JavaScriptCore-7601.1.46.3.tar.gz

[apple/javascriptcore.git] / ChangeLog-2014-02-20

2014-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        CopiedBlock::pin can call into fastFree while forbidden
        https://bugs.webkit.org/show_bug.cgi?id=128654

        Reviewed by Oliver Hunt.

        A FullCollection that skips copying doesn't clear the CopyWorkList of the all the surviving 
        CopiedBlocks because we currently only call didSurviveGC() at the beginning of FullCollections.

        EdenCollections always do copying, therefore they always clear all CopyWorkLists.

        The fix is to call didSurviveGC() for all surviving CopiedBlocks at the end of FullCollections 
        as well at the beginning.

        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::didSurviveGC):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::doneCopying):

2014-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add a JSC option to disable EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=128849

        Reviewed by Mark Lam.

        This will help quickly identify whether or not GenGC is responsible for a 
        particular crash by prematurely collecting a live object.

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        * runtime/Options.h:

2014-02-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r164417): ASSERTION FAILED: isBranch() in X86 32 bit build
        https://bugs.webkit.org/show_bug.cgi?id=129118

        Reviewed by Filip Pizlo.

        Changed 32 bit version of SpeculativeJIT::compile handling of Jump nodes to match
        what is in the 64 bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-02-20  Zan Dobersek  <zdobersek@igalia.com>

        [Automake] Collect the JavaScript files required for JSC builtins through a wildcard
        https://bugs.webkit.org/show_bug.cgi?id=129115

        Reviewed by Oliver Hunt.

        * GNUmakefile.list.am: Simplify adding new JavaScriptCore builtins by using a wildcard
        to gather all the JavaScript files instead of listing each file explicitly.

2014-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Replace uses of deprecated POSIX index() with strchr() in ObjcRuntimeExtras.h
        https://bugs.webkit.org/show_bug.cgi?id=128610

        Reviewed by Anders Carlsson.

        index() is deprecated in favor of strchr() so we should use the latter.

        * API/JSWrapperMap.mm:
        (selectorToPropertyName):
        * API/ObjcRuntimeExtras.h:
        (parseObjCType):

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        FTL should not emit stack overflow checks in leaf functions
        https://bugs.webkit.org/show_bug.cgi?id=129085

        Reviewed by Michael Saboff.
        
        Miniscule (0.5%) speed-up on V8v7.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::didOverflowStack):

2014-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Dynamically generated JSExport protocols added to a class results in a crash
        https://bugs.webkit.org/show_bug.cgi?id=129108

        Reviewed by Oliver Hunt.

        We're not getting any information from the runtime about the types of the methods on 
        these protocols because they didn't exist at compile time. We should handle this gracefully.

        * API/ObjCCallbackFunction.mm:
        (objCCallbackFunctionForInvocation):
        * API/tests/JSExportTests.mm:
        (+[JSExportTests exportDynamicallyGeneratedProtocolTest]):
        (runJSExportTests):

2014-02-20  Gabor Rapcsanyi  <rgabor@webkit.org>

        ASSERTION FAILED: isUInt16() on ARMv7 after r113253.
        https://bugs.webkit.org/show_bug.cgi?id=129101

        Reviewed by Michael Saboff.

        If the immediate value type is encoded then we shouldn't reach this assert.
        Check the immediate type to avoid assertion in alignemnt check.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::add):

2014-02-20  Csaba Osztrogonác  <ossy@webkit.org>

        Get rid of redundant Platform.h includes
        https://bugs.webkit.org/show_bug.cgi?id=128817

        Reviewed by Brent Fulgham.

        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * API/tests/minidom.c:
        * API/tests/testapi.c:
        * assembler/MacroAssembler.h:
        * bytecode/ByValInfo.h:
        * bytecode/CallLinkInfo.h:
        * bytecode/CallReturnOffsetToBytecodeOffset.h:
        * bytecode/CodeType.h:
        * bytecode/HandlerInfo.h:
        * bytecode/MethodOfGettingAValueProfile.h:
        * bytecode/PolymorphicAccessStructureList.h:
        * bytecode/PolymorphicPutByIdList.h:
        * bytecode/StructureStubClearingWatchpoint.h:
        * bytecode/StructureStubInfo.h:
        * bytecode/ValueRecovery.h:
        * bytecode/VirtualRegister.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGAllocator.h:
        * dfg/DFGAnalysis.h:
        * dfg/DFGArgumentsSimplificationPhase.h:
        * dfg/DFGArrayMode.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGBackwardsPropagationPhase.h:
        * dfg/DFGBinarySwitch.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGBranchDirection.h:
        * dfg/DFGCFAPhase.h:
        * dfg/DFGCFGSimplificationPhase.h:
        * dfg/DFGCPSRethreadingPhase.h:
        * dfg/DFGCSEPhase.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberSet.h:
        * dfg/DFGClobberize.h:
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.h:
        * dfg/DFGCriticalEdgeBreakingPhase.h:
        * dfg/DFGDCEPhase.h:
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDisassembler.h:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.h:
        * dfg/DFGEdge.h:
        * dfg/DFGEdgeDominates.h:
        * dfg/DFGEdgeUsesStructure.h:
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFiltrationResult.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGFixupPhase.h:
        * dfg/DFGFlushFormat.h:
        * dfg/DFGFlushLivenessAnalysisPhase.h:
        * dfg/DFGFlushedAt.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGInsertionSet.h:
        * dfg/DFGInvalidationPointInjectionPhase.h:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLICMPhase.h:
        * dfg/DFGLazyJSValue.h:
        * dfg/DFGLivenessAnalysisPhase.h:
        * dfg/DFGLongLivedState.h:
        * dfg/DFGLoopPreHeaderCreationPhase.h:
        * dfg/DFGMinifiedGraph.h:
        * dfg/DFGMinifiedID.h:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeAllocator.h:
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGOSREntrypointCreationPhase.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGOSRExitJumpPlaceholder.h:
        * dfg/DFGPhase.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.h:
        * dfg/DFGPredictionPropagationPhase.h:
        * dfg/DFGResurrectionForValidationPhase.h:
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGSafeToExecute.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGStackLayoutPhase.h:
        * dfg/DFGStructureAbstractValue.h:
        * dfg/DFGThunks.h:
        * dfg/DFGTierUpCheckInjectionPhase.h:
        * dfg/DFGToFTLDeferredCompilationCallback.h:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
        * dfg/DFGTypeCheckHoistingPhase.h:
        * dfg/DFGUnificationPhase.h:
        * dfg/DFGUseKind.h:
        * dfg/DFGValidate.h:
        * dfg/DFGValueRecoveryOverride.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableAccessDataDump.h:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGVirtualRegisterAllocationPhase.h:
        * dfg/DFGWatchpointCollectionPhase.h:
        * dfg/DFGWorklist.h:
        * disassembler/Disassembler.h:
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h:
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.h:
        * ftl/FTLCommonValues.h:
        * ftl/FTLCompile.h:
        * ftl/FTLExitArgument.h:
        * ftl/FTLExitArgumentForOperand.h:
        * ftl/FTLExitArgumentList.h:
        * ftl/FTLExitThunkGenerator.h:
        * ftl/FTLExitValue.h:
        * ftl/FTLFail.h:
        * ftl/FTLForOSREntryJITCode.h:
        * ftl/FTLFormattedValue.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJITCode.h:
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.h:
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToLLVM.h:
        * ftl/FTLLoweredNodeValue.h:
        * ftl/FTLOSREntry.h:
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompilationInfo.h:
        * ftl/FTLOSRExitCompiler.h:
        * ftl/FTLOutput.h:
        * ftl/FTLSaveRestore.h:
        * ftl/FTLStackMaps.h:
        * ftl/FTLState.h:
        * ftl/FTLSwitchCase.h:
        * ftl/FTLThunks.h:
        * ftl/FTLTypedPointer.h:
        * ftl/FTLValueFormat.h:
        * ftl/FTLValueFromBlock.h:
        * heap/JITStubRoutineSet.h:
        * interpreter/AbstractPC.h:
        * jit/AssemblyHelpers.h:
        * jit/CCallHelpers.h:
        * jit/ClosureCallStubRoutine.h:
        * jit/GCAwareJITStubRoutine.h:
        * jit/HostCallReturnValue.h:
        * jit/JITDisassembler.h:
        * jit/JITStubRoutine.h:
        * jit/JITThunks.h:
        * jit/JITToDFGDeferredCompilationCallback.h:
        * jit/RegisterSet.h:
        * jit/Repatch.h:
        * jit/ScratchRegisterAllocator.h:
        * jit/TempRegisterSet.h:
        * jit/ThunkGenerator.h:
        * llint/LLIntData.h:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.h:
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMPOSIX.h:
        * llvm/LLVMAPI.h:
        * os-win32/inttypes.h:
        * runtime/ArrayStorage.h:
        * runtime/Butterfly.h:
        * runtime/CommonSlowPaths.h:
        * runtime/CommonSlowPathsExceptions.h:
        * runtime/IndexingHeader.h:
        * runtime/JSExportMacros.h:
        * runtime/PropertyOffset.h:
        * runtime/SparseArrayValueMap.h:

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        DFG should have a way of carrying and preserving conditional branch weights
        https://bugs.webkit.org/show_bug.cgi?id=129083

        Reviewed by Michael Saboff.
        
        Branch and Switch now have branch counts/weights for each target. This is encapsulated
        behind DFG::BranchTarget. We carry this data all the way to the FTL, and the DFG
        backend ignores it.
        
        We don't set this data yet; that's for https://bugs.webkit.org/show_bug.cgi?id=129055.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGNode.cpp:
        (JSC::DFG::BranchTarget::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::BranchTarget::BranchTarget):
        (JSC::DFG::BranchTarget::setBytecodeIndex):
        (JSC::DFG::BranchTarget::bytecodeIndex):
        (JSC::DFG::BranchData::withBytecodeIndices):
        (JSC::DFG::BranchData::takenBytecodeIndex):
        (JSC::DFG::BranchData::notTakenBytecodeIndex):
        (JSC::DFG::BranchData::forCondition):
        (JSC::DFG::SwitchCase::SwitchCase):
        (JSC::DFG::SwitchCase::withBytecodeIndex):
        (JSC::DFG::SwitchData::SwitchData):
        (JSC::DFG::Node::targetBytecodeOffsetDuringParsing):
        (JSC::DFG::Node::targetBlock):
        (JSC::DFG::Node::branchData):
        (JSC::DFG::Node::successor):
        (JSC::DFG::Node::successorForCondition):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileJump):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):

2014-02-19  ChangSeok Oh  <changseok.oh@collabora.com>

        Unreviewed build fix after r164396

        * GNUmakefile.list.am: Added Promises.prototype.js properly

2014-02-19  Geoffrey Garen  <ggaren@apple.com>

        Crash after -[JSContext evaluateScript:] when initializing JSContext with JSVirtualMachine
        https://bugs.webkit.org/show_bug.cgi?id=129070

        Reviewed by Mark Hahnenberg.

        Clear our exception explicitly before throwing away the VM because our
        exception references VM memory.

        * API/JSContext.mm:
        (-[JSContext dealloc]):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):

2014-02-19  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix after r164391

        * runtime/Arguments.h: Make SlowArgumentData public so template libraries can
        access its methods.

2014-02-19  Mark Lam  <mark.lam@apple.com>

        Need to align sp before calling operationLoadVarargs on 32-bit platforms.
        <https://webkit.org/b/129056>

        Reviewed by Michael Saboff.

        In JIT::compileLoadVarargs(), we'll call operationSizeFrameForVarargs()
        to compute the amount of stack space we need for the varargs, adjust the
        stack pointer to make room for those varargs, and then call
        operationLoadVarargs() to fill in the varargs. Currently, the stack
        pointer adjustment takes care of allocating space for the varargs, but
        does not align the stack pointer for the call to operationLoadVarargs().
        The fix is to align the stack pointer there.

        Note: The stack pointer adjustment is based on the new CallFrame pointer
        value returned by operationSizeFrameForVarargs(). On 64-bit platforms,
        both the stack pointer and call frame pointer are similarly aligned
        (i.e. low nibbles are 0). Hence, no additional adjustment is needed.
        Only the 32-bit code needs the fix.

        Note: The LLINT also works this way i.e. aligns the stack pointer before
        calling llint_slow_path_call_varargs().

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-19  Sam Weinig  <sam@webkit.org>

        [JS] Convert Promise.prototype.catch to be a built-in
        https://bugs.webkit.org/show_bug.cgi?id=129052

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Promise.prototype.js: Added.
        (catch): Add JS based implementation of Promise.prototype.catch.

        * runtime/JSPromisePrototype.cpp:
        Remove the C++ implementation of Promise.prototype.catch.

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        FTL should allow LLVM to allocate data sections with alignment > 8
        https://bugs.webkit.org/show_bug.cgi?id=129066

        Reviewed by Geoffrey Garen.
        
        We were previously using the native allocator's alignment guarantees (which we presumed
        to be 8 bytes), and further hinting our desires by using the LSectionWord type (which
        was 8 bytes). This breaks now that LLVM will sometimes ask for 16 byte alignment on
        some sections.
        
        This changes our data section allocation strategy to use the new FTL::DataSection,
        which can handle arbitrary 2^k alignment.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        (JSC::FTL::dumpDataSection):
        (JSC::FTL::compile):
        * ftl/FTLDataSection.cpp: Added.
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h: Added.
        (JSC::FTL::DataSection::base):
        (JSC::FTL::DataSection::size):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::addDataSection):
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::dataSections):
        * ftl/FTLState.h:

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix comment.

        * ftl/FTLWeight.h:
        (JSC::FTL::Weight::scaleToTotal):

2014-02-19  Anders Carlsson  <andersca@apple.com>

        Add WTF_MAKE_FAST_ALLOCATED to more classes
        https://bugs.webkit.org/show_bug.cgi?id=129064

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT.h:
        * heap/CopyWorkList.h:
        * heap/Region.h:
        * runtime/Arguments.h:
        * runtime/SymbolTable.h:
        * runtime/WriteBarrier.h:

2014-02-19  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix after r164374

        * llint/LLIntOfflineAsmConfig.h: Added #define OFFLINE_ASM_X86_WIN 0 
        for ENABLE(LLINT_C_LOOP).

2014-02-19  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to convey branch weights to LLVM
        https://bugs.webkit.org/show_bug.cgi?id=129054

        Reviewed by Michael Saboff.
        
        This introduces a really nice way to convey branch weights to LLVM. The basic class
        is Weight, which just wraps a float; NaN is used when you are not sure. You can
        pass this alongside a LBasicBlock to branching instructions like condbr and switch.
        But for simplicity, you can just pass a WeightedTarget, which is a tuple of the
        two. And for even greater simplicity, you can create WeightedTargets from
        LBasicBlocks by doing:
        
            usually(b)   => WeightedTarget(b, Weight(1))
            rarely(b)    => WeightedTarget(b, Weight(0))
            unsure(b)    => WeightedTarget(b, Weight()) or WeightedTarget(b, Weight(NaN))
        
        This allows for constructs like:
        
            m_out.branch(isCell(value), usually(isCellCase), rarely(slowCase));
        
        This was intended to be perf-neutral for now, but it did end up creating a ~1%
        speed-up on V8v7 and Octane2.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::mdNode):
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        * ftl/FTLCommonValues.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::compileToThis):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::initialize):
        (JSC::FTL::Output::appendTo):
        (JSC::FTL::Output::newBlock):
        (JSC::FTL::Output::sensibleDoubleToInt):
        (JSC::FTL::Output::load):
        (JSC::FTL::Output::store):
        (JSC::FTL::Output::baseIndex):
        (JSC::FTL::Output::branch):
        (JSC::FTL::Output::crashNonTerminal):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::branch):
        (JSC::FTL::Output::switchInstruction):
        * ftl/FTLSwitchCase.h:
        (JSC::FTL::SwitchCase::SwitchCase):
        (JSC::FTL::SwitchCase::weight):
        * ftl/FTLWeight.h: Added.
        (JSC::FTL::Weight::Weight):
        (JSC::FTL::Weight::isSet):
        (JSC::FTL::Weight::operator!):
        (JSC::FTL::Weight::value):
        (JSC::FTL::Weight::scaleToTotal):
        * ftl/FTLWeightedTarget.h: Added.
        (JSC::FTL::WeightedTarget::WeightedTarget):
        (JSC::FTL::WeightedTarget::target):
        (JSC::FTL::WeightedTarget::weight):
        (JSC::FTL::usually):
        (JSC::FTL::rarely):
        (JSC::FTL::unsure):

2014-02-19  peavo@outlook.com  <peavo@outlook.com>

        [Win][LLINT] Incorrect stack alignment.
        https://bugs.webkit.org/show_bug.cgi?id=129045

        Reviewed by Michael Saboff.

        LLINT expects the stack to be 16 byte aligned, but with MSVC it is not.
        To align the stack, a new backend, X86_WIN, is created.

        * llint/LLIntOfflineAsmConfig.h: Use X86_WIN backend on Windows.
        * llint/LowLevelInterpreter.asm: Align stack to 16 byte boundaries. Otherwise, use same implementation for X86_WIN as for X86.
        * llint/LowLevelInterpreter32_64.asm: Adjust stack offset to retrieve function parameters now that the stack is aligned.
        * offlineasm/backends.rb: Added X86_WIN backend.
        * offlineasm/x86.rb: Fix crash caused by incorrect assembly code for double types.

2014-02-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        ASSERTION FAILED: (year >= 1970 && yearday >= 0) || (year < 1970 && yearday < 0) in WTF::dateToDaysFrom1970
        https://bugs.webkit.org/show_bug.cgi?id=128740

        Very large numbers could cause an overflow which resulted in the assertion failing in WTF::dateToDaysFrom1970
        DateConstructor will now check if the number fits into an Int32 before casting

        Reviewed by Geoffrey Garen.

        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::dateUTC):

2014-02-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Dedicated worker crash caused by global DFG worklists + GC
        https://bugs.webkit.org/show_bug.cgi?id=128537

        Reviewed by Filip Pizlo.

        The process-global DFG worklists were causing objects to participate in the garbage collections of VMs 
        other than the one they were allocated in. This started manifesting in the worker tests because they're 
        one of the few WebKit tests that do multithreaded JS.

        The fix is to filter out Plans from other VMs during collection.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::vm):
        * dfg/DFGSafepoint.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::suspendAllThreads):
        (JSC::DFG::Worklist::resumeAllThreads):
        (JSC::DFG::Worklist::visitChildren):
        * dfg/DFGWorklist.h:
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):

2014-02-19  Brady Eidson  <beidson@apple.com>

        Add FeatureDefines for image controls
        https://bugs.webkit.org/show_bug.cgi?id=129022

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2014-02-19  Dan Bernstein  <mitz@apple.com>

        Simplify PLATFORM(MAC) && !PLATFORM(IOS) and similar expressions
        https://bugs.webkit.org/show_bug.cgi?id=129029

        Reviewed by Mark Rowe.

        * API/JSValueRef.cpp:
        (JSValueUnprotect):
        * jit/ExecutableAllocatorFixedVMPool.cpp:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        Correctly install libllvmForJSC.dylib in production builds
        https://bugs.webkit.org/show_bug.cgi?id=129023

        Reviewed by Mark Rowe.
        
        In non-production builds, we copy it as before. In production builds, we use the install
        path.
        
        Also roll http://trac.webkit.org/changeset/164348 back in.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164348 because it broke some
        builds.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        Don't call LLVMInitializeNativeTarget() because it can be all messed up if you cross-compile LLVM
        https://bugs.webkit.org/show_bug.cgi?id=129020

        Reviewed by Dan Bernstein.
        
        LLVMInitializeNativeTarget() is this super special inline function in llvm-c/Target.h that
        depends on some #define's that come from some really weird magic in autoconf/configure.ac.
        That magic fails miserably for cross-compiles. So, we need to manually initialize the things
        that InitializeNativeTarget initializes.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        The shell scripts in the Xcode build system should tell you when they failed
        https://bugs.webkit.org/show_bug.cgi?id=129018

        Reviewed by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-17  Gavin Barraclough  <barraclough@apple.com>

        Add fast mapping from StringImpl to JSString
        https://bugs.webkit.org/show_bug.cgi?id=128625

        Reviewed by Geoff Garen & Andreas Kling.

        * runtime/JSString.cpp:
        (JSC::JSString::WeakOwner::finalize):
            - once the JSString weakly owned by a StringImpl becomed unreachable remove the WeakImpl.
        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):
            - create a JSString wrapping a StringImpl, and weakly caches the JSString on the StringImpl.
        * runtime/VM.cpp:
        (JSC::VM::VM):
            - initialize jsStringWeakOwner.
        (JSC::VM::createLeakedForMainThread):
            - initialize jsStringWeakOwner - the main thread gets to use the weak pointer
              on StringImpl to cache a JSString wrapper.
        * runtime/VM.h:
            - renamed createLeaked -> createLeakedForMainThread to make it clear this
              should only be used to cretae the main thread VM.

2014-02-18  Oliver Hunt  <oliver@apple.com>

        Prevent builtin js named with C++ reserved words from breaking the build
        https://bugs.webkit.org/show_bug.cgi?id=129017

        Reviewed by Sam Weinig.

        Simple change to a couple of macros to make sure we don't create functions
        named using reserved words.

        * builtins/BuiltinExecutables.cpp:
        * builtins/BuiltinNames.h:

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        FTL should build on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129010

        Reviewed by Sam Weinig.
        
        * disassembler/X86Disassembler.cpp: Just because we have the LLVM disassembler doesn't mean we're on X86.
        * ftl/FTLLocation.cpp: DWARF parsing for ARM64 is super easy.
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        (JSC::FTL::Location::restoreInto): This function wasn't even X86-specific to begin with so move it out of the #if stuff.
        * ftl/FTLUnwindInfo.cpp: They're called q not d.
        (JSC::FTL::UnwindInfo::parse):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toArgumentRegister): Add this method; we alraedy had it on X86.

2014-02-18  Filip Pizlo  <fpizlo@apple.com>

        FTL unwind parsing should handle ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128984

        Reviewed by Oliver Hunt.
        
        This makes unwind parsing handle ARM64 and it makes all clients of unwind info capable of
        dealing with that architecture.
        
        The big difference is that ARM64 has callee-save double registers. This is conceptually easy
        to handle, but out code for dealing with callee-saves spoke of "GPRReg". We've been in this
        situation before: code that needs to deal with either a GPRReg or a FPRReg. In the past we'd
        hacked around the problem, but this time I decided to do a full frontal assault. This patch
        adds a Reg class, which is a box for either GPRReg or FPRReg along with tools for iterating
        over all possible registers. Then, I threaded this through SaveRestore, RegisterSet,
        RegisterAtOffset, and UnwindInfo. With the help of Reg, it was easy to refactor the code to
        handle FPRs in addition to GPRs.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLRegisterAtOffset.cpp:
        (JSC::FTL::RegisterAtOffset::dump):
        * ftl/FTLRegisterAtOffset.h:
        (JSC::FTL::RegisterAtOffset::RegisterAtOffset):
        (JSC::FTL::RegisterAtOffset::operator!):
        (JSC::FTL::RegisterAtOffset::reg):
        (JSC::FTL::RegisterAtOffset::operator==):
        (JSC::FTL::RegisterAtOffset::operator<):
        (JSC::FTL::RegisterAtOffset::getReg):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::offsetOfReg):
        * ftl/FTLSaveRestore.h:
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::UnwindInfo::parse):
        (JSC::FTL::UnwindInfo::find):
        (JSC::FTL::UnwindInfo::indexOf):
        * ftl/FTLUnwindInfo.h:
        * jit/Reg.cpp: Added.
        (JSC::Reg::dump):
        * jit/Reg.h: Added.
        (JSC::Reg::Reg):
        (JSC::Reg::fromIndex):
        (JSC::Reg::first):
        (JSC::Reg::last):
        (JSC::Reg::next):
        (JSC::Reg::index):
        (JSC::Reg::isSet):
        (JSC::Reg::operator!):
        (JSC::Reg::isGPR):
        (JSC::Reg::isFPR):
        (JSC::Reg::gpr):
        (JSC::Reg::fpr):
        (JSC::Reg::operator==):
        (JSC::Reg::operator!=):
        (JSC::Reg::operator<):
        (JSC::Reg::operator>):
        (JSC::Reg::operator<=):
        (JSC::Reg::operator>=):
        (JSC::Reg::hash):
        (JSC::Reg::invalid):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):
        (JSC::RegisterSet::clear):
        (JSC::RegisterSet::get):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        More ARM FTL glue
        https://bugs.webkit.org/show_bug.cgi?id=128948

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Allow for an header search directory for LLVM's generated files.
        * Configurations/LLVMForJSC.xcconfig: Link the right things for ARM.
        * assembler/ARM64Assembler.h: Builds fix.
        (JSC::ARM64Assembler::fillNops):
        * disassembler/LLVMDisassembler.cpp: Use the right target triples.
        (JSC::tryToDisassembleWithLLVM):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps): Build fix.
        * jit/GPRInfo.h: Builds fix.
        * llvm/library/LLVMExports.cpp: Link the right things.
        (initializeAndGetJSCLLVMAPI):

2014-02-17  Anders Carlsson  <andersca@apple.com>

        Remove ENABLE_GLOBAL_FASTMALLOC_NEW
        https://bugs.webkit.org/show_bug.cgi?id=127067

        Reviewed by Geoffrey Garen.

        * parser/Nodes.h:

2014-02-17  Sergio Correia  <sergio.correia@openbossa.org>

        Replace uses of PassOwnPtr/OwnPtr with std::unique_ptr in WebCore/inspector
        https://bugs.webkit.org/show_bug.cgi?id=128681

        Reviewed by Timothy Hatcher.

        Another step towards getting rid of PassOwnPtr/OwnPtr, now targeting
        WebCore/inspector/*. Besides files in there, a few other files in
        JavaScriptCore/inspector, WebKit/, WebKit2/WebProcess/WebCoreSupport/
        and WebCore/testing were touched.


        * inspector/ContentSearchUtilities.cpp:
        * inspector/ContentSearchUtilities.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        * inspector/agents/InspectorConsoleAgent.h:

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        FTL should support ToPrimitive and the DFG should fold it correctly
        https://bugs.webkit.org/show_bug.cgi?id=128892

        Reviewed by Geoffrey Garen.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
        * tests/stress/fold-to-primitive-in-cfa.js: Added.
        (foo):
        (.result.foo):
        * tests/stress/fold-to-primitive-to-identity-in-cfa.js: Added.
        (foo):
        (.result.foo):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        Register preservation wrapper should know about the possibility of callee-saved FPRs
        https://bugs.webkit.org/show_bug.cgi?id=128923

        Reviewed by Mark Hahnenberg.

        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterPreservationWrapper):
        (JSC::generateRegisterRestoration):
        * jit/RegisterSet.cpp:

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        lr is a special register on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128922

        Reviewed by Mark Hahnenberg.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::specialRegisters):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        Fix RegisterSet::calleeSaveRegisters() by making it correct on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128921

        Reviewed by Mark Hahnenberg.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        RegisterSet::calleeSaveRegisters() should know about ARM64
        https://bugs.webkit.org/show_bug.cgi?id=128918

        Reviewed by Mark Hahnenberg.

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):

2014-02-17  Csaba Osztrogonác  <ossy@webkit.org>

        Move back primary header includes next to config.h
        https://bugs.webkit.org/show_bug.cgi?id=128912

        Reviewed by Alexey Proskuryakov.

        * dfg/DFGAbstractHeap.cpp:
        * dfg/DFGAbstractValue.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArithMode.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGAtTailAbstractState.cpp:
        * dfg/DFGAvailability.cpp:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.cpp:
        * dfg/DFGBinarySwitch.cpp:
        * dfg/DFGBlockInsertionSet.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGClobberSet.cpp:
        * dfg/DFGClobberize.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDesiredIdentifiers.cpp:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredWatchpoints.cpp:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDominators.cpp:
        * dfg/DFGEdge.cpp:
        * dfg/DFGFailedFinalizer.cpp:
        * dfg/DFGFinalizer.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushFormat.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGFlushedAt.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraphSafepoint.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJumpReplacement.cpp:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLazyJSValue.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLongLivedState.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.cpp:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNode.cpp:
        * dfg/DFGNodeFlags.cpp:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOSRExitPreparation.cpp:
        * dfg/DFGPhase.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSafepoint.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThreadData.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGUseKind.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGValueSource.cpp:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * heap/JITStubRoutineSet.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/JIT.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITOperations.cpp:
        * jit/JITStubRoutine.cpp:
        * jit/JITStubs.cpp:
        * jit/TempRegisterSet.cpp:

2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit shouldn't make X86-specific assumptions
        https://bugs.webkit.org/show_bug.cgi?id=128890

        Reviewed by Mark Hahnenberg.

        Mostly this is about not using push/pop, but instead using the more abstract pushToSave() and popToRestore() while reflecting on the stack alignment.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::pushToSaveImmediateWithoutTouchingRegisters):
        (JSC::MacroAssembler::pushToSaveByteOffset):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::pushToSaveImmediateWithoutTouchingRegisters):
        (JSC::MacroAssemblerARM64::pushToSaveByteOffset):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):

2014-02-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, make this test pass without DFG. It was assuming that you always have DFG
        and that it would always tier-up to the DFG - both wrong assumptions.

        * tests/stress/tricky-array-bounds-checks.js:
        (foo):

2014-02-17  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Fix the CLoop build after r163760
        https://bugs.webkit.org/show_bug.cgi?id=128900

        Reviewed by Csaba Osztrogonác.

        * llint/LLIntThunks.cpp:

2014-02-17  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        CLoop buildfix after r164207
        https://bugs.webkit.org/show_bug.cgi?id=128899

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGCommon.h:
        (JSC::DFG::shouldShowDisassembly):

2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, 32-bit build fix.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::lshiftPtr):

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        FTL should inline polymorphic heap accesses
        https://bugs.webkit.org/show_bug.cgi?id=128795

        Reviewed by Oliver Hunt.
        
        We now inline GetByIds that we know are pure but polymorphic. They manifest in DFG IR
        as MultiGetByOffset, and in LLVM IR as a switch with a basic block for each kind of
        read.
        
        2% speed-up on Octane mostly due to a 18% speed-up on deltablue.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/ExitingJITType.cpp: Added.
        (WTF::printInternal):
        * bytecode/ExitingJITType.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::dump):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::numVariants):
        (JSC::GetByIdStatus::variants):
        (JSC::GetByIdStatus::at):
        (JSC::GetByIdStatus::operator[]):
        * bytecode/GetByIdVariant.cpp: Added.
        (JSC::GetByIdVariant::dump):
        (JSC::GetByIdVariant::dumpInContext):
        * bytecode/GetByIdVariant.h: Added.
        (JSC::GetByIdVariant::GetByIdVariant):
        (JSC::GetByIdVariant::isSet):
        (JSC::GetByIdVariant::operator!):
        (JSC::GetByIdVariant::structureSet):
        (JSC::GetByIdVariant::chain):
        (JSC::GetByIdVariant::specificValue):
        (JSC::GetByIdVariant::offset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        (JSC::DFG::verboseCompilationEnabled):
        (JSC::DFG::logCompilationChanges):
        (JSC::DFG::shouldShowDisassembly):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasMultiGetByOffsetData):
        (JSC::DFG::Node::multiGetByOffsetData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPhase.h:
        (JSC::DFG::Phase::graph):
        (JSC::DFG::runAndLog):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::dumpAndVerifyGraph):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        * ftl/FTLState.h:
        (JSC::FTL::verboseCompilationEnabled):
        (JSC::FTL::showDisassembly):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionEffectful42):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::dump):
        (JSC::IntendedStructureChain::dumpInContext):
        * runtime/IntendedStructureChain.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * tests/stress/fold-multi-get-by-offset-to-get-by-offset-with-watchpoint.js: Added.
        (foo):
        (bar):
        * tests/stress/fold-multi-get-by-offset-to-get-by-offset.js: Added.
        (foo):
        (bar):
        * tests/stress/multi-get-by-offset-proto-and-self.js: Added.
        (foo):
        (Foo):

2014-02-16  Filip Pizlo  <fpizlo@apple.com>

        DFG::prepareOSREntry should be nice to the stack
        https://bugs.webkit.org/show_bug.cgi?id=128883

        Reviewed by Oliver Hunt.
        
        Previously OSR entry had some FIXME's and some really badly commented-out code for
        clearing stack entries to help GC. It also did some permutations on a stack frame
        above us, in such a way that it wasn't obviously that we wouldn't clobber our own
        stack frame. This function also crashed in ASan.
        
        It just seems like there was too much badness to the whole idea of prepareOSREntry
        directly editing the stack. So, I changed it to create a stack frame in a scratch
        buffer on the side and then have some assembly code just copy it into place. This
        works fine, fixes a FIXME, possibly fixes some stack clobbering, and might help us
        make more progress with ASan.

        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * dfg/DFGThunks.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        Vector with inline capacity should work with non-PODs
        https://bugs.webkit.org/show_bug.cgi?id=128864

        Reviewed by Michael Saboff.
        
        Deques no longer have inline capacity because it was broken, and we didn't need it
        here anyway.

        * dfg/DFGWorklist.h:

2014-02-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r164166.

        This broke three unique tests:

        ** The following JSC stress test failures have been introduced:
            regress/script-tests/variadic-closure-call.js.default-ftl
            regress/script-tests/variadic-closure-call.js.ftl-no-cjit-validate
            regress/script-tests/variadic-closure-call.js.ftl-no-cjit-osr-validation
            regress/script-tests/variadic-closure-call.js.ftl-eager
            regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit
            regress/script-tests/variadic-closure-call.js.ftl-eager-no-cjit-osr-validation
            jsc-layout-tests.yaml/js/script-tests/unmatching-argument-count.js.layout-ftl-eager-no-cjit
            regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit
            regress/script-tests/direct-arguments-getbyval.js.ftl-eager-no-cjit-osr-validation

        * bytecode/PolymorphicAccessStructureList.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * tests/stress/ftl-getbyval-arguments.js:

2014-02-15  Matthew Mirman  <mmirman@apple.com>

        Added GetMyArgumentByVal to FTL
        https://bugs.webkit.org/show_bug.cgi?id=128850

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        * tests/stress/ftl-getbyval-arguments.js: Added.
        (foo):

2014-02-15  peavo@outlook.com  <peavo@outlook.com>

        [Win] LLINT is not working.
        https://bugs.webkit.org/show_bug.cgi?id=128115

        Reviewed by Mark Lam.

        This patch will generate assembly code with Intel syntax, which can be processed by the Microsoft assembler (MASM).
        By creating an asm file instead of a header file with inline assembly, we can support 64-bit.
        Only 32-bit compilation has been tested, not 64-bit.
        The aim of this patch is to get LLINT up and running on Windows.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added new files, and generated asm file.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * LLIntAssembly/build-LLIntAssembly.sh: Generate dummy asm file in case we're using C backend.
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor): Compile fix when DFG is disabled.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor): Ditto.
        * bytecode/GetByIdStatus.h: Ditto.
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor): Ditto.
        * bytecode/PutByIdStatus.h: Ditto.
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize): Compile fix.
        * llint/LLIntSlowPaths.h: Added llint_crash function.
        * llint/LLIntSlowPaths.cpp: Ditto.        
        * llint/LowLevelInterpreter.cpp: Disable code for Windows.
        * llint/LowLevelInterpreter.asm: Remove instruction which generates incorrect assembly code on Windows (MOV 0xbbadbeef, register), call llint_crash instead.
        Make local labels visible to MASM on Windows.
        * llint/LowLevelInterpreter32_64.asm: Make local labels visible to MASM on Windows.
        * offlineasm/asm.rb: Generate asm file with Intel assembly syntax.
        * offlineasm/settings.rb: Ditto.
        * offlineasm/x86.rb: Ditto.

2014-02-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH when debugger closes while paused and remote inspecting a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=127757

        Reviewed by Timothy Hatcher.

        The problem was that the lifetime of the InspectorController and all agents
        was tied to the remote inspector session. So, if a remote inspector was
        disconnected while in the nested run loop, everything would get torn
        down and when execution continued out of the nested runloop we would be
        back in the original call stack of destroyed objects.

        This patch changes the lifetime of the InspectorController and agents to
        the JSGlobalObject. This way the agents are always alive, just the
        frontend and backend channels are destroyed and recreated each remote
        inspector session. This matches the agent lifetime for WebCore agents.
        We can also later take advantage of the agents being alive before
        and between inspector debug sessions to stash exception messages to
        pass on to a debugger if a debugger is connected later.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Cleaner initialization of agents. Easier to follow.

        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        Move InjectedScript disconnection only once the global object is destroyed.
        This way if a developer has attached once and included an injected script,
        we will keep it around with any state it might want to remember until
        the global object is destroyed.

        (Inspector::JSGlobalObjectInspectorController::globalObjectDestroyed):
        Disconnect agents and injected scripts when the global object is destroyed.

        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::disconnect):
        Now that the injected script manager is reused between remote
        inspector sessions, don't clear the pointer on disconnect calls.
        We now only call this once when the global object is getting
        destroyed anyways so it doesn't matter. But if we wanted to call
        disconnect multiple times, e.g. once per session, we could.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
        If the only listener was removed during the nested runloop, then when
        we dispatch an event after the nested runloop the listener list will
        be empty. Instead of asserting, just pass by an empty list.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorController):
        Tie the inspector controller lifetime to the JSGlobalObject.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::init):
        Create the inspector controller, and eagerly signal teardown
        in destruction.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        Simplify by using the inspector controller on JSGlobalObject.

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        -[JSManagedValue value] needs to be protected by the API lock
        https://bugs.webkit.org/show_bug.cgi?id=128857

        Reviewed by Mark Lam.

        * API/APICast.h:
        (toRef): Added an ASSERT so that we can detect these sorts of errors earlier. On 32-bit, toRef
        can allocate objects so we need to be holding the lock.
        * API/APIShims.h: Removed outdated comments.
        * API/JSManagedValue.mm: Added RefPtr<JSLock> to JSManagedValue.
        (-[JSManagedValue initWithValue:]): Initialize the m_lock field.
        (-[JSManagedValue value]): Lock the JSLock, check the VM*, return nil if invalid, take the APIEntryShim otherwise.
        * runtime/JSLock.cpp: Bug fix in JSLock. We were assuming that the VM was always non-null in JSLock::lock.
        (JSC::JSLock::lock):

2014-02-14  Oliver Hunt  <oliver@apple.com>

        Implement a few more Array prototype functions in JS
        https://bugs.webkit.org/show_bug.cgi?id=128788

        Reviewed by Gavin Barraclough.

        Remove a pile of awful C++, and rewrite in simple JS.

        Needed to make a few other changes to get fully builtins
        behavior to more accurately match a host function's.

        * builtins/Array.prototype.js:
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator()):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::overrideName):
        * profiler/LegacyProfiler.cpp:
        (JSC::createCallIdentifierFromFunctionImp):
        * runtime/ArrayPrototype.cpp:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::deleteProperty):
        * runtime/JSFunction.h:

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        ASSERT(isValidAllocation(bytes)) when ObjC API creates custom errors
        https://bugs.webkit.org/show_bug.cgi?id=128840

        Reviewed by Joseph Pecoraro.

        We need to add APIEntryShims around places where we allocate errors in JSC.
        Also converted some of the createTypeError call sites to use ASCIILiteral.

        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsConstructor):
        (JSC::ObjCCallbackFunctionImpl::call):
        * API/tests/testapi.mm:

2014-02-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Baseline JIT should have a fast path to bypass the write barrier on op_enter
        https://bugs.webkit.org/show_bug.cgi?id=128832

        Reviewed by Filip Pizlo.

        * jit/JIT.h: Removed some random commented out functions.h
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2014-02-14  Filip Pizlo  <fpizlo@apple.com>

        Don't optimize variadic closure calls
        https://bugs.webkit.org/show_bug.cgi?id=128835

        Reviewed by Gavin Barraclough.
        
        Read the check that had been in JITStubs.cpp, back in the day. This code came
        from the DFG and the DFG didn't need these checks.

        * jit/JITOperations.cpp:

2014-02-14  David Kilzer  <ddkilzer@apple.com>

        [ASan] Disable JSStack::sanitizeStack() to avoid false-positive stack-buffer-overflow errors
        <http://webkit.org/b/128819>

        Reviewed by Filip Pizlo.

        * interpreter/JSStack.cpp:
        (JSC::JSStack::sanitizeStack): When building with the clang
        address sanitizer, don't sanitize the stack since it will
        trigger false-positive stack-buffer-overflow errors.  Disabling
        this only results in a performance penalty, not a correctness
        penalty.

2014-02-14  Andres Gomez  <agomez@igalia.com>

        Cleaning the JSStaticScopeObject files left behind after renaming their objects to JSNameScope
        https://bugs.webkit.org/show_bug.cgi?id=127595

        Reviewed by Mario Sanchez Prada.

        JSStaticScopeObject was renamed to JSNameScope and removed long
        ago but the files were left behind empty and the CMake compilation
        in need of its existance. Now, we are definitely getting rid of
        them.

        * CMakeLists.txt:
        * runtime/JSStaticScopeObject.cpp: Removed.
        * runtime/JSStaticScopeObject.h: Removed.

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Kill some of the last vestiges of the C++ interpreter's PICs
        https://bugs.webkit.org/show_bug.cgi?id=128796

        Reviewed by Michael Saboff.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PolymorphicAccessStructureList.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::PolymorphicStubInfo):
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        (JSC::PolymorphicAccessStructureList::PolymorphicAccessStructureList):
        (JSC::PolymorphicAccessStructureList::visitWeak):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/Repatch.cpp:
        (JSC::getPolymorphicStructureList):
        (JSC::tryBuildGetByIDList):
        * llint/LowLevelInterpreter.asm:

2014-02-13  Mark Lam  <mark.lam@apple.com>

        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs. Part 2.
        <https://webkit.org/b/128764>

        Reviewed by Mark Hahnenberg.

        toJS() is the wrong cast function to use. We need to use toJSForGC() instead.
        Also we need to acquire the JSLock to prevent concurrent accesses to the
        Strong handle list.

        * API/JSValue.mm:
        (JSContainerConvertor::add):
        (containerValueToObject):
        (ObjcContainerConvertor::add):
        (objectToValue):

2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSManagedValue::dealloc modifies NSMapTable while iterating it
        https://bugs.webkit.org/show_bug.cgi?id=128713

        Reviewed by Geoffrey Garen.

        Having to write a test for this revealed a bug in how addManagedReference:withOwner:
        actually notifies JSManagedValues of new owners.

        * API/JSManagedValue.mm:
        (-[JSManagedValue dealloc]):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-13  Ryosuke Niwa  <rniwa@webkit.org>

        Speculative Release build fix after r164077.

        * API/JSValue.mm:

2014-02-13  Mark Lam  <mark.lam@apple.com>

        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs.
        <https://webkit.org/b/128764>

        Reviewed by Mark Hahnenberg.

        Added a vector of Strong<Unknown> references in the 2 containers, and append
        the newly created JSValues to those vectors. This will keep all those JS objects
        alive for the duration of the conversion.

        * API/JSValue.mm:
        (JSContainerConvertor::add):
        (ObjcContainerConvertor::add):

2014-02-13  Matthew Mirman  <mmirman@apple.com>

        Added GetMyArgumentsLength to FTL
        https://bugs.webkit.org/show_bug.cgi?id=128758

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        * tests/stress/ftl-getmyargumentslength.js: Added.
        (foo):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164066.
        
        It broke tests and it was just plain wrong.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-02-13  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix.

        Fixed typo.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::run):

2014-02-13  Michael Saboff  <msaboff@apple.com>

        Change FTL stack check to use VM's stackLimit
        https://bugs.webkit.org/show_bug.cgi?id=128561

        Reviewed by Filip Pizlo.

        Changes FTL function entry to check the call frame register against the FTL
        specific stack limit (VM::m_ftlStackLimit) and throw an exception if the
        stack limit has been exceeded.  Updated the exception handling code to have
        a second entry that will unroll the current frame to the caller, since that
        is where the exception should be processed.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLState.h:
        * runtime/VM.h:
        (JSC::VM::addressOfFTLStackLimit):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything
        https://bugs.webkit.org/show_bug.cgi?id=128772

        Reviewed by Mark Hahnenberg.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-02-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some RELEASE_ASSERTs to catch JSLock bugs earlier
        https://bugs.webkit.org/show_bug.cgi?id=128762

        Reviewed by Mark Lam.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/JSLock.cpp:
        (JSC::JSLock::DropAllLocks::DropAllLocks):

2014-02-12  Filip Pizlo  <fpizlo@apple.com>

        Hoist and combine array bounds checks
        https://bugs.webkit.org/show_bug.cgi?id=125433

        Reviewed by Mark Hahnenberg.
        
        This adds a phase for reasoning about overflow checks and array bounds checks. It's
        block-local, and removes both overflow checks and bounds checks in one go.
        
        This also improves reasoning about commutative operations, and CSE between
        CheckOverflow and Unchecked arithmetic.
        
        This strangely uncovered a DFG backend bug where we were trying to extract an int32
        from a constant even when that constant was just simply a number. I fixed that bug.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArithMode.h:
        (JSC::DFG::subsumes):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGEdge.cpp:
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::sanitized):
        (JSC::DFG::Edge::hash):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfInt32Constant):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertConstant):
        * dfg/DFGIntegerCheckCombiningPhase.cpp: Added.
        (JSC::DFG::IntegerCheckCombiningPhase::IntegerCheckCombiningPhase):
        (JSC::DFG::IntegerCheckCombiningPhase::run):
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
        (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
        (JSC::DFG::IntegerCheckCombiningPhase::isValid):
        (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
        (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
        (JSC::DFG::performIntegerCheckCombining):
        * dfg/DFGIntegerCheckCombiningPhase.h: Added.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::handleCommutativity):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse):
        * runtime/Identifier.h:
        * runtime/Intrinsic.h:
        * runtime/JSObject.h:
        * tests/stress/get-by-id-untyped.js: Added.
        (foo):
        * tests/stress/inverted-additive-subsumption.js: Added.
        (foo):
        * tests/stress/redundant-add-overflow-checks.js: Added.
        (foo):
        * tests/stress/redundant-array-bounds-checks-addition-skip-first.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/redundant-array-bounds-checks-addition.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/redundant-array-bounds-checks-unchecked-addition.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/redundant-array-bounds-checks.js: Added.
        (foo):
        (arraycmp):
        * tests/stress/tricky-array-bounds-checks.js: Added.
        (foo):
        (arraycmp):

2014-02-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should be OK with __compact_unwind in a data section
        https://bugs.webkit.org/show_bug.cgi?id=128756

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):

2014-02-13  Michael Saboff  <msaboff@apple.com>

        CStack Branch: VM::currentReturnThunkPC appears to be unused and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=127205

        Reviewed by Geoffrey Garen.

        Removed ununsed references to VM::currentReturnThunkPC.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * runtime/VM.h:

2014-02-13  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        Code cleanup: remove gcc<4.7 guards.
        https://bugs.webkit.org/show_bug.cgi?id=128729

        Reviewed by Anders Carlsson.

        Remove GCC_VERSION_AT_LEAST guards when it checks for pre-4.7 versions,
        as WK does not compile with earlier gcc versions.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::cacheFlush):
        * interpreter/StackVisitor.cpp:
        (JSC::printif):

2014-02-12  Mark Lam  <mark.lam@apple.com>

        No need to save reservedZoneSize when dropping the JSLock.
        <https://webkit.org/b/128719>

        Reviewed by Geoffrey Garen.

        The reservedZoneSize does not change due to the VM being run on a different
        thread. Hence, there is no need to save and restore its value. Instead of
        calling updateReservedZoneSize() to update the stack limit, we now call
        setStackPointerAtVMEntry() to do the job. setStackPointerAtVMEntry()
        will update the stackPointerAtVMEntry and delegate to updateStackLimit() to
        update the stack limit based on the new stackPointerAtVMEntry.

        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        - Previously, we initialize stackPointerAtVMEntry in VMEntryScope. This
          means that the stackPointerAtVMEntry may not be initialize when we
          instantiate the ErrorHandlingScope. And so, we needed to initialize the
          stackPointerAtVMEntry in the ErrorHandlingScope constructor if it's not
          already initialized.

          Now that we initialize the stackPointerAtVMEntry when we lock the VM JSLock,
          we are guaranteed that it will be initialized by the time we instantiate
          the ErrorHandlingScope. Hence, we can change the ErrorHandlingScope code
          to just assert that the stackPointerAtVMEntry is initialized instead.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        - We no longer need to save the reservedZoneSize. Remove the related code.

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        - When we grab the JSLock mutex for the first time, there is no reason why
          the stackPointerAtVMEntry should be initialized. By definition, grabbing
          the lock for the first time equates to entering the VM for the first time.
          Hence, we can just assert that stackPointerAtVMEntry is uninitialized,
          and initialize it unconditionally.

          The only exception to this is if we're locking to regrab the JSLock in
          grabAllLocks(), but grabAllLocks() will take care of restoring the
          stackPointerAtVMEntry in that case after lock() returns. stackPointerAtVMEntry
          should still be 0 when we've just locked the JSLock. So, the above assertion
          always holds true.

          Note: VM::setStackPointerAtVMEntry() will take care of calling
          VM::updateStackLimit() based on the new stackPointerAtVMEntry.

        - There is no need to save the reservedZoneSize. The reservedZoneSize is
          set to Options::reservedZoneSize() when the VM is initialized. Thereafter,
          the ErrorHandlingScope will change it to Options::errorModeReservedZoneSize()
          when we're handling an error, and it will restore it afterwards. There is
          no other reason we should be changing the reservedZoneSize. Hence, we can
          remove the unnecessary code to save it here.

        (JSC::JSLock::unlock):
        - Similarly, when the lockCount reaches 0 in unlock(), it is synonymous with
          exiting the VM. Hence, we should just clear the stackPointerAtVMEntry and
          update the stackLimit. Exiting the VM should have no effect on the VM
          reservedZoneSize. Hence, we can remove the unnecessary code to "restore" it.

        (JSC::JSLock::dropAllLocks):
        - When dropping locks, we do not need to save the reservedZoneSize because
          the reservedZoneSize should remain the same regardless of which thread
          we are executing JS on. Hence, we can remove the unnecessary code to save
          the reservedZoneSize here.

        (JSC::JSLock::grabAllLocks):
        - When re-grabbing locks, restoring the stackPointerAtVMEntry via
          VM::setStackPointerAtVMEntry() will take care of updating the stack limit.
          As explained above, there's no need to save the reservedZoneSize. Hence,
          there's no need to "restore" it here.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::setStackPointerAtVMEntry):
        - Sets the stackPointerAtVMEntry and delegates to updateStackLimit() to update
          the stack limit based on the new stackPointerAtVMEntry.
        (JSC::VM::updateStackLimit):
        * runtime/VM.h:
        (JSC::VM::stackPointerAtVMEntry):
        - Renamed stackPointerAtVMEntry to m_stackPointerAtVMEntry and made it private.
          Added a stackPointerAtVMEntry() function to read the value.

2014-02-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        DelayedReleaseScope in MarkedAllocator::tryAllocateHelper is wrong
        https://bugs.webkit.org/show_bug.cgi?id=128641

        Reviewed by Michael Saboff.

        We were improperly handling the case where the DelayedReleaseScope 
        in tryAllocateHelper would cause us to drop the API lock, allowing 
        another thread to sneak in and allocate a new block after we had already 
        concluded that there were no more blocks to allocate out of.

        The fix is to call tryAllocateHelper in a loop until we know for sure 
        that this did not happen.

        There was also a race condition with the DelayedReleaseScope in addBlock.
        We would add the block to the MarkedBlock's list, sweep it, and then return,
        causing us to drop the API lock momentarily. Another thread could then 
        grab the lock, and allocate out of the new block to the point where the 
        free list was empty. Then we would return to the original thread, who thinks 
        it's impossible to not allocate successfully at this point. 
        Instead we should just let tryAllocate do all the hard work with correctly 
        sweeping and getting a valid result.

        There was another race condition in didFinishIterating. We would call resumeAllocating,
        which would create a DelayedReleaseScope. The DelayedReleaseScope would then release 
        API lock before we set m_isIterating back to false, which would potentially confuse 
        other threads.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryPopFreeList):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::addBlock):
        * heap/MarkedAllocator.h:

2014-02-12  Brian Burg  <bburg@apple.com>

        Web Replay: capture and replay nondeterminism of Date.now() and Math.random()
        https://bugs.webkit.org/show_bug.cgi?id=128633

        Reviewed by Filip Pizlo.

        Upstream the only two sources of script-visible nondeterminism in JavaScriptCore.

        The random seed for WeakRandom is memoized when the owning JSGlobalObject is
        constructed. It is deterministically initialized during replay before any
        scripts execute with the global object.

        The implementations of `Date.now()` and `new Date()` eventually obtain the
        current time from jsCurrentTime(). When capturing, we save return values of
        jsCurrentTime() into the recording. When replaying, we use memoized values from
        the recording instead of obtaining values from the platform-specific currentTime()
        implementation. No other code calls jsCurrentTime().

        * DerivedSources.make: Add rules to make JSReplayInputs.h from JSInputs.json.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/JSInputs.json: Added. Includes specifications for replay inputs
        "GetCurrentTime" and "SetRandomSeed". Tests will be added for both input
        cases once sufficient replay machinery has been added.

        * replay/NondeterministicInput.h: NondeterministicInput should not have
        been marked 'final'.

        * runtime/DateConstructor.cpp:
        (JSC::deterministicCurrentTime): Added. Load or store the current time depending
        on what kind of InputCursor is attached to the JSGlobalObject.

        (JSC::constructDate): Use deterministicCurrentTime().
        (JSC::dateNow): Use deterministicCurrentTime().
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setInputCursor): When setting a non-empty input cursor,
        immediately store or load the "SetRandomSeed" input and initialize WeakRandom's
        random seed with it. The input cursor (and thus random seed) must be set before
        any scripts are evaluated with this JSGlobalObject.

        * runtime/WeakRandom.h:
        (JSC::WeakRandom::WeakRandom): Add JSGlobalObject as a friend class.
        (JSC::WeakRandom::initializeSeed): Extract the seed initialization into a
        separate method so it can be called outside of the JSGlobalObject constructor.

2014-02-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup JavaScriptCore/inspector
        https://bugs.webkit.org/show_bug.cgi?id=128662

        Reviewed by Timothy Hatcher.

        Now that the code has settled, do a cleanup pass.

        * inspector/ContentSearchUtilities.cpp:
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::asObject):
        (Inspector::InspectorValue::asArray):
        (Inspector::InspectorValue::parseJSON):
        (Inspector::InspectorObjectBase::getObject):
        (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::get):
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/JSGlobalObjectConsoleAgent.h:

2014-02-12  Ryosuke Niwa  <rniwa@webkit.org>

        Windows build fix attempt after r163960.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-02-12  Michael Saboff  <msaboff@apple.com>

        Adjust VM::stackLimit based on the size of the largest FTL stack produced
        https://bugs.webkit.org/show_bug.cgi?id=128562

        Reviewed by Mark Lam.

        Added VM::m_largestFTLStackSize to track the largest stack size of an FTL compiled
        function. Added VM::m_ftlStackLimit for FTL functions stack limit.  Renamed
        VM::updateStackLimitWithReservedZoneSize to VM::updateReservedZoneSize.  Renamed
        VM::setStackLimit to VM::updateStackLimit and changed it to do the updating of the
        stack limits, including taking into account m_largestFTLStackSize.

        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::grabAllLocks):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateReservedZoneSize):
        (JSC::VM::updateStackLimit):
        (JSC::VM::updateFTLLargestStackSize):
        * runtime/VM.h:

2014-02-11  Oliver Hunt  <oliver@apple.com>

        Make it possible to implement JS builtins in JS
        https://bugs.webkit.org/show_bug.cgi?id=127887

        Reviewed by Michael Saboff.

        This patch makes it possible to write builtin functions in JS.
        The bindings, generators, and definitions are all created automatically
        based on js files in the builtins/ directory.  This patch includes one
        such case: Array.prototype.js with an implementation of every().

        There's a lot of refactoring to make it possible for CommonIdentifiers
        to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
        without breaking the offset extractor. The result of this refactoring
        is that CommonIdentifiers, and a few other miscellaneous headers now
        need to be included directly as they were formerly captured through other
        paths.

        In addition this adds a flag to the Lookup table's hashentry to indicate
        that a static function is actually backed by JS. There is then a lot of
        logic to thread the special nature of the functon to where it matters.
        This allows toString(), .caller, etc to mimic the behaviour of a host
        function.

        Notes on writing builtins:
         - Each function is compiled independently of the others, and those
           implementations cannot currently capture all global properties (as
           that could be potentially unsafe). If a function does capture a
           global we will deliberately crash.
         - For those "global" properties that we do want access to, we use
           the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
           are private names, and behave just like regular properties, only
           without the risk of adulteration. Again, in the @Object case, we
           explicitly duplicate the ObjectConstructor reference on the GlobalObject
           so that we have guaranteed access to the original version of the
           constructor.
         - call, apply, eval, and Function are all rejected identifiers, again
           to prevent anything from accidentally using an adulterated object.
           Instead @call and @apply are available, and happily they completely
           drop the neq_ptr instruction as they're defined as always being the
           original call/apply functions.

        These restrictions are just intended to make it harder to accidentally
        make changes that are incorrect (for instance calling whatever has been
        assigned to global.Object, instead of the original constructor function).
        However, making a mistake like this should result in a purely semantic
        error as fundamentally these functions are treated as though they were
        regular JS code in the host global, and have no more privileges than
        any other JS.

        The initial proof of concept is Array.prototype.every, this shows a 65%
        performance improvement, and that improvement is significantly hurt by
        our poor optimisation of op_in.

        As this is such a limited function, we have not yet exported all symbols
        that we could possibly need, but as we implement more, the likelihood
        of encountering missing features will reduce.


        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Array.prototype.js:
        (every):
        * builtins/BuiltinExecutables.cpp: Added.
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinExecutables.h:
        (JSC::BuiltinExecutables::create):
        * builtins/BuiltinNames.h: Added.
        (JSC::BuiltinNames::BuiltinNames):
        (JSC::BuiltinNames::getPrivateName):
        (JSC::BuiltinNames::getPublicName):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::toStrictness):
        (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
        (JSC::UnlinkedCodeBlock::isBuiltinFunction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isBuiltinFunction):
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * create_hash_table:
        * generate-js-builtins: Added.
        (getCopyright):
        (getFunctions):
        (generateCode):
        (mangleName):
        (FunctionExecutable):
        (Identifier):
        (JSGlobalObject):
        (SourceCode):
        (UnlinkedFunctionExecutable):
        (VM):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::isSafeBuiltinIdentifier):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::isSafeIdentifier):
        (JSC::Lexer<T>::lexExpectIdentifier):
        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables):
        * parser/Nodes.h:
        (JSC::ScopeNode::capturedVariables):
        (JSC::ScopeNode::setClosedVariables):
        (JSC::ProgramNode::closedVariables):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::Scope::getUsedVariables):
        (JSC::Parser::closedVariables):
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        (JSC::CommonIdentifiers::~CommonIdentifiers):
        (JSC::CommonIdentifiers::getPrivateName):
        (JSC::CommonIdentifiers::getPublicName):
        * runtime/CommonIdentifiers.h:
        (JSC::CommonIdentifiers::builtinNames):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Executable.h:
        (JSC::EvalExecutable::executableInfo):
        (JSC::ProgramExecutable::executableInfo):
        (JSC::FunctionExecutable::isBuiltinFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createBuiltinFunction):
        (JSC::JSFunction::calculatedDisplayName):
        (JSC::JSFunction::sourceCode):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::nativeFunction):
        (JSC::JSFunction::nativeConstructor):
        (JSC::isHostFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectConstructor):
        (JSC::JSGlobalObject::symbolTableHasProperty):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::putDirectBuiltinFunction):
        * runtime/JSObject.h:
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::builtinGenerator):
        (JSC::HashEntry::propertyGetter):
        (JSC::HashEntry::propertyPutter):
        (JSC::HashTable::entry):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorConstructor.h:
        * runtime/PropertySlot.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::builtinExecutables):

2014-02-11  Brent Fulgham  <bfulgham@apple.com>

        Remove some unintended copies in ranged for loops
        https://bugs.webkit.org/show_bug.cgi?id=128644

        Reviewed by Anders Carlsson.

        * inspector/InjectedScriptHost.cpp:
        (Inspector::InjectedScriptHost::clearAllWrappers): Avoid creating/destroying
        a std::pair<> and pointer each loop iteration.
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser): Avoid copying object containing a string
        each loop iteration.

2014-02-11  Ryosuke Niwa  <rniwa@webkit.org>

        Debug build fix after r163946.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):

2014-02-11  Filip Pizlo  <fpizlo@apple.com>

        Inserting a node with a codeOrigin "like" another node should copy both the codeOrigin and codeOriginForExitTarget
        https://bugs.webkit.org/show_bug.cgi?id=128635

        Reviewed by Michael Saboff.
        
        Originally nodes just had a codeOrigin. But then we started doing code motion, and we
        needed to separate the codeOrigin that designated where to exit from the codeOrigin
        that designated everything else. The "everything else" is actually pretty important:
        it includes profiling, exception handling, and the actual semantics of the node. For
        example some nodes use the origin's global object in some way.
        
        This all sort of worked except for one quirk: the facilities for creating nodes all
        assumed that there really was only one origin. LICM would work around this by setting
        the codeOriginForExitTarget manually. But, that means that:
        
        - If we did hoist a node twice, then the second time around, we would forget the node's
          original exit target.
        
        - If we did an insertNode() to insert a node before a hoisted node, the inserted node
          would have the wrong exit target.
        
        Most of the time, if we copy the code origin, we actually want to copy both origins.
        So, this patch introduces the notion of a NodeOrigin which has two CodeOrigins: a
        forExit code origin that says where to exit, and a semantic code origin for everything
        else.
        
        This also (annoyingly?) means that we are always more explicit about which code origin
        we refer to. That means that a lot of "node->codeOrigin" expressions had to change to
        "node->origin.semantic". This was partly a ploy on my part to ensure that this
        refactoring was complete: to get the code to compile I really had to audit all uses of
        CodeOrigin. If, in the future, we find that "node->origin.semantic" is too cumbersome
        then we can reintroduce the Node::codeOrigin field. For now I kinda like it though.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::observeProperArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::originalArrayStructure):
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::convertToJump):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        (JSC::DFG::CFGSimplificationPhase::jettisonBlock):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
        (JSC::DFG::CPSRethreadingPhase::addPhi):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::createToString):
        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
        (JSC::DFG::FixupPhase::convertStringAddUse):
        (JSC::DFG::FixupPhase::fixupToPrimitive):
        (JSC::DFG::FixupPhase::fixupToString):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::amountOfNodeWhiteSpace):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasExitSite):
        (JSC::DFG::Graph::valueProfileFor):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::isStronglyProvedConstantIn):
        * dfg/DFGNodeOrigin.h: Added.
        (JSC::DFG::NodeOrigin::NodeOrigin):
        (JSC::DFG::NodeOrigin::isSet):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGResurrectionForValidationPhase.cpp:
        (JSC::DFG::ResurrectionForValidationPhase::run):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSSALoweringPhase.cpp:
        (JSC::DFG::SSALoweringPhase::handleNode):
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        (JSC::DFG::SpeculativeJIT::appendCall):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
        (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateSSA):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::link):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToThis):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
        (JSC::FTL::LowerDFGToLLVM::getById):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructure):
        (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::FTL::LowerDFGToLLVM::callPreflight):

2014-02-11  Filip Pizlo  <fpizlo@apple.com>

        Fix assertions and incorrect codegen for CompareEq(ObjectOrOther:, Object:)
        https://bugs.webkit.org/show_bug.cgi?id=128648

        Reviewed by Mark Lam.
        
        I did CompareEq(Object:, ObjectOrOther:) correctly but the flipped version wrong.
        That's what I get for running tests in release mode. It's hard to write a test for
        the incorrect codegen; that's kind of why the assertions are there.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):

2014-02-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, trivial change to silence FTL assertions

        Normally, lowJSValue() should only be used for UntypedUse only. Here we are using it
        on ObjectOrOtherUse because we execute the speculation ourselves. The way you're
        supposed to do this is by passing ManualOperandSpeculation to tell lowJSValue() not
        to assert.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):

2014-02-11  Filip Pizlo  <fpizlo@apple.com>

        Use LLVM's dead store elimination
        https://bugs.webkit.org/show_bug.cgi?id=128638

        Reviewed by Mark Hahnenberg.
        
        DFG's store elimination was being run too soon for comfort on the FTL path. It's
        really only sound when run after all other optimizations. Remove it from the FTL
        path.
        
        Enable LLVM store elimination. It's both easier to reason about and more
        comprehensive.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2014-02-11  Brian Burg  <bburg@apple.com>

        Web Replay: upstream replay input code generator and EncodedValue class
        https://bugs.webkit.org/show_bug.cgi?id=128215

        Reviewed by Joseph Pecoraro.

        Add the replay inputs code generator. Most features of the input generator are
        exercised by included generator regression tests, which produce useful but
        non-compilable test replay inputs.

        Add EncodedValue, the main replay input serialization class that encodes and
        decodes inputs and their data between C++ types and the JSON-based replay recording
        format. EncodedValue uses EncodingTraits specializations for type-specific encoding.
        Relative to other WebKit marshalling mechanisms, EncodedValue is key/value based.
        EncodedValue uses InspectorValue subclasses as its backing data structure.

        Add some missing numerical conversions to InspectorValue.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::asNumber):
        (Inspector::InspectorBasicValue::asNumber):
        * inspector/InspectorValues.h:
        * replay/EncodedValue.cpp: Added.
        (JSC::EncodedValue::asObject):
        (JSC::EncodedValue::asArray):
        (JSC::ScalarEncodingTraits<bool>::encodeValue):
        (JSC::ScalarEncodingTraits<double>::encodeValue):
        (JSC::ScalarEncodingTraits<float>::encodeValue):
        (JSC::ScalarEncodingTraits<int32_t>::encodeValue):
        (JSC::ScalarEncodingTraits<int64_t>::encodeValue):
        (JSC::ScalarEncodingTraits<uint32_t>::encodeValue):
        (JSC::ScalarEncodingTraits<uint64_t>::encodeValue):
        (JSC::long>::encodeValue):
        (JSC::EncodedValue::convertTo<bool>):
        (JSC::EncodedValue::convertTo<double>):
        (JSC::EncodedValue::convertTo<float>):
        (JSC::EncodedValue::convertTo<int32_t>):
        (JSC::EncodedValue::convertTo<int64_t>):
        (JSC::EncodedValue::convertTo<uint32_t>):
        (JSC::EncodedValue::convertTo<uint64_t>):
        (JSC::long>):
        (JSC::EncodedValue::convertTo<String>):
        (JSC::EncodedValue::put<EncodedValue>):
        (JSC::EncodedValue::append<EncodedValue>):
        (JSC::EncodedValue::get<EncodedValue>):
        * replay/EncodedValue.h: Added.
        (JSC::EncodedValue::EncodedValue):
        (JSC::EncodedValue::createObject):
        (JSC::EncodedValue::createArray):
        (JSC::EncodedValue::createString):
        (JSC::EncodedValue::~EncodedValue):
        (JSC::ScalarEncodingTraits::decodeValue):
        (JSC::EncodingTraits<String>::encodeValue):
        (JSC::EncodedValue::put):
        (JSC::EncodedValue::append):
        (JSC::EncodedValue::get):
        * replay/scripts/CodeGeneratorReplayInputs.py: Added.
        (ParseException):
        (TypecheckException):
        (Framework):
        (Framework.__init__):
        (Framework.setting):
        (Framework.fromString):
        (Frameworks):
        (InputQueue):
        (InputQueue.__init__):
        (InputQueue.setting):
        (InputQueue.fromString):
        (InputQueues):
        (Input):
        (Input.__init__):
        (Input.setting):
        (InputMember):
        (InputMember.__init__):
        (InputMember.has_flag):
        (TypeMode):
        (TypeMode.__init__):
        (TypeMode.fromString):
        (TypeModes):
        (Type):
        (Type.__init__):
        (Type.__eq__):
        (Type.__hash__):
        (Type.has_flag):
        (Type.is_struct):
        (Type.is_enum):
        (Type.is_enum_class):
        (Type.declaration_kind):
        (Type.qualified_prefix):
        (Type.qualified_prefix.is):
        (Type.type_name):
        (Type.storage_type):
        (Type.borrow_type):
        (Type.argument_type):
        (check_properties):
        (VectorType):
        (VectorType.__init__):
        (VectorType.has_flag):
        (VectorType.is_struct):
        (VectorType.is_enum):
        (VectorType.is_enum_class):
        (VectorType.qualified_prefix):
        (VectorType.type_name):
        (VectorType.argument_type):
        (InputsModel):
        (InputsModel.__init__):
        (InputsModel.enum_types):
        (InputsModel.get_type_for_member):
        (InputsModel.parse_toplevel):
        (InputsModel.parse_type_with_framework_name):
        (InputsModel.parse_input):
        (InputsModel.typecheck):
        (InputsModel.typecheck_type):
        (InputsModel.typecheck_input):
        (InputsModel.typecheck_input_member):
        (IncrementalFileWriter):
        (IncrementalFileWriter.__init__):
        (IncrementalFileWriter.write):
        (IncrementalFileWriter.close):
        (lcfirst):
        (wrap_with_guard):
        (Generator):
        (Generator.__init__):
        (Generator.setting):
        (Generator.output_filename):
        (Generator.write_output_files):
        (Generator.generate_header):
        (Generator.generate_implementation):
        (Generator.generate_license):
        (Generator.generate_includes):
        (Generator.generate_includes.declaration):
        (Generator.generate_includes.declaration.is):
        (Generator.generate_type_forward_declarations):
        (Generator.generate_type_forward_declarations.is):
        (Generator.generate_class_declaration):
        (Generator.generate_input_constructor_declaration):
        (Generator.generate_input_destructor_declaration):
        (Generator.generate_input_member_getter):
        (Generator.generate_input_member_declaration):
        (Generator.generate_input_member_tuples):
        (Generator.qualified_input_name):
        (Generator.generate_input_trait_declaration):
        (Generator.generate_enum_trait_declaration):
        (Generator.generate_for_each_macro):
        (Generator.generate_class_implementation):
        (Generator.generate_enum_trait_implementation):
        (Generator.generate_enum_trait_implementation.is):
        (Generator.generate_input_trait_implementation):
        (Generator.generate_input_encode_implementation):
        (Generator.generate_input_decode_implementation):
        (Generator.generate_constructor_initializer_list):
        (Generator.generate_constructor_formals_list):
        (Generator.generate_member_borrow_expression):
        (Generator.generate_member_move_expression):
        (Generator.generate_constructor_arguments_list):
        (generate_from_specification):
        * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Added.
        (Templates):
        * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/JSInputs.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Added.
        * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Added.
        * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Added.
        * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Added.
        * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Added.
        * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Added.
        * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Added.
        * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Added.
        * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Added.
        * replay/scripts/tests/expected/fail-on-no-inputs.json-error: Added.
        * replay/scripts/tests/expected/fail-on-no-types.json-error: Added.
        * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Added.
        * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Added.
        * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Added.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-error: Added.
        * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Added.
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-error: Added.
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Added.
        * replay/scripts/tests/fail-on-duplicate-input-names.json: Added.
        * replay/scripts/tests/fail-on-duplicate-type-names.json: Added.
        * replay/scripts/tests/fail-on-enum-type-missing-values.json: Added.
        * replay/scripts/tests/fail-on-missing-input-member-name.json: Added.
        * replay/scripts/tests/fail-on-missing-input-name.json: Added.
        * replay/scripts/tests/fail-on-missing-input-queue.json: Added.
        * replay/scripts/tests/fail-on-missing-type-mode.json: Added.
        * replay/scripts/tests/fail-on-missing-type-name.json: Added.
        * replay/scripts/tests/fail-on-no-inputs.json: Added.
        * replay/scripts/tests/fail-on-no-types.json: Added.
        * replay/scripts/tests/fail-on-unknown-input-queue.json: Added.
        * replay/scripts/tests/fail-on-unknown-member-type.json: Added.
        * replay/scripts/tests/fail-on-unknown-type-mode.json: Added.
        * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Added.
        * replay/scripts/tests/generate-enum-encoding-helpers.json: Added.
        * replay/scripts/tests/generate-event-loop-shape-types.json: Added.
        * replay/scripts/tests/generate-input-with-guard.json: Added.
        * replay/scripts/tests/generate-input-with-vector-members.json: Added.
        * replay/scripts/tests/generate-inputs-with-flags.json: Added.
        * replay/scripts/tests/generate-memoized-type-modes.json: Added.

2014-02-11  Joseph Pecoraro  <pecoraro@apple.com>

        Add Availability Macros to new JSC APIs
        https://bugs.webkit.org/show_bug.cgi?id=128615

        Reviewed by Mark Rowe.

        * API/JSContext.h:
        * API/JSContextRef.h:

2014-02-11  Filip Pizlo  <fpizlo@apple.com>

        FTL should support CompareEq(ObjectOrOther:, Object:)
        https://bugs.webkit.org/show_bug.cgi?id=127752

        Reviewed by Oliver Hunt.
        
        Also introduce some helpers for reasoning about nullness and truthyness.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotNully):
        (JSC::FTL::LowerDFGToLLVM::isNully):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        * tests/stress/compare-eq-object-or-other-to-object.js: Added.
        (foo):
        (test):
        * tests/stress/compare-eq-object-to-object-or-other.js: Added.
        (foo):
        (test):

2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        32-bit LLInt writeBarrierOnGlobalObject is wrong
        https://bugs.webkit.org/show_bug.cgi?id=128556

        Reviewed by Geoffrey Garen.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Also fixed the value check on 64-bit.

2014-02-11  Gabor Rapcsanyi  <rgabor@webkit.org>

        LLInt typo error after r139004.
        https://bugs.webkit.org/show_bug.cgi?id=128592

        Reviewed by Michael Saboff.

        * offlineasm/arm.rb: change immediate to register in the condition

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        LICM should gracefully handle unprofiled code
        https://bugs.webkit.org/show_bug.cgi?id=127848

        Reviewed by Mark Hahnenberg.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):

2014-02-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Obj-C API: JSExport doesn't work for methods that contain protocols in their type signature
        https://bugs.webkit.org/show_bug.cgi?id=128540

        Reviewed by Oliver Hunt.

        The bug is in parseObjCType in ObjcRuntimeExtras.h. When we see an '@' in the 
        type signature of a method, we assume that what follows the '@' is a class name, 
        so we call objc_getClass, and if that returns nil then we give up on the method 
        and don't export it.

        This assumption doesn't work in the case of id<Protocol> because it's the name 
        of the protocol that follows the '@', not the name of a class. We should have 
        another fallback case for protocol names.

        There's another case that also doesn't work, and that's the case of a named class 
        with a specified prototype in a method signature (e.g. NSObject<MyProtocol>). 
        There the substring of the type signature that represents the class is "NSObject<MyProtocol>", 
        which will also cause objc_getClass to return nil.

        * API/ObjcRuntimeExtras.h:
        (parseObjCType):
        * API/tests/DateTests.mm: Also fixed an issue I noticed where we don't use an autorelease pool
        for the DateTests.
        * API/tests/JSExportTests.h: Added.
        * API/tests/JSExportTests.mm: Added.
        (-[TruthTeller returnTrue]):
        (-[ExportMethodWithIdProtocol methodWithIdProtocol:]):
        (-[ExportMethodWithClassProtocol methodWithClassProtocol:]):
        (+[JSExportTests exportInstanceMethodWithIdProtocolTest]):
        (+[JSExportTests exportInstanceMethodWithClassProtocolTest]):
        (runJSExportTests):
        * API/tests/testapi.mm:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-10  Michael Saboff  <msaboff@apple.com>

        Re-enable ARM Thumb2 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=128577

        Reviewed by Filip Pizlo.

        Changed signature of tryToDisassemble() to match updates.
        Fixed typo in disassembler.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        * disassembler/ARMv7Disassembler.cpp:
        (JSC::tryToDisassemble):

2014-02-10  Mark Lam  <mark.lam@apple.com>

        Removing limitation on JSLock's lockDropDepth.
        <https://webkit.org/b/128570>

        Reviewed by Geoffrey Garen.

        Now that we've switched to using the C stack, we no longer need to limit
        the JSLock::lockDropDepth to 2.

        For C loop builds which still use the separate JSStack, the JSLock will
        enforce ordering for re-grabbing the lock after dropping it. Re-grabbing
        must occur in the reverse order of the dropping of the locks.

        Ordering is achieved by JSLock::dropAllLocks() stashing away the
        JSLock:: m_lockDropDepth in its DropAllLocks instance's m_dropDepth
        before unlocking the lock. Subsequently, JSLock::grabAllLocks() will
        ensure that JSLocks::m_lockDropDepth equals its DropAllLocks instance's
        m_dropDepth before allowing the lock to be re-grabbed. Otherwise, it
        will yield execution and retry again later.

        Note: because JSLocks::m_lockDropDepth is protected by the JSLock's
        mutex, grabAllLocks() will optimistically lock the JSLock before doing
        the check on m_lockDropDepth. If the check fails, it will unlock the
        JSLock, yield, and then relock it again later before retrying the check.
        This ensures that m_lockDropDepth remains under the protection of the
        JSLock's mutex.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::DropAllLocks::setDropDepth):
        (JSC::JSLock::DropAllLocks::dropDepth):

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        FTL should support ToThis
        https://bugs.webkit.org/show_bug.cgi?id=127751

        Reviewed by Oliver Hunt.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileToThis):
        * tests/stress/to-this-polymorphic.js: Added.
        (foo):

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        Rename Operations.h to JSCInlines.h
        https://bugs.webkit.org/show_bug.cgi?id=128543

        Rubber stamped by Geoffrey Garen.
        
        Well, what this actually does is it splits Operations.h into a real Operations.h that
        actually contains "operations", and JSCInlines.h, which serves the role of being an
        inlines umbrella.
        
        * API/JSBase.cpp:
        * API/JSCTestRunnerUtils.cpp:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/JSClassRef.cpp:
        * API/JSContext.mm:
        * API/JSContextRef.cpp:
        * API/JSManagedValue.mm:
        * API/JSObjectRef.cpp:
        * API/JSScriptRef.cpp:
        * API/JSValue.mm:
        * API/JSValueRef.cpp:
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/LinkBuffer.cpp:
        * bindings/ScriptFunctionCall.cpp:
        * bindings/ScriptObject.cpp:
        * bytecode/ArrayAllocationProfile.cpp:
        * bytecode/ArrayProfile.cpp:
        * bytecode/BytecodeBasicBlock.cpp:
        * bytecode/CallLinkInfo.cpp:
        * bytecode/CallLinkStatus.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        * bytecode/CodeOrigin.cpp:
        * bytecode/ExecutionCounter.cpp:
        * bytecode/GetByIdStatus.cpp:
        * bytecode/LazyOperandValueProfile.cpp:
        * bytecode/MethodOfGettingAValueProfile.cpp:
        * bytecode/PreciseJumpTargets.cpp:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * bytecode/PutByIdStatus.cpp:
        * bytecode/SamplingTool.cpp:
        * bytecode/SpecialPointer.cpp:
        * bytecode/SpeculatedType.cpp:
        * bytecode/StructureStubClearingWatchpoint.cpp:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecode/ValueRecovery.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/NodesCodegen.cpp:
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGAbstractHeap.cpp:
        * dfg/DFGAbstractValue.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArithMode.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGAtTailAbstractState.cpp:
        * dfg/DFGAvailability.cpp:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.cpp:
        * dfg/DFGBinarySwitch.cpp:
        * dfg/DFGBlockInsertionSet.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGClobberSet.cpp:
        * dfg/DFGClobberize.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDesiredIdentifiers.cpp:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredWatchpoints.cpp:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDominators.cpp:
        * dfg/DFGDriver.cpp:
        * dfg/DFGEdge.cpp:
        * dfg/DFGFailedFinalizer.cpp:
        * dfg/DFGFinalizer.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushFormat.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGFlushedAt.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraphSafepoint.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJumpReplacement.cpp:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLazyJSValue.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLongLivedState.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.cpp:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNode.cpp:
        * dfg/DFGNodeFlags.cpp:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOSRExitPreparation.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSafepoint.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThreadData.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGUseKind.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGValueSource.cpp:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * ftl/FTLAbstractHeap.cpp:
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLExitValue.cpp:
        * ftl/FTLLink.cpp:
        * ftl/FTLLowerDFGToLLVM.cpp:
        * ftl/FTLOSREntry.cpp:
        * ftl/FTLOSRExit.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        * ftl/FTLSlowPathCall.cpp:
        * heap/BlockAllocator.cpp:
        * heap/CodeBlockSet.cpp:
        * heap/ConservativeRoots.cpp:
        * heap/CopiedSpace.cpp:
        * heap/CopyVisitor.cpp:
        * heap/DeferGC.cpp:
        * heap/GCThread.cpp:
        * heap/GCThreadSharedData.cpp:
        * heap/HandleSet.cpp:
        * heap/HandleStack.cpp:
        * heap/Heap.cpp:
        * heap/HeapStatistics.cpp:
        * heap/HeapTimer.cpp:
        * heap/IncrementalSweeper.cpp:
        * heap/JITStubRoutineSet.cpp:
        * heap/MachineStackMarker.cpp:
        * heap/MarkStack.cpp:
        * heap/MarkedAllocator.cpp:
        * heap/MarkedBlock.cpp:
        * heap/MarkedSpace.cpp:
        * heap/SlotVisitor.cpp:
        * heap/SuperRegion.cpp:
        * heap/Weak.cpp:
        * heap/WeakBlock.cpp:
        * heap/WeakHandleOwner.cpp:
        * heap/WeakSet.cpp:
        * heap/WriteBarrierBuffer.cpp:
        * heap/WriteBarrierSupport.cpp:
        * inspector/InjectedScript.cpp:
        * inspector/InjectedScriptBase.cpp:
        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/ScriptArguments.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/AbstractPC.cpp:
        * interpreter/CallFrame.cpp:
        * interpreter/Interpreter.cpp:
        * interpreter/JSStack.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * interpreter/StackVisitor.cpp:
        * interpreter/VMInspector.cpp:
        * jit/ArityCheckFailReturnThunks.cpp:
        * jit/AssemblyHelpers.cpp:
        * jit/ClosureCallStubRoutine.cpp:
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/HostCallReturnValue.cpp:
        * jit/JIT.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITCode.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITExceptions.cpp:
        * jit/JITInlineCacheGenerator.cpp:
        * jit/JITInlines.h:
        * jit/JITOperations.cpp:
        * jit/JITOperationsMSVC64.cpp:
        * jit/JITStubRoutine.cpp:
        * jit/JITStubs.cpp:
        * jit/JITThunks.cpp:
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        * jit/RegisterPreservationWrapperGenerator.cpp:
        * jit/RegisterSet.cpp:
        * jit/Repatch.cpp:
        * jit/TempRegisterSet.cpp:
        * jit/ThunkGenerators.cpp:
        * jsc.cpp:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.cpp:
        * parser/Lexer.cpp:
        * parser/Nodes.cpp:
        * parser/Parser.cpp:
        * parser/ParserArena.cpp:
        * parser/SourceCode.cpp:
        * parser/SourceProvider.cpp:
        * parser/SourceProviderCache.cpp:
        * profiler/LegacyProfiler.cpp:
        * profiler/ProfileGenerator.cpp:
        * profiler/ProfilerBytecode.cpp:
        * profiler/ProfilerBytecodeSequence.cpp:
        * profiler/ProfilerBytecodes.cpp:
        * profiler/ProfilerCompilation.cpp:
        * profiler/ProfilerCompiledBytecode.cpp:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerOSRExit.cpp:
        * profiler/ProfilerOSRExitSite.cpp:
        * profiler/ProfilerOrigin.cpp:
        * profiler/ProfilerOriginStack.cpp:
        * profiler/ProfilerProfiledBytecodes.cpp:
        * runtime/ArgList.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayBuffer.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/CallData.cpp:
        * runtime/CodeCache.cpp:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/Completion.cpp:
        * runtime/ConstructData.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/Identifier.cpp:
        * runtime/IntendedStructureChain.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSCInlines.h: Copied from Source/JavaScriptCore/runtime/Operations.h.
        * runtime/JSCell.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSLock.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSProxy.cpp:
        * runtime/JSScope.cpp:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSString.cpp:
        * runtime/JSStringJoiner.cpp:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrays.cpp:
        * runtime/JSVariableObject.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/JSWrapperObject.cpp:
        * runtime/LiteralParser.cpp:
        * runtime/Lookup.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorPrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/Operations.cpp:
        * runtime/Operations.h:
        * runtime/PropertyDescriptor.cpp:
        * runtime/PrototypeMap.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpCache.cpp:
        * runtime/RegExpCachedResult.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/SimpleTypedArrayController.cpp:
        * runtime/SmallStrings.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/StringRecursionChecker.cpp:
        * runtime/Structure.cpp:
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/TestRunnerUtils.cpp:
        * runtime/VM.cpp:
        * testRegExp.cpp:

2014-02-10  Matthew Mirman  <mmirman@apple.com>

        Removes the inline assert from SpeculativeJIT's ReallocatePropertyStorage
        https://bugs.webkit.org/show_bug.cgi?id=128566

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        Rename getRecordMap to computeRecordMap.

        Rubber stamped by Michael Saboff.
        
        "get" is such a weird prefix. It implies a getter. We don't prefix our getters with
        anything in WebKit. Also, this isn't a getter. It actually does work to transform
        the stackmaps into a hashmap. So, computeRecordMap is a much better name.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::computeRecordMap):
        * ftl/FTLStackMaps.h:

2014-02-10  Matthew Mirman  <mmirman@apple.com>

        ReallocatePropertyStorage in FTL
        https://bugs.webkit.org/show_bug.cgi?id=128352

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
        * tests/stress/ftl-reallocatepropertystorage.js: Added.
        (foo):

2014-02-10  Michael Saboff  <msaboff@apple.com>

        Fail FTL compilation if the required stack is too big
        https://bugs.webkit.org/show_bug.cgi?id=128560

        Reviewed by Filip Pizlo.

        Added StackSize struct to FTLStackMaps and populated it.  Added and updated
        related dump functions.  Use the stack size found at the end of the compilation
        to compare against the value of a new option, llvmMaxStackSize.  We fail the
        compile if the function's stack size is greater than llvmMaxStackSize.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::StackSize::parse):
        (JSC::FTL::StackMaps::StackSize::dump):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        (JSC::FTL::StackMaps::getStackSize):
        * ftl/FTLStackMaps.h:
        * runtime/Options.h:

2014-02-10  Mark Lam  <mark.lam@apple.com>

        Change JSLock::dropAllLocks() and friends to use lock() and unlock().
        <https://webkit.org/b/128451>

        Reviewed by Geoffrey Garen.

        Currently, JSLock's dropAllLocks(), dropAllLocksUnconditionally(), and
        grabAllLocks() implement locking / unlocking by duplicating the code from
        lock() and unlock(). Instead, they should just call lock() and unlock().

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        - Modified lock() and unlock() into a version that takes an entry count
          to lock / unlock. The previous lock() and unlock() now calls these
          new versions with an entry count of 1.

        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        - Delegate to unlock() and lock() instead of duplicating the lock / unlock
          code.
        - There a some differences with calling lock() instead of duplicating its
          code in grabAllLock() i.e. lock() does the following additional work:

          1. lock() does a re-entry check that is not needed by grabAllLocks().
             However, this is effectively a no-op since we never own the JSLock
             before calling grabAllLocks().

          2. set VM stackPointerAtVMEntry.
          3. update VM stackLimit and reservedZoneSize.
          4. set VM lastStackTop.
             These 3 steps are just busy work which are also effective no-ops
             because immediately after lock() returns, grabAllLocks() will write
             over those values with their saved versions in the threadData.

        * runtime/JSLock.h:

2014-02-10  Anders Carlsson  <andersca@apple.com>

        Try to fix the Windows build.

        * heap/UnconditionalFinalizer.h:
        * runtime/SymbolTable.h:

2014-02-10  Andreas Kling  <akling@apple.com>

        Make the Identifier::add() family return PassRef<StringImpl>.
        <https://webkit.org/b/128542>

        This knocks one branch off of creating an Identifier from another
        string source.

        Reviewed by Oliver Hunt.

        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        (JSC::Identifier::addSlowCase):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):

2014-02-09  Mark Lam  <mark.lam@apple.com>

        Remove unnecessary spinLock in JSLock.
        <https://webkit.org/b/128450>

        Reviewed by Filip Pizlo.

        The JSLock's mutex already provides protection for write access to
        JSLock's internal state. The only JSLock state that needs to be read
        from any thread including threads that don't own the JSLock is
        m_ownerThread, which is used in currentThreadIsHoldingLock() to do an
        ownership test on the lock.

        It is safe for other threads to read from m_ownerThread because they
        only need to know whether its value matches their own thread id
        (provided by WTF::currentThread()).

        Here are the scenarios for how the ownership test can go:

        1. The JSLock has just been initialized and is not owned by any thread.

           In this case, m_ownerThread will be 0 and will not match any thread's
           thread id. The checking thread will know that it needs to lock the
           JSLock before using the VM.

        2. The JSLock was previously locked, but now is unlocked.

           When we unlock it in JSLock::unlock(), the owner thread clears
           m_ownerThread to 0. Hence, this case is the same as (1) above.

        3. The JSLock is locked by Thread A. Thread B is checking ownership.

           In this case, m_ownerThread will contains the Thread A's thread id.
           Thread B will see that the thread id does not match its own and will
           proceed to block on the JSLock's mutex to wait for its turn to use
           the VM.

           With Weak Memory Ordering architectures, Thread A's thread id may
           not get written out to memory before Thread B inspects m_ownerThread.
           However, though Thread B may not see Thread A's thread id in
           m_ownerThread, it will see 0 which is the last value written to it
           before the JSLock mutex was unlocked. The mutex unlock would have
           executed a memory fence which would have flushed the 0 to
           m_ownerThread in memory. Hence, Thread B will know that it does not
           own the lock.

        Apart from removing the unneeded spin lock code, I also changed the
        JSLock code to use currentThreadIsHoldingLock() and setOwnerThread()
        instead of accessing m_ownerThread directly.

        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):

        (JSC::JSLock::lock):
        - Removed spinLock but left the indentation as is to keep the diff to a
          minimum for better readability. Will unindent in a subsequent patch.

        (JSC::JSLock::unlock):
        - Before unlocking the mutex, clear m_ownerThread to indicate that the
          lock is no longer owned.

        (JSC::JSLock::currentThreadIsHoldingLock):
        - Removed the check of m_lockCount for determining ownership. Checking
          m_ownerThread is sufficient.

        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        - Renamed local locksToDrop to the better name droppedLockCount.
        - Clear m_ownerThread since we're unlocking the JSLock.

        (JSC::JSLock::grabAllLocks):
        - Removed unneeded lock ownership test for lock re-entry case because
          grabAllLocks() is never used to re-enter a locked JSLock.

        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):

        * runtime/JSLock.h:
        (JSC::JSLock::setOwnerThread):

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/163796

        The change was not justified in any way and it has a net negative effect on the code.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGArgumentPosition.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGAvailability.h:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBasicBlockInlines.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberize.h:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.cpp:
        * dfg/DFGDriver.h:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.cpp:
        * dfg/DFGNode.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:

2014-02-10  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com> 
 
        Remove extra includes from DFG 
        https://bugs.webkit.org/show_bug.cgi?id=126983 
 
        Reviewed by Andreas Kling. 

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGArgumentPosition.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGAtTailAbstractState.h:
        * dfg/DFGAvailability.h:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBasicBlockInlines.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberize.h:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.cpp:
        * dfg/DFGDriver.h:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGInlineCacheWrapperInlines.h:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.cpp:
        * dfg/DFGNode.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPhase.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        JSC environment variables should override other mechanisms for setting options
        https://bugs.webkit.org/show_bug.cgi?id=128511

        Reviewed by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::Options::setOption):
        * runtime/Options.h:

2014-02-10  Darin Adler  <darin@apple.com>

        Stop using String::deprecatedCharacters to call WTF::Collator
        https://bugs.webkit.org/show_bug.cgi?id=128517

        Reviewed by Alexey Proskuryakov.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncLocaleCompare): Use the default constructor for Collator, which now
        gives the default locale collation rules. Use the new arguments for Collator::collate, which
        are now StringView. These two changes together eliminate the need for a separate helper function.

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        <1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput')
        https://bugs.webkit.org/show_bug.cgi?id=128278

        Reviewed by Mark Hahnenberg.
        
        Fix another FTL flake due to bytecode liveness corner cases. Hopefully it's the last
        one.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock): Make sure that inside a constructor, the 'this' result is always set. This makes it easier to unify the treatment of 'this' for OSR exit: we just say that it's always live.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isLiveInBytecode): Assume that 'this' is live. We were already sort of doing this for calls because the callsite would claim it to be live. But we didn't do it for constructors. It's true that *at the callsite* 'this' won't be live, but inside the inlined constructor, it almost certainly will be.
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run): I just noticed this benign bug. We should only return 'true' if we actually injected checks.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make it easier to just dump disassembly for FTL OSR exits.
        * runtime/Options.h: Ditto.
        * tests/stress/inlined-constructor-this-liveness.js: Added.
        (Foo):
        (foo):
        * tests/stress/inlined-function-this-liveness.js: Added.
        (bar):
        (foo):

2014-02-10  Filip Pizlo  <fpizlo@apple.com>

        Actually register those DFG::Safepoints
        https://bugs.webkit.org/show_bug.cgi?id=128521

        Reviewed by Mark Hahnenberg.
        
        No test because GC + thread + JIT = ???.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::begin):

2014-02-10  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Fix EFL build with INSPECTOR disabled
        https://bugs.webkit.org/show_bug.cgi?id=125064

        Reviewed by Csaba Osztrogonác.

        * inspector/InjectedScriptManager.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        (Inspector):

2014-02-09  Filip Pizlo  <fpizlo@apple.com>

        GC blocks on FTL and then badness
        https://bugs.webkit.org/show_bug.cgi?id=128291

        Reviewed by Oliver Hunt.
        
        Introduce the notion of a DFG::Safepoint, which allows you to unlock the rightToRun
        mutex for your JIT thread, while supplying the GC with all of the information it would
        need to scan you at that moment in time. The default way of using this is
        DFG::GraphSafepoint, where you just supply the Graph. There's a lot of machinery in
        this patch just to make the Graph scannable.
        
        We then use DFG::GraphSafepoint in just two places for now: (1) while initializing LLVM
        and (2) while invoking LLVM' optimizer and backend.
        
        This is a 30% speed-up on Octane/typescript and a 10% speed-up on Octane/gbemu. 2-3%
        speed-up overall on Octane.
        
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::visitChildren):
        * dfg/DFGGraph.h:
        * dfg/DFGGraphSafepoint.cpp: Added.
        (JSC::DFG::GraphSafepoint::GraphSafepoint):
        (JSC::DFG::GraphSafepoint::~GraphSafepoint):
        * dfg/DFGGraphSafepoint.h: Added.
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * dfg/DFGSafepoint.cpp: Added.
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::add):
        (JSC::DFG::Safepoint::begin):
        (JSC::DFG::Safepoint::visitChildren):
        * dfg/DFGSafepoint.h: Added.
        * dfg/DFGScannable.h: Added.
        (JSC::DFG::Scannable::Scannable):
        (JSC::DFG::Scannable::~Scannable):
        * dfg/DFGThreadData.cpp: Added.
        (JSC::DFG::ThreadData::ThreadData):
        (JSC::DFG::ThreadData::~ThreadData):
        * dfg/DFGThreadData.h: Added.
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::visitChildren):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::appendUnbarrieredReadOnlyPointer):
        (JSC::SlotVisitor::appendUnbarrieredReadOnlyValue):

2014-02-09  Filip Pizlo  <fpizlo@apple.com>

        Never include *Inlines.h files in interface headers, and never include *Inlines.h when you could include Operations.h instead
        https://bugs.webkit.org/show_bug.cgi?id=128505

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        * API/JSContextRef.cpp:
        * assembler/LinkBuffer.cpp:
        * bytecode/ArrayProfile.cpp:
        * bytecode/BytecodeBasicBlock.cpp:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        * bytecode/CallLinkInfo.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        * bytecode/ExecutionCounter.cpp:
        * bytecode/MethodOfGettingAValueProfile.cpp:
        * bytecode/PreciseJumpTargets.cpp:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * bytecode/SamplingTool.cpp:
        * bytecode/SpecialPointer.cpp:
        * bytecode/StructureStubClearingWatchpoint.cpp:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGAbstractHeap.cpp:
        * dfg/DFGAbstractValue.cpp:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGArithMode.cpp:
        * dfg/DFGArrayMode.cpp:
        * dfg/DFGAtTailAbstractState.cpp:
        * dfg/DFGAvailability.cpp:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        * dfg/DFGBasicBlock.cpp:
        * dfg/DFGBinarySwitch.cpp:
        * dfg/DFGBlockInsertionSet.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFAPhase.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGClobberSet.cpp:
        * dfg/DFGClobberize.cpp:
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommonData.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        * dfg/DFGDesiredIdentifiers.cpp:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredWatchpoints.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGDominators.cpp:
        * dfg/DFGEdge.cpp:
        * dfg/DFGFailedFinalizer.cpp:
        * dfg/DFGFinalizer.cpp:
        * dfg/DFGFixupPhase.cpp:
        * dfg/DFGFlushFormat.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGFlushedAt.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGInPlaceAbstractState.cpp:
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.cpp:
        * dfg/DFGJumpReplacement.cpp:
        * dfg/DFGLICMPhase.cpp:
        * dfg/DFGLazyJSValue.cpp:
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGLongLivedState.cpp:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        * dfg/DFGMinifiedNode.cpp:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNode.cpp:
        * dfg/DFGNodeFlags.cpp:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        * dfg/DFGOSRExitJumpPlaceholder.cpp:
        * dfg/DFGOSRExitPreparation.cpp:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPhase.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGPredictionInjectionPhase.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGResurrectionForValidationPhase.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        * dfg/DFGSSALoweringPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGStoreBarrierElisionPhase.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        * dfg/DFGThunks.cpp:
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        * dfg/DFGUnificationPhase.cpp:
        * dfg/DFGUseKind.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGValueSource.cpp:
        * dfg/DFGVariableAccessDataDump.cpp:
        * dfg/DFGVariableEvent.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * disassembler/Disassembler.cpp:
        * ftl/FTLLink.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::slowPathCallThunkGenerator):
        * heap/BlockAllocator.cpp:
        * heap/CodeBlockSet.cpp:
        * heap/ConservativeRoots.cpp:
        * heap/DeferGC.cpp:
        * heap/GCThread.cpp:
        * heap/GCThreadSharedData.cpp:
        * heap/HeapTimer.cpp:
        * heap/IncrementalSweeper.cpp:
        * heap/JITStubRoutineSet.cpp:
        * heap/MachineStackMarker.cpp:
        * heap/MarkStack.cpp:
        * heap/MarkedAllocator.cpp:
        * heap/MarkedSpace.cpp:
        * heap/SuperRegion.cpp:
        * heap/Weak.cpp:
        * heap/WeakHandleOwner.cpp:
        * heap/WeakSet.cpp:
        * heap/WriteBarrierBuffer.cpp:
        * heap/WriteBarrierSupport.cpp:
        * inspector/ScriptCallStackFactory.cpp:
        * interpreter/AbstractPC.cpp:
        * interpreter/JSStack.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * interpreter/VMInspector.cpp:
        * jit/ArityCheckFailReturnThunks.cpp:
        * jit/AssemblyHelpers.cpp:
        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.cpp:
        * jit/HostCallReturnValue.cpp:
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        * jit/JITExceptions.cpp:
        * jit/JITInlines.h:
        * jit/JITOperations.cpp:
        * jit/JITOperationsMSVC64.cpp:
        * jit/JITStubRoutine.cpp:
        * jit/JITStubs.cpp:
        * jit/JITToDFGDeferredCompilationCallback.cpp:
        * jit/RegisterPreservationWrapperGenerator.cpp:
        * jit/RegisterSet.cpp:
        * jit/Repatch.cpp:
        * jit/TempRegisterSet.cpp:
        * jsc.cpp:
        * parser/Lexer.cpp:
        * parser/Parser.cpp:
        * parser/ParserArena.cpp:
        * parser/SourceCode.cpp:
        * parser/SourceProvider.cpp:
        * parser/SourceProviderCache.cpp:
        * profiler/ProfileGenerator.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/Operations.h:
        * runtime/VM.cpp:

2014-02-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, don't mark isHostFunction() inline in the header file because that really confuses EFL.

        * runtime/JSFunction.h:

2014-02-09  Anders Carlsson  <andersca@apple.com>

        Add WTF_MAKE_FAST_ALLOCATED to more classes
        https://bugs.webkit.org/show_bug.cgi?id=128506

        Reviewed by Andreas Kling.

        * bytecode/UnlinkedInstructionStream.h:
        * runtime/SymbolTable.h:
        * runtime/WriteBarrier.h:

2014-02-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API NSDate conversion is off by 1000x (ms vs s)
        https://bugs.webkit.org/show_bug.cgi?id=128386

        Reviewed by Michael Saboff.

        * API/JSValue.mm:
        (valueToObjectWithoutCopy):
        (valueToDate):
        (objectToValueWithoutCopy):
        * API/tests/DateTests.h: Added.
        * API/tests/DateTests.mm: Added.
        (+[DateTests NSDateToJSDateTest]):
        (+[DateTests JSDateToNSDateTest]):
        (+[DateTests roundTripThroughJSDateTest]):
        (+[DateTests roundTripThroughObjCDateTest]):
        * API/tests/testapi.mm:
        (checkResult):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-09  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to JSCell::fastGetOwnProperty().
        <https://webkit.org/b/128497>

        Knocks off a couple of instructions.

        Reviewed by Anders Carlsson.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-02-09  Anders Carlsson  <andersca@apple.com>

        Convert some JSC code over to std::mutex
        https://bugs.webkit.org/show_bug.cgi?id=128500

        Reviewed by Dan Bernstein.

        * API/JSVirtualMachine.mm:
        (wrapperCacheMutex):
        (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
        (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
        * heap/GCThreadSharedData.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::mergeOpaqueRoots):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRootTriState):
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::registerDebuggable):
        (Inspector::RemoteInspector::unregisterDebuggable):
        (Inspector::RemoteInspector::updateDebuggable):
        (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stop):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::pushListingSoon):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::close):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
        (JSC::DemandExecutableAllocator::allocatorsMutex):

2014-02-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r163737.
        http://trac.webkit.org/changeset/163737
        https://bugs.webkit.org/show_bug.cgi?id=128491

        Caused 8+ tests to fail on Mavericks and Mountain Lion bots
        (Requested by rniwa on #webkit).

        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):

2014-02-08  Anders Carlsson  <andersca@apple.com>

        Simplify single character substrings in JSC
        https://bugs.webkit.org/show_bug.cgi?id=128483

        Reviewed by Andreas Kling.

        With the recent work to make StringImpl occupy less space, it is actually more
        efficient to allocate a single character string that it is to use createSubstringSharingImpl!
        
        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        (JSC::SmallStrings::SmallStrings):

2014-02-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Baseline JIT uses the wrong version of checkMarkWord in emitWriteBarrier
        https://bugs.webkit.org/show_bug.cgi?id=128474

        Reviewed by Michael Saboff.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier):

2014-02-08  Mark Lam  <mark.lam@apple.com>

        Rename a field and some variables in JSLock to better describe what they contain.
        <https://webkit.org/b/128475>

        Reviewed by Oliver Hunt.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:

2014-02-08  Anders Carlsson  <andersca@apple.com>

        Stop using getCharactersWithUpconvert in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=128457

        Reviewed by Andreas Kling.

        Change substituteBackreferencesSlow to take StringViews and use a StringBuilder instead of upconverting
        if the source or replacement strings area 16-bit.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferencesSlow):
        (JSC::substituteBackreferences):

2014-02-08  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/128452> Don't duplicate the list of input files for postprocess-headers.sh

        Reviewed by Dan Bernstein.

        * postprocess-headers.sh: Pull the list of headers to process out of the environment.

2014-02-08  Mark Rowe  <mrowe@apple.com>

        Fix the iOS build.

        * API/WebKitAvailability.h: Skip the workarounds specific to OS X when we're building for iOS.

2014-02-07  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/128448> Fix use of availability macros on recently-added APIs

        Reviewed by Dan Bernstein.

        * API/JSContext.h: Remove some #ifs.
        * API/JSManagedValue.h: Ditto.
        * API/WebKitAvailability.h: #define the macros that availability macros mentioning
        newer OS X versions would expand to when building on older OS versions.
        * JavaScriptCore.xcodeproj/project.pbxproj: Call the new postprocess-headers.sh.
        * postprocess-headers.sh: Extracted from the Xcode project. Updated to remove content
        from headers based on the __MAC_OS_X_VERSION_MIN_REQUIRED macro, and to
        process WebKitAvailability.h.

2014-02-07  Mark Lam  <mark.lam@apple.com>

        JSLock should not "restore" VM stack values if it did not re-grab locks.
        <https://webkit.org/b/128447>

        Reviewed by Geoffrey Garen.

        In the existing code, if DropAllLocks is instantiate with DontAlwaysDropLocks
        in a thread that does not own the JSLock, then a bug will manifest where:

        1. The DropAllLocks constructor will save the VM's stackPointerAtEntry,
           lastStackTop, and reservedZoneSize even though it will not drop the JSLock.
        2. The DropAllLocks destructor will restore those 3 values to the VM even
           though the JSLock will not grab its internal lock.

        The former only causes busy work but does not impact correctness. The latter
        however, will corrupt those 3 VM values which belong to the thread that
        actually owns the JSLock.

        The fix is to only save the values when the JSLock will actually drop its
        internal lock, and only restore the values if it did re-grab the internal lock.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        - Moved the saving of VM stack values to dropAllLocks() and
          dropAllLocksUnconditionally().
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        - Moved the restoring of VM stack values to grabAllLocks().

2014-02-07  Filip Pizlo  <fpizlo@apple.com>

        Don't throw away code if there is code on the worklists
        https://bugs.webkit.org/show_bug.cgi?id=128443

        Reviewed by Joseph Pecoraro.
        
        If we throw away compiled code and there is code currently being JITed then the JIT
        will get confused after it resumes: it will see a code block that had claimed to belong
        to an executable except that it doesn't belong to any executables anymore.

        * dfg/DFGWorklist.h:
        (JSC::DFG::Worklist::isActive):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-02-07  Filip Pizlo  <fpizlo@apple.com>

        GC should safepoint the DFG worklist in a smarter way rather than just waiting for everything to complete
        https://bugs.webkit.org/show_bug.cgi?id=128297

        Reviewed by Oliver Hunt.
        
        This makes DFG worklist threads have a rightToRun lock that gives them the ability to
        be safepointed by the GC in much the same way as you'd expect from a fully
        multithreaded VM.
        
        The idea is that the worklist threads's roots are the DFG::Plan. They only touch those
        roots when holding the rightToRun lock. They currently grab that lock to run the
        compiler, but relinquish it when accessing - and waiting on - the worklist.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark):
        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren):
        * dfg/DFGCompilationKey.h:
        * dfg/DFGDesiredStructureChains.cpp:
        (JSC::DFG::DesiredStructureChains::visitChildren):
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredTransitions.cpp:
        (JSC::DFG::DesiredTransition::visitChildren):
        (JSC::DFG::DesiredTransitions::visitChildren):
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::visitChildren):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::visitChildren):
        (JSC::DFG::DesiredWriteBarriers::visitChildren):
        * dfg/DFGDesiredWriteBarriers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::suspendAllThreads):
        (JSC::DFG::Worklist::resumeAllThreads):
        (JSC::DFG::Worklist::visitChildren):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::threadFunction):
        * dfg/DFGWorklist.h:
        (JSC::DFG::numberOfWorklists):
        (JSC::DFG::worklistForIndexOrNull):
        * heap/CodeBlockSet.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::visitChildren):
        * runtime/IntendedStructureChain.h:
        * runtime/VM.cpp:
        (JSC::VM::~VM):
        (JSC::VM::prepareToDiscardCode):

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Unify JSLock implementation for iOS and non-iOS ports.
        <https://webkit.org/b/128409>

        Reviewed by Michael Saboff.

        The iOS and non-iOS implementations of dropAllLocks(),
        dropAllLocksUnconditionally(), and grabAllLocks() effectively do the
        same work. The main difference is that the iOS implementation acquires
        the JSLock spin lock in the DropAllLocks class while the other ports
        acquire it when it calls JSLock::lock() and unlock().

        The other difference is that the iOS implementation will only increment
        m_locksDropDepth if it actually drops locks, whereas other ports will
        increment it unconditionally. Analogously, iOS decrements the depth only
        when needed while other ports will decrement it unconditionally when
        re-grabbing locks.

        We can unify the 2 implementations by having both use the iOS
        implementation for a start.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):

2014-02-06  Filip Pizlo  <fpizlo@apple.com>

        More FTL build scaffolding
        https://bugs.webkit.org/show_bug.cgi?id=128330

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:
        * llvm/library/LLVMAnchor.cpp:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        iOS port needs to clear VM::stackPointerAtVMEntry when it drops locks.
        <https://webkit.org/b/128424>

        Reviewed by Geoffrey Garen.

        The iOS code path for dropping locks differ from the non-iOS code path
        in that it (iOS) does not clear m_vm->stackPointerAtVMEntry nor reset the
        VM stack limit. This is now fixed by copying that snippit from
        JSLock::unlock().

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Removed superflous JSLock::entryStackPointer field.
        <https://webkit.org/b/128413>

        Reviewed by Geoffrey Garen.

        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        * runtime/JSLock.h:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Revert workaround committed in http://trac.webkit.org/r163595.
        <https://webkit.org/b/128408>

        Reviewed by Geoffrey Garen.

        Now that we have fixed the bugs in JSLock's stack limit adjusments
        in https://bugs.webkit.org/show_bug.cgi?id=128406, we can revert the
        workaround in r163595.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreateInGroup):
        * API/tests/testapi.js:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimitWithReservedZoneSize):
        * runtime/VM.h:

2014-02-07  Mark Lam  <mark.lam@apple.com>

        Fix bug in stack limit adjustments in JSLock.
        <https://webkit.org/b/128406>

        Reviewed by Geoffrey Garen.

        1. JSLock::unlock() was only clearing the VM::stackPointerAtEntry when
           m_vm->stackPointerAtVMEntry == entryStackPointer. FYI,
           entryStackPointer is a field in JSLock.

           When DropAllLocks::~DropAllLocks() will call JSLock::grabAllLocks()
           to relock the JSLock, JSLock::grabAllLocks() will set a new
           entryStackPointer value. Thereafter, DropAllLocks::~DropAllLocks() will
           restore the saved VM::stackPointerAtEntry, which will now defer from
           the JSLock's entryStackPointer value.

           It turns out that when m_vm->stackPointerAtVMEntry was initialized,
           it was set to whatever value entryStackPointer is set to. At no time
           do we ever expect the 2 values to differ. The only time it differs is
           when this bug manifests.

           The fix is to remove the entryStackPointer field in JSLock and its uses
           altogether.

        2. DropAllLocks was unconditionally clearing VM::stackPointerAtEntry in
           its constructor instead of letting JSLock::unlock() do the clearing.

           However, DropAllLocks will not actually drop locks if it isn't required
           to (e.g. when alwaysDropLocks is DontAlwaysDropLocks), and when we've
           already drop locks once (i.e. JSLock::m_lockDropDepth is not 0).

           We should not have cleared VM::stackPointerAtEntry here if we don't
           actually drop the locks.

        * runtime/JSLock.cpp:
        (JSC::JSLock::unlock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):

2014-02-07  Joseph Pecoraro  <pecoraro@apple.com>

        [iOS] Eliminate race between XPC connection queue and Notification queue
        https://bugs.webkit.org/show_bug.cgi?id=128384

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        Create the queue to use for RemoteInspector xpc connection
        management and the connection itself.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        Use the passed in queue instead of creating one for itself.

2014-02-07  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r160628): LLint does not appear to handle impure get own property properly
        https://bugs.webkit.org/show_bug.cgi?id=127943

        Reviewed by Filip Pizlo.

        Make sure the LLINT doesn't attempt to cache property
        access on structures with impureGetOwnPropertySlot set.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-02-06  Michael Saboff  <msaboff@apple.com>

        Workaround REGRESSION(r163195-r163227): Crash beneath NSErrorUserInfoFromJSException when installing AppleInternal.mpkg
        https://bugs.webkit.org/show_bug.cgi?id=128347

        Reviewed by Geoffrey Garen.

        Added a flag to VM class called m_ignoreStackLimit that disables stack limit checks.
        We set this flag in JSContextGroupCreate() and JSGlobalContextCreateInGroup().

        Disabled stack overflow tests in testapi.js since it uses these paths.

        THis patch will be reverted as part of a comprehensive solution to the problem.

        * API/JSContextRef.cpp:
        (JSContextGroupCreate):
        (JSGlobalContextCreateInGroup):
        * API/tests/testapi.js:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimitWithReservedZoneSize):
        * runtime/VM.h:
        (JSC::VM::ignoreStackLimit):

2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        +[JSContext currentCallee] should return the currently executing JS function
        https://bugs.webkit.org/show_bug.cgi?id=122621

        Reviewed by Geoffrey Garen.

        It would be useful if there was a +[JSContext currentObject] API which was 
        callable from ObjC API callbacks. Its purpose would be to allow convenient 
        access to the JSValue wrapper for the currently-executing block callback.

        * API/JSContext.h:
        * API/JSContext.mm:
        (+[JSContext currentCallee]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        * API/JSContextInternal.h:
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsFunction):
        (JSC::objCCallbackFunctionCallAsConstructor):
        * API/tests/testapi.mm:

2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix iOS builds after r163574

        * API/JSManagedValue.h:

2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::writeBarrier shouldn't be static
        https://bugs.webkit.org/show_bug.cgi?id=127807

        Reviewed by Geoffrey Garen.

        Currently it looks up the Heap in which to fire the write barrier by using 
        the cell passed to it. Almost every call site already has a reference to the 
        VM or the Heap itself. It seems wasteful to look it up all over again.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyWriteBarrier.h:
        (JSC::CopyWriteBarrier::set):
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * jit/JITOperations.cpp:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::set):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * runtime/Arguments.h:
        * runtime/JSWeakMap.cpp:
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.h:
        * runtime/WriteBarrier.h:
        * runtime/WriteBarrierInlines.h: Added.

2014-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSManagedValue should automatically call removeManagedReference:withOwner: upon dealloc
        https://bugs.webkit.org/show_bug.cgi?id=124053

        Reviewed by Geoffrey Garen.

        * API/JSManagedValue.h:
        * API/JSManagedValue.mm:
        (+[JSManagedValue managedValueWithValue:andOwner:]):
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue dealloc]):
        (-[JSManagedValue didAddOwner:]):
        (-[JSManagedValue didRemoveOwner:]):
        * API/JSManagedValueInternal.h: Added.
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/WebKitAvailability.h:
        * API/tests/testapi.mm:
        (-[TextXYZ click]):
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add Console support to JSContext Inspection
        https://bugs.webkit.org/show_bug.cgi?id=127941

        Reviewed by Geoffrey Garen.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new files.

        * inspector/agents/InspectorConsoleAgent.cpp: Renamed from Source/WebCore/inspector/InspectorConsoleAgent.cpp.
        * inspector/agents/InspectorConsoleAgent.h: Added.
        New agent moved from WebCore. Rename a method to work in JS only context.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Instantiate ConsoleAgent.

        * inspector/agents/JSGlobalObjectConsoleAgent.h: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Copied from Source/WebCore/inspector/PageInjectedScriptHost.h.
        (Inspector::JSGlobalObjectConsoleAgent::JSGlobalObjectConsoleAgent):
        (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject):
        JSGlobalObject implementation.

        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent):
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        Use ConsoleAgent to report logs.

        * inspector/ConsoleMessage.cpp: Renamed from Source/WebCore/inspector/ConsoleMessage.cpp.
        * inspector/ConsoleMessage.h: Renamed from Source/WebCore/inspector/ConsoleMessage.h.
        * inspector/ConsoleTypes.h: Copied from Source/WebCore/inspector/ConsoleAPITypes.h.
        * inspector/IdentifiersFactory.cpp: Renamed from Source/WebCore/inspector/IdentifiersFactory.cpp.
        * inspector/IdentifiersFactory.h: Renamed from Source/WebCore/inspector/IdentifiersFactory.h.
        * inspector/ScriptArguments.cpp: Renamed from Source/WebCore/inspector/ScriptArguments.cpp.
        * inspector/ScriptArguments.h: Renamed from Source/WebCore/inspector/ScriptArguments.h.
        * inspector/ScriptCallFrame.cpp: Renamed from Source/WebCore/inspector/ScriptCallFrame.cpp.
        * inspector/ScriptCallFrame.h: Renamed from Source/WebCore/inspector/ScriptCallFrame.h.
        * inspector/ScriptCallStack.cpp: Renamed from Source/WebCore/inspector/ScriptCallStack.cpp.
        * inspector/ScriptCallStack.h: Renamed from Source/WebCore/inspector/ScriptCallStack.h.
        * inspector/ScriptCallStackFactory.cpp: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.cpp.
        * inspector/ScriptCallStackFactory.h: Renamed from Source/WebCore/bindings/js/ScriptCallStackFactory.h.
        * inspector/protocol/Console.json: Renamed from Source/WebCore/inspector/protocol/Console.json.
        * inspector/scripts/generate-combined-inspector-json.py:

2014-02-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r163542.
        http://trac.webkit.org/changeset/163542
        https://bugs.webkit.org/show_bug.cgi?id=128324

        Caused many assertion failures (Requested by ap on #webkit).

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyWriteBarrier.h:
        (JSC::CopyWriteBarrier::set):
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * jit/JITOperations.cpp:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::set):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * runtime/Arguments.h:
        * runtime/JSWeakMap.cpp:
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrierBase::setMayBeNull):
        (JSC::WriteBarrierBase::setEarlyValue):
        (JSC::WriteBarrierBase<Unknown>::set):
        * runtime/WriteBarrierInlines.h: Removed.

2014-02-06  Oliver Hunt  <oliver@apple.com>

        Make 32bit pass the correct this value to custom getters
        https://bugs.webkit.org/show_bug.cgi?id=128313

        Reviewed by Mark Lam.

        Now that the custom getter calling convetion uses a single register
        for the slot base we can easily pass the correct |thisValue| instead
        of simply relying on the thisValue not be relevant to existing
        custom getters. This also means that 32bit can call custom getters
        directly.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):

2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::writeBarrier shouldn't be static
        https://bugs.webkit.org/show_bug.cgi?id=127807

        Reviewed by Geoffrey Garen.

        Currently it looks up the Heap in which to fire the write barrier by using 
        the cell passed to it. Almost every call site already has a reference to the 
        VM or the Heap itself. It seems wasteful to look it up all over again.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyWriteBarrier.h:
        (JSC::CopyWriteBarrier::set):
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * jit/JITOperations.cpp:
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::set):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * runtime/Arguments.h:
        * runtime/JSWeakMap.cpp:
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.h:
        * runtime/WriteBarrier.h:
        * runtime/WriteBarrierInlines.h: Added.

2014-02-04  Filip Pizlo  <fpizlo@apple.com>

        Make FTL OSR entry something we only try after we've already compiled the function with the FTL and it still got stuck in a loop after that without ever returning like a sensible function oughta have
        https://bugs.webkit.org/show_bug.cgi?id=128234

        Reviewed by Geoffrey Garen.
        
        Use DFG::JITCode::osrEntryRetry as a counter to decide when to invoke OSR entry. That
        comes into play only after we've done a replacement compile.
        
        This appears to still give us a speed-up on the kinds of things that OSR entry is good
        for, while also eliminating pointless OSR entry compilations on other things.

        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::JITCode):
        * dfg/DFGJITCode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * runtime/Options.h:

2014-02-04  Filip Pizlo  <fpizlo@apple.com>

        Don't speculate on ToThis if we already know that arg0 has a questionable record with structure checks
        https://bugs.webkit.org/show_bug.cgi?id=128229

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Handling of opaque roots is wrong in EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=128210

        Reviewed by Oliver Hunt.

        The set of opaque roots is always cleared during each collection. We should instead persist 
        the set of opaque roots across EdenCollections and only clear it at the beginning of FullCollections.

        Also added a couple of custom objects to the jsc shell that allow us to test this.

        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::reset):
        (JSC::GCThreadSharedData::didStartMarking):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC::Heap::setShouldDoFullCollection):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        * heap/SlotVisitor.h:
        * jsc.cpp:
        (WTF::Element::Element):
        (WTF::Element::root):
        (WTF::Element::setRoot):
        (WTF::Element::create):
        (WTF::Element::createStructure):
        (WTF::ElementHandleOwner::isReachableFromOpaqueRoots):
        (WTF::Root::Root):
        (WTF::Root::element):
        (WTF::Root::setElement):
        (WTF::Root::create):
        (WTF::Root::createStructure):
        (WTF::Root::visitChildren):
        (WTF::Element::handleOwner):
        (WTF::Element::finishCreation):
        (GlobalObject::finishCreation):
        (functionCreateRoot):
        (functionCreateElement):
        (functionGetElement):
        (functionSetElementRoot):
        (functionGCAndSweep):
        (functionFullGC):
        (functionEdenGC):

2014-02-05  Anders Carlsson  <andersca@apple.com>

        Remove unused functions.

        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpObject.cpp:

2014-02-05  Oliver Hunt  <oliver@apple.com>

        Change custom getter signature to make the base reference an object pointer
        https://bugs.webkit.org/show_bug.cgi?id=128279

        Reviewed by Geoffrey Garen.

        Make custom getters take a JSObject* instead of EncodedJSValue as the base
        reference.  This allows us to drop one pointer from the JSVALUE32_64 calling
        convention.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * jit/JITOperations.cpp:
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::nameGetter):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):

2014-02-05  Andreas Kling  <akling@apple.com>

        Remove ENABLE(DIRECTORY_UPLOAD).
        <https://webkit.org/b/128275>

        Rubber-stamped by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2014-02-05  Filip Pizlo  <fpizlo@apple.com>

        Rename useExperimentalFTL to useFTLJIT.

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * runtime/Options.h:

2014-02-05  Brian Burg  <bburg@apple.com>

        Web Inspector: add probe manager and model objects to the frontend
        https://bugs.webkit.org/show_bug.cgi?id=127117

        Reviewed by Timothy Hatcher.

        The inspector frontend now assigns breakpoint action identifiers,
        rather than the backend. Remove return values containing breakpoint
        identifiers, and remove tracking and assignment of action identifiers.

        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
        Pass BreakpointAction by reference rather than just the action identifier.

        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/protocol/Debugger.json: Revert change to setBreakpoint return values. Add optional identifier to breakpoint actions.

2014-02-05  Filip Pizlo  <fpizlo@apple.com>

        JSC on Mac should pull LLVM from prefix=/usr/local/LLVMForJavaScriptCore and not /usr/local
        https://bugs.webkit.org/show_bug.cgi?id=128269

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix 32-bit builds after r163471

        * dfg/DFGOSRExitCompilerCommon.cpp:

2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Can no longer run OctaneV2 in browser, crashes in speculationFromCell
        https://bugs.webkit.org/show_bug.cgi?id=128266

        Reviewed by Filip Pizlo.

        Move the OSR exit write barriers into OSRExitCompilerCommon. Also reorganize some 
        of the code to be in more appropriate places.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::genericWriteBarrier):

2014-02-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Malloc called beneath MachineThreads::gatherFromOtherThread(), while forbidden
        https://bugs.webkit.org/show_bug.cgi?id=128202

        Reviewed by Geoffrey Garen.

        This patch uses the new GCSegmentedArray to replace the Vector that was used 
        to record the set of currently executing CodeBlocks during the conservative 
        stack scan. This is primarily to avoid the possibility of the Vector resizing 
        while FastMalloc is forbidden.

        * heap/BlockAllocator.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::CodeBlockSet):
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/CodeBlockSet.h:
        * heap/GCSegmentedArray.h:
        (JSC::GCSegmentedArray::begin):
        (JSC::GCSegmentedArray::end):
        (JSC::GCSegmentedArrayIterator::GCSegmentedArrayIterator):
        (JSC::GCSegmentedArrayIterator::get):
        (JSC::GCSegmentedArrayIterator::operator*):
        (JSC::GCSegmentedArrayIterator::operator->):
        (JSC::GCSegmentedArrayIterator::operator==):
        (JSC::GCSegmentedArrayIterator::operator!=):
        (JSC::GCSegmentedArrayIterator::operator++):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2014-02-05  Wojciech Bielawski  <w.bielawski@samsung.com>

        XMLHttpRequest performs too many copies for ArrayBuffer results
        https://bugs.webkit.org/show_bug.cgi?id=117458

        Reviewed by Alexey Proskuryakov.

        Based on blink change: https://chromium.googlesource.com/chromium/blink/+/bed266aa5a43f7c080c87e527bd35e2b80ecc7b7

        Add SharedBuffer::createArrayBuffer() and use it to create XMLHttpRequest's response in ArrayBuffer
        This cuts
            - two memsets (in ArrayBuffer::create and SharedBuffer::m_buffer::resize)
            - one copy (SharedBuffer::m_buffer to ArrayBufferContents::m_data)
            - one allocation (SharedBuffer::m_buffer)

        * runtime/ArrayBuffer.h:

2014-02-05  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(SVG) guards
        https://bugs.webkit.org/show_bug.cgi?id=127991

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2014-02-05  Zan Dobersek  <zdobersek@igalia.com>

        Remove CLASS_IF_GCC workarounds
        https://bugs.webkit.org/show_bug.cgi?id=128207

        Reviewed by Anders Carlsson.

        Remove the CLASS_IF_GCC macro that was defined to 'class' when using the GCC compiler.
        The macro was then used in class friendship declarations for templated classes to avoid
        corner-case compiler failures on both GCC pre-4.7 and MSVC pre-2013. The problematic
        versions of both compilers are no longer supported, so this macro is good to go.

        * heap/HeapBlock.h:
        * heap/Region.h:

2014-02-04  Mark Lam  <mark.lam@apple.com>

        The stack limit computation does not work for Windows.
        <https://webkit.org/b/128226>

        Reviewed by Geoffrey Garen.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoopRegister::CLoopRegister):
        (JSC::CLoop::execute):
        - Suppressed some compiler warnings for the C loop build.
        * runtime/VM.cpp:
        (JSC::VM::updateStackLimitWithReservedZoneSize):
        - Use the new StackBounds::recursionLimit() to compute the stack limit
          the right way.

2014-02-04  Andreas Kling  <akling@apple.com>

        Remove <iframe seamless> support.
        <https://webkit.org/b/128213>

        Rubber-stamped by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2014-02-04  Mark Lam  <mark.lam@apple.com>

        DFG::operationTypeOf() needs to set the VM::topCallFrame.
        <https://webkit.org/b/128228>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGOperations.cpp:
        - operationTypeOf() can end up calling into WebCore which may in turn
          call back to JSC, and need a valid VM::topCallFrame. So, we need to
          set the value of VM::topCallFrame at the top of operationTypeOf().

2014-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix !ENABLE(JIT) builds after r163418

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::reoptimizationRetryCounter): Return 0 if there's no way for us to reoptimize.

2014-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Reduce boilerplate in BlockAllocator.h
        https://bugs.webkit.org/show_bug.cgi?id=128222

        Reviewed by Filip Pizlo.

        There are a lot of template specializations for the various types of HeapBlocks 
        in BlockAllocator.h. We could reduce the spew by using a macro.

        * heap/BlockAllocator.h:

2014-02-04  Filip Pizlo  <fpizlo@apple.com>

        DFG PutByVal on typed arrays should detect OutOfBounds sooner
        https://bugs.webkit.org/show_bug.cgi?id=128162

        Reviewed by Mark Hahnenberg.
        
        Just wire the m_outOfBounds flag in ArrayProfile into the OutOfBounds speculation in
        DFG::ArrayMode for typed arrays.
        
        Also make it possible to have tests for convergence.
        
        Also turn one of the LayoutTests/js/dfg- tests into a stress test because it
        was relying on a specific number of recompiles. Stress tests instead take
        the approach of just running for a while. That's more robust.

        * bytecode/CodeBlock.h:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::withSpeculationFromProfile):
        (JSC::DFG::ArrayMode::withProfile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionReoptimizationRetryCount):
        * runtime/TestRunnerUtils.cpp:
        (JSC::getExecutableForFunction):
        (JSC::getSomeBaselineCodeBlockForFunction):
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):
        * runtime/TestRunnerUtils.h:
        * tests/stress/float32-repeat-out-of-bounds.js: Added.
        (foo):
        * tests/stress/int8-repeat-out-of-bounds.js: Added.
        (foo):
        * tests/stress/string-out-of-bounds-negative-proto-value.js: Added.
        (foo):

2014-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor MarkStackArray to allow more than JSCells to be stored
        https://bugs.webkit.org/show_bug.cgi?id=128203

        Reviewed by Geoffrey Garen.

        This patch refactors MarkStackArray into a separate template class named GCSegmentedArray.
        This class allows subclassing to add functionality that only MarkStackArray wants.
        Since it uses the JSC BlockAllocator instead of FastMalloc, this class can be used during 
        conservative stack scanning, which disallows using FastMalloc.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/BlockAllocator.h:
        * heap/GCSegmentedArray.h: Added.
        (JSC::GCArraySegment::GCArraySegment):
        (JSC::GCArraySegment::data):
        * heap/GCSegmentedArrayInlines.h: Added.
        (JSC::GCSegmentedArray<T>::GCSegmentedArray):
        (JSC::GCSegmentedArray<T>::~GCSegmentedArray):
        (JSC::GCSegmentedArray<T>::clear):
        (JSC::GCSegmentedArray<T>::expand):
        (JSC::GCSegmentedArray<T>::refill):
        (JSC::GCSegmentedArray<T>::fillVector):
        (JSC::GCArraySegment<T>::create):
        (JSC::GCSegmentedArray<T>::postIncTop):
        (JSC::GCSegmentedArray<T>::preDecTop):
        (JSC::GCSegmentedArray<T>::setTopForFullSegment):
        (JSC::GCSegmentedArray<T>::setTopForEmptySegment):
        (JSC::GCSegmentedArray<T>::top):
        (JSC::GCSegmentedArray<T>::validatePrevious):
        (JSC::GCSegmentedArray<T>::append):
        (JSC::GCSegmentedArray<T>::canRemoveLast):
        (JSC::GCSegmentedArray<T>::removeLast):
        (JSC::GCSegmentedArray<T>::isEmpty):
        (JSC::GCSegmentedArray<T>::size):
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::donateSomeCellsTo):
        (JSC::MarkStackArray::stealSomeCellsFrom):
        * heap/MarkStack.h:
        * heap/MarkStackInlines.h:

2014-02-04  Anders Carlsson  <andersca@apple.com>

        Rename the substring sharing StringImpl::create variants to better indicate what they do
        https://bugs.webkit.org/show_bug.cgi?id=128214

        Reviewed by Geoffrey Garen.

        * runtime/JSString.h:
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsSubstring8):
        (JSC::jsSubstring):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
        * runtime/StringPrototype.cpp:
        (JSC::jsSpliceSubstrings):
        (JSC::jsSpliceSubstringsWithSeparators):
        (JSC::replaceUsingStringSearch):

2014-02-04  Anders Carlsson  <andersca@apple.com>

        Rename StringImpl::getCharacters to StringImpl::characters
        https://bugs.webkit.org/show_bug.cgi?id=128205

        Reviewed by Antti Koivisto.

        Update for WTF changes.

        * runtime/JSStringJoiner.cpp:
        (JSC::joinStrings):
        * runtime/StringPrototype.cpp:
        (JSC::splitStringByOneCharacterImpl):

2014-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix a mismatch of uint64_t and size_t on 32-bit platforms.

        * ftl/FTLDWARFDebugLineInfo.h:

2014-01-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC needs to be able to parse DWARF debug_line info
        https://bugs.webkit.org/show_bug.cgi?id=127394

        Reviewed by Geoffrey Garen.

        If we want to encode IR maps in the DWARF debug line info metadata generated by LLVM, 
        we'll need to know how to decode the .debug_line DWARF section. This patch implements 
        an interpreter for the .debug_line DWARF section in accordance with the version 3 spec 
        published at http://www.dwarfstd.org.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLDWARFDebugLineInfo.cpp: Added.
        (JSC::FTL::DebugLineInterpreter::DebugLineInterpreter):
        (JSC::FTL::read):
        (JSC::FTL::DebugLineInterpreter::parseULEB128):
        (JSC::FTL::DebugLineInterpreter::parseSLEB128):
        (JSC::FTL::DebugLineInterpreter::run):
        (JSC::FTL::DebugLineInterpreter::parsePrologue):
        (JSC::FTL::DebugLineInterpreter::parseIncludeDirectories):
        (JSC::FTL::DebugLineInterpreter::parseFileEntries):
        (JSC::FTL::DebugLineInterpreter::parseFileEntry):
        (JSC::FTL::DebugLineInterpreter::interpretStatementProgram):
        (JSC::FTL::DebugLineInterpreter::interpretOpcode):
        (JSC::FTL::DebugLineInterpreter::printLineInfo):
        (JSC::FTL::DebugLineInterpreter::resetInterpreterState):
        * ftl/FTLDWARFDebugLineInfo.h: Added.
        (JSC::FTL::DebugLineInterpreter::Prologue::Prologue):
        * ftl/FTLValueRange.cpp: Random build fix for !ENABLE(FTL_JIT).

2014-02-04  Anders Carlsson  <andersca@apple.com>

        Rename String::getCharacters to String::characters
        https://bugs.webkit.org/show_bug.cgi?id=128196

        Reviewed by Andreas Kling.

        Update for WTF::String changes.

        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):

2014-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC needs to be able to parse DWARF debug_line info
        https://bugs.webkit.org/show_bug.cgi?id=127394

        Reviewed by Geoffrey Garen.

        If we want to encode IR maps in the DWARF debug line info metadata generated by LLVM, 
        we'll need to know how to decode the .debug_line DWARF section. This patch implements 
        an interpreter for the .debug_line DWARF section in accordance with the version 3 spec 
        published at http://www.dwarfstd.org.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLDWARFDebugLineInfo.cpp: Added.
        (JSC::FTL::DebugLineInterpreter::DebugLineInterpreter):
        (JSC::FTL::read):
        (JSC::FTL::DebugLineInterpreter::parseULEB128):
        (JSC::FTL::DebugLineInterpreter::parseSLEB128):
        (JSC::FTL::DebugLineInterpreter::run):
        (JSC::FTL::DebugLineInterpreter::parsePrologue):
        (JSC::FTL::DebugLineInterpreter::parseIncludeDirectories):
        (JSC::FTL::DebugLineInterpreter::parseFileEntries):
        (JSC::FTL::DebugLineInterpreter::parseFileEntry):
        (JSC::FTL::DebugLineInterpreter::interpretStatementProgram):
        (JSC::FTL::DebugLineInterpreter::interpretOpcode):
        (JSC::FTL::DebugLineInterpreter::printLineInfo):
        (JSC::FTL::DebugLineInterpreter::resetInterpreterState):
        * ftl/FTLDWARFDebugLineInfo.h: Added.
        (JSC::FTL::DebugLineInterpreter::Prologue::Prologue):

2014-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        ASSERT in speculateMachineInt on 32-bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=128155

        Reviewed by Filip Pizlo.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2014-02-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should always do a FullCollection
        https://bugs.webkit.org/show_bug.cgi?id=128186

        Reviewed by Michael Saboff.

        Right now the GC timer does whatever type of collection the next collection 
        would have been, which is almost always an EdenCollection. It then thinks 
        that it has done all of the work it was supposed to do and never schedules 
        another GC. Ideally we'd like to have some heuristics for the timer that 
        would schedule both EdenCollections and FullCollections, but the easiest 
        fix for now is to always do FullCollections since that will at least be 
        a non-regression.

        * heap/Heap.h:
        (JSC::Heap::gcTimerDidFire):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-02-03  Filip Pizlo  <fpizlo@apple.com>

        Lift the FTL tier-up threshold from 25000 to 100000
        https://bugs.webkit.org/show_bug.cgi?id=128158

        Rubber stamped by Michael Saboff.

        * runtime/Options.h:

2014-02-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        LLInt: Regex for pseudo-instructions is too big
        https://bugs.webkit.org/show_bug.cgi?id=128148

        Reviewed by Mark Lam.

        * offlineasm/instructions.rb:
        * offlineasm/parser.rb:

2014-02-03  Brian Burg  <bburg@apple.com>

        Web Replay: upstream base input classes and the input cursor interface
        https://bugs.webkit.org/show_bug.cgi?id=128110

        Reviewed by Joseph Pecoraro.

        Add the base class for all replay inputs. Add InputTraits, a trait that
        provides an input's queue, type, and encode/decode methods statically so
        that they can be used within templated helper functions in InputCursor and
        EncodedValue.

        Add the InputCursor base class which mediates the saving and fetching of
        replay inputs from a replay recording by instrumented nondeterministic code.

        Add a dummy cursor implementation. This allows us to return a cursor reference
        to clients even if no capturing or replaying is happening.

        Add the ability to set an InputCursor instance on a JSGlobalObject. This
        is the means for connecting a replay recording to a script context.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/EmptyInputCursor.h: Added.
        (JSC::EmptyInputCursor::~EmptyInputCursor):
        (JSC::EmptyInputCursor::create):
        (JSC::EmptyInputCursor::EmptyInputCursor):
        * replay/InputCursor.h: Added.
        (JSC::InputCursor::InputCursor):
        (JSC::InputCursor::~InputCursor):
        (JSC::InputCursor::appendInput):
        (JSC::InputCursor::fetchInput):
        * replay/NondeterministicInput.h: Added.
        (JSC::NondeterministicInputBase::NondeterministicInputBase):
        (JSC::NondeterministicInputBase::~NondeterministicInputBase):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::setInputCursor):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inputCursor):

2014-02-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix the cloop due to GenGC
        https://bugs.webkit.org/show_bug.cgi?id=128137

        Reviewed by Geoffrey Garen.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoopRegister::operator JSCell*):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:

2014-02-03  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r163011-r163031): Web Inspector: Latest nightly crashes when showing the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=127901

        Reviewed by Geoffrey Garen.

        Set VM::topCallFrame before making calls to possible C++ code in
        generateProtoChainAccessStub() and tryBuildGetByIDList().

        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):

2014-02-03  Andreas Kling  <akling@apple.com>

        Keep only captured symbols in CodeBlock symbol tables.
        <https://webkit.org/b/128050>

        Discard all uncaptured symbols at the end of codegen since only
        the captured ones will be used after that point.

        ~2MB progression on Membuster OSUS.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setSymbolTable):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):

2014-02-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix the LLInt C loop

        Rubber stamped by Mark Lam.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * llint/LLIntSlowPaths.h:

2014-02-03  Dean Jackson  <dino@apple.com>

        Feature flag for shape-inside
        https://bugs.webkit.org/show_bug.cgi?id=128001

        Reviewed by Simon Fraser.

        Add CSS_SHAPE_INSIDE flag.

        * Configurations/FeatureDefines.xcconfig:

2014-02-03  Oliver Hunt  <oliver@apple.com>

        Deconstructed parameters aren't being placed in the correct scope
        https://bugs.webkit.org/show_bug.cgi?id=128126

        Reviewed by Antti Koivisto.

        Make sure we declare the bound parameter names as variables when
        we reparse.  In the BytecodeGenerator we now also directly ensure
        that bound parameters are placed in the symbol table of the function
        we're currently compiling.  We then delay binding until just before
        we start codegen for the body of the function so that we can ensure
        the function has completely initialised all scope details.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::createBindingPattern):

2014-02-03  Alexey Proskuryakov  <ap@apple.com>

        Update JS whitespace definition for changes in Unicode 6.3
        https://bugs.webkit.org/show_bug.cgi?id=127450

        Reviewed by Oliver Hunt.

        * parser/Lexer.h: (JSC::Lexer<UChar>::isWhiteSpace): Part 2 of the fix, update lexer too.

2014-02-03  Matthew Mirman  <mmirman@apple.com>

        Added GetTypedArrayByteOffset to FTL
        https://bugs.webkit.org/show_bug.cgi?id=127589

        Reviewed by Filip Pizlo.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
        * tests/stress/ftl-gettypedarrayoffset-simple.js: Added.
        (foo):
        * tests/stress/ftl-gettypedarrayoffset-wasteful.js: Added.
        (foo):

2014-02-03  Mark Lam  <mark.lam@apple.com>

        Debugger created JSActivations should account for CodeBlock::framePointerOffsetToGetActivationRegisters().
        <https://webkit.org/b/128112>

        Reviewed by Geoffrey Garen.

        Currently, when the DebuggerCallFrame creates the JSActivation object
        for a frame, it does not account for the framePointerOffsetToGetActivationRegisters()
        offset that needs to be added for DFG frames.

        Instead of special casing the fix in DebuggerCallFrame::scope(), we fix
        this by adding CodeBlock::framePointerOffsetToGetActivationRegisters() to
        callFrame->registers() in the JSActivation::create() method that does not
        explicitly take a Register*. This ensures that JSActivation::create() will
        always do the right thing instead of only being a special case for the
        LLINT and baselineJIT.

        Apart from the DebuggerCallFrame, this create() function is only called by
        slow paths in the LLINT and baselineJIT. Hence, it is not performance
        critical.

        * runtime/JSActivation.h:
        (JSC::JSActivation::create):

2014-01-31  Geoffrey Garen  <ggaren@apple.com>

        Simplified name scope creation for function expressions
        https://bugs.webkit.org/show_bug.cgi?id=128031

        Reviewed by Mark Lam.

        3X speedup on js/regress/script-tests/function-with-eval.js.

        We used to emit bytecode to push a name into local scope every
        time a function that needed such a name executed. Now, we push the name
        into scope once on the function object, and leave it there.

        This is faster, and it also reduces the number of variable resolution
        modes you have to worry about when thinking about bytecode and the
        debugger.

        This patch is slightly complicated by the fact that we don't know if
        a function needs a name scope until we parse its body. So, there's some
        glue code in here to delay filling in a function's scope until we parse
        its body for the first time.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::functionMode): Renamed
        functionNameIsInScopeToggle to functionMode.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator): No need to emit convert_this
        when debugging. The debugger will perform the conversion as needed.

        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::addCallee): Simplified this code by removing
        the "my function needs a name scope, but didn't allocate one" mode.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall): Pass a scope slot through to
        CodeBlock generation, so we can add a function name scope if the parsed
        function body requires one.

        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall): Ditto.

        * parser/NodeConstructors.h:
        (JSC::FuncExprNode::FuncExprNode):
        (JSC::FuncDeclNode::FuncDeclNode):
        * parser/Nodes.cpp:
        (JSC::FunctionBodyNode::finishParsing):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::functionMode): Updated for rename.

        * parser/ParserModes.h:
        (JSC::functionNameIsInScope):
        (JSC::functionNameScopeIsDynamic): Helper functions for reasoning about
        how crazy JavaScript language semantics are.

        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        (JSC::attemptFastSort): Updated for interface changes above.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::functionMode):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::addNameScopeIfNeeded):
        * runtime/JSFunction.h:
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::JSNameScope): Added machinery for pushing a function
        name scope onto a function when we first discover that it's needed.

2014-01-25  Darin Adler  <darin@apple.com>

        Stop using Unicode.h
        https://bugs.webkit.org/show_bug.cgi?id=127633

        Reviewed by Anders Carlsson.

        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.h:
        * yarr/YarrCanonicalizeUCS2.h:
        * yarr/YarrInterpreter.h:
        * yarr/YarrParser.h:
        * yarr/YarrPattern.h:
        Removed includes of <wtf/unicode/Unicode.h>, adding includes of
        ICU headers and <wtf/text/LChar.h> as needed to replace it.

2014-02-03  Dan Bernstein  <mitz@apple.com>

        Correctly address Darin’s review comment on the last change.

        * runtime/Watchdog.h: Changed an OS(DARWIN) guard around formerly PLATFORM(MAC)-only member
        variables to the equivalent OS(DARWIN) && !PLATFORM(EFL) && !PLATFORM(GTK).

2014-02-03  Dan Bernstein  <mitz@apple.com>

        Stop using PLATFORM(MAC) in JavaScriptCore except where it means “OS X but not iOS”
        https://bugs.webkit.org/show_bug.cgi?id=128098

        Reviewed by Darin Adler.

        * API/JSValueRef.cpp:
        (JSValueUnprotect): Added an explicit !PLATFORM(IOS) in guards for the Evernote workaround,
        which is only needed on OS X.

        * API/tests/testapi.c:
        (main): Changed PLATFORM(MAC) || PLATFORM(IOS) guards to OS(DARWIN), because they were
        surrounding tests for code that is itself guarded by OS(DARWIN).

        * runtime/Watchdog.h: Changed PLATFORM(MAC) to OS(DARWIN).

        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::begin): Changed PLATFORM(MAC) to
        OS(DARWIN) && !PLATFORM(EFL) && !PLATFORM(GTK).
        (JSC::CodeProfiling::end): Ditto.

2014-02-02  Mark Lam  <mark.lam@apple.com>

        Repatch code is passing the wrong args to lookupExceptionHandler.
        <https://webkit.org/b/128085>

        Reviewed by Oliver Hunt.

        lookupExceptionHandler() is expecting 2 args: VM*, ExecState*.
        The repatch code was only passing an ExecState*. A crash ensues.
        This is now fixed.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):

2014-02-01  Filip Pizlo  <fpizlo@apple.com>

        JSC profiler's stub info profiling support should work again
        https://bugs.webkit.org/show_bug.cgi?id=128057

        Reviewed by Mark Lam.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus): We want to know if the cache was ever reset by GC, since the DFG uses this information.
        (JSC::CodeBlock::printLocationAndOp): This shouldn't have been inline.
        (JSC::CodeBlock::printLocationOpAndRegisterOperand): Ditto.
        (JSC::CodeBlock::dumpBytecode): Dump the profiling field, and make sure that the caller can pass a StubInfoMap, which is necessary for dumping StructureStubInfo profiling.
        * bytecode/CodeBlock.h: Out-of-line some methods and add the StubInfoMap parameter.
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence): Create a StubInfoMap before dumping bytecodes.

2014-02-01  Filip Pizlo  <fpizlo@apple.com>

        JSC profiler should show reasons for jettison
        https://bugs.webkit.org/show_bug.cgi?id=128047

        Reviewed by Geoffrey Garen.
        
        Henceforth if you want to jettison a CodeBlock, you gotta tell the Profiler why you did
        it. This makes figuring out convergence issues - where some code seems to take a long
        time to get into the top tier compiler - a lot easier.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::jettison):
        (JSC::CodeBlock::addBreakpoint):
        (JSC::CodeBlock::setSteppingMode):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::Compilation):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (JSC::Profiler::Compilation::setJettisonReason):
        * profiler/ProfilerJettisonReason.cpp: Added.
        (WTF::printInternal):
        * profiler/ProfilerJettisonReason.h: Added.
        * runtime/CommonIdentifiers.h:
        * runtime/VM.cpp:
        (JSC::SetEnabledProfilerFunctor::operator()):

2014-02-01  Mark Lam  <mark.lam@apple.com>

        Saying "jitType() == JITCode::DFGJIT" is almost never correct.
        <http://webkit.org/b/128045>

        Reviewed by Filip Pizlo.

        JITCode::isOptimizingJIT(jitType()) is the right way to say it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addBreakpoint):
        (JSC::CodeBlock::setSteppingMode):
        * runtime/VM.cpp:
        (JSC::SetEnabledProfilerFunctor::operator()):

2014-02-01  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r163027?): CrashTracer: [USER] com.apple.WebKit.WebContent.Development at com.apple.JavaScriptCore: JSC::ArrayProfile::computeUpdatedPrediction + 4
        https://bugs.webkit.org/show_bug.cgi?id=128037

        Reviewed by Mark Lam.

        op_call_varargs ops now needs an ArrayProfile since DFG inlines these since
        change set r162739.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):

2014-01-31  Mark Lam  <mark.lam@apple.com>

        Gardening: fix build breakage.

        Not reviewed.

        * interpreter/CallFrame.h:

2014-01-31  Mark Lam  <mark.lam@apple.com>

        Gardening: Fix a merge problem to unbreak bots.

        Not reviewed.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):

2014-01-31  Oliver Hunt  <oliver@apple.com>

        Rollout r163195 and related patches

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Array.prototype.js: Removed.
        * builtins/BuiltinExecutables.cpp: Removed.
        * builtins/BuiltinExecutables.h: Removed.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::UnlinkedFunctionExecutable::create):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * create_hash_table:
        * dfg/DFGDominators.cpp:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGOperations.cpp:
        * generate-js-builtins: Removed.
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/Interpreter.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jsc.cpp:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntSlowPaths.cpp:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::Lexer<T>::lexExpectIdentifier):
        * parser/Nodes.cpp:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * runtime/Arguments.h:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncEvery):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Executable.h:
        (JSC::EvalExecutable::executableInfo):
        (JSC::ProgramExecutable::executableInfo):
        (JSC::isHostFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::calculatedDisplayName):
        (JSC::JSFunction::sourceCode):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::nativeFunction):
        (JSC::JSFunction::nativeConstructor):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::symbolTableHasProperty):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromiseReaction.h:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        (JSC::inlineJSValueNotStringtoString):
        (JSC::JSValue::toWTFStringInline):
        * runtime/JSStringInlines.h: Removed.
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::propertyGetter):
        (JSC::HashEntry::propertyPutter):
        (JSC::HashTable::entry):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/SetConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/Structure.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-01-31  Filip Pizlo  <fpizlo@apple.com>

        DFG->FTL tier-up shouldn't assume that LoopHints stay at the tops of loops
        https://bugs.webkit.org/show_bug.cgi?id=128030

        Reviewed by Oliver Hunt.
        
        Remove a bogus assertion. The only thing that matters is that the LoopHint had at one
        point in time been at the top of a loop header, and that it is now at the top of a
        basic block. But the basic block that it's at the top of now doesn't have to be the
        same as the loop header that it once was the top of.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        * tests/stress/tier-up-in-loop-with-cfg-simplification.js: Added.
        (foo):

2014-01-31  Mark Lam  <mark.lam@apple.com>

        Avoid eagerly creating the JSActivation when the debugger is attached.
        <https://webkit.org/b/127910>

        Reviewed by Oliver Hunt.

        Octane scores for this patch:
            baseline w/o WebInspector: 11621
            patched  w/o WebInspector: 11801
            baseline w/ WebInspector:  3295
            patched  w/ WebInspector:  7070   2.1x improvement

        1. Because debugger can potentially create a closure from any call frame,
           we need every function to allocate an activation register and check for
           the need to tear off the activation (if needed) on return.

           However, we do not need to eagerly create the activation object.
           This patch implements the optimization to defer creation of the
           activation object until we actually need it i.e. when:

           1. We encounter a "eval", "with", or "catch" statement.
           2. We've paused in the debugger, and called DebuggerCallFrame::scope().

        2. The UnlinkedCodeBlock provides a needsFullScopeChain flag that is used
           to indicate whether the linked CodeBlock will need an activation
           object or not. Under normal circumstances, needsFullScopeChain and
           needsActivation are synonymous. However, with a debugger attached, we
           want the CodeBlock to always allocate an activationRegister even if
           it does not need a "full scope chain".

           Hence, we apply the following definitions to the "flags":

           1. UnlinkedCodeBlock::needsFullScopeChain() - this flag indicates that
              the parser discovered JS artifacts (e.g. use of "eval", "with", etc.)
              that requires an activation.

              BytecodeGenerator's destinationForAssignResult() and leftHandSideNeedsCopy()
              checks needsFullScopeChain().

           2. UnlinkedCodeBlock::hasActivationRegister() - this flag indicates that
              an activation register was created for the UnlinkedCodeBlock either
              because it needsFullScopeChain() or because the debugger is attached.

           3. CodeBlock::needsActivation() reflects UnlinkedCodeBlock's
              hasActivationRegister().

        3. Introduced BytecodeGenerator::emitPushFunctionNameScope() and
           BytecodeGenerator::emitPushCatchScope() because the JSNameScope
           pushed for a function name cannot be popped unlike the JSNameScope
           pushed for a "catch". Hence, we have 2 functions to handle the 2 cases
           differently.

        4. Removed DebuggerCallFrame::evaluateWithCallFrame() and require that all
           debugger evaluations go through the DebuggerCallFrame::evaluate(). This
           ensures that debugger evaluations require a DebuggerCallFrame.

           DebuggerCallFrame::evaluateWithCallFrame() was used previously because
           we didn't want to instantiate a DebuggerCallFrame on every debug hook
           callback. However, we now only call the debug hooks when needed, and
           this no longer poses a performance problem.

           In addition, when the debug hook does an eval to test a breakpoint
           condition, it is incorrect to evaluate it without a DebuggerCallFrame
           anyway.

        5. Added some utility functions to the CallFrame to make it easier to work
           with the activation register in the frame (if present). These utility
           functions should only be called if the CodeBlock::needsActivation() is
           true (which indicates the presence of the activation register). The
           utlity functions are:

           1. CallFrame::hasActivation()
              - checks if the frame's activation object has been created.

           2. CallFrame::activation()
              - returns the frame's activation object.

           3. CallFrame::uncheckedActivation()
              - returns the JSValue in the frame's activation register. May be null.

           4. CallFrame::setActivation()
              - sets the frame's activation object.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        - added symbollic dumping of ResolveMode and ResolveType values for some
          bytecodes.
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::activationRegister):
        (JSC::CodeBlock::uncheckedActivationRegister):
        (JSC::CodeBlock::needsActivation):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::needsFullScopeChain):
        (JSC::UnlinkedCodeBlock::hasActivationRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::createActivationIfNecessary):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::emitReturn):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * debugger/Debugger.cpp:
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::pauseIfNeeded):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::evaluate):
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGGraph.h:
        - Removed an unused function DFGGraph::needsActivation().
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::activation):
        (JSC::CallFrame::setActivation):
        * interpreter/CallFrame.h:
        (JSC::ExecState::hasActivation):
        (JSC::ExecState::registers):
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::uncheckedActivation):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

        * runtime/JSScope.cpp:
        * runtime/JSScope.h:
        (JSC::resolveModeName):
        (JSC::resolveTypeName):
        - utility functions for decoding names of the ResolveMode and ResolveType.
          These are used in CodeBlock::dumpBytecode().

2014-01-31  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Crash in sanitizeStackForVMImpl when scrolling @ lifehacker.com.au
        https://bugs.webkit.org/show_bug.cgi?id=128017

        Reviewed by Filip Pizlo.

        Moved the setting and saving of VM::stackPointerAtVMEntry and the corresponding stack limit
        to JSLock and JSLock::DropAllLocks.  The saved data is now stored in per-thread in
        WTFThreadData.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:

2014-01-31  Mark Lam  <mark.lam@apple.com>

        Don't need a JSNameScope for the callee name just for the debugger.
        <https://webkit.org/b/128024>

        Reviewed by Geoffrey Garen.

        Currently, in the bytecode for a function, we push a JSNamedScope for
        the name of the function when a debugger is attached. The name scope for
        the function name is only needed for evals which can redefine the name
        to resolve to something else, and can later delete the redefined name
        which should revert the resolution of the name to the original function.
        The debugger does not need this feature because it declares all new vars
        in a temporary nested scope. Hence, we can remove the presence of the
        debugger as a criteria for pushing the JSNameScope.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::addCallee):

2014-01-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix.

        * ftl/FTLOSREntry.cpp:

2014-01-31  Oliver Hunt  <oliver@apple.com>

        Fix windows

        * generate-js-builtins:

2014-01-31  Oliver Hunt  <oliver@apple.com>

        Fix 32bit.

        * jit/JITPropertyAccess32_64.cpp:

2014-01-31  Mark Lam  <mark.lam@apple.com>

        Add options to force debugger / profiler bytecode generation.
        <https://webkit.org/b/128014>

        Reviewed by Oliver Hunt.

        Add Options::forceDebuggerBytecodeGeneration() and
        Options::forceProfilerBytecodeGeneration(). These options make it more
        convenient to do correctness testing when debugger / profiler bytecodes
        are generated.

        These options are disabled by default.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * runtime/Options.h:

2014-01-29  Oliver Hunt  <oliver@apple.com>

        Make it possible to implement JS builtins in JS
        https://bugs.webkit.org/show_bug.cgi?id=127887

        Reviewed by Michael Saboff.

        This patch makes it possible to write builtin functions in JS.
        The bindings, generators, and definitions are all created automatically
        based on js files in the builtins/ directory.  This patch includes one
        such case: Array.prototype.js with an implementation of every().

        There's a lot of refactoring to make it possible for CommonIdentifiers
        to include the output of the generated files (DerivedSources/JSCBuiltins.{h,cpp})
        without breaking the offset extractor. The result of this refactoring
        is that CommonIdentifiers, and a few other miscellaneous headers now
        need to be included directly as they were formerly captured through other
        paths.

        In addition this adds a flag to the Lookup table's hashentry to indicate
        that a static function is actually backed by JS. There is then a lot of
        logic to thread the special nature of the functon to where it matters.
        This allows toString(), .caller, etc to mimic the behaviour of a host
        function.

        Notes on writing builtins:
         - Each function is compiled independently of the others, and those
           implementations cannot currently capture all global properties (as
           that could be potentially unsafe). If a function does capture a
           global we will deliberately crash.
         - For those "global" properties that we do want access to, we use
           the @ prefix, e.g. Object(this) becomes @Object(this). The @ identifiers
           are private names, and behave just like regular properties, only
           without the risk of adulteration. Again, in the @Object case, we
           explicitly duplicate the ObjectConstructor reference on the GlobalObject
           so that we have guaranteed access to the original version of the
           constructor.
         - call, apply, eval, and Function are all rejected identifiers, again
           to prevent anything from accidentally using an adulterated object.
           Instead @call and @apply are available, and happily they completely
           drop the neq_ptr instruction as they're defined as always being the
           original call/apply functions.

        These restrictions are just intended to make it harder to accidentally
        make changes that are incorrect (for instance calling whatever has been
        assigned to global.Object, instead of the original constructor function).
        However, making a mistake like this should result in a purely semantic
        error as fundamentally these functions are treated as though they were
        regular JS code in the host global, and have no more privileges than
        any other JS.

        The initial proof of concept is Array.prototype.every, this shows a 65%
        performance improvement, and that improvement is significantly hurt by
        our poor optimisation of op_in.

        As this is such a limited function, we have not yet exported all symbols
        that we could possibly need, but as we implement more, the likelihood
        of encountering missing features will reduce.

        This did require breaking out a JSStringInlines header, and required
        fixing a few objects that were trying to using PropertyName::publicName
        rather than PropertyName::uid.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Array.prototype.js:
        (every):
        * builtins/BuiltinExecutables.cpp: Added.
        (JSC::BuiltinExecutables::BuiltinExecutables):
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/BuiltinExecutables.h:
        (JSC::BuiltinExecutables::create):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::ExecutableInfo::ExecutableInfo):
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::toStrictness):
        (JSC::UnlinkedFunctionExecutable::isBuiltinFunction):
        (JSC::UnlinkedCodeBlock::isBuiltinFunction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isBuiltinFunction):
        (JSC::BytecodeGenerator::makeFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * create_hash_table:
        * dfg/DFGOperations.cpp:
        * generate-js-builtins: Added.
        (getCopyright):
        (getFunctions):
        (generateCode):
        (mangleName):
        (FunctionExecutable):
        (Identifier):
        (JSGlobalObject):
        (SourceCode):
        (UnlinkedFunctionExecutable):
        (VM):
        * interpreter/Interpreter.cpp:
        * interpreter/ProtoCallFrame.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jsc.cpp:
        * llint/LLIntSlowPaths.cpp:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::isSafeIdentifier):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::lex):
        * parser/Lexer.h:
        (JSC::isSafeIdentifier):
        (JSC::Lexer<T>::lexExpectIdentifier):
        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables):
        * parser/Nodes.h:
        (JSC::ScopeNode::capturedVariables):
        (JSC::ScopeNode::setClosedVariables):
        (JSC::ProgramNode::closedVariables):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::didFinishParsing):
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::Scope::getUsedVariables):
        (JSC::Parser::closedVariables):
        (JSC::parse):
        * parser/ParserModes.h:
        * parser/ParserTokens.h:
        * runtime/ArgList.cpp:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        (JSC::CommonIdentifiers::getPrivateName):
        (JSC::CommonIdentifiers::getPublicName):
        * runtime/CommonIdentifiers.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Executable.h:
        (JSC::EvalExecutable::executableInfo):
        (JSC::ProgramExecutable::executableInfo):
        (JSC::FunctionExecutable::isBuiltinFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::symbolTablePut):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCellInlines.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createBuiltinFunction):
        (JSC::JSFunction::calculatedDisplayName):
        (JSC::JSFunction::sourceCode):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::objectConstructor):
        (JSC::JSGlobalObject::symbolTableHasProperty):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::putDirectBuiltinFunction):
        * runtime/JSObject.h:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSString.h:
        * runtime/JSStringInlines.h: Added.
        (JSC::JSString::getStringPropertySlot):
        (JSC::inlineJSValueNotStringtoString):
        (JSC::JSValue::toWTFStringInline):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
           Don't report private names.
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::builtinGenerator):
        (JSC::HashEntry::propertyGetter):
        (JSC::HashEntry::propertyPutter):
        (JSC::HashTable::entry):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorConstructor.h:
        * runtime/PropertySlot.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/SetConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/Structure.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::builtinExecutables):

2014-01-31  Gabor Rapcsanyi  <rgabor@webkit.org>

        Fix the ARM Thumb2 build after jsCStack branch merge
        https://bugs.webkit.org/show_bug.cgi?id=127903

        Reviewed by Michael Saboff.

        SP register cannot be used as a destination register of SUB or ADD on Thumb mode.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:

2014-01-31  Julien Brianceau  <jbriance@cisco.com>

        [arm] Add missing pushPair/popPair implementations in MacroAssemblerARM.h
        https://bugs.webkit.org/show_bug.cgi?id=127904

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::popPair):
        (JSC::MacroAssemblerARM::pushPair):

2014-01-30  Martin Robinson  <mrobinson@igalia.com>

        [GTK] [CMake] Add support for building against GTK+ 2
        https://bugs.webkit.org/show_bug.cgi?id=127959

        Reviewed by Anders Carlsson.

        * PlatformGTK.cmake: Use the new API version variable and don't use GTK3 directly.

2014-01-30  Andreas Kling  <akling@apple.com>

        CodeBlock's cloned SymbolTables only need the captured names.
        <https://webkit.org/b/127978>

        Renamed SymbolTable::clone() to SymbolTable::cloneCapturedNames()
        and make it skip over any symbols that aren't captured, since those
        won't be needed after codegen.

        This is a first step towards getting rid of redundant symbol tables.

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::cloneCapturedNames):
        * runtime/SymbolTable.h:

2014-01-28  Timothy Hatcher  <timothy@apple.com>

        Add column number and call timing support to LegacyProfiler.

        https://bugs.webkit.org/show_bug.cgi?id=127764

        Reviewed by Joseph Pecoraro.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * profiler/CallIdentifier.h:
        (JSC::CallIdentifier::CallIdentifier):
        (JSC::CallIdentifier::functionName):
        (JSC::CallIdentifier::url):
        (JSC::CallIdentifier::lineNumber):
        (JSC::CallIdentifier::columnNumber):
        (JSC::CallIdentifier::operator==):
        (JSC::CallIdentifier::operator!=):
        (JSC::CallIdentifier::Hash::hash):
        (WTF::HashTraits<JSC::CallIdentifier>::constructDeletedValue):
        (WTF::HashTraits<JSC::CallIdentifier>::isDeletedValue):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::willExecute):
        (JSC::LegacyProfiler::didExecute):
        (JSC::LegacyProfiler::exceptionUnwind):
        (JSC::LegacyProfiler::createCallIdentifier):
        (JSC::createCallIdentifierFromFunctionImp):
        * profiler/LegacyProfiler.h:
        * profiler/Profile.cpp:
        (JSC::Profile::Profile):
        * profiler/Profile.h:
        (JSC::Profile::uid):
        (JSC::Profile::idleTime):
        (JSC::Profile::setIdleTime):
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        (JSC::ProfileGenerator::stopProfiling):
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::stopProfiling):
        (JSC::ProfileNode::endAndRecordCall):
        (JSC::ProfileNode::startTimer):
        (JSC::ProfileNode::debugPrintData):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::Call::Call):
        (JSC::ProfileNode::Call::startTime):
        (JSC::ProfileNode::Call::setStartTime):
        (JSC::ProfileNode::Call::totalTime):
        (JSC::ProfileNode::Call::setTotalTime):
        (JSC::ProfileNode::id):
        (JSC::ProfileNode::functionName):
        (JSC::ProfileNode::url):
        (JSC::ProfileNode::lineNumber):
        (JSC::ProfileNode::columnNumber):
        (JSC::ProfileNode::calls):
        (JSC::ProfileNode::lastCall):
        (JSC::ProfileNode::numberOfCalls):

2014-01-26  Timothy Hatcher  <timothy@apple.com>

        Include profile with FunctionCall and EvaluateScript Timeline records.

        https://bugs.webkit.org/show_bug.cgi?id=127663

        Reviewed by Joseph Pecoraro.

        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
        * inspector/InspectorEnvironment.h:
        * inspector/JSGlobalObjectInspectorController.h:

2014-01-29  Filip Pizlo  <fpizlo@apple.com>

        FTL should support GetById(Untyped:)
        https://bugs.webkit.org/show_bug.cgi?id=127750

        Reviewed by Oliver Hunt.
        
        This was supposed to be easy. Indeed, the actual GetById UntypedUse case was easy. But
        then it expanded coverage by a lot and I got to deal with three bugs. So, this has
        some additional changes:
        
        Also make it safe for LLVM to duplicate calls to patchpoints and stackmaps. Previously
        we incorrectly assumed that if we emitted a patchpoint, then there would only be one
        copy of that patchpoint (with that ID) in the resulting machine code and in the
        stackmaps section. That's obviously a bad assumption - LLVM is allowed to do anything
        it wants so long as the outcome of executing the code has a semantically equivalent
        meaning to the IR we gave it, and duplicating code is trivially OK under this rule. We
        should be OK with it, too. The solution is to add Vectors in a bunch of places that
        previously just thought they only had one value. For example, an InlineCacheDescriptor
        now has a Vector of generators - one generator for each copy that LLVM stamped out.
        Normally there will only be one copy, of course - since duplication is usually
        unprofitable. But, if LLVM decides that copying would be groovy then we will no longer
        barf.
        
        Also fix SSA conversion. It turns out that we mishandled the case where a block had
        multiple Phi functions for the same local. If any of those CPS Phis fail to trivialize
        in the Aycock-Horspool fixpoint, we need to insert an SSA Phi. Previously, it was
        assuming that so long as the head CPS Phi was trivial, we could forego SSA Phi
        insertion. That's wrong if the head CPS Phi trivialized but ended up pointing to a
        non-trivial CPS Phi in the same block. This madness with trees of Phis occurs because
        we try to save on compile times: no Phi ever has more than three children even if the
        block has more than three predecessors; we just build out a tree of Phis to satisfy
        all predecessors. So weird.
        
        And finally, fix DFG->FTL OSR entry's reconstruction of 'this' in a constructor. That
        reconstruction code, JITCode::reconstruct(), had a work-around for the case where we
        were entering into a constructor at the prologue. In that case, 'this' is definitely
        unavailable. But the OSR code does reconstructions at LoopHints, which aren't at the
        prologue, and so 'this' should totally be available.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::tryGetVariableAccessData):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateICFastPath):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheDescriptor.h:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::codeSize):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        * ftl/FTLJSCall.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::getById):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::getRecordMap):
        * ftl/FTLStackMaps.h:
        * tests/stress/get-by-id-untyped.js: Added.
        (foo):

2014-01-30  Geoffrey Garen  <ggaren@apple.com>

        Part 2: REGRESSION: JavascriptCore crash during OS Installation (due to
        Heap::m_operationInProgress ASSERT vs DelayedReleaseScope)
        https://bugs.webkit.org/show_bug.cgi?id=127950

        Reviewed by Mark Hahnenberg.

        Scope the APICallbackShim to make sure that we re-acquire the lock
        before putting the heap back into the "unsafe to allocate" state.
        Otherwise, the heap will seem to be in the "unsafe to allocate" state
        during any GC that happens before we re-acquire the lock.

        No regression test because threads.

        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::~DelayedReleaseScope):

2014-01-30  Filip Pizlo  <fpizlo@apple.com>

        Update FTL StackMaps parser to stackSize change
        https://bugs.webkit.org/show_bug.cgi?id=127933

        Reviewed by Oliver Hunt.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::parse):

2014-01-30  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Only disable -ftree-dce optimization when compiling with GCC
        https://bugs.webkit.org/show_bug.cgi?id=127911

        Reviewed by Carlos Garcia Campos.

        * GNUmakefile.am: Only disable the -ftree-dce optimization when using the GCC compiler.
        Some Clang versions/configurations don't support the flag.

2014-01-30  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Disable optimizations for JSC that turned out malignant after jsCStack branch merge
        https://bugs.webkit.org/show_bug.cgi?id=127909

        Reviewed by Carlos Garcia Campos.

        * GNUmakefile.am: Disable the -fomit-frame-pointer optimization to achieve proper register usage
        in operationCallEval. Disable the -ftree-dce optimization since it is causing additional failures
        when using GCC 4.8, possibly due to a bug in the compiler itself.

2014-01-29  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(JAVASCRIPT_DEBUGGER) leftovers
        https://bugs.webkit.org/show_bug.cgi?id=127845

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2014-01-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Play Breakpoint Sound in Frontend
        https://bugs.webkit.org/show_bug.cgi?id=127885

        Reviewed by Timothy Hatcher.

        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
        * inspector/ScriptDebugServer.h:
        Pass the breakpoint action identifier through when the
        sound breakpoint action is triggered.

        * inspector/protocol/Debugger.json:
        New "playBreakpointActionSound" event when a "sound" breakpoint action triggers.

        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionSound):
        Send the new event so the frontend can handle it.

2014-01-29  Filip Pizlo  <fpizlo@apple.com>

        Merge final changesets from the jsCStack branch (r162969, r162975, r162992, r163004, r163069).

    2014-01-29  Filip Pizlo  <fpizlo@apple.com>
    
            DFG ArrayPop double array mishandles the NaN hole installation
            https://bugs.webkit.org/show_bug.cgi?id=127813
    
            Reviewed by Mark Rowe.
            
            Our object model for arrays inferred double dictates that we use quiet NaN (QNaN) to
            mark holes. Holes, in this context, are any entries in the allocated array buffer
            (i.e. from index 0 up to the vectorLength) that don't currently hold a value. Popping
            creates a hole, since it deletes the value at publicLength - 1.
            
            But, because of some sloppy copy-and-paste, we were storing (int64_t)0 when creating
            the hole, instead of storing QNaN. That's likely because for other kinds of arrays,
            64-bit zero is the hole marker, instead of QNaN.
            
            The attached test case illustrates the problem. In the LLInt and Baseline JIT, the
            result returned from foo() is "1.5,2.5,,4.5", since array.pop() removes 3.5 and
            replaces it with a hole and then the assignment "array[3] = 4.5" creates an element
            just beyond that hole. But, once we tier-up to the DFG, the result previously became
            "1.5,2.5,0,4.5", which is wrong. The 0 appeared because the IEEE double
            interpretation of 64-bit zero is simply zero.
            
            This patch fixes that problem. Now the DFG agrees with the other engines.
            
            This patch also fixes style. For some reason that copy-pasted code wasn't even
            indented correctly.
    
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * tests/stress/array-pop-double-hole.js: Added.
            (foo):
    
    2014-01-28  Filip Pizlo  <fpizlo@apple.com>
    
            FTL should support ArrayPush
            https://bugs.webkit.org/show_bug.cgi?id=127748
    
            Not reviewed, remove some debug code.
    
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
    
    2014-01-27  Filip Pizlo  <fpizlo@apple.com>
    
            FTL should support ArrayPush
            https://bugs.webkit.org/show_bug.cgi?id=127748
    
            Reviewed by Oliver Hunt.
    
            * ftl/FTLAbstractHeapRepository.h:
            (JSC::FTL::AbstractHeapRepository::forArrayType):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
            * tests/stress/array-push-contiguous.js: Added.
            (foo):
            * tests/stress/array-push-double.js: Added.
            (foo):
    
    2014-01-28  Filip Pizlo  <fpizlo@apple.com>
    
            FTL should support ArrayPop
            https://bugs.webkit.org/show_bug.cgi?id=127749
    
            Reviewed by Geoffrey Garen.
    
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
            * tests/stress/array-pop-contiguous.js: Added.
            (foo):
            * tests/stress/array-pop-double.js: Added.
            (foo):
            * tests/stress/array-pop-int32.js: Added.
            (foo):
    
2014-01-29  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser::m_dfgCodeBlock is sometimes uninitialized
        <rdar://problem/15939032>

        Reviewed by Dan Bernstein.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parse):

2014-01-29  Geoffrey Garen  <ggaren@apple.com>

        50% time on Dromaeo Selector * benchmark spent allocating oversized backing stores (but not in Chrome)
        https://bugs.webkit.org/show_bug.cgi?id=127879

        Reviewed by Gavin Barraclough.

        Let's not dynamically resize an array whose size is statically known,
        mmmkay?

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat): Use nullptr to disambiguate vs the numeric
        argument.

        (JSC::arrayProtoFuncSlice): The fix.

        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap): Use nullptr.

2014-01-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Run JSC Inspector EventLoop in a custom run loop mode to prevent default observers from running
        https://bugs.webkit.org/show_bug.cgi?id=127865

        Reviewed by Geoffrey Garen.

        When hitting a breakpoint in a JSContext Inspector we want to entirely
        pause the process and all access to the JSContext and only move forward
        based on debugger commands. Having the nested run loop run in a default
        mode allowed NSTimers scheduled on the thread to regularly run and
        evaluate code in the JSContext. Using a custom run loop mode gets us
        a bit closer to locking down the context. This doesn't handle scenarios
        where background threads also access the JSContext, but it handles the
        most common scenario.

        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::cycle):

2014-01-29  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Deadlock hitting breakpoint while inspecting JSContext
        https://bugs.webkit.org/show_bug.cgi?id=127864

        Reviewed by Geoffrey Garen.

        Temporarily drop the lock while we run the nested runloop.

        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):

2014-01-28  Oliver Hunt  <oliver@apple.com>

        Make DOM attributes appear to be faux accessor properties
        https://bugs.webkit.org/show_bug.cgi?id=127797

        Reviewed by Michael Saboff.

        Add flag so we can identify which properties should have the old
        custom property semantics vs. the new faux accessors. Update the
        inspector protocol accordingly.

        These faux accessors produce descriptors with "get" and "set"
        properties, but both values are undefined so can't be used
        directly. A few custom properties actually require their
        existing magical behaviour, so we now have a flag to 
        distinguish the expected output.

        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setCustomDescriptor):
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:

2014-01-29  Beth Dakin  <bdakin@apple.com>

        Build fix.

        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        * llint/LowLevelInterpreter.cpp:

2014-01-29  Dan Bernstein  <mitz@apple.com>

        Build fix.

        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added a newline at the end of the
        file.

2014-01-28  Michael Saboff  <msaboff@apple.com>

        Merge the jsCStack branch
        https://bugs.webkit.org/show_bug.cgi?id=127763

        Reviewed by Mark Hahnenberg.

        Changes from http://svn.webkit.org/repository/webkit/branches/jsCStack
        up to changeset 162958.

2014-01-29  Csaba Osztrogonác  <ossy@webkit.org>

        Remove ENABLE(JAVASCRIPT_DEBUGGER) guards
        https://bugs.webkit.org/show_bug.cgi?id=127840

        Reviewed by Mark Lam.

        * inspector/scripts/CodeGeneratorInspector.py:

2014-01-28  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r162987.
        http://trac.webkit.org/changeset/162987
        https://bugs.webkit.org/show_bug.cgi?id=127825

        Broke Mountain Lion build (Requested by andersca on #webkit).

        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/PropertyDescriptor.cpp:
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:

2014-01-28  Oliver Hunt  <oliver@apple.com>

        Make DOM attributes appear to be faux accessor properties
        https://bugs.webkit.org/show_bug.cgi?id=127797

        Reviewed by Michael Saboff.

        Add flag so we can identify which properties should have the old
        custom property semantics vs. the new faux accessors. Update the
        inspector protocol accordingly.

        These faux accessors produce descriptors with "get" and "set"
        properties, but both values are undefined so can't be used
        directly. A few custom properties actually require their
        existing magical behaviour, so we now have a flag to 
        distinguish the expected output.

        * inspector/InjectedScriptSource.js:
        (.):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::setCustomDescriptor):
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:

2014-01-28  Mark Lam  <mark.lam@apple.com>

        Remove some unneeded debugger code.
        https://bugs.webkit.org/show_bug.cgi?id=127805.

        Reviewed by Oliver Hunt.

        JSC will now always support the debugger. Hence, the #if ENABLE(JAVASCRIPT_DEBUGGER)
        checks can be removed.

        DebuggerCallFrame::callFrame() is also unused and will be removed.

        * debugger/Breakpoint.h:
        * debugger/Debugger.cpp:
        * debugger/DebuggerCallFrame.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::wrapCallFrames):
        * inspector/InjectedScript.h:
        * inspector/JSGlobalObjectScriptDebugServer.cpp:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.h:
        * inspector/JavaScriptCallFrame.cpp:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
        (Inspector::setPauseOnExceptionsState):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        * inspector/agents/InspectorRuntimeAgent.h:

2014-01-28  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: JavascriptCore crash during OS Installation (due to
        Heap::m_operationInProgress ASSERT vs DelayedReleaseScope)
        https://bugs.webkit.org/show_bug.cgi?id=127793

        Reviewed by Mark Hahnenberg.

        This was a mistaken ASSERT.

        * API/tests/testapi.mm:
        (-[EvilAllocationObject doEvilThingsWithContext:]): Added a test to verify
        that GC from a DelayedReleaseScope doesn't crash.

        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::~DelayedReleaseScope): Our contract is that
        it is valid to do anything while running a DelayedReleaseScope -dealloc
        method, so the Heap must be ready for new allocations and collections.

        Change the Heap's operationInProgress value to NoOperation while running
        -dealloc methods, so that it doesn't ASSERT in the face of new allocations
        and collections.

        * heap/Heap.h: Made DelayedReleaseScope a friend because exposing a setter
        for m_operationInProgress seemed like the worse of the two options for
        encapsulation: we don't really want arbitrary clients to set the Heap's
        m_operationInProgress.

2014-01-28  Mark Lam  <mark.lam@apple.com>

        Jettison DFG code when neither breakpoints or the profiler are active.
        <https://webkit.org/b/127766>

        Reviewed by Geoffrey Garen.

        We need to jettison the DFG CodeBlocks under the following circumstances:
        1. When adding breakpoints to a CodeBlock, jettison it if it is a DFG CodeBlock.
        2. When enabling stepping mode in a CodeBlock, jettison it if it a DFG CodeBlock.
        3. When settign the enabled profiler in the VM, we need to jettison all DFG
           CodeBlocks.

        Instead of emitting speculation checks, the DFG code will now treat Breakpoint,
        ProfileWillCall, and ProfileDidCall as no-ops similar to a Phantom node. We
        still need to track these nodes so that they match the corresponding opcodes
        in the baseline JIT when we jettison and OSR exit. Without them, we would OSR
        exit to the wrong location in the baseline JIT code.

        In DFGDriver's compileImpl() and DFGPlan's finalizeWithoutNotifyingCallback()
        we fail the compilation effort with a CompilationInvalidated result. This allows
        the DFG compiler to re-attampt the compilation of the function after some time
        if it is hot. The CompilationInvalidated result is supposed to cause the DFG
        to exercise an exponential back off before re-attempting compilation again
        (see runtime/CompilationResult.h).

        This patch improves the Octane score from ~2950 to ~3067.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addBreakpoint):
        (JSC::CodeBlock::setSteppingMode):
        * bytecode/CodeBlock.h:
        * debugger/Debugger.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::startProfiling):
        (JSC::LegacyProfiler::stopProfiling):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::SetEnabledProfilerFunctor::operator()):
        (JSC::VM::setEnabledProfiler):
        * runtime/VM.h:
        (JSC::VM::enabledProfiler):

2014-01-27  Joseph Pecoraro  <pecoraro@apple.com>

        -[JSContext evaluteScript:] calls JSEvaluteScript with startingLineNumber 0, later interpreted as a oneBasedInt
        https://bugs.webkit.org/show_bug.cgi?id=127648

        Reviewed by Geoffrey Garen.

        The actual bug being fixed here is that the line number for
        scripts evaluated via the JSC APIs is now sane. However,
        there is no good infrastructure in place right now to test that.

        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        Add tests for exception line numbers and handling of bad
        startingLineNumbers in public APIs. These tests were already
        passing, I just add them to make sure they are not regressed
        in the future.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSBase.h:
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        * API/JSObjectRef.h:
        * API/JSScriptRef.cpp:
        * API/JSScriptRefPrivate.h:
        * API/JSStringRef.h:
        - Clarify documentation that startingLineNumber is 1 based and clamped.
        - Add clamping in the implementation to put sane values into JSC::SourceProvider.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::didParseSource):
        Remove the FIXME now that the SourceProvider is giving us expected values.

2014-01-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: CRASH when debugger closes remote inspecting JSContext
        https://bugs.webkit.org/show_bug.cgi?id=127738

        Reviewed by Timothy Hatcher.

        RemoteInspectorXPCConnection could be accessed in a background dispatch
        queue, while being deallocated on the main thread when a connection
        was suddenly terminated.

        Make RemoteInspectorXPCConnection a ThreadSafeRefCounted object. Always
        keep the connection object ref'd until the main thread calls close()
        and removes its reference. At that point we can close the connection,
        queue, and deref safely on the background queue.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        For simplicity RemoteInspectorXPCConnections's don't have any threading
        primatives to prevent client callbacks after they are closed. RemoteInspector
        does, so it just ignores possible callbacks from connections it no longer
        cares about.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        Keep the connection alive as long as the queue it can be used on
        is alive. Clean up everything on the queue when close() is called.

        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        Checking if closed here is not thread safe so it is meaningless.
        Remove the check.

        (Inspector::RemoteInspectorXPCConnection::sendMessage):
        Bail based on the m_closed state.

2014-01-27  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore: Enable -Wimplicit-fallthrough and add FALLTHROUGH annotation where needed
        https://bugs.webkit.org/show_bug.cgi?id=127647

        Reviewed by Anders Carlsson.

        Explicitly annotate switch case fallthroughs in JavaScriptCore and
        enable warnings for unannotated fallthroughs.

        * dfg/DFGArithMode.h:
        (doesOverflow):
        Only insert FALLTHROUGH in release builds. In debug builds, the
        FALLTHROUGH would be unreachable (due to the ASSERT_NOT_REACHED)
        and would through a warning.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        Due to the templatized nature of this function, a fallthrough
        in one of the template expansions would be unreachable. Disable
        the warning for this function.

        * Configurations/Base.xcconfig:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        (JSC::Parser<LexerType>::parseProperty):
        * runtime/JSArray.cpp:
        (JSC::JSArray::push):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        * runtime/JSObject.h:
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::backtrackParenthesesOnceBegin):
        (JSC::Yarr::Interpreter::backtrackParenthesesOnceEnd):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
        (JSC::Yarr::Parser::CharacterClassParserDelegate::atomBuiltInCharacterClass):
        (JSC::Yarr::Parser::parseEscape):
        (JSC::Yarr::Parser::parseTokens):

2014-01-27  Andy Estes  <aestes@apple.com>

        Scrub WebKit API headers of WTF macros
        https://bugs.webkit.org/show_bug.cgi?id=127706

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_INSPECTOR.

2014-01-27  Mark Lam  <mark.lam@apple.com>

        Remove unused CodeBlock::createActivation().
        <https://webkit.org/b/127686>

        Reviewed by Filip Pizlo.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:

2014-01-26  Andreas Kling  <akling@apple.com>

        JSC: Pack unlinked instructions harder.
        <https://webkit.org/b/127660>

        Store UnlinkedCodeBlock's instructions in a variable-length stream
        to reduce memory usage. Compression rate ends up around 60-61%.

        The format is very simple. Every instruction starts with a 1 byte
        opcode. It's followed by an opcode-dependent number of argument
        values, each encoded separately for maximum packing. There are
        7 packed value formats:

            5-bit positive integer
            5-bit negative integer
            13-bit positive integer
            13-bit positive integer
            5-bit constant register index
            13-bit constant register index
            32-bit value (fallback)

        27.5 MB progression on Membuster3. (~2% of total memory.)

        Reviewed by Filip Pizlo.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/UnlinkedInstructionStream.h: Added.
        (JSC::UnlinkedInstructionStream::count):
        (JSC::UnlinkedInstructionStream::Reader::atEnd):
        * bytecode/UnlinkedInstructionStream.cpp: Added.
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):
        (JSC::append8):
        (JSC::append32):
        (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream):
        (JSC::UnlinkedInstructionStream::unpackForDebugging):
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
        (JSC::dumpLineColumnEntry):
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::setInstructions):
        (JSC::UnlinkedCodeBlock::instructions):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::BytecodeGenerator::generate):

2014-01-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Move InspectorDebuggerAgent into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=127629

        Rubber-stamped by Sam Weinig.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Add new files to the build.
        - Also, since non REMOTE_INSPECTOR ports cannot yet connect to a
          JSGlobalObject for inspection remove those files as they don't
          need to be built.

        * inspector/EventLoop.cpp: Added.
        (Inspector::EventLoop::cycle):
        * inspector/EventLoop.h: Added.
        (Inspector::EventLoop::EventLoop):
        (Inspector::EventLoop::ended):
        Add a JavaScriptCore version of EventLoop. This is currently only
        used by the Mac port for JSGlobalObject remote inspection. Keep
        the WebCore/platform version alive because for the Mac port it does
        slightly different things involving AppKit.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Create DebuggerAgent and hook up ScriptDebugServer where needed.

        * inspector/JSGlobalObjectScriptDebugServer.cpp: Added.
        (Inspector::JSGlobalObjectScriptDebugServer::JSGlobalObjectScriptDebugServer):
        (Inspector::JSGlobalObjectScriptDebugServer::addListener):
        (Inspector::JSGlobalObjectScriptDebugServer::removeListener):
        (Inspector::JSGlobalObjectScriptDebugServer::recompileAllJSFunctions):
        (Inspector::JSGlobalObjectScriptDebugServer::runEventLoopWhilePaused):
        * inspector/JSGlobalObjectScriptDebugServer.h: Added.
        Simple implementation of ScriptDebugServer with a JSGlobalObject.

        * inspector/agents/InspectorDebuggerAgent.cpp: Renamed from Source/WebCore/inspector/InspectorDebuggerAgent.cpp.
        * inspector/agents/InspectorDebuggerAgent.h: Renamed from Source/WebCore/inspector/InspectorDebuggerAgent.h.
        Copied from WebCore. A few methods need to be made virtual so that Web implementations
        can override and extend the funcitonality. E.g. sourceMapURLForScript and enable/disable.
        
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: Added.
        * inspector/agents/JSGlobalObjectDebuggerAgent.h: Added.
        (Inspector::JSGlobalObjectDebuggerAgent::JSGlobalObjectDebuggerAgent):
        (Inspector::JSGlobalObjectDebuggerAgent::startListeningScriptDebugServer):
        (Inspector::JSGlobalObjectDebuggerAgent::stopListeningScriptDebugServer):
        (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
        Simple implementation of DebuggerAGent with a JSGlobalObject.

2014-01-25  Mark Lam  <mark.lam@apple.com>

        Gardening: fix build breakage from previous commit.

        Not reviewed.

        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::debugPrintData):
        - Removed obsolete references to "visible" timers.

2014-01-25  Timothy Hatcher  <timothy@apple.com>

        Remove dead code from the JSC profiler.

        https://bugs.webkit.org/show_bug.cgi?id=127643

        Reviewed by Mark Lam.

        * profiler/Profile.cpp:
        * profiler/Profile.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::stopProfiling):
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::stopProfiling):
        (JSC::ProfileNode::endAndRecordCall):
        (JSC::ProfileNode::debugPrintData):
        (JSC::ProfileNode::debugPrintDataSampleStyle):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::totalTime):
        (JSC::ProfileNode::setTotalTime):
        (JSC::ProfileNode::selfTime):
        (JSC::ProfileNode::setSelfTime):
        (JSC::ProfileNode::totalPercent):
        (JSC::ProfileNode::selfPercent):
        Remove support for things like focus and exclude. The Inspector does those in JS now.

2014-01-25  Sam Weinig  <sam@webkit.org>

        Remove unused support for DRAGGABLE_REGION
        https://bugs.webkit.org/show_bug.cgi?id=127642

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-01-25  Darin Adler  <darin@apple.com>

        Try to fix Mac build.

        * runtime/DatePrototype.cpp: Put the include of <unicode/udat.h> inside
        a conditional since we don't have that header in our Mac build configuration.

2014-01-25  Darin Adler  <darin@apple.com>

        Call deprecatedCharacters instead of characters at more call sites
        https://bugs.webkit.org/show_bug.cgi?id=127631

        Reviewed by Sam Weinig.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::~OpaqueJSString):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::createSearchRegexSource):
        * inspector/InspectorValues.cpp:
        * runtime/Identifier.h:
        (JSC::Identifier::deprecatedCharacters):
        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::append):
        Use the new name.

2014-01-25  Darin Adler  <darin@apple.com>

        Get rid of ICU_UNICODE and WCHAR_UNICODE remnants
        https://bugs.webkit.org/show_bug.cgi?id=127623

        Reviewed by Anders Carlsson.

        * runtime/DatePrototype.cpp: Removed USE(ICU_UNICODE) checks, since that's always true now.

2014-01-25  Darin Adler  <darin@apple.com>

        [Mac] Rewrite locale-specific date formatting code to remove strange string creation
        https://bugs.webkit.org/show_bug.cgi?id=127624

        Reviewed by Anders Carlsson.

        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate): Use some smart pointers and conversion operators we already
        have to do the formatting in a more straightforward way.

2014-01-25  Anders Carlsson  <andersca@apple.com>

        Remove atomicIncrement/atomicDecrement
        https://bugs.webkit.org/show_bug.cgi?id=127625

        Reviewed by Andreas Kling.

        Replace atomicIncrement/atomicDecrement with std::atomic.

        * bytecode/Watchpoint.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::Database):
        (JSC::Profiler::Database::addDatabaseToAtExit):

2014-01-24  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Move InspectorRuntimeAgent into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=127605

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new files to the build.

        * inspector/agents/InspectorRuntimeAgent.h: Renamed from Source/WebCore/inspector/InspectorRuntimeAgent.h.
        * inspector/agents/InspectorRuntimeAgent.cpp: Renamed from Source/WebCore/inspector/InspectorRuntimeAgent.cpp.
        (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
        (Inspector::InspectorRuntimeAgent::parse):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        - Move the agent into JavaScriptCore.
        - Modernize and cleanup.
        - Make globalVM a pure virtual function for subclasses to implement.

        * inspector/agents/JSGlobalObjectRuntimeAgent.h: Added.
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: Added.
        (Inspector::JSGlobalObjectRuntimeAgent::JSGlobalObjectRuntimeAgent):
        (Inspector::JSGlobalObjectRuntimeAgent::didCreateFrontendAndBackend):
        (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
        (Inspector::JSGlobalObjectRuntimeAgent::globalVM):
        (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
        Straightforward JSGlobalObject implementation.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        Add a runtime agent when inspecting a JSContext!

2014-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Move JavaScriptCallFrame and ScriptDebugServer into JavaScriptCore for inspector
        https://bugs.webkit.org/show_bug.cgi?id=127543

        Reviewed by Geoffrey Garen.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new files.

        * inspector/ScriptDebugListener.h:
        Extract WebCore knowledge from ScriptDebugServer. This will
        eventually be made to work outside of WebCore.

        * inspector/ScriptDebugServer.h: Renamed from Source/WebCore/bindings/js/ScriptDebugServer.h.
        * inspector/ScriptDebugServer.cpp: Renamed from Source/WebCore/bindings/js/ScriptDebugServer.cpp.
        (Inspector::ScriptDebugServer::evaluateBreakpointAction):
        (Inspector::ScriptDebugServer::dispatchDidPause):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
        (Inspector::ScriptDebugServer::sourceParsed):
        (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
        (Inspector::ScriptDebugServer::handlePause):
        Modernize code, and call the new ScriptDebugListener callbacks where appropriate.

        * inspector/JSJavaScriptCallFrame.cpp: Renamed from Source/WebCore/bindings/js/JSJavaScriptCallFrameCustom.cpp.
        (Inspector::JSJavaScriptCallFrame::JSJavaScriptCallFrame):
        (Inspector::JSJavaScriptCallFrame::finishCreation):
        (Inspector::JSJavaScriptCallFrame::createPrototype):
        (Inspector::JSJavaScriptCallFrame::destroy):
        (Inspector::JSJavaScriptCallFrame::releaseImpl):
        (Inspector::JSJavaScriptCallFrame::~JSJavaScriptCallFrame):
        (Inspector::JSJavaScriptCallFrame::evaluate):
        (Inspector::JSJavaScriptCallFrame::scopeType):
        (Inspector::JSJavaScriptCallFrame::caller):
        (Inspector::JSJavaScriptCallFrame::sourceID):
        (Inspector::JSJavaScriptCallFrame::line):
        (Inspector::JSJavaScriptCallFrame::column):
        (Inspector::JSJavaScriptCallFrame::functionName):
        (Inspector::JSJavaScriptCallFrame::scopeChain):
        (Inspector::JSJavaScriptCallFrame::thisObject):
        (Inspector::JSJavaScriptCallFrame::type):
        (Inspector::toJS):
        (Inspector::toJSJavaScriptCallFrame):
        * inspector/JSJavaScriptCallFrame.h: Added.
        (Inspector::JSJavaScriptCallFrame::createStructure):
        (Inspector::JSJavaScriptCallFrame::create):
        (Inspector::JSJavaScriptCallFrame::impl):
        * inspector/JSJavaScriptCallFramePrototype.cpp: Added.
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        (Inspector::jsJavaScriptCallFrameConstantGLOBAL_SCOPE):
        (Inspector::jsJavaScriptCallFrameConstantLOCAL_SCOPE):
        (Inspector::jsJavaScriptCallFrameConstantWITH_SCOPE):
        (Inspector::jsJavaScriptCallFrameConstantCLOSURE_SCOPE):
        (Inspector::jsJavaScriptCallFrameConstantCATCH_SCOPE):
        * inspector/JSJavaScriptCallFramePrototype.h: Added.
        (Inspector::JSJavaScriptCallFramePrototype::create):
        (Inspector::JSJavaScriptCallFramePrototype::createStructure):
        (Inspector::JSJavaScriptCallFramePrototype::JSJavaScriptCallFramePrototype):
        * inspector/JavaScriptCallFrame.cpp: Renamed from Source/WebCore/bindings/js/JavaScriptCallFrame.cpp.
        (Inspector::JavaScriptCallFrame::caller):
        * inspector/JavaScriptCallFrame.h: Renamed from Source/WebCore/bindings/js/JavaScriptCallFrame.h.
        Port of JavaScriptCallFrame.idl to a set of native JS classes.

2014-01-24  Mark Lam  <mark.lam@apple.com>

        DebuggerCallFrame::evaluateWithCallFrame() should not execute a null executable.
        <https://webkit.org/b/127600>

        Reviewed by Oliver Hunt.

        In DebuggerCallFrame::evaluateWithCallFrame(), if the script string that
        is passed in is bad, it will fail to create an Executable i.e.
        EvalExecutable::create() returns a null pointer. However,
        DebuggerCallFrame::evaluateWithCallFrame() was just clearing the
        exception and proceeded to execute the null pointer as an Executable.
        A crash ensues.

        Now, if an exception is detected while creating the Executable, we
        abort instead.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithCallFrame):

2014-01-24  Oliver Hunt  <oliver@apple.com>

        Put functions need to take a base object and a this value, and perform type checks on |this|
        https://bugs.webkit.org/show_bug.cgi?id=127594

        Reviewed by Geoffrey Garen.

        Change the signature for static setter functions, and update uses

        * create_hash_table:
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):

2014-01-24  Oliver Hunt  <oliver@apple.com>

        Generic JSObject::put should handle static properties in the classinfo hierarchy
        https://bugs.webkit.org/show_bug.cgi?id=127523

        Reviewed by Geoffrey Garen.

        This patch makes JSObject::put correctly call static setters
        defined by the ClassInfo.

        To make this not clobber performance, the ClassInfo HashTable
        now includes a flag to indicate that it contains setters. This
        required updating the lut generator so that it tracked (and emitted)
        this.

        The rest of the change was making a number of the methods take
        a VM rather than an ExecState*, so that Structure could set the
        getter/setter flags during construction (if necessary).

        This also means most objects do not need to perform a lookupPut
        manually anymore, so most custom ::put's are no longer needed.
        DOMWindow is the only exception as it has interesting security
        related semantics.

        * create_hash_table:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/Lookup.h:
        (JSC::HashTable::copy):
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::put):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):

2014-01-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r162713.
        http://trac.webkit.org/changeset/162713
        https://bugs.webkit.org/show_bug.cgi?id=127593

        broke media/network-no-source-const-shadow (Requested by
        thorton on #webkit).

        * create_hash_table:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/Lookup.h:
        (JSC::HashTable::copy):
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::put):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        (JSC::RegExpConstructor::put):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::put):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):

2014-01-24  Mark Lam  <mark.lam@apple.com>

        ASSERT(!m_markedSpace.m_currentDelayedReleaseScope) reloading page in inspector.
        <https://webkit.org/b/127582>

        Reviewed by Mark Hahnenberg.

        1. We should not enter a HeapIterationScope when we iterate the CodeBlocks.
           Apparently, iterating the CodeBlocks does not count as heap iteration.

        2. If we're detaching the debugger due to the JSGlobalObject destructing,
           then we don't need to clear the debugger requests in the associated
           CodeBlocks. The JSGlobalObject destructing would mean that those
           CodeBlocks would be destructing too, and it may not be safe to access
           them anyway at this point.

        The assertion failure is because we had entered a HeapIterationScope
        while the JSGlobalObject is destructing, which in turn means that GC
        sweeping is in progress. It's not legal to iterate the heap while the GC
        is sweeping. Once we fixed the above 2 issues, we will no longer have
        the conditions that manifests this assertion failure.

        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::clearDebuggerRequests):
        * debugger/Debugger.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):

2014-01-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] Convert some NMake files to MSBuild project files
        https://bugs.webkit.org/show_bug.cgi?id=127579

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.make: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Added.

2014-01-24  Mark Lam  <mark.lam@apple.com>

        Fixed a bad assertion in CodeBlock::removeBreakpoint().
        <https://webkit.org/b/127581>

        Reviewed by Joseph Pecoraro.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::removeBreakpoint):

2014-01-24  Joseph Pecoraro  <pecoraro@apple.com>

        fast/profiler tests ASSERTing after moving recompileAllJSFunctions off a timer
        https://bugs.webkit.org/show_bug.cgi?id=127566

        Reviewed by Oliver Hunt.

        Make the VM handle recompilation as soon as possible after it is requested.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        When in a JavaScript stack, mark for recompilation when possible.

        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        Handle recompilation when the top VMEntryScope is popped.
        Pass the needs recompilation flag up the stack if needed.

2014-01-24  Oliver Hunt  <oliver@apple.com>

        Generic JSObject::put should handle static properties in the classinfo hierarchy
        https://bugs.webkit.org/show_bug.cgi?id=127523

        Reviewed by Geoffrey Garen.

        This patch makes JSObject::put correctly call static setters
        defined by the ClassInfo.

        To make this not clobber performance, the ClassInfo HashTable
        now includes a flag to indicate that it contains setters. This
        required updating the lut generator so that it tracked (and emitted)
        this.

        The rest of the change was making a number of the methods take
        a VM rather than an ExecState*, so that Structure could set the
        getter/setter flags during construction (if necessary).

        This also means most objects do not need to perform a lookupPut
        manually anymore, so most custom ::put's are no longer needed.
        DOMWindow is the only exception as it has interesting security
        related semantics.

        * create_hash_table:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/Lookup.h:
        (JSC::HashTable::copy):
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        (JSC::RegExpObject::put):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):

2014-01-24  Mark Lam  <mark.lam@apple.com>

        Skip op_profiler callbacks if !VM::m_enabledProfiler.
        https://bugs.webkit.org/show_bug.cgi?id=127567.

        Reviewed by Geoffrey Garen.

        The profiler may not be always active (recording). When it's not active
        (as in VM::m_enabledProfiler is null), then we might as well skip the
        op_profiler callbacks. The callbacks themselves were already previously
        gated by a VM::enabledProfiler() check. So, this change does not change
        any profiler behavior.

        For the DFG, we'll turn the op_profiler handling into speculation checks
        and OSR exit to the baseline JIT if the profiler becomes active.

        This brings the Octane score up to ~3000 from ~2840.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * llint/LowLevelInterpreter.asm:
        * runtime/VM.h:
        (JSC::VM::enabledProfilerAddress):

2014-01-24  Mark Lam  <mark.lam@apple.com>

        Removing the need for Debugger* and m_shouldPause op_debug check.
        <https://webkit.org/b/127532>

        Reviewed by Geoffrey Garen.

        This patch replaces the checking of the Debugger::m_shouldPause flag
        with a procedure to set a SteppingMode flag on all CodeBlocks under
        the management of the debugger. This simplifies the op_debug checking
        logic in all the execution engines.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):
        (JSC::CodeBlock::debuggerRequestsAddress):
        (JSC::CodeBlock::setSteppingMode):
        (JSC::CodeBlock::clearDebuggerRequests):
        - CodeBlock::m_debuggerRequests is a union of m_numBreakpoints and the
          new m_steppingMode. The debugger can add/remove breakpoints to the
          CodeBlock as well as set the stepping mode. By having
          m_debuggerRequests as a union of the 2 bit fields, the op_debug code
          can now check if any of the 2 requests made on the CodeBlock is still
          in effect just by testing a single int.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::detach):
        - This was bug from before where I forgot to clear the CodeBlock
          breakpoints before detaching. We now take care of it by clearing all
          debugger requests made to the CodeBlock.

        (JSC::Debugger::SetSteppingModeFunctor::SetSteppingModeFunctor):
        (JSC::Debugger::SetSteppingModeFunctor::operator()):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::ClearCodeBlockDebuggerRequestsFunctor):
        (JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor::operator()):
        (JSC::Debugger::clearBreakpoints):

        (JSC::Debugger::ClearDebuggerRequestsFunctor::ClearDebuggerRequestsFunctor):
        (JSC::Debugger::ClearDebuggerRequestsFunctor::operator()):
        (JSC::Debugger::clearDebuggerRequests):
        - We need a distinct clearDebuggerRequests() from clearBreakpoints()
          because:
          1. When we detach a globalObject, we only want to clear the debugger
             requests in CodeBlocks from that global.
          2. Clearing the debugger requests in the CodeBlocks is not the same
             as clearing the breakpoints. The breakpoints are still in effect
             for the next time a globalObject is attached, or for other
             globalObjects that are still attached.

        (JSC::Debugger::setPauseOnNextStatement):
        (JSC::Debugger::breakProgram):
        (JSC::Debugger::stepIntoStatement):
        (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::exception):
        (JSC::Debugger::willExecuteProgram):
        (JSC::Debugger::didReachBreakpoint):
        * debugger/Debugger.h:
        - We're always going to support the debugger. So, there's no longer
          a need to check ENABLE(JAVASCRIPT_DEBUGGER). Removed the unneeded code.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LowLevelInterpreter.asm:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setDebugger):

2014-01-24  Michael Saboff  <msaboff@apple.com>

        ARM Offline assembler temporary register allocator has duplicate register when building fat binaries
        https://bugs.webkit.org/show_bug.cgi?id=127545

        Reviewed by Mark Lam.

        Eliminate the conditional addition of r11/r7 from getModifiedListARMCommon as the
        .concat will add the new register to ARM_EXTRA_GPRS.  If getModifiedListARMCommon is
        invoked a second time, there will be a second r11 or r7, which messes things up.
        Instead, r6 was added to ARM_EXTRA_GPRS.  r6 is currently an unused register.

        * offlineasm/arm.rb:

2014-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Move ContentSearchUtils, ScriptBreakpoint, and ScriptDebugListener into JavaScriptCore for inspector
        https://bugs.webkit.org/show_bug.cgi?id=127537

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/ContentSearchUtilities.cpp: Renamed from Source/WebCore/inspector/ContentSearchUtils.cpp.
        (Inspector::ContentSearchUtilities::createSearchRegexSource):
        (Inspector::ContentSearchUtilities::sizetExtractor):
        (Inspector::ContentSearchUtilities::textPositionFromOffset):
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines):
        (Inspector::ContentSearchUtilities::lineEndings):
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
        (Inspector::ContentSearchUtilities::createSearchRegex):
        (Inspector::ContentSearchUtilities::countRegularExpressionMatches):
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        (Inspector::ContentSearchUtilities::scriptCommentPattern):
        (Inspector::ContentSearchUtilities::stylesheetCommentPattern):
        (Inspector::ContentSearchUtilities::findMagicComment):
        (Inspector::ContentSearchUtilities::findScriptSourceURL):
        (Inspector::ContentSearchUtilities::findScriptSourceMapURL):
        (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
        * inspector/ContentSearchUtilities.h: Renamed from Source/WebCore/inspector/ContentSearchUtils.h.
        * inspector/ScriptBreakpoint.h: Renamed from Source/WebCore/inspector/ScriptBreakpoint.h.
        (Inspector::ScriptBreakpointAction::ScriptBreakpointAction):
        (Inspector::ScriptBreakpoint::ScriptBreakpoint):
        * inspector/ScriptDebugListener.h: Renamed from Source/WebCore/inspector/ScriptDebugListener.h.
        (Inspector::ScriptDebugListener::Script::Script):
        (Inspector::ScriptDebugListener::~ScriptDebugListener):
        * runtime/RegExp.cpp:
        (JSC::RegExp::match):

2014-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Move RegularExpression into JavaScriptCore for inspector
        https://bugs.webkit.org/show_bug.cgi?id=127526

        Reviewed by Geoffrey Garen.

        Move RegularExpression into JavaScriptCore/yarr so it can
        be used later on by JavaScriptCore/inspector. Convert to
        the JSC::Yarr namespace.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * yarr/RegularExpression.cpp: Renamed from Source/WebCore/platform/text/RegularExpression.cpp.
        (JSC::Yarr::RegularExpression::Private::create):
        (JSC::Yarr::RegularExpression::Private::Private):
        (JSC::Yarr::RegularExpression::Private::compile):
        (JSC::Yarr::RegularExpression::RegularExpression):
        (JSC::Yarr::RegularExpression::~RegularExpression):
        (JSC::Yarr::RegularExpression::operator=):
        (JSC::Yarr::RegularExpression::match):
        (JSC::Yarr::RegularExpression::searchRev):
        (JSC::Yarr::RegularExpression::matchedLength):
        (JSC::Yarr::replace):
        (JSC::Yarr::RegularExpression::isValid):
        * yarr/RegularExpression.h: Renamed from Source/WebCore/platform/text/RegularExpression.h.

2014-01-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove recompileAllJSFunctions timer in ScriptDebugServer
        https://bugs.webkit.org/show_bug.cgi?id=127409

        Reviewed by Geoffrey Garen.

        * inspector/InspectorAgentBase.h:
        When disconnecting agents, provide a InspectorDisconnectReason for
        the disconnection. It could be that an inspector frontend is just
        disconnecting or that the inspected object is going away entirely
        and we can avoid doing some work.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::~JSGlobalObjectDebuggable):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::disconnectInternal):
        Pass different reasons for the different disconnects.

        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::willDestroyFrontendAndBackend):
        * inspector/InspectorAgentRegistry.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
        * inspector/agents/InspectorAgent.h:
        Pass InspectorDisconnectReason around where needed.

2014-01-23  Mark Lam  <mark.lam@apple.com>

        Enable DFG for the Debugger and Profiler.
        <https://webkit.org/b/122847>

        Reviewed by Geoffrey Garen.

        In this patch, we implement DFG op_debug as a series of 3 checks:
        1. Check if the debugger pointer is non-null. This is needed in case
           the debugger has been detached but the DFG code is still running
           on the stack.
        2. Check if Debugger::m_shouldPause is true.
        3. Check if CodeBlock::m_numBreakpoints is non-zero.

        These are the same 3 checks done in the LLINT and baselineJIT. But unlike
        the LLINT and baselineJIT, these DFG checks are implemented as
        speculationChecks. If the check fails, we OSR exit to the baselineJIT and
        let it do the work of servicing the op_debug callback.

        Stepping through code in the debugger would work the same way. The top
        function being debugged has to be a LLINT or baselineJIT function because
        we would have OSR exited if there is a breakpoint in that function. When
        we step out of that function to its caller, we expect that the caller will
        call back to the debugger at the next op_debug. If the caller function is
        a DFG function, the op_debug site will fail its speculation check on
        Debugger::m_shouldPause and deopt into a baselineJIT function. Execution
        continues from there as usual, and the debugger gets its callback.

        For the profile, op_profile_will_call and op_profile_did_call are
        implemented as simple runtime calls to service the profiler.

        With this patch, Octane performance with the WebInspector open jump from
        ~2000 to ~2500 (25% progression).

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numBreakpointsAddress):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * debugger/Debugger.cpp:
        (JSC::Debugger::toggleBreakpoint):
        - removed an obsolete assertion. The debugger can now handle DFG
          CodeBlocks too.
        * debugger/Debugger.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::debuggerAddress):

2014-01-23  Max Vujovic  <mvujovic@adobe.com>

        Remove CSS Custom Filters code and tests
        https://bugs.webkit.org/show_bug.cgi?id=127382

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-01-22  Brent Fulgham  <bfulgham@apple.com>

        [Win] Update project and solution files for 64-bit builds.
        https://bugs.webkit.org/show_bug.cgi?id=127457

        Reviewed by Eric Carlson.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Add 64-bit target.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add missing
        file from project view.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Update for VS2013
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto

2014-01-22  Mark Lam  <mark.lam@apple.com>

        Poor man's fast breakpoints for a 2.3x debugger speedup.
        <https://webkit.org/b/122836>

        Reviewed by Geoffrey Garen.

        Previously we gained back some performance (run at baseline JIT speeds)
        when the WebInspector is opened provided no breakpoints are set. This
        was achieved by simply skipping all op_debug callbacks to the debugger
        if no breakpoints are set. If any breakpoints are set, the debugger will
        set a m_needsOpDebugCallbacks flag which causes the callbacks to be
        called, and we don't get the baseline JIT speeds anymore.

        With this patch, we will now track the number of breakpoints set in the
        CodeBlock that they are set in. The LLINT and baseline JIT code will
        check CodeBlock::m_numBreakpoints to determine if the op_debug callbacks
        need to be called. With this, we will only enable op_debug callbacks for
        CodeBlocks that need it i.e. those with breakpoints set in them.

        Debugger::m_needsOpDebugCallbacks is now obsoleted. The LLINT and baseline
        JIT code still needs to check Debugger::m_shouldPause to determine if the
        debugger is in stepping mode and hence, needs op_debug callbacks enabled
        for everything until the debugger "continues" the run and exit stepping
        mode.

        Also in this patch, I fixed a regression in DOM breakpoints which relies
        Debugger::breakProgram() to pause the debugger.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        - Missed accounting for op_debug's new hasBreakpointFlag operand here when
          it was added.
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        - This is needed in Debugger::toggleBreakpoint() to determine if a
          breakpoint falls within a CodeBlock or not. Simply checking the bounds
          of the CodeBlock is insufficient. For example, let's say we have the
          following JS code:

              // begin global scope
              function f1() {
                  function f2() {
                     ... // set breakpoint here.
                  }
              }
              // end global scope

          Using the CodeBlock bounds alone, the breakpoint above will to appear
          to be in the global program CodeBlock, and the CodeBlocks for function
          f1() and f2(). With CodeBlock::hasOpDebugForLineAndColumn() we can
          rule out the global program CodeBlock and f1(), and only apply the
          breakpoint to f2(0 where it belongs.

          CodeBlock::hasOpDebugForLineAndColumn() works by iterating over all
          the opcodes in the CodeBlock to look for op_debug's. For each op_debug,
          it calls CodeBlock::expressionRangeForBytecodeOffset() to do a binary
          seach to get the line and column info for that op_debug. This is a
          N * log(N) algorithm. However, a quick hands on test using the
          WebInspector (with this patch applied) to exercise setting, breaking
          on, and clearing breakpoints, as well as stepping through some code
          shows no noticeable degradation of the user experience compared to the
          baseline without this patch.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numBreakpoints):
        (JSC::CodeBlock::numBreakpointsOffset):
        (JSC::CodeBlock::addBreakpoint):
        (JSC::CodeBlock::removeBreakpoint):
        (JSC::CodeBlock::clearAllBreakpoints):
        * debugger/Breakpoint.h:
        - defined Breakpoint::unspecifiedColumn so that we can explicitly indicate
          when the WebInspector was setting a line breakpoint and did not provide
          a column value. CodeBlock::hasOpDebugForLineAndColumn() needs this
          information in order to loosen its matching criteria for op_debug
          bytecodes for the specified breakpoint line and column values provided
          by the debugger.

          Previously, we just hijack a 0 value column as an unspecified column.
          However, the WebInspector operates on 0-based ints for column values.
          Hence, 0 should be a valid column value and should not be hijacked to
          mean an unspecified column.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        - added tracking of the VM that the debugger is used with. This is
          needed by Debugger::breakProgram().

          The VM pointer is attained from the first JSGlobalObject that the debugger
          attaches to. When the debugger detaches from the last JSGlobalObject, it
          will nullify its VM pointer to allow a new one to be set on the next
          attach.

          We were always only using each debugger instance with one VM. This change
          makes it explicit with an assert to ensure that all globalObjects that
          the debugger attaches to beongs to the same VM.

        (JSC::Debugger::attach):
        (JSC::Debugger::detach):
        (JSC::Debugger::setShouldPause):

        (JSC::Debugger::registerCodeBlock):
        (JSC::Debugger::unregisterCodeBlock):
        - registerCodeBlock() is responsible for applying pre-existing breakpoints
          to new CodeBlocks being installed. Similarly, unregisterCodeBlock()
          clears the breakpoints.

        (JSC::Debugger::toggleBreakpoint):
        - This is the workhorse function that checks if a breakpoint falls within
          a CodeBlock or not. If it does, then it can either enable or disable
          said breakpoint in the CodeBlock. In the current implementation,
          enabling/disabling the breakpoint simply means incrementing/decrementing
          the CodeBlock's m_numBreakpoints.

        (JSC::Debugger::applyBreakpoints):

        (JSC::Debugger::ToggleBreakpointFunctor::ToggleBreakpointFunctor):
        (JSC::Debugger::ToggleBreakpointFunctor::operator()):
        (JSC::Debugger::toggleBreakpoint):
        - Iterates all relevant CodeBlocks and apply the specified breakpoint
          if appropriate. This is called when a new breakpoint is being defined
          by the WebInspector and needs to be applied to an already installed
          CodeBlock.

        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::ClearBreakpointsFunctor::ClearBreakpointsFunctor):
        (JSC::Debugger::ClearBreakpointsFunctor::operator()):
        (JSC::Debugger::clearBreakpoints):

        (JSC::Debugger::breakProgram):
        - Fixed a regression that broke DOM breakpoints. The issue is that with
          the skipping of op_debug callbacks, we don't always have an updated
          m_currentCallFrame. Normally, m_currentCallFrame is provided as arg
          in the op_debug callback. In this case, we can get the CallFrame* from
          m_vm->topCallFrame.

        (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::willExecuteProgram):
        * debugger/Debugger.h:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::shouldPause):

        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate):
        * heap/Heap.h:
        (JSC::Heap::forEachCodeBlock):
        - Added utility to iterate all CodeBlocks in the heap / VM.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug):

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LowLevelInterpreter.asm:
        - These now checks CodeBlock::m_numBreakpoints and Debugger::m_shouldPause
          instead of Debugger::m_needsOpDebugCallbacks.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):

2014-01-22  Myles C. Maxfield  <mmaxfield@apple.com>

        Remove CSS3_TEXT_DECORATION define
        https://bugs.webkit.org/show_bug.cgi?id=127333

        This is required for unprefixing the text-decoration-* CSS properties.

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-01-22  Alexey Proskuryakov  <ap@apple.com>

        Update JS whitespace definition for changes in Unicode 6.3
        https://bugs.webkit.org/show_bug.cgi?id=127450
        <rdar://15863457>

        Reviewed by Oliver Hunt.

        Covered by existing tests when running against a Unicode back-end that supports
        Unicode 6.3 or higher.

        * runtime/JSGlobalObjectFunctions.cpp: (JSC::isStrWhiteSpace): Explicitly allow
        U+180E MONGOLIAN VOWEL SEPARATOR, because we need to keep recognizing all characters
        that used to be whitespace.

2014-01-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Registers used in writeBarrierOnOperand can cause clobbering on some platforms
        https://bugs.webkit.org/show_bug.cgi?id=127357

        Reviewed by Filip Pizlo.

        Some platforms use t0 and t1 for their first two arguments, so using those to load the 
        cell for the write barrier is a bad idea because it will get clobbered.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-01-21  Mark Rowe  <mrowe@apple.com>

        Mac production build fix.

        Move the shell script build phase to copy jsc into JavaScriptCore.framework
        out of the jsc target and in to the All target so that it's not run during
        production builds. Xcode appears to the parent directories of paths referenced
        in the Output Files of the build phase, which leads to problems when the
        SYMROOT for the JavaScriptCore framework and the jsc executables are later merged.

        I've also fixed the path to the Resources folder in the script while I'm here.
        On iOS the framework bundle is shallow so the correct destination is Resources/
        rather than Versions/A/Resources. This is handled by tweaking the
        JAVASCRIPTCORE_RESOURCES_DIR configuration setting to be relative rather than
        a complete path so we can reuse it in the script. The references in JSC.xcconfig
        and ToolExecutable.xcconfig are updated to prepend JAVASCRIPTCORE_FRAMEWORKS_DIR
        to preserve their former values.

        * Configurations/Base.xcconfig:
        * Configurations/JSC.xcconfig:
        * Configurations/ToolExecutable.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-01-19  Andreas Kling  <akling@apple.com>

        JSC Parser: Shrink BindingNode.
        <https://webkit.org/b/127253>

        The "divot" and "end" source locations are always identical for
        BindingNodes, so store only "start" and "end" instead.

        1.19 MB progression on Membuster3.

        Reviewed by Geoff Garen.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BindingNode::bindValue):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createBindingLocation):
        * parser/NodeConstructors.h:
        (JSC::BindingNode::create):
        (JSC::BindingNode::BindingNode):
        * parser/Nodes.h:
        (JSC::BindingNode::divotStart):
        (JSC::BindingNode::divotEnd):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::createBindingPattern):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):

2014-01-20  Filip Pizlo  <fpizlo@apple.com>

        op_captured_mov and op_new_captured_func in UnlinkedCodeBlocks should use the IdentifierMap instead of the strings directly
        https://bugs.webkit.org/show_bug.cgi?id=127311
        <rdar://problem/15853958>

        Reviewed by Andreas Kling.
        
        This makes UnlinkedCodeBlocks use 32-bit instruction streams again.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedInstruction::UnlinkedInstruction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::emitInitLazyRegister):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::watchableVariable):
        (JSC::BytecodeGenerator::hasWatchableVariable):

2014-01-20  Mark Lam  <mark.lam@apple.com>

        Removing CodeBlock::opDebugBytecodeOffsetForLineAndColumn() and friends.
        <https://webkit.org/b/127321>

        Reviewed by Geoffrey Garen.

        We're changing plans and will be going with CodeBlock level breakpoints
        instead of bytecode level breakpoints. As a result, we no longer need
        the services of CodeBlock::opDebugBytecodeOffsetForLineAndColumn() (and
        friends). This patch will remove that unused code.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/LineColumnInfo.h: Removed.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
        * bytecode/UnlinkedCodeBlock.h:

2014-01-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlockSet::traceMarked doesn't need to visit the ownerExecutable
        https://bugs.webkit.org/show_bug.cgi?id=127301

        Reviewed by Oliver Hunt.

        We used to just call CodeBlock::visitAggregate, but now we call visitChildren 
        on the ownerExecutable, which is unnecessary. 

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::traceMarked):

2014-01-20  Anders Carlsson  <andersca@apple.com>

        Fix build.

        * heap/BlockAllocator.h:

2014-01-20  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in BlockAllocator
        https://bugs.webkit.org/show_bug.cgi?id=126313

        Reviewed by Sam Weinig.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForDuration):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2014-01-19  Anders Carlsson  <andersca@apple.com>

        Convert GCThreadSharedData over to STL threading primitives
        https://bugs.webkit.org/show_bug.cgi?id=127256

        Reviewed by Andreas Kling.

        * heap/GCThread.cpp:
        (JSC::GCThread::waitForNextPhase):
        (JSC::GCThread::gcThreadMain):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::~GCThreadSharedData):
        (JSC::GCThreadSharedData::startNextPhase):
        (JSC::GCThreadSharedData::endCurrentPhase):
        (JSC::GCThreadSharedData::didStartMarking):
        (JSC::GCThreadSharedData::didFinishMarking):
        * heap/GCThreadSharedData.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::donateKnownParallel):
        (JSC::SlotVisitor::drainFromShared):

2014-01-18  Andreas Kling  <akling@apple.com>

        CodeBlock: Size m_callLinkInfos and m_byValInfos to fit earlier.
        <https://webkit.org/b/127239>

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setNumberOfByValInfos):
        (JSC::CodeBlock::setNumberOfCallLinkInfos):

            Use resizeToFit() instead of grow() for these vectors, since
            we know the final size here.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shrinkToFit):

            No need to shrink here anymore. We were not even shrinking
            m_byValInfo before!

2014-01-18  Andreas Kling  <akling@apple.com>

        CodeBlock: Size m_function{Exprs,Decls} to fit from creation.
        <https://webkit.org/b/127238>

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

            Use resizeToFit() instead of grow() for m_functionExprs and
            m_functionDecls since we know they will never change size.

        (JSC::CodeBlock::shrinkToFit):

            No need to shrink them here anymore.

2014-01-18  Andreas Kling  <akling@apple.com>

        Remove unused CodeBlock::m_additionalIdentifiers member.
        <https://webkit.org/b/127237>

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):

            Remove m_additionalIdentifiers, nothing uses it.

2014-01-18  Andreas Kling  <akling@apple.com>

        Remove two unused CodeBlock functions.
        <https://webkit.org/b/127235>

        Kill copyPostParseDataFrom() and copyPostParseDataFromAlternative()
        since they are not used.

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:

2014-01-18  Andreas Kling  <akling@apple.com>

        CodeBlock: Size m_exceptionHandlers to fit from creation.
        <https://webkit.org/b/127234>

        Avoid allocation churn for CodeBlock::m_exceptionHandlers.

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.h:

            Removed unused CodeBlock::allocateHandlers() function.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

            Use resizeToFit() instead of grow() for m_exceptionHandlers
            since we know it's never going to change size.

        (JSC::CodeBlock::shrinkToFit):

            No need to shrink m_exceptionHandlers here since it's already
            the perfect size.

2014-01-18  Mark Lam  <mark.lam@apple.com>

        Add a hasBreakpointFlag arg to the op_debug bytecode.
        https://bugs.webkit.org/show_bug.cgi?id=127230.

        Reviewed by Geoffrey Garen.

        This is in anticipation of upcoming changes to support bytecode level
        breakpoints. This patch adds the flag to the op_debug bytecode and
        initializes it, but does not use it yet.

        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * llint/LowLevelInterpreter.asm:

2014-01-18  Alberto Garcia  <berto@igalia.com>

        JavaScriptCore uses PLATFORM(MAC) when it means OS(DARWIN)
        https://bugs.webkit.org/show_bug.cgi?id=99683

        Reviewed by Anders Carlsson.

        * jit/ThunkGenerators.cpp:
        * tools/CodeProfile.cpp:
        (JSC::symbolName):
        (JSC::CodeProfile::sample):

2014-01-18  Anders Carlsson  <andersca@apple.com>

        Remove ENABLE_THREADED_HTML_PARSER defines everywhere
        https://bugs.webkit.org/show_bug.cgi?id=127225

        Reviewed by Andreas Kling.

        This concludes the removal of over 8.8 million lines of threaded parser code.

        * Configurations/FeatureDefines.xcconfig:

2014-01-18  Mark Lam  <mark.lam@apple.com>

        Adding UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn()..
        https://bugs.webkit.org/show_bug.cgi?id=127127.

        Reviewed by Geoffrey Garen.

        In order to implement bytecode level breakpoints, we need a mechanism
        for computing the best fit op_debug bytecode offset for any valid given
        line and column value in the source. The "best fit" op_debug bytecode
        in this case is defined below in the comment for
        UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn().

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::opDebugBytecodeOffsetForLineAndColumn):
        - Convert the line and column to unlinked line and column values and
          pass them to UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn()
          to do the real work.

        * bytecode/CodeBlock.h:
        * bytecode/LineColumnInfo.h: Added.
        (JSC::LineColumnInfo::operator <):
        (JSC::LineColumnInfo::LineColumnPair::LineColumnPair):
        (JSC::LineColumnInfo::operator ==):
        (JSC::LineColumnInfo::operator !=):
        (JSC::LineColumnInfo::operator <=):
        (JSC::LineColumnInfo::operator >):
        (JSC::LineColumnInfo::operator >=):
        * bytecode/LineInfo.h: Removed.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::decodeExpressionRangeLineAndColumn):
        - Factored this out of expressionRangeForBytecodeOffset() so that it can
          be called from multiple places.
        (JSC::dumpLineColumnEntry):
        (JSC::UnlinkedCodeBlock::dumpExpressionRangeInfo):
        (JSC::UnlinkedCodeBlock::dumpOpDebugLineColumnInfoList):
        - Some dumpers for debugging use only.
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::opDebugBytecodeOffsetForLineAndColumn):
        - Finds the earliest op_debug bytecode whose line and column matches the
          specified line and column values. If an exact match is not found, then
          finds the nearest op_debug bytecode that precedes the specified line
          and column values. If there are more than one op_debug at that preceding
          line and column value, then the earliest of those op_debug bytecodes will
          be be selected. The offset of the selected bytecode will be returned.

          We want the earliest one because when we have multiple op_debug bytecodes
          that map to a given line and column, a debugger user would expect to break
          on the first one and step through the rest thereafter if needed.

        (JSC::compareLineColumnInfo):
        (JSC::UnlinkedCodeBlock::opDebugLineColumnInfoList):
        - Creates the sorted opDebugLineColumnInfoList on demand. This list is
          stored in the UnlinkedCodeBlock's rareData.
        * bytecode/UnlinkedCodeBlock.h:

2014-01-18  Zan Dobersek  <zdobersek@igalia.com>

        Inspector scripts are not compatible with Python v3
        https://bugs.webkit.org/show_bug.cgi?id=127128

        Reviewed by Benjamin Poulain.

        * inspector/scripts/generate-combined-inspector-json.py: Turn print statements into print function calls.
        * inspector/scripts/jsmin.py: Try importing the StringIO class from the StringIO module (which will work for
        Python v2) or, on import error, import the class from the io module (which will work for Python v3).

2014-01-17  Anders Carlsson  <andersca@apple.com>

        String::is8Bit() crashes if m_impl is null, handle this.

        * API/OpaqueJSString.h:
        (OpaqueJSString::OpaqueJSString):

2014-01-17  Anders Carlsson  <andersca@apple.com>

        Try to fix the Windows build.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::~OpaqueJSString):
        (OpaqueJSString::characters):
        * API/OpaqueJSString.h:
        (OpaqueJSString::OpaqueJSString):

2014-01-17  Anders Carlsson  <andersca@apple.com>

        Get rid of OpaqueJSString::deprecatedCharacters()
        https://bugs.webkit.org/show_bug.cgi?id=127161

        Reviewed by Sam Weinig.

        Handle OpaqueJSString::m_string being either 8-bit or 16-bit and add extra
        code paths for the 8-bit cases.
        
        Unfortunately, JSStringGetCharactersPtr is still expected to return a 16-bit character pointer.
        Handle this by storing a separate 16-bit string and initializing it on demand when JSStringGetCharactersPtr
        is called and the backing string is 8-bit.
        
        This has the nice side effect of making JSStringGetCharactersPtr thread-safe when it wasn't before.
        (In theory, someone could have a JSStringRef backed by an 8-bit string and call JSStringGetCharactersPtr on it
        causing an unsafe upconversion to a 16-bit string).

        * API/JSStringRef.cpp:
        (JSStringGetCharactersPtr):
        Call OpaqueJSString::characters.

        (JSStringGetUTF8CString):
        Add a code path that handles 8-bit strings.

        (JSStringIsEqual):
        Call OpaqueJSString::equal.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        Reformat the code to use an early return instead of putting most of the code inside the body of an if statement.

        (JSStringCopyCFString):
        Create an 8-bit CFStringRef if possible.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):
        Use nullptr.

        (OpaqueJSString::~OpaqueJSString):
        Free m_characters.

        (OpaqueJSString::characters):
        Do the up-conversion and store the result in m_characters.

        (OpaqueJSString::equal):
        New helper function.

        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit):
        New function that returns whether a string is 8-bit or not.

        (OpaqueJSString::characters8):
        (OpaqueJSString::characters16):
        Add getters.

2014-01-17  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Remove workaround for compilers not supporting deleted functions
        https://bugs.webkit.org/show_bug.cgi?id=127166

        Reviewed by Andreas Kling.

        * inspector/InspectorAgentRegistry.h:

2014-01-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r162185, r162186, and r162187.
        http://trac.webkit.org/changeset/162185
        http://trac.webkit.org/changeset/162186
        http://trac.webkit.org/changeset/162187
        https://bugs.webkit.org/show_bug.cgi?id=127164

        Broke JSStringCreateWithCharactersNoCopy, as evidenced by a
        JSC API test (Requested by ap on #webkit).

        * API/JSStringRef.cpp:
        (JSStringGetCharactersPtr):
        (JSStringGetUTF8CString):
        (JSStringIsEqual):
        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        (JSStringCopyCFString):
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):
        (OpaqueJSString::identifier):
        * API/OpaqueJSString.h:
        (OpaqueJSString::create):
        (OpaqueJSString::characters):
        (OpaqueJSString::deprecatedCharacters):
        (OpaqueJSString::OpaqueJSString):

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Export OpaqueJSString destructor.

        * API/OpaqueJSString.h:

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Build fix.

        * API/OpaqueJSString.h:

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Get rid of OpaqueJSString::deprecatedCharacters()
        https://bugs.webkit.org/show_bug.cgi?id=127161

        Reviewed by Sam Weinig.

        Handle OpaqueJSString::m_string being either 8-bit or 16-bit and add extra
        code paths for the 8-bit cases.
        
        Unfortunately, JSStringGetCharactersPtr is still expected to return a 16-bit character pointer.
        Handle this by storing a separate 16-bit string and initializing it on demand when JSStringGetCharactersPtr
        is called. This has the nice side effect of making JSStringGetCharactersPtr thread-safe when it wasn't before.
        (In theory, someone could have a JSStringRef backed by an 8-bit string and call JSStringGetCharactersPtr on it
        causing an unsafe upconversion to a 16-bit string).

        * API/JSStringRef.cpp:
        (JSStringGetCharactersPtr):
        Call OpaqueJSString::characters.

        (JSStringGetUTF8CString):
        Add a code path that handles 8-bit strings.

        (JSStringIsEqual):
        Call OpaqueJSString::equal.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        Reformat the code to use an early return instead of putting most of the code inside the body of an if statement.

        (JSStringCopyCFString):
        Create an 8-bit CFStringRef if possible.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::create):
        Use nullptr.

        (OpaqueJSString::~OpaqueJSString):
        Free m_characters.

        (OpaqueJSString::characters):
        Do the up-conversion and store the result in m_characters.

        (OpaqueJSString::equal):
        New helper function.

        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit):
        New function that returns whether a string is 8-bit or not.

        (OpaqueJSString::characters8):
        (OpaqueJSString::characters16):
        Add getters.

2014-01-16  Anders Carlsson  <andersca@apple.com>

        Change all uses of FINAL to final now that all our compilers support it
        https://bugs.webkit.org/show_bug.cgi?id=127142

        Reviewed by Benjamin Poulain.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.go):
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSPromiseReaction.cpp:

2014-01-16  Oliver Hunt  <oliver@apple.com>

        throwing an objc object (or general binding object) triggers an assertion
        https://bugs.webkit.org/show_bug.cgi?id=127146

        Reviewed by Alexey Proskuryakov.

        This is simply a bogus assertion as we can't guarantee a bindings object
        won't intercept assignment to .stack

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):

2014-01-16  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Remove workaround for compilers not supporting explicit override control
        https://bugs.webkit.org/show_bug.cgi?id=127111

        Reviewed by Anders Carlsson.

        Now all compilers support explicit override control, this workaround can be removed.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackObject.h:
        * API/JSManagedValue.mm:
        * API/JSScriptRef.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h:
        * bytecode/StructureStubClearingWatchpoint.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        * heap/Heap.h:
        * heap/IncrementalSweeper.h:
        * heap/SuperRegion.h:
        * inspector/InspectorValues.h:
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/agents/InspectorAgent.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.go):
        * jit/ClosureCallStubRoutine.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.h:
        * jit/JITCode.h:
        * jit/JITToDFGDeferredCompilationCallback.h:
        * parser/Nodes.h:
        * parser/SourceProvider.h:
        * runtime/DataView.h:
        * runtime/GCActivityCallback.h:
        * runtime/GenericTypedArrayView.h:
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSPromiseReaction.cpp:
        * runtime/RegExpCache.h:
        * runtime/SimpleTypedArrayController.h:
        * runtime/SymbolTable.h:
        * runtime/WeakMapData.h:

2014-01-15  Joseph Pecoraro  <pecoraro@apple.com>

        [iOS] Clean up REMOTE_INSPECTOR code in OpenSource after the iOS merge
        https://bugs.webkit.org/show_bug.cgi?id=127069

        Reviewed by Timothy Hatcher.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Export XPCConnection because it is needed by RemoteInspector.h.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::startDisabled):
        (Inspector::RemoteInspector::shared):
        Allow RemoteInspector singleton to start disabled.

2014-01-15  Brian Burg  <bburg@apple.com>

        Web Inspector: capture probe samples on the backend
        https://bugs.webkit.org/show_bug.cgi?id=126668

        Reviewed by Joseph Pecoraro.

        Add the 'probe' breakpoint action to the protocol. Change the setBreakpoint
        commands to return a list of assigned breakpoint action identifiers
        Add a type for breakpoint action identifiers. Add an event for sending
        captured probe samples to the inspector frontend.

        * inspector/protocol/Debugger.json:

2014-01-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Copying should be generational
        https://bugs.webkit.org/show_bug.cgi?id=126555

        Reviewed by Geoffrey Garen.

        This patch adds support for copying to our generational collector. Eden collections 
        always trigger copying. Full collections use our normal fragmentation-based heuristics.

        The way this works is that the CopiedSpace now has the notion of an old generation set of CopiedBlocks
        and a new generation of CopiedBlocks. During each mutator cycle new CopiedSpace allocations reside
        in the new generation. When a collection occurs, those blocks are moved to the old generation.

        One key thing to remember is that both new and old generation objects in the MarkedSpace can
        refer to old or new generation allocations in CopiedSpace. This is why we must fire write barriers 
        when assigning to an old (MarkedSpace) object's Butterfly.

        * heap/CopiedAllocator.h:
        (JSC::CopiedAllocator::tryAllocateDuringCopying):
        * heap/CopiedBlock.h:
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::didEvacuateBytes):
        (JSC::CopiedBlock::isOld):
        (JSC::CopiedBlock::didPromote):
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        (JSC::CopiedBlock::reportLiveBytesDuringCopying):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace):
        (JSC::CopiedSpace::~CopiedSpace):
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::tryAllocateOversize):
        (JSC::CopiedSpace::tryReallocateOversize):
        (JSC::CopiedSpace::doneFillingBlock):
        (JSC::CopiedSpace::didStartFullCollection):
        (JSC::CopiedSpace::doneCopying):
        (JSC::CopiedSpace::size):
        (JSC::CopiedSpace::capacity):
        (JSC::CopiedSpace::isPagedOut):
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::CopiedGeneration::CopiedGeneration):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::contains):
        (JSC::CopiedSpace::recycleEvacuatedBlock):
        (JSC::CopiedSpace::allocateBlock):
        (JSC::CopiedSpace::startedCopying):
        * heap/CopyVisitor.cpp:
        (JSC::CopyVisitor::copyFromShared):
        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::allocateNewSpace):
        (JSC::CopyVisitor::allocateNewSpaceSlow):
        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::didStartCopying):
        * heap/Heap.cpp:
        (JSC::Heap::copyBackingStores):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * heap/TinyBloomFilter.h:
        (JSC::TinyBloomFilter::add):

2014-01-14  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: !hasError() in JSC::Parser<LexerType>::createSavePoint().
        https://bugs.webkit.org/show_bug.cgi?id=126990.

        Reviewed by Geoffrey Garen.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseConstDeclarationList):
        - We were missing an error check after attempting to parse an initializer
          expression. This is now fixed.

2014-01-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: For Remote Inspection link WebProcess's to their parent UIProcess
        https://bugs.webkit.org/show_bug.cgi?id=126995

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::listingForDebuggable):
        For each WebView, list the parent process. Listing the parent per WebView
        is already supported back when we supported processes that could host WebViews
        for multiple applications.

        * inspector/remote/RemoteInspectorConstants.h:
        Add a separate key for the bundle identifier, separate from application identifier.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::info):
        * inspector/remote/RemoteInspectorDebuggable.h:
        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess):
        If a RemoteInspectorDebuggable has a non-zero parent process identifier
        it is a proxy for the parent process.

2014-01-14  Brian J. Burg  <burg@cs.washington.edu>

        Add ENABLE(WEB_REPLAY) feature flag to the build system
        https://bugs.webkit.org/show_bug.cgi?id=126949

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2014-01-14  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        [EFL] FTL buildfix, add missing includes
        https://bugs.webkit.org/show_bug.cgi?id=126641

        Reviewed by Csaba Osztrogonác.

        * ftl/FTLOSREntry.cpp:
        * ftl/FTLOSRExitCompiler.cpp:

2014-01-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: RemoteInspector::updateDebuggable may miss a push
        https://bugs.webkit.org/show_bug.cgi?id=126965

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateDebuggable):
        Always push an update. If a debuggable went from allowed to
        not allowed, we would have missed pushing an update.

2014-01-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Performance regression on dromaeo due to generational marking
        https://bugs.webkit.org/show_bug.cgi?id=126901

        Reviewed by Oliver Hunt.

        We were seeing some performance regression with ENABLE_GGC == 0, so this patch
        ifdefs out more things to get rid of the additional overhead.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::clearMarks):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resetAllocators):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::didAllocateInBlock):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        (JSC::SlotVisitor::reportExtraMemoryUsage):

2014-01-13  Brian Burg  <bburg@apple.com>

        Web Inspector: protocol generator should support integer-typed declarations
        https://bugs.webkit.org/show_bug.cgi?id=126828

        Reviewed by Joseph Pecoraro.

        Add new binding classes for parameter/ad-hoc and normal integer type declarations.

        * inspector/scripts/CodeGeneratorInspector.py:
        (TypeBindings.create_type_declaration_):
        (TypeBindings.create_type_declaration_.PlainInteger):
        (TypeBindings.create_type_declaration_.PlainInteger.resolve_inner):
        (TypeBindings.create_type_declaration_.PlainInteger.request_user_runtime_cast):
        (TypeBindings.create_type_declaration_.PlainInteger.request_internal_runtime_cast):
        (TypeBindings.create_type_declaration_.PlainInteger.get_code_generator):
        (TypeBindings.create_type_declaration_.PlainInteger.get_validator_call_text):
        (TypeBindings.create_type_declaration_.PlainInteger.reduce_to_raw_type):
        (TypeBindings.create_type_declaration_.PlainInteger.get_type_model):
        (TypeBindings.create_type_declaration_.PlainInteger.get_setter_value_expression_pattern):
        (TypeBindings.create_type_declaration_.PlainInteger.get_array_item_c_type_text):
        (TypeBindings.create_type_declaration_.TypedefInteger):
        (TypeBindings.create_type_declaration_.TypedefInteger.resolve_inner):
        (TypeBindings.create_type_declaration_.TypedefInteger.request_user_runtime_cast):
        (TypeBindings.create_type_declaration_.TypedefInteger.request_internal_runtime_cast):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.generate_type_builder):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.generate_type_builder.int):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.register_use):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_code_generator.CodeGenerator.get_generate_pass_id):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_validator_call_text):
        (TypeBindings.create_type_declaration_.TypedefInteger.reduce_to_raw_type):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_type_model):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_setter_value_expression_pattern):
        (TypeBindings.create_type_declaration_.TypedefInteger.get_array_item_c_type_text):

2014-01-13  Zalan Bujtas  <zalan@apple.com>

        Enable SUBPIXEL_LAYOUT on Mac
        <https://webkit.org/b/126283>

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-01-13  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Changes in r161686 are exposing a bug in GCC where the global .cfi_startproc directive
        is not inserted early enough into the generated assembler code when building in debug mode, causing
        compilation failures on ports using the GCC compilers. To work around the problem, only utilize the
        OFFLINE_ASM_* macros that use .cfi_ directives when compiling with Clang.

        * llint/LowLevelInterpreter.cpp:

2014-01-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161840.
        http://trac.webkit.org/changeset/161840
        https://bugs.webkit.org/show_bug.cgi?id=126870

        Caused jsscore and layout test failures (Requested by smfr on
        #webkit).

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue):
        * inspector/InspectorValues.cpp:
        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate):
        * runtime/Identifier.h:
        (JSC::Identifier::characters):
        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::append):

2014-01-12  Darin Adler  <darin@apple.com>

        Add deprecatedCharacters as a synonym for characters and convert most call sites
        https://bugs.webkit.org/show_bug.cgi?id=126858

        Reviewed by Anders Carlsson.

        * API/JSStringRef.cpp:
        (JSStringGetCharactersPtr):
        (JSStringGetUTF8CString):
        (JSStringIsEqual):
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString):
        * API/OpaqueJSString.h:
        (OpaqueJSString::characters):
        (OpaqueJSString::deprecatedCharacters):
        (OpaqueJSString::length):
        (OpaqueJSString::OpaqueJSString):
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::parseJSON):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        * runtime/StringPrototype.cpp:
        (JSC::localeCompare):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncLink):
        Use deprecatedCharacters instead of characters.

2014-01-12  Darin Adler  <darin@apple.com>

        Reduce use of String::characters
        https://bugs.webkit.org/show_bug.cgi?id=126854

        Reviewed by Sam Weinig.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString): Use characters16 instead of characters for 16-bit case.
        Had to remove length check because an empty string could be either 8 bit or 16 bit.
        Don't need a null string check before calling is8Bit because JSStringRef can't hold
        a null string.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue): Use the existing string here instead of creating
        a new one by calling characters and length on the old string. I think this may be
        left over from when string types were not the same in JavaScriptCore and WebCore.
        Also rewrite the property names loop to use modern for syntax and fewer locals.

        * inspector/InspectorValues.cpp:
        (Inspector::escapeChar): Changed to use appendLiteral instead of hard-coding string
        lengths. Moved handling of "<" and ">" in here instead of at the call site.
        (Inspector::doubleQuoteString): Simplify the code so there is no use of characters
        and length. This is still an inefficient way of doing this job and could use a rethink.

        * runtime/DatePrototype.cpp:
        (JSC::formatLocaleDate): Use RetainPtr, createCFString, and the conversion from
        CFStringRef to WTF::String to remove a lot of unneeded code.

        * runtime/Identifier.h: Removed unneeded Identifier::characters function.

        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::append): Use characters16 instead of characters function here,
        since we have already checked is8Bit above.

2014-01-12  Andy Estes  <aestes@apple.com>

        [iOS] Enable the JSC Objective-C API

        Rubber-stamped by Simon Fraser.

        * API/JSBase.h:

2014-01-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.am: Add inline-and-minify-stylesheets-and-scripts.py
        to EXTRA_DIST and fix InjectedScriptSource.h generation rule.
        * GNUmakefile.list.am: Move InjectedScriptSource.h to
        built_nosources to make sure it's not disted.

2014-01-11  Anders Carlsson  <andersca@apple.com>

        Try again to fix the build.

        * inspector/InspectorAgentRegistry.cpp:
        * inspector/InspectorAgentRegistry.h:

2014-01-11  Anders Carlsson  <andersca@apple.com>

        Try to prevent the Vector copy constructor from being instantiated.

        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::InspectorAgentRegistry):
        * inspector/InspectorAgentRegistry.h:

2014-01-11  Anders Carlsson  <andersca@apple.com>

        Try something else.

        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::~InspectorAgentRegistry):
        * inspector/InspectorAgentRegistry.h:

2014-01-11  Dean Jackson  <dino@apple.com>

        [JSC] Revise typed array implementations to match ECMAScript and WebGL Specification
        https://bugs.webkit.org/show_bug.cgi?id=126754

        Reviewed by Filip Pizlo.

        The ECMAScript specification forbids calling the typed array
        constructors without using "new". Change the call data to return
        none so we throw and exception in these cases.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):

2014-01-11  Anders Carlsson  <andersca@apple.com>

        Try to fix the build by introducing a constructor.

        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::InspectorAgentRegistry):
        * inspector/InspectorAgentRegistry.h:

2014-01-11  Anders Carlsson  <andersca@apple.com>

        * inspector/InspectorAgentRegistry.h:

        Remove an unused function.

2014-01-11  Anders Carlsson  <andersca@apple.com>

        InspectorAgentRegistry should use std::unique_ptr
        https://bugs.webkit.org/show_bug.cgi?id=126826

        Reviewed by Sam Weinig.

        * inspector/InspectorAgentRegistry.cpp:
        (Inspector::InspectorAgentRegistry::append):
        * inspector/InspectorAgentRegistry.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/agents/InspectorAgent.h:

2014-01-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Push InspectorAgent down into JSC, give JSC an InspectorController
        https://bugs.webkit.org/show_bug.cgi?id=126763

        Reviewed by Timothy Hatcher.

        Introduce JSGlobalObjectInspectorController. This is the InspectorController
        for a JSContext. It is created by the JSGlobalObject Remote Inspector Debuggable
        when a remote frontend connects, and is destroyed when the remote frontend
        disconnects of the JSGlobalObject is destroyed.

        * inspector/JSGlobalObjectInspectorController.h: Added.
        * inspector/JSGlobalObjectInspectorController.cpp: Added.
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::~JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        (Inspector::JSGlobalObjectInspectorController::dispatchMessageFromFrontend):
        (Inspector::JSGlobalObjectInspectorController::functionCallHandler):
        (Inspector::JSGlobalObjectInspectorController::evaluateHandler):
        Create/destory agents, create/destroy dispatches, implement InspectorEnvironment.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::~JSGlobalObjectDebuggable):
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        Forward actions to the InspectorController object.

        * inspector/agents/InspectorAgent.h: Renamed from Source/WebCore/inspector/InspectorAgent.h.
        * inspector/agents/InspectorAgent.cpp: Renamed from Source/WebCore/inspector/InspectorAgent.cpp.
        (Inspector::InspectorAgent::InspectorAgent):
        (Inspector::InspectorAgent::~InspectorAgent):
        (Inspector::InspectorAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorAgent::inspect):
        (Inspector::InspectorAgent::evaluateForTestInFrontend):
        Implement InspectorAgent in JavaScriptCore in namespace Inspector.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * CMakeLists.txt:
        * ChangeLog:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        Add files and new inspector/agents subdirectory.

2014-01-10  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161702.
        http://trac.webkit.org/changeset/161702
        https://bugs.webkit.org/show_bug.cgi?id=126803

        Broke multiple tests (Requested by ap on #webkit).

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):

2014-01-10  David Kilzer  <ddkilzer@apple.com>

        Clean up architectures in xcconfig files
        <http://webkit.org/b/126794>

        Reviewed by Andy Estes.

        * Configurations/Base.xcconfig:
        * Configurations/JavaScriptCore.xcconfig: Remove armv6, ppc.
        * Configurations/ToolExecutable.xcconfig: Sort.
        - Add new arch.

2014-01-10  Dean Jackson  <dino@apple.com>

        [JSC] Revise typed array implementations to match ECMAScript and WebGL Specification
        https://bugs.webkit.org/show_bug.cgi?id=126754

        Reviewed by Filip Pizlo.

        The ECMAScript specification forbids calling the typed array
        constructors without using "new". Change the call data to return
        none so we throw and exception in these cases.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData):

2014-01-10  Benjamin Poulain  <bpoulain@apple.com>

        Remove the BlackBerry port from trunk
        https://bugs.webkit.org/show_bug.cgi?id=126715

        Reviewed by Anders Carlsson.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        (JSC::ARMv7Assembler::cacheFlush):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):
        * heap/MachineStackMarker.cpp:
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):
        (JSC::freePlatformThreadRegisters):
        * jit/ExecutableAllocator.h:

2014-01-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unimplemented or static ScriptDebugServer features
        https://bugs.webkit.org/show_bug.cgi?id=126784

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Debugger.json:

2014-01-10  Michael Saboff  <msaboff@apple.com>

        REGRESSION(C stack work): stack traces no longer work in CrashTracer, lldb, and other tools
        https://bugs.webkit.org/show_bug.cgi?id=126764

        Reviewed by Geoffrey Garen.

        Updated callToJavaScript and cllToNativeFunction to properly replicate the caller's
        return PC and frame pointer in the sentinel frame.  For X86-64, added .cfi_
        directives to create eh_frame info for all LLInt symbols so that the various
        unwinding code understands that we are using a separate JS stack referenced
        by BP and at what offsets in that frame the prior PC (register 16) and prior
        BP (register 6) can be found.  These two changes are sufficient for stack tracing
        to work for Mac OSX.

        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter64.asm:

2014-01-10  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        [EFL][JSC] Enable udis86 disassembler on efl.
        https://bugs.webkit.org/show_bug.cgi?id=125502

        Reviewed by Michael Saboff.

        Enable udis86 disassembler on efl and fix build warnings.

        * CMakeLists.txt:
          Add udis86 disassembler source files.
        * disassembler/udis86/udis86_decode.c:
        (decode_modrm_rm):
          Build warning fixes.
        * disassembler/udis86/udis86_syn-att.c:
        (gen_operand):
          Build warning fixes.
        * disassembler/udis86/udis86_syn-intel.c:
        (gen_operand):
          Build warning fixes.
        * disassembler/udis86/udis86_types.h:
          Correct FMT64 for uint64_t.

2014-01-09  Benjamin Poulain  <bpoulain@apple.com>

        Remove the BlackBerry files outside WebCore
        https://bugs.webkit.org/show_bug.cgi?id=126715

        Reviewed by Anders Carlsson.

        * PlatformBlackBerry.cmake: Removed.
        * runtime/GCActivityCallbackBlackBerry.cpp: Removed.
        * shell/PlatformBlackBerry.cmake: Removed.

2014-01-10  Geoffrey Garen  <ggaren@apple.com>

        Removed Blackberry #ifdefs and platform code from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=126757

        Reviewed by Sam Weinig.

        * PlatformBlackBerry.cmake: Removed.
        * heap/HeapTimer.cpp:
        * heap/HeapTimer.h:
        * heap/IncrementalSweeper.cpp:
        * heap/IncrementalSweeper.h:
        * jsc.cpp:
        (main):
        * runtime/GCActivityCallbackBlackBerry.cpp: Removed.
        * runtime/MemoryStatistics.cpp:
        (JSC::globalMemoryStatistics):

2014-01-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Marking should be generational
        https://bugs.webkit.org/show_bug.cgi?id=126552

        Reviewed by Geoffrey Garen.

        Re-marking the same objects over and over is a waste of effort. This patch implements 
        the sticky mark bit algorithm (along with our already-present write barriers) to reduce 
        overhead during garbage collection caused by rescanning objects.

        There are now two collection modes, EdenCollection and FullCollection. EdenCollections
        only visit new objects or objects that were added to the remembered set by a write barrier.
        FullCollections are normal collections that visit all objects regardless of their 
        generation.

        In this patch EdenCollections do not do anything in CopiedSpace. This will be fixed in 
        https://bugs.webkit.org/show_bug.cgi?id=126555.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark):
        * dfg/DFGOperations.cpp:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::traceMarked):
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/CodeBlockSet.h:
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::didStartFullCollection):
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::heap):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::didAbandon):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate):
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::isInRememberedSet):
        (JSC::Heap::operationInProgress):
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isCollecting):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        * heap/HeapOperation.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::clear):
        (JSC::MarkStackArray::fillVector):
        * heap/MarkStack.h:
        * heap/MarkedAllocator.cpp:
        (JSC::isListPagedOut):
        (JSC::MarkedAllocator::isPagedOut):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::clearMarks):
        (JSC::MarkedBlock::clearRememberedSet):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::lastChanceToFinalize):
        * heap/MarkedBlock.h: Changed atomSize to 16 bytes because we have no objects smaller
        than 16 bytes. This is also to pay for the additional Bitmap for the remembered set.
        (JSC::MarkedBlock::didConsumeEmptyFreeList):
        (JSC::MarkedBlock::setRemembered):
        (JSC::MarkedBlock::clearRemembered):
        (JSC::MarkedBlock::atomicClearRemembered):
        (JSC::MarkedBlock::isRemembered):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::visitWeakSets):
        (JSC::MarkedSpace::reapWeakSets):
        (JSC::VerifyMarked::operator()):
        (JSC::MarkedSpace::clearMarks):
        * heap/MarkedSpace.h:
        (JSC::ClearMarks::operator()):
        (JSC::ClearRememberedSet::operator()):
        (JSC::MarkedSpace::didAllocateInBlock):
        (JSC::MarkedSpace::clearRememberedSet):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::~SlotVisitor):
        (JSC::SlotVisitor::clearMarkStack):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::markStack):
        (JSC::SlotVisitor::sharedData):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        (JSC::SlotVisitor::unconditionallyAppend):
        (JSC::SlotVisitor::copyLater):
        (JSC::SlotVisitor::reportExtraMemoryUsage):
        (JSC::SlotVisitor::heap):
        * jit/Repatch.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):
        * runtime/WeakMapData.cpp:
        (JSC::WeakMapData::visitChildren):

2014-01-09  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed Windows build fix for r161563.

        Copy all scripts, some may not be .py.

        * JavaScriptCore.vcxproj/copy-files.cmd:

2014-01-09  Filip Pizlo  <fpizlo@apple.com>

        AI for CreateArguments should pass through non-SpecEmpty input values
        https://bugs.webkit.org/show_bug.cgi?id=126709

        Reviewed by Mark Hahnenberg.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * tests/stress/use-arguments-as-object-pointer.js: Added.
        (foo):

2014-01-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Constructors for Objective-C classes do not work properly with instanceof
        https://bugs.webkit.org/show_bug.cgi?id=126670

        Reviewed by Oliver Hunt.

        This bug is due to the fact that the JS constructors created for Objective-C classes via the JSC 
        API inherit from JSCallbackObject, which overrides hasInstance with its own customHasInstance. 
        JSCallbackObject::customHasInstance only checks the JSClassRefs for hasInstance callbacks. 
        If it doesn't find any callbacks, it returns false.

        This patch adds a hasInstance callback to constructors created for Objective-C wrapper classes.

        * API/JSWrapperMap.mm:
        (constructorHasInstance):
        (constructorWithCustomBrand):
        (allocateConstructorForCustomClass):
        * API/tests/testapi.mm:

2014-01-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Move InjectedScript classes into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=126598

        Reviewed by Timothy Hatcher.

        Part 5: Move InjectedScript classes into JavaScriptCore

        There are pieces of logic that WebCore wants to hook into in the InjectedScript
        execution (e.g. for CommandLineAPIModule and InspectorInstrumentation). Create
        hooks for those in a base class called InspectorEnvironment. For now, the
        InspectorControllers (Page, JSGlobalObject, Worker) will be the InspectorEnvironments
        and provide answers to its hooks.

        * inspector/InspectorEnvironment.h: Added.
        New hooks needed by WebCore in various places. Mostly stubbed in JavaScriptCore.

        * inspector/InjectedScript.cpp: Renamed from Source/WebCore/inspector/InjectedScript.cpp.
        * inspector/InjectedScript.h: Added.
        * inspector/InjectedScriptBase.cpp: Renamed from Source/WebCore/inspector/InjectedScriptBase.cpp.
        * inspector/InjectedScriptBase.h: Renamed from Source/WebCore/inspector/InjectedScriptBase.h.
        * inspector/InjectedScriptModule.cpp: Renamed from Source/WebCore/inspector/InjectedScriptModule.cpp.
        * inspector/InjectedScriptModule.h: Renamed from Source/WebCore/inspector/InjectedScriptModule.h.
        Cleanup the style of these files (nullptr, formatting, whitespace, etc).
        Use the InspectorEnvironments call/evaluate function for ScriptFunctionCalls and checking access

        * inspector/InjectedScriptManager.cpp: Renamed from Source/WebCore/inspector/InjectedScriptManager.cpp.
        * inspector/InjectedScriptManager.h: Renamed from Source/WebCore/inspector/InjectedScriptManager.h.
        Take an InspectorEnvironment with multiple hooks, instead of a single hook function.

        * inspector/InjectedScriptHost.cpp: Added.
        * inspector/InjectedScriptHost.h: Added.
        * inspector/JSInjectedScriptHost.cpp: Renamed from Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp.
        * inspector/JSInjectedScriptHost.h: Added.
        * inspector/JSInjectedScriptHostPrototype.cpp: Added.
        * inspector/JSInjectedScriptHostPrototype.h: Added.
        Implementation of InjectedScriptHost which is passed into the script (InjectedScriptSource.js)
        that we inject into the page. This is mostly copied from the original autogenerated code,
        then simplified and cleaned up. InjectedScriptHost can be subclasses to provide specialized
        implementations of isHTMLAllCollection and type for Web/DOM types unknown to a pure JS context.


        Part 4: Move all inspector scripts into JavaScriptCore and update generators.

        For OS X be sure to export the scripts as if they are private headers.

        * GNUmakefile.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/scripts/cssmin.py: Renamed from Source/WebCore/inspector/Scripts/cssmin.py.
        * inspector/scripts/inline-and-minify-stylesheets-and-scripts.py: Renamed from Source/WebCore/inspector/Scripts/inline-and-minify-stylesheets-and-scripts.py.
        * inspector/scripts/jsmin.py: Renamed from Source/WebCore/inspector/Scripts/jsmin.py.
        * inspector/scripts/xxd.pl: Renamed from Source/WebCore/inspector/xxd.pl.


        Part 3: Update CodeGeneratorInspector to avoid inlining virtual destructors.

        This avoids build errors about duplicate exported virtual inlined methods
        are included from multiple places. Just put empty destructors in the
        implementation file instead of inlined.

        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator):
        (Generator.go):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:


        Part 2: Move InjectedScriptSource and generation into JavaScriptCore.

        Move InjectedScriptSource.js and derived sources generation.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/InjectedScriptSource.js: Renamed from Source/WebCore/inspector/InjectedScriptSource.js.

2014-01-09  Balazs Kilvady  <kilvadyb@homejinni.com>

        Regression: failing RegExp tests on 32 bit architectures.
        https://bugs.webkit.org/show_bug.cgi?id=126699

        Reviewed by Michael Saboff.

        Fix setRegExpConstructor functions for 32 bit architectures.

        * runtime/RegExpConstructor.cpp:
        (JSC::setRegExpConstructorInput):
        (JSC::setRegExpConstructorMultiline):

2014-01-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161540.
        http://trac.webkit.org/changeset/161540
        https://bugs.webkit.org/show_bug.cgi?id=126704

        Caused assertion failures on multiple tests (Requested by ap
        on #webkit).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark):
        * dfg/DFGOperations.cpp:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::traceMarked):
        * heap/CodeBlockSet.h:
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopiedSpace.cpp:
        * heap/CopiedSpace.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::didAbandon):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate):
        * heap/Heap.h:
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isCollecting):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        * heap/HeapOperation.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::~MarkStackArray):
        * heap/MarkStack.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::isPagedOut):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedBlock.cpp:
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::lastChanceToFinalize):
        (JSC::MarkedBlock::didConsumeEmptyFreeList):
        (JSC::MarkedBlock::clearMarks):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::visitWeakSets):
        (JSC::MarkedSpace::reapWeakSets):
        * heap/MarkedSpace.h:
        (JSC::ClearMarks::operator()):
        (JSC::MarkedSpace::clearMarks):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::~SlotVisitor):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::sharedData):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        (JSC::SlotVisitor::copyLater):
        (JSC::SlotVisitor::reportExtraMemoryUsage):
        * jit/Repatch.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):
        * runtime/WeakMapData.cpp:
        (JSC::WeakMapData::visitChildren):

2014-01-09  Andreas Kling  <akling@apple.com>

        Shrink WatchpointSet.
        <https://webkit.org/b/126694>

        Reorder the members of WatchpointSet, shrinking it by 8 bytes.
        767 kB progression on Membuster3.

        Reviewed by Antti Koivisto.

        * bytecode/Watchpoint.h:

2014-01-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Reverting accidental GC logging

        * heap/Heap.cpp:

2014-01-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Marking should be generational
        https://bugs.webkit.org/show_bug.cgi?id=126552

        Reviewed by Geoffrey Garen.

        Re-marking the same objects over and over is a waste of effort. This patch implements 
        the sticky mark bit algorithm (along with our already-present write barriers) to reduce 
        overhead during garbage collection caused by rescanning objects.

        There are now two collection modes, EdenCollection and FullCollection. EdenCollections
        only visit new objects or objects that were added to the remembered set by a write barrier.
        FullCollections are normal collections that visit all objects regardless of their 
        generation.

        In this patch EdenCollections do not do anything in CopiedSpace. This will be fixed in 
        https://bugs.webkit.org/show_bug.cgi?id=126555.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlockSet::mark):
        * dfg/DFGOperations.cpp:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::traceMarked):
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/CodeBlockSet.h:
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::didStartFullCollection):
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::heap):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::didAbandon):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate):
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::isInRememberedSet):
        (JSC::Heap::operationInProgress):
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isCollecting):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        * heap/HeapOperation.h:
        * heap/MarkStack.cpp:
        (JSC::MarkStackArray::~MarkStackArray):
        (JSC::MarkStackArray::clear):
        (JSC::MarkStackArray::fillVector):
        * heap/MarkStack.h:
        * heap/MarkedAllocator.cpp:
        (JSC::isListPagedOut):
        (JSC::MarkedAllocator::isPagedOut):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::clearMarks):
        (JSC::MarkedBlock::clearRememberedSet):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::lastChanceToFinalize):
        * heap/MarkedBlock.h: Changed atomSize to 16 bytes because we have no objects smaller
        than 16 bytes. This is also to pay for the additional Bitmap for the remembered set.
        (JSC::MarkedBlock::didConsumeEmptyFreeList):
        (JSC::MarkedBlock::setRemembered):
        (JSC::MarkedBlock::clearRemembered):
        (JSC::MarkedBlock::atomicClearRemembered):
        (JSC::MarkedBlock::isRemembered):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::visitWeakSets):
        (JSC::MarkedSpace::reapWeakSets):
        (JSC::VerifyMarked::operator()):
        (JSC::MarkedSpace::clearMarks):
        * heap/MarkedSpace.h:
        (JSC::ClearMarks::operator()):
        (JSC::ClearRememberedSet::operator()):
        (JSC::MarkedSpace::didAllocateInBlock):
        (JSC::MarkedSpace::clearRememberedSet):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::~SlotVisitor):
        (JSC::SlotVisitor::clearMarkStack):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::markStack):
        (JSC::SlotVisitor::sharedData):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        (JSC::SlotVisitor::unconditionallyAppend):
        (JSC::SlotVisitor::copyLater):
        (JSC::SlotVisitor::reportExtraMemoryUsage):
        (JSC::SlotVisitor::heap):
        * jit/Repatch.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):
        * runtime/WeakMapData.cpp:
        (JSC::WeakMapData::visitChildren):

2014-01-08  Sam Weinig  <sam@webkit.org>

        [JS] Should be able to create a promise by calling the Promise constructor as a function
        https://bugs.webkit.org/show_bug.cgi?id=126561

        Reviewed by Geoffrey Garen.

        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getCallData):
        Add support for calling the Promise constructor as a function (e.g. var p = Promise(...), note
        the missing "new").

2014-01-08  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [EFL] Make FTL buildable
        https://bugs.webkit.org/show_bug.cgi?id=125777

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:
        * ftl/FTLOSREntry.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        * llvm/library/config_llvm.h:

2014-01-08  Zan Dobersek  <zdobersek@igalia.com>

        [Automake] Scripts for generated build targets do not necessarily produce their output
        https://bugs.webkit.org/show_bug.cgi?id=126378

        Reviewed by Carlos Garcia Campos.

        * GNUmakefile.am: Touch the build targets that are generated through helper scripts that don't
        assure the output is generated every time the script is invoked, most commonly due to unchanged
        input. This assures the build targets are up-to-date and can't be older that their dependencies,
        which would result in constant regeneration at every build.

2014-01-07  Filip Pizlo  <fpizlo@apple.com>

        DFG fixup phase should be responsible for inserting ValueToInt32's as needed and it should use Phantom to keep the original values alive in case of OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=126600

        Reviewed by Michael Saboff.
        
        This fixes an embarrassing OSR exit liveness bug. It also simplifies the code. We were
        already using FixupPhase as the place where conversion nodes get inserted. ValueToInt32
        was the only exception to that rule, and that was one of the reasons why we had this bug.
        
        Henceforth ValueToInt32 is only inserted by FixupPhase, and only when it is necessary:
        we have a BitOp that will want a ToInt32 conversion and the operand is not predicted to
        already be an int32. If FixupPhase inserts any ValueToInt32's then the BitOp will no
        longer appear to use the original operand, which will make OSR exit think that the
        original operand is dead. We work around this they way we always do: insert a Phantom on
        the original operands right after the BitOp. This ensures that any OSR exit in any of the
        ValueToInt32's or in the BitOp itself will have values for the original inputs.

        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::fixBinaryIntEdges):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * tests/stress/bit-op-value-to-int32-input-liveness.js: Added.
        (foo):

2014-01-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Repatch write barrier slow path call doesn't align the stack in the presence of saved registers
        https://bugs.webkit.org/show_bug.cgi?id=126093

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp: Reworked the stack alignment code for calling out to C code on the write barrier slow path.
        We need to properly account for the number of reused registers that were saved to the stack, so we have to 
        pass the ScratchRegisterAllocator around.
        (JSC::storeToWriteBarrierBuffer):
        (JSC::writeBarrier):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        * jit/ScratchRegisterAllocator.h: Previously the ScratchRegisterAllocator only knew whether or not it had
        reused registers, but not how many. In order to correctly align the stack for calls to C slow paths for 
        the write barriers in inline caches we need to know how the stack is aligned. So now ScratchRegisterAllocator
        tracks how many registers it has reused.
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::didReuseRegisters):
        (JSC::ScratchRegisterAllocator::numberOfReusedRegisters):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        * llint/LowLevelInterpreter64.asm: Random typo fix.

2014-01-07  Mark Lam  <mark.lam@apple.com>

        r161364 caused JSC tests regression on non-DFG builds (e.g. C Loop and Windows).
        https://bugs.webkit.org/show_bug.cgi?id=126589.

        Reviewed by Filip Pizlo.

        After the removal of ENABLE(VALUE_PROFILER), the LLINT is now expecting the
        relevant opcode operands to point to ValueProfiler data structures and will
        write profiling data into them. Hence, we need to allocate these data
        structures even though the profiling data won't be used in non-DFG builds.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2014-01-07  Filip Pizlo  <fpizlo@apple.com>

        ASSERT in compileArithNegate on pdfjs
        https://bugs.webkit.org/show_bug.cgi?id=126584

        Reviewed by Mark Hahnenberg.
        
        Check negative zero when we should check it, not when we shouldn't check it. :-/

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithNegate):

2014-01-07  Gabor Rapcsanyi  <rgabor@webkit.org>

        pushFinallyContext saves wrong m_labelScopes size
        https://bugs.webkit.org/show_bug.cgi?id=124529

        Remove free label scopes before saving finally context.

        Reviewed by Geoffrey Garen.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):

2014-01-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::collect shouldn't be responsible for sweeping
        https://bugs.webkit.org/show_bug.cgi?id=126556

        Reviewed by Geoffrey Garen.

        Sweeping happens at an awkward time during collection due to the fact that destructors can 
        cause arbitrary reentry into the VM. This patch separates collecting and sweeping, and delays 
        sweeping until after collection has completely finished.

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::collectIfNecessaryOrDefer):
        * heap/Heap.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweep):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-01-07  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/126567> Remove the legacy WebKit availability macros

        They're no longer used.

        Reviewed by Ryosuke Niwa.

        * API/WebKitAvailability.h:

2014-01-07  Filip Pizlo  <fpizlo@apple.com>

        SetLocal for a FlushedArguments should not claim that the dataFormat is DataFormatJS
        https://bugs.webkit.org/show_bug.cgi?id=126563

        Reviewed by Gavin Barraclough.
        
        This was a rookie arguments simplification mistake: the SetLocal needs to record the fact
        that although it set JSValue(), OSR should think it set Arguments. DataFormatArguments
        conveys this, and dataFormatFor(FlushFormat) will do the right thing.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * tests/stress/phantom-arguments-set-local-then-exit-in-same-block.js: Added.
        (foo):

2014-01-06  Filip Pizlo  <fpizlo@apple.com>

        Make the different flavors of integer arithmetic more explicit, and don't rely on (possibly stale) results of the backwards propagator to decide integer arithmetic semantics
        https://bugs.webkit.org/show_bug.cgi?id=125519

        Reviewed by Geoffrey Garen.
        
        Adds the Arith::Mode enum to arithmetic nodes, which makes it explicit what sorts of
        checks and overflows the node should do. Previously this would be deduced from
        backwards analysis results.
        
        This also makes "unchecked" variants really mean that you want the int32 wrapped
        result, so ArithIMul is now done in terms of ArithMul(Unchecked). That means that the
        constant folder needs to compute exactly the result implied by ArithMode, instead of
        just folding the double result.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArithMode.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGArithMode.h: Added.
        (JSC::DFG::doesOverflow):
        (JSC::DFG::shouldCheckOverflow):
        (JSC::DFG::shouldCheckNegativeZero):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasArithMode):
        (JSC::DFG::Node::arithMode):
        (JSC::DFG::Node::setArithMode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileAddSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDivMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):

2014-01-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add write barriers to the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=126527

        Reviewed by Filip Pizlo.

        This patch takes a similar approach to how write barriers work in the baseline JIT.
        We execute the write barrier at the beginning of the opcode so we don't have to 
        worry about saving and restoring live registers across write barrier slow path calls 
        to C code.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_write_barrier_slow):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2014-01-05  Sam Weinig  <sam@webkit.org>

        [JS] Implement Promise.all()
        https://bugs.webkit.org/show_bug.cgi?id=126510

        Reviewed by Gavin Barraclough.

        Add Promise.all() implementation and factor out performing resolves and rejects
        on deferreds to share a bit of code. Also moves the abruptRejection helper to
        JSPromiseDeferred so it can be used in JSPromiseFunctions.

        * runtime/CommonIdentifiers.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncCast):
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncReject):
        (JSC::JSPromiseConstructorFuncAll):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::updateDeferredFromPotentialThenable):
        (JSC::performDeferredResolve):
        (JSC::performDeferredReject):
        (JSC::abruptRejection):
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseFunctions.cpp:
        (JSC::promiseAllCountdownFunction):
        (JSC::createPromiseAllCountdownFunction):
        * runtime/JSPromiseFunctions.h:
        * runtime/JSPromiseReaction.cpp:
        (JSC::ExecutePromiseReactionMicrotask::run):

2014-01-06  Filip Pizlo  <fpizlo@apple.com>

        Get rid of ENABLE(VALUE_PROFILER). It's on all the time now.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::dumpRareCaseProfile):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::setNumParameters):
        (JSC::CodeBlock::shrinkToFit):
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/LazyOperandValueProfile.cpp:
        * bytecode/LazyOperandValueProfile.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/ValueProfile.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newArrayProfile):
        (JSC::BytecodeGenerator::newArrayAllocationProfile):
        (JSC::BytecodeGenerator::emitProfiledOpcode):
        * jit/GPRInfo.h:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::compileBinaryArithOp):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emit_op_div):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        (JSC::JIT::emit_op_mul):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emit_op_div):
        * jit/JITCall.cpp:
        (JSC::JIT::emitPutCallResult):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitPutCallResult):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        (JSC::JIT::emitValueProfilingSite):
        (JSC::JIT::emitArrayProfilingSiteForBytecodeIndex):
        (JSC::JIT::emitArrayProfileStoreToHoleSpecialCase):
        (JSC::JIT::emitArrayProfileOutOfBoundsSpecialCase):
        (JSC::arrayProfileSaw):
        (JSC::JIT::chooseArrayMode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_from_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_from_scope):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * runtime/CommonSlowPaths.cpp:

2014-01-06  Filip Pizlo  <fpizlo@apple.com>

        LLInt shouldn't check for ENABLE(JIT).

        Rubber stamped by Mark Hahnenberg.

        * llint/LLIntCommon.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:

2014-01-06  Filip Pizlo  <fpizlo@apple.com>

        LLInt shouldnt check for ENABLE(JAVASCRIPT_DEBUGGER).

        Rubber stamped by Mark Hahnenberg.

        * debugger/Debugger.h:
        (JSC::Debugger::Debugger):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:

2014-01-05  Sam Weinig  <sam@webkit.org>

        [JS] Implement Promise.race()
        https://bugs.webkit.org/show_bug.cgi?id=126506

        Reviewed by Oliver Hunt.

        * runtime/CommonIdentifiers.h:
        Add identifier for "cast".
    
        * runtime/JSPromiseConstructor.cpp:
        (JSC::abruptRejection):
        Helper for the RejectIfAbrupt abstract operation.
  
        (JSC::JSPromiseConstructorFuncRace):
        Add implementation of Promise.race()

2014-01-05  Martin Robinson  <mrobinson@igalia.com>

        [GTK] [CMake] Ensure that the autotools build and the CMake install the same files
        https://bugs.webkit.org/show_bug.cgi?id=116379

        Reviewed by Gustavo Noronha Silva.

        * PlatformGTK.cmake: Install API headers, gir files, and the pkg-config file.

2014-01-04  Yusuke Suzuki  <utatane.tea@gmail.com>

        Use Compiler macros instead of raw "final" and "override"
        https://bugs.webkit.org/show_bug.cgi?id=126490

        Reviewed by Sam Weinig.

        * runtime/JSPromiseReaction.cpp:

2014-01-04  Martin Robinson  <mrobinson@igalia.com>

        [GTK] [CMake] Improve the way we locate gobject-introspection
        https://bugs.webkit.org/show_bug.cgi?id=126452

        Reviewed by Philippe Normand.

        * PlatformGTK.cmake: Use the new introspection variables.

2014-01-04  Zan Dobersek  <zdobersek@igalia.com>

        Explicitly use the std:: nested name specifier when using std::pair, std::make_pair
        https://bugs.webkit.org/show_bug.cgi?id=126439

        Reviewed by Andreas Kling.

        Instead of relying on std::pair and std::make_pair symbols being present in the current scope
        through the pair and make_pair symbols, the std:: specifier should be used explicitly.

        * bytecode/Opcode.cpp:
        (JSC::compareOpcodePairIndices):
        (JSC::OpcodeStats::~OpcodeStats):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeBinaryNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseIfStatement):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::contains):
        (JSC::StructureTransitionTable::get):
        (JSC::StructureTransitionTable::add):

2014-01-03  David Farler  <dfarler@apple.com>

        [super dealloc] missing in Source/JavaScriptCore/API/tests/testapi.mm, fails to build with -Werror,-Wobjc-missing-super-calls
        https://bugs.webkit.org/show_bug.cgi?id=126454

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.mm:
        (-[TextXYZ dealloc]):
        add [super dealloc]
        (-[EvilAllocationObject dealloc]):
        add [super dealloc]

2014-01-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        REGRESSION(r160304): [GTK] Disable libtool fast install
        https://bugs.webkit.org/show_bug.cgi?id=126381

        Reviewed by Martin Robinson.

        Remove -no-fast-install ld flag since fast install is now disabled
        globally.

        * GNUmakefile.am:

2014-01-02  Sam Weinig  <sam@webkit.org>

        Update Promises to the https://github.com/domenic/promises-unwrapping spec
        https://bugs.webkit.org/show_bug.cgi?id=120954

        Reviewed by Filip Pizlo.

        Update Promises to the revised spec. Notable changes:
        - JSPromiseResolver is gone.
        - TaskContext has been renamed Microtask and now has a virtual run() function.
        - Instead of using custom InternalFunction subclasses, JSFunctions are used
          with PrivateName properties for internal slots.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        (JSC::ExecState::promiseConstructorTable):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        (JSC::JSGlobalObject::queueMicrotask):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::promiseConstructor):
        (JSC::JSGlobalObject::promisePrototype):
        (JSC::JSGlobalObject::promiseStructure):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::create):
        (JSC::JSPromise::JSPromise):
        (JSC::JSPromise::finishCreation):
        (JSC::JSPromise::visitChildren):
        (JSC::JSPromise::reject):
        (JSC::JSPromise::resolve):
        (JSC::JSPromise::appendResolveReaction):
        (JSC::JSPromise::appendRejectReaction):
        (JSC::triggerPromiseReactions):
        * runtime/JSPromise.h:
        (JSC::JSPromise::status):
        (JSC::JSPromise::result):
        (JSC::JSPromise::constructor):
        * runtime/JSPromiseCallback.cpp: Removed.
        * runtime/JSPromiseCallback.h: Removed.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise):
        (JSC::JSPromiseConstructor::getCallData):
        (JSC::JSPromiseConstructorFuncCast):
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncReject):
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromiseDeferred.cpp: Added.
        (JSC::JSPromiseDeferred::create):
        (JSC::JSPromiseDeferred::JSPromiseDeferred):
        (JSC::JSPromiseDeferred::finishCreation):
        (JSC::JSPromiseDeferred::visitChildren):
        (JSC::createJSPromiseDeferredFromConstructor):
        (JSC::updateDeferredFromPotentialThenable):
        * runtime/JSPromiseDeferred.h: Added.
        (JSC::JSPromiseDeferred::createStructure):
        (JSC::JSPromiseDeferred::promise):
        (JSC::JSPromiseDeferred::resolve):
        (JSC::JSPromiseDeferred::reject):
        * runtime/JSPromiseFunctions.cpp: Added.
        (JSC::deferredConstructionFunction):
        (JSC::createDeferredConstructionFunction):
        (JSC::identifyFunction):
        (JSC::createIdentifyFunction):
        (JSC::promiseAllCountdownFunction):
        (JSC::createPromiseAllCountdownFunction):
        (JSC::promiseResolutionHandlerFunction):
        (JSC::createPromiseResolutionHandlerFunction):
        (JSC::rejectPromiseFunction):
        (JSC::createRejectPromiseFunction):
        (JSC::resolvePromiseFunction):
        (JSC::createResolvePromiseFunction):
        (JSC::throwerFunction):
        (JSC::createThrowerFunction):
        * runtime/JSPromiseFunctions.h: Added.
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototypeFuncThen):
        (JSC::JSPromisePrototypeFuncCatch):
        * runtime/JSPromiseReaction.cpp: Added.
        (JSC::createExecutePromiseReactionMicroTask):
        (JSC::ExecutePromiseReactionMicroTask::run):
        (JSC::JSPromiseReaction::create):
        (JSC::JSPromiseReaction::JSPromiseReaction):
        (JSC::JSPromiseReaction::finishCreation):
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h: Added.
        (JSC::JSPromiseReaction::createStructure):
        (JSC::JSPromiseReaction::deferred):
        (JSC::JSPromiseReaction::handler):
        * runtime/JSPromiseResolver.cpp: Removed.
        * runtime/JSPromiseResolver.h: Removed.
        * runtime/JSPromiseResolverConstructor.cpp: Removed.
        * runtime/JSPromiseResolverConstructor.h: Removed.
        * runtime/JSPromiseResolverPrototype.cpp: Removed.
        * runtime/JSPromiseResolverPrototype.h: Removed.
        * runtime/Microtask.h: Added.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add support for StoreBarrier and friends to the FTL
        https://bugs.webkit.org/show_bug.cgi?id=126040

        Reviewed by Filip Pizlo.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileConditionalStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        * heap/Heap.h:
        (JSC::Heap::writeBarrierBuffer):

2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Storing new CopiedSpace memory into a JSObject should fire a write barrier
        https://bugs.webkit.org/show_bug.cgi?id=126025

        Reviewed by Filip Pizlo.

        Technically this is creating a pointer between a (potentially) old generation object and a young 
        generation chunk of memory, thus there needs to be a barrier.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It 
        acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to 
        fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery 
        collections that objects with new backing stores are visited, even if they are old generation objects. 
        (JSC::CopyWriteBarrier::CopyWriteBarrier):
        (JSC::CopyWriteBarrier::operator!):
        (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
        (JSC::CopyWriteBarrier::get):
        (JSC::CopyWriteBarrier::operator*):
        (JSC::CopyWriteBarrier::operator->):
        (JSC::CopyWriteBarrier::set):
        (JSC::CopyWriteBarrier::setWithoutWriteBarrier):
        (JSC::CopyWriteBarrier::clear):
        * heap/Heap.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSCell.h:
        (JSC::JSCell::unvalidatedStructure):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::butterfly):
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setButterflyWithoutChangingStructure):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/MapData.cpp:
        (JSC::MapData::ensureSpaceForAppend):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):

2013-12-23  Oliver Hunt  <oliver@apple.com>

        Refactor PutPropertySlot to be aware of custom properties
        https://bugs.webkit.org/show_bug.cgi?id=126187

        Reviewed by Antti Koivisto.

        Refactor PutPropertySlot, making the constructor take the thisValue
        used as a target.  This results in a wide range of boilerplate changes
        to pass the new parameter.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomProperty):
        (JSC::PutPropertySlot::thisValue):
        (JSC::PutPropertySlot::isCacheable):

2014-01-01  Filip Pizlo  <fpizlo@apple.com>

        Rationalize DFG DCE
        https://bugs.webkit.org/show_bug.cgi?id=125523

        Reviewed by Mark Hahnenberg.
        
        Adds the ability to DCE more things. It's now the case that if a node is completely
        pure, we clear NodeMustGenerate and the node becomes a DCE candidate.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueAdd):

2014-01-02  Benjamin Poulain  <benjamin@webkit.org>

        Attempt to fix the build of WebCore's code generator on CMake based system
        https://bugs.webkit.org/show_bug.cgi?id=126271

        Reviewed by Sam Weinig.

        * CMakeLists.txt:

2013-12-30  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161157, r161158, r161160, r161161,
        r161163, and r161165.
        http://trac.webkit.org/changeset/161157
        http://trac.webkit.org/changeset/161158
        http://trac.webkit.org/changeset/161160
        http://trac.webkit.org/changeset/161161
        http://trac.webkit.org/changeset/161163
        http://trac.webkit.org/changeset/161165
        https://bugs.webkit.org/show_bug.cgi?id=126332

        Broke WebKit2 on Mountain Lion (Requested by ap on #webkit).

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForRelativeTimeWhileHoldingLock):
        (JSC::BlockAllocator::waitForRelativeTime):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Fix build.

        * heap/BlockAllocator.h:

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in BlockAllocator
        https://bugs.webkit.org/show_bug.cgi?id=126313

        Reviewed by Sam Weinig.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::~BlockAllocator):
        (JSC::BlockAllocator::waitForDuration):
        (JSC::BlockAllocator::blockFreeingThreadMain):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Stop using ThreadCondition in jsc.cpp
        https://bugs.webkit.org/show_bug.cgi?id=126311

        Reviewed by Sam Weinig.

        * jsc.cpp:
        (timeoutThreadMain):
        (main):

2013-12-30  Anders Carlsson  <andersca@apple.com>

        Replace WTF::ThreadingOnce with std::call_once
        https://bugs.webkit.org/show_bug.cgi?id=126215

        Reviewed by Sam Weinig.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2013-12-30  Martin Robinson  <mrobinson@igalia.com>

        [CMake] [GTK] Add support for GObject introspection
        https://bugs.webkit.org/show_bug.cgi?id=126162

        Reviewed by Daniel Bates.

        * PlatformGTK.cmake: Add the GIR targets.

2013-12-28  Filip Pizlo  <fpizlo@apple.com>

        Get rid of DFG forward exiting
        https://bugs.webkit.org/show_bug.cgi?id=125531

        Reviewed by Oliver Hunt.
        
        This finally gets rid of forward exiting. Forward exiting was always a fragile concept
        since it involved the compiler trying to figure out how to "roll forward" the
        execution from some DFG node to the next bytecode index. It was always easy to find
        counterexamples where it broke, and it has always served as an obstacle to adding
        compiler improvements - the latest being http://webkit.org/b/125523, which tried to
        make DCE work for more things.
        
        This change finishes the work of removing forward exiting. A lot of forward exiting
        was already removed in some other bugs, but SetLocal still did forward exits. SetLocal
        is in many ways the hardest to remove, since the forward exiting of SetLocal also
        implied that any conversion nodes inserted before the SetLocal would then also be
        marked as forward-exiting. Hence SetLocal's forward-exiting made a bunch of other
        things also forward-exiting, and this was always a source of weirdo bugs.
        
        SetLocal must be able to exit in case it performs a hoisted type speculation. Nodes
        inserted just before SetLocal must also be able to exit - for example type check
        hoisting may insert a CheckStructure, or fixup phase may insert something like
        Int32ToDouble. But if any of those nodes tried to backward exit, then this could lead
        to the reexecution of a side-effecting operation, for example:
        
            a: Call(...)
            b: SetLocal(@a, r1)
        
        For a long time it seemed like SetLocal *had* to exit forward because of this. But
        this change side-steps the problem by changing the ByteCodeParser to always emit a
        kind of "two-phase commit" for stores to local variables. Now when the ByteCodeParser
        wishes to store to a local, it first emits a MovHint and then enqueues a SetLocal.
        The SetLocal isn't actually emitted until the beginning of the next bytecode
        instruction (which the exception of op_enter and op_ret, which emit theirs immediately
        since it's always safe to reexecute those bytecode instructions and since deferring
        SetLocals would be weird there - op_enter has many SetLocals and op_ret is a set
        followed by a jump in case of inlining, so we'd have to emit the SetLocal "after" the
        jump and that would be awkward). This means that the above IR snippet would look
        something like:
        
            a: Call(..., bc#42)
            b: MovHint(@a, r1, bc#42)
            c: SetLocal(@a, r1, bc#47)
        
        Where the SetLocal exits "backwards" but appears at the beginning of the next bytecode
        instruction. This means that by the time we get to that SetLocal, the OSR exit
        analysis already knows that r1 is associated with @a, and it means that the SetLocal
        or anything hoisted above it can exit backwards as normal.
        
        This change also means that the "forward rewiring" can be killed. Previously, we might
        have inserted a conversion node on SetLocal and then the SetLocal died (i.e. turned
        into a MovHint) and the conversion node either died completely or had its lifetime
        truncated to be less than the actual value's bytecode lifetime. This no longer happens
        since conversion nodes are only inserted at SetLocals.
        
        More precisely, this change introduces two laws that we were basically already
        following anyway:
        
        1) A MovHint's child should never be changed except if all other uses of that child
           are also replaced. Specifically, this prohibits insertion of conversion nodes at
           MovHints.
        
        2) Anytime any child is replaced with something else, and all other uses aren't also
           replaced, we must insert a Phantom use of the original child.

        This is a slight compile-time regression but has no effect on code-gen. It unlocks a
        bunch of optimization opportunities so I think it's worth it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::instructionCount):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::eliminate):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::fixupBlock):
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGMinifiedNode.cpp:
        (JSC::DFG::MinifiedNode::fromNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::constantNumber):
        (JSC::DFG::MinifiedNode::weakConstant):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPhantom):
        (JSC::DFG::Node::convertToPhantomUnchecked):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::containsMovHint):
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitBase.cpp:
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileMovHint):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::typeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * ftl/FTLOSRExit.cpp:
        * ftl/FTLOSRExit.h:
        * tests/stress/dead-int32-to-double.js: Added.
        (foo):
        * tests/stress/dead-uint32-to-number.js: Added.
        (foo):

2013-12-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r161033 and r161074.
        http://trac.webkit.org/changeset/161033
        http://trac.webkit.org/changeset/161074
        https://bugs.webkit.org/show_bug.cgi?id=126240

        Oliver says that a rollout would be better (Requested by ap on
        #webkit).

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setNewProperty):
        (JSC::PutPropertySlot::isCacheable):

2013-12-25  Filip Pizlo  <fpizlo@apple.com>

        DFG PhantomArguments shouldn't rely on a dead Phi graph
        https://bugs.webkit.org/show_bug.cgi?id=126218

        Reviewed by Oliver Hunt.
        
        This change dramatically rationalizes our handling of PhantomArguments (i.e.
        speculative elision of arguments object allocation).
        
        It's now the case that if we decide that we can elide arguments allocation, we just
        turn the arguments-creating node into a PhantomArguments and mark all locals that
        it's stored to as being arguments aliases. Being an arguments alias and being a
        PhantomArguments means basically the same thing: in DFG execution you have the empty
        value, on OSR exit an arguments object is allocated in your place, and all operations
        that use the value now just refer directly to the actual arguments in the call frame
        header (or the arguments we know that we passed to the call, in case of inlining).
        
        This means that we no longer have arguments simplification creating a dead Phi graph
        that then has to be interpreted by the OSR exit logic. That sort of never made any
        sense.
        
        This means that PhantomArguments now has a clear story in SSA: basically SSA just
        gets rid of the "locals" but everything else is the same.
        
        Finally, this means that we can more easily get rid of forward exiting. As I was
        working on the code to get rid of forward exiting, I realized that I'd have to
        carefully preserve the special meanings of MovHint and SetLocal in the case of
        PhantomArguments. It was really bizarre: even the semantics of MovHint were tied to
        our specific treatment of PhantomArguments. After this change this is no longer the
        case.
        
        One of the really cool things about this change is that arguments reification now
        just becomes a special kind of FlushFormat. This further unifies things: it means
        that a MovHint(PhantomArguments) and a SetLocal(PhantomArguments) both have the same
        meaning, since both of them dictate that the way we recover the local on exit is by
        reifying arguments. Previously, the SetLocal(PhantomArguments) case needed some
        special handling to accomplish this.
        
        A downside of this approach is that we will now emit code to store the empty value
        into aliased arguments variables, and we will even emit code to load that empty value
        as well. As far as I can tell this doesn't cost anything, since PhantomArguments are
        most profitable in cases where it allows us to simplify control flow and kill the
        arguments locals entirely. Of course, this isn't an issue in SSA form since SSA form
        also eliminates the locals.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::detypeArgumentsReferencingPhantomChild):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):

2013-12-23  Oliver Hunt  <oliver@apple.com>

        Refactor PutPropertySlot to be aware of custom properties
        https://bugs.webkit.org/show_bug.cgi?id=126187

        Reviewed by msaboff.

        Refactor PutPropertySlot, making the constructor take the thisValue
        used as a target.  This results in a wide range of boilerplate changes
        to pass the new parameter.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::putByIndex):
        * runtime/ArrayPrototype.cpp:
        (JSC::putProperty):
        (JSC::arrayProtoFuncPush):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitiveByIndex):
        * runtime/JSCell.cpp:
        (JSC::JSCell::putByIndex):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
        * runtime/JSONObject.cpp:
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        * runtime/Lookup.h:
        (JSC::putEntry):
        (JSC::lookupPut):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::setCustomProperty):
        (JSC::PutPropertySlot::thisValue):
        (JSC::PutPropertySlot::isCacheable):

2013-12-23  Benjamin Poulain  <benjamin@webkit.org>

        Add class matching to the Selector Code Generator
        https://bugs.webkit.org/show_bug.cgi?id=126176

        Reviewed by Antti Koivisto and Oliver Hunt.

        Add test and branch based on BaseIndex addressing for x86_64.
        Fast loops are needed to compete with clang on tight loops.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branch64):
        (JSC::MacroAssemblerX86_64::branchPtr):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpq_rm):

2013-12-23  Oliver Hunt  <oliver@apple.com>

        Update custom setter implementations to perform type checks
        https://bugs.webkit.org/show_bug.cgi?id=126171

        Reviewed by Daniel Bates.

        Modify the setter function signature to take encoded values
        as we're changing the setter usage everywhere anyway.

        * runtime/Lookup.h:
        (JSC::putEntry):

2013-12-23  Lucas Forschler  <lforschler@apple.com>

        <rdar://problem/15682948> Update copyright strings
        
        Reviewed by Dan Bernstein.

        * Info.plist:
        * JavaScriptCore.vcxproj/JavaScriptCore.resources/Info.plist:

2013-12-23  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Clean up compiler optimizations flags for libWTF, libJSC
        https://bugs.webkit.org/show_bug.cgi?id=126157

        Reviewed by Gustavo Noronha Silva.

        * GNUmakefile.am: Remove the -fstrict-aliasing and -O3 compiler flags for libWTF.la. -O3 gets
        overridden by -O2 that's listed in CXXFLAGS (or -O0 in case of debug builds) and -fstrict-aliasing
        is enabled when -O2 is used (and shouldn't be enabled in debug builds anyway).

2013-12-22  Martin Robinson  <mrobinson@igalia.com>

        [CMake] Fix typo from r160812
        https://bugs.webkit.org/show_bug.cgi?id=126145

        Reviewed by Gustavo Noronha Silva.

        * CMakeLists.txt: Fix typo when detecting the type of library.

2013-12-22  Martin Robinson  <mrobinson@igalia.com>

        [GTK][CMake] libtool-compatible soversion calculation
        https://bugs.webkit.org/show_bug.cgi?id=125511

        Reviewed by Gustavo Noronha Silva.

        * CMakeLists.txt: Use the POPULATE_LIBRARY_VERSION macro and the
        library-specific version information.

2013-12-23  Gustavo Noronha Silva  <gns@gnome.org>

        [GTK] [CMake] Generate pkg-config files
        https://bugs.webkit.org/show_bug.cgi?id=125685

        Reviewed by Martin Robinson.

        * PlatformGTK.cmake: Added. Generate javascriptcoregtk-3.0.pc.

2013-12-22  Benjamin Poulain  <benjamin@webkit.org>

        Create a skeleton for CSS Selector code generation
        https://bugs.webkit.org/show_bug.cgi?id=126044

        Reviewed by Antti Koivisto and Gavin Barraclough.

        * assembler/LinkBuffer.h:
        Add a new owner UID for code compiled for CSS.
        Export the symbols needed to link code from WebCore.

2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up DFG write barriers
        https://bugs.webkit.org/show_bug.cgi?id=126047

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Use the register allocator to 
        determine which registers need saving instead of saving every single one of them.
        (JSC::DFG::SpeculativeJIT::osrWriteBarrier): We don't need to save live register state 
        because the write barriers during OSR execute when there are no live registers. Also we  
        don't need to use pushes to pad the stack pointer for pokes on x86; we can just use an add.
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        * runtime/VM.h: Get rid of writeBarrierRegisterBuffer since it's no longer used.

2013-12-20  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Missing MacroAssemblerMIPS::branchTest8(ResultCondition, BaseIndex, TrustedImm32)
        https://bugs.webkit.org/show_bug.cgi?id=126062

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchTest8):

2013-12-20  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing implementation in MacroAssembler to fix build.
        https://bugs.webkit.org/show_bug.cgi?id=126063

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchTest8):

2013-12-20  Julien Brianceau  <jbriance@cisco.com>

        [arm] Add missing implementation in MacroAssembler to fix CPU(ARM_TRADITIONAL) build.
        https://bugs.webkit.org/show_bug.cgi?id=126064

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchTest8):

2013-12-19  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add InspectorFrontendHost.debuggableType to let the frontend know it's backend is JavaScript or Web
        https://bugs.webkit.org/show_bug.cgi?id=126016

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::listingForDebuggable):
        * inspector/remote/RemoteInspectorConstants.h:
        Include a debuggable type identifier in the debuggable listing,
        so the remote frontend can know if it is debugging a Web Page
        or JS Context.

2013-12-19  Benjamin Poulain  <benjamin@webkit.org>

        Add an utility class to simplify generating function calls
        https://bugs.webkit.org/show_bug.cgi?id=125972

        Reviewed by Geoffrey Garen.

        Split branchTest32 in two functions: test32AndSetFlags and branchOnFlags.
        This is done to allow code where the flags are set, multiple operation that
        do not modify the flags occur, then the flags are used.

        This is used for function calls to test the return value while discarding the
        return register.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::test32AndSetFlags):
        (JSC::MacroAssemblerX86Common::branchOnFlags):
        (JSC::MacroAssemblerX86Common::branchTest32):

2013-12-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Put write barriers in the right places in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=125975

        Reviewed by Filip Pizlo.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::emitArrayProfilingSite):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emitSlow_op_enter):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emitSlow_op_enter):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitPutGlobalProperty):
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_init_global_const):
        (JSC::JIT::checkMarkWord):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::emitPutGlobalProperty):
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_init_global_const):
        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::repatchPutByID):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2013-12-19  Brent Fulgham  <bfulgham@apple.com>

        Implement ArrayBuffer.isView
        https://bugs.webkit.org/show_bug.cgi?id=126004

        Reviewed by Filip Pizlo.

        Test coverage in webgl/1.0.2/resources/webgl_test_files/conformance/typedarrays/array-unit-tests.html

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation): Add 'isView' to object constructor.
        (JSC::arrayBufferFuncIsView): New method.

2013-12-19  Mark Lam  <mark.lam@apple.com>

        Fix broken C loop LLINT build.
        https://bugs.webkit.org/show_bug.cgi?id=126024.

        Reviewed by Oliver Hunt.

        * runtime/VM.h:

2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        DelayedReleaseScope is in the wrong place
        https://bugs.webkit.org/show_bug.cgi?id=125876

        Reviewed by Geoffrey Garen.

        The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper. 
        This location gives us a good safe point between getting ready to allocate  (i.e. identifying a non-empty 
        free list) and doing the actual allocation (popping the free list).

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::addBlock):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):

2013-12-18  Gustavo Noronha Silva  <gns@gnome.org>

        [GTK][CMake] make libjavascriptcoregtk a public shared library again
        https://bugs.webkit.org/show_bug.cgi?id=125512

        Reviewed by Martin Robinson.

        * CMakeLists.txt: use target type instead of SHARED_CORE to decide whether
        JavaScriptCore is a shared library, since it's always shared for GTK+ regardless
        of SHARED_CORE.

2013-12-18  Benjamin Poulain  <benjamin@webkit.org>

        Add a simple stack abstraction for x86_64
        https://bugs.webkit.org/show_bug.cgi?id=125908

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::addPtrNoFlags):
        Add an explicit abstraction for the "lea" instruction. This is needed
        by the experimental JIT to have add and substract without changing the flags.

        This is useful for function calls to test the return value, restore the registers,
        then branch on the flags from the return value.

2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFG should have a separate StoreBarrier node
        https://bugs.webkit.org/show_bug.cgi?id=125530

        Reviewed by Filip Pizlo.

        This is in preparation for GenGC. We use a separate StoreBarrier node instead of making them implicitly 
        part of other nodes so that it's easier to run analyses on them, e.g. for the StoreBarrierElisionPhase. 
        They are inserted during the fixup phase. Initially they do not generate any code.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::isKnownNotCell):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberizeForAllocation):
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants): Whenever we insert new nodes that require StoreBarriers,
        we have to add those new StoreBarriers too. It's important to note that AllocatePropertyStorage and 
        ReallocatePropertyStorage nodes require their StoreBarriers to come after them since they allocate first,
        which could cause a GC, and then store the resulting buffer into their JSCell, which requires the barrier.
        If we ever require that write barriers occur before stores, we'll have to split these nodes into 
        AllocatePropertyStorage + StoreBarrier + PutPropertyStorage.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStoreBarrier):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        (JSC::DFG::SpeculativeJIT::genericWriteBarrier): The fast path write barrier check. It loads the 
        byte that contains the mark bit of the object. 
        (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): If the fast path check fails we try to store the 
        cell in the WriteBarrierBuffer so as to avoid frequently flushing all registers in order to make a C call.
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::osrWriteBarrier): More barebones version of the write barrier to be executed 
        during an OSR exit into baseline code. We must do this so that the baseline JIT object and array profiles 
        are properly cleared during GC.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compileBaseValueStoreBarrier):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGStoreBarrierElisionPhase.cpp: Added. New DFG phase that does block-local elision of redundant
        StoreBarriers. Every time a StoreBarrier on a particular object is executed, a bit is set indicating that 
        that object doesn't need any more StoreBarriers. 
        (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
        (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Nodes that could cause a GC reset the bits for all of the 
        objects known in the current block. 
        (JSC::DFG::StoreBarrierElisionPhase::allocatesFreshObject): A node that creates a new object automatically 
        sets the bit for that object since if a GC occurred as the result of that object's allocation then that 
        object would not need a barrier since it would be guaranteed to be a young generation object until the 
        next GC point.
        (JSC::DFG::StoreBarrierElisionPhase::noticeFreshObject):
        (JSC::DFG::StoreBarrierElisionPhase::getBaseOfStore):
        (JSC::DFG::StoreBarrierElisionPhase::shouldBeElided):
        (JSC::DFG::StoreBarrierElisionPhase::elideBarrier):
        (JSC::DFG::StoreBarrierElisionPhase::handleNode):
        (JSC::DFG::StoreBarrierElisionPhase::handleBlock):
        (JSC::DFG::StoreBarrierElisionPhase::run):
        (JSC::DFG::performStoreBarrierElision):
        * dfg/DFGStoreBarrierElisionPhase.h: Added.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::flushWriteBarrierBuffer):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::offsetOfMarks):
        * heap/WriteBarrierBuffer.cpp: Added. The WriteBarrierBuffer buffers a set of JSCells that are awaiting 
        a pending WriteBarrier. This buffer is used by the DFG to avoid the overhead of calling out to C repeatedly
        to invoke a write barrier on a single JSCell. Instead the DFG has inline code to fill the WriteBarrier buffer
        until its full, and then to call out to C to flush it. The WriteBarrierBuffer will also be flushed prior to 
        each EdenCollection.
        (JSC::WriteBarrierBuffer::WriteBarrierBuffer):
        (JSC::WriteBarrierBuffer::~WriteBarrierBuffer):
        (JSC::WriteBarrierBuffer::flush):
        (JSC::WriteBarrierBuffer::reset):
        (JSC::WriteBarrierBuffer::add):
        * heap/WriteBarrierBuffer.h: Added.
        (JSC::WriteBarrierBuffer::currentIndexOffset):
        (JSC::WriteBarrierBuffer::capacityOffset):
        (JSC::WriteBarrierBuffer::bufferOffset):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * runtime/VM.h:

2013-12-18  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.am:

2013-12-17  Julien Brianceau  <jbriance@cisco.com>

        Fix armv7 and sh4 builds.
        https://bugs.webkit.org/show_bug.cgi?id=125848

        Reviewed by Csaba Osztrogonác.

        * assembler/ARMv7Assembler.h: Include limits.h for INT_MIN.
        * assembler/SH4Assembler.h: Include limits.h for INT_MIN.

2013-12-16  Oliver Hunt  <oliver@apple.com>

        Avoid indirect function calls for custom getters
        https://bugs.webkit.org/show_bug.cgi?id=125821

        Reviewed by Mark Hahnenberg.

        Rather than invoking a helper function to perform an indirect call
        through a function pointer, just have the JIT call the function directly.

        Unfortunately this only works in JSVALUE64 at the moment as there
        is not an obvious way to pass two EncodedJSValues uniformly over
        the various effected JITs.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryBuildGetByIDList):

2013-12-16  Joseph Pecoraro  <pecoraro@apple.com>

        Fix some whitespace issues in inspector code
        https://bugs.webkit.org/show_bug.cgi?id=125814

        Reviewed by Darin Adler.

        * inspector/protocol/Debugger.json:
        * inspector/protocol/Runtime.json:
        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.process_command):

2013-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some missing functions to MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=125809

        Reviewed by Oliver Hunt.

        * assembler/AbstractMacroAssembler.h:
        * assembler/AssemblerBuffer.h:
        * assembler/LinkBuffer.cpp:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::andPtr):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::and64):
        (JSC::MacroAssemblerARM64::branchTest8):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchTest8):
        * assembler/X86Assembler.h:

2013-12-16  Brent Fulgham  <bfulgham@apple.com>

        [Win] Remove dead code after conversion to VS2013
        https://bugs.webkit.org/show_bug.cgi?id=125795

        Reviewed by Darin Adler.

        * API/tests/testapi.c: Remove local nan implementation

2013-12-16  Oliver Hunt  <oliver@apple.com>

        Cache getters and custom accessors on the prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=125602

        Reviewed by Michael Saboff.

        Support caching of custom getters and accessors on the prototype chain.
        This is relatively trivial and just requires a little work compared to
        the direct access mode as we're under more register pressure.

        * bytecode/StructureStubInfo.h:
          Removed the unsued initGetByIdProto as it was confusing to still have it present.
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):

2013-12-16  Mark Lam  <mark.lam@apple.com>

        Change slow path result to take a void* instead of a ExecState*.
        https://bugs.webkit.org/show_bug.cgi?id=125802.

        Reviewed by Filip Pizlo.

        This is in preparation for C Stack OSR entry work that is coming soon.
        In the OSR entry case, we'll be returning a topOfFrame pointer value
        instead of the ExecState*.

        * offlineasm/cloop.rb:
        * runtime/CommonSlowPaths.h:
        (JSC::encodeResult):
        (JSC::decodeResult):

2013-12-16  Alex Christensen  <achristensen@webkit.org>

        Fixed Win64 build on VS2013.
        https://bugs.webkit.org/show_bug.cgi?id=125753

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        Added correct PlatformToolset for 64-bit builds.

2013-12-16  Peter Szanka  <h868064@stud.u-szeged.hu>

        Delete RVCT related code parts.
        https://bugs.webkit.org/show_bug.cgi?id=125626

        Reviewed by Darin Adler.

        * assembler/ARMAssembler.cpp:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:

2013-12-15  Ryosuke Niwa  <rniwa@webkit.org>

        REGRESSION: 2x regression on Dromaeo DOM query tests
        https://bugs.webkit.org/show_bug.cgi?id=125377

        Reviewed by Filip Pizlo.

        The bug was caused by JSC not JIT'ing property access on "document" due to its type info having
        HasImpureGetOwnPropertySlot flag.

        Fixed the bug by new type info flag NewImpurePropertyFiresWatchpoints, which allows the baseline
        JIT to generate byte code for access properties on an object with named properties (a.k.a.
        custom name getter) in DOM. When a new named property appears on the object, VM is notified via
        VM::addImpureProperty and fires StructureStubClearingWatchpoint added during the repatch.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
        properties in the prototype chain.
        (JSC::GetByIdStatus::computeForChain): Ditto.

        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess): Throw away the byte code when a new impure property is added on any
        object in the prototype chain via StructureStubClearingWatchpoint.
        (JSC::generateProtoChainAccessStub): Ditto.
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::tryRepatchIn): Ditto.

        * runtime/JSTypeInfo.h: Added NewImpurePropertyFiresWatchpoints.
        (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): Added.

        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess): Don't exit early if VM will be notified of new
        impure property even if the object had impure properties.

        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty): Added. Wraps hasImpureGetOwnPropertySlot and
        asserts that newImpurePropertyFiresWatchpoints is true whenever hasImpureGetOwnPropertySlot is true.

        * runtime/VM.cpp:
        (JSC::VM::registerWatchpointForImpureProperty): Added.
        (JSC::VM::addImpureProperty): Added. HTMLDocument calls it to notify JSC of a new impure property.

        * runtime/VM.h:

2013-12-15  Andy Estes  <aestes@apple.com>

        [iOS] Upstream changes to FeatureDefines.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=125742

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:

2013-12-14  Filip Pizlo  <fpizlo@apple.com>

        FTL should *really* know when things are flushed
        https://bugs.webkit.org/show_bug.cgi?id=125747

        Reviewed by Sam Weinig.
        
        Fix more codegen badness. This makes V8v7's crypto am3() function run faster in the FTL
        than in DFG. This means that even if we just compile those functions in V8v7 that don't
        make calls, the FTL gives us a 2% speed-up over the DFG. That's pretty good considering
        that we have still more optimizations to fix and we can make calls work.

        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2013-12-14  Andy Estes  <aestes@apple.com>

        Unify FeatureDefines.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=125741

        Rubber-stamped by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig: Enable ENABLE_MEDIA_SOURCE.

2013-12-14  Mark Rowe  <mrowe@apple.com>

        Build fix after r160557.

        r160557 added the first generated header to JavaScriptCore that needs to be installed in to
        the framework wrapper. Sadly JavaScriptCore's Derived Sources target was not set to generate
        headers when invoked as part of the installhdrs action. This resulted in the build failing
        due to Xcode being unable to find the header file to install. The fix for this is to configure
        the Derived Sources target to use JavaScriptCore.xcconfig, which sets INSTALLHDRS_SCRIPT_PHASE
        to YES and allows Xcode to generate derived sources during the installhdrs action.

        Enabling INSTALLHDRS_SCRIPT_PHASE required tweaking the Generate Derived Sources script build
        phase to skip running code related to offlineasm that depends on JSCLLIntOffsetExtractor
        having been compiled, which isn't the case at installhdrs time.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Some Set and Map prototype functions have incorrect function lengths
        https://bugs.webkit.org/show_bug.cgi?id=125732

        Reviewed by Oliver Hunt.

        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Move Inspector and Debugger protocol domains into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=125707

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * inspector/protocol/Debugger.json: Renamed from Source/WebCore/inspector/protocol/Debugger.json.
        * inspector/protocol/GenericTypes.json: Added.
        * inspector/protocol/InspectorDomain.json: Renamed from Source/WebCore/inspector/protocol/InspectorDomain.json.
        Add new files to inspector generation.

        * inspector/scripts/CodeGeneratorInspector.py:
        (Generator.go):
        Only build TypeBuilder output if the domain only has types. Avoid
        backend/frontend dispatchers and backend commands.

        (TypeBindings.create_type_declaration_.EnumBinding.get_setter_value_expression_pattern):
        (format_setter_value_expression):
        (Generator.process_command):
        (Generator.generate_send_method):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        Export and name the get{JS,Web}EnumConstant function.

2013-12-11  Filip Pizlo  <fpizlo@apple.com>

        Get rid of forward exit on UInt32ToNumber by adding an op_unsigned bytecode instruction
        https://bugs.webkit.org/show_bug.cgi?id=125553

        Reviewed by Oliver Hunt.
        
        UInt32ToNumber was a super complicated node because it had to do a speculation, but it
        would do it after we already had computed the urshift. It couldn't just back to the
        beginning of the urshift because the inputs to the urshift weren't necessarily live
        anymore. We couldn't jump forward to the beginning of the next instruction because the
        result of the urshift was not yet unsigned-converted.
        
        For a while we solved this by forward-exiting in UInt32ToNumber. But that's really
        gross and I want to get rid of all forward exits. They cause a lot of bugs.
        
        We could also have turned UInt32ToNumber to a backwards exit by forcing the inputs to
        the urshift to be live. I figure that this might be a bit too extreme.
        
        So, I just created a new place that we can exit to: I split op_urshift into op_urshift
        followed by op_unsigned. op_unsigned is an "unsigned cast" along the lines of what
        UInt32ToNumber does. This allows me to get rid of all of the nastyness in the DFG for
        forward exiting in UInt32ToNumber.
        
        This patch enables massive code carnage in the DFG and FTL, and brings us closer to
        eliminating one of the DFG's most confusing concepts. On the flipside, it does make the
        bytecode slightly more complex (one new instruction). This is a profitable trade. We
        want the DFG and FTL to trend towards simplicity, since they are both currently too
        complicated.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/ValueRecovery.cpp:
        (JSC::ValueRecovery::dumpInContext):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::gpr):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::emitReadModifyAssignment):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild1):
        (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild2):
        * ftl/FTLFormattedValue.h:
        (JSC::FTL::int32Value):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        (WTF::printInternal):
        * ftl/FTLValueFormat.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_urshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emitSlow_op_unsigned):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emit_op_unsigned):
        (JSC::JIT::emitSlow_op_unsigned):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2013-12-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        LLInt should not conditionally branch to to labels outside of its function
        https://bugs.webkit.org/show_bug.cgi?id=125713

        Reviewed by Geoffrey Garen.

        Conditional branches are insufficient for jumping to out-of-function labels.
        The fix is to use an unconditional jmp to the label combined with a conditional branch around the jmp.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        [GTK] Remove Warnings in building about duplicate INSPECTOR variables
        https://bugs.webkit.org/show_bug.cgi?id=125710

        Reviewed by Tim Horton.

        * GNUmakefile.am:

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Cleanup CodeGeneratorInspectorStrings a bit
        https://bugs.webkit.org/show_bug.cgi?id=125705

        Reviewed by Timothy Hatcher.

        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        Use ${foo} variable syntax and add an ASCIILiteral.

2013-12-13  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix after r160563

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Missed the Debug
        target in my last patch.

2013-12-13  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix after r160548

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Specify
        that we are using the vs12_xp target for Makefile-based projects.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Ditto
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: Ditto.

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Make inspector folder groups smarter in JavaScriptCore.xcodeproj
        https://bugs.webkit.org/show_bug.cgi?id=125663

        Reviewed by Darin Adler.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add Inspector Code Generation to JavaScriptCore for Runtime Domain
        https://bugs.webkit.org/show_bug.cgi?id=125595

        Reviewed by Timothy Hatcher.

          - Move CodeGeneration scripts from WebCore into JavaScriptCore/inspector/scripts
          - For ports that build WebKit frameworks separately, export the scripts as PrivateHeaders
          - Update CodeGeneratorInspector.py in a few ways:
            - output dynamic filenames, so JavaScriptCore generates InspectorJSFoo.* and WebCore generates InspectorWebFoo.*
            - take in more then one protocol JSON file. The first contains domains to generate, the others are dependencies
              that are generated elsewhere that we can depend on for Types.
          - Add DerivedSources build step to generate the Inspector Interfaces

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add scripts and code generation.

        * inspector/protocol/Runtime.json: Renamed from Source/WebCore/inspector/protocol/Runtime.json.
        Move protocol file into JavaScriptCore so its types will be generated in JavaScriptCore.

        * inspector/scripts/CodeGeneratorInspector.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspector.py.
        Updates to the script as listed above.

        * inspector/scripts/CodeGeneratorInspectorStrings.py: Renamed from Source/WebCore/inspector/CodeGeneratorInspectorStrings.py.
        * inspector/scripts/generate-combined-inspector-json.py: Renamed from Source/WebCore/inspector/Scripts/generate-combined-inspector-json.py.
        Moved from WebCore into JavaScriptCore for code generation.

2013-12-13  Peter Szanka  <h868064@stud.u-szeged.hu>

        Delete INTEL C compiler related code parts.
        https://bugs.webkit.org/show_bug.cgi?id=125625

        Reviewed by Darin Adler.

        * jsc.cpp:
        * testRegExp.cpp:

2013-12-13  Brent Fulgham  <bfulgham@apple.com>

        [Win] Switch WebKit solution to Visual Studio 2013
        https://bugs.webkit.org/show_bug.cgi?id=125192

        Reviewed by Anders Carlsson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Update for VS2013
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        Ditto
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto

2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>

        Add a few more ASCIILiterals
        https://bugs.webkit.org/show_bug.cgi?id=125662

        Reviewed by Darin Adler.

        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):

2013-12-12  Joseph Pecoraro  <pecoraro@apple.com>

        Test new JSContext name APIs
        https://bugs.webkit.org/show_bug.cgi?id=125607

        Reviewed by Darin Adler.

        * API/JSContext.h:
        * API/JSContextRef.h:
        Fix whitespace issues.

        * API/tests/testapi.c:
        (globalContextNameTest):
        (main):
        * API/tests/testapi.mm:
        Add tests for JSContext set/get name APIs.

2013-12-11  Filip Pizlo  <fpizlo@apple.com>

        ARM64: Hang running pdfjs test, suspect DFG generated code for "in"
        https://bugs.webkit.org/show_bug.cgi?id=124727
        <rdar://problem/15566923>

        Reviewed by Michael Saboff.
        
        Get rid of In's hackish use of StructureStubInfo. Previously it was using hotPathBegin,
        and it was the only IC that used that field, which was wasteful. Moreover, it used it
        to store two separate locations: the label for patching the jump and the label right
        after the jump. The code was relying on those two being the same label, which is true
        on X86 and some other platforms, but it isn't true on ARM64.
        
        This gets rid of hotPathBegin and makes In express those two locations as offsets from
        the callReturnLocation, which is analogous to what the other IC's do.
        
        This fixes a bug where any successful In patching would result in a trivially infinite
        loop - and hence a hang - on ARM64.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::InRecord::InRecord):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::finalize):
        * jit/Repatch.cpp:
        (JSC::replaceWithJump):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::resetIn):

2013-12-11  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Push More Inspector Required Classes Down into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=125324

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bindings/ScriptFunctionCall.cpp: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.cpp.
        * bindings/ScriptFunctionCall.h: Renamed from Source/WebCore/bindings/js/ScriptFunctionCall.h.
        * bindings/ScriptObject.cpp: Copied from Source/WebCore/inspector/WorkerConsoleAgent.cpp.
        * bindings/ScriptObject.h: Renamed from Source/WebCore/inspector/InspectorBaseAgent.h.
        * bindings/ScriptValue.cpp: Renamed from Source/WebCore/bindings/js/ScriptValue.cpp.
        * bindings/ScriptValue.h: Renamed from Source/WebCore/bindings/js/ScriptValue.h.
        * inspector/InspectorAgentBase.h: Copied from Source/WebCore/inspector/InspectorAgentRegistry.h.
        * inspector/InspectorAgentRegistry.cpp: Renamed from Source/WebCore/inspector/InspectorAgentRegistry.cpp.
        * inspector/InspectorBackendDispatcher.h: Renamed from Source/WebCore/inspector/InspectorBackendDispatcher.h.
        (Inspector::InspectorSupplementalBackendDispatcher::InspectorSupplementalBackendDispatcher):
        (Inspector::InspectorSupplementalBackendDispatcher::~InspectorSupplementalBackendDispatcher):
        * inspector/InspectorValues.cpp: Renamed from Source/WebCore/inspector/InspectorValues.cpp.
        * inspector/InspectorValues.h: Renamed from Source/WebCore/inspector/InspectorValues.h.

2013-12-11  Laszlo Vidacs  <lac@inf.u-szeged.hu>

        Store SHA1 hash in std::array
        https://bugs.webkit.org/show_bug.cgi?id=125446

        Reviewed by Darin Adler.

        Change Vector to std::array and use typedef.

        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::CodeBlockHash):

2013-12-11  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/125141> Modernize the JavaScriptCore API headers
        <rdar://problem/15540121>

        This consists of three main changes:
        1) Converting the return type of initializer methods to instancetype.
        2) Declaring properties rather than getters and setters.
        3) Tagging C API methods with information about their memory management semantics.

        Changing the declarations from getters and setters to properties also required
        updating the headerdoc in a number of places.

        Reviewed by Anders Carlsson.

        * API/JSContext.h:
        * API/JSContext.mm:
        * API/JSManagedValue.h:
        * API/JSManagedValue.mm:
        * API/JSStringRefCF.h:
        * API/JSValue.h:
        * API/JSVirtualMachine.h:
        * API/JSVirtualMachine.mm:

2013-12-11  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/125559> Move JavaScriptCore off the legacy WebKit availability macros

        The legacy WebKit availability macros are verbose, confusing, and provide no benefit over
        using the system availability macros directly. The original vision was that they'd serve
        a cross-platform purpose but that never came to be.

        Map from WebKit version to OS X version based on the mapping in WebKitAvailability.h.
        All iOS versions are specified as 7.0 as that is when the JavaScriptCore C API was made
        public.

        Part of <rdar://problem/15512304>.

        Reviewed by Anders Carlsson.

        * API/JSBasePrivate.h:
        * API/JSContextRef.h:
        * API/JSContextRefPrivate.h:
        * API/JSObjectRef.h:
        * API/JSValueRef.h:

2013-12-10  Filip Pizlo  <fpizlo@apple.com>

        Get rid of forward exit on DoubleAsInt32
        https://bugs.webkit.org/show_bug.cgi?id=125552

        Reviewed by Oliver Hunt.
        
        The forward exit was just there so that we wouldn't have to keep the inputs alive up to
        the DoubleAsInt32. That's dumb. Forward exits are a complicated piece of machinery and
        we shouldn't have it just for a bit of liveness micro-optimization.
        
        Also add a bunch of machinery to test this case on X86.

        * assembler/AbstractMacroAssembler.h:
        (JSC::optimizeForARMv7s):
        (JSC::optimizeForARM64):
        (JSC::optimizeForX86):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        * runtime/Options.h:
        * tests/stress/double-as-int32.js: Added.
        (foo):
        (test):

2013-12-10  Filip Pizlo  <fpizlo@apple.com>

        Simplify CSE's treatment of NodeRelevantToOSR
        https://bugs.webkit.org/show_bug.cgi?id=125538

        Reviewed by Oliver Hunt.
        
        Make the NodeRelevantToOSR thing obvious: if there is any MovHint on a node then the
        node is relevant to OSR.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):

2013-12-10  Filip Pizlo  <fpizlo@apple.com>

        Get rid of forward exit in GetByVal on Uint32Array
        https://bugs.webkit.org/show_bug.cgi?id=125543

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):

2013-12-10  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Redundant instructions in code generated from offlineasm.
        https://bugs.webkit.org/show_bug.cgi?id=125528

        Reviewed by Michael Saboff.

        Optimize lowering of offlineasm BaseIndex Addresses.

        * offlineasm/mips.rb:

2013-12-10  Oliver Hunt  <oliver@apple.com>

        Reduce the mass templatizing of the JS parser
        https://bugs.webkit.org/show_bug.cgi?id=125535

        Reviewed by Michael Saboff.

        The various caches we have now have removed the need for many of
        the template vs. regular parameters.  This patch converts those
        template parameters to regular parameters and updates the call
        sites.  This reduces the code size of the parser by around 15%.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createProperty):
        * parser/Parser.cpp:
        (JSC::::parseInner):
        (JSC::::parseSourceElements):
        (JSC::::parseVarDeclarationList):
        (JSC::::createBindingPattern):
        (JSC::::tryParseDeconstructionPatternExpression):
        (JSC::::parseDeconstructionPattern):
        (JSC::::parseSwitchClauses):
        (JSC::::parseSwitchDefaultClause):
        (JSC::::parseBlockStatement):
        (JSC::::parseFormalParameters):
        (JSC::::parseFunctionInfo):
        (JSC::::parseFunctionDeclaration):
        (JSC::::parseProperty):
        (JSC::::parseObjectLiteral):
        (JSC::::parseStrictObjectLiteral):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::createGetterOrSetterProperty):

2013-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        ASSERT !heap.vm()->isInitializingObject() when finishing DFG compilation at beginning of GC
        https://bugs.webkit.org/show_bug.cgi?id=125472

        Reviewed by Geoff Garen.

        This patch makes it look like it's okay to allocate so that the DFG plan finalization stuff 
        can do what it needs to do. We already expected that we might do allocation during plan 
        finalization and we increased the deferral depth to handle this, but we need to fix this other 
        ASSERT stuff too.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/RecursiveAllocationScope.h: Added.
        (JSC::RecursiveAllocationScope::RecursiveAllocationScope):
        (JSC::RecursiveAllocationScope::~RecursiveAllocationScope):
        * runtime/VM.h:

2013-12-09  Filip Pizlo  <fpizlo@apple.com>

        Impose and enforce some basic rules of sanity for where Phi functions are allowed to occur and where their (optional) corresponding MovHints can be
        https://bugs.webkit.org/show_bug.cgi?id=125480

        Reviewed by Geoffrey Garen.
        
        Previously, if you wanted to insert some speculation right after where a value was
        produced, you'd get super confused if that value was produced by a Phi node.  You can't
        necessarily insert speculations after a Phi node because Phi nodes appear in this
        special sequence of Phis and MovHints that establish the OSR exit state for a block.
        So, you'd probably want to search for the next place where it's safe to insert things.
        We already do this "search for beginning of next bytecode instruction" search by
        looking at the next node that has a different CodeOrigin.  But this would be hard for a
        Phi because those Phis and MovHints have basically random CodeOrigins and they can all
        have different CodeOrigins.

        This change imposes some sanity for this situation:

        - Phis must have unset CodeOrigins.

        - In each basic block, all nodes that have unset CodeOrigins must come before all nodes
          that have set CodeOrigins.

        This all ends up working out just great because prior to this change we didn't have a 
        use for unset CodeOrigins.  I think it's appropriate to make "unset CodeOrigin" mean
        that we're in the prologue of a basic block.

        It's interesting what this means for block merging, which we don't yet do in SSA.
        Consider merging the edge A->B.  One possibility is that the block merger is now
        required to clean up Phi/Upsilons, and reascribe the MovHints to have the CodeOrigin of
        the A's block terminal.  But an answer that might be better is that the originless
        nodes at the top of the B are just given the origin of the terminal and we keep the
        Phis.  That would require changing the above rules.  We'll see how it goes, and what we
        end up picking...

        Overall, this special-things-at-the-top rule is analogous to what other SSA-based
        compilers do.  For example, LLVM has rules mandating that Phis appear at the top of a
        block.

        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::dump):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::validateSSA):

2013-12-08  Filip Pizlo  <fpizlo@apple.com>

        Reveal array bounds checks in DFG IR
        https://bugs.webkit.org/show_bug.cgi?id=125253

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        In SSA mode, this reveals array bounds checks and the load of array length in DFG IR,
        making this a candidate for LICM.

        This also fixes a long-standing performance bug where the JSObject slow paths would
        always create contiguous storage, rather than type-specialized storage, when doing a
        "storage creating" storage, like:
        
            var o = {};
            o[0] = 42;

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        (JSC::exitKindIsCountable):
        * bytecode/ExitKind.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::permitsBoundsCheckLowering):
        (JSC::DFG::ArrayMode::permitsBoundsCheckLowering):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::lengthNeedsStorage):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSSALoweringPhase.cpp: Added.
        (JSC::DFG::SSALoweringPhase::SSALoweringPhase):
        (JSC::DFG::SSALoweringPhase::run):
        (JSC::DFG::SSALoweringPhase::handleNode):
        (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
        (JSC::DFG::performSSALowering):
        * dfg/DFGSSALoweringPhase.h: Added.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckInBounds):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
        * runtime/JSObject.cpp:
        (JSC::JSObject::convertUndecidedForValue):
        (JSC::JSObject::createInitialForValueAndSet):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        * runtime/JSObject.h:
        * tests/stress/float32array-out-of-bounds.js: Added.
        (make):
        (foo):
        (test):
        * tests/stress/int32-object-out-of-bounds.js: Added.
        (make):
        (foo):
        (test):
        * tests/stress/int32-out-of-bounds.js: Added.
        (foo):
        (test):

2013-12-09  Sam Weinig  <sam@webkit.org>

        Replace use of WTF::FixedArray with std::array
        https://bugs.webkit.org/show_bug.cgi?id=125475

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::dump):
        * bytecode/Opcode.cpp:
        (JSC::OpcodeStats::~OpcodeStats):
        * dfg/DFGCSEPhase.cpp:
        * ftl/FTLAbstractHeap.h:
        * heap/MarkedSpace.h:
        * parser/ParserArena.h:
        * runtime/CodeCache.h:
        * runtime/DateInstanceCache.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        * runtime/JSString.h:
        * runtime/LiteralParser.h:
        * runtime/NumericStrings.h:
        * runtime/RegExpCache.h:
        * runtime/SmallStrings.h:

2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>

        Remove miscellaneous unnecessary build statements
        https://bugs.webkit.org/show_bug.cgi?id=125466

        Reviewed by Darin Adler.

        * DerivedSources.make:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * make-generated-sources.sh:

2013-12-08  Filip Pizlo  <fpizlo@apple.com>

        CSE should work in SSA
        https://bugs.webkit.org/show_bug.cgi?id=125430

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-12-09  Joseph Pecoraro  <pecoraro@apple.com>

        Remove docs/make-bytecode-docs.pl
        https://bugs.webkit.org/show_bug.cgi?id=125462

        This sript is very old and no longer outputs useful data since the
        op code definitions have moved from Interpreter.cpp.

        Reviewed by Darin Adler.

        * DerivedSources.make:
        * docs/make-bytecode-docs.pl: Removed.

2013-12-09  Julien Brianceau  <jbriance@cisco.com>

        Fix sh4 LLINT build.
        https://bugs.webkit.org/show_bug.cgi?id=125454

        Reviewed by Michael Saboff.

        In LLINT, sh4 backend implementation didn't handle properly conditional jumps using
        a LabelReference instance. This patch fixes it through sh4LowerMisplacedLabels phase.
        Also, to avoid the need of a 4th temporary gpr, this phase is triggered later in
        getModifiedListSH4.

        * offlineasm/sh4.rb:

2013-12-08  Filip Pizlo  <fpizlo@apple.com>

        Add the notion of ConstantStoragePointer to DFG IR
        https://bugs.webkit.org/show_bug.cgi?id=125395

        Reviewed by Oliver Hunt.
        
        This pushes more typed array folding into StrengthReductionPhase, and enables CSE on
        storage pointers. Previously, you might have separate nodes for the same storage
        pointer and this would cause some bad register pressure in the DFG. Note that this
        was really a theoretical problem and not, to my knowledge a practical one - so this
        patch is basically just a clean-up.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::constantStoragePointerCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToConstantStoragePointer):
        (JSC::DFG::Node::hasStoragePointer):
        (JSC::DFG::Node::storagePointer):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileConstantStoragePointer):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
        (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileConstantStoragePointer):
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):

2013-12-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support UntypedUse versions of Compare nodes
        https://bugs.webkit.org/show_bug.cgi?id=125426

        Reviewed by Oliver Hunt.
        
        This adds UntypedUse versions of all comparisons except CompareStrictEq, which is
        sufficiently different that I thought I'd do it in another patch.
        
        This also extends our ability to abstract over comparison kind and removes a bunch of
        copy-paste code.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
        (JSC::FTL::LowerDFGToLLVM::compare):
        (JSC::FTL::LowerDFGToLLVM::nonSpeculativeCompare):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::icmp):
        (JSC::FTL::Output::equal):
        (JSC::FTL::Output::notEqual):
        (JSC::FTL::Output::above):
        (JSC::FTL::Output::aboveOrEqual):
        (JSC::FTL::Output::below):
        (JSC::FTL::Output::belowOrEqual):
        (JSC::FTL::Output::greaterThan):
        (JSC::FTL::Output::greaterThanOrEqual):
        (JSC::FTL::Output::lessThan):
        (JSC::FTL::Output::lessThanOrEqual):
        (JSC::FTL::Output::fcmp):
        (JSC::FTL::Output::doubleEqual):
        (JSC::FTL::Output::doubleNotEqualOrUnordered):
        (JSC::FTL::Output::doubleLessThan):
        (JSC::FTL::Output::doubleLessThanOrEqual):
        (JSC::FTL::Output::doubleGreaterThan):
        (JSC::FTL::Output::doubleGreaterThanOrEqual):
        (JSC::FTL::Output::doubleEqualOrUnordered):
        (JSC::FTL::Output::doubleNotEqual):
        (JSC::FTL::Output::doubleLessThanOrUnordered):
        (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
        (JSC::FTL::Output::doubleGreaterThanOrUnordered):
        (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
        * tests/stress/untyped-equality.js: Added.
        (foo):
        * tests/stress/untyped-less-than.js: Added.
        (foo):

2013-12-07  Filip Pizlo  <fpizlo@apple.com>

        Fold typedArray.length if typedArray is constant
        https://bugs.webkit.org/show_bug.cgi?id=125252

        Reviewed by Sam Weinig.
        
        This was meant to be easy. The problem is that there was no good place for putting
        the folding of typedArray.length to a constant. You can't quite do it in the
        bytecode parser because at that point you don't yet know if typedArray is really
        a typed array. You can't do it as part of constant folding because the folder
        assumes that it can opportunistically forward-flow a constant value without changing
        the IR; this doesn't work since we need to first change the IR to register a
        desired watchpoint and only after that can we introduce that constant. We could have
        done it in Fixup but that would have been awkward since Fixup's code for turning a
        GetById of "length" into GetArrayLength is already somewhat complex. We could have
        done it in CSE but CSE is already fairly gnarly and will probably get rewritten.
        
        So I introduced a new phase, called StrengthReduction. This phase should have any
        transformations that don't requite CFA or CSE and that it would be weird to put into
        those other phases.
        
        I also took the opportunity to refactor some of the other folding code.
        
        This also adds a test, but the test couldn't quite be a LayoutTests/js/regress so I
        introduced the notion of JavaScriptCore/tests/stress.
        
        The goal of this patch isn't really to improve performance or anything like that.
        It adds an optimization for completeness, and in doing so it unlocks a bunch of new
        possibilities. The one that I'm most excited about is revealing array length checks
        in DFG IR, which will allow for array bounds check hoisting and elimination.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetFoldableView):
        (JSC::DFG::Graph::tryGetFoldableViewForChild1):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArray):
        (JSC::DFG::Node::typedArray):
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
        (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp: Added.
        (JSC::DFG::StrengthReductionPhase::StrengthReductionPhase):
        (JSC::DFG::StrengthReductionPhase::run):
        (JSC::DFG::StrengthReductionPhase::handleNode):
        (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant):
        (JSC::DFG::performStrengthReduction):
        * dfg/DFGStrengthReductionPhase.h: Added.
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionTransferArrayBuffer):
        * runtime/ArrayBufferView.h:
        * tests/stress: Added.
        * tests/stress/fold-typed-array-properties.js: Added.
        (foo):

2013-12-07  peavo@outlook.com  <peavo@outlook.com>

        [Win][64-bit] Hitting breakpoint assembler instruction in callToJavaScript.
        https://bugs.webkit.org/show_bug.cgi?id=125382

        Reviewed by Michael Saboff.

        The WinCairo results from run-javascriptcore-tests are the same as the WinCairo 32-bits results, when removing these breakpoints.

        * jit/JITStubsMSVC64.asm: Remove breakpoint instructions.

2013-12-06  Filip Pizlo  <fpizlo@apple.com>

        FTL should support all of Branch/LogicalNot
        https://bugs.webkit.org/show_bug.cgi?id=125370

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::boolify):

2013-12-06  Roger Fong <roger_fong@apple.com> and Brent Fulgham  <bfulgham@apple.com>

        [Win] Support compiling with VS2013
        https://bugs.webkit.org/show_bug.cgi?id=125353

        Reviewed by Anders Carlsson.

        * API/tests/testapi.c: Use C99 defines if available.
        * jit/JITOperations.cpp: Don't attempt to define C linkage when
        returning a C++ object.

2013-12-06  Filip Pizlo  <fpizlo@apple.com>

        FTL should support generic ByVal accesses
        https://bugs.webkit.org/show_bug.cgi?id=125368

        Reviewed by Mark Hahnenberg.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isStrictModeFor):
        (JSC::DFG::Graph::ecmaModeFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-12-06  Filip Pizlo  <fpizlo@apple.com>

        FTL should support hole/OOB array accesses
        https://bugs.webkit.org/show_bug.cgi?id=118077

        Reviewed by Oliver Hunt and Mark Hahnenberg.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::baseIndex):

2013-12-06  Michael Saboff  <msaboff@apple.com>

        Split sizing of VarArgs frames from loading arguments for the frame
        https://bugs.webkit.org/show_bug.cgi?id=125331

        Reviewed by Filip Pizlo.

        Split loadVarargs into sizeAndAllocFrameForVarargs() and loadVarargs() in
        preparation for moving onto the C stack.  sizeAndAllocFrameForVarargs() will
        compute the size of the callee frame and allocate it, while loadVarargs()
        actually loads the argument values.

        As part of moving onto the C stack, sizeAndAllocFrameForVarargs() will be
        changed to a function that just computes the size.  The caller will use that
        size to allocate the new frame on the stack before calling loadVargs() and
        actually making the call.

        * interpreter/Interpreter.cpp:
        (JSC::sizeAndAllocFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/VM.h:

2013-12-06  Filip Pizlo  <fpizlo@apple.com>

        FTL should support all of ValueToInt32
        https://bugs.webkit.org/show_bug.cgi?id=125283

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::isCell):

2013-12-06  Filip Pizlo  <fpizlo@apple.com>

        FTL shouldn't have a doubleToUInt32 path
        https://bugs.webkit.org/show_bug.cgi?id=125360

        Reviewed by Mark Hahnenberg.
        
        This code existed because I incorrectly thought it was necessary. It's now basically
        dead.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-12-06  Laszlo Vidacs  <lac@inf.u-szeged.hu>

        Define SHA1 hash size in SHA1.h and use it at various places.
        https://bugs.webkit.org/show_bug.cgi?id=125345

        Reviewed by Darin Adler.

        Use SHA1::hashSize instead of local variables.

        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::CodeBlockHash): use SHA1::hashSize

2013-12-05  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r160213): Crash in js/dom/JSON-parse.html
        https://bugs.webkit.org/show_bug.cgi?id=125335

        Reviewed by Mark Lam.

        Changed _llint_op_catch to materialize the VM via the scope chain instead of 
        the CodeBlock.  CallFrames always have a scope chain, but may have a null CodeBlock.

        * llint/LowLevelInterpreter32_64.asm:
        (_llint_op_catch):
        * llint/LowLevelInterpreter64.asm:
        (_llint_op_catch):

2013-12-05  Michael Saboff  <msaboff@apple.com>

        JSC: Simplify interface between throw and catch handler
        https://bugs.webkit.org/show_bug.cgi?id=125328

        Reviewed by Geoffrey Garen.

        Simplified the throw - catch interface.  The throw side is only responsible for
        jumping to the appropriate op_catch handler or returnFromJavaScript for uncaught
        exceptions.  The handler uses the exception values like VM.callFrameForThrow
        as appropriate and no longer relies on the throw side putting anything in
        registers.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * llint/LowLevelInterpreter32_64.asm:
        (_llint_op_catch):
        (_llint_throw_from_slow_path_trampoline):
        * llint/LowLevelInterpreter64.asm:
        (_llint_op_catch):
        (_llint_throw_from_slow_path_trampoline):

2013-12-04  Oliver Hunt  <oliver@apple.com>

        Refactor static getter function prototype to include thisValue in addition to the base object
        https://bugs.webkit.org/show_bug.cgi?id=124461

        Reviewed by Geoffrey Garen.

        Add thisValue parameter to static getter prototype, and switch
        from JSValue to EncodedJSValue for parameters and return value.

        Currently none of the static getters use the thisValue, but
        separating out the refactoring will prevent future changes
        from getting lost in the noise of refactoring.  This means
        that this patch does not result in any change in behaviour.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * jit/JITOperations.cpp:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::nameGetter):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::asRegExpConstructor):
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpObject.cpp:
        (JSC::asRegExpObject):
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):

2013-12-04  Filip Pizlo  <fpizlo@apple.com>

        FTL should use cvttsd2si directly for double-to-int32 conversions
        https://bugs.webkit.org/show_bug.cgi?id=125275

        Reviewed by Michael Saboff.
        
        Wow. This was an ordeal. Using cvttsd2si was actually easy, but I learned, and
        sometimes even fixed, some interesting things:
        
        - The llvm.x86.sse2.cvttsd2si intrinsic can actually result in LLVM emitting a
          vcvttsd2si. I guess the intrinsic doesn't actually imply the instruction.
        
        - That whole thing about branchTruncateDoubleToUint32? Yeah we don't need that. It's
          better to use branchTruncateDoubleToInt32 instead. It has the right semantics for
          all of its callers (err, its one-and-only caller), and it's more likely to take
          fast path. This patch kills branchTruncateDoubleToUint32.
        
        - "a[i] = v; v = a[i]". Does this change v? OK, assume that 'a[i]' is a pure-ish
          operation - like an array access with 'i' being an integer index and we're not
          having a bad time. Now does this change v? CSE assumes that it doesn't. That's
          wrong. If 'a' is a typed array - the most sensible and pure kind of array - then
          this can be a truncating cast. For example 'v' could be a double and 'a' could be
          an integer array.
        
        - "v1 = a[i]; v2 = a[i]". Is v1 === v2 assuming that 'a[i]' is pure-ish? The answer
          is no. You could have a different arrayMode in each access. I know this sounds
          weird, but with concurrent JIT that might happen.
        
        This patch adds tests for all of this stuff, except for the first issue (it's weird
        but probably doesn't matter) and the last issue (it's too much of a freakshow).

        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerX86Common.h:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::vectorType):
        (JSC::FTL::getUndef):
        (JSC::FTL::buildInsertElement):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
        (JSC::FTL::LowerDFGToLLVM::sensibleDoubleToInt32):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::insertElement):
        (JSC::FTL::Output::hasSensibleDoubleToInt):
        (JSC::FTL::Output::sensibleDoubleToInt):

2013-12-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r160133.
        http://trac.webkit.org/changeset/160133
        https://bugs.webkit.org/show_bug.cgi?id=125325

        broke bindings tests on all the bots (Requested by thorton on
        #webkit).

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * jit/JITOperations.cpp:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::nameGetter):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):

2013-12-05  Mark Lam  <mark.lam@apple.com>

        Make the C Loop LLINT work with callToJavaScript.
        https://bugs.webkit.org/show_bug.cgi?id=125294.

        Reviewed by Michael Saboff.

        1. Changed the C Loop LLINT to dispatch to an Executable via its JITCode
           instance which is consistent with how the ASM LLINT works.
        2. Changed CLoop::execute() to take an Opcode instead of an OpcodeID.
           This makes it play nice with the use of JITCode for dispatching.
        3. Introduce a callToJavaScript and callToNativeFunction for the C Loop
           LLINT. These will call JSStack::pushFrame() and popFrame() to setup
           and teardown the CallFrame.
        4. Also introduced a C Loop returnFromJavaScript which is just a
           replacement for ctiOpThrowNotCaught which had the same function.
        5. Remove a lot of #if ENABLE(LLINT_C_LOOP) code now that the dispatch
           mechanism is consistent.

        This patch has been tested with both configurations of COMPUTED_GOTOs
        on and off.

        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        (JSC::CachedCall::call):
        (JSC::CachedCall::setArgument):
        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::setThis):
        (JSC::CallFrameClosure::setArgument):
        (JSC::CallFrameClosure::resetCallFrame):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::pushFrame):
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::scope):
        (JSC::ProtoCallFrame::callee):
        (JSC::ProtoCallFrame::thisValue):
        (JSC::ProtoCallFrame::argument):
        (JSC::ProtoCallFrame::setArgument):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITCode.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        * llint/LLIntCLoop.h:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        - Inverted the check for vm.canUseJIT(). This allows the JIT case to be
          #if'd out nicely when building the C Loop LLINT.
        * llint/LLIntOpcode.h:
        * llint/LLIntThunks.cpp:
        (JSC::doCallToJavaScript):
        (JSC::executeJS):
        (JSC::callToJavaScript):
        (JSC::executeNative):
        (JSC::callToNativeFunction):
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ExecutableBase::hostCodeEntryFor):
        (JSC::ExecutableBase::jsCodeEntryFor):
        (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        (JSC::ProgramExecutable::generatedJITCode):
        * runtime/JSArray.cpp:
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        * runtime/VM.cpp:
        (JSC::VM::getHostFunction):

2013-12-05  Laszlo Vidacs  <lac@inf.u-szeged.hu>

        Fix JavaScriptCore build if cloop is enabled after r160094
        https://bugs.webkit.org/show_bug.cgi?id=125292

        Reviewed by Michael Saboff.

        Move ProtoCallFrame outside the JIT guard.

        * jit/JITCode.h:

2013-12-04  Filip Pizlo  <fpizlo@apple.com>

        Fold constant typed arrays
        https://bugs.webkit.org/show_bug.cgi?id=125205

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        If by some other mechanism we have a typed array access on a compile-time constant
        typed array pointer, then fold:
        
        - Array bounds checks. Specifically, fold the load of length.
        
        - Loading the vector.
        
        This needs to install a watchpoint on the array itself because of the possibility of
        neutering. Neutering is ridiculous. We do this without bloating the size of
        ArrayBuffer or JSArrayBufferView in the common case (i.e. the case where you
        allocated an array that didn't end up becoming a compile-time constant). To install
        the watchpoint, we slowDownAndWasteMemory and then create an incoming reference to
        the ArrayBuffer, where that incoming reference is from a watchpoint object. The
        ArrayBuffer already knows about such incoming references and can fire the
        watchpoints that way.
        
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
        (JSC::DFG::DesiredWatchpoints::addLazily):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::GenericSetAdaptor::add):
        (JSC::DFG::GenericSetAdaptor::hasBeenInvalidated):
        (JSC::DFG::ArrayBufferViewWatchpointAdaptor::hasBeenInvalidated):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
        (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
        (JSC::DFG::DesiredWatchpoints::isStillValid):
        (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
        (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetFoldableView):
        * dfg/DFGGraph.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
        (JSC::DFG::SpeculativeJIT::emitTypedArrayBoundsCheck):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileConstantIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::transfer):
        * runtime/ArrayBufferNeuteringWatchpoint.cpp: Added.
        (JSC::ArrayBufferNeuteringWatchpoint::ArrayBufferNeuteringWatchpoint):
        (JSC::ArrayBufferNeuteringWatchpoint::~ArrayBufferNeuteringWatchpoint):
        (JSC::ArrayBufferNeuteringWatchpoint::finishCreation):
        (JSC::ArrayBufferNeuteringWatchpoint::destroy):
        (JSC::ArrayBufferNeuteringWatchpoint::create):
        (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
        * runtime/ArrayBufferNeuteringWatchpoint.h: Added.
        (JSC::ArrayBufferNeuteringWatchpoint::set):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-12-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r160116.
        http://trac.webkit.org/changeset/160116
        https://bugs.webkit.org/show_bug.cgi?id=125264

        Change doesn't work as intended. See bug comments for details.
        (Requested by bfulgham on #webkit).

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2013-12-04  Oliver Hunt  <oliver@apple.com>

        Refactor static getter function prototype to include thisValue in addition to the base object
        https://bugs.webkit.org/show_bug.cgi?id=124461

        Reviewed by Geoffrey Garen.

        Add thisValue parameter to static getter prototype, and switch
        from JSValue to EncodedJSValue for parameters and return value.

        Currently none of the static getters use the thisValue, but
        separating out the refactoring will prevent future changes
        from getting lost in the noise of refactoring.  This means
        that this patch does not result in any change in behaviour.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * jit/JITOperations.cpp:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        (JSC::JSFunction::nameGetter):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorNaNValue):
        (JSC::numberConstructorNegInfinity):
        (JSC::numberConstructorPosInfinity):
        (JSC::numberConstructorMaxValue):
        (JSC::numberConstructorMinValue):
        * runtime/PropertySlot.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::asRegExpConstructor):
        (JSC::regExpConstructorDollar1):
        (JSC::regExpConstructorDollar2):
        (JSC::regExpConstructorDollar3):
        (JSC::regExpConstructorDollar4):
        (JSC::regExpConstructorDollar5):
        (JSC::regExpConstructorDollar6):
        (JSC::regExpConstructorDollar7):
        (JSC::regExpConstructorDollar8):
        (JSC::regExpConstructorDollar9):
        (JSC::regExpConstructorInput):
        (JSC::regExpConstructorMultiline):
        (JSC::regExpConstructorLastMatch):
        (JSC::regExpConstructorLastParen):
        (JSC::regExpConstructorLeftContext):
        (JSC::regExpConstructorRightContext):
        * runtime/RegExpObject.cpp:
        (JSC::asRegExpObject):
        (JSC::regExpObjectGlobal):
        (JSC::regExpObjectIgnoreCase):
        (JSC::regExpObjectMultiline):
        (JSC::regExpObjectSource):

2013-12-04  Daniel Bates  <dabates@apple.com>

        [iOS] Enable Objective-C ARC when building JSC tools for iOS simulator
        https://bugs.webkit.org/show_bug.cgi?id=125170

        Reviewed by Geoffrey Garen.

        * API/tests/testapi.mm:
        * Configurations/ToolExecutable.xcconfig:

2013-12-04  peavo@outlook.com  <peavo@outlook.com>

        Use ThreadingOnce class to encapsulate pthread_once functionality.
        https://bugs.webkit.org/show_bug.cgi?id=125228

        Reviewed by Brent Fulgham.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):

2013-12-04  Mark Lam  <mark.lam@apple.com>

        Remove unneeded semicolons.
        https://bugs.webkit.org/show_bug.cgi?id=125083.

        Rubber-stamped by Filip Pizlo.

        * debugger/Debugger.h:
        (JSC::Debugger::detach):
        (JSC::Debugger::sourceParsed):
        (JSC::Debugger::exception):
        (JSC::Debugger::atStatement):
        (JSC::Debugger::callEvent):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::willExecuteProgram):
        (JSC::Debugger::didExecuteProgram):
        (JSC::Debugger::didReachBreakpoint):

2013-12-04  Andy Estes  <aestes@apple.com>

        [iOS] Build projects with $(ARCHS_STANDARD_32_64_BIT)
        https://bugs.webkit.org/show_bug.cgi?id=125236

        Reviewed by Sam Weinig.

        $(ARCHS_STANDARD_32_64_BIT) is what we want for both device and simulator builds.

        * Configurations/DebugRelease.xcconfig:

2013-12-03  Filip Pizlo  <fpizlo@apple.com>

        Infer constant closure variables
        https://bugs.webkit.org/show_bug.cgi?id=124630

        Reviewed by Geoffrey Garen.
        
        Captured variables that are assigned once (not counting op_enter's Undefined
        initialization) and that are contained within a function that has thus far only been
        entered once are now constant folded. It's pretty awesome.
        
        This involves a watchpoint on the assignment to variables and a watchpoint on entry
        into the function. The former is reused from global variable constant inference and the
        latter is reused from one-time closure inference.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedInstruction::UnlinkedInstruction):
        * bytecode/VariableWatchpointSet.h:
        (JSC::VariableWatchpointSet::invalidate):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::invalidate):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitInitLazyRegister):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::watchableVariable):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::inferredConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetActivation):
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGGraph.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_captured_mov):
        (JSC::JIT::emit_op_new_captured_func):
        (JSC::JIT::emitSlow_op_captured_mov):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_captured_mov):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/ConstantMode.h: Added.
        * runtime/JSGlobalObject.h:
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):

2013-12-04  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed project file gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Remove deleted files from project.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Put files in proper directory
        folders to match the directory structure of the source code.

2013-12-04  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed Windows Build Fix attempt after r160099.

        * JavaScriptCore.vcxproj/copy-files.cmd:

2013-12-04  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION (r160094): Fix lots of crashes for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=125227

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter32_64.asm: Do not use t4 and t5 as they match a0 and a1.
        * offlineasm/registers.rb: Add t7, t8 and t9 in register list for sh4 port.
        * offlineasm/sh4.rb: Rearrange RegisterID list and add the missing ones.

2013-12-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Push Remote Inspector debugging connection management into JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=124613

        Reviewed by Timothy Hatcher.

        Move the ENABLE(REMOTE_INSPECTOR) remote debugger connection management
        into JavaScriptCore (originally from WebKit/mac). Include enhancements:

          * allow for different types of remote debuggable targets,
            eventually at least a JSContext, WebView, WKView.
          * allow debuggables to be registered and debugged on any thread. Unlike
            WebViews, JSContexts may be run entirely off of the main thread.
          * move the remote connection (XPC connection) itself off of the main thread,
            it doesn't need to be on the main thread.

        Make JSContext @class and JavaScriptCore::JSContextRef
        "JavaScript" Remote Debuggables.

        * inspector/remote/RemoteInspectorDebuggable.h: Added.
        * inspector/remote/RemoteInspectorDebuggable.cpp: Added.
        (Inspector::RemoteInspectorDebuggable::RemoteInspectorDebuggable):
        (Inspector::RemoteInspectorDebuggable::~RemoteInspectorDebuggable):
        (Inspector::RemoteInspectorDebuggable::init):
        (Inspector::RemoteInspectorDebuggable::update):
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        (Inspector::RemoteInspectorDebuggable::info):
        RemoteInspectorDebuggable defines a debuggable target. As long as
        something creates a debuggable and is set to allow remote inspection
        it will be listed in remote debuggers. For the different types of
        debuggables (JavaScript and Web) there is different basic information
        that may be listed.

        * inspector/InspectorFrontendChannel.h: Added.
        (Inspector::InspectorFrontendChannel::~InspectorFrontendChannel):
        The only thing a debuggable needs for remote debugging is an
        InspectorFrontendChannel a way to send messages to a remote frontend.
        This class provides that method, and is vended to the
        RemoteInspectorDebuggable when a remote connection is setup.

        * inspector/remote/RemoteInspector.h: Added.
        * inspector/remote/RemoteInspector.mm: Added.
        Singleton, created at least when the first Debuggable is created.
        This class manages the list of debuggables, any connection to a
        remote debugger proxy (XPC service "com.apple.webinspector").

        (Inspector::dispatchAsyncOnQueueSafeForAnyDebuggable):
        (Inspector::RemoteInspector::shared):
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::nextAvailableIdentifier):
        (Inspector::RemoteInspector::registerDebuggable):
        (Inspector::RemoteInspector::unregisterDebuggable):
        (Inspector::RemoteInspector::updateDebuggable):
        Debuggable management. When debuggables are added, removed, or updated
        we stash a copy of the debuggable information and push an update to
        debuggers. Stashing a copy of the information in the RemoteInspector
        is a thread safe way to avoid walking over all debuggables to gather
        the information when it is needed.

        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stop):
        Runtime API to enable / disable the feature.

        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::pushListingNow):
        (Inspector::RemoteInspector::pushListingSoon):
        Pushing a listing to remote debuggers.

        (Inspector::RemoteInspector::sendMessageToRemoteFrontend):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::xpcConnectionUnhandledMessage):
        XPC setup, send, and receive handling.

        (Inspector::RemoteInspector::updateHasActiveDebugSession):
        Applications being debugged may want to know when a debug
        session is active. This provides that notification.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::receivedDataMessage):
        (Inspector::RemoteInspector::receivedDidCloseMessage):
        (Inspector::RemoteInspector::receivedGetListingMessage):
        (Inspector::RemoteInspector::receivedIndicateMessage):
        (Inspector::RemoteInspector::receivedConnectionDiedMessage):
        Dispatching incoming remote debugging protocol messages.
        These are wrapping above the inspector protocol messages.

        * inspector/remote/RemoteInspectorConstants.h: Added.
        Protocol messages and dictionary keys inside the messages.

        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        * inspector/remote/RemoteInspectorDebuggableConnection.h: Added.
        * inspector/remote/RemoteInspectorDebuggableConnection.mm: Added.
        This is a connection between the RemoteInspector singleton and a RemoteInspectorDebuggable.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        Allow for dispatching messages on JavaScript debuggables on a dispatch_queue
        instead of the main queue.

        (Inspector::RemoteInspectorDebuggableConnection::destination):
        (Inspector::RemoteInspectorDebuggableConnection::connectionIdentifier):
        Needed in the remote debugging protocol to identify the remote debugger.

        (Inspector::RemoteInspectorDebuggableConnection::dispatchSyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        (Inspector::RemoteInspectorDebuggableConnection::closeFromDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::close):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToFrontend):
        The connection is a thin channel between the two sides that can be closed
        from either side, so there is some logic around multi-threaded access.

        * inspector/remote/RemoteInspectorXPCConnection.h: Added.
        (Inspector::RemoteInspectorXPCConnection::Client::~Client):
        * inspector/remote/RemoteInspectorXPCConnection.mm: Added.
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::~RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        (Inspector::RemoteInspectorXPCConnection::sendMessage):
        This is a connection between the RemoteInspector singleton and an XPC service
        named "com.apple.webinspector". This handles serialization of the dictionary
        messages to and from the service. The receiving is done on a non-main queue.

        * API/JSContext.h:
        * API/JSContext.mm:
        (-[JSContext name]):
        (-[JSContext setName:]):
        ObjC API to enable/disable JSContext remote inspection and give a name.

        * API/JSContextRef.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetName):
        (JSGlobalContextSetName):
        C API to give a JSContext a name.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setName):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::name):
        Shared handling of the APIs above.

        * runtime/JSGlobalObjectDebuggable.cpp: Added.
        (JSC::JSGlobalObjectDebuggable::JSGlobalObjectDebuggable):
        (JSC::JSGlobalObjectDebuggable::name):
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        * runtime/JSGlobalObjectDebuggable.h: Added.
        Stub for the actual remote debugging implementation. We will push
        down the appropriate WebCore/inspector peices suitable for debugging
        just a JavaScript context.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Update build files.

2013-12-04  Michael Saboff  <msaboff@apple.com>

        Move the setting up of callee's callFrame from pushFrame to callToJavaScript thunk
        https://bugs.webkit.org/show_bug.cgi?id=123999

        Reviewed by Filip Pizlo.

        Changed LLInt and/or JIT enabled ports to allocate the stack frame in the
        callToJavaScript stub.  Added an additional stub, callToNativeFunction that
        allocates a stack frame in a similar way for calling native entry points
        that take a single ExecState* argument.  These stubs are implemented
        using common macros in LowLevelInterpreter{32_64,64}.asm.  There are also
        Windows X86 and X86-64 versions in the corresponding JitStubsXX.h.
        The stubs allocate and create a sentinel frame, then create the callee's
        frame, populating  the header and arguments from the passed in ProtoCallFrame*.
        It is assumed that the caller of either stub does a check for enough stack space
        via JSStack::entryCheck().

        For ports using the C-Loop interpreter, the prior method for allocating stack
        frame and invoking functions is used, namely with JSStack::pushFrame() and
        ::popFrame().

        Made spelling changes "sentinal" -> "sentinel".

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        (JSC::CachedCall::setThis):
        (JSC::CachedCall::setArgument):
        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::resetCallFrame):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::entryCheck):
        (JSC::JSStack::pushFrame):
        (JSC::JSStack::popFrame):
        * interpreter/ProtoCallFrame.cpp: Added.
        (JSC::ProtoCallFrame::init):
        * interpreter/ProtoCallFrame.h: Added.
        (JSC::ProtoCallFrame::codeBlock):
        (JSC::ProtoCallFrame::setCodeBlock):
        (JSC::ProtoCallFrame::setScope):
        (JSC::ProtoCallFrame::setCallee):
        (JSC::ProtoCallFrame::argumentCountIncludingThis):
        (JSC::ProtoCallFrame::argumentCount):
        (JSC::ProtoCallFrame::setArgumentCountIncludingThis):
        (JSC::ProtoCallFrame::setPaddedArgsCount):
        (JSC::ProtoCallFrame::clearCurrentVPC):
        (JSC::ProtoCallFrame::setThisValue):
        (JSC::ProtoCallFrame::setArgument):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITCode.h:
        * jit/JITOperations.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArgList.h:
        (JSC::ArgList::data):
        * runtime/JSArray.cpp:
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):

2013-12-04  László Langó  <lango@inf.u-szeged.hu>

        Remove stdio.h from JSC files.
        https://bugs.webkit.org/show_bug.cgi?id=125220

        Reviewed by Michael Saboff.

        * interpreter/VMInspector.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * runtime/Completion.cpp:
        * runtime/IndexingType.cpp:
        * runtime/Lookup.h:
        * runtime/Operations.cpp:
        * runtime/Options.cpp:
        * runtime/RegExp.cpp:

2013-12-04  László Langó  <lango@inf.u-szeged.hu>

        Avoid to add zero offset in BaseIndex.
        https://bugs.webkit.org/show_bug.cgi?id=125215

        Reviewed by Michael Saboff.

        When using cloop do not generate offsets additions for BaseIndex if the offset is zero.

        * offlineasm/cloop.rb:

2013-12-04  Peter Molnar  <pmolnar.u-szeged@partner.samsung.com>

        Fix !ENABLE(JAVASCRIPT_DEBUGGER) build.
        https://bugs.webkit.org/show_bug.cgi?id=125083

        Reviewed by Mark Lam.

        * debugger/Debugger.cpp:
        * debugger/Debugger.h:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::needsOpDebugCallbacks):
        (JSC::Debugger::needsExceptionCallbacks):
        (JSC::Debugger::detach):
        (JSC::Debugger::sourceParsed):
        (JSC::Debugger::exception):
        (JSC::Debugger::atStatement):
        (JSC::Debugger::callEvent):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::willExecuteProgram):
        (JSC::Debugger::didExecuteProgram):
        (JSC::Debugger::didReachBreakpoint):
        * debugger/DebuggerPrimitives.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:

2013-12-03  Mark Lam  <mark.lam@apple.com>

        testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size().
        https://bugs.webkit.org/show_bug.cgi?id=121972.

        Reviewed by Brent Fulgham.

        * interpreter/JSStack.cpp:
        (JSC::JSStack::~JSStack):
        - Reverting the change from r160004 since it's better to fix OSAllocatorWin
          to be consistent with OSAllocatorPosix.

2013-12-03  Mark Lam  <mark.lam@apple.com>

        Fix LLINT_C_LOOP build for Win64.
        https://bugs.webkit.org/show_bug.cgi?id=125186.

        Reviewed by Michael Saboff.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * jit/JITOperationsMSVC64.cpp: Added.
        (JSC::getHostCallReturnValueWithExecState):
        - Win64 will build JITStubMSVC64.asm even when !ENABLE(JIT). This results
          in a linkage error due to a missing getHostCallReturnValueWithExecState().
          So, we add a stub getHostCallReturnValueWithExecState() here to satisfy
          that linkage. This function will never be called.
          The alternative to providing such a stub is to make the MSVC project
          recognize if the JIT is enabled or not, and exclude JITStubMSVC64.asm
          if it's not enabled. We don't currently set ENABLE(JIT) via the MSVC
          project and the work to do that is too much trouble for what we're trying
          to achieve here. So, we're opting for this simpler workaround instead.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        - Don't build callToJavaScript if we're building the C loop. Otherwise,
          the C loop won't build if !ENABLE(COMPUTE_GOTO_OPCODES). 

2013-12-03  Michael Saboff  <msaboff@apple.com>

        ARM64: Crash in JIT code due to improper reuse of cached memory temp register
        https://bugs.webkit.org/show_bug.cgi?id=125181

        Reviewed by Geoffrey Garen.

        Changed load8() and load() to invalidate the memory temp CachedTempRegister when the
        destination of an absolute load is the memory temp register since the source address
        is also the memory temp register.  Change branch{8,32,64} of an AbsoluteAddress with
        a register to use the dataTempRegister as the destinate of the absolute load to
        reduce the chance that we need to invalidate the memory temp register cache.
        In the process, found and fixed an outright bug in branch8() where we'd load into
        the data temp register and then compare and branch on the memory temp register.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::branch32):
        (JSC::MacroAssemblerARM64::branch64):
        (JSC::MacroAssemblerARM64::branch8):
        (JSC::MacroAssemblerARM64::load):

2013-12-03  Michael Saboff  <msaboff@apple.com>

        jit/JITArithmetic.cpp doesn't build for non-X86 ports
        https://bugs.webkit.org/show_bug.cgi?id=125185

        Rubber stamped by Mark Hahnenberg.

        Removed unused declarations and related UNUSED_PARAM().

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_mod):

2013-12-03  Filip Pizlo  <fpizlo@apple.com>

        ObjectAllocationProfile is racy and the DFG should be cool with that
        https://bugs.webkit.org/show_bug.cgi?id=125172
        <rdar://problem/15233487>

        Reviewed by Mark Hahnenberg.
        
        We would previously sometimes get a null Structure because checking if the profile is non-null and loading
        the structure from it were two separate operations.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::setFuturePossibleStructure):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationProfile):
        (JSC::JSFunction::allocationStructure):

2013-12-03  peavo@outlook.com  <peavo@outlook.com>

        testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()
        https://bugs.webkit.org/show_bug.cgi?id=121972

        Reviewed by Michael Saboff.

        The reason for the crash is that the wrong memory block is decommitted.
        This can happen if no memory has been committed in the reserved block before the JSStack object is destroyed.
        In the JSStack destructor, the pointer to decommit then points to the end of the block (or the start of the next), and the decommit size is zero.
        If there is a block just after the block we are trying to decommit, this block will be decommitted, since Windows will decommit the whole block,
        if the decommit size is zero (see VirtualFree). When somebody tries to read/write to this block later, we crash.

        * interpreter/JSStack.cpp:
        (JSC::JSStack::~JSStack): Don't decommit memory if nothing has been committed.

2013-12-03  László Langó  <lango@inf.u-szeged.hu>

        Guard JIT include.
        https://bugs.webkit.org/show_bug.cgi?id=125063

        Reviewed by Filip Pizlo.

        * llint/LLIntThunks.cpp:

2013-12-03  Julien Brianceau  <jbriance@cisco.com>

        Merge mips and arm/sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions.
        https://bugs.webkit.org/show_bug.cgi?id=125067

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):

2013-12-02  Mark Lam  <mark.lam@apple.com>

        Build failure when disabling JIT, YARR_JIT, and ASSEMBLER.
        https://bugs.webkit.org/show_bug.cgi?id=123809.

        Reviewed by Geoffrey Garen.

        Also fixed build when disabling the DISASSEMBLER.
        Added some needed #if's and some comments.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithDisassembly):
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        (JSC::DFG::Disassembler::Disassembler):
        (JSC::DFG::Disassembler::setStartOfCode):
        (JSC::DFG::Disassembler::setForBlockIndex):
        (JSC::DFG::Disassembler::setForNode):
        (JSC::DFG::Disassembler::setEndOfMainPath):
        (JSC::DFG::Disassembler::setEndOfCode):
        (JSC::DFG::Disassembler::dump):
        (JSC::DFG::Disassembler::reportToProfiler):
        * disassembler/Disassembler.cpp:
        * disassembler/X86Disassembler.cpp:
        * jit/FPRInfo.h:
        * jit/GPRInfo.h:
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        (JSC::JITDisassembler::JITDisassembler):
        (JSC::JITDisassembler::setStartOfCode):
        (JSC::JITDisassembler::setForBytecodeMainPath):
        (JSC::JITDisassembler::setForBytecodeSlowPath):
        (JSC::JITDisassembler::setEndOfSlowPath):
        (JSC::JITDisassembler::setEndOfCode):
        (JSC::JITDisassembler::dump):
        (JSC::JITDisassembler::reportToProfiler):

2013-12-02  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT calls to CommonSlowPaths shouldn't restore the last result
        https://bugs.webkit.org/show_bug.cgi?id=125107

        Reviewed by Mark Hahnenberg.

        Just killing dead code.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitSlow_op_rshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emitSlow_op_mod):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::compileBinaryArithOpSlowCase):
        (JSC::JIT::emitSlow_op_div):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitSlow_op_sub):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emitSlow_op_get_callee):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        (JSC::JIT::emitSlow_op_get_callee):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):

2013-12-01  Filip Pizlo  <fpizlo@apple.com>

        Stores to local captured variables should be intercepted
        https://bugs.webkit.org/show_bug.cgi?id=124883

        Reviewed by Mark Hahnenberg.
        
        Previously, in bytecode, you could assign to a captured variable just as you would
        assign to any other kind of variable. This complicates closure variable constant
        inference because we don't have any place where we can intercept stores to captured
        variables in the LLInt.
        
        This patch institutes a policy that only certain instructions can store to captured
        variables. If you interpret those instructions and you are required to notifyWrite()
        then you need to check if the relevant variable is captured. Those instructions are
        tracked in CodeBlock.cpp's VerifyCapturedDef. The main one is simply op_captured_mov.
        In the future, we'll probably modify those instructions to have a pointer directly to
        the VariableWatchpointSet; but for now we just introduce the captured instructions as
        placeholders.
        
        In order to validate that the placeholders are inserted correctly, this patch improves
        the CodeBlock validation to be able to inspect every def in the bytecode. To do that,
        this patch refactors the liveness analysis' use/def calculator to be reusable; it now
        takes a functor for each use or def.
        
        In the process of refactoring the liveness analysis, I noticed that op_enter was
        claiming to def all callee registers. That's wrong; it only defs the non-temporary
        variables. Making that change revealed preexisting bugs in the liveness analysis, since
        now the validator would pick up cases where the bytecode claimed to use a temporary and
        the def calculator never noticed the definition (or the converse - where the bytecode
        was actually not using a temporary but the liveness analysis thought that it was a
        use). This patch fixes a few of those bugs.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::stepOverInstruction):
        * bytecode/BytecodeUseDef.h: Added.
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::isCaptured):
        (JSC::CodeBlock::validate):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::isCaptured):
        (JSC::BytecodeGenerator::local):
        (JSC::BytecodeGenerator::constLocal):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitLazyNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Local::Local):
        (JSC::Local::isCaptured):
        (JSC::Local::captureMode):
        (JSC::BytecodeGenerator::captureMode):
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::pushOptimisedForIn):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::isCaptured):

2013-12-02  Filip Pizlo  <fpizlo@apple.com>

        Instead of watchpointing activation allocation, we should watchpoint entry into functions that have captured variables
        https://bugs.webkit.org/show_bug.cgi?id=125052

        Reviewed by Mark Hahnenberg.
        
        This makes us watch function entry rather than activation creation. We only incur the
        costs of doing so for functions that have captured variables, and only on the first two
        entries into the function. This means that closure variable constant inference will
        naturally work even for local uses of the captured variable, like:
        
            (function(){
                var blah = 42;
                ... // stuff
                function () { ... blah /* we can fold this to 42 */ }
                ... blah // we can also fold this to 42.
            })();
        
        Previously, only the nested use would have been foldable.

        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::touch):
        (JSC::InlineWatchpointSet::touch):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasSymbolTable):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_touch_entry):
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        * runtime/SymbolTable.h:

2013-12-02  Nick Diego Yamane  <nick.yamane@openbossa.org>

        [JSC] Get rid of some unused parameters in LLIntSlowPaths.cpp macros
        https://bugs.webkit.org/show_bug.cgi?id=125075

        Reviewed by Michael Saboff.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall): added UNUSED_PARAM(pc).
        (JSC::LLInt::setUpCall): Doesn't pass 'pc' to LLINT_CALL macros.
        (JSC::LLInt::LLINT_SLOW_PATH_DECL): Ditto.

2013-12-02  László Langó  <lango@inf.u-szeged.hu>

        Remove stdio.h from JSC files.
        https://bugs.webkit.org/show_bug.cgi?id=125066

        Reviewed by Michael Saboff.

        Remove stdio.h, when it is not necessary to be included.

        * bytecode/CodeBlock.cpp:
        * bytecode/StructureSet.h:
        * profiler/LegacyProfiler.cpp:
        * profiler/Profile.cpp:
        * profiler/ProfileNode.cpp:
        * yarr/YarrInterpreter.cpp:

2013-12-02  László Langó  <lango@inf.u-szeged.hu>

        Unused include files when building without JIT.
        https://bugs.webkit.org/show_bug.cgi?id=125062

        Reviewed by Michael Saboff.

        We should organize the includes, and guard JIT methods
        in ValueRecovery.

        * bytecode/ValueRecovery.cpp: Guard include files.
        * bytecode/ValueRecovery.h: Guard JIT methods.

2013-12-02  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Small stack frame causes regressions.
        https://bugs.webkit.org/show_bug.cgi?id=124945

        Reviewed by Michael Saboff.

        Fix stack space for LLInt on MIPS.

        * llint/LowLevelInterpreter32_64.asm:

2013-12-02  Brian J. Burg  <burg@cs.washington.edu>

        jsc: implement a native readFile function
        https://bugs.webkit.org/show_bug.cgi?id=125059

        Reviewed by Filip Pizlo.

        This adds a native readFile() function to jsc, used to slurp
        an entire file into a JavaScript string.

        * jsc.cpp:
        (GlobalObject::finishCreation): Add readFile() to globals.
        (functionReadFile): Added.

2013-12-02  László Langó  <lango@inf.u-szeged.hu>

        JSC does not build if OPCODE_STATS is enabled.
        https://bugs.webkit.org/show_bug.cgi?id=125011

        Reviewed by Filip Pizlo.

        * bytecode/Opcode.cpp:

2013-11-29  Filip Pizlo  <fpizlo@apple.com>

        Finally remove those DFG_ENABLE things
        https://bugs.webkit.org/show_bug.cgi?id=125025

        Rubber stamped by Sam Weinig.
        
        This removes a bunch of unused and untested insanity.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::tallyFrequentExitSites):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        (JSC::DFG::parse):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::convertToJump):
        (JSC::DFG::CFGSimplificationPhase::fixJettisonedPredecessors):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.h:
        (JSC::DFG::verboseCompilationEnabled):
        (JSC::DFG::logCompilationChanges):
        (JSC::DFG::shouldDumpGraphAtEachPhase):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::propagateForward):
        (JSC::DFG::PredictionPropagationPhase::propagateBackward):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::SpeculativeJIT::runSlowPathGenerators):
        (JSC::DFG::SpeculativeJIT::dump):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * dfg/DFGVariableEventStream.h:
        (JSC::DFG::VariableEventStream::appendAndLog):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2013-11-29  Filip Pizlo  <fpizlo@apple.com>

        FTL IC should nop-fill to make up the difference between the actual IC size and the requested patchpoint size
        https://bugs.webkit.org/show_bug.cgi?id=124960

        Reviewed by Sam Weinig.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::size):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateICFastPath):
        * jit/JITDisassembler.cpp:
        (JSC::JITDisassembler::dumpHeader):

2013-11-29  Julien Brianceau  <jbriance@cisco.com>

        Use moveDoubleToInts in SpecializedThunkJIT::returnDouble for non-X86 JSVALUE32_64 ports.
        https://bugs.webkit.org/show_bug.cgi?id=124936

        Reviewed by Zoltan Herczeg.

        The moveDoubleToInts implementations in ARM, MIPS and SH4 macro assemblers do not clobber
        src FPRegister and are likely to be more efficient than the current generic implementation
        using the stack.

        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):

2013-11-29  Julien Brianceau  <jbriance@cisco.com>

        Merge arm and sh4 paths in nativeForGenerator and privateCompileCTINativeCall functions.
        https://bugs.webkit.org/show_bug.cgi?id=124892

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::call): Pick a scratch register instead of getting it as a
        parameter. The sh4 port was the only one to have this call(Address, RegisterID) prototype.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall): Use argumentGPRx and merge arm and sh4 paths.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator): Use argumentGPRx and merge arm and sh4 paths.

2013-11-28  Nadav Rotem  <nrotem@apple.com>

        Revert the X86 assembler peephole changes
        https://bugs.webkit.org/show_bug.cgi?id=124988

        Reviewed by Csaba Osztrogonác.

        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::add32):
        (JSC::MacroAssemblerX86::add64):
        (JSC::MacroAssemblerX86::or32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::add32):
        (JSC::MacroAssemblerX86Common::or32):
        (JSC::MacroAssemblerX86Common::branchAdd32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::or32):
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::or64):
        (JSC::MacroAssemblerX86_64::xor64):

2013-11-28  Antti Koivisto  <antti@apple.com>

        Remove feature: CSS variables
        https://bugs.webkit.org/show_bug.cgi?id=114119

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:

2013-11-28  Peter Gal  <galpeter@inf.u-szeged.hu>

        Typo fix after r159834 to fix 32 bit builds.

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-11-27  Nadav Rotem  <nrotem@apple.com>

        Add a bunch of early exits and local optimizations to the x86 assembler.
        https://bugs.webkit.org/show_bug.cgi?id=124904

        Reviewed by Filip Pizlo.

        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::add32):
        (JSC::MacroAssemblerX86::add64):
        (JSC::MacroAssemblerX86::or32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::add32):
        (JSC::MacroAssemblerX86Common::or32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::or32):
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::or64):
        (JSC::MacroAssemblerX86_64::xor64):

2013-11-27  Filip Pizlo  <fpizlo@apple.com>

        Infer one-time scopes
        https://bugs.webkit.org/show_bug.cgi?id=124812

        Reviewed by Oliver Hunt.
        
        This detects JSActivations that are created only once. The JSActivation pointer is then
        baked into the machine code.
        
        This takes advantage of the one-time scope inference to reduce the number of
        indirections needed to get to a closure variable in case where the scope is only
        allocated once. This isn't really a speed-up since in the common case the total number
        of instruction bytes needed to load the scope from the stack is about equal to the
        number of instruction bytes needed to materialize the absolute address of a scoped
        variable. But, this is a necessary prerequisite to
        https://bugs.webkit.org/show_bug.cgi?id=124630, so it's probably a good idea anyway.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/Instruction.h:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::notifyWrite):
        (JSC::InlineWatchpointSet::notifyWrite):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitResolveScope):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::varNumber):
        (JSC::DFG::Node::hasSymbolTable):
        (JSC::DFG::Node::symbolTable):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::registers):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        * runtime/SymbolTable.h:

2013-11-27  Filip Pizlo  <fpizlo@apple.com>

        Finally fix some obvious Bartlett bugs
        https://bugs.webkit.org/show_bug.cgi?id=124951

        Reviewed by Mark Hahnenberg.
        
        Sanitize the stack (i.e. zero parts of it known to be dead) at three key points:
        
        - GC.
        
        - At beginning of OSR entry.
        
        - Just as we finish preparing OSR entry. This clears those slots on the stack that
          could have been live in baseline but that are known to be dead in DFG.
        
        This is as much as a 2x speed-up on splay if you run it in certain modes, and run it
        for a long enough interval. It appears to fix all instances of the dreaded exponential
        heap growth that splay gets into when some stale pointer stays around.
        
        This doesn't have much of an effect on real-world programs. This bug has only ever
        manifested in splay and for that reason we thus far opted against fixing it. But splay
        is, for what it's worth, the premiere GC stress test in JavaScript - so making sure we
        can run it without pathologies - even when you tweak its configuration - is probably
        fairly important.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::sanitizeStack):
        * interpreter/JSStack.h:

2013-11-26  Filip Pizlo  <fpizlo@apple.com>

        Do bytecode validation as part of testing
        https://bugs.webkit.org/show_bug.cgi?id=124913

        Reviewed by Oliver Hunt.
        
        Also fix some small bugs in the bytecode liveness analysis that I found by doing
        this validation thingy.

        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::isValidRegisterForLiveness):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::validate):
        (JSC::CodeBlock::beginValidationDidFail):
        (JSC::CodeBlock::endValidationDidFail):
        * bytecode/CodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.h:

2013-11-27  Andreas Kling  <akling@apple.com>

        Structure::m_staticFunctionReified should be a single bit.
        <https://webkit.org/b/124912>

        Shave 8 bytes off of JSC::Structure by jamming m_staticFunctionReified
        into the bitfield just above.

        Reviewed by Antti Koivisto.

2013-11-27  Andreas Kling  <akling@apple.com>

        JSActivation constructor should use NotNull placement new.
        <https://webkit.org/b/124909>

        Knock a null check outta the storage initialization loop.

        Reviewed by Antti Koivisto.

2013-11-26  Filip Pizlo  <fpizlo@apple.com>

        Restructure global variable constant inference so that it could work for any kind of symbol table variable
        https://bugs.webkit.org/show_bug.cgi?id=124760

        Reviewed by Oliver Hunt.
        
        This changes the way global variable constant inference works so that it can be reused
        for closure variable constant inference. Some of the premises that originally motivated
        this patch are somewhat wrong, but it led to some simplifications anyway and I suspect
        that we'll be able to fix those premises in the future. The main point of this patch is
        to make it easy to reuse global variable constant inference for closure variable
        constant inference, and this will be possible provided we can also either (a) infer
        one-shot closures (easy) or (b) infer closure variables that are always assigned prior
        to first use.
        
        One of the things that this patch is meant to enable is constant inference for closure
        variables that may be part of a multi-shot closure. Closure variables may be
        instantiated multiple times, like:
        
            function foo() {
                var WIDTH = 45;
                function bar() {
                    ... use WIDTH ...
                }
                ...
            }
        
        Even if foo() is called many times and WIDTH is assigned to multiple times, that
        doesn't change the fact that it's a constant. The goal of closure variable constant
        inference is to catch any case where a closure variable has been assigned at least once
        and its value has never changed. This patch doesn't implement that, but it does change
        global variable constant inference to have most of the powers needed to do that. Note
        that most likely we will use this functionality only to implement constant inference
        for one-shot closures, but the resulting machinery is still simpler than what we had
        before.
        
        This involves three changes:
        
            - The watchpoint object now contains the inferred value. This involves creating a
              new kind of watchpoint set, the VariableWatchpointSet. We will reuse this object
              for closure variables.
        
            - Writing to a variable that is watchpointed still involves these three states that
              we proceed through monotonically (Uninitialized->Initialized->Invalidated) but
              now, the Initialized->Invalidated state transition only happens if we change the
              variable's value, rather than store to the variable. Repeatedly storing the same
              value won't change the variable's state.
        
            - On 64-bit systems (the only systems on which we do concurrent JIT), you no longer
              need fancy fencing to get a consistent view of the watchpoint in the JIT. The
              state of the VariableWatchpointSet for the purposes of constant folding is
              entirely encapsulated in the VariableWatchpointSet::m_inferredValue. If that is
              JSValue() then you cannot fold (either because the set is uninitialized or
              because it's invalidated - doesn't matter which); on the other hand if the value
              is anything other than JSValue() then you can fold, and that's the value you fold
              to. Simple!
        
        This also changes the way that DFG IR deals with variable watchpoints. It's now
        oblivious to global variables. You install a watchpoint using VariableWatchpoint and
        you notify write using NotifyWrite. Easy!
        
        Note that this will requires some more tweaks because of the fact that op_enter will
        store Undefined into every captured variable. Hence it won't even work for one-shot
        closures. One-shot closures are easily fixed by introducing another state (so we'll
        have Uninitialized->Undefined->Initialized->Invalidated). Multi-shot closures will
        require static analysis. One-shot closures are clearly a higher priority.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Instruction.h:
        * bytecode/VariableWatchpointSet.h: Added.
        (JSC::VariableWatchpointSet::VariableWatchpointSet):
        (JSC::VariableWatchpointSet::~VariableWatchpointSet):
        (JSC::VariableWatchpointSet::inferredValue):
        (JSC::VariableWatchpointSet::notifyWrite):
        (JSC::VariableWatchpointSet::invalidate):
        (JSC::VariableWatchpointSet::finalizeUnconditionally):
        (JSC::VariableWatchpointSet::addressOfInferredValue):
        * bytecode/Watchpoint.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasRegisterPointer):
        (JSC::DFG::Node::hasVariableWatchpointSet):
        (JSC::DFG::Node::variableWatchpointSet):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        * jit/JIT.h:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitPutGlobalVar):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitPutGlobalVar):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSGlobalObject.h:
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::inferredValue):
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::addWatchpoint):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup):
        (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup):
        (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::watchpointSet):
        (JSC::SymbolTableEntry::notifyWrite):

2013-11-24  Filip Pizlo  <fpizlo@apple.com>

        Create a new SymbolTable every time code is loaded so that the watchpoints don't get reused
        https://bugs.webkit.org/show_bug.cgi?id=124824

        Reviewed by Oliver Hunt.
        
        This helps with one shot closure inference as well as closure variable constant
        inference, since without this, if code was reloaded from the cache then we would
        think that the first run was actually an Nth run. This would cause us to think that
        the watchpoint(s) should all be invalidated.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::symbolTable):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::symbolTable):
        * runtime/Executable.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::clone):
        * runtime/SymbolTable.h:

2013-11-26  Oliver Hunt  <oliver@apple.com>

        Crash in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
        https://bugs.webkit.org/show_bug.cgi?id=124886

        Reviewed by Sam Weinig.

        Make sure the error macros propagate an existing error before
        trying to create a new error message.  We need to do this as
        the parser state may not be safe for any specific error message
        if we are already unwinding due to an error.

        * parser/Parser.cpp:

2013-11-26  Nadav Rotem  <nrotem@apple.com>

        Optimize away OR with zero - a common ASM.js pattern.
        https://bugs.webkit.org/show_bug.cgi?id=124869

        Reviewed by Filip Pizlo.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-11-25  Julien Brianceau  <jbriance@cisco.com>

        [arm][mips] Fix crash in dfg-arrayify-elimination layout jsc test.
        https://bugs.webkit.org/show_bug.cgi?id=124839

        Reviewed by Michael Saboff.

        In ARM EABI and MIPS, 64-bit values have to be aligned on stack too.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.

2013-11-23  Filip Pizlo  <fpizlo@apple.com>

        Fix more fallout from failed attempts at div/mod DFG strength reductions
        https://bugs.webkit.org/show_bug.cgi?id=124813

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):

2013-11-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC Obj-C API should have real documentation
        https://bugs.webkit.org/show_bug.cgi?id=124805

        Reviewed by Geoffrey Garen.

        Massaging the header comments into proper headerdocs.

        * API/JSContext.h:
        * API/JSExport.h:
        * API/JSManagedValue.h:
        * API/JSValue.h:
        * API/JSVirtualMachine.h:

2013-11-22  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::m_numCalleeRegisters shouldn't also mean frame size, frame size needed for exit, or any other unrelated things
        https://bugs.webkit.org/show_bug.cgi?id=124793

        Reviewed by Mark Hahnenberg.
        
        Now m_numCalleeRegisters always refers to the number of locals that the attached
        bytecode uses. It never means anything else.
        
        For frame size, we now have it lazily computed from m_numCalleeRegisters for the
        baseline engines and we have it stored in DFG::CommonData for the optimizing JITs.
        
        For frame-size-needed-at-exit, we store that in DFG::CommonData, too.
        
        The code no longer implies that there is any arithmetic relationship between
        m_numCalleeRegisters and frameSize. Previously it implied that the latter is greater
        than the former.
        
        The code no longer implies that there is any arithmetic relationship between the
        frame Size and the frame-size-needed-at-exit. Previously it implied that the latter
        is greater that the former.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::frameRegisterCount):
        (JSC::DFG::Graph::requiredRegisterCountForExit):
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::frameExtentInternal):
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::pushFrame):
        * jit/JIT.h:
        (JSC::JIT::frameRegisterCountFor):
        * jit/JITOperations.cpp:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):
        * llint/LLIntEntrypoint.h:

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Combine SymbolTable and SharedSymbolTable
        https://bugs.webkit.org/show_bug.cgi?id=124761

        Reviewed by Geoffrey Garen.
        
        SymbolTable was never used directly; we now always used SharedSymbolTable. So, this
        gets rid of SymbolTable and renames SharedSymbolTable to SymbolTable.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::symbolTable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::symbolTable):
        (JSC::UnlinkedCodeBlock::symbolTable):
        (JSC::UnlinkedCodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::symbolTable):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::symbolTableFor):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::symbolTable):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::registersOffset):
        (JSC::JSActivation::allocationSize):
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::symbolTable):
        (JSC::JSSymbolTableObject::JSSymbolTableObject):
        (JSC::JSSymbolTableObject::finishCreation):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::destroy):
        (JSC::SymbolTable::SymbolTable):
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::create):
        (JSC::SymbolTable::createStructure):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-11-22  Mark Lam  <mark.lam@apple.com>

        Remove residual references to "dynamicGlobalObject".
        https://bugs.webkit.org/show_bug.cgi?id=124787.

        Reviewed by Filip Pizlo.

        * JavaScriptCore.order:
        * interpreter/CallFrame.h:

2013-11-22  Mark Lam  <mark.lam@apple.com>

        Ensure that arity fixups honor stack alignment requirements.
        https://bugs.webkit.org/show_bug.cgi?id=124756.

        Reviewed by Geoffrey Garen.

        The LLINT and all the JITs rely on CommonSlowPaths::arityCheckFor() to
        compute the arg count adjustment for the arity fixup. We take advantage
        of this choke point and introduce the stack alignment padding there in
        the guise of additional args.

        The only cost of this approach is that the padding will also be
        initialized to undefined values as if they were args. Since arity fixups
        are considered a slow path that is rarely taken, this cost is not a
        concern.

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        BytecodeGenerator should align the stack according to native conventions
        https://bugs.webkit.org/show_bug.cgi?id=124735

        Reviewed by Mark Lam.
        
        Rolling this back in because it actually fixed fast/dom/gc-attribute-node.html, but
        our infrastructure misleads peole into thinking that fixing a test constitutes
        breaking it.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        (JSC::CallArguments::argumentCountIncludingThis):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Get rid of CodeBlock::dumpStatistics()
        https://bugs.webkit.org/show_bug.cgi?id=124762

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        * bytecode/CodeBlock.h:

2013-11-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r159652.
        http://trac.webkit.org/changeset/159652
        https://bugs.webkit.org/show_bug.cgi?id=124778

        broke fast/dom/gc-attribute-node.html (Requested by ap on
        #webkit).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        (JSC::CallArguments::argumentCountIncludingThis):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::CallArguments::newArgument):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Fix a typo (requriements->requirements).

        * runtime/StackAlignment.h:

2013-11-21  Mark Lam  <mark.lam@apple.com>

        CodeBlock::m_numCalleeRegisters need to honor native stack alignment.
        https://bugs.webkit.org/show_bug.cgi?id=124754.

        Reviewed by Filip Pizlo.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newRegister):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2013-11-21  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/124702> Stop overriding VALID_ARCHS.

        All modern versions of Xcode set it appropriately for our needs.

        Reviewed by Alexey Proskuryakov.

        * Configurations/Base.xcconfig:

2013-11-21  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/124701> Fix an error in a few Xcode configuration setting files.

        Reviewed by Alexey Proskuryakov.

        * Configurations/Base.xcconfig:

2013-11-21  Michael Saboff  <msaboff@apple.com>

        ARM64: Implement push/pop equivalents in LLInt
        https://bugs.webkit.org/show_bug.cgi?id=124721

        Reviewed by Filip Pizlo.

        Added pushLRAndFP and popLRAndFP that push and pop the link register and frame pointer register.
        These ops emit code just like what the compiler emits in the prologue and epilogue.  Also changed
        pushCalleeSaves and popCalleeSaves to use the same store pair and load pair instructions to do
        the actually pushing and popping.  Finally changed the implementation of push and pop to raise
        an exception since we don't have (or need) a single register push or pop.

        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:

2013-11-21  Michael Saboff  <msaboff@apple.com>

        JSC: Removed unused opcodes from offline assembler
        https://bugs.webkit.org/show_bug.cgi?id=124749

        Reviewed by Mark Hahnenberg.

        Removed the unused, X86 only peekq and pokeq.

        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2013-11-21  Michael Saboff  <msaboff@apple.com>

        REGRESSION(159395) Fix branch8(…, AbsoluteAddress, …) in ARM64 MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=124688

        Reviewed by Geoffrey Garen.

        Changed handling of the address for the load8() in the branch8(AbsoluteAddress) to be like
        the rest of the branchXX(AbsoluteAddress) fucntions.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch8):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        BytecodeGenerator should align the stack according to native conventions
        https://bugs.webkit.org/show_bug.cgi?id=124735

        Reviewed by Mark Lam.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        (JSC::CallArguments::argumentCountIncludingThis):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, preemptive build fix.

        * runtime/StackAlignment.h:
        (JSC::stackAlignmentBytes):
        (JSC::stackAlignmentRegisters):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        JSC should know what the stack alignment conventions are
        https://bugs.webkit.org/show_bug.cgi?id=124736

        Reviewed by Mark Lam.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/StackAlignment.h: Added.
        (JSC::stackAlignmentBytes):
        (JSC::stackAlignmentRegisters):

2013-11-21  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Build fails since r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124716

        Reviewed by Michael Saboff.

        Add missing implementations in MacroAssembler and LLInt for MIPS.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::sync):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::store8):
        (JSC::MacroAssemblerMIPS::memoryFence):
        * offlineasm/mips.rb:

2013-11-21  Julien Brianceau  <jbriance@cisco.com>

        Fix sh4 build after r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124713

        Reviewed by Michael Saboff.

        Add missing implementations in macro assembler and LLINT for sh4.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::store8):
        (JSC::MacroAssemblerSH4::memoryFence):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::synco):
        * offlineasm/sh4.rb: Handle "memfence" opcode.

2013-11-20  Mark Lam  <mark.lam@apple.com>

        Introducing VMEntryScope to update the VM stack limit.
        https://bugs.webkit.org/show_bug.cgi?id=124634.

        Reviewed by Geoffrey Garen.

        1. Introduced USE(SEPARATE_C_AND_JS_STACK) (defined in Platform.h).
           Currently, it is hardcoded to use separate C and JS stacks. Once we
           switch to using the C stack for JS frames, we'll need to fix this to
           only be enabled when ENABLE(LLINT_C_LOOP).

        2. Stack limits are now tracked in the VM.

           Logically, there are 2 stack limits:
           a. m_stackLimit for the native C stack, and
           b. m_jsStackLimit for the JS stack.

           If USE(SEPARATE_C_AND_JS_STACK), then the 2 limits are the same
           value, and are implemented as 2 fields in a union.

        3. The VM native stackLimit is set as follows:
           a. Initially, the VM sets it to the limit of the stack of the thread that
              instantiated the VM. This allows the parser and bytecode generator to
              run before we enter the VM to execute JS code.

           b. Upon entry into the VM to execute JS code (via one of the
              Interpreter::execute...() functions), we instantiate a VMEntryScope
              that sets the VM's stackLimit to the limit of the current thread's
              stack. The VMEntryScope will automatically restore the previous
              entryScope and stack limit upon destruction.

           If USE(SEPARATE_C_AND_JS_STACK), the JSStack's methods will set the VM's
           jsStackLimit whenever it grows or shrinks.

        4. The VM now provides a isSafeToRecurse() function that compares the
           current stack pointer against its native stackLimit. This subsumes and
           obsoletes the VMStackBounds class.

        5. The VMEntryScope class also subsumes DynamicGlobalObjectScope for
           tracking the JSGlobalObject that we last entered the VM with.

        6. Renamed dynamicGlobalObject() to vmEntryGlobalObject() since that is
           the value that the function retrieves.

        7. Changed JIT and LLINT code to do stack checks against the jsStackLimit
           in the VM class instead of the JSStack.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSContextRef.cpp:
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::Debugger::pauseIfNeeded):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::vmEntryGlobalObject):
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSREntry.cpp:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSREntry.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::deleteAllCompiledCode):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::vmEntryGlobalObject):
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::debug):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::growSlowCase):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::shrink):
        (JSC::JSStack::grow):
        - Moved these inlined functions here from JSStack.h. It reduces some
          #include dependencies of JSSTack.h which had previously resulted
          in some EWS bots' unhappiness with this patch.
        (JSC::JSStack::updateStackLimit):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * parser/Parser.cpp:
        (JSC::::Parser):
        * parser/Parser.h:
        (JSC::Parser::canRecurse):
        * runtime/CommonSlowPaths.h:
        * runtime/Completion.cpp:
        (JSC::evaluate):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::addressOfJSStackLimit):
        (JSC::VM::jsStackLimit):
        (JSC::VM::setJSStackLimit):
        (JSC::VM::stackLimit):
        (JSC::VM::setStackLimit):
        (JSC::VM::isSafeToRecurse):
        * runtime/VMEntryScope.cpp: Added.
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        (JSC::VMEntryScope::requiredCapacity):
        * runtime/VMEntryScope.h: Added.
        (JSC::VMEntryScope::globalObject):
        * runtime/VMStackBounds.h: Removed.

2013-11-20  Michael Saboff  <msaboff@apple.com>

        [Win] JavaScript JIT crash (with DFG enabled).
        https://bugs.webkit.org/show_bug.cgi?id=124675

        Reviewed by Geoffrey Garen.

        Similar to the change in r159427, changed linkClosureCall to use regT0/regT1 (payload/tag) for the callee.
        linkForThunkGenerator already expected the callee in regT0/regT1, but changed the comment to reflect that.

        * jit/Repatch.cpp:
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::linkForThunkGenerator):

2013-11-20  Michael Saboff  <msaboff@apple.com>

        ARMv7: Crash due to use after free of AssemblerBuffer
        https://bugs.webkit.org/show_bug.cgi?id=124611

        Reviewed by Geoffrey Garen.

        Changed JITFinalizer constructor to take a MacroAssemblerCodePtr instead of a Label.
        In finalizeFunction(), we use that value instead of calculating it from the label.

        * assembler/MacroAssembler.cpp:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::JITFinalizer):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:

2013-11-20  Julien Brianceau  <jbriance@cisco.com>

        Fix CPU(ARM_TRADITIONAL) build after r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124649

        Reviewed by Michael Saboff.

        Add missing memoryFence, load8 and store8 implementations in macro assembler.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::dmbSY):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::memoryFence):

2013-11-20  Julien Brianceau  <jbriance@cisco.com>

        [armv7][arm64] Speculative build fix after r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124646

        Reviewed by Filip Pizlo.

        * assembler/ARMv7Assembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::memoryFence):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::memoryFence):

2013-11-19  Ryosuke Niwa  <rniwa@webkit.org>

        Enable HTMLTemplateElement on Mac port
        https://bugs.webkit.org/show_bug.cgi?id=124637

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove completely bogus assertion.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addFunction):

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, debug build fix.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addFunction):

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Infer constant global variables
        https://bugs.webkit.org/show_bug.cgi?id=124464

        Reviewed by Sam Weinig.
        
        All global variables that are candidates for watchpoint-based constant inference (i.e.
        not 'const' variables) will now have WatchpointSet's associated with them and those
        are used to drive the inference by tracking three states of each variable:
        
        Uninitialized: the variable's value is Undefined and the WatchpointSet state is
            ClearWatchpoint.
        
        Initialized: the variable's value was set to something (could even be explicitly set
            to Undefined) and the WatchpointSet state is IsWatching.
        
        Invalidated: the variable's value was set to something else (could even be the same
            thing as before but the point is that a put operation did execute again) and the
            WatchpointSet is IsInvalidated.
        
        If the compiler tries to compile a GetGlobalVar and the WatchpointSet state is
        IsWatching, then the current value of the variable can be folded in place of the get,
        and a watchpoint on the variable can be registered.
        
        We handle race conditions between the mutator and compiler by mandating that:
        
        - The mutator changes the WatchpointSet state after executing the put.
        
        - There is no opportunity to install code or call functions between when the mutator
          executes a put and changes the WatchpointSet state.
        
        - The compiler checks the WatchpointSet state prior to reading the value.
        
        The concrete algorithm used by the mutator is:
        
            1. Store the new value into the variable.
            --- Execute a store-store fence.
            2. Bump the state (ClearWatchpoing becomes IsWatching, IsWatching becomes
               IsInvalidated); the IsWatching->IsInvalidated transition may end up firing
               watchpoints.
        
        The concrete algorithm that the compiler uses is:
        
            1. Load the state. If it's *not* IsWatching, then give up on constant inference.
            --- Execute a load-load fence.
            2. Load the value of the variable and use that for folding, while also registering
               a DesiredWatchpoint. The various parts of this step can be done in any order.
        
        The desired watchpoint registration will fail if the watchpoint set is already
        invalidated. Now consider the following interesting interleavings:
        
        Uninitialized->M1->M2->C1->C2: Compiler sees IsWatching because of the mutator's store
            operation, and the variable is folded. The fencing ensures that C2 sees the value
            stored in M1 - i.e. we fold on the value that will actually be watchpointed. If
            before the compilation is installed the mutator executes another store then we
            will be sure that it will be a complete sequence of M1+M2 since compilations get
            installed at safepoints and never "in the middle" of a put_to_scope. Hence that
            compilation installation will be invalidated. If the M1+M2 sequence happens after
            the code is installed, then the code will be invalidated by triggering a jettison.
        
        Uninitialized->M1->C1->C2->M2: Compiler sees Uninitialized and will not fold. This is
            a sensible outcome since if the compiler read the variable's value, it would have
            seen Undefined.
        
        Uninitialized->C1->C2->M1->M2: Compiler sees Uninitialized and will not fold.
        Uninitialized->C1->M1->C2->M2: Compiler sees Uninitialized and will not fold.
        Uninitialized->C1->M1->M2->C2: Compiler sees Uninitialized and will not fold.
        Uninitialized->M1->C1->M2->C2: Compiler sees Uninitialized and will not fold.
        
        IsWatched->M1->M2->C1->C2: Compiler sees IsInvalidated and will not fold.
        
        IsWatched->M1->C1->C2->M2: Compiler will fold, but will also register a desired
            watchpoint, and that watchpoint will get invalidated before the code is installed.
        
        IsWatched->M1->C1->M2->C2: As above, will fold but the code will get invalidated.
        IsWatched->C1->C2->M1->M2: As above, will fold but the code will get invalidated.
        IsWatched->C1->M1->C2->M2: As above, will fold but the code will get invalidated.
        IsWatched->C1->M1->M2->C2: As above, will fold but the code will get invalidated.
        
        Note that this kind of reasoning shows why having the mutator first bump the state and
        then store the new value would be wrong. If we had done that (M1 = bump state, M2 =
        execute put) then we could have the following deadly interleavings:
        
        Uninitialized->M1->C1->C2->M2:
        Uninitialized->M1->C1->M2->C2: Mutator bumps the state to IsWatched and then the
            compiler folds Undefined, since M2 hasn't executed yet. Although C2 will set the
            watchpoint, M1 didn't notify it - it mearly initiated watching. M2 then stores a
            value other than Undefined, and you're toast.
        
        You could fix this sort of thing by making the Desired Watchpoints machinery more
        sophisticated, for example having it track the value that was folded; if the global
        variable's value was later found to be different then we could invalidate the
        compilation. You could also fix it by having the compiler also check that the value of
        the variable is not Undefined before folding. While those all sound great, I decided
        to instead just use the right interleaving since that results in less code and feels
        more intuitive.
        
        This is a 0.5% speed-up on SunSpider, mostly due to a 20% speed-up on math-cordic.
        It's a 0.6% slow-down on LongSpider, mostly due to a 25% slow-down on 3d-cube. This is
        because 3d-cube takes global variable assignment slow paths very often. Note that this
        3d-cube slow-down doesn't manifest as much in SunSpider (only 6% there). This patch is
        also a 1.5% speed-up on V8v7 and a 2.8% speed-up on Octane v1, mostly due to deltablue
        (3.7%), richards (4%), and mandreel (26%). This is a 2% speed-up on Kraken, mostly due
        to a 17.5% speed-up on imaging-gaussian-blur. Something that really illustrates the
        slam-dunk-itude of this patch is the wide range of speed-ups on JSRegress. Casual JS
        programming often leads to global-var-based idioms and those variables tend to be
        assigned once, leading to excellent constant folding opportunities in an optimizing
        JIT. This is very evident in the speed-ups on JSRegress.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::dmbSY):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::dmbSY):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::memfence):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::memfence):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::load8):
        (JSC::MacroAssemblerX86::store8):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::getUnusedRegister):
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::memoryFence):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load8):
        (JSC::MacroAssemblerX86_64::store8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_rm):
        (JSC::X86Assembler::movzbl_mr):
        (JSC::X86Assembler::mfence):
        (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::WatchpointSet):
        (JSC::WatchpointSet::add):
        (JSC::WatchpointSet::notifyWriteSlow):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::state):
        (JSC::WatchpointSet::isStillValid):
        (JSC::WatchpointSet::addressOfSetIsNotEmpty):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStronglyProvedConstantIn):
        (JSC::DFG::Node::hasIdentifierNumberForCheck):
        (JSC::DFG::Node::hasRegisterPointer):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNotifyPutGlobalVar):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildFence):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyPutGlobalVar):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::fence):
        * jit/JIT.h:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * llvm/LLVMAPIFunctions.h:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addVar):
        (JSC::JSGlobalObject::addConst):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::couldBeWatched):
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        * runtime/SymbolTable.h:

2013-11-19  Michael Saboff  <msaboff@apple.com>

        REGRESSION(158384) ARMv7 point checks too restrictive for native calls to traditional ARM code
        https://bugs.webkit.org/show_bug.cgi?id=124612

        Reviewed by Geoffrey Garen.

        Removed ASSERT checks (i.e. lower bit set) for ARM Thumb2 destination addresses related to
        calls since we are calling native ARM traditional functions like sin() and cos().

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::linkCall):
        (JSC::ARMv7Assembler::relinkCall):
        * assembler/MacroAssemblerCodeRef.h:

2013-11-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r159459.
        http://trac.webkit.org/changeset/159459
        https://bugs.webkit.org/show_bug.cgi?id=124616

        tons of assertions on launch (Requested by thorton on
        #webkit).

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Rename WatchpointSet::notifyWrite() should be renamed to WatchpointSet::fireAll()
        https://bugs.webkit.org/show_bug.cgi?id=124609

        Rubber stamped by Mark Lam.
        
        notifyWrite() is a thing that SymbolTable does. WatchpointSet uses that terminology
        because it was original designed to match exactly SymbolTable's semantics. But now
        it's a confusing term.

        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::fireAllSlow):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::fireAll):
        (JSC::InlineWatchpointSet::fireAll):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::haveABadTime):
        * runtime/Structure.h:
        (JSC::Structure::notifyTransitionFromThisStructure):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::notifyWriteSlow):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r159395): Error compiling for ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=124552

        Reviewed by Geoffrey Garen.

        Fixed the implementation of branch8(RelationalCondition cond, AbsoluteAddress address, TrustedImm32 right)
        to materialize and use address similar to other ARMv7 branchXX() functions.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branch8):

2013-11-19  Mark Lam  <mark.lam@apple.com>

        Add tracking of endColumn for Executables.
        https://bugs.webkit.org/show_bug.cgi?id=124245.

        Reviewed by Geoffrey Garen.

        1. Fixed computation of columns to take into account the startColumn from
           <script> tags. Previously, we were only computing the column relative
           to the char after the <script> tag. Now, the column number that JSC
           computes is always the column number you'll see when viewing the source
           in a text editor (assuming the first column position is 1, not 0).

        2. Previously, unlinkedExecutables kept the a base-1 startColumn for
           ProgramExecutables and EvalExecutables, but uses base-0 columns for
           FunctionExecutables. This has been fixed so that they all use base-0
           columns. When the executable gets linked, the column is adjusted into
           a base-1 value.

        3. In the UnlinkedFunctionExecutable, renamed m_functionStartOffset to
           m_unlinkedFunctionNameStart because it actually points to the start
           column in the name part of the function declaration.

           Similarly, renamed m_functionStartColumn to m_unlinkedBodyStartColumn
           because it points to the first character in the function body. This is
           usually '{' except for functions created from "global code" which
           excludes its braces. See FunctionExecutable::fromGlobalCode().

               The exclusion of braces for the global code case is needed so that
           computed start and end columns will more readily map to what a JS
           developer would expect them to be. Otherwise, the first column of the
           function source will not be 1 (includes prepended characters added in
           constructFunctionSkippingEvalEnabledCheck()).

           Also, similarly, a m_unlinkedBodyEndColumn has been added to track the
           end column of the UnlinkedFunctionExecutable.

        4. For unlinked executables, end column values are either:
           a. Relative to the start of the last line if (last line != first line).
           b. Relative to the start column position if (last line == first line).

           The second case is needed so that we can add an appropriate adjustment
           to the end column value (just like we do for the start column) when we
           link the executable.

        5. This is not new to this patch, but it worth noting that the lineCount
           values used through this patch has the following meaning:
           - a lineCount of 0 means the source for this code block is on 1 line.
           - a lineCount of N means there are N + l lines of source.

           This interpretation is janky, but was present before this patch. We can
           clean that up later in another patch.


        * JavaScriptCore.xcodeproj/project.pbxproj:
        - In order to implement WebCore::Internals::parserMetaData(), we need to
          move some seemingly unrelated header files from the Project section to
          the Private section so that they can be #include'd by the forwarding
          CodeBlock.h from WebCore.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::sourceCodeForTools):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        - m_isFromGlobalCode is needed to support the exclusion of the open brace /
          prepended code for functions created from "global code".
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::unlinkedFunctionNameStart):
        (JSC::UnlinkedFunctionExecutable::unlinkedBodyStartColumn):
        (JSC::UnlinkedFunctionExecutable::unlinkedBodyEndColumn):
        (JSC::UnlinkedFunctionExecutable::recordParse):
        (JSC::UnlinkedCodeBlock::recordParse):
        (JSC::UnlinkedCodeBlock::endColumn):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionBodyNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::setFunctionNameStart):
        * parser/Lexer.cpp:
        (JSC::::shiftLineTerminator):
        - Removed an unused SourceCode Lexer<T>::sourceCode() function.
        * parser/Lexer.h:
        (JSC::Lexer::positionBeforeLastNewline):
        (JSC::Lexer::prevTerminator):
        - Added tracking of m_positionBeforeLastNewline in the Lexer to enable us
          to exclude the close brace / appended code for functions created from "global
          code".
        * parser/Nodes.cpp:
        (JSC::ProgramNode::ProgramNode):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::EvalNode):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::create):
        (JSC::FunctionBodyNode::setEndPosition):
        - setEndPosition() is needed to fixed up the end position so that we can
          exclude the close brace / appended code for functions created from "global
          code".
        * parser/Nodes.h:
        (JSC::ProgramNode::startColumn):
        (JSC::ProgramNode::endColumn):
        (JSC::EvalNode::startColumn):
        (JSC::EvalNode::endColumn):
        (JSC::FunctionBodyNode::setFunctionNameStart):
        (JSC::FunctionBodyNode::functionNameStart):
        (JSC::FunctionBodyNode::endColumn):
        * parser/Parser.cpp:
        (JSC::::parseFunctionBody):
        (JSC::::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Parser::positionBeforeLastNewline):
        (JSC::::parse):
        - Subtracted 1 from startColumn here to keep the node column values consistently
          base-0. See note 2 above.
        (JSC::parse):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::setFunctionNameStart):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::isEvalExecutable):
        (JSC::ExecutableBase::isProgramExecutable):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::endColumn):
        (JSC::ScriptExecutable::recordParse):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::bodyIncludesBraces):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionPrototype.cpp:
        (JSC::insertSemicolonIfNeeded):
        (JSC::functionProtoFuncToString):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):

2013-11-19  Dean Jackson  <dino@apple.com>

        MarkedSpace::resumeAllocating needs to delay release
        https://bugs.webkit.org/show_bug.cgi?id=124596

        Reviewed by Geoffrey Garen.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resumeAllocating): Add DelayedReleaseScope protection.

2013-11-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        IncrementalSweeper needs to use DelayedReleaseScope too
        https://bugs.webkit.org/show_bug.cgi?id=124558

        Reviewed by Filip Pizlo.

        It does sweeping too, so it needs to use it. Also refactored an
        ASSERT that should have caught this sooner.

        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::isInEffectFor):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::doSweep):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweep):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        ARM64 CRASH: Debug builds crash in emitPointerValidation()
        https://bugs.webkit.org/show_bug.cgi?id=124545

        Reviewed by Filip Pizlo.

        Changed emitPointerValidation() to use pushToSave() and popToRestore() as
        all macro assemblers have an implementation of these functions.

        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        ARM64: Update getHostCallReturnValue() to use architected frame pointer register
        https://bugs.webkit.org/show_bug.cgi?id=124520

        Reviewed by Filip Pizlo.

        Changed from using the prior JSC specific x25 callframe register to the ARM64
        architected x29 (fp) register.  This change should have been done as part of
        https://bugs.webkit.org/show_bug.cgi?id=123956.

        * jit/JITOperations.cpp:

2013-11-18  Filip Pizlo  <fpizlo@apple.com>

        put_to_scope[5] should not point to the structure if it's a variable access, but it should point to the WatchpointSet
        https://bugs.webkit.org/show_bug.cgi?id=124539

        Reviewed by Mark Hahnenberg.
        
        This is in preparation for getting put_to_scope to directly invalidate the watchpoint set
        on stores, which will allow us to run constant inference on all globals.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/Instruction.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::watchpointSet):

2013-11-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        APIEntryShims need some love
        https://bugs.webkit.org/show_bug.cgi?id=124540

        Reviewed by Filip Pizlo.

        We were missing them in key places which some other hacking revealed. These could have manifested as
        race conditions for VMs being used in multithreaded environments.

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):

2013-11-18  Filip Pizlo  <fpizlo@apple.com>

        Allow the FTL debug dumps to include the new size field
        https://bugs.webkit.org/show_bug.cgi?id=124479

        Reviewed by Mark Hahnenberg.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        * ftl/FTLStackMaps.h:

2013-11-18  peavo@outlook.com  <peavo@outlook.com>

        [Win] Link fails when DFG JIT is enabled.
        https://bugs.webkit.org/show_bug.cgi?id=123614

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added new files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-11-18  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing implementation in MacroAssembler to fix build (broken since r159395).
        https://bugs.webkit.org/show_bug.cgi?id=124484

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::branch8):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        ARM64 CRASH: Improper offset in getHostCallReturnValue() to access callerFrame in CallFrame
        https://bugs.webkit.org/show_bug.cgi?id=124481

        Reviewed by Mark Lam.

        Fixed the offset to access CallerFrame in the ARM64 version of getHostCallReturnValue() to be 0
        to correspond with the change in CallFrame layout done in r158315.

        * jit/JITOperations.cpp:

2013-11-18  Michael Saboff  <msaboff@apple.com>

        Crash in virtualForThunkGenerator generated code on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=124447

        Reviewed by Geoffrey Garen.

        The baseline JIT generates slow path call code with the caller in regT0.  The DFG
        generates call code with the caller in nonArgGPR0.  The virtualForThunkGenerator
        generates code with the caller in nonArgGPR0.  For X86 and X86_64, regT0 and nonArgGPR0
        are the same CPU register, eax.  For other platforms this isn't the case.  The same
        issue exists for JSVALUE32_64 ports as well, where there also is an issue with the callee
        tag registers being regT1 and nonArgGPR1 in the various locations.

        Changed nonArgGPR0, nonArgGPR1 and nonArgGPR2 for X86 and X86_64 to not match up with
        regT0-2.  Changing these registers will cause a crash on all ports should we have a
        similar problem in the future.  Changed the DFG call generating code to use regT0 and
        regT1.  Now all slow path call code is generated using regT0 and for JSVALUE32_64 regT1.
        Added r12 to X86_64 as a new temp register (regT9) and moved r13 down to regT10.
        The new temp register decreases the likelihood of inadvertant register overlap.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):

2013-11-18  Balazs Kilvady  <kilvadyb@homejinni.com>

        Add missing load8/branch8 with AbsoluteAddress parameter to MIPS port.

        [MIPS] Build fails since r159395.
        https://bugs.webkit.org/show_bug.cgi?id=124491

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::branch8):

2013-11-18  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r159351): It made zillion tests assert on !CF platforms
        https://bugs.webkit.org/show_bug.cgi?id=124490

        Reviewed by Mark Hahnenberg.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweep):

2013-11-18  Julien Brianceau  <jbriance@cisco.com>

        Remove architecture specific code in LowLevelInterpreter.
        https://bugs.webkit.org/show_bug.cgi?id=124501

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm: Use generic path instead of sh4 specific code.
        * llint/LowLevelInterpreter32_64.asm: Merge sh4/mips path with arm path. The
        "move t0, a0" is not needed for arm because t0 == a0 with this architecture.
        * offlineasm/sh4.rb: Handle move opcode with pr register.

2013-11-18  Julien Brianceau  <jbriance@cisco.com>

        [arm] Add missing implementation in MacroAssembler to fix build (broken since r159395).
        https://bugs.webkit.org/show_bug.cgi?id=124488

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch8):

2013-11-17  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix revertJumpReplacementToBranchPtrWithPatch in MacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=124468

        Reviewed by Michael Saboff.

        Current implementation of revertJumpReplacementToBranchPtrWithPatch is wrong in
        the sh4 MacroAssembler part, leading to random instabilities. This patch fixes it
        and also renames the bad-named revertJumpToMove to revertJumpReplacementToBranchPtrWithPatch
        in the SH4Assembler.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::replaceWithJump):
        (JSC::SH4Assembler::revertJumpReplacementToBranchPtrWithPatch):

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        Simplify WatchpointSet state tracking
        https://bugs.webkit.org/show_bug.cgi?id=124465

        Reviewed by Sam Weinig.
        
        We previously represented the state of watchpoint sets using two booleans. But that
        makes it awkward to case over the state.
        
        We also previously supported a watchpoint set being both watched and invalidated. We
        never used that capability, and its presence was just purely confusing.
        
        This turns the whole thing into an enum.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch8):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branch8):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branch8):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branch8):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::WatchpointSet):
        (JSC::WatchpointSet::add):
        (JSC::WatchpointSet::notifyWriteSlow):
        (JSC::InlineWatchpointSet::inflateSlow):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::state):
        (JSC::WatchpointSet::isStillValid):
        (JSC::WatchpointSet::startWatching):
        (JSC::WatchpointSet::notifyWrite):
        (JSC::WatchpointSet::addressOfState):
        (JSC::InlineWatchpointSet::InlineWatchpointSet):
        (JSC::InlineWatchpointSet::hasBeenInvalidated):
        (JSC::InlineWatchpointSet::startWatching):
        (JSC::InlineWatchpointSet::notifyWrite):
        (JSC::InlineWatchpointSet::decodeState):
        (JSC::InlineWatchpointSet::encodeState):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitVarInjectionCheck):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitVarInjectionCheck):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::attemptToWatch):
        * runtime/SymbolTable.h:

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        FTL should have an explicit notion of bytecode liveness
        https://bugs.webkit.org/show_bug.cgi?id=124181

        Reviewed by Sam Weinig.
        
        This makes FTL OSR exit use bytecode liveness analysis to determine which variables
        to include values for. The decision of how to get the values of variables is based on
        forward propagation of MovHints and SetLocals.
        
        This fixes a bunch of bugs (like https://bugs.webkit.org/show_bug.cgi?id=124138 but
        also others that I noticed when I started writing more targetted tests) and allows us
        to remove some sketchy code.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeBasicBlock.h:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::isValidRegisterForLiveness):
        (JSC::setForOperand):
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        (JSC::stepOverInstruction):
        (JSC::computeLocalLivenessForBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::getLivenessInfo):
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h: Added.
        (JSC::operandIsAlwaysLive):
        (JSC::operandThatIsNotAlwaysLiveIsLive):
        (JSC::operandIsLive):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::captureCount):
        (JSC::CodeBlock::captureStart):
        (JSC::CodeBlock::captureEnd):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dumpInContext):
        * bytecode/FullBytecodeLiveness.h: Added.
        (JSC::FullBytecodeLiveness::FullBytecodeLiveness):
        (JSC::FullBytecodeLiveness::getOut):
        (JSC::FullBytecodeLiveness::operandIsLive):
        (JSC::FullBytecodeLiveness::getLiveness):
        * dfg/DFGAvailability.cpp: Added.
        (JSC::DFG::Availability::dump):
        (JSC::DFG::Availability::dumpInContext):
        * dfg/DFGAvailability.h: Added.
        (JSC::DFG::Availability::Availability):
        (JSC::DFG::Availability::unavailable):
        (JSC::DFG::Availability::withFlush):
        (JSC::DFG::Availability::withNode):
        (JSC::DFG::Availability::withUnavailableNode):
        (JSC::DFG::Availability::nodeIsUndecided):
        (JSC::DFG::Availability::nodeIsUnavailable):
        (JSC::DFG::Availability::hasNode):
        (JSC::DFG::Availability::node):
        (JSC::DFG::Availability::flushedAt):
        (JSC::DFG::Availability::operator!):
        (JSC::DFG::Availability::operator==):
        (JSC::DFG::Availability::merge):
        (JSC::DFG::Availability::mergeNodes):
        (JSC::DFG::Availability::unavailableMarker):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGFlushedAt.cpp:
        (JSC::DFG::FlushedAt::dump):
        * dfg/DFGFlushedAt.h:
        (JSC::DFG::FlushedAt::FlushedAt):
        (JSC::DFG::FlushedAt::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::isLiveInBytecode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::baselineCodeBlockFor):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGResurrectionForValidationPhase.cpp: Added.
        (JSC::DFG::ResurrectionForValidationPhase::ResurrectionForValidationPhase):
        (JSC::DFG::ResurrectionForValidationPhase::run):
        (JSC::DFG::performResurrectionForValidation):
        * dfg/DFGResurrectionForValidationPhase.h: Added.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::forFlushFormat):
        * dfg/DFGVariableAccessData.h:
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::fpr):
        (JSC::FTL::Location::directGPR):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        (JSC::FTL::LowerDFGToLLVM::observeMovHint):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::alloca):
        * ftl/FTLValueSource.cpp: Removed.
        * ftl/FTLValueSource.h: Removed.
        * llvm/LLVMAPIFunctions.h:
        * runtime/DumpContext.cpp:
        (JSC::DumpContext::DumpContext):
        * runtime/DumpContext.h:
        * runtime/Options.h:
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::captureStart):
        (JSC::SharedSymbolTable::captureEnd):
        (JSC::SharedSymbolTable::captureCount):

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSActivation.h.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSActivation.h:

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSVariableObject.h.

        Rubber stamped by Mark Hahnenberg.
        
        I'm about to do some damage to this file. I wanted to give it some sanity first.

        * runtime/JSVariableObject.h:

2013-11-16  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix build (broken since r159346).
        https://bugs.webkit.org/show_bug.cgi?id=124455

        Reviewed by Oliver Hunt.

        Fix LLINT implementation for sh4 architecture to handle properly load and store operations with pr register.

        * offlineasm/sh4.rb:

2013-11-15  Alexey Proskuryakov  <ap@apple.com>

        Support exporting symmetric keys as JWK
        https://bugs.webkit.org/show_bug.cgi?id=124442

        Reviewed by Sam Weinig.

        * runtime/JSONObject.h: Export JSONStringify.

2013-11-15  peavo@outlook.com  <peavo@outlook.com>

        [Win] JavaScript crashes on 64-bit with JIT enabled.
        https://bugs.webkit.org/show_bug.cgi?id=124409

        Reviewed by Michael Saboff.

        These are issues found with JIT on 64-bit:
        - The registers rsi and rdi in callToJavaScript needs to be saved and restored. This is required by the Windows 64-bit ABI.
        - The getHostCallReturnValue function needs to be updated according to it's GCC counterpart.
        - The poke argument offset needs to be 20h, because Windows 64-bit ABI requires stack space allocated for the 4 argument registers.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Re-added JITStubsMSVC64.asm to project.
        * jit/CCallHelpers.h: Set poke argument offset.
        (JSC::CCallHelpers::setupArguments): Compile fix, added needed method.
        * jit/JITStubsMSVC64.asm: Save and restore registers rsi and rdi.
                                  Update getHostCallReturnValue according to the GCC version.

2013-11-14  David Farler  <dfarler@apple.com>

        Copy ASAN flag settings to WebCore and JavaScriptCore intermediate build tools
        https://bugs.webkit.org/show_bug.cgi?id=124362

        Reviewed by David Kilzer.

        * Configurations/ToolExecutable.xcconfig:
        Use ASAN_C*FLAGS.

2013-11-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove JSChunk
        https://bugs.webkit.org/show_bug.cgi?id=124435

        Reviewed by Geoffrey Garen.

        It's empty and has been since it was added 3 years ago.

        * CMakeLists.txt:
        * runtime/JSChunk.cpp: Removed.
        * runtime/JSChunk.h: Removed.

2013-11-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove VTableSpectrum
        https://bugs.webkit.org/show_bug.cgi?id=124427

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        * heap/Heap.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * heap/SlotVisitor.cpp:
        (JSC::visitChildren):
        * heap/SlotVisitor.h:
        * heap/VTableSpectrum.cpp: Removed.
        * heap/VTableSpectrum.h: Removed.

2013-11-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        -dealloc callbacks from wrapped Objective-C objects can happen at bad times
        https://bugs.webkit.org/show_bug.cgi?id=123821

        Reviewed by Darin Adler.

        Currently with the JSC Obj-C API, JS wrappers for client Obj-C objects retain their associated Obj-C 
        object. When they are swept, they release their Obj-C objects which can trigger a call to that 
        object's -dealloc method. These -dealloc methods can then call back into the same VM, which is not 
        allowed during sweeping or VM shutdown.

        We can handle this case by creating our own pool of Obj-C objects to be released when it is safe to do so.
        This is accomplished by using DelayedReleaseScope, an RAII-style object that will retain all objects
        that are unsafe to release until the end of the DelayedReleaseScope.

        * API/APIShims.h:
        (JSC::APICallbackShim::APICallbackShim):
        (JSC::APICallbackShim::vmForDropAllLocks):
        (JSC::APICallbackShim::execForDropAllLocks):
        * API/JSAPIWrapperObject.mm:
        (JSAPIWrapperObjectHandleOwner::finalize):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::destroy):
        (JSC::ObjCCallbackFunction::destroy):
        * API/tests/testapi.mm:
        (-[TinyDOMNode initWithVirtualMachine:]):
        (-[TinyDOMNode dealloc]):
        (-[TinyDOMNode appendChild:]):
        (-[TinyDOMNode removeChildAtIndex:]):
        (-[EvilAllocationObject initWithContext:]):
        (-[EvilAllocationObject dealloc]):
        (-[EvilAllocationObject doEvilThingsWithContext:]):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DelayedReleaseScope.h: Added.
        (JSC::DelayedReleaseScope::DelayedReleaseScope):
        (JSC::DelayedReleaseScope::~DelayedReleaseScope):
        (JSC::DelayedReleaseScope::releaseSoon):
        (JSC::MarkedSpace::releaseSoon):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/Heap.h:
        (JSC::Heap::releaseSoon):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::sweep):
        * heap/MarkedSpace.h:

2013-11-15  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r158586): callToJavaScript needs to save return PC to Sentinel frame
        https://bugs.webkit.org/show_bug.cgi?id=124420

        Reviewed by Filip Pizlo.

        Save the return PC into the sentinel frame.

        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-11-14  Oliver Hunt  <oliver@apple.com>

        Make CLoop easier to build, and make it work
        https://bugs.webkit.org/show_bug.cgi?id=124359

        Reviewed by Geoffrey Garen.

        Add --cloop to build-jsc, build-webkit and friends.

        Also make CLoop build and work again - This meant adding a
        couple of missing ENABLE(DFG_JIT) blocks, and fixing a few 
        other references.

        * Configurations/FeatureDefines.xcconfig:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/DFGExitProfile.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):

2013-11-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r159276): Fix lots of crashes for arm_traditional architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124365

        Reviewed by Oliver Hunt.

        Crashes were caused by a mixup between regular registers and temporary registers in ARM_EXTRA_GPRS.

        * llint/LowLevelInterpreter32_64.asm: Warning, t3 != a3. It's safer to use an implementation using aX
        registers like the MIPS one for cCallX macros.
        * offlineasm/arm.rb: Rearrange ARM_EXTRA_GPRS according to the new register distribution in LLINT.

2013-11-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r159276): rbp register overwritten in Win 64 version of callToJavascript stub
        https://bugs.webkit.org/show_bug.cgi?id=124361

        Reviewed by Oliver Hunt.

        Swapped operand ordering to: mov rax, rbp

        * jit/JITStubsMSVC64.asm:

2013-11-14  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION (r159276): Fix lots of crashes for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124347

        Reviewed by Michael Saboff.

        Since r159276, we have (t4 == a0 == r4) and (t5 == a1 == r5) in LLINT for sh4.
        This leads to argument register trampling in cCallX macros, especially with cCall2
        macro when arg1 == t4.

        * llint/LowLevelInterpreter32_64.asm: Use a new "setargs" pseudo-op to setup arguments for sh4.
        * offlineasm/instructions.rb:
        * offlineasm/sh4.rb: Lower "setargs" pseudo-op to setup argument registers and prevent register trampling issues.

2013-11-14  Julien Brianceau  <jbriance@cisco.com>

        Fix build for sh4 architectures (broken since r159276).
        https://bugs.webkit.org/show_bug.cgi?id=124344

        Reviewed by Csaba Osztrogonác.

        * offlineasm/sh4.rb: There is no fp alias for r14 register for sh4.

2013-11-13  Michael Saboff  <msaboff@apple.com>

        Change callToJavaScript thunk into an offline assembled stub
        https://bugs.webkit.org/show_bug.cgi?id=124251

        Reviewed by Geoffrey Garen.

        Changed callToJavaScript and throwNotCaught into stubs generated by the offline assembler.
        Added popCalleeSaves and pushCalleeSaves pseudo ops to the offline assembler to handle
        the saving and restoring of callee save registers.  Fixed callFrameRegister differences
        between arm traditional (r11) and arm Thumb2 (r7) in GPRInfo.h.  Also fixed implementation
        of pop & push in arm.rb.

        Since the offline assembler and therefore the LLInt don't work on Windows, the Windows stubs
        are handled as inline assembly in JITStubsX86.h and JITStubsMSVC64.asm.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITStubs.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * jit/ThunkGenerators.cpp:
        * jit/ThunkGenerators.h:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:
        * offlineasm/registers.rb:
        * offlineasm/sh4.rb:
        * offlineasm/x86.rb:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-11-13  Andy Estes  <aestes@apple.com>

        Fix the ARM64 build after recent JavaScriptCore changes
        https://bugs.webkit.org/show_bug.cgi?id=124315

        Reviewed by Michael Saboff.

        Based on patches by myself, Filip Pizlo, Benjamin Poulain, and Michael Saboff.

        * Configurations/JavaScriptCore.xcconfig: Hid the symbol for
        std::bad_function_call.
        * JavaScriptCore.xcodeproj/project.pbxproj: Marked
        MacroAssemblerARM64.h and ARM64Assembler.h as Private headers.
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::executableOffsetFor):
        * assembler/MacroAssemblerARM64.h: Removed ARM64's executableCopy(),
        which was removed from other assembler backends in r157690.
        (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch): Added.
        (JSC::MacroAssemblerARM64::lshift64): Added.
        (JSC::MacroAssemblerARM64::mul64): Added.
        (JSC::MacroAssemblerARM64::rshift64): Added.
        (JSC::MacroAssemblerARM64::convertInt64ToDouble): Added.
        (JSC::MacroAssemblerARM64::branchMul64): Added.
        (JSC::MacroAssemblerARM64::branchNeg64): Added.
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding): Added.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv): Changed
        SpeculateIntegerOperand to SpeculateInt32Operand,
        nodeCanIgnoreNegativeZero() to bytecodeCanIgnoreNegativeZero(), and
        nodeUsedAsNumber() to bytecodeUsesAsNumber().
        (JSC::DFG::SpeculativeJIT::compileArithMod): Changed
        nodeCanIgnoreNegativeZero() to bytecodeCanIgnoreNegativeZero().

2013-11-13  Oliver Hunt  <oliver@apple.com>

        Fix debug build.

        * parser/Parser.cpp:

2013-11-13  Tim Horton  <timothy_horton@apple.com>

        r159210 added a period where there previously wasn't one, breaking >100 tests

        Rubber-stamped by Oliver Hunt.

        * parser/Parser.cpp:
        (JSC::::logError):
        Remove the extra period.

2013-11-13  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r158014): Many webpages throw stack overflow exceptions on iOS (because Parser::parseMemberExpression uses ~130K more stack)
        https://bugs.webkit.org/show_bug.cgi?id=124177

        Reviewed by Michael Saboff.

        This patch pushes error handling into NEVER_INLINE functions to perform
        the actual error message construction.  This dramatically reduces the
        stack usage of the Parser.  For the large functions (such as parseMemberExpression)
        the improvement is on the order of 2.5x reduction in stack usage.  For
        smaller functions the reduction is in the order of 5-6x.

        * parser/Parser.cpp:
        (JSC::::logError):
        * parser/Parser.h:

2013-11-13  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Protect repatchCompact from flushConstantPool.
        https://bugs.webkit.org/show_bug.cgi?id=124278

        Reviewed by Michael Saboff.

        Random crashes may occur with sh4 architecture, when a flushConstantPool occurs in
        movlMemRegCompact. As in this case a branch opcode and the constant pool are put
        before the movlMemRegCompact, the branch itself is patched when calling repatchCompact
        instead of the mov instruction, which is really bad.

        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::repatchCompact): Handle this specific case and add an ASSERT.

2013-11-12  Alexey Proskuryakov  <ap@apple.com>

        Disable WebCrypto on Mountain Lion
        https://bugs.webkit.org/show_bug.cgi?id=124261

        Rubber-stamped by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2013-11-12  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix load32WithUnalignedHalfWords function in baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=124233

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords): Do not claim scratch register too early.
        Test already covered by fast/regex/pcre-test-1.

2013-11-12  Filip Pizlo  <fpizlo@apple.com>

        Liveness analysis should take less memory in CodeBlock when it is unused
        https://bugs.webkit.org/show_bug.cgi?id=124225

        Reviewed by Mark Hahnenberg.
        
        Basically, I turned CodeBlock::m_livenessAnalysis into a pointer that is null by
        default.

        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        (JSC::BytecodeLivenessAnalysis::compute):
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::livenessAnalysis):

2013-11-11  Oliver Hunt  <oliver@apple.com>

        Support unprefixed deconstructing assignment
        https://bugs.webkit.org/show_bug.cgi?id=124172

        Reviewed by Mark Lam.

        Add support for unprefixed descontructive assignment.

        Happily non-reference types on the left hand side of an assignment
        are a runtime error, so we're able to defer validation of the binding
        pattern to codegen time when we're already doing a lot more work.

        We're also able to predicate our attempt to parse on the existence of
        '[' or '{' as they are not as common as other constructs. 

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::emitDirectBinding):
        * parser/ASTBuilder.h:
        * parser/Parser.cpp:
        (JSC::::createBindingPattern):
        (JSC::::tryParseDeconstructionPatternExpression):
        (JSC::::parseDeconstructionPattern):
        (JSC::::parseForStatement):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::createSavePoint):
        (JSC::Parser::restoreSavePoint):
        * parser/SyntaxChecker.h:

2013-11-12  Andy Estes  <aestes@apple.com>

        Run JavaScriptCore Objective-C API tests on all supported platforms
        https://bugs.webkit.org/show_bug.cgi?id=124214

        Reviewed by Mark Hahnenberg.

        Now that we support the API on iOS and on OS X 10.8, there's no reason
        to limit the tests to OS X 10.9 (or greater).

        * API/tests/CurrentThisInsideBlockGetterTest.h:
        * API/tests/CurrentThisInsideBlockGetterTest.mm:
        * API/tests/testapi.mm:

2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlocks should be able to determine bytecode liveness
        https://bugs.webkit.org/show_bug.cgi?id=118546

        Reviewed by Filip Pizlo.

        This will simplify some things in the DFG related to OSR exits and determining 
        which bytecode variables are live at which points during execution. It will
        also be useful for making our conservative GC scan more precise. Currently it 
        doesn't properly account for liveness while the DFG is running, so it will be 
        off by default behing a runtime Options flag.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeBasicBlock.cpp: Added.
        (JSC::isBranch): Used to determine the end of basic blocks.
        (JSC::isUnconditionalBranch): Used to determine when a branch at the end of a 
        basic block can't possibly fall through to the next basic block in program order.
        (JSC::isTerminal): Also used to detect the end of a block.
        (JSC::isThrow):
        (JSC::isJumpTarget): Used to correctly separate basic blocks. Any jump destination 
        must be the head of its own basic block.
        (JSC::linkBlocks): Links two blocks together in a bi-direcitonal fashion.
        (JSC::computeBytecodeBasicBlocks): Creates a set of basic blocks given a particular 
        CodeBlock and links them together.
        * bytecode/BytecodeBasicBlock.h: Added.
        (JSC::BytecodeBasicBlock::isEntryBlock): Entry blocks are a special basic blocks 
        that indicate the beginning of the function.
        (JSC::BytecodeBasicBlock::isExitBlock): Exit blocks are a special basic block that 
        all blocks that exit the function have as a successor. Entry and exit blocks allows 
        the various code paths to be more regular.
        (JSC::BytecodeBasicBlock::leaderBytecodeOffset): The leader bytecode offset is the 
        bytecode offset of the first instruction in the block.
        (JSC::BytecodeBasicBlock::totalBytecodeLength): The total length of all the bytecodes 
        in this block.
        (JSC::BytecodeBasicBlock::bytecodeOffsets): The bytecode offsets in this particular 
        basic block. This Vector allows us to iterate over the bytecodes in reverse order 
        which wouldn't be possible normally since they are of variable size.
        (JSC::BytecodeBasicBlock::addPredecessor): Links a block to a specified predecessor. 
        Only creates one direction of the link.
        (JSC::BytecodeBasicBlock::addSuccessor): Same as addPredecessor, but for successors.
        (JSC::BytecodeBasicBlock::predecessors): Getter for predecessors.
        (JSC::BytecodeBasicBlock::successors): Getter for successors.
        (JSC::BytecodeBasicBlock::in): Getter for the liveness info at the head of the block.
        (JSC::BytecodeBasicBlock::out): Getter for the liveness info at  the tail of the block.
        (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
        (JSC::BytecodeBasicBlock::addBytecodeLength): When creating basic blocks we call 
        this function when we want to add the next bytecode in program order to this block.
        * bytecode/BytecodeLivenessAnalysis.cpp: Added.
        (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
        (JSC::numberOfCapturedVariables): Convenience wrapper. Returns the
        number of captured variables for a particular CodeBlock, or 0 if 
        the CodeBlock has no SymbolTable.
        (JSC::captureStart): Ditto, but for captureStart().
        (JSC::captureEnd): Ditto, but for captureEnd().
        (JSC::isValidRegisterForLiveness): Returns true if the liveness analysis should 
        track the liveness of a particular operand. We ignore constants, arguments, and 
        captured variables. We ignore arguments because they're live for the duration of 
        a function call. We ignore captured variables because we also treat them as live 
        for the duration of the function. This could probably be improved to be more precise, 
        but it didn't seem worth it for now.
        (JSC::setForOperand): Convenience wrapper that sets the bit in the provided bit 
        vector for the provided operand. It handles skipping over captured variables.
        (JSC::computeUsesForBytecodeOffset): Computes which operands are used by a particular bytecode.
        (JSC::computeDefsForBytecodeOffset): Computes which operands are defined by a particular 
        bytecode. Typically this is just the left-most operand.
        (JSC::findBasicBlockWithLeaderOffset): 
        (JSC::findBasicBlockForBytecodeOffset): Scans over basic blocks to find the block 
        which contains a particular bytecode offset.
        (JSC::computeLocalLivenessForBytecodeOffset): Computes block-local liveness from the 
        bottom of the block until a specified bytecode offset is reached. 
        (JSC::computeLocalLivenessForBlock): Computes liveness for the entire block and 
        stores the resulting liveness at the head.
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint): Runs backward flow liveness 
        analysis to fixpoint.
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): 
        Slow path to get liveness info for non-captured, non-argument variable.
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): 
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset): Returns the liveness 
        info for both captured and non-captured vars at a particular bytecode offset.
        (JSC::BytecodeLivenessAnalysis::dumpResults): Dumps the output of the liveness analysis. 
        Controlled by new flag in Options.h/.cpp.
        (JSC::BytecodeLivenessAnalysis::compute): Creates bytecode basic blocks and runs 
        full liveness analysis.
        * bytecode/BytecodeLivenessAnalysis.h: Added.
        (JSC::BytecodeLivenessAnalysis::hasBeenComputed):
        (JSC::BytecodeLivenessAnalysis::computeIfNecessary):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::livenessAnalysis):
        * bytecode/PreciseJumpTargets.cpp: Refactored to be able to get the jump targets for 
        a particular bytecode offset for use during bytecode basic block construction.
        (JSC::getJumpTargetsForBytecodeOffset):
        (JSC::computePreciseJumpTargets):
        (JSC::findJumpTargetsForBytecodeOffset):
        * bytecode/PreciseJumpTargets.h:
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * runtime/Options.h:

2013-11-11  Andy Estes  <aestes@apple.com>

        [iOS] Define JSC_OBJC_API_ENABLED
        https://bugs.webkit.org/show_bug.cgi?id=124192

        Reviewed by Geoffrey Garen.

        * API/JSBase.h: JSC_OBJC_API_ENABLED should evaluate to true if
        TARGET_OS_IPHONE is true.
        * API/JSValue.h: Ensure CG types referenced later in the file are defined.

2013-11-12  Balazs Kilvady  <kilvadyb@homejinni.com>

        Fix undefined reference issues in JavaScriptCore build.
        https://bugs.webkit.org/show_bug.cgi?id=124152

        Reviewed by Michael Saboff.

        Missing includes added.

        * runtime/SymbolTable.cpp:

2013-11-12  Alexandru Chiculita  <achicu@adobe.com>

        Web Inspector: Crash when closing the Inspector while debugging an exception inside a breakpoint condition.
        https://bugs.webkit.org/show_bug.cgi?id=124078

        Reviewed by Joseph Pecoraro.

        The crash would happen because the Debugger is not designed to support nested
        breaks. For example, when the debugger handles a breakpoint and the Inspector
        executes a console command that would hit the breakpoint again, the Debugger
        will just ignore the breakpoint.

        There were no checks for conditions and actions. Because of that conditions and actions
        could trigger exceptions and breakpoints. This patch disables that functionality as it
        cannot be supported without a bigger rewrite of the code.

        * debugger/Debugger.cpp:
        (JSC::TemporaryPausedState::TemporaryPausedState):
        (JSC::TemporaryPausedState::~TemporaryPausedState):
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::pauseIfNeeded):
        * debugger/Debugger.h:

2013-11-12  Julien Brianceau  <jbriance@cisco.com>

        InvalidIndex shouldn't be private in GPRInfo and FPRInfo for sh4, mips and arm64 architectures.
        https://bugs.webkit.org/show_bug.cgi?id=124156

        Reviewed by Michael Saboff.

        * jit/FPRInfo.h:
        (JSC::FPRInfo::debugName):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::debugName):

2013-11-11  Andreas Kling  <akling@apple.com>

        CodeBlock: Un-segment some Vectors.
        <https://webkit.org/b/124188>

        Turn some SegmentedVectors into Vectors where the final item count
        is known at CodeBlock construction time. This removes unnecessary
        allocation and indirection.

        I've got ~4.5 MB below SegmentedVector<ValueProfile>::ensureSegment
        on Membuster3 (peak, before pressure signal) so this should help
        take a bit of the edge off there.

        Reviewed by Geoffrey Garen.

2013-11-11  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the lastResultRegister optimization in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=124171

        Rubber stamped by Mark Hahnenberg.
        
        The baseline JIT no longer needs amazing throughput. And this optimization has caused
        way too many OSR exit bugs. And it constrains how much we can do in the DFG/FTL. So,
        I'm getting rid of it.

        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::convertToForward):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::observeMovHint):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::OSRExit):
        (JSC::FTL::OSRExit::convertToForward):
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::appendCall):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        * jit/JITCall.cpp:
        (JSC::JIT::emitPutCallResult):
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::emitGetFromCallFrameHeaderPtr):
        (JSC::JIT::emitGetFromCallFrameHeader32):
        (JSC::JIT::emitGetFromCallFrameHeader64):
        (JSC::JIT::emitLoadTag):
        (JSC::JIT::emitLoadPayload):
        (JSC::JIT::emitLoad2):
        (JSC::JIT::emitGetVirtualRegister):
        (JSC::JIT::emitGetVirtualRegisters):
        (JSC::JIT::emitPutVirtualRegister):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_new_func):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_catch):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitResolveClosure):
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_init_global_const):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):

2013-11-11  Filip Pizlo  <fpizlo@apple.com>

        Remove ConstantFoldingPhase's weirdo compile-time optimization
        https://bugs.webkit.org/show_bug.cgi?id=124169

        Reviewed by Mark Hahnenberg.
        
        It turns out that this compile-time optimization doesn't optimize compile times
        anymore. Kill it with fire.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-11-11  Filip Pizlo  <fpizlo@apple.com>

        Make bytecode dumping use the right opcode names for inc/dec.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2013-11-10  Filip Pizlo  <fpizlo@apple.com>

        DFG Int52 boxing code may clobber the source without telling anyone
        https://bugs.webkit.org/show_bug.cgi?id=124137

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::boxInt52): This is called in places where source is expected to be unchanged. We never call this expecting super-amazing codegen. So, preserve the source's value the dumb way (by recovering it mathematically).
        * jit/AssemblyHelpers.h: Document the invariant for boxInt52.
        * jsc.cpp:
        (GlobalObject::finishCreation): It's been super annoying that sometimes we say noInline() and sometimes we say neverInlineFunction(). The LayoutTests harnesses ensure that we have something called noInline(), but it's great to also ensure that the shell has it.

2013-11-11  Oliver Hunt  <oliver@apple.com>

        ExtJS breaks with modern Array.prototype.values API due to use of with()
        https://bugs.webkit.org/show_bug.cgi?id=123440

        Reviewed by Beth Dakin.

        As with our attempt to make Arguments use the Array prototype, ExtJS has
        a weird dependency on not adding new APIs to core types.  In this case
        Array.prototype.values.  The fix is to remove it, and push for ES6 to drop
        the API.

        * runtime/ArrayPrototype.cpp:

2013-11-11  Gabor Rapcsanyi  <rgabor@webkit.org>

        Fix CPU(ARM_TRADITIONAL) build after r159039.
        https://bugs.webkit.org/show_bug.cgi?id=124149

        Reviewed by Geoffrey Garen.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::firstRegister):
        (JSC::ARMAssembler::lastRegister):
        (JSC::ARMAssembler::firstFPRegister):
        (JSC::ARMAssembler::lastFPRegister):
        * assembler/MacroAssemblerARM.h:
        * jit/FPRInfo.h:

2013-11-09  Filip Pizlo  <fpizlo@apple.com>

        Switch FTL GetById/PutById IC's over to using AnyRegCC
        https://bugs.webkit.org/show_bug.cgi?id=124094

        Reviewed by Sam Weinig.
        
        This closes the loop on inline caches (IC's) in the FTL. The goal is to have IC's
        in LLVM-generated code that are just as efficient (if not more so) than what a
        custom JIT could do. As in zero sources of overhead. Not a single extra instruction
        or even register allocation pathology. We accomplish this by having two thingies in
        LLVM. First is the llvm.experimental.patchpoint intrinsic, which is sort of an
        inline machine code snippet that we can fill in with whatever we want and then
        modify subsequently. But you have only two choices of how to pass values to a
        patchpoint: (1) via the calling convention or (2) via the stackmap. Neither are good
        for operands to an IC (like the base pointer for a GetById, for example). (1) is bad
        because it results in things being pinned to certain registers a priori; a custom
        JIT (like the DFG) will not pin IC operands to any registers a priori but will allow
        the register allocator to do whatever it wants. (2) is bad because the operands may
        be spilled or may be represented in other crazy ways. You generally want an IC to
        have its operands in registers. Also, patchpoints only return values using the
        calling convention, which is unfortunate since it pins the return value to a
        register a priori. This is where the second thingy comes in: the AnyRegCC. This is
        a special calling convention only for use with patchpoints. It means that arguments
        passed "by CC" in the patchpoint can be placed in any register, and the register
        that gets used is reported as part of the stackmap. It also means that the return
        value (if there is one) can be placed in any register, and the stackmap will tell
        you which one it was. Thus, patchpoints combined with AnyRegCC mean that you not
        only get the kind of self-modifying code that you want for IC's, but you also get
        all of the register allocation goodness that a custom JIT would have given you.
        Except that you're getting it from LLVM and not a custom JIT. Awesome.
        
        Even though all of the fun stuff is on the LLVM side, this patch was harder than
        you'd expect.
        
        First the obvious bits:
        
        - IC patchpoints now use AnyRegCC instead of the C CC. (CC = calling convention.)
        
        - FTL::fixFunctionBasedOnStackMaps() now correctly figures out which registers the
          IC is supposed to use instead of assuming C CC argument registers.
        
        And then all of the stuff that broke and that this patch fixes:
        
        - IC sizing based on generating a dummy IC (what FTLInlineCacheSize did) is totally
          bad on x86-64, where various register permutations lead to bizarre header bytes
          and eclectic SIB encodings. I changed that to have magic constants, for now.
        
        - Slow path calls didn't preserve the CC return register.
        
        - Repatch's scratch register allocation would get totally confused if the operand
          registers weren't one of the DFG-style "temp" registers. And by "totally confused"
          I mean that it would crash.
        
        - We assumed that r10 is callee-saved. It's not. That one dude's PPT about x86-64
          cdecl that I found on the intertubes was not a trustworthy source of information,
          apparently.
        
        - Call repatching didn't know that the FTL does its IC slow calls via specially
          generated thunks. This was particularly fun to fix: basically, now when we relink
          an IC call in the FTL, we use the old call target to find the SlowPathCallKey,
          which tells us everything we need to know to generate (or look up) a new thunk for
          the new function we want to call.
        
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::isEmptyValue):
        (JSC::MacroAssemblerCodePtr::isDeletedValue):
        (JSC::MacroAssemblerCodePtr::hash):
        (JSC::MacroAssemblerCodePtr::emptyValue):
        (JSC::MacroAssemblerCodePtr::deletedValue):
        (JSC::MacroAssemblerCodePtrHash::hash):
        (JSC::MacroAssemblerCodePtrHash::equal):
        * assembler/MacroAssemblerX86Common.h:
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::RepatchBuffer):
        (JSC::RepatchBuffer::codeBlock):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::setInstructionCallingConvention):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::directGPR):
        (JSC::FTL::StackMaps::Location::restoreInto):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.h:
        (JSC::FTL::generateIfNecessary):
        (JSC::FTL::keyForThunk):
        (JSC::FTL::Thunks::keyForSlowPathCallThunk):
        * jit/FPRInfo.h:
        (JSC::FPRInfo::toIndex):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::filter):
        * jit/Repatch.cpp:
        (JSC::readCallTarget):
        (JSC::repatchCall):
        (JSC::repatchByIdSelfAccess):
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::lock):

2013-11-10  Oliver Hunt  <oliver@apple.com>

        Implement Set iterators
        https://bugs.webkit.org/show_bug.cgi?id=124129

        Reviewed by Antti Koivisto.

        Add Set iterator classes and implementations

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSSetIterator.cpp: Added.
        (JSC::JSSetIterator::finishCreation):
        (JSC::JSSetIterator::visitChildren):
        (JSC::JSSetIterator::createPair):
        * runtime/JSSetIterator.h: Added.
        (JSC::JSSetIterator::createStructure):
        (JSC::JSSetIterator::create):
        (JSC::JSSetIterator::next):
        (JSC::JSSetIterator::JSSetIterator):
        * runtime/SetIteratorConstructor.cpp: Added.
        (JSC::SetIteratorConstructor::finishCreation):
        * runtime/SetIteratorConstructor.h: Added.
        (JSC::SetIteratorConstructor::create):
        (JSC::SetIteratorConstructor::createStructure):
        (JSC::SetIteratorConstructor::SetIteratorConstructor):
        * runtime/SetIteratorPrototype.cpp: Added.
        (JSC::SetIteratorPrototype::finishCreation):
        (JSC::SetIteratorPrototypeFuncIterator):
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SetIteratorPrototype.h: Added.
        (JSC::SetIteratorPrototype::create):
        (JSC::SetIteratorPrototype::createStructure):
        (JSC::SetIteratorPrototype::SetIteratorPrototype):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::setProtoFuncValues):
        (JSC::setProtoFuncEntries):
        (JSC::setProtoFuncKeys):

2013-11-09  Oliver Hunt  <oliver@apple.com>

        Add Map Iterators
        https://bugs.webkit.org/show_bug.cgi?id=124109

        Reviewed by Andreas Kling.

        Added new Map iterator implementation.  This is a mostly boilerplate patch
        however there's a a little bit of additional logic added to the MapData iterator
        to deal with the possibility of map mutation between creation of the iterator
        and use of it.  We'll be able to improve the performance of this substantially
        by using intrinsics, however I'm pondering coming up with a better way to define
        these thunks without requiring so much duplicated logic.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSMapIterator.cpp: Added.
        (JSC::JSMapIterator::finishCreation):
        (JSC::JSMapIterator::visitChildren):
        (JSC::JSMapIterator::createPair):
        * runtime/JSMapIterator.h: Added.
        (JSC::JSMapIterator::createStructure):
        (JSC::JSMapIterator::create):
        (JSC::JSMapIterator::next):
        (JSC::JSMapIterator::JSMapIterator):
        * runtime/MapData.h:
        (JSC::MapData::const_iterator::ensureSlot):
        * runtime/MapIteratorConstructor.cpp: Added.
        (JSC::MapIteratorConstructor::finishCreation):
        * runtime/MapIteratorConstructor.h: Added.
        (JSC::MapIteratorConstructor::create):
        (JSC::MapIteratorConstructor::createStructure):
        (JSC::MapIteratorConstructor::MapIteratorConstructor):
        * runtime/MapIteratorPrototype.cpp: Added.
        (JSC::MapIteratorPrototype::finishCreation):
        (JSC::MapIteratorPrototypeFuncIterator):
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapIteratorPrototype.h: Added.
        (JSC::MapIteratorPrototype::create):
        (JSC::MapIteratorPrototype::createStructure):
        (JSC::MapIteratorPrototype::MapIteratorPrototype):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        (JSC::mapProtoFuncValues):
        (JSC::mapProtoFuncEntries):
        (JSC::mapProtoFuncKeys):

2013-11-08  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed GTK build fix.

        * GNUmakefile.list.am: Remove redundant build targets.

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        Remove dead FTL C ABI support
        https://bugs.webkit.org/show_bug.cgi?id=124100

        Reviewed by Jer Noble.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCArgumentGetter.cpp: Removed.
        * ftl/FTLCArgumentGetter.h: Removed.
        * ftl/FTLOSRExitCompiler.cpp:
        * jit/FPRInfo.h:

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support Phantom(FinalObject:)
        https://bugs.webkit.org/show_bug.cgi?id=124092

        Reviewed by Oliver Hunt.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::isType):
        (JSC::FTL::LowerDFGToLLVM::isNotType):
        (JSC::FTL::LowerDFGToLLVM::speculateFinalObject):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the FTL tail call APIs since they are unused
        https://bugs.webkit.org/show_bug.cgi?id=124093

        Reviewed by Oliver Hunt.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildCall):
        * ftl/FTLOutput.h:

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support AllocatePropertyStorage
        https://bugs.webkit.org/show_bug.cgi?id=124086

        Reviewed by Oliver Hunt.
        
        Also rationalized some offsets in the DFG.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the bizarre Darwin/x86-only MacroAssembler::shouldBlindForSpecificArch(uintptr_t) overload
        https://bugs.webkit.org/show_bug.cgi?id=124087

        Reviewed by Michael Saboff.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindPointerForSpecificArch):
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=124067

        Reviewed by Michael Saboff.
        
        This expanded coverage and revealed some bugs.
        
        This revealed a bug in FTL::OSRExitCompiler where it was assuming that it could save
        the framePointer in regT3 even though DFG::reifyInlinedCallFrames() would clobber it.
        It turns out that this can be fixed by just completely restoring the stack prior to
        doing reifyInlineCallFrames().
        
        I used this as an opportunity to simplify NewArray. That revealed a bug; whenever we say
        lowJSValue() in there we need to use ManualOperandSpeculation since we're using it to
        rebox values even when we also have to do some speculations. The speculations are done
        at the top of compileNewArray().
        
        This also revealed a bug in StringCharAt() for the OOB case.

        * ftl/FTLAbstractHeapRepository.h:
        (JSC::FTL::AbstractHeapRepository::forIndexingType):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to disable blinding on a per-architecture basis
        https://bugs.webkit.org/show_bug.cgi?id=124083

        Reviewed by Michael Saboff.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::haveScratchRegisterForBlinding):
        (JSC::AbstractMacroAssembler::scratchRegisterForBlinding):
        (JSC::AbstractMacroAssembler::canBlind):
        (JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        (JSC::MacroAssembler::store32):
        (JSC::MacroAssembler::branch32):
        (JSC::MacroAssembler::branchAdd32):
        (JSC::MacroAssembler::branchMul32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::canBlind):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::haveScratchRegisterForBlinding):

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Remove more accidentally added files.

        * runtime/SetIteratorConstructor.cpp: Removed.
        * runtime/SetIteratorConstructor.h: Removed.
        * runtime/SetIteratorPrototype.cpp: Removed.
        * runtime/SetIteratorPrototype.h: Removed.

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Remove accidentally added files.

        * runtime/JSSetIterator.cpp: Removed.
        * runtime/JSSetIterator.h: Removed.

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Fix minor (unobservable) bug in ArrayIterator::next()
        https://bugs.webkit.org/show_bug.cgi?id=124061

        Reviewed by Beth Dakin.

        I noticed this while reading the array iterator code.  Due to how
        ArrayIterator::next() and our enumeration behaviour is implemented
        this is not actually a code path that can be hit.  But in order to
        future proof this it should be correct.
        
        * runtime/JSArrayIterator.cpp:
        (JSC::arrayIteratorNext):

2013-11-08  Mark Lam  <mark.lam@apple.com>

        Move breakpoint (and exception break) functionality into JSC::Debugger.
        https://bugs.webkit.org/show_bug.cgi?id=121796.

        Reviewed by Geoffrey Garen.

        - In ScriptDebugServer and JSC::Debugger, SourceID and BreakpointID are
          now numeric tokens.

        - JSC::Debugger now tracks user defined breakpoints in a JSC::Breakpoint
          record. Previously, this info is tracked in the ScriptBreakpoint record
          in ScriptDebugServer. The only element of ScriptBreakpoint that is not
          being tracked by JSC::Breakpoint is the ScriptBreakpointAction.
             The ScriptBreakpointAction is still tracked by the ScriptDebugServer
          in a list keyed on the corresponding BreakpointID.
             The ScriptBreakpoint record is now only used as a means of passing
          breakpoint paramaters to the ScriptDebugServer.

        - ScriptDebugServer now no longer accesses the JSC::CallFrame* directly.
          It always goes through the DebuggerCallFrame.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Breakpoint.h: Added.
        (JSC::Breakpoint::Breakpoint):
        - Breakpoint class to track info for each breakpoint in JSC::Debugger.
        * debugger/Debugger.cpp:
        (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope):
        (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope):
        (JSC::Debugger::Debugger):
        (JSC::Debugger::detach):
        (JSC::Debugger::updateNeedForOpDebugCallbacks):
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::setBreakpointsActivated):
        (JSC::Debugger::setPauseOnExceptionsState):
        (JSC::Debugger::setPauseOnNextStatement):
        (JSC::Debugger::breakProgram):
        (JSC::Debugger::continueProgram):
        (JSC::Debugger::stepIntoStatement):
        (JSC::Debugger::stepOverStatement):
        (JSC::Debugger::stepOutOfFunction):
        (JSC::Debugger::updateCallFrame):
        (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::exception):
        (JSC::Debugger::atStatement):
        (JSC::Debugger::callEvent):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::willExecuteProgram):
        (JSC::Debugger::didExecuteProgram):
        (JSC::Debugger::didReachBreakpoint):
        (JSC::Debugger::currentDebuggerCallFrame):
        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::sourceID):
        (JSC::DebuggerCallFrame::sourceIDForCallFrame):
        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerPrimitives.h: Added.
        - define SourceID, noSourceID, BreakpointID, and noBreakpointID.

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Map.forEach crashes on deleted values
        https://bugs.webkit.org/show_bug.cgi?id=124017

        Reviewed by Ryosuke Niwa.

        MapData iterator did not consider the case of the first entries
        being holes.  To fix this I've refactored iteration so that we
        can perform an initialisation increment on construction, whle
        retaining the useful assertion in MapData::const_iterator::operator++

        * runtime/MapData.h:
        (JSC::MapData::const_iterator::operator++):
        (JSC::MapData::const_iterator::internalIncrement):
        (JSC::MapData::const_iterator::const_iterator):

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r158883): Fix crashes for ARM architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124038

        Reviewed by Michael Saboff.

        * jit/GPRInfo.h: Remove r11 from the temporary register set, use a free register for
        nonPreservedNonReturnGPR and remove obsolete declaration of bucketCounterRegister.
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/JITOperations.cpp: Frame pointer register is r11 for ARM_TRADITIONAL and
        r7 for ARM_THUMB2 instead of r5 since r158883.

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r158883): Fix crashes for MIPS architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124044

        Reviewed by Michael Saboff.

        * jit/JITOperations.cpp: Frame pointer register is fp instead of s0 since r158883 for MIPS.
        * jit/ThunkGenerators.cpp: Save and restore the new frame pointer register.
        (JSC::returnFromJavaScript):
        (JSC::callToJavaScript):

2013-11-08  peavo@outlook.com  <peavo@outlook.com>

        [Win] JavaScript crash in getHostCallReturnValue.
        https://bugs.webkit.org/show_bug.cgi?id=124040

        Reviewed by Geoffrey Garen.

        * jit/JITOperations.cpp: Update MSVC assembler code in getHostCallReturnValue according to gcc x86 version.

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix typo (introduced in r158751).
        https://bugs.webkit.org/show_bug.cgi?id=124033.

        Reviewed by Csaba Osztrogonác.

        * jit/ThunkGenerators.cpp:
        (JSC::callToJavaScript):

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        [arm] Use specific PatchableJump implementation for CPU(ARM_TRADITIONAL).
        https://bugs.webkit.org/show_bug.cgi?id=123891

        Reviewed by Michael Saboff.

        Although patchableBranch32 is implemented in MacroAssemblerARM.h, the used implementation
        is the generic one in MacroAssembler.h. This patch fixes it and also implements the
        patchableJump() function for CPU(ARM_TRADITIONAL). These specific implementations are
        needed for this architecture backend to ensure that these jumps can be relinked.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::patchableJump):
        * jit/GPRInfo.h: Remove static_cast that are generating warnings in debug builds.
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):

2013-11-07  Mark Lam  <mark.lam@apple.com>

        Get rid of the regT* definitions in JSInterfaceJIT.h.
        https://bugs.webkit.org/show_bug.cgi?id=123806.

        Reviewed by Geoffrey Garen.

        JSInterfaceJIT now inherits from GPRInfo and FPRInfo, and relies on them
        to provide all the register definitions.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toArgumentRegister):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::JSInterfaceJIT):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:

2013-11-07  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewArray
        https://bugs.webkit.org/show_bug.cgi?id=124010

        Reviewed by Oliver Hunt.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNewObject):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
        (JSC::FTL::LowerDFGToLLVM::ArrayValues::ArrayValues):
        (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::loadDouble):
        (JSC::FTL::Output::storeDouble):

2013-11-07  Michael Saboff  <msaboff@apple.com>

        Change CallFrameRegister to architected frame pointer register
        https://bugs.webkit.org/show_bug.cgi?id=123956

        Reviewed by Geoffrey Garen.

        Changed X86 and ARM variants as well as MIPS to use their respective architected
        frame pointer registers.  The freed up callFrameRegisteris are made available to 
        the DFG register allocator.  Modified the FTL OSR exit compiler to use a temporary
        register as a stand in for the destination callFrameRegister since the FTL frame
        pointer register is needed to extract values from the FTL stack.

        Reviewed by Geoffrey Garen.

        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        * assembler/MacroAssemblerMIPS.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::addressFor):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/JITOperations.cpp:
        * jit/JSInterfaceJIT.h:
        * jit/ThunkGenerators.cpp:
        (JSC::callToJavaScript):
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/mips.rb:
        * offlineasm/x86.rb:

2013-11-07  Oliver Hunt  <oliver@apple.com>

        Reproducible crash when using Map (affects Web Inspector)
        https://bugs.webkit.org/show_bug.cgi?id=123940

        Reviewed by Geoffrey Garen.

        Trivial fix.  Once again we get bitten by attempting to be clever when
        growing while adding entries to indexing maps.

        Now we simply do a find(), and then add() _after_ we've ensured there is
        sufficient space in the MapData list.

        * runtime/MapData.cpp:
        (JSC::MapData::add):

2013-11-07  Mark Lam  <mark.lam@apple.com>

        Cosmetic: rename xxxId to xxxID for ScriptId, SourceId, and BreakpointId.
        https://bugs.webkit.org/show_bug.cgi?id=123945.

        Reviewed by Geoffrey Garen.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::sourceID):
        (JSC::DebuggerCallFrame::sourceIDForCallFrame):
        * debugger/DebuggerCallFrame.h:

2013-11-07  Michael Saboff  <msaboff@apple.com>

        returnFromJavaScript() for ARM_THUMB2 uses push()s which should be pop()s
        https://bugs.webkit.org/show_bug.cgi?id=124006

        Rubber stamped by Mark Hahnenberg.

        Changed the push() calls to pop().

        * jit/ThunkGenerators.cpp:
        (JSC::returnFromJavaScript):

2013-11-07  Michael Saboff  <msaboff@apple.com>

        Remove unneeded moving of ESP to ECX in callToJavaScript for COMPILER(MSVC)
        https://bugs.webkit.org/show_bug.cgi?id=123998

        Reviewed by Mark Lam.

        Dead code removal.  Passing esp as the first "C" argument to a JavaScript
        function is no longer needed.

        * jit/ThunkGenerators.cpp:
        (JSC::callToJavaScript):

2013-11-07  Julien Brianceau  <jbriance@cisco.com>

        Fix build for architectures with 4 argument registers (broken since r158820).
        https://bugs.webkit.org/show_bug.cgi?id=123969

        Reviewed by Andreas Kling.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support CheckFunction
        https://bugs.webkit.org/show_bug.cgi?id=123862

        Reviewed by Sam Weinig.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):

2013-11-06  Filip Pizlo  <fpizlo@apple.com>

        IC code should handle the call frame register not being the callFrameRegister
        https://bugs.webkit.org/show_bug.cgi?id=123865

        Reviewed by Geoffrey Garen.
        
        For now, in the FTL, the call frame may be something other than our frame pointer,
        since it's an argument passed in according to whatever convention LLVM picks.
        
        This is temporary in two ways - pretty soon the callFrameRegister will be the actual
        frame pointer and not some other register, and LLVM will not pass the frame pointer
        as an argument to IC's.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutTransitionStub):

2013-11-06  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream Letterpress effect
        https://bugs.webkit.org/show_bug.cgi?id=123932

        Reviewed by Sam Weinig.

        Add feature define ENABLE_LETTERPRESS disabled by default. We only enable
        letterpress on iOS.

        * Configurations/FeatureDefines.xcconfig:

2013-11-05  Oliver Hunt  <oliver@apple.com>

        Support iteration of the Arguments object
        https://bugs.webkit.org/show_bug.cgi?id=123835

        Reviewed by Mark Lam.

        Add an ArgumentsIterator object, and associated classes so that we can support
        iteration of the arguments object.

        This is a largely mechanical patch.  The only gnarliness is in the
        logic to avoid reifying the Arguments object in for(... of arguments)
        scenarios.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::argumentsFuncIterator):
        * runtime/Arguments.h:
        * runtime/ArgumentsIteratorConstructor.cpp: Added.
        (JSC::ArgumentsIteratorConstructor::finishCreation):
        * runtime/ArgumentsIteratorConstructor.h: Added.
        (JSC::ArgumentsIteratorConstructor::create):
        (JSC::ArgumentsIteratorConstructor::createStructure):
        (JSC::ArgumentsIteratorConstructor::ArgumentsIteratorConstructor):
        * runtime/ArgumentsIteratorPrototype.cpp: Added.
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        (JSC::argumentsIteratorPrototypeFuncIterator):
        (JSC::argumentsIteratorPrototypeFuncNext):
        * runtime/ArgumentsIteratorPrototype.h: Added.
        (JSC::ArgumentsIteratorPrototype::create):
        (JSC::ArgumentsIteratorPrototype::createStructure):
        (JSC::ArgumentsIteratorPrototype::ArgumentsIteratorPrototype):
        * runtime/CommonIdentifiers.h:
        * runtime/JSArgumentsIterator.cpp: Added.
        (JSC::JSArgumentsIterator::finishCreation):
        * runtime/JSArgumentsIterator.h: Added.
        (JSC::JSArgumentsIterator::createStructure):
        (JSC::JSArgumentsIterator::create):
        (JSC::JSArgumentsIterator::next):
        (JSC::JSArgumentsIterator::JSArgumentsIterator):
        * runtime/JSArrayIterator.cpp:
        (JSC::createIteratorResult):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:

2013-11-06  Filip Pizlo  <fpizlo@apple.com>

        DFG CheckArray(NonArray) should prove that the child isn't an array
        https://bugs.webkit.org/show_bug.cgi?id=123911
        <rdar://problem/15202803>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::isArrayType):

2013-11-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Needed another linked-on-or-after check for when we're deciding whether
        we should copy over init family methods.

        Factored out the link time checks into a separate function so that they can be cached.

        Factored out the check for init-family method selectors into helper function and changed it to
        match the description in the clang docs, namely that there can be underscores at the beginning
        and the first letter after 'init' part of the selector (if there is one) must be a capital letter.

        Updated tests to make sure we don't treat "initialize" as an init-family method and that we do
        treat "_init" as an init-family method.

        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (isInitFamilyMethod):
        (shouldSkipMethodWithName):
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (supportsInitMethodConstructors):
        * API/tests/testapi.mm:
        (-[ClassA initialize]):
        (-[ClassD initialize]):

2013-11-06  Michael Saboff  <msaboff@apple.com>

        Change ctiTrampoline into a thunk
        https://bugs.webkit.org/show_bug.cgi?id=123844

        Reviewed by Filip Pizlo.

        Converted ctiTrampoline and ctiOpThrowNotCaught into thunks named callToJavaScript
        and returnFromJavaScript.  Cleaned up and in some cases removed JITStubsXXX.h files
        after removing ctiTrampoline and ctiOpThrowNotCaught.  Added callJavaScriptJITFunction
        to VM that is a function pointer to the callToJavaScript thunk.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h: Removed.
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h: Removed.
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h: Removed.
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/JSInterfaceJIT.h:
        * jit/ThunkGenerators.cpp:
        (JSC::returnFromJavaScript):
        (JSC::callToJavaScript):
        * jit/ThunkGenerators.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support StringCharCodeAt
        https://bugs.webkit.org/show_bug.cgi?id=123854

        Reviewed by Sam Weinig.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewObject
        https://bugs.webkit.org/show_bug.cgi?id=123849

        Reviewed by Oliver Hunt.

        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNewObject):
        (JSC::FTL::LowerDFGToLLVM::allocate):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support StringCharAt
        https://bugs.webkit.org/show_bug.cgi?id=123855

        Reviewed by Oliver Hunt.
        
        This is just like GetByVal for String, so we reuse that code.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        Remove old unused code for hypothetical LLVM intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=123824

        Reviewed by Oliver Hunt.

        * ftl/FTLIntrinsicRepository.h:

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support String character access operations
        https://bugs.webkit.org/show_bug.cgi?id=123783

        Reviewed by Oliver Hunt.
        
        Implements:
        
        - string.length
        
        - string[index]

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):

2013-11-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        ObjCCallbackFunctionImpl's NSInvocation shouldn't retain its target or arguments
        https://bugs.webkit.org/show_bug.cgi?id=123822

        Reviewed by Geoffrey Garen.

        Using -retainArguments on ObjCCallbackFunctionImpl's NSInvocation leads to memory leaks.
        We should handle retaining/releasing the target ourselves, and we should never retain the arguments.

        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunctionImpl::name):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForMethod):
        (objCCallbackFunctionForBlock):

2013-11-05  Julien Brianceau  <jbriance@cisco.com>

        Fix build for architectures with 4 argument registers (broken since r158681).
        https://bugs.webkit.org/show_bug.cgi?id=123826

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        (JSC::CCallHelpers::setupArguments):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        Fix register allocation inside control flow in GetByVal String
        https://bugs.webkit.org/show_bug.cgi?id=123816

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        Remove FTL::LowerDFGToLLVM::compileJSConstant()
        https://bugs.webkit.org/show_bug.cgi?id=123817

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        FTL should support PutById
        https://bugs.webkit.org/show_bug.cgi?id=123784

        Reviewed by Geoffrey Garen.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildCall):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateICFastPath):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheDescriptor.h:
        (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
        (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
        (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
        (JSC::FTL::PutByIdDescriptor::ecmaMode):
        (JSC::FTL::PutByIdDescriptor::putKind):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::call):
        * ftl/FTLSlowPathCall.cpp:
        (JSC::FTL::callOperation):
        * ftl/FTLSlowPathCall.h:
        * ftl/FTLState.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ecmaMode):

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        GetById->GetByOffset and PutById->PutByOffset folding should mark haveStructures since it may result in structure transition watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123788

        Reviewed by Geoffrey Garen.
        
        haveStructures is true if there are any currentlyKnownStructures that have
        interesting values, since that's the only time when clobbering needs to do things.
        It's a really important compile-time optimization. But that also means that anytime
        we might cause currentlyKnownStructures to get set - like when we might insert some
        structure transition watchpoints - we need to set haveStructures. We were forgetting
        to do that for GetById->GetByOffset and PutById->PutByOffset because, I guess, we
        forgot that those might insert structure transition watchpoints.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-11-05  Julien Brianceau  <jbriance@cisco.com>

        [mips] Make regTx registers match between JSInterfaceJIT and GPRInfo.
        https://bugs.webkit.org/show_bug.cgi?id=123807

        Reviewed by Mark Lam.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):
        * jit/JSInterfaceJIT.h:

2013-11-05  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r158315): Fix register mixup in JIT::compileOpCall.
        https://bugs.webkit.org/show_bug.cgi?id=123799

        Reviewed by Mark Lam.

        Changeset r158315 is crashing architectures where JSInterfaceJIT::regT3 is
        different from GPRInfo::regT3. This is the case for MIPS architecture.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2013-11-05  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix build for MIPS platforms.
        https://bugs.webkit.org/show_bug.cgi?id=123796

        Reviewed by Michael Saboff.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode): Add specific MIPS call to relocateJumps.
        * assembler/MIPSAssembler.h: Remove executableCopy (because of r157690) and set relocateJumps function public.
        (JSC::MIPSAssembler::firstRegister):
        (JSC::MIPSAssembler::lastRegister):
        (JSC::MIPSAssembler::firstFPRegister):
        (JSC::MIPSAssembler::lastFPRegister):
        (JSC::MIPSAssembler::buffer): Needed since r157690.
        * assembler/MacroAssemblerMIPS.h: Add framePointerRegister.
        (JSC::MacroAssemblerMIPS::revertJumpReplacementToPatchableBranchPtrWithPatch): Remove unused parameter warning.

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        internal-js-tests.yaml/Octane/stress-tests/pdfjs.js.default: ASSERTION FAILED: m_state.forNode(child).m_futurePossibleStructure.isSubsetOf(StructureSet(structure)) at DFGConstantFoldingPhase.cpp:249
        https://bugs.webkit.org/show_bug.cgi?id=123778

        Unreviewed, remove the other such assertion.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-11-04  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r158586): plugins/refcount-leaks.html fails
        https://bugs.webkit.org/show_bug.cgi?id=123765

        We were leaving a hole of one slot above a new frame when pushing the new frame on
        the stack with pushFrame().  This unused slot can contain residual values that will
        be marked during GC.

        Reviewed by Filip Pizlo.

        * interpreter/JSStackInlines.h:
        (JSC::JSStack::pushFrame):

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        internal-js-tests.yaml/Octane/stress-tests/pdfjs.js.default: ASSERTION FAILED: m_state.forNode(child).m_futurePossibleStructure.isSubsetOf(StructureSet(structure)) at DFGConstantFoldingPhase.cpp:249
        https://bugs.webkit.org/show_bug.cgi?id=123778

        Reviewed by Geoffrey Garen.
        
        This assertion was just wrong: ee do an execute() above the assertion. The assertion
        is asserting that if we need a watchpoint (i.e. the best proven structure was not the
        current structure) then it must be the future possible structure.  But while that may
        have been true before execute(), it won't be true after if the PutById was a
        transition. Of course, this can only happen in the concurrent JIT in which case the
        code would be invalidated anyway since we would only transform the code in a way that
        leveraged the lack of a transition if we inserted a watchpoint, in which case we
        would realize that the watchpoint had been fired during compilation.
        
        Since this requires concurrent JIT awesomeness, I don't know how to test it.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        DFG CheckArray(String) should just be a Phantom(String:)
        https://bugs.webkit.org/show_bug.cgi?id=123779

        Reviewed by Geoffrey Garen.
        
        This should be a speed-up since Phantom(String:) is smart enough to use the string
        structure. It should also be a simplification since CheckArray(String) was totally
        redundant.
        
        Also FixupPhase was assuming that it may see CheckArray's. That's wrong. It can
        create CheckArray's but it won't see them as input since no previous phase can
        create them.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):

2013-11-04  Filip Pizlo  <fpizlo@apple.com>

        DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing
        https://bugs.webkit.org/show_bug.cgi?id=123760
        <rdar://problem/15356705>

        Reviewed by Mark Hahnenberg and Oliver Hunt.

        * dfg/DFGOperations.cpp:

2013-11-04  Michael Saboff  <msaboff@apple.com>

        Eliminate HostCall bit from JSC Stack CallerFrame
        https://bugs.webkit.org/show_bug.cgi?id=123642

        Reviewed by Geoffrey Garen.

        Replace the HostCallFrame bit or'ed to the CallerFrame value in a CallFrame with
        a VM entry sentinel CallFrame.  Logically, the VM entry sentinel call frame is
        pushed on the stack before the callee frame when calling from native to JavaScript
        code.  The callee frame's CallerFrame points at the VM entry sentinel call frame
        and the VM entry sentinel call frame's CallerFrame points to the real caller.
        The VM entry sentinel call frame has a sentinel (1) in the CodeBlock to indicate
        its a VM entry sentinel call frame.  It's ScopeChain has vm.topCallFrame at the
        time of the call.  This allows for a complete stack walk as well as walking just
        the contiguous JS frames.

        The VM entry sentinel call frame and callee frame are currently allocated and
        initialized in ExecState::init(), but this initialization will be moved to
        ctiTrampoline when we actually move onto the native stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::noticeIncomingCall):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::callerFrame):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * interpreter/CallFrame.h:
        (JSC::ExecState::frameExtent):
        (JSC::ExecState::currentVPC):
        (JSC::ExecState::setCurrentVPC):
        (JSC::ExecState::init):
        (JSC::ExecState::noCaller):
        (JSC::ExecState::isVMEntrySentinel):
        (JSC::ExecState::vmEntrySentinelCallerFrame):
        (JSC::ExecState::initializeVMEntrySentinelFrame):
        (JSC::ExecState::callerFrameSkippingVMEntrySentinel):
        (JSC::ExecState::vmEntrySentinelCodeBlock):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::~JSStack):
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::getStartOfFrame):
        (JSC::JSStack::pushFrame):
        (JSC::JSStack::popFrame):
        * interpreter/Register.h:
        (JSC::Register::operator=):
        (JSC::Register::callFrame):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::readInlinedFrame):
        (JSC::StackVisitor::Frame::print):
        * interpreter/VMInspector.cpp:
        (JSC::VMInspector::countFrames):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITOperations.cpp:
        * jit/JITStubsARM.h:
        (JSC::ctiTrampoline):
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        (JSC::ctiTrampoline):
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jsc.cpp:
        (functionDumpCallFrame):
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::throwException):

2013-11-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArrayBufferViews of length 0 allocate 0 CopiedSpace bytes, which is invalid
        https://bugs.webkit.org/show_bug.cgi?id=123746

        Reviewed by Geoffrey Garen.

        This patch disallows clients from allocating 0 bytes in CopiedSpace. We enforce this invariant 
        with an ASSERT in C++ code and a breakpoint in JIT code. Clients who care about 0-byte 
        allocations (like JSArrayBufferViews) must handle that case themselves, but we don't punish 
        anybody else for the rare case that somebody decides to allocate a 0-length typed array. 
        It also makes the allocation and copying cases consistent for CopiedSpace: no 0-byte allocations, 
        no 0-byte copying.
 
        Also added a check so that JSArrayBufferViews don't try to copy their m_vector backing store when 
        their length is 0. Also sprinkled several ASSERTs throughout the JSArrayBufferView code to make sure that 
        when length is 0 m_vector is null.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::tryAllocate):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::create):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::visitChildren):
        (JSC::::copyBackingStore):
        (JSC::::slowDownAndWasteMemory):

2013-11-04  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Refactor jumps in baseline JIT to return label after the jump.
        https://bugs.webkit.org/show_bug.cgi?id=123734

        Reviewed by Michael Saboff.

        Current implementation of jumps in sh4 baseline JIT returns a label on the jump itself
        and not after it. This is not correct and leads to issues like infinite loop the DFG
        (https://bugs.webkit.org/show_bug.cgi?id=122597 for instance). This refactor fixes this
        and also simplifies the link and relink procedures for sh4 jumps.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchDouble):
        (JSC::MacroAssemblerSH4::branchTrue):
        (JSC::MacroAssemblerSH4::branchFalse):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::jmp):
        (JSC::SH4Assembler::extraInstrForBranch):
        (JSC::SH4Assembler::jne):
        (JSC::SH4Assembler::je):
        (JSC::SH4Assembler::bra):
        (JSC::SH4Assembler::linkJump):
        (JSC::SH4Assembler::relinkJump):

2013-11-03  Filip Pizlo  <fpizlo@apple.com>

        Generated color wheel displays incorrectly (regressed in r155567)
        https://bugs.webkit.org/show_bug.cgi?id=123664

        Reviewed by Andreas Kling.

        Interestingly, r155567 just "un-broke" the attempt to constant-fold ArithMod, but
        that constant folding was just wrong to begin with. There is no evidence that this
        constant folding rule is profitable. I'm removing it instead of trying to think
        about what it means for it to be correct.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-11-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, it is no longer necessary to call DisablePrettyStackTrace.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2013-11-02  Mark Lam  <mark.lam@apple.com>

        Assertion failure in non-JIT'ed LLInt on ARM Thumb.
        https://bugs.webkit.org/show_bug.cgi?id=97569.

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerCodeRef.h:
        - Thumb2 alignment assertions do not apply to the C Loop LLINT because
          the arguments passed to those assertions are actually OpcodeIDs
          masquerading as addresses.
        * llint/LLIntOfflineAsmConfig.h:
        - Some of the #defines belong in the !ENABLE(LLINT_C_LOOP) section.
          Moving them there.
        * llint/LowLevelInterpreter.cpp:
        - Keep the compiler happy from some unreferenced C Loop labels.

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        FTL should use LLVM intrinsics for OSR exit, watchpoints, inline caches, and stack layout
        https://bugs.webkit.org/show_bug.cgi?id=122318

        Reviewed by Geoffrey Garen.
        
        This all now works. This patch just updates our implementation to work with LLVM trunk,
        and removes all of the old code that tried to do OSR exits and heap accesses without
        the benefit of those intrinsics.
        
        In particular:
        
        - StackMaps parsing now uses the new, less compact, but more future-proof, format.
        
        - Remove the ftlUsesStackmaps() option and hard-code ftlUsesStackmaps = true. Remove
          all code for ftlUsesStackmaps = false, since that was only there for back when we
          didn't have the intrinsics.
        
        - Remove the other experimental OSR options (useLLVMOSRExitIntrinsic,
          ftlTrapsOnOSRExit, and FTLOSRExitOmitsMarshalling).
        
        - Remove LowerDFGToLLVM's use of the ExitThunkGenerator since we don't need to generate
          the exit thunks until after we parse the stackmaps.
        
        - Remove all of the exit thunk and compiler code for the no-stackmaps case.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::parse):
        (WTF::printInternal):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::Thunks::getOSRExitGenerationThunk):
        * runtime/Options.h:

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Add missing getHostCallReturnValue() for MSVC ARM
        https://bugs.webkit.org/show_bug.cgi?id=123685

        Reviewed by Darin Adler.

        * jit/JITStubsARM.h:

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC warning about unary minus operator
        https://bugs.webkit.org/show_bug.cgi?id=123674

        Reviewed by Darin Adler.

        Change some static_cast<> to silence the following warning of Microsoft compiler:
        warning C4146: unary minus operator applied to unsigned type, result still unsigned

        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        Disable LLVM's pretty stack traces, which involve intercepting fatal signals
        https://bugs.webkit.org/show_bug.cgi?id=123681

        Reviewed by Geoffrey Garen.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM assertion failures should funnel into WTF's crash handling
        https://bugs.webkit.org/show_bug.cgi?id=123682

        Reviewed by Geoffrey Garen.
        
        Inside llvmForJSC, we override assertion-related functions and funnel them
        into g_llvmTrapCallback(). We also now register a fatal error handler inside
        the library and funnel that into g_llvmTrapCallback, and have
        initializeAndGetJSCLLVMAPI() take such a callback as an argument.
        
        Inside JSC, we no longer call LLVMInstallFatalErrorHandler() but instead we
        pass WTFLogAlwaysAndCrash() as the trap callback for llvmForJSC.

        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVM):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):
        * llvm/library/LLVMExports.cpp:
        (llvmCrash):
        (initializeAndGetJSCLLVMAPI):
        * llvm/library/LLVMOverrides.cpp:
        (raise):
        (__assert_rtn):
        (abort):
        * llvm/library/LLVMTrapCallback.h: Added.

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::jettison() shouldn't call baselineVersion()
        https://bugs.webkit.org/show_bug.cgi?id=123675

        Reviewed by Geoffrey Garen.
        
        Fix more uses of baselineVersion().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
        https://bugs.webkit.org/show_bug.cgi?id=123535

        Reviewed by Geoffrey Garen.
        
        Use double comparisons for doubles.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Various small WinCE build fixes

        * jsc.cpp:
        (main):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC ARM build after r157581.

        * jit/JITStubsARM.h:

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use a simple optimization pipeline by default
        https://bugs.webkit.org/show_bug.cgi?id=123638

        Reviewed by Geoffrey Garen.
        
        20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:

2013-11-01  Andreas Kling  <akling@apple.com>

        Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
        <https://webkit.org/b/123639>

        JSC::ParserArenaRefCounted really needed to have the new/delete
        operators overridden, in order for JSC::ScopeNode to be able to
        choose that "operator new" out of the two it inherits.

        Reviewed by Anders Carlsson.

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        OSR exit profiling should be robust against all code being cleared
        https://bugs.webkit.org/show_bug.cgi?id=123629
        <rdar://problem/15365476>

        Reviewed by Michael Saboff.
        
        The problem here is two-fold:

        1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
        have cleared the CodeBlock for all or some Executables.  This means that doing
        codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
        there wasn't a baseline code block reachable from the Executable anymore.  The
        solution is that we shouldn't be asking for the baseline code block reachable from
        the owning executable (what baselineVersion did), but instead we should be asking
        for the baseline version reachable from the code block being watchpointed (basically
        what CodeBlock::alternative() did).

        2) If dealing with inlined code, baselienCodeBlockForOriginAndBaselineCodeBlock()
        may return null, for the same reason as above - we might have cleared the baseline
        codeblock for the executable that was inlined.  The solution is to just not do
        profiling if there isn't a baseline code block anymore.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):

2013-10-31  Oliver Hunt  <oliver@apple.com>

        JavaScript parser bug
        https://bugs.webkit.org/show_bug.cgi?id=123506

        Reviewed by Mark Lam.

        Add ParserState as an abstraction and use that to save and restore
        the parser state around nested functions (We'll need to use this in
        more places in future).  Also fix a minor error typo this testcases
        hit.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::saveState):
        (JSC::Parser::restoreState):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL Int32ToDouble should handle the forward type check case where you need a recovery
        https://bugs.webkit.org/show_bug.cgi?id=123605

        Reviewed by Mark Hahnenberg.
        
        If you have a Int32ToDouble that needs to do a type check and it's required to do a
        forward exit, then it needs to manually pass in a value recovery for itself in the
        OSR exit - since this is one of those forward-exiting nodes that doesn't have a
        preceding MovHint.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL should implement InvalidationPoint in terms of llvm.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=113647

        Reviewed by Mark Hahnenberg.
        
        This is pretty straightforward now that InvalidationPoint has exactly the semantics
        that agree with llvm.stackmap.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

2013-10-30  Oliver Hunt  <oliver@apple.com>

        Implement basic ES6 Math functions
        https://bugs.webkit.org/show_bug.cgi?id=123536

        Reviewed by Michael Saboff.

        Fairly trivial patch to implement the core ES6 Math functions.

        This doesn't implement Math.hypot as it is not a trivial function.
        I've also skipped Math.sign as I am yet to be convinced the spec
        behaviour is good.  Everything else is trivial.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncACosh):
        (JSC::mathProtoFuncASinh):
        (JSC::mathProtoFuncATanh):
        (JSC::mathProtoFuncCbrt):
        (JSC::mathProtoFuncCosh):
        (JSC::mathProtoFuncExpm1):
        (JSC::mathProtoFuncFround):
        (JSC::mathProtoFuncLog1p):
        (JSC::mathProtoFuncLog10):
        (JSC::mathProtoFuncLog2):
        (JSC::mathProtoFuncSinh):
        (JSC::mathProtoFuncTanh):
        (JSC::mathProtoFuncTrunc):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
        https://bugs.webkit.org/show_bug.cgi?id=123591

        Reviewed by Mark Hahnenberg.
        
        This gets us to pass more tests with ftlUsesStackmaps.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):

2013-10-31  Alexey Proskuryakov  <ap@apple.com>

        Enable WebCrypto on Mac
        https://bugs.webkit.org/show_bug.cgi?id=123587

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig: Do it.

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, really remove CachedTranscendentalFunction.h.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CachedTranscendentalFunction because caching math functions is an ugly idea
        https://bugs.webkit.org/show_bug.cgi?id=123574

        Reviewed by Mark Hahnenberg.
        
        This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
        we gain the "overhead" of actually computing sin and cos but we lose the overhead of
        going through the native call thunks.
        
        Caching transcendental functions is a really ugly idea. It works for SunSpider because
        that benchmark makes very predictable calls into Math.sin. But I don't believe that this
        is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
        that this was doing was adding more call overhead and some hashing overhead.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:
        * runtime/CachedTranscendentalFunction.h: Removed.
        * runtime/DateInstanceCache.h:
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncSin):
        * runtime/VM.h:

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
        https://bugs.webkit.org/show_bug.cgi?id=123551
        <rdar://problem/15356238>

        Reviewed by Mark Hahnenberg.
        
        WatchpointSets have always had this "fire everything on deletion" policy because it
        seemed like a good fail-safe at the time I first implemented WatchpointSets. But
        it's actually causing bugs rather than providing safety:
        
        - Everyone who registers Watchpoints with WatchpointSets have separate mechanisms
          for either keeping the WatchpointSets alive or noticing when they are collected.
          So this wasn't actually providing any safety.
          
          One example of this is Structures, where:
          
          - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
            register weak references to the Structure, and the GC will jettison a CodeBlock
            if the Structure(s) it cares about dies.
          
          - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
            also be cleared by GC if the Structures die.
        
        - The WatchpointSet destructor would get invoked from finalization/destruction.
          This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
          method requires doing things that access heap objects. This would usually cause
          problems on VM destruction, since then the CodeBlocks would still be alive but the
          whole heap would be destroyed.
        
        This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
        that method doesn't really allocate objects, and it is likely necessary because
        jettison() may be called from deep in the stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::~WatchpointSet):
        * bytecode/Watchpoint.h:

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Unreviewed, fix C Loop LLINT build.

        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):

2013-10-30  Alexey Proskuryakov  <ap@apple.com>

        Add a way to fulfill promises from DOM code
        https://bugs.webkit.org/show_bug.cgi?id=123466

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
        private headers for WebCore to use.

        * runtime/JSPromise.h:
        * runtime/JSPromiseResolver.h:
        Export functions that JSDOMPromise will use.

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI .
        https://bugs.webkit.org/show_bug.cgi?id=123444.

        Reviewed by Geoffrey Garen.

        - Introduced an explicit CallerFrameAndPC struct.
        - A CallFrame is expected to start with a CallerFrameAndPC struct. 
        - The Register class no longer supports CallFrame* and Instruction*.

          These hides the differences between JSVALUE32_64 and JSVALUE64 in
          terms of managing the callerFrame() and returnPC() values.

        - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
          go through CallFrame to access the appropriate values and offsets.
          CallFrame, in turn, will access the callerFrame and returnPC via
          the CallerFrameAndPC struct.

        - InlineCallFrame will provide offsets for its callerFrame and
          returnPC. It will make use of CallFrame::callerFrameOffset() and
          CallerFrame::returnPCOffset() to compute these.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::callerFrameOffset):
        (JSC::InlineCallFrame::returnPCOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
        - Prefixed all the above with callee since they apply to the callee frame.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
        - Added to set the callerFrame pointer in the callee frame.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        - Convert to using storePtr() here and simplify the code.
        (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
        (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
        - Helpers to emit gets/puts of the callerFrame and returnPC.
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        * jit/JITOperations.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::nativeForGenerator):

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        - Updated offsets and asserts to match the new CallFrame layout.

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.
        
        This makes a fundamental change to how watchpoints work in the DFG.
        
        Previously, a watchpoint was an instruction whose execution semantics were something
        like:
        
            if (watchpoint->invalidated)
                exit
        
        We would implement this without any branch by using jump replacement.
        
        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.
        
        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.
        
        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).
        
        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.
        
        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::AbstractHeapOverlaps::result):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidate):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
        (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGInvalidationPointInjectionPhase.h: Added.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJumpReplacement.cpp: Added.
        (JSC::DFG::JumpReplacement::fire):
        * dfg/DFGJumpReplacement.h: Added.
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp: Added.
        (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
        (JSC::DFG::WatchpointCollectionPhase::run):
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        (JSC::DFG::performWatchpointCollection):
        * dfg/DFGWatchpointCollectionPhase.h: Added.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JITOperations.cpp:
        * jit/JumpReplacementWatchpoint.cpp: Removed.
        * jit/JumpReplacementWatchpoint.h: Removed.

2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to 
        Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class 
        are met with a type error stating that it cannot be called as a constructor.

        It would be nice to expand JSExport's functionality to support this idiom. It is a natural 
        extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and 
        JavaScript client code.

        The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes. 
        Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown 
        ObjCCallbackFunction object which can already properly handle being invoked as a constructor.

        * API/JSWrapperMap.mm:
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
        (JSC::ObjCCallbackFunctionImpl::isConstructible):
        (JSC::ObjCCallbackFunction::getConstructData):
        (JSC::ObjCCallbackFunctionImpl::name):
        (JSC::ObjCCallbackFunctionImpl::call):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForInit):
        (tryUnwrapConstructor):
        * API/tests/testapi.mm:
        (-[TextXYZ initWithString:]):
        (-[ClassA initWithA:]):
        (-[ClassB initWithA:b:]):
        (-[ClassC initWithA:]):
        (-[ClassC initWithA:b:]):

2013-10-30  peavo@outlook.com  <peavo@outlook.com>

        [Win] Compile errors when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=120998

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * dfg/DFGAllocator.h: Removed scope.
        * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
        (JSC::DFG::globalWorklist):
        * heap/DeferGC.h: Link fix, member needs to be public.
        * jit/JITOperationWrappers.h: Added required assembler macros.

2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>

        Add result caching for Math.cos
        https://bugs.webkit.org/show_bug.cgi?id=123255

        Reviewed by Brent Fulgham.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncCos):
        * runtime/VM.h:

2013-10-30  Alex Christensen  <achristensen@webkit.org>

        Disabled JIT on Win64.
        https://bugs.webkit.org/show_bug.cgi?id=122472

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Disabled building JITStubsMSVC64.

2013-10-29  Michael Saboff  <msaboff@apple.com>

        Change local variable register allocation to start at offset -1
        https://bugs.webkit.org/show_bug.cgi?id=123182

        Reviewed by Geoffrey Garen.

        Adjusted the virtual register mapping down by one slot.  Reduced
        the CallFrame header slots offsets by one.  They now start at 0.
        Changed arity fixup to no longer skip passed register slot 0 as this
        is now part of the CallFrame header.

        * bytecode/VirtualRegister.h:
        (JSC::operandIsLocal):
        (JSC::operandIsArgument):
        (JSC::VirtualRegister::localToOperand):
        (JSC::VirtualRegister::operandToLocal):
          Adjusted functions for shift in mapping from local to register offset.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * interpreter/CallFrame.h:
        (JSC::ExecState::frameExtent):
        (JSC::ExecState::offsetFor):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::executeCall):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
          Adjusted math to accomodate for shift in call frame slots.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::frameExtentInternal):
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::pushFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_slow_path_stack_check):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
          Fixed offset calculation to use VirtualRegister and related calculation instead of
          doing seperate calculations.

        * interpreter/JSStack.h:
          Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
          in the process of testing the fixes.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
          Changed arity fixup to no longer skip passed register slot 0 as this
          is now part of the CallFrame header.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
          Changed arity fixup to no longer skip passed register slot 0 as this
          is now part of the CallFrame header.  Updated op_enter processing for
          the change in local registers.

        * runtime/JSGlobalObject.h:
          Removed the now unneeded extra slot in the global callframe

2013-10-29  Julien Brianceau  <jbriance@cisco.com>

        [arm] Fix lots of crashes because of 4th argument register trampling.
        https://bugs.webkit.org/show_bug.cgi?id=123421

        Reviewed by Michael Saboff.

        r3 register is the 4th argument register for ARM and also a scratch
        register in the baseline JIT for this architecture. We can use r6
        instead, as this used to be the timeoutCheckRegister and it is no
        longer used since r148119.

        * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
        * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
        * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/JITStubsARM.h:
        (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
        * jit/JITStubsARMv7.h:
        (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
        * jit/JSInterfaceJIT.h: Remove useless stuff.
        * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
        (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
        (JSC::Yarr::YarrGenerator::generateReturn):

2013-10-29  Julien Brianceau  <jbriance@cisco.com>

        Fix CPU(ARM_TRADITIONAL) build after r157690.
        https://bugs.webkit.org/show_bug.cgi?id=123247

        Reviewed by Michael Saboff.

        Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
        and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
        As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
        this part of code still needs to be called and absolute jumps must be corrected to anticipate
        the copy of the executable code through memcpy.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
        and correct absolute jump values using the delta between the source and destination buffers.
        * assembler/ARMAssembler.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.

2013-10-28  Filip Pizlo  <fpizlo@apple.com>

        OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
        https://bugs.webkit.org/show_bug.cgi?id=123423

        Reviewed by Mark Hahnenberg.
        
        Also enable ExitKind to tell you if it's a watchpoint.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        (JSC::isWatchpoint):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendExitInfo):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>

        Parsing support for -webkit-text-decoration-skip: ink
        https://bugs.webkit.org/show_bug.cgi?id=123358

        Reviewed by Dean Jackson.

        Adding ENABLE(CSS3_TEXT_DECORATION)

        * Configurations/FeatureDefines.xcconfig:

2013-10-24  Filip Pizlo  <fpizlo@apple.com>

        Get rid of InlineStart so that I don't have to implement it in FTL
        https://bugs.webkit.org/show_bug.cgi?id=123302

        Reviewed by Geoffrey Garen.
        
        InlineStart was a special instruction that we would insert at the top of inlined code,
        so that the backend could capture the OSR state of arguments to an inlined call. It used
        to be that only the backend had this information, so this instruction was sort of an ugly
        callback from the backend for filling in some data structures.
        
        But in the time since when that code was written (two years ago?), we rationalized how
        variables work. It's now the case that variables that the runtime must know about are
        treated specially in IR (they are "flushed") and we know how we will represent them even
        before we get to the backend. The last place that makes changes to their representation
        is the StackLayoutPhase.
        
        So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
        instruction had. Instead of handling the bookkeeping in the backend, we handle it in
        StackLayoutPhase. This means that the DFG and FTL can share code for handling this
        bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
        
        Of course, giving the FTL the ability to handle code blocks that had inlining means that
        we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
        frames. This patch also fixes that.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):

2013-10-24  Filip Pizlo  <fpizlo@apple.com>

        The GetById->GetByOffset AI-based optimization should actually do things
        https://bugs.webkit.org/show_bug.cgi?id=123299

        Reviewed by Oliver Hunt.
        
        20% speed-up on Octane/gbemu.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.

2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files to compilation.

2013-10-25  Oliver Hunt  <oliver@apple.com>

        Refactor parser rollback logic
        https://bugs.webkit.org/show_bug.cgi?id=123372

        Reviewed by Brady Eidson.

        Add a sane abstraction for rollbacks in the parser.

        * parser/Parser.cpp:
        (JSC::::parseSourceElements):
        (JSC::::parseObjectLiteral):
        * parser/Parser.h:
        (JSC::Parser::createSavePoint):
        (JSC::Parser::restoreSavePoint):

2013-10-25  peavo@outlook.com  <peavo@outlook.com>

        [Win] Javascript crash with DFG JIT enabled.
        https://bugs.webkit.org/show_bug.cgi?id=121001

        Reviewed by Geoffrey Garen.

        On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.
  
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.

2013-10-25  Oliver Hunt  <oliver@apple.com>

        Fix a number of problems with destructuring of arguments
        https://bugs.webkit.org/show_bug.cgi?id=123357

        Reviewed by Filip Pizlo.

        This renames the destructuring node's emitBytecode to bindValue
        in order to remove the existing confusion over what was happening.

        We then fix an incorrect fall through in the destructuring arguments
        logic, and fix the then exposed bug where we placed the index rather
        than value into the bound property.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::DeconstructingAssignmentNode::emitBytecode):
        (JSC::ArrayPatternNode::bindValue):
        (JSC::ArrayPatternNode::emitDirectBinding):
        (JSC::ObjectPatternNode::bindValue):
        (JSC::BindingNode::bindValue):
        * parser/Nodes.h:

2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>

        Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
        https://bugs.webkit.org/show_bug.cgi?id=123111

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2013-10-25  Oliver Hunt  <oliver@apple.com>

        Fix MSVC again

        * parser/Parser.cpp:

2013-10-25  Oliver Hunt  <oliver@apple.com>

        Fix MSVC

        * parser/Parser.cpp:

2013-10-25  Oliver Hunt  <oliver@apple.com>

        Improve JSC Parser error messages
        https://bugs.webkit.org/show_bug.cgi?id=123341

        Reviewed by Andreas Kling.

        This patch moves away from the current cludgy mechanisms used to produce
        error messages and moves to something closer to case by case errors.

        This results in a large change size as previously we may just have
        'failIfFalse(foo)', but now the logic becomes either
        'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
        Or alternatively

        if (!foo)
            check for 'interesting' errors, before falling back to generic error

        This means that this patch is large, but produces no semantic changes, and
        only hits slow (e.g. error) paths.

        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseSourceElements):
        (JSC::::parseVarDeclaration):
        (JSC::::parseConstDeclaration):
        (JSC::::parseDoWhileStatement):
        (JSC::::parseWhileStatement):
        (JSC::::parseVarDeclarationList):
        (JSC::::createBindingPattern):
        (JSC::::parseDeconstructionPattern):
        (JSC::::parseConstDeclarationList):
        (JSC::::parseForStatement):
        (JSC::::parseBreakStatement):
        (JSC::::parseContinueStatement):
        (JSC::::parseReturnStatement):
        (JSC::::parseThrowStatement):
        (JSC::::parseWithStatement):
        (JSC::::parseSwitchStatement):
        (JSC::::parseSwitchClauses):
        (JSC::::parseSwitchDefaultClause):
        (JSC::::parseTryStatement):
        (JSC::::parseDebuggerStatement):
        (JSC::::parseBlockStatement):
        (JSC::::parseStatement):
        (JSC::::parseFormalParameters):
        (JSC::::parseFunctionBody):
        (JSC::stringForFunctionMode):
        (JSC::::parseFunctionInfo):
        (JSC::::parseFunctionDeclaration):
        (JSC::::parseExpressionOrLabelStatement):
        (JSC::::parseExpressionStatement):
        (JSC::::parseIfStatement):
        (JSC::::parseExpression):
        (JSC::::parseAssignmentExpression):
        (JSC::::parseConditionalExpression):
        (JSC::::parseBinaryExpression):
        (JSC::::parseProperty):
        (JSC::::parseObjectLiteral):
        (JSC::::parseStrictObjectLiteral):
        (JSC::::parseArrayLiteral):
        (JSC::::parsePrimaryExpression):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        (JSC::operatorString):
        (JSC::::parseUnaryExpression):
        (JSC::::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::Scope::hasDeclaredVariable):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Parser::hasDeclaredVariable):
        (JSC::Parser::hasDeclaredParameter):
        (JSC::Parser::setErrorMessage):

2013-10-24  Mark Rowe  <mrowe@apple.com>

        Remove references to OS X 10.7 from Xcode configuration settings.

        Now that we're not building for OS X 10.7 they're no longer needed.

        Reviewed by Anders Carlsson.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

2013-10-24  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/15312643> Prepare for the mysterious future.

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

2013-10-24  Mark Lam  <mark.lam@apple.com>

        Better way to fix part of broken C Loop LLINT build.
        https://bugs.webkit.org/show_bug.cgi?id=123271.

        Reviewed by Geoffrey Garen.

        Undoing offline asm hackery.

        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:

2013-10-24  Mark Lam  <mark.lam@apple.com>

        Fix broken C Loop LLINT build.
        https://bugs.webkit.org/show_bug.cgi?id=123271.

        Reviewed by Michael Saboff.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
        (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
        * bytecode/StructureStubInfo.h:
        - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
          in function prototypes even when !ENABLE(JIT). Rather that adding #if's
          in many places, we just provide a stub/placeholder implementation that
          is unused but keeps the compiler happy.
        * jit/JITOperations.h: Added #if ENABLE(JIT).
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - The putByVal() macro reifies a slow path which is never taken in one case.
          This translates into a label that is never used in the C Loop LLINT. The
          C++ compiler doesn't like unused labels. So, we fix this by adding a
          cloopUnusedLabel offline asm instruction that synthesizes the following:

              if (false) goto unusedLabel;

          This keeps the C++ compiler happy without changing code behavior.
        * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
        * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
        * runtime/Executable.cpp:
        (JSC::setupJIT): Added UNUSED_PARAM()s.
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        - run-javascriptcore-tests have phases that forces the LLINT to be off
          which in turn asserts that the JIT is enabled. With the C Loop LLINT,
          this combination is illegal. So, we override the setup code here to
          always use the LLINT if !ENABLE(JIT) regardless of what options are
          passed in.

2013-10-24  peavo@outlook.com  <peavo@outlook.com>

        Uninitialized member causes crash when DFG JIT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=123270

        Reviewed by Brent Fulgham.

        The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
        This causes an early crash on Windows, which doesn't have DFG JIT enabled.

        * runtime/VM.cpp:
        (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.

2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>

        [EFL] Build break with latest EFL 1.8 libraries.
        https://bugs.webkit.org/show_bug.cgi?id=123245

        Reviewed by Gyuyoung Kim.

        After fixed build break on EFL 1.8 at r138326, EFL libraries are changed
        Eo typedef and splitted header files which contain version macro.

        * PlatformEfl.cmake: Added EO path to include directories.
        * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exist.

2013-10-23  Filip Pizlo  <fpizlo@apple.com>

        Put all uses of LLVM intrinsics behind a single Option
        https://bugs.webkit.org/show_bug.cgi?id=123219

        Reviewed by Mark Hahnenberg.

        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::generateExitThunks):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * runtime/Options.h:

2013-10-23  Daniel Bates  <dabates@apple.com>

        Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
        (https://bugs.webkit.org/show_bug.cgi?id=123169)

        Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.

        * Configurations/Base.xcconfig:

2013-10-23  Michael Saboff  <msaboff@apple.com>

        LLInt arity check exception processing should start unwinding from caller
        https://bugs.webkit.org/show_bug.cgi?id=123209

        Reviewed by Oliver Hunt.

        Use the caller frame returned from slow_path_call_arityCheck to process exceptions.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-10-22  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to do some simple inline caches using LLVM patchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123164

        Reviewed by Mark Hahnenberg.
        
        This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
        
        The idea is that we ask LLVM for a nop slide the size of a GetById inline
        cache and then fill in the code after LLVM compilation is complete. For now, we
        just use the system calling convention for the arguments and return. We also
        still make some assumptions about registers that aren't correct. But, most of
        the scaffolding is there and this will successfully patch an inline cache.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::link):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::constNull):
        (JSC::FTL::buildCall):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheDescriptor.h: Added.
        (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
        (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
        (JSC::FTL::GetByIdDescriptor::stackmapID):
        (JSC::FTL::GetByIdDescriptor::codeOrigin):
        (JSC::FTL::GetByIdDescriptor::uid):
        * ftl/FTLInlineCacheSize.cpp: Added.
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        * ftl/FTLInlineCacheSize.h: Added.
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::directGPR):
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::call):
        * ftl/FTLSlowPathCall.cpp: Added.
        (JSC::FTL::callOperation):
        * ftl/FTLSlowPathCall.h: Added.
        (JSC::FTL::SlowPathCall::SlowPathCall):
        (JSC::FTL::SlowPathCall::call):
        (JSC::FTL::SlowPathCall::key):
        * ftl/FTLSlowPathCallKey.cpp: Added.
        (JSC::FTL::SlowPathCallKey::dump):
        * ftl/FTLSlowPathCallKey.h: Added.
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::usedRegisters):
        (JSC::FTL::SlowPathCallKey::callTarget):
        (JSC::FTL::SlowPathCallKey::offset):
        (JSC::FTL::SlowPathCallKey::isEmptyValue):
        (JSC::FTL::SlowPathCallKey::isDeletedValue):
        (JSC::FTL::SlowPathCallKey::operator==):
        (JSC::FTL::SlowPathCallKey::hash):
        (JSC::FTL::SlowPathCallKeyHash::hash):
        (JSC::FTL::SlowPathCallKeyHash::equal):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::directGPR):
        * ftl/FTLStackMaps.h:
        * ftl/FTLState.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::slowPathCallThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::Thunks::getSlowPathCallThunk):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/GPRInfo.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::garbageStubInfo):
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::finalize):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITByIdGenerator::slowPathBegin):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stackRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::allGPRs):
        (JSC::RegisterSet::allFPRs):
        (JSC::RegisterSet::allRegisters):
        (JSC::RegisterSet::dump):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::exclude):
        (JSC::RegisterSet::numberOfSetRegisters):
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::isEmptyValue):
        (JSC::RegisterSet::isDeletedValue):
        (JSC::RegisterSet::operator==):
        (JSC::RegisterSet::hash):
        (JSC::RegisterSetHash::hash):
        (JSC::RegisterSetHash::equal):
        * runtime/Options.h:

2013-10-22  Filip Pizlo  <fpizlo@apple.com>

        jitCompileAndSetHeuristics should DeferGCForAWhile
        https://bugs.webkit.org/show_bug.cgi?id=123196

        Reviewed by Mark Hahnenberg.
        
        This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
        my machines. I don't think this is testable; we just need to steadily converge towards
        getting our uses of DeferGC to be right and then be careful not to regress. We're not
        there yet, obviously.
        
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):

2013-10-23  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream more JavaScriptCore build configuration changes
        https://bugs.webkit.org/show_bug.cgi?id=123169

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig:
        * Configurations/Version.xcconfig:
        * Configurations/iOS.xcconfig: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-10-23  Daniel Bates  <dabates@apple.com>

        [iOS] Export DefaultGCActivityCallback member functions
        https://bugs.webkit.org/show_bug.cgi?id=123175

        Reviewed by David Kilzer.

        * runtime/GCActivityCallback.h:

2013-10-23  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream more ARMv7s bits
        https://bugs.webkit.org/show_bug.cgi?id=123052

        Reviewed by Joseph Pecoraro.

        * Configurations/JavaScriptCore.xcconfig:

2013-10-22  Andreas Kling  <akling@apple.com>

        Minor VM* -> VM& cleanups in HashTable and Keywords.
        <https://webkit.org/b/123183>

        Turn some VM* variables that will never be null into VM&.

        Reviewed by Geoffrey Garen.

2013-10-22  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
        https://bugs.webkit.org/show_bug.cgi?id=123179

        Reviewed by Mark Hahnenberg.

        * parser/NodeConstructors.h:
        (JSC::LogicalOpNode::LogicalOpNode):
        * parser/ResultType.h:
        (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
        This is JavaScript (aka Sparta).

2013-10-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157819.
        http://trac.webkit.org/changeset/157819
        https://bugs.webkit.org/show_bug.cgi?id=123180

        Broke 32-bit builds (Requested by smfr on #webkit).

        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig:

2013-10-22  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream more ARMv7s bits
        https://bugs.webkit.org/show_bug.cgi?id=123052

        Reviewed by Joseph Pecoraro.

        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
        modifying a file in JavaScriptCore/Configurations.

2013-10-22  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSLock changes
        https://bugs.webkit.org/show_bug.cgi?id=123107

        Reviewed by Geoffrey Garen.

        * runtime/JSLock.cpp:
        (JSC::JSLock::unlock):
        (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
        (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
        use pre-increment instead of post-increment when we're not using the return value of the instruction.
        (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
        places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
        since we don't use the return value of such instructions.
        (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
        Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
        (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
        * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
        the argument is sufficiently descriptive of its purpose.

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
        https://bugs.webkit.org/show_bug.cgi?id=123166

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [sh4][mips][arm] Fix crashes in JSC (32-bit only).
        https://bugs.webkit.org/show_bug.cgi?id=123165

        Reviewed by Michael Saboff.

        * jit/JITInlines.h:
        (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
        (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
        (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
        (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
        https://bugs.webkit.org/show_bug.cgi?id=123092

        Reviewed by Michael Saboff.

        Impacted architectures are SH4 and ARM_TRADITIONAL.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::buffer):
        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::buffer):

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        Remove unused stuff in JIT stubs.
        https://bugs.webkit.org/show_bug.cgi?id=123155

        Reviewed by Michael Saboff.

        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        (JSC::ctiTrampoline):
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:

2013-10-22  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
        https://bugs.webkit.org/show_bug.cgi?id=123115
        <rdar://problem/13696872>

        Reviewed by Andy Estes.

        Based on a patch by Mark Hahnenberg.

        Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.

        * API/JSBase.cpp:

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister(). 
        https://bugs.webkit.org/show_bug.cgi?id=123157

        Reviewed by Andreas Kling.

        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::lastRegister):
        (JSC::SH4Assembler::firstFPRegister):
        (JSC::SH4Assembler::lastFPRegister):

2013-10-22  Brian Holt  <brian.holt@samsung.com>

        Build break on ARMv7 after r157209
        https://bugs.webkit.org/show_bug.cgi?id=122890

        Reviewed by Csaba Osztrogonác.

        Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::firstRegister):
        (JSC::MacroAssemblerARM::lastRegister):
        (JSC::MacroAssemblerARM::firstFPRegister):
        (JSC::MacroAssemblerARM::lastFPRegister):

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
        https://bugs.webkit.org/show_bug.cgi?id=123045

        Reviewed by Joseph Pecoraro.

        * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
        to global method table.
        * runtime/JSGlobalObject.cpp: Ditto.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSC Objective-C API compiler warning fixes
        https://bugs.webkit.org/show_bug.cgi?id=123125

        Reviewed by Mark Hahnenberg.

        Based on a patch by Mark Hahnenberg.

        * API/JSValue.mm:
        (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
        (-[JSValue toSize]): Ditto.
        * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
        available since iOS 7.0
        https://bugs.webkit.org/show_bug.cgi?id=123122

        Reviewed by Dan Bernstein.

        * API/JSContext.h:
        * API/JSManagedValue.h:
        * API/JSValue.h:
        * API/JSVirtualMachine.h:

2013-10-20  Mark Lam  <mark.lam@apple.com>

        Avoid JSC debugger overhead unless needed.
        https://bugs.webkit.org/show_bug.cgi?id=123084.

        Reviewed by Geoffrey Garen.

        - If no breakpoints are set, we now avoid calling the debug hook callbacks.
        - If no break on exception is set, we also avoid exception event debug callbacks.
        - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
          longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
          pointer in the ScriptDebugServer may become stale. To avoid this issue, before
          returning, the ScriptDebugServer will clear its m_currentCallFrame if
          needsOpDebugCallbacks() is false.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::setNeedsExceptionCallbacks):
        (JSC::Debugger::setShouldPause):
        (JSC::Debugger::updateNumberOfBreakpoints):
        (JSC::Debugger::updateNeedForOpDebugCallbacks):
        * debugger/Debugger.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:

2013-10-21  Brent Fulgham  <bfulgham@apple.com>

        [WIN] Unreviewed build correction.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
          sources, not header files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-10-21  Oliver Hunt  <oliver@apple.com>

        Support computed property names in object literals
        https://bugs.webkit.org/show_bug.cgi?id=123112

        Reviewed by Michael Saboff.

        Add support for computed property names to the parser.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::getName):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        * parser/Nodes.h:
        (JSC::PropertyNode::expressionName):
        (JSC::PropertyNode::name):
        * parser/Parser.cpp:
        (JSC::::parseProperty):
        (JSC::::parseStrictObjectLiteral):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::Property::Property):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::operatorStackPop):

2013-10-21  Michael Saboff  <msaboff@apple.com>

        Add option so that JSC will crash if it can't allocate executable memory for the JITs
        https://bugs.webkit.org/show_bug.cgi?id=123048
        <rdar://problem/12856193>

        Reviewed by Geoffrey Garen.

        Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
        when checking the validity of the executable allocator. The default value for this option is
        false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
        the app can obtain executable memory.

        * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
        (main):
        * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
        * runtime/VM.cpp:
        (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
        is enabled.

2013-10-21  Nadav Rotem  <nrotem@apple.com>

        Remove AllInOneFile.cpp
        https://bugs.webkit.org/show_bug.cgi?id=123055

        Reviewed by Csaba Osztrogonác.

        * AllInOneFile.cpp: Removed.

2013-10-20  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, cleanup a FIXME comment.

        * jit/Repatch.cpp:

2013-10-20  Filip Pizlo  <fpizlo@apple.com>

        StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
        https://bugs.webkit.org/show_bug.cgi?id=123076

        Reviewed by Sam Weinig.
        
        Start preparing for a world in which we are patching code generated by LLVM, which may have
        very different register usage conventions than our JITs. This requires us being more explicit
        about the registers we are using. For example, the repatching code shouldn't take for granted
        that tagMaskRegister holds the TagMask or that the register is even in use.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::numberOfRegisters):
        (JSC::MacroAssembler::registerIndex):
        (JSC::MacroAssembler::numberOfFPRegisters):
        (JSC::MacroAssembler::fpRegisterIndex):
        (JSC::MacroAssembler::totalNumberOfRegisters):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::bytesForGPRs):
        (JSC::FTL::bytesForFPRs):
        (JSC::FTL::offsetOfGPR):
        (JSC::FTL::offsetOfFPR):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/RegisterSet.cpp: Added.
        (JSC::RegisterSet::specialRegisters):
        * jit/RegisterSet.h: Added.
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::set):
        (JSC::RegisterSet::clear):
        (JSC::RegisterSet::get):
        (JSC::RegisterSet::merge):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        * jit/TempRegisterSet.cpp: Added.
        (JSC::TempRegisterSet::TempRegisterSet):
        * jit/TempRegisterSet.h:

2013-10-20  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix build (broken since r157690).
        https://bugs.webkit.org/show_bug.cgi?id=123081

        Reviewed by Andreas Kling.

        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::buffer):
        (JSC::SH4Assembler::readCallTarget):

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
        https://bugs.webkit.org/show_bug.cgi?id=123079

        Reviewed by Geoffrey Garen.

        * jit/TempRegisterSet.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Rename RegisterSet to TempRegisterSet
        https://bugs.webkit.org/show_bug.cgi?id=123077

        Reviewed by Dan Bernstein.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/RegisterSet.h: Removed.
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
        (JSC::TempRegisterSet::TempRegisterSet):
        (JSC::TempRegisterSet::asPOD):
        (JSC::TempRegisterSet::copyInfo):

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Restructure LinkBuffer to allow for alternate allocation strategies
        https://bugs.webkit.org/show_bug.cgi?id=123071

        Reviewed by Oliver Hunt.
        
        The idea is to eventually allow a LinkBuffer to place the code into an already
        allocated region of memory.  That region of memory could be the nop-slide left behind
        by a llvm.webkit.patchpoint.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::buffer):
        * assembler/AssemblerBuffer.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        (JSC::LinkBuffer::shrink):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::didFailToAllocate):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::buffer):
        (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        Some includes in JSC seem to use an incorrect style
        https://bugs.webkit.org/show_bug.cgi?id=123057

        Reviewed by Geoffrey Garen.

        Changed pseudo-system includes to user ones.

        * API/JSContextRef.cpp:
        * API/JSStringRefCF.cpp:
        * API/JSValueRef.cpp:
        * API/OpaqueJSString.cpp:
        * jit/JIT.h:
        * parser/SyntaxChecker.h:
        * runtime/WeakGCMap.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT and DFG IC code generation should be unified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=122939

        Reviewed by Geoffrey Garen.
        
        Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
        some register info and creates JIT inline caches for you. Used this to even furhter
        unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
        is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
        that it needs to do the equivalent of get_by_id, so with this generator it will be able
        to create an IC even though it wasn't associated with a get_by_id bytecode instruction.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::DataLabelCompact::label):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ecmaMode):
        * dfg/DFGInlineCacheWrapper.h: Added.
        (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
        * dfg/DFGInlineCacheWrapperInlines.h: Added.
        (JSC::DFG::::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addGetById):
        (JSC::DFG::JITCompiler::addPutById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::isStrictModeFor):
        (JSC::AssemblyHelpers::strictModeFor):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::tagGPR):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITByIdGenerator::generateFastPathChecks):
        (JSC::JITGetByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        (JSC::JITPutByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::slowPathFunction):
        * jit/JITInlineCacheGenerator.h: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::stubInfo):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::reportSlowPathCall):
        (JSC::JITByIdGenerator::slowPathJump):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
        https://bugs.webkit.org/show_bug.cgi?id=123067

        Reviewed by Geoffrey Garen.

        * API/APICast.h: Include it.

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location should treat the offset as an addend in the case of a Register location
        https://bugs.webkit.org/show_bug.cgi?id=123062

        Reviewed by Sam Weinig.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::hasAddend):
        (JSC::FTL::Location::addend):

2013-10-19  Nadav Rotem  <nrotem@apple.com>

        DFG dominators: document and rename stuff.
        https://bugs.webkit.org/show_bug.cgi?id=123056

        Reviewed by Filip Pizlo.

        Documented the code and renamed some variables.

        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::compute):
        (JSC::DFG::Dominators::pruneDominators):
        * dfg/DFGDominators.h:

2013-10-19  Julien Brianceau  <jbriance@cisco.com>

        Fix build failure for architectures with 4 argument registers.
        https://bugs.webkit.org/show_bug.cgi?id=123060

        Reviewed by Michael Saboff.

        Add missing setupArgumentsWithExecState() prototypes for architecture with 4 argument registers.
        Remove SH4 specific code no longer needed since callOperation prototype change in r157660.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
        https://bugs.webkit.org/show_bug.cgi?id=122940

        Reviewed by Oliver Hunt.
        
        This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
        whereas previously it was in a Vector, so it moved. This allows you to use pointers to
        StructureStubInfo. This also eliminates the use of return PC as a way of finding the
        StructureStubInfo's. It removes some of the need for the compile-time property access
        records; for example the DFG no longer has to save information about registers in a
        property access record only to later save it to the stub info.
        
        The main thing is accomplishes is that it makes it easier to add StructureStubInfo's
        at any stage of compilation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::getStubInfoMap):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::begin):
        (JSC::CodeBlock::end):
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::isHashTableDeletedValue):
        (JSC::CodeOrigin::hash):
        (JSC::CodeOriginHash::hash):
        (JSC::CodeOriginHash::equal):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureStubInfo.h:
        (JSC::getStructureStubInfoCodeOrigin):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::InRecord::InRecord):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::resetPutByID):

2013-10-18  Oliver Hunt  <oliver@apple.com>

        Spread operator should be performing direct "puts" and not triggering setters
        https://bugs.webkit.org/show_bug.cgi?id=123047

        Reviewed by Geoffrey Garen.

        Add a new opcode -- op_put_by_val_directue -- and make use of it in the spread
        to array construct.  This required a new PutByValDirect node to be introduced to
        the DFG.  The current implementation simply changes the slow path function that
        is called, but in future this could be made faster as it does not need to check
        the prototype chain.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::compileDirectPutByVal):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-10-18  Daniel Bates  <dabates@apple.com>

        [iOS] Export symbol for VM::sharedInstanceExists()
        https://bugs.webkit.org/show_bug.cgi?id=123046

        Reviewed by Mark Hahnenberg.

        * runtime/VM.h:

2013-10-18  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
        https://bugs.webkit.org/show_bug.cgi?id=123049

        Reviewed by Mark Hahnenberg.

        * heap/Heap.cpp:
        (JSC::Heap::setIncrementalSweeper):
        * heap/Heap.h:
        * heap/HeapTimer.h:
        * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
        Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
        (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
        (duplicates the include in the .cpp).
        * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
        making use of this now, but we'll make use of it in a subsequent patch.

2013-10-18  Anders Carlsson  <andersca@apple.com>

        Remove spaces between template angle brackets
        https://bugs.webkit.org/show_bug.cgi?id=123040

        Reviewed by Andreas Kling.

        * API/JSCallbackObject.cpp:
        (JSC::::create):
        * API/JSObjectRef.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/DFGExitProfile.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Operands.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::constantRegisters):
        * bytecode/Watchpoint.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/StaticPropertyAnalysis.h:
        * bytecompiler/StaticPropertyAnalyzer.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::performCSE):
        (JSC::DFG::performStoreElimination):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGWorklist.h:
        * heap/BlockAllocator.h:
        (JSC::CopiedBlock):
        (JSC::MarkedBlock):
        (JSC::WeakBlock):
        (JSC::MarkStackSegment):
        (JSC::CopyWorkListSegment):
        (JSC::HandleBlock):
        * heap/Heap.h:
        * heap/Local.h:
        * heap/MarkedBlock.h:
        * heap/Strong.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::decodedCodeMapFor):
        * jit/AssemblyHelpers.h:
        * jit/SpecializedThunkJIT.h:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseIfStatement):
        * parser/Parser.h:
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::parse):
        * parser/ParserArena.h:
        * parser/SourceProviderCacheItem.h:
        * profiler/LegacyProfiler.cpp:
        (JSC::dispatchFunctionToProfiles):
        * profiler/LegacyProfiler.h:
        (JSC::LegacyProfiler::currentProfiles):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::children):
        * profiler/ProfilerDatabase.h:
        * runtime/Butterfly.h:
        (JSC::Butterfly::contiguousInt32):
        (JSC::Butterfly::contiguous):
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::::create):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/JSPromise.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyNameArray.h:
        * runtime/RegExpCache.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/SymbolTable.h:
        * runtime/VM.h:
        * tools/CodeProfile.cpp:
        (JSC::truncateTrace):
        * tools/CodeProfile.h:
        * yarr/YarrInterpreter.cpp:
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
        (JSC::Yarr::YarrGenerator::opCompileBody):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        * yarr/YarrPattern.h:

2013-10-18  Mark Lam  <mark.lam@apple.com>

        Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
        https://bugs.webkit.org/show_bug.cgi?id=123037.

        Reviewed by Geoffrey Garen.

        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
        https://bugs.webkit.org/show_bug.cgi?id=121661

        Reviewed by Mark Hahnenberg.
        
        This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
        so I added a return-early check using isCompilationThread().
        
        Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
        it is describing: m_offset and the property table. Most structures only have m_offset and report
        null for the property table. If the property table is there, it will tell you additional
        information and that information subsumes m_offset - but the m_offset is still there. So, when
        we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
        machinery to do this.
        
        Changing the property table only happens on the main thread.
        
        Because the machinery to change the property table is so complex, especially with respect to
        keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
        called at key points before and after changes to the property table or the offset.

        Most clients of Structure who care about object layout, including the concurrent thread, will
        want to know m_offset and not the property table. If they want the property table, they will
        already be super careful. The concurrent thread has special methods for this, like
        Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
        view of the property table.
        
        Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
        called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
        
        But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
        which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
        because we have found that it helps quickly identify situations where the property table and
        m_offset get out of sync - mainly because code that changes either of those things will usually
        also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
        need the property table; it uses the m_offset. The concurrent JIT is correct to call
        outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
        it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
        outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
        locks, and that same structure is having its property table modified by the main thread, we end
        up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
        property table modified - instead what happens is that some downstream structure steals the
        property table and then starts adding things to it. The concurrent thread loads the property
        table before it's stolen, and hence the badness.
        
        I suspect there are other code paths that lead to the concurrent JIT calling some Structure
        method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
        and then you have a possible crash.
        
        The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
        aware of its uselessness to the concurrent JIT thread. This change makes it return early if
        it's in the concurrent JIT.
        
        * runtime/StructureInlines.h:
        (JSC::Structure::checkOffsetConsistency):

2013-10-18  Daniel Bates  <dabates@apple.com>

        Add SPI to disable the garbage collector timer
        https://bugs.webkit.org/show_bug.cgi?id=122921

        Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
        omitted.

        * heap/Heap.cpp:
        (JSC::Heap::setGarbageCollectionTimerEnabled):

2013-10-18  Julien Brianceau  <jbriance@cisco.com>

        Group 64-bit specific and 32-bit specific callOperation implementations.
        https://bugs.webkit.org/show_bug.cgi?id=123024

        Reviewed by Michael Saboff.

        This is not a big deal, but could be less confusing when reading the code.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationWithCallFrameRollbackOnException):
        (JSC::JIT::callOperationNoExceptionCheck):

2013-10-18  Nadav Rotem  <nrotem@apple.com>

        Fix a FlushLiveness problem.
        https://bugs.webkit.org/show_bug.cgi?id=122984

        Reviewed by Filip Pizlo.

        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        (JSC::DFG::FlushLivenessAnalysisPhase::process):

2013-10-18  Michael Saboff  <msaboff@apple.com>

        Change native function call stubs to use JIT operations instead of ctiVMHandleException
        https://bugs.webkit.org/show_bug.cgi?id=122982

        Reviewed by Geoffrey Garen.

        Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
        return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
        This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
        in the process.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperationNoExceptionCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_throw):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::nativeForGenerator):
        * runtime/VM.h:
        (JSC::VM::callFrameForThrowOffset):
        (JSC::VM::targetMachinePCForThrowOffset):

2013-10-18  Julien Brianceau  <jbriance@cisco.com>

        Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=123023

        Reviewed by Michael Saboff.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation): EncodedJSValue parameter do not need alignment
        using EABI_32BIT_DUMMY_ARG here.

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, another ARM64 build fix.
        
        Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
        on ARM64 and none of its uses are legit - they should all be using
        andPtr(TrustedImm32, blah) anyway.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, speculative ARM64 build fix.
        
        move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
        implemented. So, you have to use TrustedImmPtr in the superclasses.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::branchTest8):

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, speculative ARM build fix.
        https://bugs.webkit.org/show_bug.cgi?id=122890
        <rdar://problem/15258624>

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::firstRegister):
        (JSC::ARM64Assembler::lastRegister):
        (JSC::ARM64Assembler::firstFPRegister):
        (JSC::ARM64Assembler::lastFPRegister):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.h:

2013-10-17  Andreas Kling  <akling@apple.com>

        Pass VM instead of JSGlobalObject to JSONObject constructor.
        <https://webkit.org/b/122999>

        JSONObject was only use the JSGlobalObject to grab at the VM.
        Dodge a few loads by passing the VM directly instead.

        Reviewed by Geoffrey Garen.

        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed the JITStackFrame struct
        https://bugs.webkit.org/show_bug.cgi?id=123001

        Reviewed by Anders Carlsson.

        * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
        our helper functions obey the C function call ABI.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused #define
        https://bugs.webkit.org/show_bug.cgi?id=123000

        Reviewed by Anders Carlsson.

        * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
        since it is unused now. This is a step toward using the C stack.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
        https://bugs.webkit.org/show_bug.cgi?id=122973

        Reviewed by Michael Saboff.

        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
        so I removed it.

        The code acted as if it needed to pass an argument to
        lookupExceptionHandler, and as if it passed that argument to itself
        through JITStackFrame. However, lookupExceptionHandler does not take
        an argument (other than the default ExecState argument), and the code
        did not initialize the thing that it thought it passed to itself!

2013-10-17  Alex Christensen  <achristensen@webkit.org>

        Run JavaScriptCore tests again on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=122787

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
        * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed restoreArgumentReference (another use of JITStackFrame)
        https://bugs.webkit.org/show_bug.cgi?id=122997

        Reviewed by Oliver Hunt.

        * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
        toward using the C stack.

2013-10-17  Oliver Hunt  <oliver@apple.com>

        Remove JITStubCall.h
        https://bugs.webkit.org/show_bug.cgi?id=122991

        Reviewed by Geoff Garen.

        Happily this is no longer used

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JIT.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITStubCall.h: Removed.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed a use of JITSTACKFRAME_ARGS_INDEX
        https://bugs.webkit.org/show_bug.cgi?id=122989

        Reviewed by Oliver Hunt.

        * jit/JITStubCall.h: Removed an unused function. This is one step closer
        to using the C stack.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Change emit_op_catch to use another method to materialize VM
        https://bugs.webkit.org/show_bug.cgi?id=122977

        Reviewed by Oliver Hunt.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
        on JITStackFrame. It is also faster and simpler.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Eliminate emitGetJITStubArg() - dead code
        https://bugs.webkit.org/show_bug.cgi?id=122975

        Reviewed by Anders Carlsson.

        * jit/JIT.h:
        * jit/JITInlines.h: Removed unused, deprecated function.

2013-10-17  Mark Lam  <mark.lam@apple.com>

        Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
        https://bugs.webkit.org/show_bug.cgi?id=122979.

        Reviewed by Michael Saboff.

        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2013-10-17  Michael Saboff  <msaboff@apple.com>

        Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
        https://bugs.webkit.org/show_bug.cgi?id=122974

        Reviewed by Geoffrey Garen.

        Eliminated unneeded storing to JITStackFrame.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):

2013-10-17  Michael Saboff  <msaboff@apple.com>

        Transition cti_op_throw and cti_vm_throw to a JIT operation
        https://bugs.webkit.org/show_bug.cgi?id=122931

        Reviewed by Filip Pizlo.

        Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
        catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
        and their callers as it is now dead code.  There is some work needed on the Microsoft X86
        callOperation to handle the need to provide space for structure return value.

        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/JSInterfaceJIT.h:

2013-10-17  Mark Lam  <mark.lam@apple.com>

        Remove JITStackFrame references in the C Loop LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=122950.

        Reviewed by Michael Saboff.

        * jit/JITStubs.h:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:

2013-10-17  Mark Lam  <mark.lam@apple.com>

        Remove JITStackFrame references in JIT probes.
        https://bugs.webkit.org/show_bug.cgi?id=122947.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssemblerARM::ProbeContext::dump):
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssemblerARMv7::ProbeContext::dump):
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssemblerX86Common::ProbeContext::dump):
        * assembler/MacroAssemblerX86Common.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86Common.h:
        * jit/JITStubsX86_64.h:

2013-10-17  Julien Brianceau  <jbriance@cisco.com>

        Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
        https://bugs.webkit.org/show_bug.cgi?id=122949

        Reviewed by Andreas Kling.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2013-10-16  Mark Lam  <mark.lam@apple.com>

        Transition remaining op_get* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122925.

        Reviewed by Geoffrey Garen.

        Transitioning:
            cti_op_get_by_id_generic
            cti_op_get_by_val
            cti_op_get_by_val_generic
            cti_op_get_by_val_string

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_pname):
        (JSC::JIT::privateCompileGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_pname):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * runtime/Executable.cpp:
        (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Introduce WTF::Bag and start using it for InlineCallFrameSet
        https://bugs.webkit.org/show_bug.cgi?id=122941

        Reviewed by Geoffrey Garen.
        
        Use Bag for InlineCallFrameSet. If this works out then I'll make other
        SegmentedVectors into Bags as well.

        * bytecode/InlineCallFrameSet.cpp:
        (JSC::InlineCallFrameSet::add):
        * bytecode/InlineCallFrameSet.h:
        (JSC::InlineCallFrameSet::begin):
        (JSC::InlineCallFrameSet::end):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        libllvmForJSC shouldn't call exit(1) on report_fatal_error()
        https://bugs.webkit.org/show_bug.cgi?id=122905
        <rdar://problem/15237856>

        Reviewed by Michael Saboff.
        
        Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
        then always call it to install something that calls CRASH().

        * llvm/InitializeLLVM.cpp:
        (JSC::llvmCrash):
        (JSC::initializeLLVMOnce):
        (JSC::initializeLLVM):
        * llvm/LLVMAPIFunctions.h:

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=122938

        Reviewed by Sam Weinig.
        
        This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.

        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
        https://bugs.webkit.org/show_bug.cgi?id=122937

        Reviewed by Geoffrey Garen.
        
        JITStubCall used to do it.
        
        This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.

        * jit/JIT.h:
        (JSC::JIT::appendCall):

2013-10-16  Michael Saboff  <msaboff@apple.com>

        transition void cti_op_put_by_val* stubs to JIT operations
        https://bugs.webkit.org/show_bug.cgi?id=122903

        Reviewed by Geoffrey Garen.

        Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
        operationPutByValGeneric.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:

2013-10-16  Oliver Hunt  <oliver@apple.com>

        Implement ES6 spread operator
        https://bugs.webkit.org/show_bug.cgi?id=122911

        Reviewed by Michael Saboff.

        Implement the ES6 spread operator

        This has a little bit of refactoring to move the enumeration logic out ForOfNode
        and into BytecodeGenerator, and then adds the logic to make it nicely callback
        driven.

        The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
        and actually handling the spread.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createSpreadExpression):
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::SpreadExpressionNode::SpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isSpreadExpression):
        (JSC::SpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSpreadExpression):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Add a useLLInt option to jsc
        https://bugs.webkit.org/show_bug.cgi?id=122930

        Reviewed by Geoffrey Garen.

        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        (JSC::setupJIT):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.h:

2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix.

        Forgot to svn add DeferGC.cpp

        * heap/DeferGC.cpp: Added.

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        r157411 fails run-javascriptcore-tests when run with Baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=122902

        Reviewed by Mark Hahnenberg.
        
        It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
        not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
        logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
        didn't. Turns out that there's even a helpful method,
        Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!

        * jit/Repatch.cpp:
        (JSC::tryCachePutByID):

2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
        https://bugs.webkit.org/show_bug.cgi?id=122667

        Reviewed by Geoffrey Garen.

        The issue this patch is attempting to fix is that there are places in our codebase
        where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
        operations that can initiate a garbage collection. Garbage collection then calls 
        some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
        always necessarily run during garbage collection). This causes a deadlock.
 
        To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
        into a thread-local field that indicates that it is unsafe to perform any operation 
        that could trigger garbage collection on the current thread. In debug builds, 
        ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
        detect deadlocks.
 
        This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
        which uses the DeferGC mechanism to prevent collections from occurring while the 
        lock is held.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.h:
        (JSC::DisallowGC::DisallowGC):
        (JSC::DisallowGC::~DisallowGC):
        (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
        (JSC::DisallowGC::initialize):
        * jit/Repatch.cpp:
        (JSC::repatchPutByID):
        (JSC::buildPutByIdList):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::unlockEarly):
        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
        (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
        (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
        can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
        before the caller has a chance to use the newly created PropertyTable. The garbage collection
        clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
        we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
        the Structure.
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::find):
        (JSC::SymbolTable::end):

2013-10-16  Daniel Bates  <dabates@apple.com>

        Add SPI to disable the garbage collector timer
        https://bugs.webkit.org/show_bug.cgi?id=122921

        Reviewed by Geoffrey Garen.

        Based on a patch by Mark Hahnenberg.

        * API/JSBase.cpp:
        (JSDisableGCTimer): Added; SPI function.
        * API/JSBasePrivate.h:
        * heap/BlockAllocator.cpp:
        (JSC::createBlockFreeingThread): Added.
        (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
        to conditionally create the "block freeing" thread depending on the value of
        GCActivityCallback::s_shouldCreateGCTimer.
        (JSC::BlockAllocator::~BlockAllocator):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):
        * heap/Heap.cpp:
        (JSC::Heap::didAbandon):
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * runtime/GCActivityCallback.cpp:
        * runtime/GCActivityCallback.h:
        (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
        when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
        object (since DefaultGCActivityCallback ultimately extends HeapTimer).

2013-10-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157529.
        http://trac.webkit.org/changeset/157529
        https://bugs.webkit.org/show_bug.cgi?id=122919

        Caused score test failures and some build failures. (Requested
        by rfong on #webkit).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::CallArguments::CallArguments):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::collectBoundIdentifiers):
        * parser/ASTBuilder.h:
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::DotAccessorNode::DotAccessorNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove useless architecture specific implementation in DFG.
        https://bugs.webkit.org/show_bug.cgi?id=122917.

        Reviewed by Michael Saboff.

        With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
        as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.

        * dfg/DFGSpeculativeJIT.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove unused JIT::restoreArgumentReferenceForTrampoline function.
        https://bugs.webkit.org/show_bug.cgi?id=122916.

        Reviewed by Michael Saboff.

        This architecture specific function is not used anymore, so get rid of it.

        * jit/JIT.h:
        * jit/JITInlines.h:

2013-10-16  Oliver Hunt  <oliver@apple.com>

        Implement ES6 spread operator
        https://bugs.webkit.org/show_bug.cgi?id=122911

        Reviewed by Michael Saboff.

        Implement the ES6 spread operator

        This has a little bit of refactoring to move the enumeration logic out ForOfNode
        and into BytecodeGenerator, and then adds the logic to make it nicely callback
        driven.

        The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
        and actually handling the spread.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createSpreadExpression):
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::SpreadExpressionNode::SpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isSpreadExpression):
        (JSC::SpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSpreadExpression):

2013-10-16  Mark Lam  <mark.lam@apple.com>

        Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
        https://bugs.webkit.org/show_bug.cgi?id=122899.

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_tear_off_activation):
        (JSC::JIT::emit_op_tear_off_arguments):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove more of the UNINTERRUPTED_SEQUENCE thing
        https://bugs.webkit.org/show_bug.cgi?id=122885

        Reviewed by Andreas Kling.

        It was not completely removed by r157481, leading to build failure for sh4 architecture.

        * jit/JIT.h:
        * jit/JITInlines.h:

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the StructureStubInfo::patch union
        https://bugs.webkit.org/show_bug.cgi?id=122877

        Reviewed by Sam Weinig.
        
        Just simplifying code by getting rid of data structures that ain't used no more.
        
        Note that I replace the patch union with a patch struct. This means we say things like
        stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
        encapsulation makes the code more readable: the patch struct contains just those things
        that you need to know to perform patching.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::replaceWithJump):
        (JSC::linkRestoreScratch):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::getPolymorphicStructureList):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::resetIn):

2013-10-15  Nadav Rotem  <nrotem@apple.com>

        FTL: add support for Int52ToValue and fix putByVal of int52s.
        https://bugs.webkit.org/show_bug.cgi?id=122873

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the UNINTERRUPTED_SEQUENCE thing
        https://bugs.webkit.org/show_bug.cgi?id=122876

        Reviewed by Mark Hahnenberg.
        
        It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
        
        Moreover, we should resist the temptation to bring anything like this back. We don't
        want to have inline caches that only work if the assembler lays out code in a specific
        predetermined way.

        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should use the DFG GetById IC
        https://bugs.webkit.org/show_bug.cgi?id=122861

        Reviewed by Oliver Hunt.
        
        This mostly just kills a ton of code.
        
        Note that this doesn't yet do all of the simplifications that can be done, but it does
        kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        (JSC::JIT::callOperation):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_from_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_from_scope):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/Repatch.cpp:
        (JSC::repatchGetByID):
        (JSC::buildGetByIDList):
        * jit/ThunkGenerators.cpp:
        * jit/ThunkGenerators.h:

2013-10-15  Dean Jackson  <dino@apple.com>

        Add ENABLE_WEB_ANIMATIONS flag
        https://bugs.webkit.org/show_bug.cgi?id=122871

        Reviewed by Tim Horton.

        Eventually might be http://dev.w3.org/fxtf/web-animations/
        but this is just engine-internal work at the moment.

        * Configurations/FeatureDefines.xcconfig:

2013-10-15  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Some calls don't match sh4 ABI.
        https://bugs.webkit.org/show_bug.cgi?id=122863

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):

2013-10-15  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JavaScriptCore support for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=122762

        Reviewed by Oliver Hunt and Filip Pizlo.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARM64Assembler.h: Added.
        * assembler/AbstractMacroAssembler.h:
        (JSC::isARM64):
        (JSC::AbstractMacroAssembler::Label::Label):
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        (JSC::AbstractMacroAssembler::Jump::linkTo):
        (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
        (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
        (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
        (JSC::AbstractMacroAssembler::CachedTempRegister::value):
        (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
        (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
        (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
        (JSC::AbstractMacroAssembler::isTempRegisterValid):
        (JSC::AbstractMacroAssembler::clearTempRegisterValid):
        (JSC::AbstractMacroAssembler::setTempRegisterValid):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/LinkBuffer.h:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isPtrAlignedAddressOffset):
        (JSC::MacroAssembler::pushToSave):
        (JSC::MacroAssembler::popToRestore):
        (JSC::MacroAssembler::patchableBranchTest32):
        * assembler/MacroAssemblerARM64.h: Added.
        * assembler/MacroAssemblerARMv7.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * disassembler/ARM64/A64DOpcode.cpp: Added.
        * disassembler/ARM64/A64DOpcode.h: Added.
        * disassembler/ARM64Disassembler.cpp: Added.
        * heap/MachineStackMarker.cpp:
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):
        * heap/Region.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::debugCall):
        * jit/CCallHelpers.h:
        * jit/ExecutableAllocator.h:
        * jit/FPRInfo.h:
        (JSC::FPRInfo::toRegister):
        (JSC::FPRInfo::toIndex):
        (JSC::FPRInfo::debugName):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):
        * jit/JITInlines.h:
        (JSC::JIT::restoreArgumentReferenceForTrampoline):
        * jit/JITOperationWrappers.h:
        * jit/JITOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::performPlatformSpecificJITAssertions):
        (JSC::tryCachePutByID):
        * jit/JITStubs.h:
        (JSC::JITStackFrame::returnAddressSlot):
        * jit/JITStubsARM64.h: Added.
        * jit/JSInterfaceJIT.h:
        * jit/Repatch.cpp:
        (JSC::emitRestoreScratch):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::emitPutReplaceStub):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        * jsc.cpp:
        (main):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb: Added.
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/risc.rb:
        * offlineasm/transform.rb:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
        (JSC::Yarr::YarrGenerator::initCallFrame):
        (JSC::Yarr::YarrGenerator::removeCallFrame):
        (JSC::Yarr::YarrGenerator::generateEnter):
        * yarr/YarrJIT.h:

2013-10-15  Mark Lam  <mark.lam@apple.com>

        Fix 3 operand sub operation in C loop LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=122866.

        Reviewed by Geoffrey Garen.

        * offlineasm/cloop.rb:

2013-10-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        ObjCCallbackFunctionImpl shouldn't store a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=122531

        Reviewed by Geoffrey Garen.

        The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct 
        in the common case. It's also no longer necessary in that we can look up the current JSContext 
        by looking using the globalObject of the callee when the function callback is invoked.
 
        Also added a new test that would cause us to crash previously. The test required making 
        JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
        in C API callbacks.

        * API/JSContextRef.h:
        * API/JSContextRefPrivate.h:
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::objCCallbackFunctionCallAsFunction):
        (objCCallbackFunctionForInvocation):
        * API/WebKitAvailability.h:
        * API/tests/CurrentThisInsideBlockGetterTest.h: Added.
        * API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
        (CallAsConstructor):
        (ConstructorFinalize):
        (ConstructorClass):
        (+[JSValue valueWithConstructorDescriptor:inContext:]):
        (-[JSContext valueWithConstructorDescriptor:]):
        (currentThisInsideBlockGetterTest):
        * API/tests/testapi.mm:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.

2013-10-15  Julien Brianceau  <jbriance@cisco.com>

        Fix build after r157457 for architecture with 4 argument registers.
        https://bugs.webkit.org/show_bug.cgi?id=122860

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupStubArguments134):

2013-10-14  Michael Saboff  <msaboff@apple.com>

        transition void cti_op_* methods to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122617

        Reviewed by Geoffrey Garen.

        Converted the follow stubs to JIT operations:
            cti_handle_watchdog_timer
            cti_op_debug
            cti_op_pop_scope
            cti_op_profile_did_call
            cti_op_profile_will_call
            cti_op_put_by_index
            cti_op_put_getter_setter
            cti_op_tear_off_activation
            cti_op_tear_off_arguments
            cti_op_throw_static_error
            cti_optimize

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        (JSC::CCallHelpers::setupThreeStubArgsGPR):
        (JSC::CCallHelpers::setupStubArguments):
        (JSC::CCallHelpers::setupStubArguments134):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_tear_off_activation):
        (JSC::JIT::emit_op_tear_off_arguments):
        (JSC::JIT::emit_op_push_with_scope):
        (JSC::JIT::emit_op_pop_scope):
        (JSC::JIT::emit_op_push_name_scope):
        (JSC::JIT::emit_op_throw_static_error):
        (JSC::JIT::emit_op_debug):
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_push_with_scope):
        (JSC::JIT::emit_op_pop_scope):
        (JSC::JIT::emit_op_push_name_scope):
        (JSC::JIT::emit_op_throw_static_error):
        (JSC::JIT::emit_op_debug):
        (JSC::JIT::emit_op_profile_will_call):
        (JSC::JIT::emit_op_profile_did_call):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_index):
        (JSC::JIT::emit_op_put_getter_setter):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_index):
        (JSC::JIT::emit_op_put_getter_setter):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-15  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Introduce const pools in LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=122746

        Reviewed by Michael Saboff.

        In current implementation of LLINT for sh4, immediate values outside range -128..127 are
        loaded this way:

            mov.l .label, rx
            bra out
            nop
            .balign 4
            .label: .long immvalue
            out:

        This change introduces const pools for sh4 implementation to avoid lots of useless branches
        and reduce code size. It also removes lines of dirty code, like jmpf and callf.

        * offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
        * offlineasm/sh4.rb:

2013-10-15  Mark Lam  <mark.lam@apple.com>

        Fix broken C Loop LLINT build.
        https://bugs.webkit.org/show_bug.cgi?id=122839.

        Reviewed by Michael Saboff.

        * dfg/DFGFlushedAt.cpp:
        * jit/JITOperations.h:

2013-10-14  Mark Lam  <mark.lam@apple.com>

        Transition *switch* and *scope* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122757.

        Reviewed by Geoffrey Garen.

        Transitioning:
            cti_op_switch_char
            cti_op_switch_imm
            cti_op_switch_string
            cti_op_resolve_scope
            cti_op_get_from_scope
            cti_op_put_to_scope

        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_resolve_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_resolve_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-14  Filip Pizlo  <fpizlo@apple.com>

        DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
        https://bugs.webkit.org/show_bug.cgi?id=122786

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
        * jit/Repatch.cpp:
        (JSC::repatchPutByID): Doing the PutById patching should hold the lock.
        (JSC::buildPutByIdList): Ditto.

2013-10-14  Nadav Rotem  <nrotem@apple.com>

        Add FTL support for LogicalNot(string)
        https://bugs.webkit.org/show_bug.cgi?id=122765

        Reviewed by Filip Pizlo.

        This patch is tested by:
        regress/script-tests/emscripten-cube2hash.js.ftl-eager

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):

2013-10-14  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fixes after r157404 and r157411.
        https://bugs.webkit.org/show_bug.cgi?id=122782

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.

2013-10-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157413.
        http://trac.webkit.org/changeset/157413
        https://bugs.webkit.org/show_bug.cgi?id=122779

        Appears to have caused frequent crashes (Requested by ap on
        #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.cpp: Removed.
        * heap/DeferGC.h:
        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:

2013-10-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        COLLECT_ON_EVERY_ALLOCATION causes assertion failures
        https://bugs.webkit.org/show_bug.cgi?id=122652

        Reviewed by Filip Pizlo.

        COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
        so we would end up ASSERTing during garbage collection.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):

2013-10-11  Oliver Hunt  <oliver@apple.com>

        Separate out array iteration intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=122656

        Reviewed by Michael Saboff.

        Separate out the intrinsics for key and values iteration
        of arrays.

        This requires moving moving array iteration into the iterator
        instance, rather than the prototype, but this is essentially
        unobservable so we'll live with it for now.

        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator):
        (JSC::arrayIteratorNextKeyThunkGenerator):
        (JSC::arrayIteratorNextValueThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/Intrinsic.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::finishCreation):
        (JSC::createIteratorResult):
        (JSC::arrayIteratorNext):
        (JSC::arrayIteratorNextKey):
        (JSC::arrayIteratorNextValue):
        (JSC::arrayIteratorNextGeneric):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):

2013-10-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
        https://bugs.webkit.org/show_bug.cgi?id=122667

        Reviewed by Filip Pizlo.

        The issue this patch is attempting to fix is that there are places in our codebase
        where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
        operations that can initiate a garbage collection. Garbage collection then calls 
        some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
        always necessarily run during garbage collection). This causes a deadlock.

        To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
        into a thread-local field that indicates that it is unsafe to perform any operation 
        that could trigger garbage collection on the current thread. In debug builds, 
        ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
        detect deadlocks.

        This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
        which uses the DeferGC mechanism to prevent collections from occurring while the 
        lock is held.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.cpp: Added.
        * heap/DeferGC.h:
        (JSC::DisallowGC::DisallowGC):
        (JSC::DisallowGC::~DisallowGC):
        (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
        (JSC::DisallowGC::initialize):
        * jit/JITStubs.cpp:
        (JSC::tryCachePutByID):
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::unlockEarly):
        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:

2013-10-14  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should use the DFG's PutById IC
        https://bugs.webkit.org/show_bug.cgi?id=122704

        Reviewed by Mark Hahnenberg.
        
        Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
        that JIT to use the DFG's (i.e. JITOperations) PutById IC.
        
        The only complicated part was that the PutById operations assumed that we first did a
        cell speculation, which the baseline JIT obviously won't do. So I changed all of those
        slow paths to deal with EncodedJSValue's.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperationWrappers.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::resetPutByID):

2013-10-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should have an inefficient but correct implementation of GetById
        https://bugs.webkit.org/show_bug.cgi?id=122740

        Reviewed by Mark Hahnenberg.
        
        It took some effort to realize that the node->prediction() check in the DFG backends
        are completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
        if !prediction.
        
        But other than that this was an easy patch.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-13  Mark Lam  <mark.lam@apple.com>

        Transition misc cti_op_* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122645.

        Reviewed by Michael Saboff.

        Stubs converted:
            cti_op_check_has_instance
            cti_op_create_arguments
            cti_op_del_by_id
            cti_op_instanceof
            cti_to_object
            cti_op_push_activation
            cti_op_get_pnames
            cti_op_load_varargs

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        (JSC::JIT::emitStoreCell):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_check_has_instance):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_check_has_instance):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_del_by_id):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-13  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit should perform zero extension on values smaller than 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=122688

        Reviewed by Gavin Barraclough.
        
        In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
        register will have zeros on the high bits.  In the few cases where the high bits are
        non-zero, the DFG sort of tells us this explicitly.

        But when working with llvm.webkit.stackmap, it doesn't work that way.  Consider we might
        emit LLVM IR like:

            %2 = trunc i64 %1 to i32
            stuff %2
            call @llvm.webkit.stackmap(...., %2)

        LLVM may never actually emit a truncation instruction of any kind.  And that's great - in
        many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
        bits anyway.  Hence LLVM may tell us that %2 is in the register that still had the value
        from before truncation, and that register may have garbage in the high bits.

        This means that on our end, if we want a 32-bit value and we want that value to be
        zero-extended, we should zero-extend it ourselves.  This is pretty easy and should be
        cheap, so we should just do it and not make it a requirement that LLVM does it on its
        end.
        
        This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStubWithOSRExitStackmap):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):

== Rolled over to ChangeLog-2013-10-13 ==