable::setSingleTransition):
        * runtime/WeakGCMap.h:
        (JSC::DefaultWeakGCMapFinalizerCallback::finalizerContextFor):
        (JSC::DefaultWeakGCMapFinalizerCallback::keyForFinalizer):
        (JSC::WeakGCMap::contains):
        (JSC::WeakGCMap::find):
        (JSC::WeakGCMap::remove):
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::set):
        (JSC::WeakGCMap::finalize):
        * runtime/WriteBarrier.h:
        (JSC::writeBarrier):
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::operator*):
        (JSC::WriteBarrierBase::operator->):
        (JSC::WriteBarrierBase::setWithoutWriteBarrier):

2011-04-15  Fridrich Strba  <fridrich.strba@bluewin.ch>

        Reviewed by Gavin Barraclough.

        Correctly prefix symbols. Since gcc 4.5.0, Windows x64 symbols
        are not prefixed by underscore anymore. This is consistent with
        what MSVC does.
        https://bugs.webkit.org/show_bug.cgi?id=58573

        * jit/JITStubs.cpp:

2011-04-15  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        Bug 58705 - DFG JIT Add support for flow control (branch, jump).

        Add support for control flow by breaking the CodeBlock up into multiple
        basic blocks, generating code for each basic block in turn through the
        speculative JIT & then the non-speculative JIT.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setTemporary):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::BasicBlock::getBytecodeOffset):
        (JSC::DFG::Graph::blockIndexForBytecodeOffset):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::JITCodeGenerator):
        (JSC::DFG::JITCodeGenerator::addBranch):
        (JSC::DFG::JITCodeGenerator::linkBranches):
        (JSC::DFG::JITCodeGenerator::BranchRecord::BranchRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::isJump):
        (JSC::DFG::Node::isBranch):
        (JSC::DFG::Node::takenBytecodeOffset):
        (JSC::DFG::Node::notTakenBytecodeOffset):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:

2011-04-15  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        Bug 58701 - DFG JIT - add GetLocal/SetLocal nodes

        Use these for both access to arguments & local variables, adds ability
        to set locals, such that values will persist between basic blocks.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::getVariable):
        (JSC::DFG::ByteCodeParser::setVariable):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::getThis):
        (JSC::DFG::ByteCodeParser::setThis):
        (JSC::DFG::ByteCodeParser::VariableRecord::VariableRecord):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::derefChildren):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasLocal):
        (JSC::DFG::Node::local):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-04-15  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 58696 - DFG JIT split handling of vars/temporaries

        Presently all callee registers are treated as having single block scope,
        since the DFG JIT can only compile single block functions. In order to
        expand the JIT to support control flow we will need to change to retaining
        locals (but not temporaries) across basic block boundaries.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::getVariable):
        (JSC::DFG::ByteCodeParser::setVariable):
        (JSC::DFG::ByteCodeParser::getTemporary):
        (JSC::DFG::ByteCodeParser::setTemporary):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::getInt32Constant):
        (JSC::DFG::ByteCodeParser::getDoubleConstant):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        (JSC::DFG::parse):
        * dfg/DFGNode.h:
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::ScoreBoard):
        (JSC::DFG::ScoreBoard::~ScoreBoard):
        (JSC::DFG::ScoreBoard::allocate):
        (JSC::DFG::ScoreBoard::use):

2011-04-15  Michael Saboff  <msaboff@apple.com>

        Reviewed by Oliver Hunt.

        globalObject moved to JSObjectWithGlobalObject.cpp inhibits inlining
        https://bugs.webkit.org/show_bug.cgi?id=58677

        Moved JSObjectWithGlobalObject::globalObject() to 
        runtime/JSObjectWithGlobalObject.h to allow the compiler to inline
        it for a performance benefit.  An equivalent instance had been in
        a header file before r60057.

        * JavaScriptCore.exp:
        * runtime/JSObjectWithGlobalObject.cpp:
        * runtime/JSObjectWithGlobalObject.h:
        (JSC::JSObjectWithGlobalObject::globalObject):

2011-04-14  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make JSNodeFilterCondition handle its lifetime correctly
        https://bugs.webkit.org/show_bug.cgi?id=58622

        Add export

        * JavaScriptCore.exp:

2011-04-14  Alexey Proskuryakov  <ap@apple.com>

        Reviewed by Dan Bernstein.

        WebKit2: Password field input does not switch to ASCII-compatible source
        https://bugs.webkit.org/show_bug.cgi?id=58583
        <rdar://problem/9059651>

        * wtf/Platform.h: Removed WTF_USE_CARBON_SECURE_INPUT_MODE. It's now only used by Chromium,
        and shouldn't be enabled on any other platforms, so there is no reason to make it
        configurable via Platform.h.

2011-04-15  Dmitry Lomov  <dslomov@google.com>

        Reviewed by David Levin.

        Add a sample test case for GTest framework
        https://bugs.webkit.org/show_bug.cgi?id=58509

        Add an example of GTest testcase, complete with a runner, to JavaScriptCore.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/tests/RunAllWtfTests.cpp: Added.
        (main):
        * wtf/tests/StringTests.cpp: Added.

2011-04-15  Anna Cavender  <annacc@chromium.org>

        Reviewed by Eric Carlson.

        Renaming TRACK feature define to VIDEO_TRACK
        https://bugs.webkit.org/show_bug.cgi?id=53556

        * Configurations/FeatureDefines.xcconfig:

2011-04-14  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by Geoffrey Garen.

        Hide DFG_JIT_RESTRICTIONS behind ARITHMETIC_OP() macro, and rename
        m_regressionGuard to m_parseFailed, such that it can be reused for
        other failure cases.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parse):

2011-04-14  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoffrey Garen.

        Bug 58620 - DFG JIT - loading of arguments should not be lazy

        This optimization is overly simplistic. It only works because we never
        write out definitions to arguments (since we currently only compile
        single block functions). Revert this for now, we may want to reintroduce
        something like this again in the future, but it will need to be aware
        how to schedule definitions to arguments versus lazy loads that have not
        yet been performed.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::needsSpill):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::initConstantInfo):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::fillToJS):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::isKnownInteger):
        (JSC::DFG::NonSpeculativeJIT::isKnownNumeric):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):

2011-04-14  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoffrey Garen.

        Bug 58600 - DFG JIT bugs in ValueToInt, PutByVal

        The bug in PutByVal is that an operand is in JSValueOperand - when this
        locks an integer into a register it will always retag the value without
        checking if the register is already locked. This is a problem where the
        value being stored by a PutByVal is the same as the subscript.
        The subscript is locked into a register first, as a strict integer.
        Locking the value results in the subscript being modified.

        The bug in ValueToInt related to the function of sillentFillAllRegisters.
        The problem is that this method will restore all register values from
        prior to the call, overwriting the result of the call out. Allow a
        register to be passed to specifically be excluded from being preserved.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::debugOffset):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ARMInstructionFormatter::debugOffset):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::debugOffset):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::debugOffset):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::debugAddress):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::debugOffset):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::orPtr):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::debugOffset):
        (JSC::X86Assembler::X86InstructionFormatter::debugOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::isConstant):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isConstant):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::valueToInt32):
        (JSC::DFG::NonSpeculativeJIT::numberToInt32):
        (JSC::DFG::NonSpeculativeJIT::isKnownInteger):
        (JSC::DFG::NonSpeculativeJIT::isKnownNumeric):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        (JSC::DFG::NonSpeculativeJIT::silentSpillGPR):
        (JSC::DFG::NonSpeculativeJIT::silentSpillFPR):
        (JSC::DFG::NonSpeculativeJIT::silentFillGPR):
        (JSC::DFG::NonSpeculativeJIT::silentFillFPR):
        (JSC::DFG::NonSpeculativeJIT::silentSpillAllRegisters):
        (JSC::DFG::NonSpeculativeJIT::silentFillAllRegisters):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-04-14  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Drain the mark stack while marking weak handles, not after.
        https://bugs.webkit.org/show_bug.cgi?id=58574

        Otherwise, items that would have caused more weak handle marking are
        processed after all weak handle marking has finished, and referenced
        weak handles get recycled.

        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::markWeakHandles): Removed looping from here, since we
        want Heap::markRoots to be responsible for draining the mark stack.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots): Moved looping to here, as explained above.
        
        For efficiency's sake, drain the mark stack before starting to mark weak
        handles. Otherwise, items drained while marking weak handles may force
        an extra trip through the weak handle list.

        For correctness's sake, drain the mark stack each time through the weak
        handle list. Otherwise, opaque roots that would make weak handles reachable
        are not discovered until after weak handle marking is over.

2011-04-14  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make protected object list in caches window reflect reality
        https://bugs.webkit.org/show_bug.cgi?id=58565

        Make sure the heap includes objects protected by Strong handles
        in its list of protected objects.

        * heap/HandleHeap.h:
        * heap/Heap.cpp:
        (JSC::HandleHeap::protectedObjectTypeCounts):

2011-04-14  Satish Sampath  <satish@chromium.org>

        Reviewed by Anders Carlsson.

        Don't emit RegExp tables for chromium where they are not used
        https://bugs.webkit.org/show_bug.cgi?id=58544

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * create_regex_tables: Added the "--notables" command line argument.

2011-04-13  Geoffrey Garen  <ggaren@apple.com>

        Try to fix ASSERTs seen on Windows bots.

        * wtf/HashTable.h:
        (WTF::hashTableSwap): Force MSVC to use the right version of swap.

2011-04-13  Ryuan Choi  <ryuan.choi@samsung.com>

        Reviewed by Kenneth Rohde Christiansen.

        [CMAKE] Separate DerivedSources.
        https://bugs.webkit.org/show_bug.cgi?id=58427

        * CMakeLists.txt: Change DERIVED_SOURCES_DIR to DERIVED_SOURCES_JAVASCRIPTCORE_DIR.

2011-04-13  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Switched DOM wrappers to use HashMap of Weak<T> instead of WeakGCMap<T>
        https://bugs.webkit.org/show_bug.cgi?id=58482
        
        This will allow wrappers to make individual decisions about their lifetimes.

        * heap/HandleHeap.h:
        (JSC::HandleHeap::copyWeak): New function for copying a weak handle.
        It's wasn't previously possible to perform this operation using HandleHeap
        API because the HandleHeap doesn't expose its underlying Node structure.

        * heap/Local.h:
        (JSC::::set):
        * heap/Strong.h:
        (JSC::Strong::set): Added ASSERTs to verify that dead objects are not
        resurrected by placement into handles.

        (JSC::swap): Added a swap helper, so use of Strong<T> inside a hash table
        is efficient.

        * heap/Weak.h:
        (JSC::Weak::Weak): Fixed a bug where copying a weak pointer would not
        copy its weak callback and context.

        (JSC::Weak::operator=): Added an assignment operator, since the default
        C++ assignment operator did the wrong thing.

        (JSC::Weak::set): Added ASSERTs to verify that dead objects are not
        resurrected by placement into handles.

        (JSC::swap): Added a swap helper, so use of Strong<T> inside a hash table
        is efficient, and can be done without copying, which is illegal during
        the handle finalization phase.

2011-04-13  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make PropertyMapEntry use a WriteBarrier for specificValue
        https://bugs.webkit.org/show_bug.cgi?id=58407

        Make PropertyMapEntry use a WriteBarrier for specificValue, and then
        propagate the required JSGlobalData through all the methods it ends
        up being needed.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/JSContextRef.cpp:
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectSetPrototype):
        * JavaScriptCore.exp:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * interpreter/Interpreter.cpp:
        (JSC::appendSourceToError):
        (JSC::Interpreter::tryCacheGetByID):
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::name):
        (JSC::InternalFunction::displayName):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::name):
        (JSC::JSFunction::displayName):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::putWithAttributes):
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::resetPrototype):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        (JSC::JSObject::lookupGetter):
        (JSC::JSObject::lookupSetter):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectLocation):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectFunctionWithoutTransition):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorCreate):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChain):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyMapEntry::PropertyMapEntry):
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::copy):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::getterSetterTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::toCacheableDictionaryTransition):
        (JSC::Structure::toUncacheableDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::put):
        (JSC::Structure::getPropertyNames):
        * runtime/Structure.h:
        (JSC::Structure::get):
        (JSC::Structure::materializePropertyMapIfNecessary):

2011-04-13  Paul Knight  <pknight@apple.com>

        Reviewed by Gavin Barraclough.

        BACKTRACE() macro should check for Debug configuration in macro, not WTFReportBacktrace definition
        https://bugs.webkit.org/show_bug.cgi?id=58405

        The BACKTRACE() macro requires JavaScriptCore be built with a Debug
        configuration in order for it to be enabled. Move the NDEBUG check to
        the header so it will be enabled when the calling framework or
        application is built with a Debug configuration, similar to how
        ASSERT() and friends work.

        * wtf/Assertions.cpp:
        * wtf/Assertions.h:

2011-04-12  Ben Taylor  <bentaylor.solx86@gmail.com>

        Reviewed by Alexey Proskuryakov.

        https://bugs.webkit.org/show_bug.cgi?id=58131

        Provide a workaround for an obscure Studio 12 compiler bug, which
        couldn't call src->~T() on a const T *src.

        * wtf/Vector.h:

2011-04-12  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=58395
        Exceptions thrown from property getters called from Array prototype functions can be missed

        This is caught by an ASSERT in the top of Interpreter::executeCall.
        Check for exceptions after accessing properties that could be getters.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
            - Add exception checks.

2011-04-12  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make API callback objects use weak handles to run their finalizers
        https://bugs.webkit.org/show_bug.cgi?id=58389

        Make the API object's private data struct act as a finalizer for
        an api object if the callback object has a API defined finalizer.

        * API/JSCallbackObject.cpp:
        (JSC::JSCallbackObjectData::finalize):
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::init):
        * heap/Handle.h:

2011-04-12  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Geoffrey Garen.

        Cleaned up hash traits, and added hash traits for handles
        https://bugs.webkit.org/show_bug.cgi?id=58381

        * heap/Handle.h:
        (JSC::HandleBase::swap):
        (JSC::Handle::Handle):
        (JSC::Handle::swap): Implemented swap, so we can rehash efficiently, and
        without creating new handles (which is not allowed during handle finalization).

        * heap/Strong.h:
        (JSC::Strong::swap): Use new SimpleClassHashTraits to avoid duplication.

        * heap/Weak.h:
        (JSC::Weak::isHashTableDeletedValue):
        (JSC::Weak::Weak):
        (JSC::Weak::swap):
        (JSC::Weak::hashTableDeletedValue): Ditto.

        * wtf/HashTraits.h:
        (WTF::SimpleClassHashTraits::constructDeletedValue):
        (WTF::SimpleClassHashTraits::isDeletedValue): Added SimpleClassHashTraits,
        which are analogous to SimpleClassVectorTraits, since they are used in a
        bunch of places.

        * wtf/RetainPtr.h: Use new SimpleClassHashTraits to avoid duplication.

        * wtf/text/StringHash.h: Use new SimpleClassHashTraits to avoid duplication.

2011-04-12  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Cleaned up some Vector traits, and added missing Vector traits for handles
        https://bugs.webkit.org/show_bug.cgi?id=58372

        * heap/Local.h: Inherit from SimpleClassVectorTraits to avoid duplication.

        * heap/Strong.h: Ditto.

        * heap/Weak.h: Ditto.

        * parser/JSParser.cpp: Fixed a traits error. No test case because this
        particular trait is not currently exercised by the parser.

        * runtime/UString.h: No need to override canInitializeWithMemset, since
        our base class sets it to true.

        * wtf/VectorTraits.h: Inherit from VectorTraitsBase to avoid duplication.

        * wtf/text/WTFString.h: No need to override canInitializeWithMemset, since
        our base class sets it to true.

2011-04-12  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Eric Seidel.

        [Qt] Enable JIT build for SH4 platforms.
        https://bugs.webkit.org/show_bug.cgi?id=58317
        enable JIT build for QT backend  for SH4 platforms.

        * JavaScriptCore.pro:
        * wtf/Platform.h:

2011-04-11  Ben Taylor  <bentaylor.solx86@gmail.com>

        Reviewed by Alexey Proskuryakov.

        https://bugs.webkit.org/show_bug.cgi?id=58289

        Fix compilation on Solaris/Studio 12 C++ in wtf/FastMalloc.cpp,
        WTF::TCMalloc_PageHeap::runScavengerThread(void*) expected to return a value.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::runScavengerThread):

2011-04-11  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * JavaScriptCore.xcodeproj/project.pbxproj: Headers used outside of JavaScriptCore need to be marked as private.

2011-04-11  Anna Cavender  <annacc@chromium.org>

        Reviewed by Eric Carlson.

        Setup ENABLE(TRACK) feature define
        https://bugs.webkit.org/show_bug.cgi?id=53556


        * Configurations/FeatureDefines.xcconfig:

2011-04-11  Geoffrey Garen  <ggaren@apple.com>

        Try to fix a few builds.
        
        Updated a few more build configurations for file moves.

        * CMakeListsWinCE.txt:

2011-04-11  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 58263 - Use EncodedValueDescriptor on both JSVALUE32_64, JSVALUE64

        The JSJITInterface already uses EncodedValueDescriptor to access the tag/payload
        separately on JSVALUE64, even though EncodedValueDescriptor is not used in
        JSVALUE64's implementation of JSValue. Remove the separate definition for m_ptr
        on X86_64. Using the union allows us to remove a layer of makeImmediate()/
        immedaiteValue() methods.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitTagAsBoolImmediate):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emitSlow_op_not):
        * runtime/JSCell.h:
        * runtime/JSValue.h:
        * runtime/JSValueInlineMethods.h:
        (JSC::JSValue::encode):
        (JSC::JSValue::decode):
        (JSC::JSValue::operator==):
        (JSC::JSValue::operator!=):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::operator bool):
        (JSC::JSValue::asInt32):
        (JSC::JSValue::isUndefinedOrNull):
        (JSC::JSValue::isBoolean):
        (JSC::JSValue::isCell):
        (JSC::JSValue::isInt32):
        (JSC::JSValue::asDouble):
        (JSC::JSValue::isNumber):
        (JSC::JSValue::asCell):

2011-04-11  Geoffrey Garen  <ggaren@apple.com>

        Try to fix a few builds.
        
        Updated a few more build configurations for file moves.

        * CMakeListsEfl.txt:
        * wscript:

2011-04-11  Geoffrey Garen  <ggaren@apple.com>

        Build fix: Updated a file name.

        * CMakeLists.txt:

2011-04-11  Geoffrey Garen  <ggaren@apple.com>

        Rubber-stamped by Sam Weinig.
        
        Moved remaining heap implementation files to the heap folder.

        * Android.mk:
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/ConservativeRoots.cpp: Copied from runtime/ConservativeSet.cpp.
        * heap/ConservativeRoots.h: Copied from runtime/ConservativeSet.h.
        * heap/Handle.h:
        * heap/Heap.cpp:
        * heap/MachineStackMarker.cpp: Copied from runtime/MachineStackMarker.cpp.
        * heap/MachineStackMarker.h: Copied from runtime/MachineStackMarker.h.
        * heap/MarkStack.cpp: Copied from runtime/MarkStack.cpp.
        * heap/MarkStack.h: Copied from runtime/MarkStack.h.
        * heap/MarkStackPosix.cpp: Copied from runtime/MarkStackPosix.cpp.
        * heap/MarkStackSymbian.cpp: Copied from runtime/MarkStackSymbian.cpp.
        * heap/MarkStackWin.cpp: Copied from runtime/MarkStackWin.cpp.
        * heap/MarkedBlock.cpp: Copied from runtime/MarkedBlock.cpp.
        * heap/MarkedBlock.h: Copied from runtime/MarkedBlock.h.
        * heap/MarkedSpace.cpp: Copied from runtime/MarkedSpace.cpp.
        * heap/MarkedSpace.h: Copied from runtime/MarkedSpace.h.
        * interpreter/RegisterFile.cpp:
        * runtime/ConservativeSet.cpp: Removed.
        * runtime/ConservativeSet.h: Removed.
        * runtime/MachineStackMarker.cpp: Removed.
        * runtime/MachineStackMarker.h: Removed.
        * runtime/MarkStack.cpp: Removed.
        * runtime/MarkStack.h: Removed.
        * runtime/MarkStackPosix.cpp: Removed.
        * runtime/MarkStackSymbian.cpp: Removed.
        * runtime/MarkStackWin.cpp: Removed.
        * runtime/MarkedBlock.cpp: Removed.
        * runtime/MarkedBlock.h: Removed.
        * runtime/MarkedSpace.cpp: Removed.
        * runtime/MarkedSpace.h: Removed.

2011-04-11  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-04-09  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 58198 - Clean up JSValue implementation for JSVALUE64

        Remove JSNumberCell, JSImmediate, unify some methods between JSVALUE32_64/JSVALUE64

        JSNumberCell.h largely just contained the constructors for JSValue on JSVALUE64,
        which should not have been here.  JSImmediate mostly contained uncalled methods,
        along with the internal implementation of the JSValue constructors split unnecessarily
        across a number of layers of function calls. These could largely be merged back
        together. Many methods and constructors from JSVALUE32_64 and JSVALUE64 can by unified.

        The .cpp files were empty.

        Moving all these methods into JSValue.h seems to be a repro measurable regression, so
        I have kept these methods in a separate JSValueInlineMethods.h. Adding the 64-bit tag
        values as static const members of JSValue also measures as a repro regression, so I
        have made these #defines.

        * Android.mk:
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Removed JSImmediate.h, JSNumberCell.h.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
            - Removed class JSImmediate.
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
            - Removed class JSImmediate.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - Removed class JSImmediate.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::compileBinaryArithOpSlowCase):
            - Removed class JSImmediate.
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitJumpIfJSCell):
        (JSC::JIT::emitJumpIfNotJSCell):
        (JSC::JIT::emitJumpIfImmediateInteger):
        (JSC::JIT::emitJumpIfNotImmediateInteger):
        (JSC::JIT::emitFastArithDeTagImmediate):
        (JSC::JIT::emitFastArithDeTagImmediateJumpIfZero):
        (JSC::JIT::emitFastArithReTagImmediate):
        (JSC::JIT::emitTagAsBoolImmediate):
            - Removed class JSImmediate.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emitSlow_op_not):
            - Removed class JSImmediate.
        * jit/JSInterfaceJIT.h:
            - Removed class JSImmediate.
        * runtime/JSCell.h:
            - Removed JSImmediate.h, JSNumberCell.h.
        * runtime/JSImmediate.cpp: Removed.
        * runtime/JSImmediate.h: Removed.
        * runtime/JSNumberCell.cpp: Removed.
        * runtime/JSNumberCell.h: Removed.
            - Removed.
        * runtime/JSObject.h:
            - Removed JSImmediate.h, JSNumberCell.h.
        * runtime/JSString.h:
            - Removed JSImmediate.h, JSNumberCell.h.
        * runtime/JSValue.h:
            - Added tags for JSVALUE64, moved out some JSVALUE32_64 methods, unified with JSVALUE64.
        * runtime/JSValueInlineMethods.h: Added.
        (JSC::JSValue::toInt32):
        (JSC::JSValue::toUInt32):
        (JSC::JSValue::isUInt32):
        (JSC::JSValue::asUInt32):
        (JSC::JSValue::uncheckedGetNumber):
        (JSC::JSValue::toJSNumber):
        (JSC::jsNaN):
        (JSC::JSValue::getNumber):
        (JSC::JSValue::getBoolean):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::encode):
        (JSC::JSValue::decode):
        (JSC::JSValue::operator bool):
        (JSC::JSValue::operator==):
        (JSC::JSValue::operator!=):
        (JSC::JSValue::isUndefined):
        (JSC::JSValue::isNull):
        (JSC::JSValue::isUndefinedOrNull):
        (JSC::JSValue::isCell):
        (JSC::JSValue::isInt32):
        (JSC::JSValue::isDouble):
        (JSC::JSValue::isTrue):
        (JSC::JSValue::isFalse):
        (JSC::JSValue::tag):
        (JSC::JSValue::payload):
        (JSC::JSValue::asInt32):
        (JSC::JSValue::asDouble):
        (JSC::JSValue::asCell):
        (JSC::JSValue::isNumber):
        (JSC::JSValue::isBoolean):
        (JSC::JSValue::makeImmediate):
        (JSC::JSValue::immediateValue):
        (JSC::reinterpretDoubleToIntptr):
        (JSC::reinterpretIntptrToDouble):
            - Methods moved here from JSImmediate.h/JSNumberCell.h/JSValue.h.
        * runtime/Operations.h:
            - Removed JSImmediate.h, JSNumberCell.h.
        * wtf/StdLibExtras.h:
            - Export bitwise_cast.

2011-04-11  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Oliver Hunt.

        SH4 JIT SUPPORT.
        https://bugs.webkit.org/show_bug.cgi?id=44329

        Add JIT remaining part for SH4 platforms.

        * assembler/MacroAssemblerSH4.h:
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:

2011-04-10  Geoffrey Garen  <ggaren@apple.com>

        Rubber-stamped by Beth Dakin.

        Moved Heap.h and Heap.cpp to the heap folder, because anything less 
        would be uncivilized.

        * Android.mk:
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp: Copied from JavaScriptCore/runtime/Heap.cpp.
        * heap/Heap.h: Copied from JavaScriptCore/runtime/Heap.h.
        * runtime/Heap.cpp: Removed.
        * runtime/Heap.h: Removed.

2011-04-10  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Darin Adler.

        Remove duplicated code from AtomicString::fromUTF8()
        https://bugs.webkit.org/show_bug.cgi?id=53711

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/AtomicString.cpp:
        (WTF::AtomicString::fromUTF8Internal):
        * wtf/text/AtomicString.h:
        (WTF::AtomicString::fromUTF8):
        * wtf/unicode/UTF8.cpp:
        (WTF::Unicode::calculateStringHashAndLengthFromUTF8):
        * wtf/unicode/UTF8.h:

2011-04-10  Maciej Stachowiak  <mjs@apple.com>

        Not reviewed.

        Fix build (at least on Lion) by adding some newish header files to
        PrivateHeaders.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-04-09  Geoffrey Garen  <ggaren@apple.com>

        Not reviewed.

        Try recommitting some things svn left out of its last commit.

        * heap/Handle.h:
        (JSC::HandleBase::operator!):
        (JSC::HandleBase::HandleBase):
        (JSC::HandleBase::slot):
        (JSC::HandleBase::setSlot):
        (JSC::Handle::Handle):
        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::markWeakHandles):
        (JSC::HandleHeap::finalizeWeakHandles):
        (JSC::HandleHeap::isValidWeakNode):
        * heap/HandleHeap.h:
        (JSC::HandleHeap::globalData):

2011-04-08  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        A few heap-related renames and file moves.
        
        WeakGCPtr<T> => Weak<T>
        Global<T> => Strong<T>
        collector/ => heap/
        collector/* => heap/*
        runtime/WeakGCPtr.h => heap/Weak.h
        
        (Eventually, even more files should move into the heap directory. Like
        Heap.h and Heap.cpp, for example.)

        * API/JSClassRef.h:
        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pri:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.vcproj/jsc/jscCommon.vsprops:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SamplingTool.h:
        * bytecompiler/BytecodeGenerator.h:
        * collector: Removed.
        * collector/handles: Removed.
        * collector/handles/Global.h: Removed.
        * collector/handles/Handle.h: Removed.
        * collector/handles/HandleHeap.cpp: Removed.
        * collector/handles/HandleHeap.h: Removed.
        * collector/handles/HandleStack.cpp: Removed.
        * collector/handles/HandleStack.h: Removed.
        * collector/handles/Local.h: Removed.
        * collector/handles/LocalScope.h: Removed.
        * heap: Copied from collector.
        * heap/Handle.h: Copied from collector/handles/Handle.h.
        * heap/HandleHeap.cpp: Copied from collector/handles/HandleHeap.cpp.
        * heap/HandleHeap.h: Copied from collector/handles/HandleHeap.h.
        * heap/HandleStack.cpp: Copied from collector/handles/HandleStack.cpp.
        * heap/HandleStack.h: Copied from collector/handles/HandleStack.h.
        * heap/Local.h: Copied from collector/handles/Local.h.
        * heap/LocalScope.h: Copied from collector/handles/LocalScope.h.
        * heap/Strong.h: Copied from collector/handles/Global.h.
        (JSC::Strong::Strong):
        (JSC::Strong::~Strong):
        (JSC::Strong::operator=):
        * heap/Weak.h: Copied from runtime/WeakGCPtr.h.
        (JSC::Weak::Weak):
        (JSC::Weak::~Weak):
        * heap/handles: Removed.
        * interpreter/RegisterFile.h:
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * runtime/Structure.h:
        * runtime/WeakGCPtr.h: Removed.

2011-04-08  Alpha Lam  <hclam@chromium.org>

        Unreviewed, rolling out r83335.
        http://trac.webkit.org/changeset/83335
        https://bugs.webkit.org/show_bug.cgi?id=53556

        GTK and QT bots are broken

        * Configurations/FeatureDefines.xcconfig:

2011-04-08  Gavin Barraclough  <barraclough@apple.com>

        Ooops, typo, build fix.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2011-04-08  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        Bug 58154 - Add support for comparison operators to the DFG JIT.

        Add support for <, <=, ==, ===, and also !.  Add support for all corresponding
        bytecode ops, including the not- and -null forms.  Initially add functionally
        correct support, we'll revisit the performance.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::parse):
            - Add support for parsing of bytecode opcodes, 
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::callOperation):
            - Add new operation call types, return bool values.
        * dfg/DFGNode.h:
            - Add new node types.
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
            - Add code generation for new nodes.
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationCompareLess):
        (JSC::DFG::operationCompareLessEq):
        (JSC::DFG::operationCompareEq):
        (JSC::DFG::operationCompareStrictEq):
        (JSC::DFG::dfgConvertJSValueToBoolean):
        * dfg/DFGOperations.h:
            - Add operation callbacks to implement new ops.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - Add code generation for new nodes.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
            - Switched to a simpler <0 check, rather than relying on an internal value in JSImmediate.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePatchGetArrayLength):
            - Switched to a simpler <0 check, rather than relying on an internal value in JSImmediate.
        * runtime/JSImmediate.h:
            - Make tag values public, rather than relying on a friend - this matches JSVALUE32_64.

2011-04-07  Anna Cavender  <annacc@chromium.org>

        Reviewed by Eric Carlson.

        Setup ENABLE(TRACK) feature define
        https://bugs.webkit.org/show_bug.cgi?id=53556


        * Configurations/FeatureDefines.xcconfig:

2011-04-07  Balazs Kelemen  <kbalazs@webkit.org>

        Reviewed by Kenneth Rohde Christiansen.

        [WK2][Qt][GTK] Introduce common use flag for the shared UNIX domain socket IPC implementation
        https://bugs.webkit.org/show_bug.cgi?id=58030

        * wtf/Platform.h: Introduce USE(UNIX_DOMAIN_SOCKETS) for WebKit2.

2011-04-08  Adam Roben  <aroben@apple.com>

        Clean build fix

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: Don't try to delete directories that
        don't exist. Also switched from del /s to rmdir /s, which has the benefit of deleting the
        directory itself in addition to the files it contains.

2011-04-07  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Maciej Stachowiak.

        Some Handle<T> cleanup
        https://bugs.webkit.org/show_bug.cgi?id=58109

        * bytecode/SamplingTool.h: Sorted alphabetically because that's the
        WebKit style. Added a Global.h #include that was previously missing
        but harmless.

        * collector/handles/Global.h:
        (JSC::Global::Global): Added a null constructor. No need for a special
        tag, and the tag is incompatible with some data structures.
        
        (JSC::Global::isHashTableDeletedValue):
        (JSC::Global::~Global):
        (JSC::Global::set):
        (JSC::Global::operator=):
        (JSC::Global::clear):
        (JSC::Global::hashTableDeletedValue): Reordered constructors to be near
        each other.

        (JSC::Global::setWithWriteBarrier): Renamed internalSet to
        setWithWriteBarrier for clarity, and funneled more code into using set
        and setWithWriteBarrier to reduce duplication.

        * collector/handles/Handle.h:
        (JSC::HandleBase::operator!):
        (JSC::HandleBase::HandleBase): Removed isEmpty(), since we already have
        boolean and ! operators.

        (JSC::HandleBase::slot):
        (JSC::HandleBase::setSlot):
        (JSC::Handle::Handle): Added general support for null Handles. This was
        previously outlawed by ASSERTs, but our code has grown to support and
        rely on null Handles.
        
        * collector/handles/HandleHeap.cpp:
        (JSC::HandleHeap::markWeakHandles):
        (JSC::HandleHeap::finalizeWeakHandles):
        (JSC::HandleHeap::isValidWeakNode): Migrated from isValidWeakHandle,
        and beefed this up a bit.

        * collector/handles/HandleHeap.h:
        (JSC::HandleHeap::globalData): Added accessor, used by some new set functions.

        * collector/handles/Local.h: Moved hash traits to the bottom of the file,
        since this file is about the Local class, not the traits.

        (JSC::::Local): Updated for removal of invalidate().

        (JSC::::operator): Deployed "using" to avoid a lot of this->
        template funny business.

        (JSC::::setWithSlotCheck): Renamed from internalSet, more specific now.

        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::RegisterFile): Updated to use null constructor.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):

        * runtime/JSPropertyNameIterator.h:
        (JSC::Structure::setEnumerationCache):
        * runtime/Structure.h: Removed clearEnumerationCache
        because it was an unused holdover from when the enumeration cache was
        not a handle.

        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::set): Finish initializing our handle before putting it
        in the table. This seemed more logical, and at one point was required
        to avoid triggering an ASSERT.

        * runtime/WeakGCPtr.h: Inherit from Handle instead of rolling our own
        handle-like behavior, to avoid duplication.

        (JSC::WeakGCPtr::WeakGCPtr):
        (JSC::WeakGCPtr::~WeakGCPtr):
        (JSC::WeakGCPtr::get):
        (JSC::WeakGCPtr::clear):
        (JSC::WeakGCPtr::set):
        (JSC::WeakGCPtr::setWithWriteBarrier): Removed duplicate code and
        standardized on Handle idioms.

2011-04-07  Adam Barth  <abarth@webkit.org>

        Reviewed by Martin Robinson.

        Refactor Gtk build system to separate list of files
        https://bugs.webkit.org/show_bug.cgi?id=58090

        This is the first step towards generating part of the GTK build system
        using GYP.  In the first iteration, our plan is to just generate the
        list of files.  This patch is the first step, which is to separate out
        the part of JavaScriptCore build system that we intend to generate from
        the rest of the build system.

        * GNUmakefile.am:
        * GNUmakefile.list.am: Added.

2011-04-07  Zoltan Herczeg  <zherczeg@webkit.org>

        Reviewed by Gavin Barraclough.

        Mapping booleans the same way as integers
        https://bugs.webkit.org/show_bug.cgi?id=56913

        Instead of having a seperate tag field for booleans,
        the logical values are stored in the payload field
        (for JSValue32_64 representation).

        1.007x speedup on SunSpider.

        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitStoreBool):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        * jit/JSInterfaceJIT.h:
        * runtime/JSValue.h:
        (JSC::JSValue::JSValue):
        (JSC::JSValue::isTrue):
        (JSC::JSValue::isFalse):
        (JSC::JSValue::getBoolean):

2011-04-07  Eric Seidel  <eric@webkit.org>

        Reviewed by Adam Barth.

        Add stub support for generating Gtk build system from gyp
        https://bugs.webkit.org/show_bug.cgi?id=58086

        This does not produce a buildable JavaScriptCore, but it
        does allow running gyp/configure --port=gtk and having
        it generate a gtk.Makefile which we can use for testing
        the rest of the plumbing.

        * gyp/gtk.gyp: Added.

2011-04-07  Andrew Scherkus  <scherkus@chromium.org>

        Revert ENABLE_TRACK patch due to compile failures.

        * Configurations/FeatureDefines.xcconfig:

2011-04-07  Adam Barth  <abarth@webkit.org>

        Fix whitespace in GNUmakefile.am.

        * GNUmakefile.am:

2011-04-07  Gavin Barraclough  <barraclough@apple.com>

        Fix a couple of typos in comments that Darin spotted.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_not):
        * runtime/JSImmediate.h:

2011-04-06  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.
        Bug 58057 - Store boolean payload in low bit of JSImmediate

        And remove some uncalled functions from JSImmediate.h

        * jit/JITInlineMethods.h:
        (JSC::JIT::emitTagAsBoolImmediate):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_not):
        * runtime/JSImmediate.h:
        (JSC::JSImmediate::makeInt):
        (JSC::JSImmediate::makeBool):
        (JSC::JSImmediate::intValue):
        (JSC::JSImmediate::boolValue):
        (JSC::JSImmediate::asInt32):
        (JSC::JSImmediate::toDouble):
        (JSC::JSValue::asInt32):
        (JSC::JSValue::isUInt32):
        (JSC::JSValue::asUInt32):

2011-04-07  Liang Qi  <liang.qi@nokia.com>

        Reviewed by Laszlo Gombos.

        [Qt][Symbian] Enable webkit build with GCCE on Symbian.
        https://bugs.webkit.org/show_bug.cgi?id=57841

        * wtf/MathExtras.h: GCCE compiler doesn't support those std static functions.

2011-04-06  Dai Mikurube  <dmikurube@chromium.org>

        Reviewed by David Levin.

        Add QUOTA build flag for unified quota API
        https://bugs.webkit.org/show_bug.cgi?id=57918

        * Configurations/FeatureDefines.xcconfig: Added QUOTA build flag

2011-04-06  Kevin Ollivier  <kevino@theolliviers.com>
        
        Reviewed by Darin Adler.
        
        Make sure JS_EXPORT_PRIVATE is an empty define when we aren't using the export macros.
        
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * config.h:

2011-04-06  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Stop JSObject::isUsingInlineStorage() from using the structure
        https://bugs.webkit.org/show_bug.cgi?id=57986

        Make the isUsingInlineStorage() implementation just look at
        whether the property storage is inside the object.

        * runtime/JSObject.h:
        (JSC::JSObject::isUsingInlineStorage):
        (JSC::JSObject::JSObject):

2011-04-06  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by Geoff Garen.

        Update comments documenting JSVALUE64/JSVALUE32_64 JSValue representations.

        * runtime/JSImmediate.h:
        * runtime/JSValue.h:

2011-04-06  Lucas De Marchi  <lucas.demarchi@profusion.mobi>

        cmake: Fix build for ARMv7

        * CMakeLists.txt: add missing file.

2011-04-06  Liang Qi  <liang.qi@nokia.com>

        Reviewed by Benjamin Poulain.

        Correct a include file name.
        https://bugs.webkit.org/show_bug.cgi?id=57839

        * wtf/PageAllocatorSymbian.h: It should be case sensitive. This fix 
        builds on Unix hosts.

2011-04-06  Adam Roben  <aroben@apple.com>

        Build fix after r83056

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: Added property svn:executable.

2011-04-06  Adam Roben  <aroben@apple.com>

        Move JavaScriptCoreGenerated's file-copying logic out to a new script

        Hopefully this will make it easier to modify this logic in the future. I also made the
        script much quieter than the old logic, since it didn't seem helpful to see long lists of
        filenames during the copying phase.

        If we like this new style, we could copy it for our other projects.

        Fixes <http://webkit.org/b/57950> JavaScriptCoreGenerated's file-copying logic is hard to
        modify and noisy

        Reviewed by Steve Falkenburg.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make: Moved logic to copy
        files from here...
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: ...to here. (Added.)

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj: Added copy-files.cmd
        for convenience.

2011-04-05  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Who likes export files? I do!

2011-04-05  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Introduced the concept of opaque roots, in preparation for marking the DOM with them
        https://bugs.webkit.org/show_bug.cgi?id=57903

        * JavaScriptCore.exp: Who likes export files? I do!

        * collector/handles/HandleHeap.cpp:
        (JSC::isValidWeakHandle): Factored out a helper function for ASSERTs.

        (JSC::WeakHandleOwner::~WeakHandleOwner): Moved from header to avoid
        weak linkage problems.

        (JSC::WeakHandleOwner::isReachableFromOpaqueRoots): New callback.
        Currently unused.

        (JSC::WeakHandleOwner::finalize): Switched from pure virtual to a
        default empty implementation, since not all clients necessarily want
        or need non-trivial finalizers.

        (JSC::HandleHeap::markWeakHandles): Split updateWeakHandles into two
        passes. The first pass marks all reachable weak handles. The second pass
        finalizes all unreachable weak handles. This must be two passes because
        we don't know the set of finalizable weak handles until we're done
        marking all weak handles.

        (JSC::HandleHeap::finalizeWeakHandles): Use new helper function.

        * collector/handles/HandleHeap.h: Ditto.

        * runtime/Heap.cpp: 
        (JSC::Heap::destroy):
        (JSC::Heap::markRoots):
        (JSC::Heap::reset): Split out handle marking from handle finalization.

        * runtime/MarkStack.cpp:
        (JSC::MarkStack::reset):
        * runtime/MarkStack.h:
        (JSC::MarkStack::addOpaqueRoot):
        (JSC::MarkStack::containsOpaqueRoot):
        (JSC::MarkStack::opaqueRootCount):
        (JSC::HeapRootMarker::markStack): New helper functions for managing the
        set of opaque roots.

        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::finalize): Renamed to match parent class declaration.

2011-04-05  Balazs Kelemen  <kbalazs@webkit.org>

        Reviewed by Darin Adler.

        Build fix for YarrParser.h
        https://bugs.webkit.org/show_bug.cgi?id=57822

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):

2011-04-05  Steve Falkenburg  <sfalken@apple.com>

        Follow-up Windows build fix.
        Don't skip react-to-vsprops-changes.py for all production builds,
        only those initiated via JavaScriptCore.make.

        * JavaScriptCore.vcproj/JavaScriptCore.make:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make:

2011-04-05  Oliver Hunt  <oliver@apple.com>

        Reviewed by Darin Adler.

        REGRESSION (r82849): 85,000+ JSC-related leaks seen on SnowLeopard Intel Leaks
        https://bugs.webkit.org/show_bug.cgi?id=57857

        Whoops, accidentally removed a deref().

        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):

2011-04-05  Steve Falkenburg  <sfalken@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj: Add per-configuration vsprops files.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedCommon.vsprops: Removed inheritance from common.vsprops.
        Set production environment variable before calling make.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleasePGO.vsprops: Added.

2011-04-05  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make caches window show more info about non-jsobject GC values
        https://bugs.webkit.org/show_bug.cgi?id=57874

        Add ClassInfo to the various internal JS types that currently
        don't have any, and make the text for caches window show the
        classname for non-JSObject instances.

        * runtime/Executable.cpp:
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/Heap.cpp:
        (JSC::TypeCounter::typeName):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/ScopeChain.cpp:
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::createStructure):
        * runtime/StructureChain.cpp:
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):

2011-04-05  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Andreas Kling.

        Cleanup StringConcatenate
        https://bugs.webkit.org/show_bug.cgi?id=57836

        Don't use PassRefPtr in local variables, properly store in RefPtrs and release on return.
        Add a makeString() variant taking 9 arguments, needed by a follow-up patch.

        * wtf/text/StringConcatenate.h:
        (WTF::tryMakeString):
        (WTF::makeString):

2011-04-04  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r82876.
        http://trac.webkit.org/changeset/82876
        https://bugs.webkit.org/show_bug.cgi?id=57816

        Caused a lot of test crashes (Requested by tkent on #webkit).

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/FastMalloc.cpp:
        (WTF::tryFastMalloc):
        (WTF::fastMalloc):
        (WTF::tryFastCalloc):
        (WTF::fastCalloc):
        (WTF::fastFree):
        (WTF::tryFastRealloc):
        (WTF::fastRealloc):
        (WTF::fastMallocSize):
        (WTF::TCMalloc_PageHeap::isScavengerSuspended):
        (WTF::TCMalloc_PageHeap::scheduleScavenger):
        (WTF::TCMalloc_PageHeap::suspendScavenger):
        (WTF::TCMalloc_PageHeap::signalScavenger):
        (WTF::TCMallocStats::malloc):
        (WTF::TCMallocStats::free):
        (WTF::TCMallocStats::fastCalloc):
        (WTF::TCMallocStats::tryFastCalloc):
        (WTF::TCMallocStats::calloc):
        (WTF::TCMallocStats::fastRealloc):
        (WTF::TCMallocStats::tryFastRealloc):
        (WTF::TCMallocStats::realloc):
        (WTF::TCMallocStats::fastMallocSize):
        * wtf/FastMalloc.h:
        (WTF::Internal::fastMallocMatchValidationType):
        (WTF::Internal::fastMallocMatchValidationValue):
        (WTF::Internal::setFastMallocMatchValidationType):
        (WTF::fastMallocMatchValidateFree):
        * wtf/Platform.h:

2011-04-04  Oliver Hunt  <oliver@apple.com>

        Reviewed by Antti Koivisto.

        Stop JSCell.h from including Structure.h
        https://bugs.webkit.org/show_bug.cgi?id=57809

        * runtime/GetterSetter.h:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::toThisObject):
        * runtime/JSString.h:
        * runtime/ScopeChain.h:
        * runtime/Structure.h:
        (JSC::JSCell::isObject):
        (JSC::JSCell::isString):
        (JSC::JSCell::classInfo):
        (JSC::JSCell::createDummyStructure):
        (JSC::JSValue::needsThisConversion):
        (JSC::MarkStack::internalAppend):
        * runtime/StructureChain.h:

2011-04-04  Oliver Hunt  <oliver@apple.com>

        Fix clang build.

        * wtf/FastMalloc.cpp:
        (WTF::fastMalloc):
        (WTF::fastCalloc):
        (WTF::fastRealloc):

2011-04-04  Oliver Hunt  <oliver@apple.com>

        Remove accidental change to Platform.h

        * wtf/Platform.h:

2011-04-04  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Fixed a weak-handle-related leak in RegisterFile
        https://bugs.webkit.org/show_bug.cgi?id=57793

        * interpreter/RegisterFile.cpp: Nixed leaky GlobalObjectNotifier.
        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::GlobalObjectOwner::finalize):
        (JSC::RegisterFile::RegisterFile): Replaced GlobalObjectNotifier with
        a per-RegisterFile weak handle owner, which does not leak.

        * runtime/WeakGCPtr.h:
        (JSC::WeakGCPtr::set): Allow set() to take a context argument, since
        RegisterFile now needs this. (Seems like it was an accidental omission
        all along.)

2011-04-04  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make malloc validation useful
        https://bugs.webkit.org/show_bug.cgi?id=57502

        This patch changes FAST_MALLOC_MATCH_VALIDATION with a general
        corruption check that tags the beginning and end of all allocations
        to check for write overflows and overwrites the contents of
        memory on free in order to (hopefully) show up use-after-free issues
        sooner.

        We also turn it on by default for debug builds.

        * JavaScriptCore.exp:
        * wtf/FastMalloc.cpp:
        (WTF::tryFastMalloc):
        (WTF::fastMalloc):
        (WTF::tryFastCalloc):
        (WTF::fastCalloc):
        (WTF::fastFree):
        (WTF::tryFastRealloc):
        (WTF::fastRealloc):
        (WTF::TCMalloc_PageHeap::isScavengerSuspended):
        (WTF::TCMalloc_PageHeap::scheduleScavenger):
        (WTF::TCMalloc_PageHeap::suspendScavenger):
        (WTF::TCMalloc_PageHeap::signalScavenger):
        (WTF::TCMallocStats::malloc):
        (WTF::TCMallocStats::free):
        (WTF::TCMallocStats::fastCalloc):
        (WTF::TCMallocStats::tryFastCalloc):
        (WTF::TCMallocStats::calloc):
        (WTF::TCMallocStats::fastRealloc):
        (WTF::TCMallocStats::tryFastRealloc):
        (WTF::TCMallocStats::realloc):
        * wtf/FastMalloc.h:
        (WTF::Internal::fastMallocValidationHeader):
        (WTF::Internal::fastMallocValidationSuffix):
        (WTF::Internal::fastMallocMatchValidationType):
        (WTF::Internal::setFastMallocMatchValidationType):
        (WTF::fastMallocMatchValidateFree):
        (WTF::fastMallocValidate):
        * wtf/Platform.h:

2011-04-04  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Renamed clearWeakPointers => updateWeakHandles and removed misleading comment
        https://bugs.webkit.org/show_bug.cgi?id=57790

        * collector/handles/HandleHeap.cpp:
        (JSC::HandleHeap::updateWeakHandles): Updated for rename.

        * collector/handles/HandleHeap.h: Removed comment claiming that this
        function should only be called during teardown, because it's actually
        called after every GC pass.

        * runtime/Heap.cpp:
        (JSC::Heap::destroy):
        (JSC::Heap::markRoots): Updated for rename.

2011-04-04  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Standardized handling of handles for immediate values
        https://bugs.webkit.org/show_bug.cgi?id=57788

        * collector/handles/HandleHeap.cpp:
        (JSC::HandleHeap::clearWeakPointers): Don't check for null or non-cell
        values here, because our write barrier guarantees that such values are
        not in the weak list.

        (JSC::HandleHeap::writeBarrier): Standardized on checking for null before
        checking for cell, and on using early return instead of if/else.

        * collector/handles/HandleHeap.h:
        (JSC::HandleHeap::deallocate):
        (JSC::HandleHeap::makeWeak): Ditto.

2011-04-04  Geoffrey Garen  <ggaren@apple.com>

        Not reviewed.

        Removed a redundant variable from HandleHeap
        https://bugs.webkit.org/show_bug.cgi?id=57786
        
        Forgot to commit the file that actually removes the data member!
        
        * collector/handles/HandleHeap.h:

2011-04-04  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed a redundant variable from HandleHeap
        https://bugs.webkit.org/show_bug.cgi?id=57786
        
        We don't need a specific variable to indicate that we're in the middle
        of the finalization phase, since m_nextToFinalize already does this.

        * collector/handles/HandleHeap.cpp:
        (JSC::HandleHeap::HandleHeap):
        (JSC::HandleHeap::clearWeakPointers):
        (JSC::HandleHeap::writeBarrier):

2011-04-04  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Renamed Finalizer => WeakHandleOwner (in preparation for adding a reachability callback)
        https://bugs.webkit.org/show_bug.cgi?id=57775
        
        Also renamed noFinalizer => emptyWeakOwner, since this is really an
        optimization for a weak owner with empty callbacks.

        * collector/handles/HandleHeap.cpp:
        (JSC::HandleHeap::clearWeakPointers): Updated for renames. Removed
        redundant initialization of m_nextToFinalize. Moved deletion check inside
        weak owner check, since the weak owner can't delete the node if there is
        no weak owner!

        * collector/handles/HandleHeap.h:
        (JSC::WeakHandleOwner::~WeakHandleOwner):
        (JSC::HandleHeap::makeWeak): Updated for renames.

        (JSC::HandleHeap::hasWeakOwner): Changed getFinalizer to hasWeakOwner,
        to clarify this function's role in assertions.

        (JSC::HandleHeap::Node::Node):
        (JSC::HandleHeap::Node::makeWeak):
        (JSC::HandleHeap::Node::isWeak):
        (JSC::HandleHeap::Node::weakOwner):
        (JSC::HandleHeap::Node::weakOwnerContext):
        (JSC::HandleHeap::Node::emptyWeakOwner):
        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::globalObjectCollectedNotifier):
        * interpreter/RegisterFile.h:
        * runtime/WeakGCMap.h:
        * runtime/WeakGCPtr.h:
        (JSC::WeakGCPtr::WeakGCPtr):
        (JSC::WeakGCPtr::set): Updated for renames.

2011-04-04  Oliver Hunt  <oliver@apple.com>

        Fix WinCE build.

        * bytecode/Instruction.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCachePutByID):
        (JSC::Interpreter::tryCacheGetByID):

2011-04-04  Adam Roben  <aroben@apple.com>

        Delete mt.dep files when doing a clean build due to .vsprops file changes

        Apparently this is yet another file that Visual Studio can't figure out it needs to rebuild.

        Fixes <http://webkit.org/b/57777> r82850 failed to build on Windows Debug (Build)

        Reviewed by Brian Weinstein.

        * JavaScriptCore.vcproj/JavaScriptCore/react-to-vsprops-changes.py:
        (main): Added dep to the list of extensions we look for when choosing files to delete.

2011-04-01  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make StructureChain GC allocated
        https://bugs.webkit.org/show_bug.cgi?id=56695

        Make StructureChain GC allocated, and make the various owners
        mark it correctly.

        * JavaScriptCore.exp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::derefStructures):
        (JSC::CodeBlock::refStructures):
        (JSC::CodeBlock::markAggregate):
        * bytecode/Instruction.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::derefStructures):
        (JSC::PolymorphicAccessStructureList::markAggregate):
        (JSC::Instruction::Instruction):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::markAggregate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdChain):
        (JSC::StructureStubInfo::initPutByIdTransition):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
        * collector/handles/Handle.h:
        (JSC::HandleConverter::operator->):
        (JSC::HandleConverter::operator*):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jneq_ptr):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jneq_ptr):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCachePutByID):
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::getPolymorphicAccessStructureListSlot):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSCell.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::markIfNeeded):
        * runtime/JSGlobalObject.h:
        (JSC::Structure::prototypeChain):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::markChildrenDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        (JSC::JSPropertyNameIterator::get):
        (JSC::JSPropertyNameIterator::markChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::setCachedPrototypeChain):
        * runtime/JSZombie.cpp:
        (JSC::JSZombie::leakedZombieStructure):
        * runtime/JSZombie.h:
        * runtime/MarkStack.h:
        (JSC::MarkStack::append):
        * runtime/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:
        (JSC::Structure::markAggregate):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        (JSC::StructureChain::~StructureChain):
        (JSC::StructureChain::markChildren):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):
        (JSC::StructureChain::createStructure):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):
        (JSC::WriteBarrierBase::operator*):
        (JSC::WriteBarrierBase::operator->):

2011-04-01  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed some complexity from HandleHeap
        https://bugs.webkit.org/show_bug.cgi?id=57650
        
        Eliminated pointer-tagging flags.
        
        Tied being weak to having a finalizer (or at least a finalizer sentinel).

        * collector/handles/HandleHeap.cpp:
        (JSC::HandleHeap::clearWeakPointers): Removed the special self-destroying
        flag. It was unused. If we bring it back, we'll probably use a shared
        autodeallocating finalizer instead.

        * collector/handles/HandleHeap.h:
        (JSC::HandleHeap::makeWeak): makeWeak and adding a finalizer are now
        a single, atomic operation -- this makes the relationship between
        finalizers and weak pointers clearer, and impossible to get wrong.

        (JSC::HandleHeap::Node::Node):
        (JSC::HandleHeap::Node::handleHeap): No more flags.

        (JSC::HandleHeap::Node::makeWeak):
        (JSC::HandleHeap::Node::isWeak): Ditto above. We use a special sentienl
        value in the finalizer slot to indicate that a handle is weak but doesn't
        require an external function call for finalization.

2011-04-01  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed WeakGCMap::deprecatedRemove because it was deprecated and unused
        https://bugs.webkit.org/show_bug.cgi?id=57648

        * runtime/WeakGCMap.h:

2011-04-01  Adam Roben  <aroben@apple.com>

        Maintain the invariant that Lexer::m_current is set to -1 when at the end of the code buffer

        Covered by existing tests.

        Fixes <http://webkit.org/b/56699>.

        Reviewed by Oliver Hunt.

        * parser/Lexer.h:
        (JSC::Lexer::setOffset): Copied code from Lexer::shift to update m_current, because
        supposedly the idiom that function uses is fast.

2011-03-31  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Oliver Hunt.

        SH4 JIT SUPPORT.
        https://bugs.webkit.org/show_bug.cgi?id=44329

        Add YARR support for SH4 platforms (disabled by default).

        * GNUmakefile.am:
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerSH4.cpp: Added.
        * assembler/MacroAssemblerSH4.h: Added.
        * assembler/SH4Assembler.h: Added.
        * yarr/YarrJIT.cpp:

2011-03-30  Adam Roben  <aroben@apple.com>

        Clean build fix

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Serialized project dependencies so projects
        don't try to build in parallel (which doesn't mesh with our buildfailed mechanism).

2011-03-30  Oliver Hunt  <oliver@apple.com>

        Rollout r82500

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::derefStructures):
        (JSC::CodeBlock::refStructures):
        (JSC::CodeBlock::markAggregate):
        * bytecode/Instruction.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::derefStructures):
        (JSC::Instruction::Instruction):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdChain):
        (JSC::StructureStubInfo::initPutByIdTransition):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jneq_ptr):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jneq_ptr):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITStubs.cpp:
        (JSC::getPolymorphicAccessStructureListSlot):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSCell.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::markIfNeeded):
        * runtime/JSGlobalObject.h:
        (JSC::Structure::prototypeChain):
        * runtime/JSObject.h:
        (JSC::JSObject::markChildrenDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        (JSC::JSPropertyNameIterator::get):
        (JSC::JSPropertyNameIterator::markChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::setCachedPrototypeChain):
        * runtime/MarkStack.h:
        (JSC::MarkStack::append):
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):

2011-03-29  Matthew Delaney  <mdelaney@apple.com>

        Reviewed by Simon Fraser.

        Use the Accelerate vImage vectorized (un)premultiplyImageData functions for ImageBufferCG

        https://bugs.webkit.org/show_bug.cgi?id=53134

        * wtf/Platform.h: Added in WTF flag for using the Accelerate framework

2011-03-30  Steve Falkenburg  <sfalken@apple.com>

        Reviewed by Adam Roben.

        Share most vsprops between Release and Production builds in releaseproduction.vsprops
        https://bugs.webkit.org/show_bug.cgi?id=57508

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreProduction.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreRelease.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFProduction.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFRelease.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFReleasePGO.vsprops:
        * JavaScriptCore.vcproj/jsc/jscProduction.vsprops:
        * JavaScriptCore.vcproj/jsc/jscRelease.vsprops:
        * JavaScriptCore.vcproj/jsc/jscReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiProduction.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiRelease.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiReleaseCairoCFLite.vsprops:

2011-03-30  Mark Rowe  <mrowe@apple.com>

        Reviewed by Adam Roben.

        Explicitly prevent testapi and minidom from being installed rather than relying
        on Xcode's current behavior of not installing if INSTALL_PATH is not explicitly
        set at the target level.

        <rdar://problem/9206357>

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-03-30  Timur Iskhodzhanov  <timurrrr@google.com>

        Reviewed by Alexey Proskuryakov.

        Add some dynamic annotations to JavaScriptCore/wtf
        https://bugs.webkit.org/show_bug.cgi?id=53747

        By using these annotations we can improve the precision of finding
        WebKit errors using dynamic analysis tools like ThreadSanitizer and Valgrind.
        These annotations don't affect the compiled binaries unless USE(DYNAMIC_ANNOTATIONS) is "1".

        These files don't add new functionality, so don't need extra tests.

        * GNUmakefile.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        * wtf/DynamicAnnotations.cpp: Added.
        (WTFAnnotateBenignRaceSized):
        (WTFAnnotateHappensBefore):
        (WTFAnnotateHappensAfter):
        * wtf/DynamicAnnotations.h: Added.
        * wtf/ThreadSafeRefCounted.h:
        (WTF::ThreadSafeRefCountedBase::derefBase):
        * wtf/text/StringStatics.cpp:
        (WTF::StringImpl::empty):

2011-03-30  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make StructureChain GC allocated
        https://bugs.webkit.org/show_bug.cgi?id=56695

        Make StructureChain GC allocated, and make the various owners
        mark it correctly.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::derefStructures):
        (JSC::CodeBlock::refStructures):
        (JSC::CodeBlock::markAggregate):
        * bytecode/Instruction.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::derefStructures):
        (JSC::PolymorphicAccessStructureList::markAggregate):
        (JSC::Instruction::Instruction):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::markAggregate):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdChain):
        (JSC::StructureStubInfo::initPutByIdTransition):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_jneq_ptr):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jneq_ptr):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompileGetByIdChainList):
        * jit/JITStubs.cpp:
        (JSC::getPolymorphicAccessStructureListSlot):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSCell.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::markIfNeeded):
        * runtime/JSGlobalObject.h:
        (JSC::Structure::prototypeChain):
        * runtime/JSObject.h:
        (JSC::JSObject::markChildrenDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        (JSC::JSPropertyNameIterator::get):
        (JSC::JSPropertyNameIterator::markChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::setCachedPrototypeChain):
        * runtime/MarkStack.h:
        (JSC::MarkStack::append):
        * runtime/Structure.h:
        (JSC::Structure::cachedPrototypeChainSlot):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::StructureChain):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):
        (JSC::StructureChain::createStructure):

2011-03-30  Steve Falkenburg  <sfalken@apple.com>

        Reviewed by Adam Roben.

        Update Windows production build logic for new production configurations
        https://bugs.webkit.org/show_bug.cgi?id=57494

        * JavaScriptCore.vcproj/JavaScriptCore.make:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreProduction.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFProduction.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFReleasePGO.vsprops:
        * JavaScriptCore.vcproj/jsc/jscProduction.vsprops:
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiProduction.vsprops:

2011-03-30  Steve Falkenburg  <sfalken@apple.com>

        Reviewed by Adam Roben.

        Rename Windows configuration Release_LTCG to Production for clarity
        https://bugs.webkit.org/show_bug.cgi?id=57465

        * JavaScriptCore.vcproj/JavaScriptCore.sln:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreProduction.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseLTCG.vsprops.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseLTCG.vsprops: Removed.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.vcproj/WTF/WTFProduction.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/WTF/WTFReleaseLTCG.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFReleaseLTCG.vsprops: Removed.
        * JavaScriptCore.vcproj/jsc/jsc.vcproj:
        * JavaScriptCore.vcproj/jsc/jscProduction.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/jsc/jscReleaseLTCG.vsprops.
        * JavaScriptCore.vcproj/jsc/jscReleaseLTCG.vsprops: Removed.
        * JavaScriptCore.vcproj/testapi/testapi.vcproj:
        * JavaScriptCore.vcproj/testapi/testapiProduction.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/testapi/testapiReleaseLTCG.vsprops.
        * JavaScriptCore.vcproj/testapi/testapiReleaseLTCG.vsprops: Removed.

2011-03-30  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>

        Reviewed by Maciej Stachowiak.

        Add the NEXT_OPCODE() macro to the DFG-JIT parser
        https://bugs.webkit.org/show_bug.cgi?id=57322

        In JavaScriptCore we use macros to jump to the next opcode
        (both in interpreter and JIT). This macro is added to the
        DFG-JIT parser as well.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2011-03-29  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Darin Adler.

        ~25% regression on v8-splay in the SunSpider harness
        https://bugs.webkit.org/show_bug.cgi?id=56128
        
        I'm not sure if this is the root cause of the regression Stephanie
        measured, but it seems to get us back to previous v8-splay times.
        
        SunSpider reports no change. v8-splay says 41% faster.

        * runtime/Heap.cpp:
        (JSC::Heap::reset): Make marking proportional to 1X the size of the heap,
        not .5X the size of the heap. When the heap is large, this makes a big
        difference. (Our old heap growth policy matched this. You can see by
        looking at resizeBlocks in revisions prior to r77699.)

2011-03-29  Steve Falkenburg  <sfalken@apple.com>

        Reviewed by Darin Adler.

        Use per-configuration vsprops in JavaScriptCore to avoid WebKitVSPropsRedirectionDir removal by MSVC IDE
        https://bugs.webkit.org/show_bug.cgi?id=57350
        
        Visual Studio's IDE was removing instances of $(WebKitVSPropsRedirectionDir) from
        InheritedPropertySheet rules in our vcproj files when the vcproj was edited from within
        the IDE. To avoid this, add a separate vsprops file for each project configuration that
        contains the required inherited property sheets.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebug.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugAll.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreRelease.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseLTCG.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops: Added.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops: Added.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.vcproj/WTF/WTFDebug.vsprops: Added.
        * JavaScriptCore.vcproj/WTF/WTFDebugAll.vsprops: Added.
        * JavaScriptCore.vcproj/WTF/WTFDebugCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/WTF/WTFRelease.vsprops: Added.
        * JavaScriptCore.vcproj/WTF/WTFReleaseCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/WTF/WTFReleaseLTCG.vsprops: Added.
        * JavaScriptCore.vcproj/WTF/WTFReleasePGO.vsprops: Added.
        * JavaScriptCore.vcproj/jsc/jsc.vcproj:
        * JavaScriptCore.vcproj/jsc/jscDebug.vsprops: Added.
        * JavaScriptCore.vcproj/jsc/jscDebugAll.vsprops: Added.
        * JavaScriptCore.vcproj/jsc/jscDebugCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/jsc/jscRelease.vsprops: Added.
        * JavaScriptCore.vcproj/jsc/jscReleaseCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/jsc/jscReleaseLTCG.vsprops: Added.
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops: Added.
        * JavaScriptCore.vcproj/testapi/testapi.vcproj:
        * JavaScriptCore.vcproj/testapi/testapiDebug.vsprops: Added.
        * JavaScriptCore.vcproj/testapi/testapiDebugAll.vsprops: Added.
        * JavaScriptCore.vcproj/testapi/testapiDebugCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/testapi/testapiRelease.vsprops: Added.
        * JavaScriptCore.vcproj/testapi/testapiReleaseCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/testapi/testapiReleaseLTCG.vsprops: Added.

2011-03-29  Oliver Hunt  <oliver@apple.com>

        Reviewed by Eric Seidel.

        REGRESSION(r82173): Causes assertion and test failures in run-javascriptcore-tests on Windows (Requested by aroben on #webkit).
        https://bugs.webkit.org/show_bug.cgi?id=57333

        constructDate now takes the global object explicitly as it may be called
        by functions other than the constructor itself.

        * API/JSObjectRef.cpp:
        (JSObjectMakeDate):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::constructWithDateConstructor):
        * runtime/DateConstructor.h:

2011-03-29  Ben Taylor  <bentaylor.solx86@gmail.com>

        Reviewed by Benjamin Poulain.

        https://bugs.webkit.org/show_bug.cgi?id=41953

        Fix compile error on Solaris 10/Sun Studio 12 CC emanating from MathExtras.h

        * wtf/MathExtras.h:

2011-03-29  Ben Taylor  <bentaylor.solx86@gmail.com>

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=57231
        Add conditional for SUNCC supporting alignment macros

        Compile fix for Solaris 10/Sun Studio 12 CC

        * wtf/Vector.h:

2011-03-29  Ben Taylor  <bentaylor.solx86@gmail.com>

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=57256

        Fix crash on misaligned reads on Solaris 10/Sparc

        * wtf/text/AtomicString.cpp:
        (WTF::equal):

2011-03-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        instanceof Array test fails when using iframes
        https://bugs.webkit.org/show_bug.cgi?id=17250

        This is a problem with all built in constructors, the use of
        lexicalGlobalObject rather than the constructors own 
        global object reference means that a builtin will always use
        the prototype from the lexical global object rather than that
        of the constructors origin.

        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeRegExp):
        * JavaScriptCore.exp:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/BooleanConstructor.cpp:
        (JSC::constructBoolean):
        (JSC::constructBooleanFromImmediateBoolean):
        * runtime/BooleanConstructor.h:
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstance.cpp:
        * runtime/DateInstance.h:
        * runtime/ErrorConstructor.cpp:
        (JSC::constructWithErrorConstructor):
        (JSC::callErrorConstructor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructWithFunctionConstructor):
        (JSC::callFunctionConstructor):
        (JSC::constructFunction):
        * runtime/FunctionConstructor.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getOwnPropertySlot):
        (JSC::JSCell::put):
        (JSC::JSCell::deleteProperty):
        (JSC::JSCell::toThisObject):
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::toObject):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::toObject):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::toObject):
        * runtime/JSObject.h:
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        (JSC::JSString::toObject):
        (JSC::JSString::toThisObject):
        * runtime/JSString.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::toThisObjectSlowCase):
        (JSC::JSValue::synthesizeObject):
        * runtime/JSValue.h:
        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor):
        * runtime/NumberObject.cpp:
        (JSC::constructNumber):
        * runtime/NumberObject.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::constructObject):
        (JSC::constructWithObjectConstructor):
        (JSC::callObjectConstructor):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        (JSC::constructWithRegExpConstructor):
        (JSC::callRegExpConstructor):
        * runtime/RegExpConstructor.h:
        * runtime/StringConstructor.cpp:
        (JSC::constructWithStringConstructor):
        * runtime/StringObject.h:

2011-03-28  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        REGRESSION [r78794-r79249] Allocation of memory is slow when number of active objects is large
        https://bugs.webkit.org/show_bug.cgi?id=56823
        
        Partial fix for most of the problem. (TOT still shows a regression, though.)

        * runtime/Heap.cpp:
        (JSC::Heap::reportExtraMemoryCostSlowCase): Use highWaterMark(), instead of
        capacity(), since capacity() is O(n) relative to the size of the heap.

        In limited circumstances, capacity() is also worse than highWaterMark()
        for measuring extra cost relative to heap size, since capacity() only
        measures the *current* capacity of the heap, but the heap will grow if
        necessary to attain highWaterMark().

2011-03-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r82130): It made all tests crash (Requested by Ossy on #webkit).
        https://bugs.webkit.org/show_bug.cgi?id=57251

        Build fix, had remnant of another patch in r82130

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdChainList):

2011-03-27  Oliver Hunt  <oliver@apple.com>

        Reviewed by Maciej Stachowiak.

        Add additional immediate types to allow us to distinguish the source of a JIT immediate
        https://bugs.webkit.org/show_bug.cgi?id=57190

        Allow us to distinguish whether a JIT immediate is a value that we
        control (TrustedImm32 and TrustedImmPtr) vs. ones that can be controlled
        or influenced by code we are compiling.  Currently we do nothing with this
        information -- this change is large and mechanical but would obscure any
        logic changes that we would have made.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        (JSC::AbstractMacroAssembler::ImmPtr::ImmPtr):
        (JSC::AbstractMacroAssembler::TrustedImm32::TrustedImm32):
        (JSC::AbstractMacroAssembler::Imm32::Imm32):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::pop):
        (JSC::MacroAssembler::poke):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::branch32):
        (JSC::MacroAssembler::addPtr):
        (JSC::MacroAssembler::andPtr):
        (JSC::MacroAssembler::orPtr):
        (JSC::MacroAssembler::subPtr):
        (JSC::MacroAssembler::xorPtr):
        (JSC::MacroAssembler::setPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::branchTestPtr):
        (JSC::MacroAssembler::branchSubPtr):
        (JSC::MacroAssembler::branchTest8):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (JSC::MacroAssemblerARM::and32):
        (JSC::MacroAssemblerARM::lshift32):
        (JSC::MacroAssemblerARM::mul32):
        (JSC::MacroAssemblerARM::or32):
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::urshift32):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::xor32):
        (JSC::MacroAssemblerARM::store32):
        (JSC::MacroAssemblerARM::push):
        (JSC::MacroAssemblerARM::move):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branch32):
        (JSC::MacroAssemblerARM::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM::branch16):
        (JSC::MacroAssemblerARM::branchTest8):
        (JSC::MacroAssemblerARM::branchTest32):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::branchMul32):
        (JSC::MacroAssemblerARM::branchSub32):
        (JSC::MacroAssemblerARM::set32Compare32):
        (JSC::MacroAssemblerARM::set8Compare32):
        (JSC::MacroAssemblerARM::set32Test32):
        (JSC::MacroAssemblerARM::set32Test8):
        (JSC::MacroAssemblerARM::moveWithPatch):
        (JSC::MacroAssemblerARM::branchPtrWithPatch):
        (JSC::MacroAssemblerARM::storePtrWithPatch):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::add32):
        (JSC::MacroAssemblerARMv7::and32):
        (JSC::MacroAssemblerARMv7::lshift32):
        (JSC::MacroAssemblerARMv7::mul32):
        (JSC::MacroAssemblerARMv7::or32):
        (JSC::MacroAssemblerARMv7::rshift32):
        (JSC::MacroAssemblerARMv7::urshift32):
        (JSC::MacroAssemblerARMv7::sub32):
        (JSC::MacroAssemblerARMv7::xor32):
        (JSC::MacroAssemblerARMv7::load32):
        (JSC::MacroAssemblerARMv7::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARMv7::load16):
        (JSC::MacroAssemblerARMv7::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARMv7::store32):
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        (JSC::MacroAssemblerARMv7::push):
        (JSC::MacroAssemblerARMv7::move):
        (JSC::MacroAssemblerARMv7::compare32):
        (JSC::MacroAssemblerARMv7::test32):
        (JSC::MacroAssemblerARMv7::branch32):
        (JSC::MacroAssemblerARMv7::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARMv7::branch16):
        (JSC::MacroAssemblerARMv7::branch8):
        (JSC::MacroAssemblerARMv7::branchTest32):
        (JSC::MacroAssemblerARMv7::branchTest8):
        (JSC::MacroAssemblerARMv7::branchAdd32):
        (JSC::MacroAssemblerARMv7::branchMul32):
        (JSC::MacroAssemblerARMv7::branchSub32):
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::set32Compare32):
        (JSC::MacroAssemblerARMv7::set8Compare32):
        (JSC::MacroAssemblerARMv7::set32Test32):
        (JSC::MacroAssemblerARMv7::set32Test8):
        (JSC::MacroAssemblerARMv7::moveWithPatch):
        (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::storePtrWithPatch):
        (JSC::MacroAssemblerARMv7::tailRecursiveCall):
        (JSC::MacroAssemblerARMv7::makeJump):
        (JSC::MacroAssemblerARMv7::makeBranch):
        (JSC::MacroAssemblerARMv7::setupArmAddress):
        (JSC::MacroAssemblerARMv7::makeBaseIndexBase):
        (JSC::MacroAssemblerARMv7::moveFixedWidthEncoding):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (JSC::MacroAssemblerMIPS::and32):
        (JSC::MacroAssemblerMIPS::lshift32):
        (JSC::MacroAssemblerMIPS::mul32):
        (JSC::MacroAssemblerMIPS::or32):
        (JSC::MacroAssemblerMIPS::rshift32):
        (JSC::MacroAssemblerMIPS::urshift32):
        (JSC::MacroAssemblerMIPS::sub32):
        (JSC::MacroAssemblerMIPS::xor32):
        (JSC::MacroAssemblerMIPS::load32):
        (JSC::MacroAssemblerMIPS::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerMIPS::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerMIPS::store32):
        (JSC::MacroAssemblerMIPS::push):
        (JSC::MacroAssemblerMIPS::move):
        (JSC::MacroAssemblerMIPS::branch8):
        (JSC::MacroAssemblerMIPS::branch32):
        (JSC::MacroAssemblerMIPS::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerMIPS::branch16):
        (JSC::MacroAssemblerMIPS::branchTest32):
        (JSC::MacroAssemblerMIPS::branchTest8):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchMul32):
        (JSC::MacroAssemblerMIPS::branchSub32):
        (JSC::MacroAssemblerMIPS::set8Compare32):
        (JSC::MacroAssemblerMIPS::set32Compare32):
        (JSC::MacroAssemblerMIPS::set32Test8):
        (JSC::MacroAssemblerMIPS::set32Test32):
        (JSC::MacroAssemblerMIPS::moveWithPatch):
        (JSC::MacroAssemblerMIPS::branchPtrWithPatch):
        (JSC::MacroAssemblerMIPS::storePtrWithPatch):
        (JSC::MacroAssemblerMIPS::tailRecursiveCall):
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::add32):
        (JSC::MacroAssemblerX86::addWithCarry32):
        (JSC::MacroAssemblerX86::and32):
        (JSC::MacroAssemblerX86::or32):
        (JSC::MacroAssemblerX86::sub32):
        (JSC::MacroAssemblerX86::store32):
        (JSC::MacroAssemblerX86::branch32):
        (JSC::MacroAssemblerX86::moveWithPatch):
        (JSC::MacroAssemblerX86::branchPtrWithPatch):
        (JSC::MacroAssemblerX86::storePtrWithPatch):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::add32):
        (JSC::MacroAssemblerX86Common::and32):
        (JSC::MacroAssemblerX86Common::lshift32):
        (JSC::MacroAssemblerX86Common::mul32):
        (JSC::MacroAssemblerX86Common::or32):
        (JSC::MacroAssemblerX86Common::rshift32):
        (JSC::MacroAssemblerX86Common::urshift32):
        (JSC::MacroAssemblerX86Common::sub32):
        (JSC::MacroAssemblerX86Common::xor32):
        (JSC::MacroAssemblerX86Common::store32):
        (JSC::MacroAssemblerX86Common::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerX86Common::push):
        (JSC::MacroAssemblerX86Common::move):
        (JSC::MacroAssemblerX86Common::branch8):
        (JSC::MacroAssemblerX86Common::branch32):
        (JSC::MacroAssemblerX86Common::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerX86Common::branch16):
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::branchTest8):
        (JSC::MacroAssemblerX86Common::branchAdd32):
        (JSC::MacroAssemblerX86Common::branchMul32):
        (JSC::MacroAssemblerX86Common::branchSub32):
        (JSC::MacroAssemblerX86Common::set8Compare32):
        (JSC::MacroAssemblerX86Common::set32Compare32):
        (JSC::MacroAssemblerX86Common::set32Test8):
        (JSC::MacroAssemblerX86Common::set32Test32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::and32):
        (JSC::MacroAssemblerX86_64::or32):
        (JSC::MacroAssemblerX86_64::sub32):
        (JSC::MacroAssemblerX86_64::loadDouble):
        (JSC::MacroAssemblerX86_64::addDouble):
        (JSC::MacroAssemblerX86_64::convertInt32ToDouble):
        (JSC::MacroAssemblerX86_64::store32):
        (JSC::MacroAssemblerX86_64::call):
        (JSC::MacroAssemblerX86_64::tailRecursiveCall):
        (JSC::MacroAssemblerX86_64::makeTailRecursiveCall):
        (JSC::MacroAssemblerX86_64::addPtr):
        (JSC::MacroAssemblerX86_64::andPtr):
        (JSC::MacroAssemblerX86_64::orPtr):
        (JSC::MacroAssemblerX86_64::subPtr):
        (JSC::MacroAssemblerX86_64::xorPtr):
        (JSC::MacroAssemblerX86_64::storePtr):
        (JSC::MacroAssemblerX86_64::setPtr):
        (JSC::MacroAssemblerX86_64::branchPtr):
        (JSC::MacroAssemblerX86_64::branchTestPtr):
        (JSC::MacroAssemblerX86_64::branchSubPtr):
        (JSC::MacroAssemblerX86_64::moveWithPatch):
        (JSC::MacroAssemblerX86_64::branchPtrWithPatch):
        (JSC::MacroAssemblerX86_64::storePtrWithPatch):
        (JSC::MacroAssemblerX86_64::branchTest8):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::callOperation):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jitAssertIsInt32):
        (JSC::DFG::JITCompiler::emitCount):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::emitPutImmediateToCallFrameHeader):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::emitTimeoutCheck):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_urshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        (JSC::JIT::emit_op_pre_inc):
        (JSC::JIT::emit_op_pre_dec):
        (JSC::JIT::emit_op_mod):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_negate):
        (JSC::JIT::emit_op_jnless):
        (JSC::JIT::emit_op_jless):
        (JSC::JIT::emit_op_jlesseq):
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitnot):
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        (JSC::JIT::emitSlow_op_post_dec):
        (JSC::JIT::emit_op_pre_inc):
        (JSC::JIT::emit_op_pre_dec):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitAdd32Constant):
        (JSC::JIT::emit_op_sub):
        (JSC::JIT::emitSub32Constant):
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emit_op_div):
        (JSC::JIT::emit_op_mod):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitPutCellToCallFrameHeader):
        (JSC::JIT::emitPutIntToCallFrameHeader):
        (JSC::JIT::emitPutImmediateToCallFrameHeader):
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::restoreArgumentReferenceForTrampoline):
        (JSC::JIT::checkStructure):
        (JSC::JIT::setSamplingFlag):
        (JSC::JIT::clearSamplingFlag):
        (JSC::JIT::emitCount):
        (JSC::JIT::sampleInstruction):
        (JSC::JIT::sampleCodeBlock):
        (JSC::JIT::emitStoreInt32):
        (JSC::JIT::emitStoreCell):
        (JSC::JIT::emitStoreBool):
        (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
        (JSC::JIT::emitInitRegister):
        (JSC::JIT::emitJumpIfJSCell):
        (JSC::JIT::emitJumpIfNotJSCell):
        (JSC::JIT::emitJumpIfImmediateInteger):
        (JSC::JIT::emitJumpIfNotImmediateInteger):
        (JSC::JIT::emitFastArithDeTagImmediate):
        (JSC::JIT::emitFastArithDeTagImmediateJumpIfZero):
        (JSC::JIT::emitFastArithReTagImmediate):
        (JSC::JIT::emitTagAsBoolImmediate):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_ensure_property_exists):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_jsr):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_new_func_exp):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_to_jsnumber):
        (JSC::JIT::emit_op_push_new_scope):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_init_lazy_reg):
        (JSC::JIT::emit_op_convert_this):
        (JSC::JIT::emit_op_convert_this_strict):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emit_op_get_arguments_length):
        (JSC::JIT::emitSlow_op_get_arguments_length):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        (JSC::JIT::emit_op_new_regexp):
        (JSC::JIT::emit_op_load_varargs):
        (JSC::JIT::emitSlow_op_load_varargs):
        (JSC::JIT::emit_op_new_func):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_loop_if_lesseq):
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_tear_off_activation):
        (JSC::JIT::emit_op_tear_off_arguments):
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_ensure_property_exists):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_not):
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_jneq_ptr):
        (JSC::JIT::emit_op_jsr):
        (JSC::JIT::emit_op_eq):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emit_op_neq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_new_func_exp):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_to_jsnumber):
        (JSC::JIT::emit_op_push_new_scope):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emit_op_convert_this):
        (JSC::JIT::emit_op_convert_this_strict):
        (JSC::JIT::emit_op_get_arguments_length):
        (JSC::JIT::emitSlow_op_get_arguments_length):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::softModulo):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_index):
        (JSC::JIT::emit_op_put_getter):
        (JSC::JIT::emit_op_put_setter):
        (JSC::JIT::emit_op_del_by_id):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::testPrototype):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_getter):
        (JSC::JIT::emit_op_put_setter):
        (JSC::JIT::emit_op_del_by_id):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::testPrototype):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        (JSC::JIT::emit_op_get_by_pname):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::addArgument):
        * jit/JITStubs.cpp:
        (JSC::getPolymorphicAccessStructureListSlot):
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfNotJSCell):
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        (JSC::SpecializedThunkJIT::tagReturnAsInt32):
        (JSC::SpecializedThunkJIT::tagReturnAsJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::charToString):
        (JSC::powThunkGenerator):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::matchCharacterClass):
        (JSC::Yarr::YarrGenerator::storeToFrame):
        (JSC::Yarr::YarrGenerator::storeToFrameWithPatch):
        (JSC::Yarr::YarrGenerator::ParenthesesTail::generateCode):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterSingle):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
        (JSC::Yarr::YarrGenerator::generateParenthesesSingle):
        (JSC::Yarr::YarrGenerator::generateDisjunction):

2011-03-28  Andras Becsi  <abecsi@webkit.org>

        Reviewed by Csaba Osztrogonác.

        [Qt] Fix the linking of jsc with MinGW after r81963.

        * jsc.pro: add -l and remove the lib suffix.

2011-03-27  Ben Taylor  <bentaylor.solx86@gmail.com>

        Reviewed by Alexey Proskuryakov.

        https://bugs.webkit.org/show_bug.cgi?id=57170  Fix last elements
        in an enum to remove a trailing comma. Sun Studio 12 CC errors out.

        Compile fix only, no actual code change.

        * wtf/MessageQueue.h:

2011-03-25  Oliver Hunt  <oliver@apple.com>

        Reviewed by Darin Adler.

        Allow defineOwnProperty to work on DOMObjects
        https://bugs.webkit.org/show_bug.cgi?id=57129

        Fix a couple of places where we uses getter()/setter() rather
        than [gs]etterPresent().

        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnProperty):

2011-03-25  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Crash when paused at a breakpoint caused by inaccurate Activation records.
        https://bugs.webkit.org/show_bug.cgi?id=57120

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::getOwnPropertyNames):
        (JSC::JSActivation::symbolTablePutWithAttributes):

2011-03-24  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Crash in debugger beneath MarkStack::drain @ me.com, ibm.com
        https://bugs.webkit.org/show_bug.cgi?id=57080
        <rdar://problem/8525907>

        The crash was caused by changes in the executable after recompilation.

        The fix is for the activation to copy the data it needs instead of
        relying on the data in the executable.
        
        SunSpider and v8 report no change.

        * runtime/Arguments.h:
        (JSC::JSActivation::copyRegisters): Use our own data members instead of
        reading data out of the executable.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation): Initialize our data members.

        (JSC::JSActivation::markChildren):
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::getOwnPropertyNames):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        (JSC::JSActivation::isDynamicScope):
        (JSC::JSActivation::argumentsGetter): Use our own data members instead of
        reading data out of the executable.

        * runtime/JSActivation.h: Added new data members to track data previously
        tracked by the executable. Since I've removed the executable pointer,
        on a 64bit system, I've only made activations bigger by an int.

2011-03-25  David Kilzer  <ddkilzer@apple.com>

        Remove duplicate entry from JavaScriptCore.exp

        JSC::createStackOverflowError(JSC::ExecState*) was originally
        exported in r60057, then duplicated in r60392.

        * JavaScriptCore.exp: Removed duplicate entry.

2011-03-25  Jarred Nicholls  <jarred@sencha.com>

        Reviewed by Ariya Hidayat.

        [Qt] MSVC Build Error - need to link advapi32.lib for jsc.exe
        https://bugs.webkit.org/show_bug.cgi?id=56098

        Need to link advapi32.lib for jsc.exe since wtf/OSRandomSource.cpp uses the Win32 Crypto API

        * jsc.pro:

2011-03-24  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Darin Adler.

        Introduce WTF HexNumber.h
        https://bugs.webkit.org/show_bug.cgi?id=56099

        Introduce a set of functions that ease converting from a bye or a number to a hex string,
        replacing several of these conversions and String::format("%x") usages all over WebCore.

        * GNUmakefile.am: Add HexNumber.h to build.
        * JavaScriptCore.exp: Export StringBuilder::reserveCapacity.
        * JavaScriptCore.gypi: Add HexNumber.h to build.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export StringBuilder::reserveCapacity.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Add HexNumber.h to build.
        * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
        * wtf/CMakeLists.txt: Ditto.
        * wtf/HexNumber.h: Added.
        (WTF::Internal::hexDigitsForMode): Internal helper.
        (WTF::appendByteAsHex): Free function, that appends a byte as hex string into a destination.
        (WTF::placeByteAsHex): Ditto, but places the result using *foo++ = '..' or foo[index++] = '..'
        (WTF::appendUnsignedAsHex): Free function, that appends a number as hex string into a destination.

2011-03-24  Geoffrey Garen  <ggaren@apple.com>

        Windows build fix take 2: Add new symobl.
        
        (I should have used the EWS bots for this!)

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-03-24  Geoffrey Garen  <ggaren@apple.com>

        Windows build fix take 1: Removed old symobl.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-03-24  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Ensure that all compilation takes place within a dynamic global object scope
        https://bugs.webkit.org/show_bug.cgi?id=57054
        <rdar://problem/9083011>        

        Otherwise, entry to the global object scope might throw away the code
        we just compiled, causing a crash.

        * JavaScriptCore.exp: Updated for signature change.

        * debugger/Debugger.cpp:
        (JSC::evaluateInGlobalCallFrame):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate): Removed explicit compilation calls
        here because (a) they took place outside a dynamic global object scope
        and (b) they were redundant.

        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall): Updated for signature change.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct): Declare our dynamic global object
        scope earlier, to ensure that compilation takes place within it.

        * runtime/Completion.cpp:
        (JSC::evaluate): Removed explicit compilation calls here because (a)
        they took place outside a dynamic global object scope and (b) they were
        redundant.

        * runtime/Executable.h:
        (JSC::EvalExecutable::compile):
        (JSC::ProgramExecutable::compile):
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct): Added an ASSERT to
        verify our new invariant that all compilation takes place within a
        dynamic global object scope.

        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):
        * runtime/JSGlobalObject.h: Changed the signature of DynamicGlobalObjectScope
        to require a JSGlobalData instead of an ExecState* since it is often
        easier to provide the former, and the latter was not necessary.

2011-03-24  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        REGRESSION (r79987-r80210): Crash in JSWeakObjectMapClear
        https://bugs.webkit.org/show_bug.cgi?id=55671

        This is no longer necessary, and it seems that with the new weakmap
        model it's simply unsafe, so this reduces it to a no-op. 

        * API/JSWeakObjectMapRefPrivate.cpp:

2011-03-24  Ben Taylor  <bentaylor.solx86@gmail.com>

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=20302
        Correct implementation of signbit on Solaris

        * wtf/MathExtras.h:
        (signbit):

2011-03-23  Mark Rowe  <mrowe@apple.com>

        Reviewed by Darin Adler.

        <rdar://problem/7959320> Threads that use APIs above the BSD layer must be registered with the Obj-C GC.

        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeCurrentThreadInternal):

2011-03-23  Mark Rowe  <mrowe@apple.com>

        Stop setting OTHER_OPTIONS in JavaScriptCore's Makefile.

        It's not necessary to pass "-target All" as xcodebuild always builds the
        first target in the project unless otherwise specified. The presence of
        that option also breaks "make clean" since that results in both the
        -target and -alltargets options being passed to xcodebuild.

        * Makefile:

2011-03-23  Pavel Feldman  <pfeldman@chromium.org>

        Not reviewed: bring back Vector::contains that was removed as a part of roll back.

        * wtf/Vector.h:
        (WTF::::contains):

2011-03-23  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r81686.
        http://trac.webkit.org/changeset/81686
        https://bugs.webkit.org/show_bug.cgi?id=56914

        Breaks webkit_tests in Chromium again. (Requested by pfeldman
        on #webkit).

        * wtf/Vector.h:

2011-03-23  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        JavaScriptCore GYP build should work on a case-sensitive file system
        https://bugs.webkit.org/show_bug.cgi?id=56911

        The issue is that there are two UString.h headers, one named UString.h
        and one named ustring.h.  This patch excludes ustring.h from the header
        map to avoid confusion.  While I was editing this part of the GYP file,
        I cleaned up the exclude rules to be more modern.

        * gyp/JavaScriptCore.gyp:

2011-03-22  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Maciej Stachowiak.

        REGRESSION (r78382): No scripts appear in the Web Inspector's Scripts
        panel on Windows, and many inspector regression tests are failing
        https://bugs.webkit.org/show_bug.cgi?id=54490
        
        The bug was caused by two different classes using the same name (Recompiler).

        * debugger/Debugger.cpp:
        * runtime/JSGlobalData.cpp:
        (WTF::Recompiler::operator()): Put Recompiler in an anonymous namespace,
        so our two recompilers' inline functions don't stomp each other at
        link time.

2011-03-22  Sam Weinig  <sam@webkit.org>

        Reviewed by Mark Rowe.

        Remove USE_WK_SCROLLBAR_PAINTER_AND_CONTROLLER.
        <rdar://problem/8944718> 

        * DerivedSources.make:
        Remove generation of USE_WK_SCROLLBAR_PAINTER_AND_CONTROLLER.

2011-03-22  Gabor Loki  <loki@webkit.org>

        Reviewed by Csaba Osztrogonác.

        [Qt] Add DFG module to build system (disabled by default).
        https://bugs.webkit.org/show_bug.cgi?id=56845

        * JavaScriptCore.pri:
        * JavaScriptCore.pro:

2011-03-22  Eric Seidel  <eric@webkit.org>

        Reviewed by Adam Barth.

        Add support to build-webkit for building with gyp-generated project files
        https://bugs.webkit.org/show_bug.cgi?id=56877

        Found a couple missing Private headers while trying to make WebCore build.

        * JavaScriptCore.gypi:

2011-03-22  Eric Seidel  <eric@webkit.org>

        Reviewed by Adam Barth.

        Make it possible to build JavaScriptCore and WebCore gyp builds outside of Source
        https://bugs.webkit.org/show_bug.cgi?id=56867

        This should make it possible to build the gyp-generated JavaScriptCore.xcodeproj
        from a JavaScriptCore directory outside of Source.

        * gyp/JavaScriptCore.gyp:
        * gyp/run-if-exists.sh: Added.
        * gyp/update-info-plist.sh: Added.

2011-03-22  Eric Seidel  <eric@webkit.org>

        Reviewed by Adam Barth.

        Add Profiling Configuration to JavaScriptCore gyp build
        https://bugs.webkit.org/show_bug.cgi?id=56862

        It appears this is identical to Release, but I suspect
        there is someone/thing who uses the Profiling target
        so we're adding it for completeness.

        * gyp/JavaScriptCore.gyp:

2011-03-22  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Remove os_win32_files variable from the GYP build
        https://bugs.webkit.org/show_bug.cgi?id=56804

        Now that our understanding of GYP is sufficiently advanced, we don't
        need os_win32_files any more.  (Turns out Eric was right, as he always
        is.)

        * JavaScriptCore.gypi:

2011-03-22  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        GYP build of JavaScriptCore should be able to link from an empty WebKitBuild directory
        https://bugs.webkit.org/show_bug.cgi?id=56803

        Previously, we thought we should generate the derived source files in
        the shared intermediate build products directory, but there are
        assumptions built into other parts of the Mac build system that the
        derived source files will be generated in a particular subdirectory of
        the build products directory.

        This patch is a partial revert of the change that moved the derived
        source files to the shared intermediate directory.  After this patch,
        the GYP build can build JavaScriptCore without help from the main
        normal build system.

        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:
        * gyp/generate-derived-sources.sh:
        * gyp/generate-dtrace-header.sh:

2011-03-22  Jay Civelli  <jcivelli@chromium.org>

        Reviewed by David Levin.

        Adding a contains method to Vector.
        https://bugs.webkit.org/show_bug.cgi?id=55859

        * wtf/Vector.h:
        (WTF::Vector::contains):

2011-03-22  Gabor Loki  <loki@webkit.org>

        Reviewed by Alexey Proskuryakov.

        Fix a bunch of typos in DFG.
        https://bugs.webkit.org/show_bug.cgi?id=56813

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::parse):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::setSpilled):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::setupStubArguments):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.h:
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::allocate):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::~ScoreBoard):
        (JSC::DFG::ScoreBoard::allocate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:

2011-03-22  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Production configuration in GYP isn&apos;t set up correctly
        https://bugs.webkit.org/show_bug.cgi?id=56786

        Update JavaScriptCore.gyp with information mined from
        JavaScriptCore.xcodeproj.

        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:

2011-03-22  Kent Tamura  <tkent@chromium.org>

        Reviewed by Eric Seidel.

        REGRESSION(r80096): Number type input unexpectedly rounds fractional values
        https://bugs.webkit.org/show_bug.cgi?id=56367

        Introduce clampToInteger(unsigned).
        
        * wtf/MathExtras.h:
        (clampToInteger): Added.

2011-03-21  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        GYP build should not have include paths that point within the source tree
        https://bugs.webkit.org/show_bug.cgi?id=56788

        Turns out we don't need these include paths anymore now that we have
        header maps working properly.

        * gyp/JavaScriptCore.gyp:
            - Also, remove jsc.cpp from the excluded list because it's not part
              of the jsc_files variable instead of the javascriptcore_files
              variable.

2011-03-21  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Solve the Assertions.cpp / -Wno-missing-format-attribute mystery
        https://bugs.webkit.org/show_bug.cgi?id=56780

        The reason we couldn't resolve this warning in the GYP build was that
        the normal build disables this warning specifically for this file.
        This patch takes the same approach as the previous patch to
        WebCoreObjCExtras.mm in that it uses a pragma to suppress the warning
        (rather than a build system configuration).

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Remove the special-case for this file.
        * gyp/JavaScriptCore.gyp:
            - Remove the work-around for this issue.
        * wtf/Assertions.cpp:
            - Add a pragma disabling this warning for this file.

2011-03-21  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        WebCore GYP build shouldn't crash on startup
        https://bugs.webkit.org/show_bug.cgi?id=56776

        Debug builds shouldn't define NDEBUG.  This same logic exists in the
        project.pbxproj file.

        * gyp/JavaScriptCore.gyp:

2011-03-21  Robert Kroeger  <rjkroege@chromium.org>

        Reviewed by Antonio Gomes.

        Flag to enable/disable a GestureReocognizer framework

        https://bugs.webkit.org/show_bug.cgi?id=49345

        * wtf/Platform.h:

2011-03-21  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Add new files to JavaScriptCore.gypi
        https://bugs.webkit.org/show_bug.cgi?id=56766

        * JavaScriptCore.gypi:

2011-03-21  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r81377.
        http://trac.webkit.org/changeset/81377
        https://bugs.webkit.org/show_bug.cgi?id=56765

        WebPageSerializerTest.MultipleFrames is broken (Requested by
        simonjam on #webkit).

        * wtf/Vector.h:

2011-03-21  Gabor Loki  <loki@webkit.org>

        Reviewed by Csaba Osztrogonác.

        Extend constant pool to be able to store 16 bit instructions with a constant
        https://bugs.webkit.org/show_bug.cgi?id=46796

        The putShortWithConstantInt function inserts a 16 bit instruction which
        refers a 32 bits constant or literal. This is a vital function for those
        target which loads a PC relative value with a 16 bit instruction (like
        Thumb-2 instruction set and SH4 architecture).

        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::putIntegral):
        (JSC::AssemblerBuffer::putIntegralUnchecked):
        * assembler/AssemblerBufferWithConstantPool.h:

2011-03-21  Philippe Normand  <pnormand@igalia.com>

        Unreviewed, GTK distcheck build fix.

        * GNUmakefile.am:

2011-03-20  Bill Budge  <bbudge@chromium.org>

        Reviewed by Adam Barth.

        Rename ThreadSafeShared to ThreadSafeRefCounted
        https://bugs.webkit.org/show_bug.cgi?id=56714

        No new tests. Exposes no new functionality.

        * API/JSClassRef.h:
        * API/OpaqueJSString.h:
        * GNUmakefile.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/Atomics.h:
        * wtf/CMakeLists.txt:
        * wtf/CrossThreadRefCounted.h:
        (WTF::CrossThreadRefCounted::CrossThreadRefCounted):
        (WTF::::crossThreadCopy):
        * wtf/ThreadSafeRefCounted.h: Copied from wtf/ThreadSafeShared.h.
        (WTF::ThreadSafeRefCountedBase::ThreadSafeRefCountedBase):
        (WTF::ThreadSafeRefCountedBase::ref):
        (WTF::ThreadSafeRefCountedBase::refCount):
        (WTF::ThreadSafeRefCountedBase::derefBase):
        (WTF::ThreadSafeRefCounted::ThreadSafeRefCounted):
        * wtf/ThreadSafeShared.h: Removed.
        * wtf/Threading.h:

2011-03-19  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Darin Adler.

        Remove StringImpl::computeHash()
        https://bugs.webkit.org/show_bug.cgi?id=49894

        Replace remainig StringImpl::computeHash with StringImpl::computeHashStringHasher.

        * wtf/text/AtomicString.cpp:
        (WTF::CStringTranslator::hash):
        (WTF::UCharBufferTranslator::hash):
        (WTF::HashAndCharactersTranslator::hash):
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::setHash):
        (WTF::StringImpl::hash):

2011-03-19  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Darin Adler.

        Rename WTF::StringHasher methods
        https://bugs.webkit.org/show_bug.cgi?id=53532

        Rename createHash to computeHash and createBlobHash to hashMemory.
        Also add a using WTF::StringHasher in the header file.

        * profiler/CallIdentifier.h:
        (JSC::CallIdentifier::Hash::hash):
        * runtime/Identifier.cpp:
        (JSC::IdentifierCStringTranslator::hash):
        (JSC::IdentifierUCharBufferTranslator::hash):
        * wtf/StringHasher.h:
        (WTF::StringHasher::computeHash):
        (WTF::StringHasher::hashMemory):
        * wtf/text/StringHash.h:
        (WTF::CaseFoldingHash::hash):
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::computeHash):
        * wtf/unicode/UTF8.cpp:
        (WTF::Unicode::calculateStringHashAndLengthFromUTF8Internal):

2011-03-18  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        [GTK] JSC crashes in 32bit Release bots after r80743
        https://bugs.webkit.org/show_bug.cgi?id=56180
        
        The crash was caused by referencing GC memory from a GC destructor. This
        is not safe because destruction time / order is not guaranteed.

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::create):
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        * profiler/ProfileGenerator.h:
        (JSC::ProfileGenerator::origin): Made ExecState* the first argument,
        to match the rest of this class and JSC.
        
        Use a JSGlobalObject* instead of an ExecState* with an indirect reference
        to a JSGlobalObject* to track our origin. This is simpler and more
        efficient, and it removes the destruction order dependency that was causing
        our crash.

        * profiler/Profiler.cpp:
        (JSC::Profiler::startProfiling): Updated for change to JSGlobalObject*.
        (JSC::Profiler::stopProfiling): New function for stopping all profiles
        for a given global object. This is more straight-forward than multiplexing
        through the old function.

        (JSC::dispatchFunctionToProfiles): Updated for change to JSGlobalObject*.
        * profiler/Profiler.h: Ditto.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject): Ditto.

2011-03-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        1 Structure leaked beneath JSGlobalData::storeVPtrs()
        https://bugs.webkit.org/show_bug.cgi?id=56595

        * runtime/Executable.cpp:
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::VPtrHackExecutable::VPtrHackExecutable):
        (JSC::ScriptExecutable::ScriptExecutable): Use a raw pointer instead of
        PassRefPtr, like JSString does, since JSGlobalData owns the singleton
        exectuable structure.

2011-03-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Mark Rowe.

        Fixed some string leaks seen on the buildbot
        https://bugs.webkit.org/show_bug.cgi?id=56619

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::~PropertyTable): DEref!

2011-03-17  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Crash in  JSC::MarkStack::drain Under Stress
        https://bugs.webkit.org/show_bug.cgi?id=56470

        We perform a number of gc allocations while when
        we are setting up new globals in a piece of global
        code.  We do this by adding new properties to the
        symbol table, and then expanding the storage to fit
        at the end.

        If a GC happens during this time we will report an
        incorrect size for the global object's symbol table
        storage.

        This patch corrects this by growing the storage size
        before we starting adding entries to the symbol table.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resizeRegisters):

2011-03-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        1 Structure leaked beneath JSGlobalData::storeVPtrs()
        https://bugs.webkit.org/show_bug.cgi?id=56595

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs): Take local ownership of the Structure
        we're using, since the Executable is not designed to own the Structure.

2011-03-17  Gavin Barraclough  <barraclough@apple.com>

        Rubber Stamped by Sam Weinig.

        Add missing register-register branchTest8 to MacroAssemblerX86Common/X86Assembler.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_rr):

2011-03-17  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 56603 - DFG JIT related cleanup
        Move node generation out to separate function, move binarySearch algorithm out
        to StdLibExtras, fix Graph::dump() to print comma between non-node children,
        even if there are no node children.

        * bytecode/CodeBlock.h:
        (JSC::getCallReturnOffset):
        (JSC::CodeBlock::getStubInfo):
        (JSC::CodeBlock::getCallLinkInfo):
        (JSC::CodeBlock::getMethodCallLinkInfo):
        (JSC::CodeBlock::bytecodeOffset):
            - Move binaryChop to binarySearch in StdLibExtras
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parse):
        (JSC::DFG::parse):
            - Make m_noArithmetic a member, initialize m_currentIndex in the constructor.
        * dfg/DFGByteCodeParser.h:
            - Change parse() to not take a start index (always 0).
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
            - Fix Graph::dump() to print comma between non-node children, even if there are no node children.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::JITCodeGenerator):
            - Initialize m_compileIndex in constructor.
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
            - Spilt out compilation of individual node.
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationConvertThis):
        * dfg/DFGOperations.h:
            - Cleanup parameter name.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
            - Spilt out compilation of individual node.
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):
            - Change parse() to not take a start index (always 0).
        * wtf/StdLibExtras.h:
        (WTF::binarySearch):
            - Move binaryChop to binarySearch in StdLibExtras

2011-03-17  Anders Carlsson  <andersca@apple.com>

        Reviewed by Geoffrey Garen.

        Fix clang build.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs):

2011-03-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Darin Adler.

        1 Structure leaked beneath JSGlobalData::storeVPtrs()
        https://bugs.webkit.org/show_bug.cgi?id=56595

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs): Now that we have an executable, we need
        to explicitly run its destructor.

2011-03-17  Jeff Miller  <jeffm@apple.com>

        Use a consistent set of file patterns in the svn:ignore property for all .xcodeproj directories, specifically:
        
        *.mode*
        *.pbxuser
        *.perspective*
        project.xcworkspace
        xcuserdata

        * JavaScriptCore.xcodeproj: Modified property svn:ignore.

2011-03-17  Gavin Barraclough  <barraclough@apple.com>

        Reverting r81197, breaks JIT + INTERPRETER build.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hasGlobalResolveInstructionAtBytecodeOffset):
        (JSC::CodeBlock::hasGlobalResolveInfoAtBytecodeOffset):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addPropertyAccessInstruction):
        (JSC::CodeBlock::addGlobalResolveInstruction):
        (JSC::CodeBlock::addStructureStubInfo):
        * bytecode/Opcode.h:
        * bytecode/StructureStubInfo.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::emitCatch):

2011-03-17  Ben Taylor  <bentaylor.solx86@gmail.com>

        Reviewed by Alexey Proskuryakov.

        Add a COMPILER(SUNCC) define for Sun Studio 12. 
        https://bugs.webkit.org/show_bug.cgi?56444
        derived from patch 1 of 16 originally from https://bugs.webkit.org/show_bug.cgi?id=24932

        * wtf/Platform.h:

2011-03-17  Jay Civelli  <jcivelli@chromium.org>

        Reviewed by David Levin.

        Adding a contains method to Vector.
        https://bugs.webkit.org/show_bug.cgi?id=55859

        * wtf/Vector.h:
        (WTF::::operator):
        (WTF::::contains):

2011-03-17  Patrick Gansterer  <paroga@webkit.org>

        Fix the interpreter build.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute): Added globalData to inheritorID().

2011-03-16  Sam Weinig  <sam@webkit.org>

        Fix the interpreter build.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::resolve):
        (JSC::Interpreter::resolveSkip):
        (JSC::Interpreter::resolveGlobal):
        (JSC::Interpreter::resolveGlobalDynamic):
        (JSC::Interpreter::resolveBaseAndProperty):
        (JSC::Interpreter::privateExecute):
        Remove .get()s.

2011-03-16  Adam Barth  <abarth@webkit.org>

        Reviewed by James Robinson.

        Remove USE(BUILTIN_UTF8_CODEC)
        https://bugs.webkit.org/show_bug.cgi?id=56508

        We added this recently when we were unsure about the stability of the
        built-in UTF-8 codec.  However, the codec seems to be stable, so we
        don't need the macro.

        * wtf/Platform.h:

2011-03-16  Daniel Bates  <dbates@rim.com>

        Reviewed by Darin Adler.

        Make JIT build for ARM Thumb-2 with RVCT
        https://bugs.webkit.org/show_bug.cgi?id=56440

        Derived from a patch by Dave Tapuska.

        Also, modify the RVCT stub template to indicate that it preserves 8 byte stack alignment.

        * jit/JITStubs.cpp:

2011-03-16  Chao-ying Fu  <fu@mips.com>

        Reviewed by Darin Adler.

        Fix MIPS build with const *void
        https://bugs.webkit.org/show_bug.cgi?id=56513

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load32):
        (JSC::MacroAssemblerMIPS::store32):

2011-03-16  Oliver Hunt  <oliver@apple.com>

        Reviewed by Darin Adler.

        Remove unnecessary caller tracking shenanigans from CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=56483

        This removes some leftover cruft from when we made CodeBlock
        mark its callees.  Removing it gives us a 0.7% progression,
        reducing the overall regression to ~1.3%.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        * jit/JIT.cpp:
        (JSC::JIT::linkCall):
        (JSC::JIT::linkConstruct):

2011-03-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make Structure creation require a JSGlobalData
        https://bugs.webkit.org/show_bug.cgi?id=56438

        Mechanical change to make Structure::create require JSGlobalData&, and
        require all users to provide the globalData.

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        * API/JSContextRef.cpp:
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jsc.cpp:
        (GlobalObject::GlobalObject):
        (functionRun):
        (jscmain):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::createStructure):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::createDummyStructure):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs):
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInheritorID):
        * runtime/JSObject.h:
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        (JSC::createEmptyObjectStructure):
        (JSC::JSObject::inheritorID):
        * runtime/JSObjectWithGlobalObject.h:
        (JSC::JSObjectWithGlobalObject::createStructure):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::createStructure):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::createStructure):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/JSZombie.h:
        (JSC::JSZombie::createStructure):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::createStructure):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::createStructure):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.h:
        (JSC::Structure::create):

2011-03-16  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Some conservative root gathering cleanup
        https://bugs.webkit.org/show_bug.cgi?id=56447
        
        SunSpider says 0.5% - 1.8% faster.

        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::gatherConservativeRoots):
        * interpreter/RegisterFile.h: New helper function for doing the
        conservative gathering of the register file. It's still conservative,
        since the register file may contain uninitialized values, but it's
        moving-safe, because it only visits values tagged as pointers, so there's
        no risk of mistaking an integer for a pointer and accidentally changing it.

        * runtime/ConservativeSet.cpp:
        (JSC::ConservativeRoots::add):
        * runtime/ConservativeSet.h: Added a single-value add function, used above.

        * runtime/Heap.cpp:
        (JSC::Heap::markRoots): Separated machine stack conservative roots from
        register file conservative roots because machine stack roots must be
        pinned, but register file roots need not be pinned.
        
        Adopted new interface for passing the current stack extent to the machine
        stack root gathering routine. This allows us to exclude marking-related
        data structures on the stack, and thus avoid double-marking the set of
        machine roots.

        * runtime/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::gatherConservativeRoots):
        * runtime/MachineStackMarker.h: Added new interface, described above.

        * runtime/MarkedBlock.h:
        (JSC::MarkedBlock::firstAtom):
        * wtf/StdLibExtras.h:
        (WTF::roundUpToMultipleOf): Moved roundUpToMultipleOf so it could be used
        by MachineStacks.

2011-03-16  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        A little bit of MarkStack cleanup
        https://bugs.webkit.org/show_bug.cgi?id=56443
        
        Moved MarkStack functions into MarkStack.h/.cpp.
        
        SunSpider reports no change.

        * runtime/JSArray.h:
        * runtime/JSCell.h: Moved from here...
        * runtime/MarkStack.cpp:
        (JSC::MarkStack::markChildren):
        (JSC::MarkStack::drain): ...to here. Also, no need to inline drain. It's
        a huge function, and not called many times.

        * runtime/MarkStack.h:
        (JSC::MarkStack::~MarkStack): Moved near constructor, per style guide.
        (JSC::MarkStack::append):
        (JSC::MarkStack::deprecatedAppend):
        (JSC::MarkStack::internalAppend): Moved to here.

2011-03-15  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed another deprecatedAppend
        https://bugs.webkit.org/show_bug.cgi?id=56429

        * collector/handles/HandleHeap.cpp:
        (JSC::HandleHeap::markStrongHandles):
        * collector/handles/HandleHeap.h: Use HeapRootMarker, since handles are
        marked directly by the Heap.

        * runtime/Heap.cpp:
        (JSC::Heap::markRoots): Ditto.

2011-03-15  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed some more deprecated / unsafe append
        https://bugs.webkit.org/show_bug.cgi?id=56428

        * collector/handles/HandleStack.cpp:
        (JSC::HandleStack::mark):
        * collector/handles/HandleStack.h: Mark the handle stack using a HeapRoot
        marker, since it's a heap root.
        
        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::markLists):
        (JSC::MarkedArgumentBuffer::slowAppend):
        * runtime/ArgList.h: Ditto.

        * runtime/Heap.cpp:
        (JSC::Heap::markRoots): Added a mark call for marking the handle stack.
        It seems like Oliver forgot this in his last patch. (!)

        * runtime/MarkStack.h: Removed appendSlots, since it would allow an
        object to embed JSValues directly instead of using WriteBarrier.

        (JSC::MarkStack::append): Added a private append for a list of values.

        (JSC::HeapRootMarker::mark): Access to the above.

2011-03-15  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed a few more deprecatedAppends, and removed HeapRoot<T>
        https://bugs.webkit.org/show_bug.cgi?id=56422
        
        Added HeapRootMarker, a privileged class for marking direct heap roots
        that are iterated during each garbage collection. This is easier to use
        and more reliable than HeapRoot<T>, so I've removed HeapRoot<T>.

        * debugger/Debugger.cpp:
        (JSC::evaluateInGlobalCallFrame):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/CallFrame.h:
        (JSC::ExecState::exception):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Completion.cpp:
        (JSC::evaluate): exception is no longer a HeapRoot<T>, so no need to
        call .get() on it.

        * runtime/Heap.cpp:
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markRoots):
        * runtime/Heap.h: Updated to use HeapRootMarker.

        * runtime/JSCell.h:
        (JSC::JSCell::MarkStack::append): Added private functions for
        HeapRootMarker to use.

        * runtime/JSGlobalData.h: exception is no longer a HeapRoot<T>.

        * runtime/MarkStack.h:
        (JSC::HeapRootMarker::HeapRootMarker):
        (JSC::HeapRootMarker::mark): Added private functions for
        HeapRootMarker to use.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::markChildren): Updated to use HeapRootMarker.

        * runtime/SmallStrings.h:
        (JSC::SmallStrings::emptyString):
        (JSC::SmallStrings::singleCharacterString):
        (JSC::SmallStrings::singleCharacterStrings): Updated to use HeapRootMarker.

        * runtime/WriteBarrier.h: Removed HeapRoot<T>.

2011-03-14  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Made the global object moving-GC-safe
        https://bugs.webkit.org/show_bug.cgi?id=56348
        
        SunSpider reports no change.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::markChildren): Removed a dubious comment that
        suggested we do not need to visit all our references during GC, since
        that is not true in a moving GC.

        Re-sorted data members by type, removed one duplicate, and added back
        the one missing mark I found.

        * runtime/JSGlobalObject.h: Re-sorted data members by type.

2011-03-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Introduce Local<T> to allow us to start moving to precise marking of locals
        https://bugs.webkit.org/show_bug.cgi?id=56394

        Introduce a new handle type, Local<T> and a scoping mechanism
        LocalScope to allow us to start moving towards precise marking
        of temporaries and local variables.

        We also start to use the new Local<> type in the JSON stringifier
        so that we can have some coverage of their behaviour in the initial
        checkin.

        * GNUmakefile.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * collector/handles/Handle.h:
        (JSC::::asObject):
        * collector/handles/HandleStack.cpp: Added.
        (JSC::HandleStack::HandleStack):
        (JSC::HandleStack::mark):
        (JSC::HandleStack::grow):
        * collector/handles/HandleStack.h: Added.
        (JSC::HandleStack::enterScope):
        (JSC::HandleStack::zapTo):
        (JSC::HandleStack::leaveScope):
        (JSC::HandleStack::push):
        * collector/handles/Local.h: Added.
        (JSC::Local::internalSet):
        (JSC::::Local):
        (JSC::::operator):
        (JSC::LocalStack::LocalStack):
        (JSC::LocalStack::peek):
        (JSC::LocalStack::pop):
        (JSC::LocalStack::push):
        (JSC::LocalStack::isEmpty):
        (JSC::LocalStack::size):
        * collector/handles/LocalScope.h: Added.
        (JSC::LocalScope::LocalScope):
        (JSC::LocalScope::~LocalScope):
        (JSC::LocalScope::release):
        * runtime/Heap.cpp:
        (JSC::Heap::markRoots):
        * runtime/Heap.h:
        (JSC::Heap::allocateLocalHandle):
        (JSC::Heap::handleStack):
        * runtime/JSCell.h:
        (JSC::JSCell::::getString):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::allocateLocalHandle):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::stringify):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Walker::Walker):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncParse):
        (JSC::JSONProtoFuncStringify):
        (JSC::JSONStringify):
        * runtime/JSONObject.h:
        * runtime/MarkStack.h:
        (JSC::MarkStack::appendValues):
        (JSC::MarkStack::appendSlots):

2011-03-15  Gavin Barraclough  <barraclough@apple.com>

        Rubber Stamped by Sam Weinig.

        Bug 56420 - Remove ENABLE(JIT) code from ByteCompiler
        Some methods have unnecessary differences in name/arguments for interpreter/JIT.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        (JSC::HandlerInfo::HandlerInfo):
        (JSC::CodeBlock::addPropertyAccessInfo):
        (JSC::CodeBlock::addGlobalResolveInfo):
        (JSC::CodeBlock::addCallLinkInfo):
        (JSC::CodeBlock::globalResolveInfo):
        * bytecode/Opcode.h:
        * bytecode/StructureStubInfo.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        (JSC::BytecodeGenerator::emitGetById):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitDirectPutById):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::emitCatch):

2011-03-15  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Fix broken assert in new code.

        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordPutByVal):
            - recordPutByVal is called for both PutByVal & PutByValAlias.

2011-03-15  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by Sam Weinig.

        Removed redundant code from BytecodeGenerator.

        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
            - delete uncalled code missed when reparsing was removed.

2011-03-15  Kevin Ollivier  <kevino@theolliviers.com>

        Reviewed by Darin Adler.

        Introduce WTF_USE_EXPORT_MACROS, which will allow us to put shared library import/export
        info into the headers rather than in export symbol definition files, but disable it on 
        all platforms initially so we can deal with port build issues one port at a time.
        
        https://bugs.webkit.org/show_bug.cgi?id=27551

        * API/JSBase.h:
        * config.h:
        * wtf/Assertions.h:
        * wtf/ExportMacros.h: Added.
        * wtf/Platform.h:

2011-03-14  Laszlo Gombos  <laszlo.1.gombos@nokia.com>

        Unreviewed build fix.

        Buildfix when JIT is not enabled after r81079
        https://bugs.webkit.org/show_bug.cgi?id=56361

        * runtime/Executable.cpp:

2011-03-14  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Made the global object moving-GC-safe
        https://bugs.webkit.org/show_bug.cgi?id=56348
        
        SunSpider reports no change.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::markChildren): Removed a dubious comment that
        suggested we do not need to visit all our references during GC, since
        that is not true in a moving GC.

        Re-sorted data members by type, removed one duplicate, and added back
        the one missing mark I found.

        * runtime/JSGlobalObject.h: Re-sorted data members by type.

2011-03-14  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Made JSWrapperObject and subclasses moving-GC-safe
        https://bugs.webkit.org/show_bug.cgi?id=56346
        
        SunSpider reports no change.

        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance): No more need for JSGlobalData, since
        we don't initialize the wrapped value in our constructor.

        * runtime/DateInstance.h: Don't set the OverridesMarkChildren flag because
        we do not in fact override markChildren.

        * runtime/DatePrototype.h: Declare an anonymous slot, since wrapper object
        no longer does so for us. Also added an ASSERT to catch a latent bug,
        where DatePrototype stomped on its base class's anonymous slot. Hard-coded
        anonymous slots are a plague on our code. This doesn't cause any problems
        in our existing code since the base class never reads the anonymous slot
        it declares, but it caused crashes when I tried to start using the slot
        in an initial version of this patch.

        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        (JSC::JSWrapperObject::internalValue):
        (JSC::JSWrapperObject::setInternalValue): Resolved a problem where
        our internal value was stored in two places: an anonymous slot, and a
        data member which was not always visited during GC. Now, we only use the
        data member, and we always visit it. (Instead of relying on certain
        subclasses to set the OverridesMarkChildren bit, we set it ourselves.)

        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject): No more need for JSGlobalData, since
        we don't initialize the wrapped value in our constructor.

        * runtime/NumberObject.h: Removed meaningless declaration.

        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject): No more need for JSGlobalData, since
        we don't initialize the wrapped value in our constructor.

        * runtime/StringObject.h: Don't set the OverridesMarkChildren flag because
        we do not in fact override markChildren.

        * runtime/StringPrototype.h: Declare an anonymous slot, since wrapper object
        no longer does so for us. Also added an ASSERT to catch a latent bug,
        where DatePrototype stomped on its base class's anonymous slot. Hard-coded
        anonymous slots are a plague on our code.

2011-03-14  Michael Saboff  <msaboff@apple.com>

        Reviewed by Gavin Barraclough.

        Look-ahead assertions with back references don’t work as expected
        https://bugs.webkit.org/show_bug.cgi?id=56082

        Changed parentheses assertion processing to temporarily back out the 
        number of known characters after the assertion while processing the 
        assertion.  This was done so that assertions don't fail due to 
        checking the number of required characters as additional to the 
        rest of the express since assertions don't "consume" input.
        Added a byte code to uncheck characters to support the change.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::ByteCompiler::uncheckInput):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::UncheckInput):

2011-03-14  Viatcheslav Ostapenko  <ostapenko.viatcheslav@nokia.com>

        Reviewed by Laszlo Gombos.

        [Qt] Warning that round/roundf functions are already defined when compiled with RVCT 4 on symbian.
        https://bugs.webkit.org/show_bug.cgi?id=56133

        Add condition to not compile webkit internal math round functions on RVCT compiler versions 
        from 3.0.0 because they are already defined in compiler math library.

        * wtf/MathExtras.h:

2011-03-14  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoffrey Garen & Oliver Hunt.

        Bug 56284 - Add a dataflow intermediate representation for use in JIT generation.

        The JSC JIT presently generates code directly from the bytecode used by the interpreter.
        This is not an optimal intermediate representation for JIT code generation, since it does
        not capture liveness information of values, and provides little opportunity to perform
        any static analysis for even primitive types. The JIT currently generates two code paths,
        a fast path handling common cases, and a slower path handling less common operand types.
        However the slow path jumps back into the fast path, meaning that information arising
        from the earlier type checks cannot be propagated to later operations.

        This patch adds:
            * a dataflow intermediate representation capable of describing a single basic block
              of operations,
            * a mechanism to convert a simple, single-block bytecode functions to the new IR,
            * and a JIT code generator capable of generating code from this representation.

        The JIT generates two code paths, with the slower path not reentering the fast path
        mid-block, allowing speculative optimizations to be made on the hot path, with type
        information arising from these speculative decisions able to be propagated through the
        dataflow. Code generation of both speculative and non-speculative paths exploits the type
        and liveness information represented in the dataflow graph to attempt to avoid redundant
        boxing and type-checking of values, and to remove unnecessary spills of temporary values
        to the RegisterFile.

        The dataflow JIT currently can only support a subset of bytecode operations, limited to
        arithmetic, bit-ops, and basic property access. Functions that cannot be compiled by the
        dataflow JIT will be run using the existing JIT. The coverage of the dataflow JIT will be
        expanded to include, control-flow, function calls, and then the long-tail of remaining
        bytecode instructions. The JIT presently only support JSVALUE64, and as a consequence of
        this only supports x86-64.

        The status of the dataflow JIT is currently work-in-progress. Limitations of the present
        JIT code generation may cause performance regressions, particularly:
            * the policy to only generate arithmetic code on the speculative path using integer
              instructions, never using floating point.
            * the policy to only generate arithmetic code on the non-speculative path using
              floating point instructions, never using integer.
            * always generating JSValue adds on the non-speculative path as a call out to a
              C-function, never handling this in JIT code.
            * always assuming by-Value property accesses on the speculative path to be array
              accesses.
            * generating all by-Value property accesses from the non-speculative path as a call
              out to a C-function.
            * generating all by-Indentifer property accesses as a call out to a C-function.
        Due to these regressions, the code is landed in a state where it is disabled in most
        cases by the ENABLE_DFG_JIT_RESTRICTIONS guard in Platform.h. As these regressions are
        addressed, the JIT will be allowed to trigger in more cases.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added new files to Xcode project.
        * dfg: Added.
            - Added directory for new code.
        * dfg/DFGByteCodeParser.cpp: Added.
        * dfg/DFGByteCodeParser.h: Added.
            - Contruct a DFG::Graph representation from a bytecode CodeBlock.
        * dfg/DFGGenerationInfo.h: Added.
            - Track type & register information for VirtualRegisters during JIT code generation.
        * dfg/DFGGraph.cpp: Added.
        * dfg/DFGGraph.h: Added.
            - Dataflow graph intermediate representation for code generation.
        * dfg/DFGJITCodeGenerator.cpp: Added.
        * dfg/DFGJITCodeGenerator.h: Added.
            - Base class for SpeculativeJIT & NonSpeculativeJIT to share common functionality.
        * dfg/DFGJITCompiler.cpp: Added.
        * dfg/DFGJITCompiler.h: Added.
            - Class responsible for driving code generation of speculativeJIT & non-speculative
              code paths from the dataflow graph.
        * dfg/DFGNonSpeculativeJIT.cpp: Added.
        * dfg/DFGNonSpeculativeJIT.h: Added.
            - Used to generate the non-speculative code path, this make no assumptions
              about operand types.
        * dfg/DFGOperations.cpp: Added.
        * dfg/DFGOperations.h: Added.
            - Helper functions called from the JIT generated code.
        * dfg/DFGRegisterBank.h: Added.
            - Used to track contents of physical registers during JIT code generation.
        * dfg/DFGSpeculativeJIT.cpp: Added.
        * dfg/DFGSpeculativeJIT.h: Added.
            - Used to generate the speculative code path, this make assumptions about
              operand types to enable optimization.
        * runtime/Executable.cpp:
            - Add code to attempt to use the DFG JIT to compile a function, with fallback
              to the existing JIT.
        * wtf/Platform.h:
            - Added compile guards to enable the DFG JIT.

2011-03-14  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed more cases of DeprecatedPtr (exception, SmallStrings)
        https://bugs.webkit.org/show_bug.cgi?id=56332

        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::addSlowCase): Use a variable instead of a hard-coded
        constant, to make this code less brittle.

        * runtime/JSGlobalData.h: Use HeapRoot instead of DeprecatedPtr because
        this reference is owned and managed directly by the heap.

        * runtime/JSString.cpp:
        (JSC::JSString::substringFromRope):
        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsStringWithFinalizer):
        (JSC::jsSubstring):
        (JSC::jsOwnedString): Use a variable instead of a hard-coded
        constant, to make this code less brittle.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::rep):
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::markChildren):
        (JSC::SmallStrings::clear):
        (JSC::SmallStrings::count): Use a variable instead of a hard-coded
        constant, to make this code less brittle.

        * runtime/SmallStrings.h:
        (JSC::SmallStrings::singleCharacterString): Use HeapRoot instead of
        DeprecatedPtr because these references are owned and managed directly by
        the heap.
        
        Stop using FixedArray because we only want a very limited set
        of classes to be able to use HeapRoot. (Replaced with manual ASSERTs.)

        * runtime/WriteBarrier.h:
        (JSC::operator==):
        (JSC::WriteBarrier::WriteBarrier):
        (JSC::HeapRoot::HeapRoot):
        (JSC::HeapRoot::operator=): Added HeapRoot, which is allowed to set
        without write barrier because we assume all HeapRoots are scanned during
        all GC passes.

2011-03-14  Brian Weinstein  <bweinstein@apple.com>

        Reviewed by Adam Roben and Gavin Barraclough.

        FileSystemWin.cpp needs listDirectory() implementation
        https://bugs.webkit.org/show_bug.cgi?id=56331
        <rdar://problem/9126635>
        
        Give StringConcatenate the ability to deal with const UChar*'s as a String type to append.

        * wtf/text/StringConcatenate.h:

2011-03-14  Mark Rowe  <mrowe@apple.com>

        Reviewed by Oliver Hunt.

        <http://webkit.org/b/56304> REGRESSION(r80892): 100,000+ leaks seen on the build bot

        * API/JSClassRef.cpp:
        (OpaqueJSClass::OpaqueJSClass): Don't leak any existing entry for the given name if
        the class definition contains duplicates. This also removes what look to be leaks
        of the StringImpl instances that are used as keys: the HashMap key type is a RefPtr
        which retains / releases the instances at the appropriate time, so explicitly calling
        ref is not necessary.

2011-03-14  Oliver Hunt  <oliver@apple.com>

        Fix windows build

        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::tagFor):
        (JSC::JSInterfaceJIT::payloadFor):
        (JSC::JSInterfaceJIT::intPayloadFor):
        (JSC::JSInterfaceJIT::intTagFor):
        (JSC::JSInterfaceJIT::addressFor):

2011-03-11  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Ensure all values are correctly tagged in the registerfile
        https://bugs.webkit.org/show_bug.cgi?id=56214

        This patch makes sure that all JSCell pointers written to
        the registerfile are correctly tagged as JSCells, and replaces
        raw int usage with the immediate representation.

        For performance, register pressure, and general saneness reasons
        I've added abstractions for reading and writing the tag
        and payload of integer registers directly for the JSVALUE64
        encoding.

        * interpreter/Register.h:
        (JSC::Register::withInt):
        (JSC::Register::withCallee):
        (JSC::Register::operator=):
        (JSC::Register::i):
        (JSC::Register::activation):
        (JSC::Register::function):
        (JSC::Register::propertyNameIterator):
        (JSC::Register::scopeChain):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallInitializeCallFrame):
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallInitializeCallFrame):
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitPutToCallFrameHeader):
        (JSC::JIT::emitPutCellToCallFrameHeader):
        (JSC::JIT::emitPutIntToCallFrameHeader):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_load_varargs):
        (JSC::JIT::emitSlow_op_load_varargs):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::intPayloadFor):
        (JSC::JSInterfaceJIT::intTagFor):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):

2011-03-13  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        A few Heap-related renames (sans file moves, which should come next)
        https://bugs.webkit.org/show_bug.cgi?id=56283
        
        ConservativeSet => ConservativeRoots. "Set" was misleading, since items
        are not uniqued. Also, "Roots" is more specific about what's in the set.
        
        MachineStackMarker => MachineThreads. "Threads" is more descriptive of
        the fact that this class maintains a set of all threads using JSC.
        "Stack" was misleading, since this class traverses stacks and registers.
        "Mark" was misleading, since this class doesn't mark anything anymore.
        
        registerThread => addCurrentThread. "Current" is more specific.
        unregisterThread => removeCurrentThread. "Current" is more specific.
        
        "currentThreadRegistrar" => threadSpecific. The only point of this data
        structure is to register a thread-specific destructor with a pointer to
        this.
        
        "mark...Conservatively" => "gather". "Mark" is not true, since these
        functions don't mark anything. "Conservatively" is redundant, since they
        take "ConservativeRoots" as an argument.

        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        * JavaScriptCore.exp:
        * runtime/ConservativeSet.cpp:
        (JSC::ConservativeRoots::grow):
        (JSC::ConservativeRoots::add):
        * runtime/ConservativeSet.h:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::~ConservativeRoots):
        (JSC::ConservativeRoots::size):
        (JSC::ConservativeRoots::roots):
        * runtime/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        * runtime/Heap.h:
        (JSC::Heap::machineThreads):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::makeUsableFromMultipleThreads):
        * runtime/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::makeUsableFromMultipleThreads):
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::removeThread):
        (JSC::MachineThreads::removeCurrentThread):
        (JSC::MachineThreads::gatherFromCurrentThreadInternal):
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::gatherFromOtherThread):
        (JSC::MachineThreads::gatherConservativeRoots):
        * runtime/MachineStackMarker.h:
        * runtime/MarkStack.h:
        (JSC::MarkStack::append):

2011-03-13  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX for armv7 after r80969

        Bug 56270 - The JIT 'friend's many classes in JSC; start unwinding this.
        <https://bugs.webkit.org/show_bug.cgi?id=56270>

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load32): Made void* address argument
        const.
        (JSC::MacroAssemblerARMv7::store32): Ditto.

2011-03-13  Geoffrey Garen  <ggaren@apple.com>

        Not reviewed.

        Try to fix the Mac build.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make sure to forward
        ConervativeSet.h, since it's now visible when compiling other projects.

2011-03-13  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed another case of DeprecatedPtr (ConservativeSet)
        https://bugs.webkit.org/show_bug.cgi?id=56281
        
        The ConservativeSet is an internal data structure used during marking,
        so direct pointers are fine.

        * runtime/ConservativeSet.cpp:
        (JSC::ConservativeSet::grow):
        * runtime/ConservativeSet.h: Added some accessors, for use by MarkStack::append.
        (JSC::ConservativeSet::~ConservativeSet): Fixed a typo where we calculated
        the size of the set based on sizeof(DeprecatedPtr<T>*) instead of
        sizeof(DeprecatedPtr<T>). I'm not sure if this had real-world implications or not.
        (JSC::ConservativeSet::size):
        (JSC::ConservativeSet::set): Use direct pointers, as stated above. 

        * runtime/Heap.cpp:
        (JSC::Heap::markRoots):
        * runtime/MarkStack.h:
        (JSC::MarkStack::append): Created a special case of append for
        ConservativeSet. I didn't want to add back a generic "append JSCell*"
        function, since other class might start using that wrong. (In the end,
        this function might go away, since the Heap will want to do something
        slightly more interesting with the conservative set, but this is OK for
        now.)

2011-03-13  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed another case of DeprecatedPtr (PutPropertySlot)
        https://bugs.webkit.org/show_bug.cgi?id=56278

        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setExistingProperty):
        (JSC::PutPropertySlot::setNewProperty):
        (JSC::PutPropertySlot::base): Direct pointer is fine for PutPropertySlot,
        since it's a stack-allocated temporary.

2011-03-13  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed one case of DeprecatedPtr (ScopeChainIterator)
        https://bugs.webkit.org/show_bug.cgi?id=56277

        * runtime/ScopeChain.h: Direct pointer is fine for ScopeChainIterator,
        since it's a stack-allocated temporary.

2011-03-13  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 56273 - Add three operand forms to MacroAssember operations.

        Adding for X86(_64) for now, should be rolled out to other backends as necessary.
        These may allow more efficient code generation in some cases, avoiding the need
        for unnecessary register-register move instructions.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Jump::link):
        (JSC::AbstractMacroAssembler::Jump::linkTo):
            - marked these methods const.
        (JSC::AbstractMacroAssembler::Jump::isSet):
            - add a method to check whether a Jump object has been set to
              reference an instruction, or is in a null, unset state. 
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::FunctionPtr::FunctionPtr):
            - add non-explicit constructor, for FunctionPtr's to C/C++ functions.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::and32):
        (JSC::MacroAssemblerX86Common::lshift32):
        (JSC::MacroAssemblerX86Common::or32):
        (JSC::MacroAssemblerX86Common::rshift32):
        (JSC::MacroAssemblerX86Common::urshift32):
        (JSC::MacroAssemblerX86Common::xor32):
        (JSC::MacroAssemblerX86Common::moveDouble):
        (JSC::MacroAssemblerX86Common::addDouble):
        (JSC::MacroAssemblerX86Common::divDouble):
        (JSC::MacroAssemblerX86Common::subDouble):
        (JSC::MacroAssemblerX86Common::mulDouble):
        (JSC::MacroAssemblerX86Common::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::branchTest8):
        (JSC::MacroAssemblerX86Common::branchAdd32):
        (JSC::MacroAssemblerX86Common::branchMul32):
        (JSC::MacroAssemblerX86Common::branchSub32):
            - add three operand forms of these instructions.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::addDouble):
        (JSC::MacroAssemblerX86_64::convertInt32ToDouble):
        (JSC::MacroAssemblerX86_64::loadPtr):
        (JSC::MacroAssemblerX86_64::branchTestPtr):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::JmpSrc::isSet):
            - add a method to check whether a JmpSrc object has been set to
              reference an instruction, or is in a null, unset state. 
        (JSC::X86Assembler::movsd_rr):
            - added FP register-register move.
        (JSC::X86Assembler::linkJump):
            - Add an assert to check jumps aren't linked more than once.
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitLoadInt32ToDouble):
            - load integers to the FPU via regsiters on x86-64.

2011-03-13  Gavin Barraclough  <barraclough@apple.com>

        ARM build fix.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load32):

2011-03-13  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 56270 - The JIT 'friend's many classes in JSC; start unwinding this.

        The JIT need to 'friend' other classes in order to be able to calculate offsets
        of various properties, or the absolute addresses of members within specific objects,
        in order to JIT generate code that will access members within the class when run.

        Instead of using friends in these cases, switch to providing specific accessor
        methods to provide this information.  In the case of offsets, these can be static
        functions, and in the case of pointers to members within a specific object these can
        be const methods returning pointers to const values, to prevent clients from
        modifying values otherwise encapsulated within classes.

        * bytecode/SamplingTool.h:
        * interpreter/Register.h:
        * interpreter/RegisterFile.h:
        * runtime/JSArray.h:
        * runtime/JSCell.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSVariableObject.h:
        * runtime/Structure.h:
        * wtf/RefCounted.h:
            - Change these classes to no longer friend the JIT, add accessors for member offsets.
        * jit/JIT.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITInlineMethods.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
            - Change the JIT to use class accessors, rather than taking object ofsets directly.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerX86_64.h:
        * assembler/X86Assembler.h:
            - Since the accessors for objects members return const pointers to retain encapsulation,
              methods generating code with absolute addresses must be able to handle const pointers
              (the JIT doesn't write to these values, do dies treat the pointer to value as const
              from within the C++ code of the JIT, if not at runtime!).

2011-03-12  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r80919.
        http://trac.webkit.org/changeset/80919
        https://bugs.webkit.org/show_bug.cgi?id=56251

        all windows bots failed to compile this change (Requested by
        loislo on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/StructureStubInfo.cpp:
        * interpreter/Register.h:
        (JSC::Register::withInt):
        (JSC::Register::withCallee):
        (JSC::Register::operator=):
        (JSC::Register::i):
        (JSC::Register::activation):
        (JSC::Register::function):
        (JSC::Register::propertyNameIterator):
        (JSC::Register::scopeChain):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallInitializeCallFrame):
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallInitializeCallFrame):
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitPutToCallFrameHeader):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_load_varargs):
        (JSC::JIT::emitSlow_op_load_varargs):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::payloadFor):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * runtime/ArgList.cpp:
        * runtime/DateConversion.cpp:
        * runtime/GCActivityCallbackCF.cpp:
        * runtime/Identifier.cpp:
        * runtime/JSActivation.h:
        (JSC::asActivation):
        * runtime/JSLock.cpp:
        * runtime/JSNumberCell.cpp:
        * runtime/JSObject.h:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSValue.h:
        * runtime/JSZombie.cpp:
        * runtime/MarkedBlock.cpp:
        * runtime/MarkedSpace.cpp:
        * runtime/PropertyNameArray.cpp:
        * runtime/ScopeChain.h:
        (JSC::ExecState::globalThisValue):
        * wtf/DateMath.cpp:

2011-03-11  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Ensure all values are correctly tagged in the registerfile
        https://bugs.webkit.org/show_bug.cgi?id=56214

        This patch makes sure that all JSCell pointers written to
        the registerfile are correctly tagged as JSCells, and replaces
        raw int usage with the immediate representation.

        For performance, register pressure, and general saneness reasons
        I've added abstractions for reading and writing the tag
        and payload of integer registers directly for the JSVALUE64
        encoding.

        * interpreter/Register.h:
        (JSC::Register::withInt):
        (JSC::Register::withCallee):
        (JSC::Register::operator=):
        (JSC::Register::i):
        (JSC::Register::activation):
        (JSC::Register::function):
        (JSC::Register::propertyNameIterator):
        (JSC::Register::scopeChain):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallInitializeCallFrame):
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallInitializeCallFrame):
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitPutToCallFrameHeader):
        (JSC::JIT::emitPutCellToCallFrameHeader):
        (JSC::JIT::emitPutIntToCallFrameHeader):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_load_varargs):
        (JSC::JIT::emitSlow_op_load_varargs):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::intPayloadFor):
        (JSC::JSInterfaceJIT::intTagFor):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):

2011-03-11  Dimitri Glazkov  <dglazkov@chromium.org>

        Reviewed by Eric Seidel.

        Introduce project_dir variable and make paths a whole lot saner. Ok, a little bit saner.
        https://bugs.webkit.org/show_bug.cgi?id=56231

        * JavaScriptCore.gypi: Added project_dir variable.
        * gyp/JavaScriptCore.gyp: Changed to use project_dir, rather than DEPTH/JavaScriptCore.
        * gyp/generate-dtrace-header.sh: Changed to use project_dir.

2011-03-11  Dimitri Glazkov  <dglazkov@chromium.org>

        Reviewed by Adam Barth.

        Start using derived sources correctly and link minidom with JavaScriptCore gyp project.
        https://bugs.webkit.org/show_bug.cgi?id=56217

        * gyp/JavaScriptCore.gyp: Added derived source files and passing of shared directory
            to the scripts.
        * gyp/generate-derived-sources.sh: Changed to use passed directory.
        * gyp/generate-dtrace-header.sh: Ditto.

2011-03-11  Eric Carlson  <eric.carlson@apple.com>

        Reviewed by Sam Weinig.

        <rdar://problem/8955589> Adopt AVFoundation media back end on Lion.

        No new tests, existing media tests cover this.

        * JavaScriptCore.exp: Export cancelCallOnMainThread
        * wtf/Platform.h: Define WTF_USE_AVFOUNDATION.

2011-03-11  Dimitri Glazkov  <dglazkov@chromium.org>

        Reviewed by Adam Barth.

        Tweak dylib paths and add dtrace header generation action to JavaScriptCore gyp project.
        https://bugs.webkit.org/show_bug.cgi?id=56207

        * JavaScriptCore.gypi: Added Tracing.d to the sources.
        * gyp/generate-dtrace-header.sh: Added.
        * gyp/JavaScriptCore.gyp: Updated dylib paths (now the project can see them),
            and added DTrace header generating step.

2011-03-10  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Fix allocation of native function with a cached thunk
        https://bugs.webkit.org/show_bug.cgi?id=56127

        Fix this race condition found while fixing zombies.

        * collector/handles/HandleHeap.cpp:
        (JSC::HandleHeap::clearWeakPointers):
        * runtime/Heap.cpp:
        (JSC::Heap::reset):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::markChildren):
        * runtime/JSValue.h:
        (JSC::JSValue::decode):
        * runtime/JSZombie.cpp:
        (JSC::JSZombie::leakedZombieStructure):
        * runtime/JSZombie.h:
        (JSC::JSZombie::createStructure):
        * runtime/MarkedBlock.cpp:

2011-03-10  Luiz Agostini  <luiz.agostini@openbossa.org>

        Reviewed by Andreas Kling.

        [Qt] fast/workers/stress-js-execution.html is crashing on Qt bot (intermittently)
        https://bugs.webkit.org/show_bug.cgi?id=33008

        Defining WTF_USE_PTHREAD_BASED_QT=1 for platforms where QThread uses pthread internally.
        Symbian is excluded because pthread_kill does not work on it. Mac is excluded because
        it has its own ways to do JSC threading.

        Defining WTF_USE_PTHREADS inside MachineStackMarker.cpp if USE(PTHREAD_BASED_QT) is true.

        * runtime/MachineStackMarker.cpp:
        * wtf/Platform.h:

2011-03-10  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        Bug 56077 - ES5 conformance issues with RegExp.prototype

        There are three issues causing test failures in sputnik.

        (1) lastIndex should be converted at the point it is used, not the point it is set (this is visible if valueOf is overridden).
        (2) The 'length' property of the test/exec functions should be 1.
        (3) If no input is specified, the input to test()/exec() is "undefined" (i.e. ToString(undefined)) - not RegExp.input.

        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::markChildren):
            - Added to mark lastIndex
        (JSC::regExpObjectLastIndex):
        (JSC::setRegExpObjectLastIndex):
            - lastIndex is now stored as a JSValue.
        (JSC::RegExpObject::match):
            - Use accessor methods to get/set lastIndex, add fast case for isUInt32 (don't convert to double).
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setLastIndex):
        (JSC::RegExpObject::setLastIndex):
            - Set lastIndex, either from a size_t or a JSValue.
        (JSC::RegExpObject::getLastIndex):
            - Get lastIndex.
        (JSC::RegExpObject::RegExpObjectData::RegExpObjectData):
            - Initialize as a JSValue.
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
            - Add test/exec properties with length 1.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
            - Do not read RegExp.input if none is provided.
        * tests/mozilla/js1_2/regexp/RegExp_input.js:
        * tests/mozilla/js1_2/regexp/RegExp_input_as_array.js:
            - Update these tests (they relied on non-ES5 behaviour).

2011-03-10  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Rolled back in 80277 and 80280 with event handler layout test failures fixed.
        https://bugs.webkit.org/show_bug.cgi?id=55653        

        The failures were caused by a last minute typo: assigning to currentEvent
        instead of m_currentEvent.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * runtime/Arguments.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSVariableObject.h:
        * runtime/MarkedSpace.cpp:
        * runtime/MarkedSpace.h:

2011-03-09  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        jquery/manipulation.html fails after r80598
        https://bugs.webkit.org/show_bug.cgi?id=56019

        When linking a call, codeblock now takes ownership of the linked function
        This removes the need for unlinking, and thus the incorrectness that was
        showing up in these tests.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::markAggregate):
        * bytecode/CodeBlock.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::setUnlinked):
        (JSC::CodeBlock::addCaller):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkCall):
        (JSC::JIT::linkConstruct):
        * jit/JIT.h:
        * runtime/Executable.cpp:
        * runtime/Executable.h:

2011-03-09  Daniel Bates  <dbates@rim.com>

        Attempt to fix the WinCE build after changeset 80684 <http://trac.webkit.org/changeset/80684>
        (Bug #56041<https://bugs.webkit.org/show_bug.cgi?id=56041>).

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute): Substitute variable callFrame for exec in call to createSyntaxError().

2011-03-09  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 56041 - RexExp constructor should only accept flags "gim"
        Fix for issues introduced in r80667.

        Invalid flags to a RegExp literal are a late syntax error!

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addRegExp):
            - Pass a PassRefPtr<RegExp>
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addRegExp):
        (JSC::BytecodeGenerator::emitNewRegExp):
        * bytecompiler/BytecodeGenerator.h:
            - Pass a PassRefPtr<RegExp>
        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
            - Should not be ASSERTing that the flags are valid - this is a late(er) error.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
            - Need to check for error from RegExp constructor.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Need to check for error from RegExp constructor.
        * runtime/RegExp.h:
        (JSC::RegExp::isValid):
            - Make isValid check that the regexp was created with valid flags.
        * runtime/RegExpKey.h:
            - Since we'll not create RegExp objects with invalid flags, separate out the deleted value.

2011-03-09  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix part 2.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-03-09  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix part 1.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-03-09  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Darin Adler.

        Bug 56041 - RexExp constructor should only accept flags "gim"
        We also should be passing the flags around as a bitfield rather than a string,
        and should not have redundant, incompatible code for converting the string to a bitfield!

        * JavaScriptCore.exp:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::RegExpNode::emitBytecode):
            - Need to parse flags string to enum.
        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        (JSC::RegExp::RegExp):
        (JSC::RegExp::create):
            - Add method to parse flags string to enum, change constructor/create args to take enum.
        * runtime/RegExp.h:
        (JSC::RegExp::global):
        (JSC::RegExp::ignoreCase):
        (JSC::RegExp::multiline):
            - Change to use new enum values.
        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        (JSC::RegExpCache::create):
        * runtime/RegExpCache.h:
            - Changed to use regExpFlags enum instead of int/const UString&.
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
            - Add use new enum parsing, check for error.
        * runtime/RegExpKey.h:
        (JSC::RegExpKey::RegExpKey):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
            - Pass NoFlags value instead of empty string.
        (JSC::regExpProtoFuncCompile):
            - Add use new enum parsing, check for error.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
            - Pass NoFlags value instead of empty string.

2011-03-08  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig

        Bug 55994 - Functions on Array.prototype should check length first.
        These methods are designed to work on generic objects too, and if 'length'
        is a getter that throws an exception, ensure this is correctly thrown
        (even if other exceptions would be thrown, too).

        Make the length check the first thing we do.
        This change shows a progression on SunSpider on my machine, but this is likely bogus.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):

2011-03-07  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make CodeBlock GC write barrier safe
        https://bugs.webkit.org/show_bug.cgi?id=55910

        In order to make CodeBlock WriteBarrier safe it was necessary
        to make it have a single GC owner, and for that reason I have
        made ExecutableBase a GC allocated object.  This required
        updating their creation routines as well as all sites that hold
        a reference to them.  GC objects that held Executable's have been
        converted to WriteBarriers, and all other sites now use Global<>.

        As an added benefit this gets rid of JSGlobalData's list of
        GlobalCodeBlocks.

        Perf testing shows a 0.5% progression on v8, vs. a 0.3% regression
        on SunSpider.  Given none of the tests that show regressions
        demonstrate a regression on their own, and sampling shows up nothing.
        I suspect we're just getting one or two additional gc passes at
        the end of the run.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::EvalCodeCache::markAggregate):
        (JSC::CodeBlock::markAggregate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ownerExecutable):
        (JSC::CodeBlock::addConstant):
        (JSC::CodeBlock::constantRegister):
        (JSC::CodeBlock::getConstant):
        (JSC::CodeBlock::addFunctionDecl):
        (JSC::CodeBlock::addFunctionExpr):
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        (JSC::ExecState::r):
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::get):
        * bytecode/SamplingTool.h:
        (JSC::ScriptSampleRecord::ScriptSampleRecord):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addConstantValue):
        (JSC::BytecodeGenerator::emitEqualityOp):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * debugger/Debugger.cpp:
        (JSC::evaluateInGlobalCallFrame):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitLoadDouble):
        (JSC::JIT::emitLoadInt32ToDouble):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        (JSC::JITThunks::hostFunctionStub):
        (JSC::JITThunks::clearHostFunctionStubs):
        * jit/JITStubs.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::~FunctionExecutable):
        (JSC::EvalExecutable::markChildren):
        (JSC::ProgramExecutable::markChildren):
        (JSC::FunctionExecutable::markChildren):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::ExecutableBase):
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::VPtrHackExecutable::VPtrHackExecutable):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::EvalExecutable::create):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::create):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        * runtime/Heap.cpp:
        (JSC::Heap::destroy):
        (JSC::Heap::markRoots):
        * runtime/Heap.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::markChildren):
        * runtime/JSActivation.h:
        (JSC::JSActivation::JSActivationData::JSActivationData):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::~JSFunction):
        (JSC::JSFunction::markChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSObject.cpp:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::markChildren):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::JSStaticScopeObjectData::JSStaticScopeObjectData):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSZombie.cpp:
        (JSC::JSZombie::leakedZombieStructure):
        * runtime/JSZombie.h:
        (JSC::JSZombie::createStructure):
        * runtime/MarkedSpace.h:

2011-03-07  Andy Estes  <aestes@apple.com>

        Reviewed by Dan Bernstein.

        REGRESSION (r79060): Timestamp is missing from tweets in twitter.
        https://bugs.webkit.org/show_bug.cgi?id=55228

        A change to the date parser to handle the case where the year is
        specified before the time zone inadvertently started accepting strings
        such as '+0000' as valid years. Those strings actually represent time
        zones in an offset of hours and minutes from UTC, not years.

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters): If the current character
        in dateString is '+' or '-', do not try to parse the next token as a
        year.

2011-03-06  Yuta Kitamura  <yutak@chromium.org>

        Reviewed by Kent Tamura.

        Add SHA-1 for new WebSocket protocol
        https://bugs.webkit.org/show_bug.cgi?id=55039

        The code is based on Chromium's portable SHA-1 implementation
        (src/base/sha1_portable.cc). Modifications were made in order
        to make the code comply with WebKit coding style.

        * GNUmakefile.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        * wtf/MD5.cpp:
        (WTF::MD5::MD5):
        * wtf/SHA1.cpp: Added.
        (WTF::testSHA1): This function will be run the first time SHA1
        constructor is called. This function computes a few hash values
        and checks the results in debug builds. However, constructor is
        probably not a good place to run these tests, so we need to find
        a good place for it (bug 55853).
        (WTF::expectSHA1):
        (WTF::f):
        (WTF::k):
        (WTF::rotateLeft):
        (WTF::SHA1::SHA1):
        (WTF::SHA1::addBytes):
        (WTF::SHA1::computeHash):
        (WTF::SHA1::finalize):
        (WTF::SHA1::processBlock):
        (WTF::SHA1::reset):
        * wtf/SHA1.h: Added.
        (WTF::SHA1::addBytes):
        * wtf/wtf.pri:

2011-03-05  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Add Derived Sources to WebCore GYP build
        https://bugs.webkit.org/show_bug.cgi?id=55813

        Rename the action to be friendlier.

        * gyp/JavaScriptCore.gyp:

2011-03-04  Viatcheslav Ostapenko  <ostapenko.viatcheslav@nokia.com>

        Reviewed by Laszlo Gombos.

        [Qt] Need symbian version of cryptographicallyRandomValuesFromOS
        https://bugs.webkit.org/show_bug.cgi?id=55782

        Implement Symbian version of cryptographicallyRandomValuesFromOS

        * wtf/OSRandomSource.cpp:
        (WTF::cryptographicallyRandomValuesFromOS):

2011-03-04  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Cameron Zwarich.

        Bug 55815 - Should throw an exception from JSObject::defineOwnProperty if !isExtensible().

        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnProperty):
            Add missing check.

2011-03-04  Gavin Barraclough  <barraclough@apple.com>

        Rubber stamped by olliej.

        Bug 54945 - The web page hangs towards the end of page load in Interpreter enabled javascript code in the latest webkit trunk.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
            (1) don't infinite loop.
            (2) goto 1.

2011-03-04  Gavin Barraclough  <barraclough@apple.com>

        cmake build fix.

        * CMakeLists.txt:

2011-03-04  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Add Copy Files step to JavaScriptCore GYP build for apitest and minidom
        https://bugs.webkit.org/show_bug.cgi?id=55798

        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:

2011-03-04  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Remove unneeded round-trips through ../Source in the Chromium GYP build
        https://bugs.webkit.org/show_bug.cgi?id=55795

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-03-04  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Use target_defaults to reduce boilerplate in GYP build system
        https://bugs.webkit.org/show_bug.cgi?id=55790

        Instead of setting up the configuration in each target, just defer to
        target_defaults.  Also, removed a define that was redundant with the
        xcconfig.

        * gyp/JavaScriptCore.gyp:

2011-03-03  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 55736 - Implement seal/freeze/preventExtensions for normal object types.
        Provide basic functionallity from section 15.2.4 of ECMA-262.
        This support will need expanding to cover arrays, too.

        Shows a 0.5% progression on SunSpidey, this seems to be due to changing
        ObjectConstructor to use a static table.

        * DerivedSources.make:
        * JavaScriptCore.exp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::objectConstructorTable):
            Add a static table for ObjectConstructor.
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
            Add a static table for ObjectConstructor.
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
            Add a static table for ObjectConstructor.
        * runtime/JSObject.cpp:
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
            Transition the object's structure.
        (JSC::JSObject::defineOwnProperty):
            Check isExtensible.
        * runtime/JSObject.h:
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::isExtensible):
            These wrap method on structure.
        (JSC::JSObject::putDirectInternal):
            Check isExtensible.
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        (JSC::ObjectConstructor::getOwnPropertySlot):
        (JSC::ObjectConstructor::getOwnPropertyDescriptor):
            Change ObjectConstructor to use a static table.
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorPreventExtensions):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        (JSC::objectConstructorIsExtensible):
            Add new methods on Object.
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
            init/propagate  m_preventExtensions
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
            transition the structure, materializing the property map, setting m_preventExtensions & changing attributes.
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
            check attributes to detect if object is sealed/frozen.
        * runtime/Structure.h:
        (JSC::Structure::isExtensible):
            checks the m_preventExtensions flag.

2011-03-04  Steve Falkenburg  <sfalken@apple.com>

        Reviewed by Jon Honeycutt.

        Adopt VersionStamper tool for Windows WebKit DLLs
        https://bugs.webkit.org/show_bug.cgi?id=55784
        <rdar://problem/9021273>
        
        We now use a tool to stamp the version number onto the Apple WebKit DLLs
        during the post-build step.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.rc: Removed.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePostBuild.cmd:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePreBuild.cmd:

2011-03-04  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        JavaScriptCore GYP build should use a header map
        https://bugs.webkit.org/show_bug.cgi?id=55712

        This patch moves the os-win32 files into their own variable so that we
        can use a header map in the Apple Mac Xcode build.  The problem is that
        the header map searches the whole project rather than just the files
        included in a given target.  Another solution to this problem is to
        make GYP smarter about filtering out what files are added to the
        project file.

        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:

2011-03-03  Ryosuke Niwa  <rniwa@webkit.org>

        Reviewed by Darin Adler.

        Remove LOOSE_PASS_OWN_ARRAY_PTR from PassOwnArrayPtr.h
        https://bugs.webkit.org/show_bug.cgi?id=55554

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::copyGlobalsTo): Pass nullptr instead of 0.
        (JSC::JSGlobalObject::resizeRegisters): Ditto; also use OwnArrayPtr instead of a raw pointer.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addStaticGlobals): Ditto.
        * wtf/PassOwnArrayPtr.h: Removed #define LOOSE_PASS_OWN_ARRAY_PTR
        (WTF::PassOwnArrayPtr::PassOwnArrayPtr): Added a constructor that takes nullptr_t.

2011-03-03  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Add jsc to JavaScriptCore GYP build
        https://bugs.webkit.org/show_bug.cgi?id=55711

        * JavaScriptCore.gypi:
            - Move jsc.cpp into jsc_files because it's really part of the jsc
              target.
        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Remove extraneous files from the normal jsc build.  I probably
              added these by mistake at some point.
        * gyp/JavaScriptCore.gyp:
            - Add the jsc target to the GYP file.

2011-03-03  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Add testapi to JavaScriptCore GYP build
        https://bugs.webkit.org/show_bug.cgi?id=55707

        The new testapi target is slightly incomplete.  There's a resource
        copying step that we don't quite have yet.

        This patch also cleans up some of the configuration issues in
        JavaScriptCore.xcodeproj.  It seems kind of wordy to repeat these for
        each target.  I suspect there's a more compact way of defining the
        configurations, but this removes the "Default" configuration, which is
        progress.

        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:

2011-03-03  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Teach JavaScriptCore GYP build about private headers
        https://bugs.webkit.org/show_bug.cgi?id=55532

        This patch distinguishes between public and private framework headers
        so that public headers are copied into the Headers directory and
        private headers are copied into the PrivateHeaders directory.

        * gyp/JavaScriptCore.gyp:

2011-03-03  Geoffrey Garen  <ggaren@apple.com>

        Rolled out 80277 and 80280 because they caused event handler layout test
        failures.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * runtime/Arguments.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSVariableObject.h:
        * runtime/MarkedSpace.cpp:
        * runtime/MarkedSpace.h:

2011-03-03  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Build fix. Alter order of headers included to make sure windows.h
        is configured by wx, and skip Posix implementation file we don't use on Win.

        * wscript:
        * wtf/wx/StringWx.cpp:

2011-03-03  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        JSVariableObject needs to use WriteBarrier for symboltable property storage
        https://bugs.webkit.org/show_bug.cgi?id=55698

        Replace the direct usage of Register in JSVariableObject (and descendents)
        with WriteBarrier.  This requires updating the Arguments object to use
        WriteBarrier as well.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveArguments):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::initialize):
        * runtime/Arguments.cpp:
        (JSC::Arguments::markChildren):
        (JSC::Arguments::copyToRegisters):
        (JSC::Arguments::fillArgList):
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::getOwnPropertyDescriptor):
        (JSC::Arguments::put):
        * runtime/Arguments.h:
        (JSC::Arguments::setActivation):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::copyRegisters):
        (JSC::JSActivation::copyRegisters):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::markChildren):
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        (JSC::JSActivation::put):
        (JSC::JSActivation::putWithAttributes):
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::put):
        (JSC::JSGlobalObject::putWithAttributes):
        (JSC::JSGlobalObject::markChildren):
        (JSC::JSGlobalObject::copyGlobalsFrom):
        (JSC::JSGlobalObject::copyGlobalsTo):
        (JSC::JSGlobalObject::resizeRegisters):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setRegisters):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::put):
        (JSC::JSStaticScopeObject::putWithAttributes):
        * runtime/JSVariableObject.cpp:
        (JSC::JSVariableObject::symbolTableGet):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::registerAt):
        (JSC::JSVariableObject::JSVariableObjectData::JSVariableObjectData):
        (JSC::JSVariableObject::symbolTableGet):
        (JSC::JSVariableObject::symbolTablePut):
        (JSC::JSVariableObject::symbolTablePutWithAttributes):
        (JSC::JSVariableObject::copyRegisterArray):
        (JSC::JSVariableObject::setRegisters):

2011-03-03  Geoffrey Garen  <ggaren@apple.com>

        Try to fix Windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed obsolete symbol.

        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::getOwnPropertySlot): Don't mark this function
        inline -- it's virtual.

2011-03-02  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Darin Adler.

        Moved all variable object storage inline -- upping the object size limit to 1K
        https://bugs.webkit.org/show_bug.cgi?id=55653

        * JavaScriptCore.exp:
        * bytecompiler/BytecodeGenerator.cpp:
        * jit/JITOpcodes.cpp:
        * runtime/Arguments.h:
        * runtime/JSActivation.h: Removed out-of-line storage. Changed d-> to m_.

        * runtime/JSCell.h:
        (JSC::JSCell::MarkedSpace::sizeClassFor): Added an imprecise size class
        to accomodate objects up to 1K.

        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h: Removed out-of-line storage. Changed d-> to m_.

        * runtime/JSObject.cpp: Don't ASSERT that JSFinalObject fills the maximum
        object size, since it doesn't anymore.

        * runtime/JSStaticScopeObject.cpp:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSVariableObject.h: Removed out-of-line storage. Changed d-> to m_.

        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::reset):
        * runtime/MarkedSpace.h: Added an imprecise size class to accomodate objects up to 1K.

2011-03-03  Timothy Hatcher  <timothy@apple.com>

        Make APIShims usable from WebCore.

        Reviewed by Oliver Hunt.

        * ForwardingHeaders/JavaScriptCore/APIShims.h: Added.
        * GNUmakefile.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-03-03  Peter Varga  <pvarga@webkit.org>

        Reviewed by Oliver Hunt.

        Begin Characters Optimization Causes YARR Interpreter Errors
        https://bugs.webkit.org/show_bug.cgi?id=55479

        The addBeginTerm function is removed because it doesn't correctly handle those
        cases when an "invalid" term has been
        collected (e.g. CharacterClass). Move the removed function to the
        setupAlternativeBeginTerms method's switch-case
        where the non-allowed cases are correctly handled.

        Reenable the Beginning Character Optimization in the YARR Interpreter again.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeBeginTerms):
        (JSC::Yarr::YarrPattern::compile):

2011-03-02  Jessie Berlin  <jberlin@apple.com>

        Reviewed by Adam Roben.

        WebKit2: Use CFNetwork Sessions API.
        https://bugs.webkit.org/show_bug.cgi?id=55435

        Add the ability to create a Private Browsing storage session.

        * wtf/Platform.h:
        Add a new #define for using CF Storage Sessions.

2011-03-02  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Remove "register slot" concept from PropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=55621

        PropertySlot had already stopped storing Register "slots"
        so this patch is simply removing that api entirely.
        This exposed a problem in the ProgramNode constructor for
        BytecodeGenerator where it reads from the registerfile
        before it has initialised it.

        This bug wasn't a problem before as we were merely testing
        for property existence rather than the actual value, and
        used to work because setRegisterSlot didn't check that the
        provided slot contained an initialised value.

        To get around this issue we now use symbolTableHasProperty
        to do the symbol table check without trying to read the
        RegisterFile.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::symbolTableHasProperty):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::symbolTableGet):
        * runtime/PropertySlot.h:

2011-03-02  Daniel Cheng  <dcheng@chromium.org>

        Reviewed by David Levin.

        Add feature define for data transfer items
        https://bugs.webkit.org/show_bug.cgi?id=55510

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-03-02  Adam Roben  <aroben@apple.com>

        Delete old .res files whenever any .vsprops file changes

        Prospective fix for <http://webkit.org/b/55599> r80079 caused incremental Windows builds to
        fail

        Reviewed by Tony Chang.

        * JavaScriptCore.vcproj/JavaScriptCore/react-to-vsprops-changes.py:
        (main): Restructured code to loop over a set of file extensions, deleting any old files that
        have that extension. Now deletes .res files, too. (We previously deleted any file matching
        *.manifest*, but that turned out to just be the union of *.manifest and *.res.)

2011-03-02  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Teach JavaScriptCore GYP build how to build minidom
        https://bugs.webkit.org/show_bug.cgi?id=55536

        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:

2011-03-01  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        JavaScriptCore GYP build should copy some headers into the target framework
        https://bugs.webkit.org/show_bug.cgi?id=55524

        After this patch, all the framework headers are exported as public
        headers.  We need to teach GYP how to handle private headers.

        I struggled to determine how to store the information about whether a
        header was public, private, or project (i.e., not exported).
        Generally, the GYPI should just list the files, but it seemed siliy to
        have an almost duplicated list of files in the GYP file itself.  If
        this design doesn't scale, we might have to revisit it in the future.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:

2011-03-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r80079.
        http://trac.webkit.org/changeset/80079
        https://bugs.webkit.org/show_bug.cgi?id=55547

        "Broke the Win debug build?" (Requested by dcheng on #webkit).

        * wtf/Platform.h:

2011-03-01  Daniel Cheng  <dcheng@chromium.org>

        Reviewed by David Levin.

        Add feature define for data transfer items
        https://bugs.webkit.org/show_bug.cgi?id=55510

        * wtf/Platform.h:

2011-03-01  Oliver Hunt  <oliver@apple.com>

        Reviewed by Joseph Pecoraro.

        Misaligned memory access in CloneDeserializer on all ARM arch.
        https://bugs.webkit.org/show_bug.cgi?id=48742

        Add a CPU class for architectures that need aligned addresses
        for memory access.

        * wtf/Platform.h:

2011-03-01  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Add pre- and post-build actions for JavaScriptCore GYP build
        https://bugs.webkit.org/show_bug.cgi?id=55507

        After this patch, we have all the steps for building the main
        JavaScriptCore framework except the "copy headers" step, which I'll do
        next.

        * gyp/JavaScriptCore.gyp:

2011-03-01  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Rolled back in r79627 now that the underlying cause for it crashing is fixed.
        https://bugs.webkit.org/show_bug.cgi?id=55159

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/Heap.cpp:
        (JSC::Heap::allocateSlowCase):
        * runtime/Heap.h:
        * runtime/JSCell.h:
        (JSC::JSCell::MarkedSpace::sizeClassFor):
        (JSC::JSCell::Heap::allocate):
        (JSC::JSCell::JSCell::operator new):
        * runtime/MarkedBlock.h:
        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::allocateBlock):
        (JSC::MarkedSpace::reset):
        * runtime/MarkedSpace.h:
        (JSC::MarkedSpace::SizeClass::SizeClass):

2011-03-01  Mark Rowe  <mrowe@apple.com>

        Reviewed by Sam Weinig.

        Replace two script phases that do nothing but copy files with copy files build phases.

        This speeds up the build by a few seconds on high-end Mac Pros.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-03-01  David Kilzer  <ddkilzer@apple.com>

        Spring cleaning!

        Rubber-stamped by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (Copy Into Framework): Remove "set -x" and its comment.

2011-03-01  Michael Saboff  <msaboff@apple.com>

        Reviewed by Darin Adler.

        TinyMCE not working in nightlies
        https://bugs.webkit.org/show_bug.cgi?id=54978

        Disabling setupBeginChars() to temporarily work arround the test 
        failure.  Filed https://bugs.webkit.org/show_bug.cgi?id=55479
        to track fixing the issue.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::compile):

2011-02-23  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by Kenneth Rohde Christiansen.

        Viewport parsing no longer accepts "1.0;" value as valid.
        https://bugs.webkit.org/show_bug.cgi?id=53705

        Include a didReadNumber parameter to String -> float / double
        conversion functions. This way, if the "ok" boolean out
        parameter is false, you can check to see if there in fact
        was a valid number parsed with garbage at the end. Examples
        of that would be parsing "123x456" would have ok = false,
        but didReadNumber = true.

        * JavaScriptCore.exp:
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::toDouble):
        (WTF::StringImpl::toFloat):
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.cpp:
        (WTF::String::toDouble):
        (WTF::String::toFloat):
        (WTF::charactersToDouble):
        (WTF::charactersToFloat):
        * wtf/text/WTFString.h:

2011-02-28  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Gavin Barraclough.

        Past-the-end writes in VM exceptions (caused crashes in r79627)
        https://bugs.webkit.org/show_bug.cgi?id=55448
        
        Some exceptions had the wrong structures, so they misoverestimated their
        inline storage sizes.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): Use the right structure.

        * runtime/JSObject.h:
        (JSC::JSNonFinalObject::JSNonFinalObject):
        (JSC::JSFinalObject::JSFinalObject): ASSERT that our structure capacity
        is correct to verify this doesn't happen again.

2011-03-01  Andras Becsi  <abecsi@webkit.org>

        Reviewed by Csaba Osztrogonác.

        [Qt] Clean up the project files and move common options to WebKit.pri.

        * JavaScriptCore.pri: Move options also needed in WebCore into WebKit.pri.
        * JavaScriptCore.pro: Deduplicate options.
        * jsc.pro: Ditto.

2011-03-01  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Teach JavaScriptCore GYP build about DEPTH
        https://bugs.webkit.org/show_bug.cgi?id=55425

        In addition to teaching the JavaScriptCore GYP build about DEPTH, this
        change overrides the GCC warning configuration to disable a warning
        that's causing probems in Assertions.cpp.  With that warning disabled,
        JavaScriptCore builds again.

        * gyp/JavaScriptCore.gyp:

2011-02-28  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-02-28  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r79948.
        http://trac.webkit.org/changeset/79948
        https://bugs.webkit.org/show_bug.cgi?id=55439

        "caused crashes on the SL release bot" (Requested by ggaren on
        #webkit).

        * runtime/JSGlobalData.h:
        * runtime/WriteBarrier.h:

2011-02-28  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-02-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig & Darin Adler.

        Bug 55423 - Clean up property tables in Structure

        Encapsulate, reduce duplication of table search code,
        and reduce the size of the tables (remove the index,
        just maintain the tables in the correct order).

        Shows a 0.5% - 1% progression on sunspider.

        * JavaScriptCore.exp:
        * runtime/PropertyMapHashTable.h:
        (JSC::isPowerOf2):
        (JSC::nextPowerOf2):
            bit ops used to calculate table size.
        (JSC::PropertyMapEntry::PropertyMapEntry):
        (JSC::PropertyTable::ordered_iterator::operator++):
        (JSC::PropertyTable::ordered_iterator::operator==):
        (JSC::PropertyTable::ordered_iterator::operator!=):
        (JSC::PropertyTable::ordered_iterator::operator*):
        (JSC::PropertyTable::ordered_iterator::operator->):
        (JSC::PropertyTable::ordered_iterator::ordered_iterator):
            implementation of the iterator types
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::~PropertyTable):
            constructors take an initial capacity for the table,
            a table to copy, or both.
        (JSC::PropertyTable::begin):
        (JSC::PropertyTable::end):
            create in-order iterators.
        (JSC::PropertyTable::find):
            search the hash table
        (JSC::PropertyTable::add):
            add a value to the hash table
        (JSC::PropertyTable::remove):
            remove a value from the hash table
        (JSC::PropertyTable::size):
        (JSC::PropertyTable::isEmpty):
            accessors.
        (JSC::PropertyTable::propertyStorageSize):
        (JSC::PropertyTable::clearDeletedOffsets):
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::getDeletedOffset):
        (JSC::PropertyTable::addDeletedOffset):
            cache deleted (available) offsets in the property storage array.
        (JSC::PropertyTable::copy):
            take a copy of the PropertyTable, potentially expanding the capacity.
        (JSC::PropertyTable::sizeInMemory):
            used for DEBUG build statistics
        (JSC::PropertyTable::reinsert):
        (JSC::PropertyTable::rehash):
        (JSC::PropertyTable::tableCapacity):
        (JSC::PropertyTable::deletedEntryIndex):
        (JSC::PropertyTable::skipDeletedEntries):
        (JSC::PropertyTable::table):
        (JSC::PropertyTable::usedCount):
        (JSC::PropertyTable::dataSize):
        (JSC::PropertyTable::sizeForCapacity):
        (JSC::PropertyTable::canInsert):
            these methods provide internal implementation.
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::~Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::put):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNames):
        (JSC::PropertyTable::checkConsistency):
        (JSC::Structure::checkConsistency):
            factored out code to PropertyMapHashTable.h
        * runtime/Structure.h:
        (JSC::Structure::propertyStorageSize):
        (JSC::Structure::isEmpty):
        (JSC::Structure::get):
            factored out code to PropertyMapHashTable.h

2011-02-28  Xan Lopez  <xlopez@igalia.com>

        Another fix build :(

        Fix typo.

        * runtime/MachineStackMarker.cpp:
        (JSC::freePlatformThreadRegisters):

2011-02-28  Xan Lopez  <xlopez@igalia.com>

        Unreviewed build fix for Snow Leopard.

        * runtime/MachineStackMarker.cpp:
        (JSC::freePlatformThreadRegisters):

2011-02-28  Alejandro G. Castro  <alex@igalia.com>

        Unreviewed, fix SnowLeopard compilation after r79952.

        * runtime/MachineStackMarker.cpp:
        (JSC::freePlatformThreadRegisters):

2011-02-28  Mark Rowe  <mrowe@apple.com>

        Reviewed by Darin Adler.

        <http://webkit.org/b/55430> OwnArrayPtr.h's LOOSE_OWN_ARRAY_PTR results in link errors.

        * wtf/OwnArrayPtr.h:
        (WTF::::set): Implement OwnArrayPtr::set.

2011-02-28  Martin Zoubek  <martin.zoubek@acision.com> and Alejandro G. Castro  <alex@igalia.com>

        Reviewed by Martin Robinson.

        Multithread support for JSC on UNIX
        https://bugs.webkit.org/show_bug.cgi?id=26838

        Implement suspendThread() and resumeThread() for systems with
        pthread.h using thread signal handler.

        * runtime/MachineStackMarker.cpp:
        (JSC::pthreadSignalHandlerSuspendResume):
        (JSC::MachineStackMarker::Thread::Thread):
        (JSC::getCurrentPlatformThread):
        (JSC::suspendThread):
        (JSC::resumeThread):
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):
        (JSC::freePlatformThreadRegisters):
        (JSC::MachineStackMarker::markOtherThreadConservatively):
        * wtf/Platform.h: Added Gtk port to use
        ENABLE_JSC_MULTIPLE_THREADS.

2011-02-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Darin Adler.

        Stop using DeprecatedPtr for the global exception slot
        https://bugs.webkit.org/show_bug.cgi?id=55424

        Create GCRootPtr to signify that the exception slot is
        a gcroot, and so is exempt from the usual writebarrier
        restrictions.

        * runtime/JSGlobalData.h:
        * runtime/WriteBarrier.h:
        (JSC::GCRootPtr::GCRootPtr):
        (JSC::GCRootPtr::operator=):

2011-02-28  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        Use more xcconfig files in JavaScriptCore gyp build
        https://bugs.webkit.org/show_bug.cgi?id=55391

        The GYP experts tell me that we have have a total of two xcconfig
        files: one for the xcodeproj as a whole and one for each target.  This
        patch uses that technique to re-use the existing xcconfig files and
        eliminate the duplication.

        Technically, this patch introduces some build errors because the
        xcconfig files assume that the xcodeproj file is one level higher in
        the directory hierarchy.  Specifically, the xcodeproj file can no
        longer find the Info.plist or the prefix header.  I plan to fix that in
        a subsequent patch.

        Also, this patch introduces the Release and Production configurations,
        which should work correctly now.

        * gyp/JavaScriptCore.gyp:

2011-02-28  Jon Honeycutt  <jhoneycutt@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Add symbol to export.

2011-02-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make ScopeChainNode GC allocated
        https://bugs.webkit.org/show_bug.cgi?id=55283

        Simplify lifetime and other issues with the scopechain
        by making it gc allocated.  This allows us to simplify
        function exit and unwinding, as well as making the
        current iterative refcounting go away.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::createActivation):
        * bytecode/StructureStubInfo.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionCall):
        (JSC::BytecodeGenerator::emitJumpIfNotFunctionApply):
        * bytecompiler/BytecodeGenerator.h:
        * debugger/Debugger.cpp:
        (JSC::Recompiler::operator()):
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::scopeChain):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::depth):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::privateExecute):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallInitializeCallFrame):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallInitializeCallFrame):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileOpCall):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_end):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * runtime/ArgList.cpp:
        * runtime/Completion.cpp:
        (JSC::evaluate):
        * runtime/Completion.h:
        * runtime/DateConversion.cpp:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        * runtime/GCActivityCallbackCF.cpp:
        * runtime/Identifier.cpp:
        * runtime/JSCell.h:
        * runtime/JSChunk.cpp: Added.
        * runtime/JSChunk.h: Added.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::markChildren):
        (JSC::JSFunction::getCallData):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getConstructData):
        * runtime/JSFunction.h:
        (JSC::JSFunction::scope):
        (JSC::JSFunction::setScope):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::markChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectData::JSGlobalObjectData):
        (JSC::JSGlobalObject::globalScopeChain):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSLock.cpp:
        * runtime/JSNumberCell.cpp:
        * runtime/JSZombie.cpp:
        * runtime/MarkedBlock.cpp:
        * runtime/MarkedSpace.cpp:
        * runtime/PropertyNameArray.cpp:
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::print):
        (JSC::ScopeChainNode::localDepth):
        (JSC::ScopeChainNode::markChildren):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::ScopeChainNode):
        (JSC::ScopeChainNode::createStructure):
        (JSC::ScopeChainNode::push):
        (JSC::ScopeChainNode::pop):
        (JSC::ScopeChainIterator::ScopeChainIterator):
        (JSC::ScopeChainIterator::operator*):
        (JSC::ScopeChainIterator::operator->):
        (JSC::ScopeChainIterator::operator++):
        (JSC::ScopeChainNode::begin):
        (JSC::ScopeChainNode::end):
        (JSC::ExecState::globalData):
        (JSC::ExecState::lexicalGlobalObject):
        (JSC::ExecState::globalThisValue):
        * runtime/ScopeChainMark.h:
        * wtf/DateMath.cpp:

2011-02-27  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Implement WTF::randomNumber in terms of WTF::cryptographicallyRandomNumber when possible
        https://bugs.webkit.org/show_bug.cgi?id=55326

        Currently, randomNumber does a bunch of platform-specific work that to
        get a cryptographic randomness when available.  Instead, we should use
        cryptographicallyRandomNumber, which abstracts this work.
        Unfortunately, we can't remove all of the WTF::randomNumber
        implementation because not every port has access to cryptographically
        random numbers.

        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):

2011-02-27  Benjamin Poulain  <ikipou@gmail.com>

        Reviewed by Darin Adler.

        Eliminate DeprecatedPtrList from RenderBlock
        https://bugs.webkit.org/show_bug.cgi?id=54972

        Add methods find() and contains() using an adaptor to ListHashSet.
        Those method are like the one of HashSet, they allow to find objects
        based on a different key than the one used to define the set.

        Add convenience methods for direct access to the head and tail of the list.
        Those methods are providing similar API/behavior as Vector.

        * wtf/ListHashSet.h:
        (WTF::::first):
        (WTF::::last):
        (WTF::::removeLast):
        (WTF::ListHashSetTranslatorAdapter::hash):
        (WTF::ListHashSetTranslatorAdapter::equal):
        (WTF::::find):
        (WTF::::contains):

2011-02-26  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Andreas Kling.

        Add support for DragonFly BSD
        https://bugs.webkit.org/show_bug.cgi?id=54407

        DragonFly BSD is based on FreeBSD, so handle it like FreeBSD.

        * wtf/Platform.h:

2011-02-26  Adam Barth  <abarth@webkit.org>

        Reviewed by Dimitri Glazkov.

        JavaScriptCore should use the xcconfig file instead of importing that information into GYP
        https://bugs.webkit.org/show_bug.cgi?id=55282

        Technically, this breaks the build because I had removed one of the
        warnings in this config file, but this change seems like an
        improvement.

        * gyp/JavaScriptCore.gyp:

2011-02-26  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Nikolas Zimmermann.

        SH4 JIT SUPPORT
        https://bugs.webkit.org/show_bug.cgi?id=44329

        Provide an ExecutableAllocater::cacheFlush() implementation for
        Linux/SH4.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):

2011-02-25  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r79627.
        http://trac.webkit.org/changeset/79627
        https://bugs.webkit.org/show_bug.cgi?id=55274

        broke worker tests (Requested by olliej on #webkit).

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/Heap.cpp:
        (JSC::Heap::allocate):
        * runtime/Heap.h:
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::operator new):
        (JSC::JSCell::MarkedSpace::sizeClassFor):
        (JSC::JSCell::MarkedSpace::allocate):
        * runtime/MarkedBlock.h:
        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::allocateBlock):
        (JSC::MarkedSpace::reset):
        * runtime/MarkedSpace.h:
        (JSC::MarkedSpace::SizeClass::SizeClass):

2011-02-25  Michael Saboff  <msaboff@apple.com>

        Reviewed by Darin Adler.

        Leak in JSParser::Scope of ScopeLabelInfo Vector
        https://bugs.webkit.org/show_bug.cgi?id=55249

        Changed m_labels to be an OwnPtr<>.  Added VectorTraits
        and Scope copy constructor to support this change.

        * parser/JSParser.cpp:
        (JSC::JSParser::Scope::~Scope):

2011-02-25  Fumitoshi Ukai  <ukai@chromium.org>

        Reviewed by Adam Barth.

        WebSocket uses insecure random numbers
        https://bugs.webkit.org/show_bug.cgi?id=54714

        * JavaScriptCore.exp: Export WTF::cryptographicallyRandomNumber()

2011-02-25  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Adam Roben.

        Move timeBeginPeriod into OS(WINDOWS) section
        https://bugs.webkit.org/show_bug.cgi?id=55247

        * jsc.cpp:
        (main): timeBeginPeriod is available on all Windows versions and not compiler specific.

2011-02-25  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed WinCE build fix for r79695.

        * jsc.cpp:
        (main): SetErrorMode isn't available on WinCE.

2011-02-25  Adam Roben  <aroben@apple.com>

        Work around Cygwin's crash-suppression behavior

        Cygwin calls ::SetErrorMode(SEM_FAILCRITICALERRORS), which any processes it launches will
        inherit. This is bad for testing/debugging, as it causes the post-mortem debugger not to be
        invoked. (Cygwin does this because it makes crashes more UNIX-y.) We reset the error mode
        when our test apps launch to work around Cygwin's behavior.

        Fixes <http://webkit.org/b/55222> Test apps crash silently (without invoking post-mortem
        debugger) when launched from Cygwin 1.7

        Reviewed by Darin Adler.

        * API/tests/testapi.c: Added a now-needed #include.
        (main):
        * jsc.cpp:
        (main):
        Call ::SetErrorMode(0) to undo Cygwin's folly.

        * JavaScriptCore.vcproj/testapi/testapiCommon.vsprops: Define NOMINMAX like many of our
        other projects do so that windows.h won't define min/max macros that interfere with
        std::numeric_limits<T>::min/max.

2011-02-24  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Add GYP project for JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=55027

        Again, this GYP files is very rough, but it succeeds in building
        JavaScriptCore.  There's a lot more work to do here, especially in the
        area of sharing with JavaScriptGlue.gyp.  This patch is more of a
        checkpoint so that other folks can help out if they wish.

        * gyp: Added.
        * gyp/JavaScriptCore.gyp: Added.
        * gyp/generate-derived-sources.sh: Added.

2011-02-24  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Add missing files to JavaScriptCore.gypi
        https://bugs.webkit.org/show_bug.cgi?id=55193

        I forgot to add mm files in my previous patch.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:

2011-02-24  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Remove unused parameter name in GCActivityCallback.cpp
        https://bugs.webkit.org/show_bug.cgi?id=55194

        This change is not strictly required for the GYP-based build system,
        but I noticed this error when working on the new build system.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):

2011-02-24  James Robinson  <jamesr@chromium.org>

        Reviewed by Darin Fisher.

        Add a USE() macro to control use of the built-in UTF8 codec
        https://bugs.webkit.org/show_bug.cgi?id=55189

        Defaults USE(BUILTIN_UTF8_CODEC) to true for all platforms except chromium, which controls the flag via features.gypi.

        * wtf/Platform.h:

2011-02-24  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Darin Adler.

        Variable-sized allocation (but still capped at 64 bytes)
        https://bugs.webkit.org/show_bug.cgi?id=55159
        
        SunSpider reports no change.

        * JavaScriptCore.exp: Some day, I hope not to have to edit this file.

        * runtime/Heap.cpp:
        (JSC::Heap::allocateSlowCase): Split allocation into a fast and slow
        case, so the fast case can inline size class selection and turn it into
        a compile-time constant.
        
        Changed the collect-on-every allocation debugging switch to collect only
        on every slow allocation, so you can still flip the switch without
        recompiling the world. This may also be preferable for debugging purposes,
        since collecting after every single allocation can be unusably slow,
        and can mask problems by running destructors early.

        * runtime/Heap.h: Ditto.

        * runtime/JSCell.h:
        (JSC::JSCell::MarkedSpace::sizeClassFor):
        (JSC::JSCell::Heap::allocate):
        (JSC::JSCell::JSCell::operator new): The inlining mentioned above.

        * runtime/MarkedBlock.h: Dropped the block size from 256KB to 16KB. With
        multiple size classes, allocating a full 256KB for the first allocation
        in a given class can be pathologically wasteful. (8KB, or 4KB Mac and
        8KB Windows, would be even better, but that seems to be a peformance
        regression for now.)
        
        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::allocateBlock):
        (JSC::MarkedSpace::reset): There's more than one size class now, and its
        cell size is not constant.

        * runtime/MarkedSpace.h:
        (JSC::MarkedSpace::SizeClass::SizeClass): Ditto.

2011-02-23  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Make WeakGCMap use new handle infrastructure
        https://bugs.webkit.org/show_bug.cgi?id=55100

        Remove old WeakGCMap implementation and move over to new handle
        based logic.

        This has a number of benefits, most notably it makes a WeakGCMap
        always reflect the true state of the world by as all entries are
        removed at the first gc cycle that makes them dead.  This allows
        us to get rid of code in a wide variety of objects where the only
        purpose was to remove themselves from maps.

        It also means that we no longer need to have special "unchecked"
        versions of any functions on WeakGCMap.  Alas in order to maintain
        compatibility with the JSWeakObjectMapClear API it is still
        necessary to have an api that resembles uncheckedRemove, this is
        now deprecatedRemove and will be dealt with in a later patch.

        In order to get correct semantics in WeakGCMap we need more
        contextual information in the finalizer, so we've added an
        abstract class based finaliser and a context parameter to the
        calls.

        The new an improved WeakGCMap also results in sigificantly more
        churn in the weak handle lists so exposed some potential problems
        during the post mark phase which have been rectified as well.

        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWeakObjectMapRefPrivate.h:
        * runtime/Heap.cpp:
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::protectedGlobalObjectCount):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::iterator::iterator):
        (JSC::WeakGCMap::iterator::get):
        (JSC::WeakGCMap::iterator::getSlot):
        (JSC::WeakGCMap::iterator::operator++):
        (JSC::WeakGCMap::iterator::operator==):
        (JSC::WeakGCMap::iterator::operator!=):
        (JSC::WeakGCMap::WeakGCMap):
        (JSC::WeakGCMap::isEmpty):
        (JSC::WeakGCMap::clear):
        (JSC::WeakGCMap::get):
        (JSC::WeakGCMap::getSlot):
        (JSC::WeakGCMap::set):
        (JSC::WeakGCMap::take):
        (JSC::WeakGCMap::size):
        (JSC::WeakGCMap::deprecatedRemove):
        (JSC::WeakGCMap::begin):
        (JSC::WeakGCMap::end):
        (JSC::WeakGCMap::~WeakGCMap):
        (JSC::WeakGCMap::finalize):
        * runtime/WeakGCPtr.h:
        (JSC::WeakGCPtr::WeakGCPtr):
        (JSC::WeakGCPtr::set):

2011-02-24  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make weaklist processing deal with weak handles being removed during the iteration
        https://bugs.webkit.org/show_bug.cgi?id=55105

        It is possible for the handle heap to end up in a broken state if
        a handle's finalizer removes either the current or next handle
        to be visited during the post-gc cleanup.  This patch removes that
        problem by allowing the deallocate(Node*) routine to update the
        iterator if it is called during finalization.

        * collector/handles/HandleHeap.cpp:
        (JSC::HandleHeap::HandleHeap):
        (JSC::HandleHeap::updateAfterMark):
        (JSC::HandleHeap::clearWeakPointers):
        (JSC::HandleHeap::writeBarrier):
        (JSC::HandleHeap::protectedGlobalObjectCount):
        * collector/handles/HandleHeap.h:
        (JSC::Finalizer::~Finalizer):
        (JSC::HandleHeap::getFinalizer):
        (JSC::HandleHeap::deallocate):
        (JSC::HandleHeap::makeWeak):
        (JSC::HandleHeap::makeSelfDestroying):
        (JSC::HandleHeap::Node::Node):
        (JSC::HandleHeap::Node::setFinalizer):
        (JSC::HandleHeap::Node::finalizer):
        (JSC::HandleHeap::Node::finalizerContext):
        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::setGlobalObject):
        (JSC::GlobalObjectNotifier::finalize):
        (JSC::RegisterFile::globalObjectCollectedNotifier):
        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::RegisterFile):
        * runtime/Heap.cpp:
        (JSC::Heap::destroy):
        * runtime/WeakGCPtr.h:
        (JSC::WeakGCPtr::WeakGCPtr):
        (JSC::WeakGCPtr::set):

2011-02-24  Michael Saboff  <msaboff@apple.com>

        Reviewed by Oliver Hunt.

        PatternAlternative leaked in YarrPatternConstructor::atomParenthesesEnd()
        https://bugs.webkit.org/show_bug.cgi?id=55156

        Added code to delete unneeded PatternAlternative after it is removed
        from m_alternatives Vector.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::atomParenthesesEnd):

2011-02-24  Eric Seidel  <eric@webkit.org>

        Reviewed by Anders Carlsson.

        VectorBuffer should not call malloc(0)
        https://bugs.webkit.org/show_bug.cgi?id=55091

        Turns out the malloc() call which was so hot in:
        https://bugs.webkit.org/show_bug.cgi?id=55005
        was actually just malloc(0).

        We shouldn't be calling malloc(0) anyway, since there is no need to
        and it might actually do work on some systems.
        I believe on Mac it ends up taking the standard spinlocks (expensive)
        and the code on Brew actually does a malloc(1) instead.  Neither is desirable.

        * wtf/Vector.h:
        (WTF::VectorBufferBase::allocateBuffer):
        (WTF::VectorBufferBase::tryAllocateBuffer):

2011-02-24  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Darin Adler.

        Remove obsolete PLATFORM(CI)
        https://bugs.webkit.org/show_bug.cgi?id=55082

        * wtf/Platform.h:

2011-02-24  Martin Robinson  <mrobinson@igalia.com>

        Reviewed by Xan Lopez.

        [GTK] Remove the GFile GOwnPtr specialization
        https://bugs.webkit.org/show_bug.cgi?id=55154

        Remove the GFile specialization of GOwnPtr. It's sufficient to use GRefPtr
        to track GFiles since they are just regular reference-counted GObjects.

        * wtf/gobject/GOwnPtr.cpp: Remove GFile specialization.
        * wtf/gobject/GOwnPtr.h: Ditto.

2011-02-24  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Eric Seidel.

        Rename PLATFORM(SKIA) to USE(SKIA)
        https://bugs.webkit.org/show_bug.cgi?id=55090

        * wtf/Platform.h:

2011-02-24  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Alexey Proskuryakov.

        Remove pthreads dependecy for JSLock
        https://bugs.webkit.org/show_bug.cgi?id=54832

        JSLock is only needed to support an obsolete execution model where JavaScriptCore
        automatically protected against concurrent access from multiple threads.
        So it's safe to disable it on non-mac platforms where we don't have native pthreads.

        * runtime/JSLock.cpp:

2011-02-24  Chao-ying Fu  <fu@mips.com>

        Reviewed by Eric Seidel.

        Fix MIPS build with new patchOffsetPut/GetByIdPropertyMapOffset1/2 values
        https://bugs.webkit.org/show_bug.cgi?id=54997

        * jit/JIT.h:
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):

2011-02-24  Andras Becsi  <abecsi@webkit.org>

        Reviewed by Laszlo Gombos.

        [Qt] MinGW build fails to link
        https://bugs.webkit.org/show_bug.cgi?id=55050

        Prepend the libraries of subcomponents instead of appending them
        to fix the library order according to the dependency of the libraries

        * JavaScriptCore.pri: rename addJavaScriptCore to prependJavaScriptCore
        * jsc.pro: ditto

2011-02-24  Eric Seidel  <eric@webkit.org>

        Reviewed by Adam Barth.

        Deque<T> should support inline capacity
        https://bugs.webkit.org/show_bug.cgi?id=55032

        The title says it all.  There are currently no places
        which use this code yet, however it's been tested in conjunction
        with code for bug 55005.

        This also adds an ASSERT that capacity is never 1.  If you were able
        to set the capacity equal to 1, the Deque would just get confused
        and happily append your item but still think it had size 0.

        * wtf/Deque.h:
        (WTF::DequeIterator::DequeIterator):
        (WTF::DequeConstIterator::DequeConstIterator):
        (WTF::DequeReverseIterator::DequeReverseIterator):
        (WTF::DequeConstReverseIterator::DequeConstReverseIterator):
        (WTF::::checkValidity):
        (WTF::::checkIndexValidity):
        (WTF::::invalidateIterators):
        (WTF::::Deque):
        (WTF::deleteAllValues):
        (WTF::::operator):
        (WTF::::destroyAll):
        (WTF::::~Deque):
        (WTF::::swap):
        (WTF::::clear):
        (WTF::::findIf):
        (WTF::::expandCapacityIfNeeded):
        (WTF::::expandCapacity):
        (WTF::::takeFirst):
        (WTF::::append):
        (WTF::::prepend):
        (WTF::::removeFirst):
        (WTF::::remove):
        (WTF::::addToIteratorsList):
        (WTF::::removeFromIteratorsList):
        (WTF::::DequeIteratorBase):
        (WTF::::~DequeIteratorBase):
        (WTF::::isEqual):
        (WTF::::increment):
        (WTF::::decrement):
        (WTF::::after):
        (WTF::::before):
        * wtf/Vector.h:

2011-02-22  Adam Barth  <abarth@webkit.org>

        Reviewed by Ojan Vafai. 

        Add missing files to JavaScriptCore.gypi 
        https://bugs.webkit.org/show_bug.cgi?id=55020 

        gypi files are supposed to list every file under the sun.  This patch 
        adds some missing files and sorts the rest. 

        * JavaScriptCore.gypi: 

2011-02-23  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Darin Adler.

        Refactored MarkedSpace to operate in terms of size classes
        https://bugs.webkit.org/show_bug.cgi?id=55106
        
        SunSpider reports no change.

        * runtime/JSCell.h:
        (JSC::JSCell::MarkedSpace::sizeClassFor):
        (JSC::JSCell::MarkedSpace::allocate): Delegate allocation based on size
        class. Since these functions are inline, the compiler can constant fold
        them.

        * runtime/MarkedBlock.h:
        (JSC::MarkedBlock::cellSize):
        (JSC::MarkedBlock::size): Factored out a cellSize() helper.

        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::allocateBlock):
        (JSC::MarkedSpace::allocateFromSizeClass):
        (JSC::MarkedSpace::shrink):
        (JSC::MarkedSpace::reset):
        * runtime/MarkedSpace.h:
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::reset): Changed to operate in terms of
        abstract SizeClass objects, which are independent linked lists of blocks
        of a certain size class, instead of a single m_heap object.

2011-02-23  Adam Barth  <abarth@webkit.org>

        Reviewed by James Robinson.

        [Chromium] Use WebKitClient for OSRandomSource instead of trying to talk to the file system in the sandbox
        https://bugs.webkit.org/show_bug.cgi?id=55093

        Exclude OSRandomSource.cpp from the Chromium build.  This function is
        implemented in WebKit/chromium/src instead.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2011-02-23  Oliver Hunt  <oliver@apple.com>

        Roll out r64156 as it introduces incorrect behaviour.

        * runtime/JSByteArray.h:
        (JSC::JSByteArray::setIndex):

2011-02-23  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Moved the "nextAtom" allocation pointer into MarkedBlock for better encapsulation
        https://bugs.webkit.org/show_bug.cgi?id=55079
        
        SunSpider reports no change.

        * runtime/Heap.cpp:
        (JSC::Heap::reset): Moved Zombie sweeping here, up from MarkedSpace,
        since we want Heap to logically control MarkedSpace. MarkedSpace should
        never choose to sweep itself.

        * runtime/JSCell.h:
        (JSC::JSCell::MarkedBlock::allocate): Updated for nextAtom becoming a
        member of MarkedBlock. No need to reset nextAtom to firstAtom() when
        we reach the end of a block, since there's now an explicit reset pass
        during GC.

        * runtime/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * runtime/MarkedBlock.h:
        (JSC::MarkedBlock::reset): Added the nextAtom data member, and reordered
        some data members to improve cache locality.

        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::reset):
        * runtime/MarkedSpace.h:
        (JSC::CollectorHeap::CollectorHeap): Removed nextAtom, and added an
        explicit reset pass.

2011-02-23  James Robinson  <jamesr@chromium.org>

        Unreviewed, rolling out r79428.
        http://trac.webkit.org/changeset/79428
        https://bugs.webkit.org/show_bug.cgi?id=54714

        Does not work in the Chromium sandbox

        * JavaScriptCore.exp:

2011-02-23  Adam Roben  <aroben@apple.com>

        Fix an off-by-one error in JSC::appendSourceToError

        Looks like this bug has been around since the code was first added in r35245.

        Fixes <http://webkit.org/b/55052> <rdar://problem/9043512> Crash in JSC::appendSourceToError
        when running fast/dom/objc-big-method-name.html on Windows with full page heap enabled

        Reviewed by Darin Adler.

        * interpreter/Interpreter.cpp:
        (JSC::appendSourceToError): When trimming whitespace off the end of the string, examine the
        character at stop-1 rather than at stop. At this point in the code, stop represents the
        index just past the end of the characters we care about, and can even be just past the end
        of the entire data buffer.

2011-02-23  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Darin Adler.
        
        Rolled back in r79367 with SnowLeopard Release bot crash fixed.
        https://bugs.webkit.org/show_bug.cgi?id=54999
        
        The crash was caused by failure to update the "nextBlock" pointer when
        removing a block from the list while shrinking. The fix is to update the
        "nextBlock" pointer.
        
        This crash was very rare because it only happened in cases where the very
        first block in the heap contained no marked cells.

2011-02-23  Dan Bernstein  <mitz@apple.com>

        Reviewed by Gavin Barraclough.

        Include frame numbers in backtraces.
        https://bugs.webkit.org/show_bug.cgi?id=55060

        * wtf/Assertions.cpp:

2011-02-23  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Gavin Barraclough.

        latest jsc for armv7 crashes in sunspider tests
        https://bugs.webkit.org/show_bug.cgi?id=54667

        Update JIT offset values in ARMv7 after r78732. Fixes crashes in
        SunSpider and JavaScript tests.

        * jit/JIT.h: update values.

2011-02-23  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r79418.
        http://trac.webkit.org/changeset/79418
        https://bugs.webkit.org/show_bug.cgi?id=55043

        "breaks shlib linux build" (Requested by morrita on #webkit).

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:

2011-02-23  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Alexey Proskuryakov.

        Use DEFINE_STATIC_LOCAL for ignoreSetMutex in Structure.cpp
        https://bugs.webkit.org/show_bug.cgi?id=54831

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/Structure.cpp:
        (JSC::ignoreSetMutex):
        (JSC::Structure::Structure):
        (JSC::Structure::~Structure):
        (JSC::Structure::initializeThreading):
        * runtime/Structure.h:

2011-02-23  Patrick Gansterer  <paroga@webkit.org>

        Reviewed by Darin Adler.

        Rename PLATFORM(CF) to USE(CF)
        https://bugs.webkit.org/show_bug.cgi?id=53540

        * runtime/DatePrototype.cpp:
        * runtime/GCActivityCallbackCF.cpp:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * wtf/CurrentTime.cpp:
        * wtf/Platform.h:
        * wtf/text/AtomicString.h:
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::computeHash):
        * wtf/text/WTFString.h:
        * wtf/unicode/icu/CollatorICU.cpp:
        (WTF::Collator::userDefault):

2011-02-23  Fumitoshi Ukai  <ukai@chromium.org>

        Unreviewed build fix for Windows.

        WebSocket uses insecure random numbers
        https://bugs.webkit.org/show_bug.cgi?id=54714

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Export WTF::cryptographicallyRandomNumber()

2011-02-23  Fumitoshi Ukai  <ukai@chromium.org>

        Reviewed by Adam Barth.

        WebSocket uses insecure random numbers
        https://bugs.webkit.org/show_bug.cgi?id=54714

        * JavaScriptCore.exp: Export WTF::cryptographicallyRandomNumber()

2011-02-22  Adam Barth  <abarth@webkit.org>

        Reviewed by Ojan Vafai.

        Add missing files to JavaScriptCore.gypi
        https://bugs.webkit.org/show_bug.cgi?id=55020

        gypi files are supposed to list every file under the sun.  This patch
        adds some missing files and sorts the rest.

        * JavaScriptCore.gypi:

2011-02-22  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r79367.
        http://trac.webkit.org/changeset/79367
        https://bugs.webkit.org/show_bug.cgi?id=55012

        all layout tests are crashing on Snow Leopard (Requested by
        rniwa on #webkit).

        * GNUmakefile.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * runtime/MarkedBlock.h:
        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::destroy):
        (JSC::MarkedSpace::allocateBlock):
        (JSC::MarkedSpace::freeBlock):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::shrink):
        (JSC::MarkedSpace::reset):
        * runtime/MarkedSpace.h:
        (JSC::CollectorHeap::collectorBlock):
        * wtf/CMakeLists.txt:
        * wtf/DoublyLinkedList.h: Removed.

2011-02-22  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Manage MarkedBlocks in a linked list instead of a vector, so arbitrary removal is O(1)
        https://bugs.webkit.org/show_bug.cgi?id=54999
        
        SunSpider reports no change.

        * GNUmakefile.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj: So many build systems, so little time.
        * wtf/CMakeLists.txt:

        * runtime/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        * runtime/MarkedBlock.h:
        (JSC::MarkedBlock::setPrev):
        (JSC::MarkedBlock::setNext):
        (JSC::MarkedBlock::prev):
        (JSC::MarkedBlock::next): Added linked list data members and accessors.

        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::destroy):
        (JSC::MarkedSpace::allocateBlock): Stop using vector, since it doesn't exist anymore.

        (JSC::MarkedSpace::freeBlocks): New helper function for updating relevant
        data structures when freeing blocks.

        (JSC::MarkedSpace::allocate): Updated for nextBlock being a pointer and
        not a vector index.

        (JSC::MarkedSpace::shrink): Construct a temporary list of empties and
        then free them, to avoid modifying our hash table while iterating it.
        This wasn't a concern before because we were using indirect array
        indexing, not direct pointer indexing.

        (JSC::MarkedSpace::reset): Updated for nextBlock being a pointer and
        not a vector index.

        * runtime/MarkedSpace.h:
        (JSC::CollectorHeap::CollectorHeap): Changed data type from vector to linked list.

        * wtf/DoublyLinkedList.h: Added. New linked list class.
        (WTF::::DoublyLinkedList):
        (WTF::::isEmpty):
        (WTF::::head):
        (WTF::::append):
        (WTF::::remove):

2011-02-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-02-22  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 54988 - Re-create StructureTransitionTable class, encapsulate transition table

        The Structure class keeps a table of transitions to derived Structure types. Since
        this table commonly contains a single entry we employ an optimization where instead
        of holding a map, we may hold a pointer directly to a single instance of the mapped
        type. We use an additional bit of data to flag whether the pointer is currently
        pointing to a table of transitions, or a singleton transition. Previously we had
        commonly used a pattern of storing data in the low bits of pointers, but had moved
        away from this since it causes false leaks to be reported by the leaks tool. However
        in this case, the entries in the map are weak links - this pointer will never be
        responsible for keeping an object alive.  As such we can use this approach provided
        that the bit is set when a table is not in use (otherwise the table would appear to
        be leaked).

        Additionally, the transition table currently allows two entries to exist for a given
        key - one specialized to a particular value, and one not specialized. This is
        unnecessary, wasteful, and a little inconsistent. (If you create an entry for a
        specialized value, then a non-specialized entry, both will exist.  If you create an
        entry for a non-specialized value, then try to create a specialized entry, only a
        non-specialized form will be allowed.)

        This shows a small progression on v8.

        * JavaScriptCore.exp:
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::contains):
        (JSC::StructureTransitionTable::get):
        (JSC::StructureTransitionTable::remove):
        (JSC::StructureTransitionTable::add):
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::Structure):
        (JSC::Structure::~Structure):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:
        (JSC::Structure::get):
        * runtime/StructureTransitionTable.h:
        (JSC::StructureTransitionTable::Hash::hash):
        (JSC::StructureTransitionTable::Hash::equal):
        (JSC::StructureTransitionTable::HashTraits::emptyValue):
        (JSC::StructureTransitionTable::HashTraits::constructDeletedValue):
        (JSC::StructureTransitionTable::HashTraits::isDeletedValue):
        (JSC::StructureTransitionTable::StructureTransitionTable):
        (JSC::StructureTransitionTable::~StructureTransitionTable):
        (JSC::StructureTransitionTable::isUsingSingleSlot):
        (JSC::StructureTransitionTable::map):
        (JSC::StructureTransitionTable::setMap):
        (JSC::StructureTransitionTable::singleTransition):
        (JSC::StructureTransitionTable::setSingleTransition):

2011-02-22  Andras Becsi  <abecsi@webkit.org>

        Reviewed by Laszlo Gombos.

        [Qt] Redesign the build system
        https://bugs.webkit.org/show_bug.cgi?id=51339

        Part 2.

        Build WebCore as a static library, compile the WebKit API and WebKit2 API
        in a final step and link to WebKit2, WebCore and JSC libraries to fix
        linking issues resulting from stripped away symbols.

        * JavaScriptCore.pri: Remove the workaround.

2011-02-21  Adam Roben  <aroben@apple.com>

        Fix linker warning on Windows

        r79135 tried to export JSObject::s_info by adding it to JavaScriptCore.def. This is the
        obvious way (since it's how we export functions), but unfortunately it doesn't work correct.
        r79222 made us export it the right way (using the JS_EXPORTDATA macro), but forgot to remove
        it from JavaScriptCore.def. This caused us to get linker warnings about exporting the symbol
        multiple times.

        Rubber-stamped by Anders Carlsson.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed JSObject::s_info.

2011-02-21  Brian Weinstein  <bweinstein@apple.com>

        Reviewed by Adam Roben.

        WebResourceCacheManager should be responsible for managing the CFURLCache as well
        as the WebCore memory cache.
        https://bugs.webkit.org/show_bug.cgi?id=54886
        Part of <rdar://problem/8971738>

        Add a new use flag for using the CFURLCache.

        * wtf/Platform.h:

2011-02-21  Xan Lopez  <xlopez@igalia.com>

        Reviewed by Gavin Barraclough.

        Use ASSERT_JIT_OFFSET in JITPropertyAccess32_64.cpp
        https://bugs.webkit.org/show_bug.cgi?id=54901

        * jit/JIT.h: swap actual and expected values in message, they were
        reversed.
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall): use ASSERT_JIT_OFFSET instead of
        a simple ASSERT.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check): ditto.
        (JSC::JIT::compileGetByIdHotPath): ditto.
        (JSC::JIT::compileGetByIdSlowCase): ditto.
        (JSC::JIT::emit_op_put_by_id): ditto.

2011-02-21  Gavin Barraclough  <barraclough@apple.com>

        Ruber stamped by Sam Weinig

        Bug 54899 - Math.LOG10E should be 0.4342944819032518
        This value is quoted in section 15.8.1.5 of the spec.

        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):

2011-02-21  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 54894 - Make inheritance structure described by ClassInfo match C++ class hierarchy.

        The ClassInfo objects describe an inheritance hierarchy, with each ClassInfo instance
        containing a pointer to its parent class. These links should reflect the inheritance
        hierarchy of C++ classes below JSObject. For the large part it does, but in some cases
        entries in the C++ hierarchy are skipped over. This presently likely doesn't matter,
        since intervening C++ classes may not have ClassInfo - but would be a potential bug
        were ClassInfo were to be added.

        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObjectFunctions.h:
        * runtime/Arguments.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.h:
        * runtime/JSZombie.h:
        * runtime/MathObject.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:

2011-02-21  Adam Roben  <aroben@apple.com>

        Export JSObject::s_info from JavaScriptCore.dll

        This matches what we do for all other ClassInfo objects that WebCore needs access to.

        Fixes <http://webkit.org/b/54881> REGRESSION (r79132): Lots of tests crashing in
        JSCell::inherits on Windows

        Reviewed by Sam Weinig.

        * runtime/JSObject.h: Added JS_EXPORTDATA to s_info.

2011-02-21  Kristian Amlie  <kristian.amlie@nokia.com>

        Reviewed by Andreas Kling.

        Switched to compiler based detection, where the error actually is.

        It is not the platform that needs the workaround, it is the compiler.

        QtWebKit fails to compile on Windows XP with msvc-2008
        https://bugs.webkit.org/show_bug.cgi?id=54746

        * bytecode/CodeBlock.h:
        * runtime/RegExpObject.h:

2011-02-20  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=54839
        Remove PrototypeFunction, NativeFunctionWrapper, and GlobalEvalFunction.

        Historically, Native functions used to be represented by PrototypeFunctions, however
        since introducing call optimizations to the JIT this has used JSFunctions for host
        calls too. At the point this change was made, the interpreter continued to use
        PrototypeFunctions, however since fallback from the JIT to interpreter was introduced
        the interpreter has had to be able to run using host functions represented using
        JSFunctions - leading to an unnecessary and redundant divergence in behaviour between 
        interpreter only builds, and situations where the JIT has fallen back to interpreting.

        NativeFunctionWrapper only existed to select between PrototypeFunction and JSFunction
        for wrappers for host functions, and as such can also be removed.

        GlobalEvalFunction is a redundant wrapper that happens to be derived from
        PrototypeFunction. It existed to hold a reference to the global object - but since all
        functions how derive from JSObjectWithGlobalObject, this no longer requires an
        additional class to provide this functionality.

        * JavaScriptCore.JSVALUE32_64only.exp:
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
            Removed symbols / references to files.

        * runtime/GlobalEvalFunction.cpp: Removed.
        * runtime/GlobalEvalFunction.h: Removed.
        * runtime/NativeFunctionWrapper.h: Removed.
        * runtime/PrototypeFunction.cpp: Removed.
        * runtime/PrototypeFunction.h: Removed.
            Removed.

        * runtime/Executable.cpp:
        (JSC::NativeExecutable::~NativeExecutable):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::JSFunction::nativeFunction):
        * runtime/JSFunction.cpp:
        (JSC::callHostFunctionAsConstructor):
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::getCallData):
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::getCTIStub):
            Added interpreter-friendly constructors for NativeExecutables.

        * bytecompiler/BytecodeGenerator.cpp:
        * interpreter/Interpreter.cpp:
        * jit/JITStubs.cpp:
        * jsc.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/BooleanPrototype.h:
        * runtime/CallData.h:
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/ErrorPrototype.cpp:
        * runtime/ErrorPrototype.h:
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/Lookup.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.cpp:
        * runtime/ObjectPrototype.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        * runtime/SmallStrings.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
            Removed use of redundant classes.

2011-02-19  Laszlo Gombos  <laszlo.1.gombos@nokia.com>

        Unreviewed build fix for Symbian.

        [Symbian] Revert the removal of linking 
        against hal after r79126.

        Dependency on the hal library can not be removed 
        as it is still used (e.g. in MarkStackSymbian.cpp).

        * JavaScriptCore.pri:

2011-02-19  Gavin Barraclough  <barraclough@apple.com>

        Interpreter build fix.

        * runtime/ArrayConstructor.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/Lookup.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/StringConstructor.cpp:

2011-02-19  Gavin Barraclough  <barraclough@apple.com>

        Build fix!!

        * JavaScriptCore.exp:

2011-02-19  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix!!

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-02-19  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix!

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-02-19  Gavin Barraclough  <barraclough@apple.com>

        Build fix!

        * JavaScriptCore.exp:

2011-02-18  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        Bug 54786 - Devirtualize JSCell::classInfo()

        Instead of making a virtual function call, add a pointer to the ClassInfo
        onto Structure.

        This removes a virtual function call, and paves the way towards removing all
        the createStructure methods, and StructureFlags/AnonymousSlotCount properties
        (these should be able to move onto ClassInfo).

        Calls to Structure::create must now pass a pointer to the ClassInfo for the
        structure. All objects now have a ClassInfo pointer, non-object cell types
        still do not.

        Changes are most mechanical, involving three steps:
            * Remove virtual classInfo() methods.
            * Add &s_info parameter to calls to Structure::create.
            * Rename ClassInfo static members on classes from 'info' to 's_info',
              for consistency.

        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSObjectRef.cpp:
        * API/JSValueRef.cpp:
        * API/JSWeakObjectMapRefPrivate.cpp:
        * JavaScriptCore.exp:
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.h:
        * debugger/DebuggerCallFrame.cpp:
        * interpreter/Interpreter.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITStubs.cpp:
        * profiler/Profiler.cpp:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanObject.h:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DateInstance.h:
        * runtime/DatePrototype.cpp:
        * runtime/DatePrototype.h:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/FunctionPrototype.h:
        * runtime/GetterSetter.h:
        * runtime/GlobalEvalFunction.h:
        * runtime/InternalFunction.cpp:
        * runtime/InternalFunction.h:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        * runtime/JSByteArray.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        * runtime/JSObjectWithGlobalObject.h:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.h:
        * runtime/JSString.h:
        * runtime/JSVariableObject.h:
        * runtime/JSWrapperObject.h:
        * runtime/JSZombie.cpp:
        * runtime/JSZombie.h:
        * runtime/Lookup.cpp:
        * runtime/MathObject.cpp:
        * runtime/MathObject.h:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorConstructor.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.cpp:
        * runtime/NumberObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/ScopeChain.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        * runtime/StringPrototype.cpp:
        * runtime/StringPrototype.h:
        * runtime/Structure.cpp:
        * runtime/Structure.h:

2011-02-19  David Kilzer  <ddkilzer@apple.com>

        <http://webkit.org/b/54808> Change jsc target to build directly into JavaScriptCore.framework/Resources/jsc

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig: Added
        JAVASCRIPTCORE_FRAMEWORKS_DIR variable.
        * Configurations/JavaScriptCore.xcconfig: Used
        JAVASCRIPTCORE_FRAMEWORKS_DIR to define INSTALL_PATH.
        * JavaScriptCore.xcodeproj/project.pbxproj: Set the INSTALL_PATH
        for Production configuration of jsc target.
        (Copy Into Framework): Removed old build phase.
        (Fix Framework Reference): Renamed build phase to "Copy Into
        Framework".  Added "set -x" call to make the script print the
        commands it is running.  Added code to exit early for Production
        builds since this was never intended for them.  Added code to
        copy jsc into the JavaScriptCore.framework/Resources directory.

2011-02-19  Siddharth Mathur  <siddharth.mathur@nokia.com>

        Reviewed by Laszlo Gombos.

        [Symbian] OSAllocator implementation for Symbian OS. 
        Manages both data and code region requests. V8 and Sunspider tested
        OK with interpreter. Not tested with JSC JIT yet as it has unrelated
        failures. Also no thread safety yet.
        https://bugs.webkit.org/show_bug.cgi?id=51128

        * JavaScriptCore.pri: removed HAL linkage
        * wtf/Bitmap.h:
        (WTF::::findRunOfZeros): find run of zeros in a bitmap. quick n dirty
        * wtf/OSAllocator.h:
        (WTF::OSAllocator::decommitAndRelease): decommit explicitly 
        * wtf/OSAllocatorSymbian.cpp: Impl. of OSAllocator interface 
        (WTF::allocateCodeChunk): utility for code chunks
        (WTF::deallocateCodeChunk): utility for code chunks
        (WTF::dataAllocatorInstance): getter for data allocator instance
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::releaseDecommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):
        (WTF::OSAllocator::reserveAndCommit):
        (WTF::PageAllocatorSymbian::PageAllocatorSymbian): maps requests 
        to one underlying Symbian chunk
        (WTF::PageAllocatorSymbian::~PageAllocatorSymbian):
        (WTF::PageAllocatorSymbian::reserve):
        (WTF::PageAllocatorSymbian::release):
        (WTF::PageAllocatorSymbian::commit):
        (WTF::PageAllocatorSymbian::decommit):
        (WTF::PageAllocatorSymbian::contains):
        * wtf/PageAllocatorSymbian.h: Added.
        (WTF::SymbianChunk::SymbianChunk): wrapper around RChunk  
        (WTF::SymbianChunk::~SymbianChunk):
        (WTF::SymbianChunk::contains):
        
2011-02-19  Yong Li  <yoli@rim.com>

        Reviewed by Eric Seidel.

        https://bugs.webkit.org/show_bug.cgi?id=54687
        When being built with armcc, "int" bit fields are treated as
        unsigned integers, which will fail the comparisons like "m_offset == -1".
        Using "signed" fixes the problem.

        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:

2011-02-18  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Made MarkedSpace block iteration size-class agnostic
        https://bugs.webkit.org/show_bug.cgi?id=54792
        
        SunSpider reports no change.

        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::clearMarks):
        (JSC::MarkedSpace::sweep):
        (JSC::MarkedSpace::objectCount):
        (JSC::MarkedSpace::size):
        (JSC::MarkedSpace::capacity):
        * runtime/MarkedSpace.h:
        (JSC::MarkedSpace::forEach): Iterate blocks in hashing order instead of
        size class list order. This is a much simpler convention in a world
        of many different size classes.

2011-02-18  Kristian Amlie  <kristian.amlie@nokia.com>

        Reviewed by Andreas Kling.

        Added friend exception to Qt platform, which also compiles Windows.

        QtWebKit fails to compile on Windows XP with msvc-2008
        https://bugs.webkit.org/show_bug.cgi?id=54746

        * bytecode/CodeBlock.h:
        * runtime/RegExpObject.h:

2011-02-18  Geoffrey Garen  <ggaren@apple.com>

        (Rolled back in r79022 with crash fixed.)

        Reviewed by Sam Weinig.

        Use hashing instead of linear search in the conservative pointer test
        https://bugs.webkit.org/show_bug.cgi?id=54767
        
        SunSpider reports no change.

        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::destroy): No need to explicitly clear the blocks array,
        since freeBlock removes items for us.

        (JSC::MarkedSpace::freeBlock): Fixed a typo that always removed the last
        block from the block set instead of the block being freed. Changed to
        remove a block from our data structures before deallocating it, since
        this is slightly cleaner.

        * runtime/MarkedSpace.h:
        (JSC::MarkedSpace::contains): Variable-sized objects will use more,
        smaller blocks, so it's important for the contains check not to be O(n)
        in the number of blocks.

2011-02-18  chris reiss  <christopher.reiss@nokia.com>

        Reviewed by Andreas Kling.

        REGRESSION: Date.parse("Tue Nov 23 20:40:05 2010 GMT") returns NaN
        https://bugs.webkit.org/show_bug.cgi?id=49989

        updated test fast/js/script-tests/date-parse-test.js

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters):

2011-02-18  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r79022.
        http://trac.webkit.org/changeset/79022
        https://bugs.webkit.org/show_bug.cgi?id=54775

        It broke the whole world (Requested by Ossy on #webkit).

        * runtime/MarkedSpace.h:
        (JSC::MarkedSpace::contains):

2011-02-18  Yael Aharon  <yael.aharon@nokia.com>

        Reviewed by Dave Hyatt.

        Add support for dir=auto
        https://bugs.webkit.org/show_bug.cgi?id=50916

        Change defaultWritingDirection() to return if the writing direction
        was determined from a letter with strong directionality or not.

        * JavaScriptCore.exp:
        * JavaScriptCore.order:
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::defaultWritingDirection):
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.h:
        (WTF::String::defaultWritingDirection):

2011-02-18  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Use hashing instead of linear search in the conservative pointer test
        https://bugs.webkit.org/show_bug.cgi?id=54767
        
        SunSpider reports no change.

        * runtime/MarkedSpace.h:
        (JSC::MarkedSpace::contains): Variable-sized objects will use more,
        smaller blocks, so it's important for the contains check not to be O(n)
        in the number of blocks.

2011-02-18  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Tightened some usage accounting code in MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=54761
        
        SunSpider reports no change.

        * runtime/Heap.cpp:
        (JSC::Heap::Heap): Initialize the marked space high water mark on
        construction, instead of relying on some implicit subtleties to make
        not initializing it work out OK.

        * runtime/Heap.h: Fixed up includes.

        * runtime/MarkedBlock.h: Made firstAtom() static so clients can call it
        even without having allocated a block.

        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace): Don't pre-allocate a block, since this
        would be prohibitively expensive with multiple size classes.

        (JSC::MarkedSpace::allocateBlock):
        (JSC::MarkedSpace::freeBlock): Track allocated blocks in a hash set,
        since linear search in the contains check will be prohibitively
        expensive once we're using lots of smaller blocks.

        (JSC::MarkedSpace::allocate): Don't assume that we always have a block
        allocated, since we don't anymore. (See above.)

        (JSC::MarkedSpace::reset):
        * runtime/MarkedSpace.h: Updated for changes mentioned above.

2011-02-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Made object allocation secretly variable-sized (Shhhh!)
        https://bugs.webkit.org/show_bug.cgi?id=54721
        
        SunSpider reports no change.
        
        Internally, MarkedBlock now makes variable-sized allocations, even
        though MarkedSpace doesn't take advantage of this yet.

        * runtime/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock): No need to ASSERT that allocations are
        fixed-sized.

        * runtime/MarkedBlock.h: Shrunk the atom size so we can allocate things
        that are not multiples of 64 bytes.

2011-02-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Fixed some math errors when when using variable-sized cells
        https://bugs.webkit.org/show_bug.cgi?id=54717
        
        SunSpider reports no change.
        
        Computer Science Barbie says, "Math is not so hard afterall!"

        * runtime/JSCell.h:
        (JSC::JSCell::MarkedBlock::allocate): Round up when calculating the
        minimum number of atoms required for a cell, since rounding down
        will get you splinched.

        * runtime/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::sweep):
        * runtime/MarkedBlock.h:
        (JSC::MarkedBlock::forEach): Changed a bunch of != tests to < tests
        because m_endAtom is actually a fuzzy end -- iterating from firstAtom()
        may not hit m_endAtom exactly.

2011-02-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        A little more abstraction for MarkedSpace::contains
        https://bugs.webkit.org/show_bug.cgi?id=54715

        * runtime/MarkedBlock.h:
        (JSC::MarkedBlock::contains): Added a contains function, so MarkedSpace
        doesn't have to know how MarkedBlock tracks containment internally.

        * runtime/MarkedSpace.h:
        (JSC::MarkedSpace::contains): Call through to MarkedBlock to figure out
        if a cell that seems to be in a block is valid.

2011-02-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Removed the invariant that the last cell in a block is always marked
        https://bugs.webkit.org/show_bug.cgi?id=54713
        
        SunSpider reports no change.
        
        This adds one branch to allocation, but simplifies the mark invariant,
        especially in a world of variable-sized cells. Now, it really is true
        that any cell whose mark bit is set is a valid, live cell whose
        constructor has run and whose destructor has not run.

        * runtime/JSCell.h: 
        (JSC::JSCell::MarkedBlock::allocate): Changed this do-while into a while
        since we can no longer rely on a set mark bit to break out of this loop
        before it reaches the end of the block.

        * runtime/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::sweep): 
        * runtime/MarkedBlock.h:
        (JSC::MarkedBlock::isEmpty):
        (JSC::MarkedBlock::clearMarks):
        (JSC::MarkedBlock::markCount):
        (JSC::MarkedBlock::forEach): No need to set a special last mark bit.

2011-02-17  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r78856 and r78907.
        http://trac.webkit.org/changeset/78856
        http://trac.webkit.org/changeset/78907
        https://bugs.webkit.org/show_bug.cgi?id=54705

        These seem to break tests on 32-bit builds. (Requested by
        aroben on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * collector/handles/Global.h:
        (JSC::Global::internalSet):
        * collector/handles/Handle.h:
        (JSC::HandleTypes::getFromSlot):
        (JSC::HandleTypes::toJSValue):
        (JSC::HandleTypes::validateUpcast):
        (JSC::HandleConverter::operator->):
        (JSC::HandleConverter::operator*):
        (JSC::Handle::Handle):
        (JSC::Handle::get):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortNumeric):
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        * runtime/SlotAccessor.h: Removed.
        * runtime/WeakGCPtr.h:
        (JSC::WeakGCPtr::get):
        (JSC::WeakGCPtr::internalSet):
        * runtime/WriteBarrier.h:
        (JSC::DeprecatedPtr::DeprecatedPtr):
        (JSC::DeprecatedPtr::get):
        (JSC::DeprecatedPtr::operator*):
        (JSC::DeprecatedPtr::operator->):
        (JSC::DeprecatedPtr::slot):
        (JSC::DeprecatedPtr::operator UnspecifiedBoolType*):
        (JSC::DeprecatedPtr::operator!):
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::get):
        (JSC::WriteBarrierBase::operator*):
        (JSC::WriteBarrierBase::operator->):
        (JSC::WriteBarrierBase::clear):
        (JSC::WriteBarrierBase::slot):
        (JSC::WriteBarrierBase::operator UnspecifiedBoolType*):
        (JSC::WriteBarrierBase::operator!):
        (JSC::WriteBarrierBase::setWithoutWriteBarrier):
        (JSC::WriteBarrier::WriteBarrier):

2011-02-17  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed.

        [Qt] Buildfix.

        * wtf/RetainPtr.h: Add missing PLATFORM(CF) guard.

2011-02-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Made MarkedBlock variable-sized
        https://bugs.webkit.org/show_bug.cgi?id=54692
        
        SunSpider reports no change.
        
        Each MarkedBlock is now composed of a set of fixed-sized atoms, with one
        mark bit per atom. A given cell may be composed of one or more atoms.
        
        * runtime/Heap.cpp:
        (JSC::Heap::allocate): Made fixed-sizedness a property of MarkedSpace,
        bubbling it up from MarkedBlock, since MarkedBlock now supports variable-
        sizedness.

        * runtime/JSCell.h:
        (JSC::JSCell::MarkedBlock::allocate): Removed use of CELLS_PER_BLOCK and
        (implicit) one constants -- these quantities are not constant anymore.
        Updated for switch from cell to atom.

        * runtime/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::destroy):
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::sweep):
        * runtime/MarkedBlock.h:
        (JSC::MarkedBlock::firstAtom):
        (JSC::MarkedBlock::atoms):
        (JSC::MarkedBlock::isAtomAligned):
        (JSC::MarkedBlock::blockFor):
        (JSC::MarkedBlock::isEmpty):
        (JSC::MarkedBlock::clearMarks):
        (JSC::MarkedBlock::size):
        (JSC::MarkedBlock::capacity):
        (JSC::MarkedBlock::atomNumber):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::testAndSetMarked):
        (JSC::MarkedBlock::setMarked):
        (JSC::MarkedBlock::forEach): Same as above. Also removed use of CELL_SIZE
        and BLOCK_SIZE, and switched away from calling arbitrary pointers cells.

        * runtime/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::allocateBlock):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::reset):
        * runtime/MarkedSpace.h:
        (JSC::CollectorHeap::CollectorHeap):
        (JSC::MarkedSpace::contains): Updated for renames. Made fixed-sizedness
        a property of MarkedSpace.

2011-02-17  Oliver Hunt  <oliver@apple.com>

        Attempt to fix windows build

        * runtime/WriteBarrier.h:

2011-02-17  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Refactor WriteBarrier and DeprecatedPtr to have less code duplication.
        https://bugs.webkit.org/show_bug.cgi?id=54608

        Make use of the tricks used for Handle, et al to avoid duplicating all
        of the logic for DeprecatedPtr and WriteBarrier simply to support known
        vs. unknown types.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * collector/handles/Global.h:
        (JSC::Global::internalSet):
        * collector/handles/Handle.h:
        (JSC::Handle::Handle):
        (JSC::Handle::get):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortNumeric):
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        * runtime/SlotAccessor.h: Added.
        (JSC::SlotTypes::getFromBaseType):
        (JSC::SlotTypes::convertToBaseType):
        (JSC::SlotTypes::getFromSlot):
        (JSC::SlotTypes::toJSValue):
        (JSC::SlotTypes::validateUpcast):
        (JSC::SlotAccessor::operator->):
        (JSC::SlotAccessor::operator*):
        * runtime/WeakGCPtr.h:
        (JSC::WeakGCPtr::get):
        (JSC::WeakGCPtr::internalSet):
        * runtime/WriteBarrier.h:
        (JSC::DeprecatedPtr::DeprecatedPtr):
        (JSC::DeprecatedPtr::get):
        (JSC::DeprecatedPtr::slot):
        (JSC::DeprecatedPtr::operator=):
        (JSC::WriteBarrierTranslator::convertToStorage):
        (JSC::WriteBarrierTranslator::convertFromStorage):
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::get):
        (JSC::WriteBarrierBase::clear):
        (JSC::WriteBarrierBase::slot):
        (JSC::WriteBarrierBase::operator UnspecifiedBoolType*):
        (JSC::WriteBarrierBase::operator!):
        (JSC::WriteBarrierBase::setWithoutWriteBarrier):
        (JSC::WriteBarrier::WriteBarrier):

2011-02-17  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Revert incorrect blind fix and restore previous working code.

        * wtf/wx/StringWx.cpp:
        (WTF::String::String):

2011-02-16  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Maciej Stachowiak.

        Intermittent crashes beneath MarkStack::drain
        https://bugs.webkit.org/show_bug.cgi?id=54614
        <rdar://problem/8971070>
        
        The crashes were caused by a GC happening after the global object's
        property table had grown (due to compilation), but before the properties
        had been fully initialized by program execution.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator): Explicitly resize the global
        object's register storage immediately, without waiting for program
        execution to do it for us. This ensures that the global object's count
        of global variables is consistent with the size of its global variable
        storage at all times, and it ensures that all global variables are
        properly initialized from the get-go.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resizeRegisters):
        * runtime/JSGlobalObject.h: Added a helper function for growing the
        global object's register storage, and initializing new registers.

== Rolled over to ChangeLog-2011-02-16 ==