JavaScriptCore-7601.1.46.3.tar.gz

[apple/javascriptcore.git] / ChangeLog-2014-10-07

2014-10-07  Oliver Hunt  <oliver@apple.com>

        Remove op_new_captured_func
        https://bugs.webkit.org/show_bug.cgi?id=137491

        Reviewed by Mark Lam.

        Removes the op_captured_new_func opcode as part of the work
        towards having any magical opcodes that write directly to
        named "registers" and then have a follow on op to ensure that
        the environment record correctly represents the stack state.

        For this we add a non-captured scratch register so we don't
        have to have any kind of magic opcode, and instead simply
        have sensible creation and move semantics for capturing new
        functions.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewFunction):
        (JSC::BytecodeGenerator::emitLazyNewFunction):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_captured_func): Deleted.
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:

2014-10-06  Andy Estes  <aestes@apple.com>

        Objective-C objects must be fully defined when used in a WTF::Vector
        https://bugs.webkit.org/show_bug.cgi?id=137479

        Reviewed by Mark Rowe.

        When compiling an Objective-C++ file under ARC, @class types are considered non-trivially destructable, so
        Vector needs to see their definition in order to call their destructor.

        See <http://clang.llvm.org/docs/AutomaticReferenceCounting.html#ownership-qualified-fields-of-structs-and-unions> for details.

        * API/ObjcRuntimeExtras.h: Imported <objc/Protocol.h>.

2014-10-06  Brent Fulgham  <bfulgham@apple.com>

        [Win] Use of 1-bit Enum type behaves improperly
        https://bugs.webkit.org/show_bug.cgi?id=137471
        <rdar://problem/18559172>

        Reviewed by Mark Lam.

        Represent 1-bit enum element as 'unsigned', as we have done elsewhere
        in WebKit to avoid problems when building with MSVC.

        * debugger/Debugger.h:

2014-10-06  Mark Lam  <mark.lam@apple.com>

        Fixed compiler warnings on Windows build.
        <https://webkit.org/b/135205>

        Reviewed by Geoffrey Garen.

        Benchmarking with jsc shows that perf is neutral with this change.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::call):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::mergeShouldNeverUnbox):
        (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::makeWord):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeMayNegZero):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::mergeIsCaptured):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::mergeIsProfitableToUnbox):
        (JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed):
        (JSC::DFG::VariableAccessData::mergeCheckArrayHoistingFailed):
        (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):

2014-10-06  Oliver Hunt  <oliver@apple.com>

        Remove incorrect assertion.

        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):

2014-10-06  Oliver Hunt  <oliver@apple.com>

        Fix cloop build

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):

2014-10-06  Mark Lam  <mark.lam@apple.com>

        Unreviewed build fix.
        <https://webkit.org/b/137279>

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-10-06  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html
        https://bugs.webkit.org/show_bug.cgi?id=137404

        Reviewed by Michael Saboff.

        Update the Arguments object to recognise that it must always have an
        environment record if the referenced callee has one, and if such is not
        present it should not try to extract one from the callframe, as that
        path leads to madness.

        Happily this makes some of the other code more sensible, and removes a
        bunch of unnecessary and icky logic.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        (JSC::Arguments::didTearOffActivation): Deleted.
        * runtime/Arguments.h:
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation):

2014-10-04  Brian J. Burg  <burg@cs.washington.edu>

        Unreviewed, rolling out r174319.

        Causes assertions in fast/profiler tests. Needs nontrivial
        investigation, will take offline.

        Reverted changeset:

        "Web Inspector: timelines should not count time elapsed while
        paused in the debugger"
        https://bugs.webkit.org/show_bug.cgi?id=136351
        http://trac.webkit.org/changeset/174319

2014-10-04  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: timelines should not count time elapsed while paused in the debugger
        https://bugs.webkit.org/show_bug.cgi?id=136351

        Reviewed by Timothy Hatcher.

        Now that we have a stopwatch to provide pause-aware timing data, we can remove the
        profiler's handling of debugger pause/continue callbacks. The timeline agent accounts
        for debugger pauses by pausing and resuming the stopwatch.

        * API/JSProfilerPrivate.cpp:
        (JSStartProfiling): Use a fresh stopwatch when profiling from the JSC API.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::handlePause):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::profiler): Use nullptr.
        (JSC::LegacyProfiler::startProfiling): Hand off a stopwatch to the profile generator.
        (JSC::LegacyProfiler::stopProfiling): Use nullptr.
        (JSC::LegacyProfiler::didPause): Deleted.
        (JSC::LegacyProfiler::didContinue): Deleted.
        * profiler/LegacyProfiler.h:
        * profiler/ProfileGenerator.cpp: Remove debugger pause/continue callbacks and the
        timestamp member that was used to track time elapsed by the debugger. Just use the
        stopwatch's elapsed times to generate start/elapsed times for function calls.
        (JSC::ProfileGenerator::create):
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::beginCallEntry):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::didPause): Deleted.
        (JSC::ProfileGenerator::didContinue): Deleted.
        * profiler/ProfileGenerator.h:

2014-10-04  Filip Pizlo  <fpizlo@apple.com>

        FTL should sink PutLocals
        https://bugs.webkit.org/show_bug.cgi?id=137168

        Reviewed by Oliver Hunt.
        
        We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
        "pass" arguments to an inlined function call, because we need to enable the runtime to grab
        those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
        in that case but rather just relies on the arguments being flushed (i.e. a copy of their
        values is spilled) at a well-known place in a well-known format.
        
        The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
        they look like escaping sites and so they inhibit object allocation sinking.
        
        But in most cases, the PutLocals are unnecessary because the inlined code never performs any
        side effect that could transitively lead to function.arguments. Even if the inlined code
        could do such a side effect, it may be on a rare path so there is no need to penalize the
        entire function.
        
        This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
        to the latest possible point. This is even more aggressive than the object allocation
        sinking. That sinking algorithm avoids creating situations where an object could be
        materialized more than one along any path. PutLocal sinking, on the other hand, doesn't avoid
        this at all - both to make the phase cheaper and simpler and to make it more aggressive.
        Every PutLocal is sunk no matter what.
        
        The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
        their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
        lot of object allocation sinking and it removes a lot of pointless store instructions.
        
        It also has downsites. Sinking PutLocals increases register pressure because it increases the
        live ranges of things like inlined arguments.
        
        This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
        progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
        regression. The biggest win is on Octane/raytrace, which improves by 27%.
        
        Relanding after fixing internal builds. We have to be careful about implicit casts from int64
        to int32.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecode/Operands.h:
        (JSC::Operands::dump): Deleted.
        * bytecode/OperandsInlines.h:
        (JSC::Traits>::dump):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::isHeader):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberSet.h:
        (JSC::DFG::ClobberSetAdd::operator()):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::ReadMethodClobberize::operator()):
        (JSC::DFG::WriteMethodClobberize::operator()):
        (JSC::DFG::DefMethodClobberize::operator()):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::capturedVarsFor):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h: Added.
        (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
        (JSC::DFG::forEachLocalReadByUnwind):
        (JSC::DFG::preciseLocalClobberize):
        * dfg/DFGPutLocalSinkingPhase.cpp: Added.
        (JSC::DFG::performPutLocalSinking):
        * dfg/DFGPutLocalSinkingPhase.h: Added.
        * dfg/DFGSSACalculator.h:
        (JSC::DFG::SSACalculator::computePhis):
        * dfg/DFGValidate.cpp:

2014-10-03  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r174216): CodeBlock::dumpByteCodes crashes on op_push_name_scope
        https://bugs.webkit.org/show_bug.cgi?id=137412

        Reviewed by Mark Lam.

        Added support for the JSNameScope::type opcode parameter in dumpBytecode().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Implement op_profile_type in the 32-bit baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=137181

        Reviewed by Michael Saboff.

        Generate inline code to write to the TypeProfilerLog inside the 32-bit 
        baseline JIT instead of unconditionally bailing out to the slow path 
        for op_profile_type.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):

2014-10-03  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r174275.
        https://bugs.webkit.org/show_bug.cgi?id=137408

        Build failures on the internal bots. (Requested by dethbakin
        on #webkit).

        Reverted changeset:

        "FTL should sink PutLocals"
        https://bugs.webkit.org/show_bug.cgi?id=137168
        http://trac.webkit.org/changeset/174275

2014-10-03  Oliver Hunt  <oliver@apple.com>

        tearoff_arguments should always refer to the unmodified arguments register
        https://bugs.webkit.org/show_bug.cgi?id=137406

        Reviewed by Michael Saboff.

        To simplify subsequent work, and remove unnecessary work from
        actual execution this patch simply ensures that tear_off_arguments
        refers to the actual unmodified arguments register.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitReturn):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_tear_off_arguments):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_tear_off_arguments):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Move the computation that results in UI strings from JSC to the Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=137295

        Reviewed by Timothy Hatcher.

        Remove unnecessary functions and properties from JSC that are
        now being computed inside the Web Inspector. 

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/protocol/Runtime.json:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allPrimitiveTypeNames): Deleted.
        * runtime/TypeSet.h:

2014-10-02  Filip Pizlo  <fpizlo@apple.com>

        FTL should sink PutLocals
        https://bugs.webkit.org/show_bug.cgi?id=137168

        Reviewed by Oliver Hunt.
        
        We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
        "pass" arguments to an inlined function call, because we need to enable the runtime to grab
        those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
        in that case but rather just relies on the arguments being flushed (i.e. a copy of their
        values is spilled) at a well-known place in a well-known format.
        
        The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
        they look like escaping sites and so they inhibit object allocation sinking.
        
        But in most cases, the PutLocals are unnecessary because the inlined code never performs any
        side effect that could transitively lead to function.arguments. Even if the inlined code
        could do such a side effect, it may be on a rare path so there is no need to penalize the
        entire function.
        
        This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
        to the latest possible point. This is even more aggressive than the object allocation
        sinking. That sinking algorithm avoids creating situations where an object could be
        materialized more than one along any path. PutLocal sinking, on the other hand, doesn't avoid
        this at all - both to make the phase cheaper and simpler and to make it more aggressive.
        Every PutLocal is sunk no matter what.
        
        The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
        their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
        lot of object allocation sinking and it removes a lot of pointless store instructions.
        
        It also has downsites. Sinking PutLocals increases register pressure because it increases the
        live ranges of things like inlined arguments.
        
        This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
        progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
        regression. The biggest win is on Octane/raytrace, which improves by 27%.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecode/Operands.h:
        (JSC::Operands::dump): Deleted.
        * bytecode/OperandsInlines.h:
        (JSC::Traits>::dump):
        * bytecode/VirtualRegister.h:
        (JSC::VirtualRegister::isHeader):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberSet.h:
        (JSC::DFG::ClobberSetAdd::operator()):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::ReadMethodClobberize::operator()):
        (JSC::DFG::WriteMethodClobberize::operator()):
        (JSC::DFG::DefMethodClobberize::operator()):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::capturedVarsFor):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPreciseLocalClobberize.h: Added.
        (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::read):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::write):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
        (JSC::DFG::forEachLocalReadByUnwind):
        (JSC::DFG::preciseLocalClobberize):
        * dfg/DFGPutLocalSinkingPhase.cpp: Added.
        (JSC::DFG::performPutLocalSinking):
        * dfg/DFGPutLocalSinkingPhase.h: Added.
        * dfg/DFGSSACalculator.h:
        (JSC::DFG::SSACalculator::computePhis):
        * dfg/DFGValidate.cpp:

2014-10-03  Saam Barati  <saambarati1@gmail.com>

        Change how 32-bit JSValues check if they are a Boolean

        Rubber stamped by Filip Pizlo.

        32-bit JSValue::isBoolean can simply check if its tag corresponds 
        to the boolean tag instead of checking if it's either true or false.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isBoolean):

2014-10-01  Oliver Hunt  <oliver@apple.com>

        Do all closed variable access through the local lexical object
        https://bugs.webkit.org/show_bug.cgi?id=136869

        Reviewed by Filip Pizlo.

        This patch makes all reads and writes from captured registers
        go through the lexical record, and by doing so removes the
        need for record tearoff.

        To keep the patch simple we still number variables as though
        they are local stack allocated registers, but ::local() will
        fail. When local fails we perform a generic resolve, and in
        that resolve we now use a ResolveScopeInfo struct to pass
        around information about whether a lookup is a statically
        known captured variable, and its location in the activation.
        To ensure correct behaviour during codeblock linking we also
        add a LocalClosureVariable resolution type.

        To ensure correct semantics for the Arguments object, we now
        have to eagerly create the Arguments object for any function
        that uses both the Arguments object and requires a lexical
        record.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeCapturedVariable):
          During the entry to a function we are not yet in a position
          to allocate temporaries so we directly use the lexical
          environment register.
        (JSC::BytecodeGenerator::resolveCallee):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::local):
        (JSC::BytecodeGenerator::constLocal):
        (JSC::BytecodeGenerator::emitResolveScope):
        (JSC::BytecodeGenerator::emitResolveConstantLocal):
          The two resolve scope operations could technically skip
          the op_resolve_scope, and simply perform 
              op_mov dst, recordRegister
          but for now it seemed best to maintain the same basic
          behaviour.
        (JSC::BytecodeGenerator::emitGetFromScope):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
          If we have an environment we've already created Arguments
          so no need to check again.
        (JSC::BytecodeGenerator::emitReturn):
          Don't need to emit tearoff_environment
        * bytecompiler/BytecodeGenerator.h:
        (JSC::Local::Local):
        (JSC::Local::operator bool):
        (JSC::Local::get):
        (JSC::Local::isReadOnly):
        (JSC::Local::isSpecial):
        (JSC::ResolveScopeInfo::ResolveScopeInfo):
        (JSC::ResolveScopeInfo::isLocal):
        (JSC::ResolveScopeInfo::localIndex):
        (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly):
        (JSC::Local::isCaptured): Deleted.
        (JSC::Local::captureMode): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ForInNode::tryGetBoundLocal):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_captured_mov): Deleted.
        (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
        (JSC::JIT::emitSlow_op_captured_mov): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_captured_mov): Deleted.
        (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitPutClosureVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:
        (JSC::Arguments::argument):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL): Deleted.
        * runtime/CommonSlowPaths.h:
        * runtime/JSLexicalEnvironment.cpp:
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::argumentsGetter):
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::JSLexicalEnvironment::tearOff): Deleted.
        (JSC::JSLexicalEnvironment::isTornOff): Deleted.
        * runtime/JSScope.cpp:
        (JSC::resolveTypeName):
        * runtime/JSScope.h:
        (JSC::makeType):
        (JSC::needsVarInjectionChecks):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrier<Unknown>::WriteBarrier):

2014-10-02  Filip Pizlo  <fpizlo@apple.com>

        Object allocation sinking should have a sound story for picking materialization points
        https://bugs.webkit.org/show_bug.cgi?id=137315

        Reviewed by Oliver Hunt.
        
        The only missing piece was having the object allocation sinking phase locate materialization
        points that were at CFG edges.
        
        The logic for how and why this "just works" relies on some properties of critical edge
        breaking, so I was fairly careful in how I did this. Also, this requires inserting things at
        the "first origin node" of a block - that is the first node in a block that has a NodeOrigin
        and therefore is allowed to exit. We basically had support for such a notion before, but
        didn't close the loop on it; this patch does that.
        
        Also I added the ability to provide a BasicBlock* as context for a DFG_ASSERT().

        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::firstOriginNode):
        (JSC::DFG::BasicBlock::firstOrigin):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::crash):
        (JSC::DFG::Graph::handleAssertionFailure):
        * dfg/DFGGraph.h:
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNodeOrigin.h:
        (JSC::DFG::NodeOrigin::isSet):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
        (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * runtime/Options.h:

2014-10-02  Daniel Bates  <dabates@apple.com>

        Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
        https://bugs.webkit.org/show_bug.cgi?id=137277

        Reviewed by Alexey Proskuryakov.

        Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
        forward declaring XPC functions.

        * inspector/remote/RemoteInspector.mm:
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:

2014-10-01  Anders Carlsson  <andersca@apple.com>

        Use variadic templates for jsMakeNontrivialString
        https://bugs.webkit.org/show_bug.cgi?id=137325

        Reviewed by Sam Weinig.

        * runtime/JSString.h:
        (JSC::jsNontrivialString):
        Add an overload that takes an rvalue reference to a String so we can transfer ownership easily.

        * runtime/JSStringBuilder.h:
        (JSC::jsMakeNontrivialString):
        Make this a variadic function template, with a single-parameter version that can steal the string if it's OK to do so.

2014-10-02  Mark Lam  <mark.lam@apple.com>

        Fixed the Inspector to be able to properly distinguish between scope types.
        <https://webkit.org/b/137279>

        Reviewed by Geoffrey Garen.

        The pre-existing code incorrectly labels Catch Scopes and Function Name Scopes
        as With Scopes.  This patch will fix this.

        * bytecode/BytecodeList.json:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPushFunctionNameScope):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        - These now passes stores the desired JSNameScope::Type in a bytecode operand.
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::isCatchScope):
        (JSC::DebuggerScope::isFunctionNameScope):
        - Added queries to be able to explicitly test if the scope is a CatchScope
          or FunctionNameScope.  The FunctionNameScope is the case where the
          NameScope is used to capture the function name of a function expression.
        * debugger/DebuggerScope.h:
        * inspector/InjectedScriptSource.js:
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeType):
        * inspector/JSJavaScriptCallFrame.h:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
        (Inspector::jsJavaScriptCallFrameConstantFUNCTION_NAME_SCOPE):
        * inspector/protocol/Debugger.json:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_push_name_scope):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_push_name_scope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::addNameScopeIfNeeded):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::create):
        (JSC::JSNameScope::isFunctionNameScope):
        (JSC::JSNameScope::isCatchScope):
        (JSC::JSNameScope::JSNameScope):
        - Now stores the JSNameScope::Type in a field.

2014-10-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r174180, r174183, and r174186.
        https://bugs.webkit.org/show_bug.cgi?id=137320

        Broke the Mac MountainLion build. Will investigate offline.
        (Requested by dydz on #webkit).

        Reverted changesets:

        "Clean up: Move XPC forward declarations in JavaScriptCore to
        WTF SPI wrapper header"
        https://bugs.webkit.org/show_bug.cgi?id=137277
        http://trac.webkit.org/changeset/174180

        "Attempt to fix the build after
        <https://trac.webkit.org/changeset/174180>"
        https://bugs.webkit.org/show_bug.cgi?id=137277
        http://trac.webkit.org/changeset/174183

        "Another attempt to fix the Mac build after
        <https://trac.webkit.org/changeset/174180>"
        https://bugs.webkit.org/show_bug.cgi?id=137277
        http://trac.webkit.org/changeset/174186

2014-10-01  Daniel Bates  <dabates@apple.com>

        Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
        https://bugs.webkit.org/show_bug.cgi?id=137277

        Reviewed by Alexey Proskuryakov.

        Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
        forward declaring XPC functions.

        * inspector/remote/RemoteInspector.mm:
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:

2014-10-01  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Show files in the appropriate
        folders in Visual Studio.

2014-10-01  Filip Pizlo  <fpizlo@apple.com>

        Object allocation sinking is broken for escaping sites in loops
        https://bugs.webkit.org/show_bug.cgi?id=137310

        Reviewed by Michael Saboff.
        
        I tried to do this clever forward-flow based materialization point placement, and I messed up loops. Disabling
        the phase for now and landing a test to demonstrate what it going on.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * runtime/Options.h:
        * tests/stress/object-escapes-in-loop.js: Added.
        (foo):
        (bar):

2014-10-01  Saam Barati  <saambarati1@gmail.com>

        Support the type profiler in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=136712

        Reviewed by Filip Pizlo.

        This patch implements op_profile_type inside the DFG as the node: ProfileType.
        The DFG will convert the ProfileType node into a Check node in the cases where
        passing a type check is equivalent to writing to the TypeProfilerLog. This
        gives the DFG the potential to optimize out multiple ProfileType nodes into
        a single Check node.

        When the DFG doesn't convert ProfileType into a Check node, it will generate
        the same inline code as the baseline JIT does for writing an entry to the
        TypeProfilerLog.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::typeLocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::logTypesForTypeLocation):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::dumpTypes):
        (JSC::TypeSet::doesTypeConformTo):
        Make this method public so others can reason about the types a TypeSet has seen.
        (JSC::TypeSet::seenTypes): Deleted.
        (JSC::TypeSet::dumpSeenTypes): Deleted.
        Renamed to dumpTypes so the method seenTypes can be used as a public getter.
        * runtime/TypeSet.h:
        (JSC::TypeSet::seenTypes):
        * tests/typeProfiler/dfg-jit-optimizations.js: Added.
        (tierUpToDFG):
        (funcs):
        (.return):

2014-10-01  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-30  Filip Pizlo  <fpizlo@apple.com>

        DFG SSA should use PutLocal/KillLocal instead of SetLocal to communicate what is flushed to the stack and when
        https://bugs.webkit.org/show_bug.cgi?id=137242

        Reviewed by Geoffrey Garen.
        
        OSR availability has to do with telling you the various ways that you could go about getting
        the value of a bytecode variable. It can give you two options: node availability means that
        there is a node in the DFG IR that has the right value, and flush availability tells you
        that the value was already stored to the stack. The clients of OSR availability would
        typically prefer flush over node availability.
        
        Previously OSR availability was affected thusly by the various local-related nodes: SetLocal
        set both the node and flush availability, MovHint set node availability and cleared flush
        availability, GetArgument set both, and ZombieHint cleared both.
        
        A MovHint could be turned into a ZombieHint if its source value was DCEd.
        
        The fact that each node affected both node and flush availability caused weirdness. For
        example it meant that we could not insert MovHints in areas of the CFG where a SetLocal's
        variable was still live, because then those parts of the code would forget that they had an
        availability flush. This meant that if a flush was available, we wouldn't insert MovHints,
        and so we would forget that a node was in fact available. This kind of "either-or" picking
        was not only hackish but it led to interesting problems for IR transformation: for example
        if you tried to do any kind of code motion on SetLocals, you had to be super careful because
        you might violate the rule that "MovHints must exist for a live local if a flush is
        unavailable".
        
        The right thing to do is to have independent nodes for flushing and making nodes available.
        They shouldn't interact with each other. This patch accomplishes this:
        
        - PutLocal means that that a value is to be stored to the stack. It makes a flush available.
        - KillLocal means that the value stored to the stack is no longer available for the purposes
          of OSR (i.e. it no longer accurately corresponds to what that actual bytecode variable
          would have been, so you have to fall back on node availability).
        - MovHint means that a node is available. It has no effect on flush availability.
        - ZombieHint means that a node is not available. It has no effect on flush availability.
        
        This means that we will see a lot of KillLocals and MovHints right next to each other. It's
        a bit verbose, but at least it's precise.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAvailability.h:
        (JSC::DFG::Availability::setFlush):
        (JSC::DFG::Availability::setNode):
        (JSC::DFG::Availability::setNodeUnavailable):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal): Deleted.

2014-10-01  Brent Fulgham  <bfulgham@apple.com>

        [Win] 32-bit JavaScriptCore should limit itself to the C loop
        https://bugs.webkit.org/show_bug.cgi?id=137304
        <rdar://problem/18375370>

        Reviewed by Michael Saboff.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
        Use the C loop for 32-bit builds.

2014-09-30  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: ErrorString should be passed by reference
        https://bugs.webkit.org/show_bug.cgi?id=137257

        Reviewed by Joseph Pecoraro.

        Pass the leading ErrorString argument by reference, since it is always an out parameter.
        Clean up callsites where the error message is written.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getInternalProperties):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::disable):
        (Inspector::InspectorAgent::initialized):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::disable):
        (Inspector::InspectorConsoleAgent::clearMessages):
        (Inspector::InspectorConsoleAgent::reset):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::enable):
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::getScriptSource):
        (Inspector::InspectorDebuggerAgent::getFunctionDetails):
        (Inspector::InspectorDebuggerAgent::pause):
        (Inspector::InspectorDebuggerAgent::resume):
        (Inspector::InspectorDebuggerAgent::stepOver):
        (Inspector::InspectorDebuggerAgent::stepInto):
        (Inspector::InspectorDebuggerAgent::stepOut):
        (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::setOverlayMessage):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
        (Inspector::InspectorDebuggerAgent::assertPaused):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::releaseObject):
        (Inspector::InspectorRuntimeAgent::releaseObjectGroup):
        (Inspector::InspectorRuntimeAgent::run):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
        (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
        (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
        (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:

2014-09-30  Mark Lam  <mark.lam@apple.com>

        Label some asserts as having security implications.
        <https://webkit.org/b/137260>

        Reviewed by Filip Pizlo.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::handleAssertionFailure):
        * runtime/JSCell.h:
        (JSC::jsCast):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):

2014-09-30  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r174025): Invalid cast in JSC::asString
        https://bugs.webkit.org/show_bug.cgi?id=137224

        Reviewed by Geoffrey Garen.
        
        Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
        when we speak of "the value being stored" we are really referring to the right value.
        
        The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
        child3. So we were incorrectly removing all barriers from PutClosureVar.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2014-09-30  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: use static Strings instead of AtomicStrings for replay input type tags
        https://bugs.webkit.org/show_bug.cgi?id=137086

        Reviewed by Joseph Pecoraro.

        This pattern doesn't work when we want to define some inputs in WebKit2.
        The ReplayInputTypes class was generated from WebCore inputs only. This
        patch moves all input traits to use static local Strings as type tags.

        * replay/scripts/CodeGeneratorReplayInputs.py: Remove configuration of how
        type tags are generated, since all framework targets now generate the same code.

        * replay/NondeterministicInput.h:
        * replay/scripts/CodeGeneratorReplayInputs.py: Simplify and rebase test results.
        (Generator.generate_input_trait_implementation):
        * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Simplify templates.

        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::SavedMouseButton>::type):
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::SavedMouseButton>::type):
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::HandleWheelEvent>::type):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::FormCombo>::type):
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::GetCurrentTime>::type):
        (JSC::InputTraits<Test::SetRandomSeed>::type):
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::ArrayOfThings>::type):
        (JSC::InputTraits<Test::SavedHistory>::type):
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::ScalarInput1>::type):
        (JSC::InputTraits<Test::ScalarInput2>::type):
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
        (JSC::InputTraits<Test::ScalarInput>::type):
        (JSC::InputTraits<Test::MapInput>::type):
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:

2014-09-30  Daniel Bates  <dabates@apple.com>

        REGRESSION (r172532): JSBase.h declares NSMapTable functions that are SPI
        https://bugs.webkit.org/show_bug.cgi?id=137170
        <rdar://problem/18477384>

        Reviewed by Geoffrey Garen.

        Move conditional include of header Foundation/NSMapTablePriv.h and forward declarations
        of NSMapTable SPI from file JavaScriptCore/API/JSBase.h to WTF/wtf/spi/cocoa/NSMapTableSPI.h.

        * API/JSBase.h:
        * API/JSManagedValue.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h.
        * API/JSVirtualMachine.mm: Ditto.
        * API/JSVirtualMachineInternal.h: Forward declare class NSMapTable.
        * API/JSWrapperMap.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h. Also, order
        #include directives such that they are sorted in alphabetical order.

2014-09-30  Oliver Hunt  <oliver@apple.com>

        Fix C API header
        https://bugs.webkit.org/show_bug.cgi?id=137254
        <rdar://problem/18487528>

        Build fix

        Guard extern "C" behind __cplusplus ifdef

        * API/JSBase.h:

2014-09-29  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: InjectedScripts should not be profiled or displayed in Timeline
        https://bugs.webkit.org/show_bug.cgi?id=136806

        Reviewed by Timothy Hatcher.

        It doesn't make sense to show profile nodes for injected scripts when profiling user content.
        For now, omit nodes by suspending profiling before and after executing injected scripts.

        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::suspendProfiling): Added.
        (JSC::LegacyProfiler::unsuspendProfiling): Added.
        * profiler/LegacyProfiler.h:
        * profiler/ProfileGenerator.cpp: Add isSuspended() flag, remove unused typedef.
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        * profiler/ProfileGenerator.h:
        (JSC::ProfileGenerator::setIsSuspended): Added.

2014-09-29  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: InspectorValues should use references for out parameters
        https://bugs.webkit.org/show_bug.cgi?id=137190

        Reviewed by Joseph Pecoraro.

        Use references for out parameters in asType() and getType() methods.
        Also convert to references in some miscellaneous code where we don't
        expect or handle null values.

        Remove variants of asObject() and asArray() that return a nullable RefPtr.
        Now, client code is forced to use out parameters and check for cast failure.

        Iron out control flow in some functions and fix some style issues.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::wrapObject):
        (Inspector::InjectedScript::wrapTable):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId): Simplify control flow.
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):
        (Inspector::getPropertyValue):
        (Inspector::AsMethodBridges::asInteger):
        (Inspector::AsMethodBridges::asDouble):
        (Inspector::AsMethodBridges::asString):
        (Inspector::AsMethodBridges::asBoolean):
        (Inspector::AsMethodBridges::asObject):
        (Inspector::AsMethodBridges::asArray):
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
        * inspector/InspectorValues.cpp: Use more by-reference out parameters. Add more spacing.
        (Inspector::InspectorValue::asBoolean):
        (Inspector::InspectorValue::asDouble):
        (Inspector::InspectorValue::asInteger):
        (Inspector::InspectorValue::asString):
        (Inspector::InspectorValue::asValue):
        (Inspector::InspectorValue::asObject):
        (Inspector::InspectorValue::asArray):
        (Inspector::InspectorValue::parseJSON):
        (Inspector::InspectorValue::toJSONString):
        (Inspector::InspectorValue::writeJSON):
        (Inspector::InspectorBasicValue::asBoolean):
        (Inspector::InspectorBasicValue::asDouble):
        (Inspector::InspectorBasicValue::asInteger):
        (Inspector::InspectorBasicValue::writeJSON):
        (Inspector::InspectorString::asString):
        (Inspector::InspectorString::writeJSON):
        (Inspector::InspectorObjectBase::asObject):
        (Inspector::InspectorObjectBase::openAccessors):
        (Inspector::InspectorObjectBase::getBoolean):
        (Inspector::InspectorObjectBase::getString):
        (Inspector::InspectorObjectBase::getObject):
        (Inspector::InspectorObjectBase::getArray):
        (Inspector::InspectorObjectBase::writeJSON):
        (Inspector::InspectorArrayBase::asArray):
        (Inspector::InspectorArrayBase::writeJSON):
        * inspector/InspectorValues.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/scripts/codegen/generate_protocol_types_implementation.py:
        (ProtocolTypesImplementationGenerator):
        (ProtocolTypesImplementationGenerator._generate_assertion_for_enum):
        * inspector/scripts/codegen/generator_templates.py:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::asObject):
        (JSC::EncodedValue::asArray):
        (JSC::EncodedValue::convertTo<bool>):
        (JSC::EncodedValue::convertTo<double>):
        (JSC::EncodedValue::convertTo<float>):
        (JSC::EncodedValue::convertTo<int32_t>):
        (JSC::EncodedValue::convertTo<int64_t>):
        (JSC::EncodedValue::convertTo<uint32_t>):
        (JSC::EncodedValue::convertTo<uint64_t>):
        (JSC::EncodedValue::convertTo<String>):

2014-09-29  Filip Pizlo  <fpizlo@apple.com>

        DFG HasStructureProperty codegen should use one fewer registers
        https://bugs.webkit.org/show_bug.cgi?id=137235

        Reviewed by Andreas Kling.
        
        This was an obvious source of inefficiency and it was causing us to run out of registers on
        x86-32.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-29  Filip Pizlo  <fpizlo@apple.com>

        Don't use GPRResult unless you're flushing registers and making a runtime function call
        https://bugs.webkit.org/show_bug.cgi?id=137234

        Rubber stamped by Andreas Kling.

        Rename GPRResult to GPRFlushedCallResult, in an attempt to dissuade people from using it for results in the
        general case.
        
        Replace GPRResult with GPRTemporary in those places where it was causing bugs: particularly in GetDirectPname it
        would cause us to spill the register that has the base, and the code was assuming (rightly) that the base and the
        result were in different registers. That's a valid assumption when using GPRTemporary but not with GPRResult.
        Also this code wasn't getting any benefit from using GPRResult because it wasn't doing flushRegisters().
        
        I don't know how to test this. A test would require setting up a particularly awkward register allocation state.
        
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::GPRFlushedCallResult::GPRFlushedCallResult):
        (JSC::DFG::GPRFlushedCallResult2::GPRFlushedCallResult2):
        (JSC::DFG::GPRResult::GPRResult): Deleted.
        (JSC::DFG::GPRResult2::GPRResult2): Deleted.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):

2014-09-29  Diego Pino Garcia  <dpino@igalia.com>

        Missing changes from r174049
        https://bugs.webkit.org/show_bug.cgi?id=137206

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h:

2014-09-28  Diego Pino Garcia  <dpino@igalia.com>

        Simple ES6 feature: Number constructor extras
        https://bugs.webkit.org/show_bug.cgi?id=131707

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation): Setup constants and
        functions.
        (JSC::numberConstructorFuncIsFinite): Added.
        (JSC::numberConstructorFuncIsInteger): Added.
        (JSC::numberConstructorFuncIsNaN): Added.
        (JSC::numberConstructorFuncIsSafeInteger): Added.
        (JSC::NumberConstructor::getOwnPropertySlot): Deleted.
        (JSC::numberConstructorNaNValue): Deleted.
        (JSC::numberConstructorNegInfinity): Deleted.
        (JSC::numberConstructorPosInfinity): Deleted.
        (JSC::numberConstructorMaxValue): Deleted.
        (JSC::numberConstructorMinValue): Deleted.
        * runtime/NumberConstructor.h:

2014-09-26  Filip Pizlo  <fpizlo@apple.com>

        Disable function.arguments
        https://bugs.webkit.org/show_bug.cgi?id=137167

        Rubber stamped by Geoffrey Garen.
        
        Add an option to disable function.arguments. Add a test for disabling it.
        
        Disabling function.arguments means that it returns an Arguments object that claims that
        there were zero arguments. All other Arguments functionality still works, so any code
        that tries to inspect this object will still think that it is looking at a perfectly
        valid Arguments object.
        
        This also makes function.arguments disabled by default. Note that the RJST harness will
        enable them by default, to continue to get test coverage for the code that implements
        the feature.
        
        We will rip out that code once we're confident that it's really safe to remove this
        feature. Only once we rip out that support will we be able to do optimizations to
        leverage the lack of this feature. It's important to keep the support code, and the test
        infrastructure, in place before we are confident. The logic to keep this working touches
        the entire compiler and a large chunk of the runtime, so reimplementing it - or even
        merging it back in - would be a nightmare. That's also basically the reason why we want
        to rip it out if at all possible. It's a lot of terrible code.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::createArguments):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::finishCreation):
        * runtime/Options.h:
        * tests/stress/disable-function-dot-arguments.js: Added.
        (foo):
        (bar):

2014-09-26  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
        https://bugs.webkit.org/show_bug.cgi?id=137038

        Reviewed by Timothy Hatcher.

        Add a new protocol command "Inspector.initialized" that signifies to the backend
        when the frontend has sent all its initialization messages to the backend. This
        can include information like breakpoints, which we would want to have loaded
        before any JavaScript evaluates in the context.

        * inspector/protocol/InspectorDomain.json:
        New protocol command, Inspector.initialized.

        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::InspectorAgent):
        (Inspector::InspectorAgent::initialized):
        Tell the InspectorEnvironment (the Controller) the frontend has initialized.

        * inspector/InspectorEnvironment.h:
        Abstract virtual method to handle frontend initialization. To be
        implemented by all of the InspectorControllers.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
        (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
        When a frontend is initialized, if it was automatic inspection unpause the debuggable.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
        Complete setup for this debuggable.

        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        Move the setup complete to later, when the frontend sends an "initialized" message.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
        Provide a longer timeout now that the frontend must send messages after the connection
        has established. The longest I have seen in  600ms, but the average tends to be 200ms.
        So bump the timeout to 800ms for a buffer.

        (Inspector::RemoteInspector::setupSucceeded): Deleted.
        (Inspector::RemoteInspector::setupCompleted):
        Rename, as this happens at a slightly different time.

2014-09-26  Filip Pizlo  <fpizlo@apple.com>

        DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
        https://bugs.webkit.org/show_bug.cgi?id=137161

        Reviewed by Mark Hahnenberg.
        
        This looks like a 1% Octane speed-up.

        * bytecode/SpeculatedType.h:
        (JSC::isNotCellSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::insertCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNotCell):

2014-09-26  Peter Varga  <pvarga@webkit.org>

        Fix typo in YARR at BOL check
        https://bugs.webkit.org/show_bug.cgi?id=137144

        Reviewed by Darin Adler.

        * yarr/YarrPattern.cpp: replace bitwise and operator by logical and
        (JSC::Yarr::YarrPatternConstructor::assertionBOL):

2014-09-25  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: console.assert(bitString) TypeSet:50 
        https://bugs.webkit.org/show_bug.cgi?id=137051

        Reviewed by Joseph Pecoraro.

        This patch creates stricter requirements on a TypeDescription
        being valid. To be valid, a TypeDescription now ensures that 
        the TypeSet it describes has non null type information.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * runtime/TypeSet.h:
        (JSC::TypeSet::isEmpty):

2014-09-25  Filip Pizlo  <fpizlo@apple.com>

        FTL should sink object allocations
        https://bugs.webkit.org/show_bug.cgi?id=136330

        Reviewed by Oliver Hunt.
        
        This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
        ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
        eliminate it completely. The way sinking reasons about the CFG means that it resembles a
        partial escape analysis: we create paths through a function where some allocation(s) don't
        have to be done at all even if there are other paths along which those allocations still have
        to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
        along any path, the act of sinking reduces the number of barriers that have to execute.
        
        Because this was a fairly ambituous SSA analysis and transformation, I added a bunch of C++11
        sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
        successors; and to add more functor goodness to allow for more lambdas.
        
        This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
        is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
        benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
        That's just an omission and there are likely others; we can easily fix them. I think it's
        best to land it in its current form and then to worry about the big benchmarks in subsequent
        work (see bug 137126).

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/StructureSet.h:
        (JSC::StructureSet::iterator::iterator):
        (JSC::StructureSet::iterator::operator*):
        (JSC::StructureSet::iterator::operator++):
        (JSC::StructureSet::iterator::operator==):
        (JSC::StructureSet::iterator::operator!=):
        (JSC::StructureSet::begin):
        (JSC::StructureSet::end):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::phiChildren):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
        * dfg/DFGAvailability.h:
        (JSC::DFG::Availability::shouldUseNode):
        (JSC::DFG::Availability::isFlushUseful):
        (JSC::DFG::Availability::isDead):
        (JSC::DFG::Availability::operator!=):
        * dfg/DFGAvailabilityMap.cpp: Added.
        (JSC::DFG::AvailabilityMap::prune):
        (JSC::DFG::AvailabilityMap::clear):
        (JSC::DFG::AvailabilityMap::dump):
        (JSC::DFG::AvailabilityMap::operator==):
        (JSC::DFG::AvailabilityMap::merge):
        * dfg/DFGAvailabilityMap.h: Added.
        (JSC::DFG::AvailabilityMap::forEachAvailability):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::SSAData::SSAData):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::begin):
        (JSC::DFG::BasicBlock::end):
        (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
        (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
        (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
        (JSC::DFG::BasicBlock::SuccessorsIterable::end):
        (JSC::DFG::BasicBlock::successors):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushedAt.cpp:
        (JSC::DFG::FlushedAt::dump):
        * dfg/DFGFlushedAt.h:
        (JSC::DFG::FlushedAt::FlushedAt):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::mergeRelevantToOSR):
        (JSC::DFG::Graph::invalidateCFG):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
        (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
        (JSC::DFG::Graph::NaturalBlockIterable::begin):
        (JSC::DFG::Graph::NaturalBlockIterable::end):
        (JSC::DFG::Graph::blocksInNaturalOrder):
        (JSC::DFG::Graph::doToChildrenWithNode):
        (JSC::DFG::Graph::doToChildren):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
        (JSC::DFG::insertOSRHintsForUpdate):
        * dfg/DFGInsertOSRHintsForUpdate.h: Added.
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::graph):
        * dfg/DFGMayExit.cpp:
        (JSC::DFG::mayExit):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffsetHint):
        (JSC::DFG::Node::convertToPutStructureHint):
        (JSC::DFG::Node::convertToPhantomNewObject):
        (JSC::DFG::Node::isCellConstant):
        (JSC::DFG::Node::castConstant):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::hasObjectMaterializationData):
        (JSC::DFG::Node::objectMaterializationData):
        (JSC::DFG::Node::isPhantomObjectAllocation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
        (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
        (JSC::DFG::ObjectAllocationSinkingPhase::run):
        (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
        (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
        (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
        (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
        (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
        (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
        (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
        (JSC::DFG::performObjectAllocationSinking):
        * dfg/DFGObjectAllocationSinkingPhase.h: Added.
        * dfg/DFGObjectMaterializationData.cpp: Added.
        (JSC::DFG::PhantomPropertyValue::dump):
        (JSC::DFG::ObjectMaterializationData::dump):
        (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
        (JSC::DFG::ObjectMaterializationData::similarityScore):
        * dfg/DFGObjectMaterializationData.h: Added.
        (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
        (JSC::DFG::PhantomPropertyValue::operator==):
        * dfg/DFGPhantomCanonicalizationPhase.cpp:
        (JSC::DFG::PhantomCanonicalizationPhase::run):
        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * dfg/DFGPhiChildren.cpp: Added.
        (JSC::DFG::PhiChildren::PhiChildren):
        (JSC::DFG::PhiChildren::~PhiChildren):
        (JSC::DFG::PhiChildren::upsilonsOf):
        * dfg/DFGPhiChildren.h: Added.
        (JSC::DFG::PhiChildren::forAllIncomingValues):
        (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPrePostNumbering.cpp: Added.
        (JSC::DFG::PrePostNumbering::PrePostNumbering):
        (JSC::DFG::PrePostNumbering::~PrePostNumbering):
        (JSC::DFG::PrePostNumbering::compute):
        (WTF::printInternal):
        * dfg/DFGPrePostNumbering.h: Added.
        (JSC::DFG::PrePostNumbering::preNumber):
        (JSC::DFG::PrePostNumbering::postNumber):
        (JSC::DFG::PrePostNumbering::isStrictAncestorOf):
        (JSC::DFG::PrePostNumbering::isAncestorOf):
        (JSC::DFG::PrePostNumbering::isStrictDescendantOf):
        (JSC::DFG::PrePostNumbering::isDescendantOf):
        (JSC::DFG::PrePostNumbering::edgeKind):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPromoteHeapAccess.h: Added.
        (JSC::DFG::promoteHeapAccess):
        * dfg/DFGPromotedHeapLocation.cpp: Added.
        (JSC::DFG::PromotedLocationDescriptor::dump):
        (JSC::DFG::PromotedHeapLocation::createHint):
        (JSC::DFG::PromotedHeapLocation::dump):
        (WTF::printInternal):
        * dfg/DFGPromotedHeapLocation.h: Added.
        (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
        (JSC::DFG::PromotedLocationDescriptor::operator!):
        (JSC::DFG::PromotedLocationDescriptor::kind):
        (JSC::DFG::PromotedLocationDescriptor::info):
        (JSC::DFG::PromotedLocationDescriptor::hash):
        (JSC::DFG::PromotedLocationDescriptor::operator==):
        (JSC::DFG::PromotedLocationDescriptor::operator!=):
        (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
        (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
        (JSC::DFG::PromotedHeapLocation::operator!):
        (JSC::DFG::PromotedHeapLocation::kind):
        (JSC::DFG::PromotedHeapLocation::base):
        (JSC::DFG::PromotedHeapLocation::info):
        (JSC::DFG::PromotedHeapLocation::descriptor):
        (JSC::DFG::PromotedHeapLocation::hash):
        (JSC::DFG::PromotedHeapLocation::operator==):
        (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
        (JSC::DFG::PromotedHeapLocationHash::hash):
        (JSC::DFG::PromotedHeapLocationHash::equal):
        * dfg/DFGSSACalculator.cpp:
        (JSC::DFG::SSACalculator::reset):
        * dfg/DFGSSACalculator.h:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitPropertyValue.cpp: Added.
        (JSC::FTL::ExitPropertyValue::dump):
        * ftl/FTLExitPropertyValue.h: Added.
        (JSC::FTL::ExitPropertyValue::ExitPropertyValue):
        (JSC::FTL::ExitPropertyValue::operator!):
        (JSC::FTL::ExitPropertyValue::location):
        (JSC::FTL::ExitPropertyValue::value):
        * ftl/FTLExitTimeObjectMaterialization.cpp: Added.
        (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
        (JSC::FTL::ExitTimeObjectMaterialization::add):
        (JSC::FTL::ExitTimeObjectMaterialization::get):
        (JSC::FTL::ExitTimeObjectMaterialization::dump):
        * ftl/FTLExitTimeObjectMaterialization.h: Added.
        (JSC::FTL::ExitTimeObjectMaterialization::type):
        (JSC::FTL::ExitTimeObjectMaterialization::properties):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::materializeNewObject):
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isObjectMaterialization):
        (JSC::FTL::ExitValue::objectMaterialization):
        (JSC::FTL::ExitValue::withVirtualRegister):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileNewObject):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
        (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
        (JSC::FTL::LowerDFGToLLVM::checkStructure):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::storeStructure):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::weakStructureID):
        (JSC::FTL::LowerDFGToLLVM::weakStructure):
        (JSC::FTL::LowerDFGToLLVM::availabilityMap):
        (JSC::FTL::LowerDFGToLLVM::availability): Deleted.
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileRecovery):
        (JSC::FTL::compileStub):
        * ftl/FTLOperations.cpp: Added.
        (JSC::FTL::operationNewObjectWithButterfly):
        (JSC::FTL::operationMaterializeObjectInOSR):
        * ftl/FTLOperations.h: Added.
        * ftl/FTLSwitchCase.h:
        (JSC::FTL::SwitchCase::SwitchCase):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSFinalObject::JSFinalObject):
        (JSC::JSFinalObject::create):
        * runtime/Structure.cpp:
        (JSC::Structure::canUseForAllocationsOf):
        * runtime/Structure.h:
        * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
        (sumOfArithSeries):
        (foo):
        * tests/stress/elide-new-object-dag-then-exit.js: Added.
        (sumOfArithSeries):
        (bar):
        (verify):
        (foo):
        * tests/stress/obviously-elidable-new-object-then-exit.js: Added.
        (sumOfArithSeries):
        (foo):

2014-09-25  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: Check event loop input extents during replaying too
        https://bugs.webkit.org/show_bug.cgi?id=136316

        Reviewed by Timothy Hatcher.

        Sometimes we see different nondeterminism during capture and replay
        executions, so we should add determinism checks during replay too.

        Move the withinEventLoopInputExtent flag to the base class, and tighten
        the assertion to address <http://webkit.org/b/133019>.

        * replay/InputCursor.h:
        (JSC::InputCursor::InputCursor):
        (JSC::InputCursor::setWithinEventLoopInputExtent): Added.
        This assertion is slightly wrong because it does not account for nested run loops.
        We can be within two input extents when a nested run loop processes additional
        user inputs while the debugger is paused.

        This should only be the case when execution is being neither captured or
        replayed. The debugger should not pause when capturing, and we should not replay
        event loop inputs while in a nested run loop.

        (JSC::InputCursor::withinEventLoopInputExtent): Added.

2014-09-25  Csaba Osztrogonác  <ossy@webkit.org>

        Remove WinCE port from trunk
        https://bugs.webkit.org/show_bug.cgi?id=136951

        Reviewed by Alex Christensen.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::cacheFlush):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::cacheFlush):
        * config.h:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromCurrentThread):
        (JSC::MachineThreads::gatherFromOtherThread):
        (JSC::swapIfBackwards): Deleted.
        * jit/ExecutableAllocator.h:
        * jsc.cpp:
        (main):
        * runtime/DateConstructor.cpp:
        * runtime/Options.cpp:
        (JSC::overrideOptionWithHeuristic):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * testRegExp.cpp:
        (main):
        * tools/CodeProfiling.cpp:
        (JSC::CodeProfiling::notifyAllocator):

2014-09-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: subtract elapsed time while debugger is paused from profile nodes
        https://bugs.webkit.org/show_bug.cgi?id=136796

        Reviewed by Timothy Hatcher.

        Rather than accruing no time to any profile node created while the debugger is paused,
        we can instead count a node's elapsed time and exclude time elapsed while paused.

        Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
        didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
        start of the last such interval that accrues elapsed time.

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::beginCallEntry):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::didPause): Added.
        (JSC::ProfileGenerator::didContinue): Added.
        * profiler/ProfileGenerator.h:
        (JSC::ProfileGenerator::didPause): Deleted.
        (JSC::ProfileGenerator::didContinue): Deleted.
        * profiler/ProfileNode.h: Rename totalTime to elapsedTime.
        (JSC::ProfileNode::Call::Call):
        (JSC::ProfileNode::Call::elapsedTime): Added.
        (JSC::ProfileNode::Call::setElapsedTime): Added.
        (JSC::CalculateProfileSubtreeDataFunctor::operator()):
        (JSC::ProfileNode::Call::totalTime): Deleted.
        (JSC::ProfileNode::Call::setTotalTime): Deleted.

2014-09-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173839.
        https://bugs.webkit.org/show_bug.cgi?id=137062

        NumberConstruct should no longer use static tables (Requested
        by dpino on #webkit).

        Reverted changeset:

        "Simple ES6 feature: Number constructor extras"
        https://bugs.webkit.org/show_bug.cgi?id=131707
        http://trac.webkit.org/changeset/173839

2014-09-23  Mark Lam  <mark.lam@apple.com>

        DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
        <https://webkit.org/b/137045>

        Reviewed by Geoffrey Garen.

        DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
        in the debugger stack, but only invalidates the DebuggerScope chain of the
        top most frame.  We should also invalidate all the DebuggerScope chains of
        the other frames in the debugger stack.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::invalidate):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::invalidateChain):

2014-09-23  Mark Lam  <mark.lam@apple.com>

        Renamed DebuggerCallFrameScope to DebuggerPausedScope.
        <https://webkit.org/b/137042>

        Reviewed by Michael Saboff.

        DebuggerPausedScope is a better name for this data structure because it
        is meant for tracking the period within which the debugger is paused,
        and doing clean ups after the pause ends.

        * debugger/Debugger.cpp:
        (JSC::DebuggerPausedScope::DebuggerPausedScope):
        (JSC::DebuggerPausedScope::~DebuggerPausedScope):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
        (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.h:

2014-09-23  Tomas Popela  <tpopela@redhat.com>

        [CLoop] - Fix CLoop on the 32-bit Big-Endians
        https://bugs.webkit.org/show_bug.cgi?id=137020

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:

2014-09-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
        https://bugs.webkit.org/show_bug.cgi?id=136893

        Reviewed by Timothy Hatcher.

        Adds new remote inspector protocol handling for automatic inspection.
        Debuggers can signal they have enabled automatic inspection, and
        when debuggables are created the current application will pause to
        see if the debugger will inspect or decline to inspect the debuggable.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::globalAutomaticInspectionState):
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        When first starting, check the global "is there an auto-inspect" debugger state.
        This is necessary so that the current application knows if it should pause or
        not when a debuggable is created, even without having connected to webinspectord yet.

        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
        When a debuggable has enabled remote inspection, take this path to propose
        it as an automatic inspection candidate if there is an auto-inspect debugger.

        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
        Send the automatic inspection candidate message.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupSucceeded):
        After attempting to open an inspector, unpause if it was for the
        automatic inspection candidate.

        (Inspector::RemoteInspector::waitingForAutomaticInspection):
        When running a nested runloop, check if we should remain paused.

        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        If by the time we connect to webinspectord we have a candidate, then
        immediately send the candidate message.

        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        In error cases, clear our state.

        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
        Update state when receiving new messages.


        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        Special case when a debuggable is newly allowed to be debuggable.

        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
        Run a nested run loop while this is an automatic inspection candidate.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        When the inspector starts via automatic inspection automatically pause.
        We plan on removing this condition by having the frontend signal to the
        backend when it is completely initialized.
        
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        Pass on the flag of whether or not this was automatic inspection.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
        When pausing in a JSGlobalObject we need to release the API lock.

2014-09-22  Filip Pizlo  <fpizlo@apple.com>

        FTL allocatePropertyStorage code should involve less copy-paste
        https://bugs.webkit.org/show_bug.cgi?id=137006

        Reviewed by Michael Saboff.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):

2014-09-22  Diego Pino Garcia  <dpino@igalia.com>

        Simple ES6 feature: Number constructor extras
        https://bugs.webkit.org/show_bug.cgi?id=131707

        Reviewed by Darin Adler.

        * runtime/CommonIdentifiers.h: Added new identifiers.
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::isFunction): Added.
        (JSC::numberConstructorEpsilonValue): Added.
        (JSC::numberConstructorNegInfinity): Added.
        (JSC::numberConstructorPosInfinity): Added.
        (JSC::numberConstructorMaxValue): Added.
        (JSC::numberConstructorMinValue): Added.
        (JSC::numberConstructorMaxSafeInteger): Added.
        (JSC::numberConstructorMinSafeInteger): Added.
        (JSC::numberConstructorFuncIsFinite): Added.
        (JSC::numberConstructorFuncIsInteger): Added.
        (JSC::numberConstructorFuncIsNaN): Added.
        (JSC::numberConstructorFuncIsSafeInteger): Added.
        * runtime/NumberConstructor.h:

2014-09-21  Filip Pizlo  <fpizlo@apple.com>

        FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
        https://bugs.webkit.org/show_bug.cgi?id=136992

        Reviewed by Sam Weinig.
        
        LLVM ought to be able to do this optimization for us given how the code was written, but
        any such lower-level attempts to optimize this would get into trouble with the weird
        object materialization logic I'll be introducing in bug 136330. So, this brings the
        merging of the byte stores into the FTL lowering so that we can control it explicitly.

        * ftl/FTLAbstractHeap.h:
        (JSC::FTL::AbstractHeap::changeParent):
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateCell):

2014-09-21  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: fix TypeSet hierarchy in TypeTokenView
        https://bugs.webkit.org/show_bug.cgi?id=136982

        Reviewed by Joseph Pecoraro.

        TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet 
        object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the 
        type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see 
        if type T is in the set of seen types, but not the entire set itself.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::inspectorTypeSet):

2014-09-21  Filip Pizlo  <fpizlo@apple.com>

        Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
        https://bugs.webkit.org/show_bug.cgi?id=136983

        Reviewed by Mark Hahnenberg.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
        * runtime/Structure.cpp:
        (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
        (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
        (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
        * runtime/Structure.h:
        (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
        * runtime/StructureInlines.h:
        (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.

2014-09-21  Filip Pizlo  <fpizlo@apple.com>

        Structure::getConcurrently() doesn't need to take a VM& argument.

        Rubber stamped by Dan Bernstein.
        
        Removed the extra argument, and then removed similar arguments from other methods until
        I could build successfully again. It turned out that many methods took a VM& argument
        just for calling getConcurrently().

        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        * bytecode/ComplexGetStatus.cpp:
        (JSC::ComplexGetStatus::computeFor):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::mayInterceptStoreTo):
        * runtime/IntendedStructureChain.h:
        * runtime/Structure.cpp:
        (JSC::Structure::getConcurrently):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::getConcurrently):

2014-09-20  Filip Pizlo  <fpizlo@apple.com>

        FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
        https://bugs.webkit.org/show_bug.cgi?id=136978

        Reviewed by Dean Jackson.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::exitValueForNode):
        (JSC::FTL::LowerDFGToLLVM::exitArgument):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
        (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.

2014-09-20  Filip Pizlo  <fpizlo@apple.com>

        FTL OSR exit should do reboxing and value recovery in the same pass
        https://bugs.webkit.org/show_bug.cgi?id=136977

        Reviewed by Oliver Hunt.
        
        It's conceptually simpler to have all of the logic in one place. After the
        recover-and-rebox loop is done, all of the exit values are in the form that the baseline
        JIT would want them to be in; the only remaining task is to move them into the right
        place on the stack after we do all of the necessary stack adjustments.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2014-09-19  Filip Pizlo  <fpizlo@apple.com>

        StorageAccessData should be referenced in a sensible way
        https://bugs.webkit.org/show_bug.cgi?id=136963

        Reviewed and rubber stamped by Michael Saboff.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handlePutByOffset):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::storageAccessData):
        (JSC::DFG::Node::storageAccessDataIndex): Deleted.
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):

2014-09-19  Ryosuke Niwa  <rniwa@webkit.org>

        Leak of mallocs under StructureSet::OutOfLineList::create
        https://bugs.webkit.org/show_bug.cgi?id=136970

        Reviewed by Filip Pizlo.

        addOutOfLine should free the old list when expanding the capacity.

        * bytecode/StructureSet.cpp:
        (JSC::StructureSet::addOutOfLine):

2014-09-19  Daniel Bates  <dabates@apple.com>

        Always assume internal SDK when building configuration Production
        https://bugs.webkit.org/show_bug.cgi?id=136925
        <rdar://problem/18362399>

        Reviewed by Dan Bernstein.

        As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
        and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.

        * Configurations/Base.xcconfig:

2014-09-19  Diego Pino Garcia  <dpino@igalia.com>

        Simple ES6 feature:String prototype additions
        https://bugs.webkit.org/show_bug.cgi?id=131704

        Reviewed by Darin Adler.

        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncStartsWith): Added.
        (JSC::stringProtoFuncEndsWith): Added.
        (JSC::stringProtoFuncContains): Added.

2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed rollout r173731. Broke multiple builds.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::start):
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::globalAutomaticInspectionState): Deleted.
        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
        (Inspector::RemoteInspector::setupSucceeded): Deleted.
        (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
        (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
        * runtime/JSGlobalObjectDebuggable.h:

2014-09-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
        https://bugs.webkit.org/show_bug.cgi?id=136893

        Reviewed by Timothy Hatcher.

        Adds new remote inspector protocol handling for automatic inspection.
        Debuggers can signal they have enabled automatic inspection, and
        when debuggables are created the current application will pause to
        see if the debugger will inspect or decline to inspect the debuggable.

        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::globalAutomaticInspectionState):
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::start):
        When first starting, check the global "is there an auto-inspect" debugger state.
        This is necessary so that the current application knows if it should pause or
        not when a debuggable is created, even without having connected to webinspectord yet.

        (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
        When a debuggable has enabled remote inspection, take this path to propose
        it as an automatic inspection candidate if there is an auto-inspect debugger.

        (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
        Send the automatic inspection candidate message.

        (Inspector::RemoteInspector::receivedSetupMessage):
        (Inspector::RemoteInspector::setupFailed):
        (Inspector::RemoteInspector::setupSucceeded):
        After attempting to open an inspector, unpause if it was for the
        automatic inspection candidate.

        (Inspector::RemoteInspector::waitingForAutomaticInspection):
        When running a nested runloop, check if we should remain paused.

        (Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
        If by the time we connect to webinspectord we have a candidate, then
        immediately send the candidate message.

        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionFailed):
        In error cases, clear our state.

        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
        Update state when receiving new messages.


        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
        Special case when a debuggable is newly allowed to be debuggable.

        (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
        Run a nested run loop while this is an automatic inspection candidate.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::connectFrontend):
        When the inspector starts via automatic inspection automatically pause.
        We plan on removing this condition by having the frontend signal to the
        backend when it is completely initialized.
        
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):
        Pass on the flag of whether or not this was automatic inspection.

        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
        When pausing in a JSGlobalObject we need to release the API lock.

2014-09-18  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
        https://bugs.webkit.org/show_bug.cgi?id=136912

        Reviewed by Darin Adler.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::leastCommonAncestor):

2014-09-17  Michael Saboff  <msaboff@apple.com>

        Change CallFrame to use Callee instead of JSScope to implement vm()
        https://bugs.webkit.org/show_bug.cgi?id=136894

        Reviewed by Geoffrey Garen.

        Added JSCell::vm() method that can be used on any JSObject.  Changed CallFrame::vm() to
        use JSCell::vm with the Callee.  Made similar changes in the LLInt.
        In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
        a chicken/egg problem with trying to use the Callee in the global exec before the Callee
        has been create.  Besides, the vm is readily available in finishCreation(), the caller of
        init().

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.

        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::vm): New method for getting VM from the pointer.
        (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
        contains the implementation of JSCell::vm(), this file is included by all users
        of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
        many other .h files and possible the WebCore generator generate-bindings.pl.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        Changed init() to take a VM parameter.

        * runtime/JSScope.h:
        (JSC::ExecState::vm): Deleted.

2014-09-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, disable native inlining because it causes build failures.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-09-16  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Reduce a bit of churn setting initial remote inspection state
        https://bugs.webkit.org/show_bug.cgi?id=136875

        Reviewed by Timothy Hatcher.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        Set the defaultl remote debuggable state at the API boundary.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        Do not set remote debuggable state here. Let clients set it.

2014-09-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        Promise: Drop Promise.cast
        https://bugs.webkit.org/show_bug.cgi?id=136222

        Reviewed by Sam Weinig.

        Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.

        * runtime/CommonIdentifiers.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructorFuncResolve):
        (JSC::JSPromiseConstructorFuncRace):
        (JSC::JSPromiseConstructorFuncAll):
        (JSC::JSPromiseConstructorFuncCast): Deleted.

2014-09-16  Filip Pizlo  <fpizlo@apple.com>

        Local OSR availability calculation should be reusable
        https://bugs.webkit.org/show_bug.cgi?id=136860

        Reviewed by Oliver Hunt.
        
        Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
        phase. Humorously, it actually did this logic a bit differently; for example the phase
        would claim that a SetLocal makes both the flush and the node available while the FTL
        only claimed that the flush was available. This different was benign, but still: yuck!
        
        Also, previously if you wanted to use availability information then you'd have to repeat
        some of the logic that both the phase itself and the FTL lowering already had.
        Presumably, you could get epic style points for finding other benign ways in which to
        make your copy of the logic different from the other two!
        
        This reduces the amount of style points one could conceivably get in the future when
        hacking JSC, by creating a single reusable thingy for computing local OSR availability.

        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
        (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
        (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::availability):
        (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.

2014-09-16  Csaba Osztrogonác  <ossy@webkit.org>

        JSC test gardening
        https://bugs.webkit.org/show_bug.cgi?id=136823

        Reviewed by Geoffrey Garen.

        * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.

2014-09-15  Michael Saboff  <msaboff@apple.com>

        Create a JSCallee for GlobalExec object
        https://bugs.webkit.org/show_bug.cgi?id=136840

        Reviewed by Geoffrey Garen.

        Added m_globalCallee, initialized it and then used it to set the globalExec's callee.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:

2014-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG ref count calculation should be reusable
        https://bugs.webkit.org/show_bug.cgi?id=136811

        Reviewed by Oliver Hunt.
        
        Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
        will be able to tell you how many places it is used from. Currently only DCE uses this,
        but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
        (JSC::DFG::DCEPhase::countNode): Deleted.
        (JSC::DFG::DCEPhase::countEdge): Deleted.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::computeRefCounts):
        * dfg/DFGGraph.h:

2014-09-12  Michael Saboff  <msaboff@apple.com>

        Merge JSGlobalObject::reset() into ::init()
        https://bugs.webkit.org/show_bug.cgi?id=136800

        Reviewed by Oliver Hunt.

        Moved the contents of reset() into init().
        Note that the diff shows more changes.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Moved body of reset() into init.
        (JSC::JSGlobalObject::put):
        (JSC::JSGlobalObject::defineOwnProperty):
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        (JSC::lastInPrototypeChain):
        (JSC::JSGlobalObject::reset): Deleted.
        * runtime/JSGlobalObject.h:

2014-09-12  Michael Saboff  <msaboff@apple.com>

        Add JSCallee to program and eval CallFrames
        https://bugs.webkit.org/show_bug.cgi?id=136785

        Reviewed by Mark Lam.

        Populated Callee slot for program and call eval CallFrames with a JSCallee objects.
        Made supporting changes including adding a JSCallee structure to global object and adding
        JSCallee::create() method.  Added code so that the newly added callee object won't be
        returned by Function.caller.  Changed null pointer checks of callee to check the if
        the type is JSFunction* or JSCallee*.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        (JSC::DebuggerCallFrame::type):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::createCallIdentifier):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        Changed checks of callee is a JSFunction* or JSCallee* instead of just checking
        if it is null or not.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
        and execute(ProgramExecutable, ...)

        * jit/JITCode.cpp:
        (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.

        * runtime/JSCallee.cpp:
        (JSC::JSCallee::create): Not used, therefore deleted.

        * runtime/JSCallee.h:
        (JSC::JSCallee::create): Added.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::callerGetter): Added test to return null for JSCallee's that aren't
        JSFunction's.  This can only be the case when the JSCallee comes from a program or
        call eval CallFrame.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::calleeStructure):
        Added new JSCallee structure.

2014-09-10  Jon Honeycutt  <jhoneycutt@apple.com>

        Re-add the request autocomplete feature

        <https://bugs.webkit.org/show_bug.cgi?id=136730>

        This feature was rolled out in r148731 because it was only used by
        Chromium. As we consider supporting this feature, roll it back in, but
        leave it disabled.

        This rolls out r148731 (which removed the feature) with small changes
        needed to make the code build in ToT, to match modern style, to make
        the tests run, and to remove unused code.

        Reviewed by Andy Estes.

        * Configurations/FeatureDefines.xcconfig:

2014-09-12  Julien Brianceau  <jbriance@cisco.com>

        [x86] moveDoubleToInts() does not clobber its source register anymore
        https://bugs.webkit.org/show_bug.cgi?id=131690

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::moveDoubleToInts):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueRep):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):

2014-09-12  Mark Lam  <mark.lam@apple.com>

        Unreviewed build fix for CLOOP build.

        * runtime/JSCallee.h:

2014-09-12  Michael Saboff  <msaboff@apple.com>

        Remove unneeded declarations from JSCallee.h
        https://bugs.webkit.org/show_bug.cgi?id=136783

        Reviewed by Mark Lam.

        * runtime/JSCallee.h:
        (JSCallee::name): Deleted.
        (JSCallee::displayName): Deleted.
        (JSCallee::calculatedDisplayName): Deleted.

2014-09-11  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: disambiguate double and integer primitive types in the protocol
        https://bugs.webkit.org/show_bug.cgi?id=136606

        Reviewed by Timothy Hatcher.

        Right now it's really easy to mix up doubles and integers when serializing or deserializing
        values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
        so that it is clearer as to which type is intended.

        A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
        The existing callsites for asNumber/getNumber/setNumber have been fixed.

        Address various integration points to make sure the right type tag is assigned to InspectorValues.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):
        (Inspector::InspectorBackendDispatcher::sendResponse):
        (Inspector::InspectorBackendDispatcher::reportProtocolError):
        (Inspector::AsMethodBridges::asInteger):
        (Inspector::AsMethodBridges::asDouble):
        (Inspector::InspectorBackendDispatcher::getInteger):
        (Inspector::InspectorBackendDispatcher::getDouble):
        (Inspector::AsMethodBridges::asInt): Deleted.
        (Inspector::InspectorBackendDispatcher::getInt): Deleted.
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
        (Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
        (Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
        (Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
        * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
        (Inspector::InspectorValue::asDouble):
        (Inspector::InspectorValue::asInteger):
        (Inspector::InspectorBasicValue::asDouble):
        (Inspector::InspectorBasicValue::asInteger):
        (Inspector::InspectorBasicValue::writeJSON):
        (Inspector::InspectorValue::asNumber): Deleted.
        (Inspector::InspectorBasicValue::asNumber): Deleted.
        * inspector/InspectorValues.h:
        (Inspector::InspectorObjectBase::setInteger):
        (Inspector::InspectorObjectBase::setDouble):
        (Inspector::InspectorArrayBase::pushInteger):
        (Inspector::InspectorArrayBase::pushDouble):
        (Inspector::InspectorObjectBase::setNumber): Deleted.
        (Inspector::InspectorArrayBase::pushInt): Deleted.
        (Inspector::InspectorArrayBase::pushNumber): Deleted.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
        (Generator.keyed_get_method_for_type):
        (Generator.keyed_set_method_for_type):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::convertTo<double>):
        (JSC::EncodedValue::convertTo<float>):
        (JSC::EncodedValue::convertTo<int32_t>):
        (JSC::EncodedValue::convertTo<int64_t>):
        (JSC::EncodedValue::convertTo<uint32_t>):
        (JSC::EncodedValue::convertTo<uint64_t>):

2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Occasional ASSERT closing web inspector
        https://bugs.webkit.org/show_bug.cgi?id=136762

        Reviewed by Timothy Hatcher.

        It is harmless, and indeed possible to have an empty set of listeners
        now that each Page gets its own PageDebugServer instead of a shared
        global. So we should replace the null checks with isEmpty checks.
        Since nobody was ever returning null, convert to references as well.

        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
        (Inspector::ScriptDebugServer::sourceParsed):
        (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
        (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
        (Inspector::ScriptDebugServer::handlePause):
        (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
        * inspector/ScriptDebugServer.h:

2014-09-10  Michael Saboff  <msaboff@apple.com>

        Move JSScope out of JSFunction into separate JSCallee class
        https://bugs.webkit.org/show_bug.cgi?id=136725

        Reviewed by Oliver Hunt.

        Created new JSCallee class that contains a JSScope*.  Changed JSFunction to inherit from
        JSCallee.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Build changes.  Added JSCallee.cpp and JSCallee.h.

        * runtime/JSCallee.cpp: Added.
        (JSC::JSCallee::create):
        (JSC::JSCallee::destroy):
        (JSC::JSCallee::JSCallee):
        (JSC::JSCallee::finishCreation):
        (JSC::JSCallee::visitChildren):
        (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
        (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
        (JSC::JSCallee::put): Pass through wrapper function.
        (JSC::JSCallee::deleteProperty): Pass through wrapper function.
        (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.

        * runtime/JSCallee.h: Added.
        (JSC::JSCallee::scope):
        (JSC::JSCallee::scopeUnchecked):
        (JSC::JSCallee::setScope):
        (JSC::JSCallee::createStructure):
        (JSC::JSCallee::offsetOfScopeChain):

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::addNameScopeIfNeeded):
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        (JSC::JSFunction::scope): Deleted.
        (JSC::JSFunction::scopeUnchecked): Deleted.
        (JSC::JSFunction::setScope): Deleted.
        (JSC::JSFunction::offsetOfScopeChain): Deleted.
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):
        Changed to reference JSCallee and its methods.

        * runtime/JSType.h: Added JSCallee as a TypeEnum.

2014-09-11  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r172129): Vine pages load as blank
        https://bugs.webkit.org/show_bug.cgi?id=136655
        rdar://problem/18281215

        Reviewed by Michael Saboff.
        
        If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
        that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
        Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
        conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
        reasonably compact; it's OK if we miss cases here.

        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * tests/stress/remove-phantom-after-setlocal.js: Added.

2014-09-11  Bear Travis  <betravis@adobe.com>

        [CSS Font Loading] Enable CSS Font Loading on Mac
        https://bugs.webkit.org/show_bug.cgi?id=135473

        Reviewed by Antti Koivisto.

        Enable CSS Font Loading in FeatureDefines.

        * Configurations/FeatureDefines.xcconfig:

2014-09-11  Joseph Pecoraro  <pecoraro@apple.com>

        Unreviewed rebaseline of inspector generator test results after r173120.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:

2014-09-11  Oliver Hunt  <oliver@apple.com>

        Rename activation to be more in line with spec language
        https://bugs.webkit.org/show_bug.cgi?id=136721

        Reviewed by Michael Saboff.

        Somewhat bigger than the last one, but still just a rename.

        * CMakeLists.txt:
        * JavaScriptCore.order:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallVariant.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::isCaptured):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setActivationRegister):
        (JSC::CodeBlock::activationRegister):
        (JSC::CodeBlock::uncheckedActivationRegister):
        (JSC::CodeBlock::needsActivation):
        * bytecode/Instruction.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setActivationRegister):
        (JSC::UnlinkedCodeBlock::activationRegister):
        (JSC::UnlinkedCodeBlock::hasActivationRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::isFunctionOrEvalScope):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::tryGetActivation):
        (JSC::DFG::Graph::tryGetRegisters):
        * dfg/DFGGraph.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::lexicalEnvironment):
        (JSC::CallFrame::setActivation):
        (JSC::CallFrame::activation): Deleted.
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * interpreter/Register.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_tear_off_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments):
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_activation): Deleted.
        (JSC::JIT::emit_op_create_activation): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_tear_off_lexical_environment):
        (JSC::JIT::emit_op_tear_off_arguments):
        (JSC::JIT::emit_op_create_lexical_environment):
        (JSC::JIT::emit_op_tear_off_activation): Deleted.
        (JSC::JIT::emit_op_create_activation): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        (JSC::Arguments::tearOff):
        (JSC::Arguments::didTearOffActivation):
        * runtime/Arguments.h:
        (JSC::Arguments::offsetOfActivation):
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation):
        * runtime/CommonSlowPaths.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::activationStructure):
        * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
        (JSC::JSLexicalEnvironment::visitChildren):
        (JSC::JSLexicalEnvironment::symbolTableGet):
        (JSC::JSLexicalEnvironment::symbolTablePut):
        (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
        (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
        (JSC::JSLexicalEnvironment::put):
        (JSC::JSLexicalEnvironment::deleteProperty):
        (JSC::JSLexicalEnvironment::toThis):
        (JSC::JSLexicalEnvironment::argumentsGetter):
        * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
        (JSC::JSLexicalEnvironment::create):
        (JSC::JSLexicalEnvironment::createStructure):
        (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
        (JSC::asActivation):
        (JSC::Register::lexicalEnvironment):
        (JSC::JSLexicalEnvironment::registersOffset):
        (JSC::JSLexicalEnvironment::tearOff):
        (JSC::JSLexicalEnvironment::isTornOff):
        (JSC::JSLexicalEnvironment::storageOffset):
        (JSC::JSLexicalEnvironment::storage):
        (JSC::JSLexicalEnvironment::allocationSize):
        (JSC::JSLexicalEnvironment::isValidIndex):
        (JSC::JSLexicalEnvironment::isValid):
        (JSC::JSLexicalEnvironment::registerAt):
        * runtime/JSObject.h:
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSSymbolTableObject.cpp:
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/VM.cpp:

2014-09-11  László Langó  <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] Fix FTL on platform EFL.
        https://bugs.webkit.org/show_bug.cgi?id=133571

        Reviewed by Filip Pizlo.

        There are no compact_unwind sections on Linux systems so FTL crashes.
        We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
        and get the information for stack unwinding from there.

        * CMakeLists.txt: Revert r169181.
        * ftl/FTLCompile.cpp:
        Change section name literals to use SECTION_NAME macro, because of architecture differencies.
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):
        (JSC::FTL::compile):
        * ftl/FTLJITCode.h:
        We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLState.h:
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLUnwindInfo.h:
        * ftl/FTLUnwindInfo.cpp:
        Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
        Parse eh_frame on Linux instead of compact_unwind.
        (JSC::FTL::UnwindInfo::parse):

2014-09-10  Saam Barati  <saambarati1@gmail.com>

        Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
        https://bugs.webkit.org/show_bug.cgi?id=136500

        Reviewed by Joseph Pecoraro.

        This patch changes the type profiler protocol to the Web Inspector
        by moving the work of calculating computed properties that effect the UI 
        into the Web Inspector. This makes the Web Inspector have control over the 
        strings it displays as UI elements representing type information to the user 
        instead of JavaScriptCore deciding on a convention for these strings.
        JavaScriptCore now sends enough information to the Web Inspector so that 
        it can compute the properties JavaScriptCore used to compute.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/protocol/Runtime.json:
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
        * runtime/TypeProfiler.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::inspectorTypeSet):
        (JSC::StructureShape::leastCommonAncestor):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2014-09-10  Akos Kiss  <akiss@inf.u-szeged.hu>

        Apply ARM64-specific lowering to load/store instructions in offlineasm
        https://bugs.webkit.org/show_bug.cgi?id=136569

        Reviewed by Michael Saboff.

        The standard risc lowering of load/store instructions with base +
        immediate offset addresses is to move the offset to a temporary, add the
        base to the temporary, and then change the load/store to use the
        temporary + 0 immediate offset address. However, on ARM64, base +
        register offset addressing mode is available, so it is unnecessary to
        perform explicit register additions but it is enough to change load/store
        to use base + temporary as the address.

        * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses

2014-09-10  Oliver Hunt  <oliver@apple.com>

        Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
        https://bugs.webkit.org/show_bug.cgi?id=136710

        Reviewed by Anders Carlsson.

        This is a trivial rename.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitGetClosureVar):
        (JSC::JIT::emitPutClosureVar):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        * runtime/JSActivation.h:
        * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
        * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
        (JSC::JSEnvironmentRecord::registers):
        (JSC::JSEnvironmentRecord::registerAt):
        (JSC::JSEnvironmentRecord::addressOfRegisters):
        (JSC::JSEnvironmentRecord::offsetOfRegisters):
        (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
        * runtime/JSNameScope.h:
        * runtime/JSSegmentedVariableObject.h:

2014-09-10  Julien Brianceau   <jbriance@cisco.com>

        [mips] Add missing parts and fix LLINT mips backend
        https://bugs.webkit.org/show_bug.cgi?id=136706

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
        Implement initPCRelative and setEntryAddress macros.
        * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
        doVMEntry macro.

2014-09-10  Saam Barati  <saambarati1@gmail.com>

        TypeSet needs a mode where it no longer profiles structure shapes
        https://bugs.webkit.org/show_bug.cgi?id=136263

        Reviewed by Filip Pizlo.

        The TypeSet data structure used to gather as many StructureShape
        objects as it encountered during type profiling. But, this meant 
        that there was no upper limit on how many objects it could allocate. 
        This patch places a fixed upper bound on the number of StructureShapes
        allocated per TypeSet to prevent using too much memory for little gain
        in type profiling usefulness.

        StructureShape objects are now also aware of when they are created
        from Structures which are dictionaries.

        In total, this patch lays the final groundwork needed in refactoring 
        the inspector protocol for the type profiler.

        * runtime/Structure.cpp:
        (JSC::Structure::toStructureShape):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::StructureShape::StructureShape):
        (JSC::StructureShape::toJSONString):
        (JSC::StructureShape::enterDictionaryMode):
        * runtime/TypeSet.h:
        (JSC::TypeSet::isOverflown):
        * tests/typeProfiler/dictionary-mode.js: Added.
        (wrapper):
        * tests/typeProfiler/driver/driver.js:
        * tests/typeProfiler/overflow.js: Added.
        (wrapper.Proto):
        (wrapper):

2014-09-10  Peter Gal  <galpeter@inf.u-szeged.hu>

        [MIPS] branch32WithPatch missing
        https://bugs.webkit.org/show_bug.cgi?id=136696

        Reviewed by Michael Saboff.

        Added the missing branch32WithPatch. The implementation
        is currently the same as the branchPtrithPatch because
        the macro assembler supports only 32 bit MIPS.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branch32WithPatch):

2014-09-10  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Fix !ENABLE(DFG_JIT) build
        https://bugs.webkit.org/show_bug.cgi?id=136702

        Reviewed by Michael Saboff.

        * bytecode/CallEdgeProfile.h:

2014-09-09  Benjamin Poulain  <bpoulain@apple.com>

        Disable the "unreachable-code" warning
        https://bugs.webkit.org/show_bug.cgi?id=136677

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:

2014-09-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should have a reusable SSA builder
        https://bugs.webkit.org/show_bug.cgi?id=136331

        Reviewed by Oliver Hunt.
        
        We want to implement sophisticated SSA transformations like object allocation sinking
        (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
        updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
        Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
        implementation of this algorithm only worked when doing CPS->SSA conversion. The code
        could not be reused for cases where some phase happens to know that it introduced a few
        defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
        the general algorithm of Aycock and Horspool is not well suited to such targetted SSA
        updates, since it requires first inserting maximal Phis. That scales well when the Phis
        were already there (like in our CPS form) but otherwise it's quite unnatural and may be
        difficult to make efficient.
        
        The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
        algorithm based on dominance frontiers. For a while now, I've been working on creating a
        Cytron-based SSA calculator that can be used both as a replacement for our current SSA
        converter and as a reusable tool for any phase that needs to do SSA update. I previously
        optimized our dominator calculation and representation to use dominator trees computed
        using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
        the set of blocks that dominate you or vice-versa, and then I implemented a dominance
        frontier calculator. This patch implements the final step towards making SSA update
        available to all SSA phases: it implements an SSACalculator that can tell you where Phis
        go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
        good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
        SSA converter with one based on the SSACalculator.
        
        This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
        But even better, it makes SSAConversionPhase have significantly less tricky logic. It
        mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
        just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
        In fact, using the Cytron et al approach means that there isn't really any "smoke and
        mirrors" trickyness related to SSA. SSACalculator's only "tricks" are using the pruned
        iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
        The complexity is mostly confined to Dominators, which computes various dominator-related
        properties over the control flow graph. That class can be difficult to understand, but at
        least it follows well-known graph theory wisdom.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAnalysis.h:
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::immediateDominatorOf):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::blocksInPreOrder):
        (JSC::DFG::Graph::blocksInPostOrder):
        (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
        (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGPhase.cpp:
        (JSC::DFG::Phase::beginPhase):
        (JSC::DFG::Phase::endPhase):
        * dfg/DFGPhase.h:
        * dfg/DFGSSACalculator.cpp: Added.
        (JSC::DFG::SSACalculator::Variable::dump):
        (JSC::DFG::SSACalculator::Variable::dumpVerbose):
        (JSC::DFG::SSACalculator::Def::dump):
        (JSC::DFG::SSACalculator::SSACalculator):
        (JSC::DFG::SSACalculator::~SSACalculator):
        (JSC::DFG::SSACalculator::newVariable):
        (JSC::DFG::SSACalculator::newDef):
        (JSC::DFG::SSACalculator::nonLocalReachingDef):
        (JSC::DFG::SSACalculator::reachingDefAtTail):
        (JSC::DFG::SSACalculator::dump):
        * dfg/DFGSSACalculator.h: Added.
        (JSC::DFG::SSACalculator::Variable::index):
        (JSC::DFG::SSACalculator::Variable::Variable):
        (JSC::DFG::SSACalculator::Def::variable):
        (JSC::DFG::SSACalculator::Def::block):
        (JSC::DFG::SSACalculator::Def::value):
        (JSC::DFG::SSACalculator::Def::Def):
        (JSC::DFG::SSACalculator::variable):
        (JSC::DFG::SSACalculator::computePhis):
        (JSC::DFG::SSACalculator::phisForBlock):
        (JSC::DFG::SSACalculator::reachingDefAtHead):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
        (JSC::DFG::SSAConversionPhase::run):
        (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
        (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
        (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
        (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
        * dfg/DFGSSAConversionPhase.h:
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::Validate):
        (JSC::DFG::Validate::dumpGraphIfAppropriate):
        (JSC::DFG::validate):
        * dfg/DFGValidate.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * runtime/Options.h:

2014-09-08  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173402.
        https://bugs.webkit.org/show_bug.cgi?id=136649

        Breaking buildw with error "unable to restore file position to
        0x00000c60 for section __DWARF.__debug_info (errno = 9)"
        (Requested by mlam_ on #webkit).

        Reverted changeset:

        "Move CallFrame and Register inlines functions out of
        JSScope.h."
        https://bugs.webkit.org/show_bug.cgi?id=136579
        http://trac.webkit.org/changeset/173402

2014-09-08  Mark Lam  <mark.lam@apple.com>

        Move CallFrame and Register inlines functions out of JSScope.h.
        <https://webkit.org/b/136579>

        Reviewed by Geoffrey Garen.

        This include fixing up some files to #include JSCInlines.h to pick up
        these inline functions.  I also added JSCellInlines.h to JSCInlines.h
        since it is included from many of the affected .cpp files.

        * API/ObjCCallbackFunction.mm:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bindings/ScriptValue.cpp:
        * inspector/InjectedScriptHost.cpp:
        * inspector/InjectedScriptManager.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/ScriptDebugServer.cpp:
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::vm):
        (JSC::CallFrame::lexicalGlobalObject):
        (JSC::CallFrame::globalThisValue):
        * interpreter/RegisterInlines.h: Added.
        (JSC::Register::operator=):
        (JSC::Register::scope):
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSCInlines.h:
        * runtime/JSCJSValue.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromiseFunctions.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSScope.h:
        (JSC::Register::operator=): Deleted.
        (JSC::Register::scope): Deleted.
        (JSC::ExecState::vm): Deleted.
        (JSC::ExecState::lexicalGlobalObject): Deleted.
        (JSC::ExecState::globalThisValue): Deleted.
        * runtime/JSSetIterator.cpp:
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-09-08  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Remove FILTERS flag
        https://bugs.webkit.org/show_bug.cgi?id=136571

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-09-08  Saam Barati  <saambarati1@gmail.com>

        Merge StructureShapes that share the same prototype chain
        https://bugs.webkit.org/show_bug.cgi?id=136549

        Reviewed by Filip Pizlo.

        Instead of keeping track of many discrete StructureShapes that share
        the same prototype chain, TypeSet should merge StructureShapes that 
        have the same prototype chain and provide a new member variable for 
        optional structure fields. This provides a cleaner and more concise
        interface for dealing with StructureShapes within TypeSet. Instead
        of having many discrete shapes that are almost identical, almost 
        identical shapes will be merged together with an interface for 
        understanding what fields the shapes being merged together differ in.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::StructureShape::addProperty):
        (JSC::StructureShape::toJSONString):
        (JSC::StructureShape::inspectorRepresentation):
        (JSC::StructureShape::hasSamePrototypeChain):
        (JSC::StructureShape::merge):
        * runtime/TypeSet.h:
        * tests/typeProfiler/optional-fields.js: Added.
        (wrapper.func):
        (wrapper):

2014-09-08  Jessie Berlin  <jberlin@apple.com>

        More 32-bit Release build fixes after r173364.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-09-07  Maciej Stachowiak  <mjs@apple.com>

        Fix typos in last patch to fix build.

        Unreviewed build fix.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):

2014-09-07  Maciej Stachowiak  <mjs@apple.com>

        Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
        https://bugs.webkit.org/show_bug.cgi?id=136616

        Reviewed by Darin Adler.
        
        Many compilers will analyze unrechable code paths (e.g. after an
        unreachable code path), so sometimes they need dead code initializations.
        But clang with suitable warnings will complain about unreachable code. So
        use the quirk to include it conditionally.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * jsc.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

2014-09-06  Darin Adler  <darin@apple.com>

        Make updates suggested by new version of Xcode
        https://bugs.webkit.org/show_bug.cgi?id=136603

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
        and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.

        * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
        for clang, since it understands the code is unreachable.
        * runtime/JSArray.cpp:
        (JSC::JSArray::fillArgList): Ditto.
        (JSC::JSArray::copyToArguments): Ditto.

2014-09-05  Matt Baker  <mattbaker@apple.com>

        Web Inspector: breakpoint actions should work regardless of Content Security Policy
        https://bugs.webkit.org/show_bug.cgi?id=136542

        Reviewed by Mark Lam.

        Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a 
        JSGlobalObject for the duration of a scope, returning the eval enabled state to its
        original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate 
        to allow breakpoint actions to execute JS in pages with a Content Security Policy
        that would normally prohibit this (such as Inspector's Main.html).

        Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
        setting eval enabled and then resetting the original eval enabled state.

        NOTE: The JS::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
        for null to be equivalent with the original code in Inspector::InjectedScriptBase.
        InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
        can currently be null.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * debugger/DebuggerEvalEnabler.h: Added.
        (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
        (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):

2014-09-05  peavo@outlook.com  <peavo@outlook.com>

        [WinCairo] jsc.exe won't run.
        https://bugs.webkit.org/show_bug.cgi?id=136481

        Reviewed by Alex Christensen.
        
        We need to define WIN_CAIRO to avoid looking for the AAS folder.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:

2014-09-05  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore should build with newer clang
        <http://webkit.org/b/136002>
        <rdar://problem/18020616>

        Reviewed by Geoffrey Garen.

        Other than the JSC::SourceProvider::asID() change (which simply
        removes code that the optimizing compiler would have discarded
        in Release builds), we move the |this| checks in OpaqueJSString
        to NULL checks in to JSBase, JSObjectRef, JSScriptRef,
        JSStringRef{CF} and JSValueRef.

        Note that the following function arguments are _not_ NULL-checked
        since doing so would just cover up bugs (and were not needed to
        prevent any tests from failing):
        - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
        - |body| in JSObjectMakeFunction();
        - |source| in JSScriptCreateReferencingImmortalASCIIText()
          (which is a const char* anyway);
        - |source| in JSScriptCreateFromString().

        * API/JSBase.cpp:
        (JSEvaluateScript): Add NULL check for |sourceURL|.
        (JSCheckScriptSyntax): Ditto.
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction): Ditto.
        * API/JSScriptRef.cpp:
        (JSScriptCreateReferencingImmortalASCIIText): Ditto.
        (JSScriptCreateFromString): Add NULL check for |url|.
        * API/JSStringRef.cpp:
        (JSStringGetLength): Return early if NULL pointer is passed in.
        (JSStringGetCharactersPtr): Ditto.
        (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString): Ditto.
        * API/JSValueRef.cpp:
        (JSValueMakeString): Add NULL check for |string|.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string): Remove code that checks |this|.
        (OpaqueJSString::identifier): Ditto.
        (OpaqueJSString::characters): Ditto.
        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit): Remove code that checks |this|.
        (OpaqueJSString::characters8): Ditto.
        (OpaqueJSString::characters16): Ditto.
        (OpaqueJSString::length): Ditto.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID): Remove code that checks |this|.

2014-06-06  Jer Noble  <jer.noble@apple.com>

        Refactoring: make MediaTime the primary time type for audiovisual times.
        https://bugs.webkit.org/show_bug.cgi?id=133579

        Reviewed by Eric Carlson.

        Add a utility function which converts a MediaTime to a JSNumber.

        * runtime/JSCJSValue.h:
        (JSC::jsNumber):

2014-09-04  Michael Saboff  <msaboff@apple.com>

        ARM: Add more coverage to ARMv7 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=136565

        Reviewed by Mark Lam.

        Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions
        VCMP, VCVT[R] between floating point and integer, and VLDR.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):

2014-09-04  Mark Lam  <mark.lam@apple.com>

        Move PropertySlot's inline functions back to PropertySlot.h.
        <https://webkit.org/b/136547>

        Reviewed by Filip Pizlo.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue): Deleted.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::getValue):

2014-09-04  Filip Pizlo  <fpizlo@apple.com>

        Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.

        Rubber stamped by Sam Weinig.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::recompileAllJSFunctions):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        * runtime/Options.h: Reenable call edge profiling.
        * runtime/VM.cpp:
        (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        (JSC::VM::waitForCompilationsToComplete): Deleted.
        * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.

2014-09-04  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
        https://bugs.webkit.org/show_bug.cgi?id=136485

        Reviewed by Michael Saboff.

        Changed makeHostFunctionCall to keep the stack pointer above the call
        frame set up by doVMEntry. Thus the callee will/can not override the top
        of the call frame.

        Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
        more alike to help future maintenance.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-09-04  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
        https://bugs.webkit.org/show_bug.cgi?id=136436

        Reviewed by Geoffrey Garen.

        Instead of trying to calculate a stack pointer that allows for possible
        stacked argument space, just use the "home" stack pointer location.
        That stack pointer provides space for the worst case number of stacked
        arguments on architectures that use stacked arguments.  It also provides
        stack space so that the return PC and caller frame pointer that are stored
        as part of making the call to operationCallEval will not override any part
        of the callee frame created on the stack.

        Changed compileCallEval() to use the stackPointer value of the calling
        function.  That stack pointer is calculated to have enough space for
        outgoing stacked arguments.  By moving the stack pointer to its "home"
        position, the caller frame and return PC are not set as part of making
        the call to operationCallEval().  Moved the explicit setting of the
        callerFrame field of the callee CallFrame from operationCallEval() to
        compileCallEval() since it has been the artifact of making a call for
        most architectures.  Simplified the exception logic in compileCallEval()
        as a result of the change.  To be compliant with the stack state
        expected by virtualCallThunkGenerator(), moved the stack pointer to
        point above the CallerFrameAndPC of the callee CallFrame.

        * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
        to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
        check.
        * jit/JITCall.cpp & jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
        to operationCallEval.  Since the stack pointer adjustment no longer needs
        to be done after making the call to operationCallEval(), the exception check
        logic can be simplified.
        (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
        to above the calleeFrame as this is what the generated thunk expects.
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
        with the addition of a standard exception check.
        (JSC::JIT::callOperationNoExceptionCheck): Deleted.
        * jit/JITOperations.cpp:
        (JSC::operationCallEval): Eliminated the explicit setting of caller frame
        as that is now done in the code generated by compileCallEval().

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
        https://bugs.webkit.org/show_bug.cgi?id=136520

        Reviewed by Geoffrey Garen.
        
        Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
        this patch also makes BlockSet a lot more user-friendly.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockSet.cpp: Added.
        (JSC::DFG::BlockSet::dump):
        * dfg/DFGBlockSet.h:
        (JSC::DFG::BlockSet::iterator::iterator):
        (JSC::DFG::BlockSet::iterator::operator++):
        (JSC::DFG::BlockSet::iterator::operator==):
        (JSC::DFG::BlockSet::iterator::operator!=):
        (JSC::DFG::BlockSet::Iterable::Iterable):
        (JSC::DFG::BlockSet::Iterable::begin):
        (JSC::DFG::BlockSet::Iterable::end):
        (JSC::DFG::BlockSet::iterable):
        (JSC::DFG::BlockAdder::BlockAdder):
        (JSC::DFG::BlockAdder::operator()):
        * dfg/DFGBlockSetInlines.h: Added.
        (JSC::DFG::BlockSet::iterator::operator*):
        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::strictDominatorsOf):
        (JSC::DFG::Dominators::dominatorsOf):
        (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
        (JSC::DFG::Dominators::blocksDominatedBy):
        (JSC::DFG::Dominators::dominanceFrontierOf):
        (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::forAllStrictDominatorsOf):
        (JSC::DFG::Dominators::forAllDominatorsOf):
        (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
        (JSC::DFG::Dominators::forAllBlocksDominatedBy):
        (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
        (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
        (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        (JSC::DFG::InvalidationPointInjectionPhase::run):

2014-09-04  Mark Lam  <mark.lam@apple.com>

        Fixed indentations and some style warnings in JavaScriptCore/runtime.
        <https://webkit.org/b/136518>

        Reviewed by Michael Saboff.

        Also removed some superflous spaces.  There are no semantic changes.

        * runtime/Completion.h:
        * runtime/ConstructData.h:
        * runtime/DateConstructor.h:
        * runtime/DateInstance.h:
        * runtime/DateInstanceCache.h:
        * runtime/DatePrototype.h:
        * runtime/Error.h:
        * runtime/ErrorConstructor.h:
        * runtime/ErrorInstance.h:
        * runtime/ErrorPrototype.h:
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.h:
        * runtime/GetterSetter.h:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.h:
        * runtime/InternalFunction.h:
        * runtime/JSAPIValueWrapper.h:
        * runtime/JSFunction.h:
        * runtime/JSLock.h:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.h:
        * runtime/JSString.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSWrapperObject.h:
        * runtime/Lookup.h:
        * runtime/MathObject.h:
        * runtime/NativeErrorConstructor.h:
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.h:
        * runtime/NumberPrototype.h:
        * runtime/NumericStrings.h:
        * runtime/ObjectConstructor.h:
        * runtime/ObjectPrototype.h:
        * runtime/PropertyDescriptor.h:
        * runtime/Protect.h:
        * runtime/PutPropertySlot.h:
        * runtime/RegExp.h:
        * runtime/RegExpCachedResult.h:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.h:
        * runtime/SmallStrings.h:
        * runtime/StringConstructor.h:
        * runtime/StringObject.h:
        * runtime/StringPrototype.h:
        * runtime/StructureChain.h:
        * runtime/VM.h:

2014-09-04  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Remove CSS_FILTERS flag
        https://bugs.webkit.org/show_bug.cgi?id=136529

        Reviewed by Dirk Schulze.

        * Configurations/FeatureDefines.xcconfig:

2014-09-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173248.
        https://bugs.webkit.org/show_bug.cgi?id=136536

        call edge profiling and polymorphic call inlining are still
        causing crashes (Requested by eric_carlson on #webkit).

        Reverted changeset:

        "Reenable call edge profiling and polymorphic call inlining,
        now that a bunch of the bugs"
        http://trac.webkit.org/changeset/173248

2014-09-04  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
        https://bugs.webkit.org/show_bug.cgi?id=136352

        Reviewed by Timothy Hatcher.

        Hook up pause/continue events to the LegacyProfiler and any active
        ProfilerGenerators. If the debugger is paused, all intervening call
        entries will be created with totalTime as 0.0.

        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::handlePause):
        * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
        std::function. This allows callbacks to take different argument types.

        (JSC::callFunctionForProfilesWithGroup):
        (JSC::LegacyProfiler::willExecute):
        (JSC::LegacyProfiler::didExecute):
        (JSC::LegacyProfiler::exceptionUnwind):
        (JSC::LegacyProfiler::didPause):
        (JSC::LegacyProfiler::didContinue):
        (JSC::dispatchFunctionToProfiles): Deleted.
        * profiler/LegacyProfiler.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::ProfileGenerator::endCallEntry):
        (JSC::ProfileGenerator::didExecute): Deleted.
        * profiler/ProfileGenerator.h:
        (JSC::ProfileGenerator::didPause):
        (JSC::ProfileGenerator::didContinue):

2014-09-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r173245.
        https://bugs.webkit.org/show_bug.cgi?id=136533

        Broke JSC tests. (Requested by ddkilzer on #webkit).

        Reverted changeset:

        "JavaScriptCore should build with newer clang"
        https://bugs.webkit.org/show_bug.cgi?id=136002
        http://trac.webkit.org/changeset/173245

2014-09-04  Brian J. Burg  <burg@cs.washington.edu>

        LegacyProfiler: ProfileNodes should be used more like structs
        https://bugs.webkit.org/show_bug.cgi?id=136381

        Reviewed by Timothy Hatcher.

        Previously, both the profile generator and individual profile nodes
        were collectively responsible for creating new Call entries and
        maintaining data structure invariants. This complexity is unnecessary.

        This patch centralizes profile data creation inside the profile generator.
        The profile nodes manage nextSibling and parent pointers, but do not
        collect the current time or create new Call entries themselves.

        Since ProfileNode::nextSibling and its callers are only used within
        debug printing code, it should be compiled out for release builds.

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
        (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
        (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
        (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
        (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileGenerator.h:
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::addChild):
        (JSC::ProfileNode::removeChild):
        (JSC::ProfileNode::spliceNode): Renamed from insertNode.
        (JSC::ProfileNode::debugPrintRecursively):
        (JSC::ProfileNode::willExecute): Deleted.
        (JSC::ProfileNode::insertNode): Deleted.
        (JSC::ProfileNode::stopProfiling): Deleted.
        (JSC::ProfileNode::traverseNextNodePostOrder):
        (JSC::ProfileNode::endAndRecordCall): Deleted.
        (JSC::ProfileNode::debugPrintDataSampleStyle):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::Call::setStartTime):
        (JSC::ProfileNode::Call::setTotalTime):
        (JSC::ProfileNode::appendCall):
        (JSC::ProfileNode::firstChild):
        (JSC::ProfileNode::lastChild):
        (JSC::ProfileNode::nextSibling):
        (JSC::ProfileNode::setNextSibling):

2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
        https://bugs.webkit.org/show_bug.cgi?id=136476

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
        * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        * inspector/JSGlobalObjectInspectorController.h:

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
        are fixed.

        * runtime/Options.h:

2014-09-03  David Kilzer  <ddkilzer@apple.com>

        JavaScriptCore should build with newer clang
        <http://webkit.org/b/136002>
        <rdar://problem/18020616>

        Reviewed by Geoffrey Garen.

        Other than the JSC::SourceProvider::asID() change (which simply
        removes code that the optimizing compiler would have discarded
        in Release builds), we move the |this| checks in OpaqueJSString
        to NULL checks in to JSBase, JSScriptRef, JSStringRef{CF} and
        JSValueRef.

        * API/JSBase.cpp:
        (JSEvaluateScript): Use String() in case |script| or |sourceURL|
        are NULL.
        * API/JSScriptRef.cpp:
        (JSScriptCreateReferencingImmortalASCIIText): Use String() in
        case |url| is NULL.
        * API/JSStringRef.cpp:
        (JSStringGetLength): Return early if NULL pointer is passed in.
        (JSStringGetCharactersPtr): Ditto.
        (JSStringGetUTF8CString): Ditto.  Also check |buffer| parameter.
        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString): Ditto.
        * API/JSValueRef.cpp:
        (JSValueMakeString): Use String() in case |string| is NULL.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::string): Remove code that checks |this|.
        (OpaqueJSString::identifier): Ditto.
        (OpaqueJSString::characters): Ditto.
        * API/OpaqueJSString.h:
        (OpaqueJSString::is8Bit): Remove code that checks |this|.
        (OpaqueJSString::characters8): Ditto.
        (OpaqueJSString::characters16): Ditto.
        (OpaqueJSString::length): Ditto.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID): Remove code that checks |this|.

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
        https://bugs.webkit.org/show_bug.cgi?id=136511

        Reviewed by Geoffrey Garen.

        * bytecode/CallEdgeProfile.cpp:
        (JSC::CallEdgeProfile::worthDespecifying):
        (JSC::CallEdgeProfile::visitWeak):
        (JSC::CallEdgeProfile::mergeBack):

2014-09-03  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
        <http://webkit.org/b/136509>

        Reviewed by Daniel Bates.

        * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
        entry left behind when JSBoundFunction.h was removed.

2014-09-03  Joseph Pecoraro  <pecoraro@apple.com>

        Avoid warning if a process does not have access to com.apple.webinspector
        https://bugs.webkit.org/show_bug.cgi?id=136473

        Reviewed by Alexey Proskuryakov.

        Pre-check for access to the mach port to avoid emitting warnings
        in syslog for processes that do not have access.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::canAccessWebInspectorMachPort):
        (Inspector::RemoteInspector::shared):

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
        them.

        * runtime/Options.h:

2014-09-03  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Wrong register usage in LLInt op_catch.
        https://bugs.webkit.org/show_bug.cgi?id=125168

        Reviewed by Geoffrey Garen.

        Fix register usage and add PIC header to all the ops in LLInt.

        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:

2014-09-03  Saam Barati  <saambarati1@gmail.com>

        Create tests for type profiling
        https://bugs.webkit.org/show_bug.cgi?id=136161

        Reviewed by Geoffrey Garen.

        The type profiler is now being tested. These are basic tests that don't 
        check every edge case, but will catch any major failures in the type profiler. 
        These tests cover:
        - The basic, inheritance-based type system in TypeSet.
        - Function return types.
        - Correct merging of types for multiple assignments to one variable.

        This patch also provides an API for writing new tests for
        the type profiler. The API works by passing in a function and a 
        unique substring of an expression contained in that function, and 
        returns an object representing type information for that expression.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFindTypeForExpression):
        (functionReturnTypeFor):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::toJSONString):
        (JSC::StructureShape::toJSONString):
        * runtime/TypeSet.h:
        * tests/typeProfiler: Added.
        * tests/typeProfiler.yaml: Added.
        * tests/typeProfiler/basic.js: Added.
        (wrapper.foo):
        (wrapper):
        * tests/typeProfiler/captured.js: Added.
        (wrapper.changeFoo):
        (wrapper):
        * tests/typeProfiler/driver: Added.
        * tests/typeProfiler/driver/driver.js: Added.
        (assert):
        * tests/typeProfiler/inheritance.js: Added.
        (wrapper.A):
        (wrapper.B):
        (wrapper.C):
        (wrapper):
        * tests/typeProfiler/return.js: Added.
        (foo):
        (Ctor):

2014-09-03  Julien Brianceau   <jbriance@cisco.com>

        Add missing implementations to fix build for sh4 architecture
        https://bugs.webkit.org/show_bug.cgi?id=136455

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::store8):
        (JSC::MacroAssemblerSH4::moveWithPatch):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branch32WithPatch):
        (JSC::MacroAssemblerSH4::abortWithReason):
        (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitFunctionPrologue):
        (JSC::AssemblyHelpers::emitFunctionEpilogue):

2014-09-03  Dan Bernstein  <mitz@apple.com>

        Get rid of HIGH_DPI_CANVAS leftovers
        https://bugs.webkit.org/show_bug.cgi?id=136491

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
        and removed it from FEATURE_DEFINES.

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
        https://bugs.webkit.org/show_bug.cgi?id=136490

        Reviewed by Geoffrey Garen.

        * bytecode/CallEdgeProfile.cpp:
        (JSC::CallEdgeProfile::visitWeak):

2014-09-03  Filip Pizlo  <fpizlo@apple.com>

        FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
        https://bugs.webkit.org/show_bug.cgi?id=136488

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
        * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled.
        (foo):

2014-09-03  Akos Kiss  <akiss@inf.u-szeged.hu>

        Don't generate superfluous mov instructions for move immediate on ARM64.
        https://bugs.webkit.org/show_bug.cgi?id=136435

        Reviewed by Michael Saboff.

        On ARM64, the size of an immediate operand for a mov instruction is 16
        bits. Thus, a move immediate offlineasm instruction may potentially be
        split up to several machine level instructions. The current
        implementation always emits a mov for the least significant 16 bits of
        the value. However, if any of the bits 63:16 are significant then the
        first emitted mov already filled bits 15:0 with zeroes (or ones, for
        negative values). So, if bits 15:0 of the value are all zeroes (or ones)
        then the last mov does not need to be emitted.

        * offlineasm/arm64.rb:

2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        LegacyProfiler: remove redundant ProfileNode members and other cleanup
        https://bugs.webkit.org/show_bug.cgi?id=136380

        Reviewed by Timothy Hatcher.

        ProfileNode's selfTime and totalTime members are redundant and only used
        for dumping profile data from debug-only code. Remove the members and compute
        the same data on-demand when necessary using a postorder traversal functor.

        Remove ProfileNode.head since it is only used to calculate percentages for
        dumped profile data. This can be explicitly passed around when needed.

        Rename Profile.head to Profile.rootNode, and other various renamings.

        Rearrange some header includes so that touching LegacyProfiler-related headers
        will no longer cause a full rebuild.

        * inspector/JSConsoleClient.cpp: Add header include.
        * inspector/agents/InspectorProfilerAgent.cpp:
        (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
        * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
        * jit/JIT.h: Remove header include.
        * jit/JITCode.h: Remove header include.
        * jit/JITOperations.cpp: Sort and add header include.
        * llint/LLIntSlowPaths.cpp: Sort and add header include.
        * profiler/Profile.cpp: Rename the debug dumping functions. Move the node
        postorder traversal code to ProfileNode so we can traverse any subtree.
        (JSC::Profile::Profile):
        (JSC::Profile::debugPrint):
        (JSC::Profile::debugPrintSampleStyle):
        (JSC::Profile::forEach): Deleted.
        (JSC::Profile::debugPrintData): Deleted.
        (JSC::Profile::debugPrintDataSampleStyle): Deleted.
        * profiler/Profile.h:
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::ProfileGenerator):
        (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        (JSC::ProfileGenerator::didExecute):
        (JSC::StopProfilingFunctor::operator()):
        (JSC::ProfileGenerator::stopProfiling):
        (JSC::ProfileGenerator::removeProfileStart):
        (JSC::ProfileGenerator::removeProfileEnd):
        * profiler/ProfileGenerator.h:
        * profiler/ProfileNode.cpp:
        (JSC::ProfileNode::ProfileNode):
        (JSC::ProfileNode::willExecute):
        (JSC::ProfileNode::removeChild):
        (JSC::ProfileNode::stopProfiling):
        (JSC::ProfileNode::endAndRecordCall):
        (JSC::ProfileNode::debugPrint):
        (JSC::ProfileNode::debugPrintSampleStyle):
        (JSC::ProfileNode::debugPrintRecursively):
        (JSC::ProfileNode::debugPrintSampleStyleRecursively):
        (JSC::ProfileNode::debugPrintData): Deleted.
        (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
        * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
        The forEachNodePostorder functor traverses the subtree rooted at |this|.
        (JSC::ProfileNode::create):
        (JSC::ProfileNode::calls):
        (JSC::ProfileNode::forEachNodePostorder):
        (JSC::CalculateProfileSubtreeDataFunctor::returnValue):
        (JSC::CalculateProfileSubtreeDataFunctor::operator()):
        (JSC::ProfileNode::head): Deleted.
        (JSC::ProfileNode::setHead): Deleted.
        (JSC::ProfileNode::totalTime): Deleted.
        (JSC::ProfileNode::setTotalTime): Deleted.
        (JSC::ProfileNode::selfTime): Deleted.
        (JSC::ProfileNode::setSelfTime): Deleted.
        (JSC::ProfileNode::totalPercent): Deleted.
        (JSC::ProfileNode::selfPercent): Deleted.
        * runtime/ConsoleClient.h: Remove header include.

2014-09-02  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
        https://bugs.webkit.org/show_bug.cgi?id=136462

        Reviewed by Timothy Hatcher.

        It's not used by the frontend anymore.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:

        * inspector/JSConsoleClient.cpp:
        (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
        methods since they didn't work for JSContexts anyway.
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        * inspector/JSConsoleClient.h:

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/agents/InspectorProfilerAgent.cpp: Removed.
        * inspector/agents/InspectorProfilerAgent.h: Removed.
        * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
        * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
        * inspector/protocol/Profiler.json: Removed.

2014-09-02  Andreas Kling  <akling@apple.com>

        Optimize own property GetByVals with rope string subscripts.
        <https://webkit.org/b/136458>

        For simple JSObjects that don't override getOwnPropertySlot to implement
        custom properties, we have a fast path that grabs directly at the object
        property storage.

        Make this fast path even faster when the property name is an unresolved
        rope string by using JSString::toExistingAtomicString(). This is faster
        because it avoids allocating a new StringImpl if the string is already
        a known Identifier, which is guaranteed to be the case if it's present
        as an own property on the object.)

        ~10% speed-up on Dromaeo/dom-attr.html

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):

            When using the fastGetOwnProperty() optimization, get the String
            out of JSString by using toExistingAtomicString(). This avoids
            StringImpl allocation and lets us bypass the PropertyTable lookup
            entirely if no AtomicString is found.

        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

            Make fastGetOwnProperty() take a PropertyName instead of a String.
            This avoids churning the ref count, since we don't need to create
            a temporary wrapper around the AtomicStringImpl* found in GetByVal.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):

            Add constructor: PropertyName(AtomicStringImpl*)

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

            Remove code for querying a PropertyTable with an unhashed string key
            since the only client is now gone.

2014-09-02  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [ARM] MacroAssembler generating incorrect code on ARM32 Traditional
        https://bugs.webkit.org/show_bug.cgi?id=136429

        Reviewed by Csaba Osztrogonác.

        Changed test32 to use tst to check if reg is zero, instead of cmp.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::test32):

2014-09-02  Michael Saboff  <msaboff@apple.com>

        Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
        https://bugs.webkit.org/show_bug.cgi?id=136305

        Reviewed by Filip Pizlo.

        While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
        and then JITCode::execute() calls the normal entrypoint.  This is incompatible
        with the expectation of FTL generated functions.  Changed ProtoCallFrame to not 
        perform the arity fix, but just flag an arity mismatch.  now JITCode::execute()
        uses that arity mismatch condition to select the normal or arity check
        entrypoint.  The entrypoint selection is only done for functions, programs
        and eval always have one parameter.

        * interpreter/ProtoCallFrame.cpp:
        (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
        should be called.
        * jit/JITCode.cpp:
        (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.

2014-09-02  peavo@outlook.com  <peavo@outlook.com>

        [WinCairo] testapi.exe is not built.
        https://bugs.webkit.org/show_bug.cgi?id=136369

        Reviewed by Alex Christensen.

        The testapi project should be of type Application.

        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.

2014-09-01  Akos Kiss  <akiss@inf.u-szeged.hu>

        [CMAKE] Add missing offlineasm dependencies
        https://bugs.webkit.org/show_bug.cgi?id=136437

        Reviewed by Csaba Osztrogonác.

        Add the ARM64, MIPS and SH4 backends to the dependencies.

        * CMakeLists.txt:

2014-09-01  Brian J. Burg  <burg@cs.washington.edu>

        Provide column numbers to DTrace willExecute/didExecute probes
        https://bugs.webkit.org/show_bug.cgi?id=136434

        Reviewed by Antti Koivisto.

        Provide the columnNumber and update stubs for !HAVE(DTRACE).

        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::willExecute):
        (JSC::ProfileGenerator::didExecute):
        * runtime/Tracing.d:
        * runtime/Tracing.h:

2014-09-01  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
        https://bugs.webkit.org/show_bug.cgi?id=136194

        Reviewed by Csaba Osztrogonác.

        Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.

        * CMakeLists.txt:

2014-08-26  Maciej Stachowiak  <mjs@apple.com>

        Use RetainPtr::autorelease in some places where it seems appropriate
        https://bugs.webkit.org/show_bug.cgi?id=136280

        Reviewed by Darin Adler.

        * API/JSContext.mm:
        (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
        * API/JSValue.mm:
        (valueToString): Make appropriate use of RetainPtr

2014-08-29  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
        https://bugs.webkit.org/show_bug.cgi?id=136391

        Reviewed by Michael Saboff.

        Do not rely on calling conventions to fill in the CallerFrame component
        of the ExecState* parameter of the called function.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-08-29  Saam Barati  <sbarati@apple.com>

        emit op_profile_type for deconstruction assignments
        https://bugs.webkit.org/show_bug.cgi?id=136274

        Reviewed by Filip Pizlo.

        Enable type profiling for ES6 deconstruction expressions.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::BindingNode::bindValue):

2014-08-29  Joseph Pecoraro  <pecoraro@apple.com>

        JavaScriptCore: Use ASCIILiteral where possible
        https://bugs.webkit.org/show_bug.cgi?id=136179

        Reviewed by Michael Saboff.

        General string / character related changes. Use ASCIILiteral where
        possible, jsNontrivialString where possible, and replace string
        literals with character literals in some places.

        No new tests, no changes to functionality.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitBytecode):
        (JSC::PrefixNode::emitBytecode):
        (JSC::AssignErrorNode::emitBytecode):
        (JSC::ForInNode::emitMultiLoopBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::ObjectPatternNode::toString):
        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::InspectorBackendDispatcher::dispatch):
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::extractSourceInformationFromException):
        * inspector/scripts/codegen/generator_templates.py:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::sourceURL):
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (functionDescribeArray):
        (functionRun):
        (functionLoad):
        (functionReadFile):
        (functionCheckSyntax):
        (functionTransferArrayBuffer):
        (runWithScripts):
        (runInteractive):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage):
        (JSC::Lexer<T>::parseString):
        (JSC::Lexer<T>::parseStringSlowCase):
        (JSC::Lexer<T>::lex):
        * profiler/Profile.cpp:
        (JSC::Profile::Profile):
        * runtime/Arguments.cpp:
        (JSC::argumentsFuncIterator):
        * runtime/ArrayPrototype.cpp:
        (JSC::performSlowSort):
        (JSC::arrayProtoFuncSort):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createError):
        (JSC::createInvalidParameterError):
        (JSC::createNotAConstructorError):
        (JSC::createNotAFunctionError):
        (JSC::createNotAnObjectError):
        (JSC::createErrorForInvalidGlobalAssignment):
        * runtime/FunctionPrototype.cpp:
        (JSC::insertSemicolonIfNeeded):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoSetter):
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::lexString):
        (JSC::LiteralParser<CharType>::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::getErrorMessage):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::seenTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::allPrimitiveTypeNames):
        (JSC::StructureShape::propertyHash):
        (JSC::StructureShape::stringRepresentation):

2014-08-29  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviwed, remove empty directories.

        * qt: Removed.

2014-08-28  Mark Lam  <mark.lam@apple.com>

        DebuggerCallFrame::scope() should return a DebuggerScope.
        <https://webkit.org/b/134420>

        Reviewed by Geoffrey Garen.

        Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.

        Previously, DebuggerCallFrame::scope() returns a JSActivation (and relevant
        peers) which the WebInspector will use to introspect CallFrame variables.
        Instead, we should be returning a DebuggerScope as an abstraction layer that
        provides the introspection functionality that the WebInspector needs.  This
        is the first step towards not forcing every frame to have a JSActivation
        object just because the debugger is enabled.

        1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
           instead of the VM.  This allows JSObject::globalObject() to be able to
           return the global object for the DebuggerScope.

        2. On the DebuggerScope's life-cycle management:

           The DebuggerCallFrame is designed to be "valid" only during a debugging session
           (while the debugger is broken) through the use of a DebuggerCallFrameScope in
           Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
           DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
           We can't guarantee (from this code alone) that the Inspector code isn't still
           holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
           the frame will be invalidated, and any attempt to query it will return null values.
           This is pre-existing behavior.

           Now, we're adding the DebuggerScope into the picture.  While a single debugger
           pause session is in progress, the Inspector may request the scope from the
           DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
           DebuggerCallFrame::scope() to always return the same DebuggerScope object.
           This is why we hold on to the DebuggerScope with a strong ref.

           If we use a weak ref instead, the following cooky behavior can manifest:
           1. The Inspector calls Debugger::scope() to get the top scope.
           2. The Inspector iterates down the scope chain and is now only holding a
              reference to a parent scope.  It is no longer referencing the top scope.
           3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
              gets cleared.
           4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
              a different DebuggerScope instance.
           5. The Inspector iterates down the scope chain but never sees the parent scope
              instance that retained a ref to in step 2 above.  This is because when iterating
              this new DebuggerScope instance (which has no knowledge of the previous parent
              DebuggerScope instance), a new DebuggerScope instance will get created for the
              same parent scope. 

           Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
           However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
           When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
           instantiated) will also get invalidated.  This is why we need the
           DebuggerScope::invalidateChain() method.  The Inspector should not be using the
           DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
           those methods will do nothing or returned a failed status.

        Fix for <https://webkit.org/b/135656>:
        3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
           m_thisValue in the returned slot to the wrapped scope object.  Previously,
           it was pointing to the DebuggerScope though the rest of the fields in the
           returned slot will be set to data pertaining the wrapped scope object.

        4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
           wrapped scope.  This is because JSObject::getPropertySlot() cannot be
           overridden, and when called on a DebuggerScope, will not know to look in
           the ptototype chain of the DebuggerScope's wrapped scope.  Hence, we'll
           treat all properties in the wrapped scope as own properties in the
           DebuggerScope.  This is fine because the WebInspector does not presently
           care about where in the prototype chain the scope property comes from.

           Note that the DebuggerScope and the JSActivation objects that it wraps do
           not have prototypes.  They are always jsNull().  This works perfectly with
           the above change to use getPropertySlot() instead of getOwnPropertySlot().
           To make this an explicit invariant, I also changed DebuggerScope::createStructure()
           and JSActivation::createStructure() to not take a prototype argument, and
           to always use jsNull() for their prototype value.

        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::evaluate):
        (JSC::DebuggerCallFrame::invalidate):
        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::DebuggerScope):
        (JSC::DebuggerScope::finishCreation):
        (JSC::DebuggerScope::visitChildren):
        (JSC::DebuggerScope::className):
        (JSC::DebuggerScope::getOwnPropertySlot):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        (JSC::DebuggerScope::next):
        (JSC::DebuggerScope::invalidateChain):
        (JSC::DebuggerScope::isWithScope):
        (JSC::DebuggerScope::isGlobalScope):
        (JSC::DebuggerScope::isFunctionOrEvalScope):
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::createStructure):
        (JSC::DebuggerScope::iterator::iterator):
        (JSC::DebuggerScope::iterator::get):
        (JSC::DebuggerScope::iterator::operator++):
        (JSC::DebuggerScope::iterator::operator==):
        (JSC::DebuggerScope::iterator::operator!=):
        (JSC::DebuggerScope::isValid):
        (JSC::DebuggerScope::jsScope):
        (JSC::DebuggerScope::begin):
        (JSC::DebuggerScope::end):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeType):
        (Inspector::JSJavaScriptCallFrame::scopeChain):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::scopeChain):
        * inspector/ScriptDebugServer.cpp:
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::debuggerScopeStructure):
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::isWithScope):
        * runtime/JSScope.h:
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setThisValue):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setThisValue):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-08-28  Andreas Kling  <akling@apple.com>

        Use JSString::toIdentifier() in more places.
        <https://webkit.org/b/136348>

        Call sites that grab the WTF::String from a JSString using value() can
        use the more efficient toIdentifier() if the string is going to be used
        to construct an Identifier.

        If the JSString is a rope that resolves to something that is already
        present in the VM's Identifier table, using toIdentifier() can avoid
        allocating a new StringImpl.

        Reviewed by Geoffrey Garen.

        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Stringifier):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorDefineProperty):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncPropertyIsEnumerable):

2014-08-27  Filip Pizlo  <fpizlo@apple.com>

        DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph"
        https://bugs.webkit.org/show_bug.cgi?id=93361

        Reviewed by Mark Hahnenberg.
        
        This patch also adds some new utilities for reasoning about block-keyed maps, block sets,
        and block worklists. It changes preexisting code to use these abstractions.
        
        The main effect of this code is that all current clients of dominators end up using the
        results of the new idom calculation. We convert the dom tree to a dominance test using
        Dietz's pre/post number range check trick.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAnalysis.h:
        (JSC::DFG::Analysis::computeIfNecessary):
        (JSC::DFG::Analysis::computeDependencies):
        * dfg/DFGBlockMap.h: Added.
        (JSC::DFG::BlockMap::BlockMap):
        (JSC::DFG::BlockMap::size):
        (JSC::DFG::BlockMap::atIndex):
        (JSC::DFG::BlockMap::operator[]):
        * dfg/DFGBlockMapInlines.h: Added.
        (JSC::DFG::BlockMap<T>::BlockMap):
        * dfg/DFGBlockSet.h: Added.
        (JSC::DFG::BlockSet::BlockSet):
        (JSC::DFG::BlockSet::add):
        (JSC::DFG::BlockSet::contains):
        * dfg/DFGBlockWorklist.cpp: Added.
        (JSC::DFG::BlockWorklist::BlockWorklist):
        (JSC::DFG::BlockWorklist::~BlockWorklist):
        (JSC::DFG::BlockWorklist::push):
        (JSC::DFG::BlockWorklist::pop):
        (JSC::DFG::PostOrderBlockWorklist::PostOrderBlockWorklist):
        (JSC::DFG::PostOrderBlockWorklist::~PostOrderBlockWorklist):
        (JSC::DFG::PostOrderBlockWorklist::pushPre):
        (JSC::DFG::PostOrderBlockWorklist::pushPost):
        (JSC::DFG::PostOrderBlockWorklist::pop):
        * dfg/DFGBlockWorklist.h: Added.
        (JSC::DFG::BlockWorklist::notEmpty):
        (JSC::DFG::BlockWith::BlockWith):
        (JSC::DFG::BlockWith::operator UnspecifiedBoolType*):
        (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist):
        (JSC::DFG::ExtendedBlockWorklist::forcePush):
        (JSC::DFG::ExtendedBlockWorklist::push):
        (JSC::DFG::ExtendedBlockWorklist::notEmpty):
        (JSC::DFG::ExtendedBlockWorklist::pop):
        (JSC::DFG::BlockWithOrder::BlockWithOrder):
        (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*):
        (JSC::DFG::PostOrderBlockWorklist::push):
        (JSC::DFG::PostOrderBlockWorklist::notEmpty):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::compute):
        (JSC::DFG::Dominators::naiveDominates):
        (JSC::DFG::Dominators::dump):
        (JSC::DFG::Dominators::pruneDominators): Deleted.
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::strictlyDominates):
        (JSC::DFG::Dominators::dominates):
        (JSC::DFG::Dominators::BlockData::BlockData):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::getBlocksInPreOrder):
        (JSC::DFG::Graph::getBlocksInPostOrder):
        * dfg/DFGInvalidationPointInjectionPhase.cpp:
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        * dfg/DFGNaiveDominators.cpp: Added.
        (JSC::DFG::NaiveDominators::NaiveDominators):
        (JSC::DFG::NaiveDominators::~NaiveDominators):
        (JSC::DFG::NaiveDominators::compute):
        (JSC::DFG::NaiveDominators::pruneDominators):
        (JSC::DFG::NaiveDominators::dump):
        * dfg/DFGNaiveDominators.h: Added.
        (JSC::DFG::NaiveDominators::dominates):
        * dfg/DFGNaturalLoops.cpp:
        (JSC::DFG::NaturalLoops::computeDependencies):
        (JSC::DFG::NaturalLoops::compute):
        * dfg/DFGNaturalLoops.h:

2014-08-27  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to do polymorphic call inlining
        https://bugs.webkit.org/show_bug.cgi?id=135145

        Reviewed by Geoffrey Garen.
        
        Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
        baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
        inlining sites use the call edge profile if it is available, but they will still fall back
        on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
        multiple possible callees can be inlined with a switch to guard them. The slow path may
        either be an OSR exit or a virtual call.
        
        The call edge profiling added in this patch is very precise - it will tell you about every
        call that has ever happened. It took some effort to reduce the overhead of this profiling.
        This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
        in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
        it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
        I also experimented with reducing the precision of the profiling. This led to a significant
        reduction in the speed-up, so I avoided this approach. I also explored making log processing
        concurrent, but that didn't help. Also, I tested the overhead of the log processing and
        found that most of the overhead of this profiling is actually in putting things into the log
        rather than in processing the log - that part appears to be surprisingly cheap.
        
        Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
        and if we guarded such inlining sites with some profiling mechanism to detect
        polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
        it's actually monomorphic).
        
        This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
        other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
        on anything we care about. Some aggregates, like V8Spider, see a regression. This is
        highlighting the increase in profiling overhead. But since this doesn't show up on any major
        score (code-load or SunSpider), it's probably not relevant.
        
        Relanding after fixing debug assertions in fast/storage/serialized-script-value.html.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.cpp: Added.
        (JSC::CallEdge::dump):
        * bytecode/CallEdge.h: Added.
        (JSC::CallEdge::operator!):
        (JSC::CallEdge::callee):
        (JSC::CallEdge::count):
        (JSC::CallEdge::despecifiedClosure):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Added.
        (JSC::CallEdgeProfile::callEdges):
        (JSC::CallEdgeProfile::numCallsToKnownCells):
        (JSC::worthDespecifying):
        (JSC::CallEdgeProfile::worthDespecifying):
        (JSC::CallEdgeProfile::visitWeak):
        (JSC::CallEdgeProfile::addSlow):
        (JSC::CallEdgeProfile::mergeBack):
        (JSC::CallEdgeProfile::fadeByHalf):
        (JSC::CallEdgeLog::CallEdgeLog):
        (JSC::CallEdgeLog::~CallEdgeLog):
        (JSC::CallEdgeLog::isEnabled):
        (JSC::operationProcessCallEdgeLog):
        (JSC::CallEdgeLog::emitLogCode):
        (JSC::CallEdgeLog::processLog):
        * bytecode/CallEdgeProfile.h: Added.
        (JSC::CallEdgeProfile::numCallsToNotCell):
        (JSC::CallEdgeProfile::numCallsToUnknownCell):
        (JSC::CallEdgeProfile::totalCalls):
        * bytecode/CallEdgeProfileInlines.h: Added.
        (JSC::CallEdgeProfile::CallEdgeProfile):
        (JSC::CallEdgeProfile::add):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile):
        (JSC::CallLinkStatus::computeDFGStatuses):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::function): Deleted.
        (JSC::CallLinkStatus::internalFunction): Deleted.
        (JSC::CallLinkStatus::intrinsicFor): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::couldTakeSlowPath):
        (JSC::CallLinkStatus::edges):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::canTrustCounts):
        (JSC::CallLinkStatus::isClosureCall): Deleted.
        (JSC::CallLinkStatus::callTarget): Deleted.
        (JSC::CallLinkStatus::executable): Deleted.
        (JSC::CallLinkStatus::makeClosureCall): Deleted.
        * bytecode/CallVariant.cpp: Added.
        (JSC::CallVariant::dump):
        * bytecode/CallVariant.h: Added.
        (JSC::CallVariant::CallVariant):
        (JSC::CallVariant::operator!):
        (JSC::CallVariant::despecifiedClosure):
        (JSC::CallVariant::rawCalleeCell):
        (JSC::CallVariant::internalFunction):
        (JSC::CallVariant::function):
        (JSC::CallVariant::isClosureCall):
        (JSC::CallVariant::executable):
        (JSC::CallVariant::nonExecutableCallee):
        (JSC::CallVariant::intrinsicFor):
        (JSC::CallVariant::functionExecutable):
        (JSC::CallVariant::isHashTableDeletedValue):
        (JSC::CallVariant::operator==):
        (JSC::CallVariant::operator!=):
        (JSC::CallVariant::operator<):
        (JSC::CallVariant::operator>):
        (JSC::CallVariant::operator<=):
        (JSC::CallVariant::operator>=):
        (JSC::CallVariant::hash):
        (JSC::CallVariant::deletedToken):
        (JSC::CallVariantHash::hash):
        (JSC::CallVariantHash::equal):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::isNormalCall):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::~BasicBlock):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::takeLast):
        (JSC::DFG::BasicBlock::didLink):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processSetLocalQueue):
        (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::undoFunctionChecks):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::prepareToParseBlock):
        (JSC::DFG::ByteCodeParser::clearCaches):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::getBlocksInPreOrder):
        (JSC::DFG::Graph::visitChildren):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::switchLookupValue):
        * dfg/DFGLazyJSValue.h:
        (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
        * dfg/DFGNode.cpp:
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (JSC::DFG::OpInfo::OpInfo):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::cellOperand):
        (JSC::DFG::Node::setCellOperand):
        (JSC::DFG::Node::canBeKnownFunction): Deleted.
        (JSC::DFG::Node::hasKnownFunction): Deleted.
        (JSC::DFG::Node::knownFunction): Deleted.
        (JSC::DFG::Node::giveKnownFunction): Deleted.
        (JSC::DFG::Node::hasFunction): Deleted.
        (JSC::DFG::Node::function): Deleted.
        (JSC::DFG::Node::hasExecutable): Deleted.
        (JSC::DFG::Node::executable): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPhantomCanonicalizationPhase.cpp:
        (JSC::DFG::PhantomCanonicalizationPhase::run):
        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitch):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::ftlUnreachable):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
        (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
        (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
        (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::uses):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::ensureCallEdgeLog):
        * runtime/VM.h:
        * tests/stress/fold-profiled-call-to-call.js: Added. This test pinpoints the problem we saw in fast/storage/serialized-script-value.html.
        * tests/stress/new-array-then-exit.js: Added.
        * tests/stress/poly-call-exit-this.js: Added.
        * tests/stress/poly-call-exit.js: Added.

2014-08-28  Julien Brianceau   <jbriance@cisco.com>

        Correct GC length unit and prevent division by 0 in showObjectStatistics.
        https://bugs.webkit.org/show_bug.cgi?id=136340

        Reviewed by Mark Hahnenberg.

        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::showObjectStatistics):

2014-08-27  Akos Kiss  <akiss@inf.u-szeged.hu>

        Ensure that the call frame passed from JIT code via JSC::operationCallEval to JSC::eval always contains the valid scope chain.
        https://bugs.webkit.org/show_bug.cgi?id=136313

        Reviewed by Michael Saboff.

        Do not rely on calling conventions to fill in the CallerFrame component
        of the execCallee parameter of JSC::operationCallEval.

        * jit/JITOperations.cpp:

2014-08-27  Saam Barati  <sbarati@apple.com>

        Deconstruction object pattern node emits the wrong start/end text positions
        https://bugs.webkit.org/show_bug.cgi?id=136304

        Reviewed by Geoffrey Garen.

        Object pattern nodes that used the syntactic sugar binding: 
        'var {foo} = {foo:20}' instead of 'var {foo:foo} = {foo:20}' 
        would get the wrong text position for variable 'foo'. The position 
        would be placed on the comma(s)/closing brace instead of the identifier. 
        This patch fixes this bug by caching the identifier's JSToken before 
        trying to parse an optional colon.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::createBindingPattern):
        (JSC::Parser<LexerType>::parseDeconstructionPattern):
        * parser/Parser.h:

2014-08-27  Brent Fulgham  <bfulgham@apple.com>

        [Win] Build fix after last commit.

        Check in new DLLLauncherMain.cpp file.

        * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Added.
        (enableTerminationOnHeapCorruption):
        (getStringValue):
        (applePathFromRegistry):
        (appleApplicationSupportDirectory):
        (copyEnvironmentVariable):
        (prependPath):
        (fatalError):
        (directoryExists):
        (modifyPath):
        (getLastErrorString):
        (wWinMain):

2014-08-27  Brent Fulgham  <bfulgham@apple.com>

        [Win] testapi and testRegExp need to find support libraries.
        https://bugs.webkit.org/show_bug.cgi?id=136008.

        Reviewed by Dean Jackson.

        Revise the Windows build of jsc, testapi, and testRegExp so that they
        find and use the proper runtime support libraries.

        These locations vary between the Apple Windows build and WinCairo, and
        are generally not in the system PATH environment setting. Consequently,
        these applications fail on launch unless the user modifies their
        PATH.

        This patch revises these tools to work like WinLauncher and DumpRenderTree
        so that they run reliably.

        * API/tests/testapi.c:
        (dllLauncherEntryPoint): Added.
        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Add new build projects and
          provide proper dependencies with existing projects.
        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Ditto.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Switch to build
          a DLL, rather than an executable.
        * JavaScriptCore.vcxproj/jsc/jscCommon.props: Add shlwapi.lib
          to the list of libraries needed at link-time, and to use
          the DLL/Console combination entry point.
        * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Added.
        * JavaScriptCore.vcxproj/jsc/jscLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd.
        * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd.
        * JavaScriptCore.vcxproj/jsc/jscLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreLink.cmd.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Switch to build
          a DLL, rather than an executable.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Add shlwapi.lib
          to the list of libraries needed at link-time, and to use
          the DLL/Console combination entry point.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Added.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
        * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Switch to build
          a DLL, rather than an executable.
        * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Added.
        * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add shlwapi.lib
          to the list of libraries needed at link-time, and to use
          the DLL/Console combination entry point.
        * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
        * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
        * JavaScriptCore.vcxproj/testapi/testapiLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
        * jsc.cpp:
        (dllLauncherEntryPoint): Added.
        * testRegExp.cpp:
        (dllLauncherEntryPoint): Added.

2014-08-27  Julien Brianceau   <jbriance@cisco.com>

        Take advantage of 3 parameters or32() calls
        https://bugs.webkit.org/show_bug.cgi?id=136287

        Reviewed by Michael Saboff.

        For specific architectures (arm and mips for instance), or32() calls
        with 3 parameters are likely to produce a single instruction.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::branchIsOther):
        (JSC::DFG::SpeculativeJIT::branchNotOther):

2014-08-26  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: put feature flags for Inspector domains in the protocol specification
        https://bugs.webkit.org/show_bug.cgi?id=136027

        Reviewed by Timothy Hatcher.

        Remove the hardcoded map of domains to feature guards, and instead parse it from the specification.

        Test: inspector/scripts/tests/generate-domains-with-feature-guards.json

        * inspector/scripts/codegen/generator.py:
        (Generator.wrap_with_guard_for_domain):
        * inspector/scripts/codegen/models.py:
        (Protocol.parse_domain):
        (Domain.__init__):
        (Domains):
        * inspector/scripts/tests/generate-domains-with-feature-guards.json: Added.
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:

2014-08-26  Andy Estes  <aestes@apple.com>

        [Cocoa] Some projects are incorrectly installed to $BUILT_PRODUCTS_DIR
        https://bugs.webkit.org/show_bug.cgi?id=136267

        Reviewed by Dan Bernstein.

        INSTALL_PATH was set to $BUILT_PRODUCTS_DIR for engineering configurations in r20225 as part of a build fix.
        Not only is this no longer necessary to build, but it causes built products to be incorrectly installed in
        engineering configurations.

        Remove the setting of INSTALL_PATH from the pbxproj file so that the value specified in the xcconfig files is
        used instead.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-26  Michael Saboff  <msaboff@apple.com>

        [Win] 64-bit JavaScriptCore crashes on launch
        https://bugs.webkit.org/show_bug.cgi?id=136241

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:
        (vmEntryRecord): X86_64_WIN doesn't use "a0" (rax) for the first argument, it uses
        "t2" (rcx).  Changed to get the input parameter using the correct register.

2014-08-26  Saam Barati  <sbarati@apple.com>

        TypeSet caches structureIDs even after the corresponding Structure could be GCed
        https://bugs.webkit.org/show_bug.cgi?id=136178

        Reviewed by Geoffrey Garen.

        Currently, TypeSet will never remove StructureIDs from its cache,
        even after the corresponding Structures could be garbage collected.
        Now, when the Garbage Collector collects, and type profiling is 
        enabled, the Garbage Collector will invalidate all TypeSet caches.

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::invalidateCache):
        * runtime/TypeSet.h:
        * runtime/VM.cpp:
        (JSC::VM::invalidateTypeSetCache):
        * runtime/VM.h:

2014-08-26  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
        https://bugs.webkit.org/show_bug.cgi?id=136187

        Reviewed by Mark Hahnenberg.

        Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
        doesn't require a tag for the second argument, instead it fills in a CellTag.  This is
        used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
        haven't set up a register with a tag and we know that argument 2 is a cell.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
        with CellTag as it wasn't in the control flow for the slow path that needed the tag.
        Instead changed to calling new version of callOperation with an implicit CellTag.

2014-08-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172940.
        https://bugs.webkit.org/show_bug.cgi?id=136256

        Caused assertions on fast/storage/serialized-script-
        value.html, and possibly flakiness on more tests (Requested by
        ap on #webkit).

        Reverted changeset:

        "FTL should be able to do polymorphic call inlining"
        https://bugs.webkit.org/show_bug.cgi?id=135145
        http://trac.webkit.org/changeset/172940

2014-08-26  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests.
        https://bugs.webkit.org/show_bug.cgi?id=136165

        Reviewed by Mark Hahnenberg.

        Changed switch case GetDirectPname: to always use the slow path for X86 since it only has
        6 registers available, but the code requires 7.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-08-25  Saam Barati  <sbarati@apple.com>

        TypeProfiler search breaks on return statements
        https://bugs.webkit.org/show_bug.cgi?id=136201

        Reviewed by Filip Pizlo.

        Searching for return statements in the TypeProfiler currently 
        breaks down because it expected to see the search descriptor 
        TypeProfilerSearchDescriptorFunctionReturn when looking for 
        return statements in the actual source code of the program. 
        But, TypeProfilerSearchDescriptorFunctionReturn search descriptor 
        is reserved for looking for return statements that aren't in the 
        actual source code of the program, but when asking for the 
        aggregate return type of a function. Now, searching for 
        return statements in the actual source code of the program will 
        work when passing in the search descriptor TypeProfilerSearchDescriptorNormal.  

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * runtime/TypeProfiler.cpp:
        (JSC::TypeProfiler::findLocation):
        (JSC::descriptorMatchesTypeLocation): Deleted.

2014-08-25  Saam Barati  <sbarati@apple.com>

        Return statement TypeSet's might be duplicated
        https://bugs.webkit.org/show_bug.cgi?id=136200

        Reviewed by Filip Pizlo.

        Currently, the globalTypeSet that converges the types of all 
        return statements in a function lives off of CodeBlock. It lives 
        off CodeBlock because of a faulty assumption that CodeBlock 
        will have a one to one mapping with a function in the source 
        text of the program. (Currently, there isn't an actual bug 
        with this design because TypeLocationCache will hash cons to 
        the same TypeLocation, but this is still an incorrect design). 
        In this patch, the globalTypeSet for function return statements  
        is moved to the FunctionExecutable object which does have a one 
        to one mapping with functions in the source text of a program.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::returnStatementTypeSet): Deleted.
        * runtime/Executable.h:
        (JSC::FunctionExecutable::returnStatementTypeSet):

2014-08-24  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to do polymorphic call inlining
        https://bugs.webkit.org/show_bug.cgi?id=135145

        Reviewed by Geoffrey Garen.
        
        Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
        baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
        inlining sites use the call edge profile if it is available, but they will still fall back
        on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
        multiple possible callees can be inlined with a switch to guard them. The slow path may
        either be an OSR exit or a virtual call.
        
        The call edge profiling added in this patch is very precise - it will tell you about every
        call that has ever happened. It took some effort to reduce the overhead of this profiling.
        This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
        in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
        it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
        I also experimented with reducing the precision of the profiling. This led to a significant
        reduction in the speed-up, so I avoided this approach. I also explored making log processing
        concurrent, but that didn't help. Also, I tested the overhead of the log processing and
        found that most of the overhead of this profiling is actually in putting things into the log
        rather than in processing the log - that part appears to be surprisingly cheap.
        
        Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
        and if we guarded such inlining sites with some profiling mechanism to detect
        polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
        it's actually monomorphic).
        
        This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
        other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
        on anything we care about. Some aggregates, like V8Spider, see a regression. This is
        highlighting the increase in profiling overhead. But since this doesn't show up on any major
        score (code-load or SunSpider), it's probably not relevant.
        
        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CallEdge.cpp: Added.
        (JSC::CallEdge::dump):
        * bytecode/CallEdge.h: Added.
        (JSC::CallEdge::operator!):
        (JSC::CallEdge::callee):
        (JSC::CallEdge::count):
        (JSC::CallEdge::despecifiedClosure):
        (JSC::CallEdge::CallEdge):
        * bytecode/CallEdgeProfile.cpp: Added.
        (JSC::CallEdgeProfile::callEdges):
        (JSC::CallEdgeProfile::numCallsToKnownCells):
        (JSC::worthDespecifying):
        (JSC::CallEdgeProfile::worthDespecifying):
        (JSC::CallEdgeProfile::visitWeak):
        (JSC::CallEdgeProfile::addSlow):
        (JSC::CallEdgeProfile::mergeBack):
        (JSC::CallEdgeProfile::fadeByHalf):
        (JSC::CallEdgeLog::CallEdgeLog):
        (JSC::CallEdgeLog::~CallEdgeLog):
        (JSC::CallEdgeLog::isEnabled):
        (JSC::operationProcessCallEdgeLog):
        (JSC::CallEdgeLog::emitLogCode):
        (JSC::CallEdgeLog::processLog):
        * bytecode/CallEdgeProfile.h: Added.
        (JSC::CallEdgeProfile::numCallsToNotCell):
        (JSC::CallEdgeProfile::numCallsToUnknownCell):
        (JSC::CallEdgeProfile::totalCalls):
        * bytecode/CallEdgeProfileInlines.h: Added.
        (JSC::CallEdgeProfile::CallEdgeProfile):
        (JSC::CallEdgeProfile::add):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::computeFromLLInt):
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::computeFromCallEdgeProfile):
        (JSC::CallLinkStatus::computeDFGStatuses):
        (JSC::CallLinkStatus::isClosureCall):
        (JSC::CallLinkStatus::makeClosureCall):
        (JSC::CallLinkStatus::dump):
        (JSC::CallLinkStatus::function): Deleted.
        (JSC::CallLinkStatus::internalFunction): Deleted.
        (JSC::CallLinkStatus::intrinsicFor): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::isSet):
        (JSC::CallLinkStatus::couldTakeSlowPath):
        (JSC::CallLinkStatus::edges):
        (JSC::CallLinkStatus::size):
        (JSC::CallLinkStatus::at):
        (JSC::CallLinkStatus::operator[]):
        (JSC::CallLinkStatus::canOptimize):
        (JSC::CallLinkStatus::canTrustCounts):
        (JSC::CallLinkStatus::isClosureCall): Deleted.
        (JSC::CallLinkStatus::callTarget): Deleted.
        (JSC::CallLinkStatus::executable): Deleted.
        (JSC::CallLinkStatus::makeClosureCall): Deleted.
        * bytecode/CallVariant.cpp: Added.
        (JSC::CallVariant::dump):
        * bytecode/CallVariant.h: Added.
        (JSC::CallVariant::CallVariant):
        (JSC::CallVariant::operator!):
        (JSC::CallVariant::despecifiedClosure):
        (JSC::CallVariant::rawCalleeCell):
        (JSC::CallVariant::internalFunction):
        (JSC::CallVariant::function):
        (JSC::CallVariant::isClosureCall):
        (JSC::CallVariant::executable):
        (JSC::CallVariant::nonExecutableCallee):
        (JSC::CallVariant::intrinsicFor):
        (JSC::CallVariant::functionExecutable):
        (JSC::CallVariant::isHashTableDeletedValue):
        (JSC::CallVariant::operator==):
        (JSC::CallVariant::operator!=):
        (JSC::CallVariant::operator<):
        (JSC::CallVariant::operator>):
        (JSC::CallVariant::operator<=):
        (JSC::CallVariant::operator>=):
        (JSC::CallVariant::hash):
        (JSC::CallVariant::deletedToken):
        (JSC::CallVariantHash::hash):
        (JSC::CallVariantHash::equal):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::isNormalCall):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::~BasicBlock):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::takeLast):
        (JSC::DFG::BasicBlock::didLink):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processSetLocalQueue):
        (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::undoFunctionChecks):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::prepareToParseBlock):
        (JSC::DFG::ByteCodeParser::clearCaches):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::visitChildren):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::switchLookupValue):
        * dfg/DFGLazyJSValue.h:
        (JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
        * dfg/DFGNode.cpp:
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (JSC::DFG::OpInfo::OpInfo):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::cellOperand):
        (JSC::DFG::Node::setCellOperand):
        (JSC::DFG::Node::canBeKnownFunction): Deleted.
        (JSC::DFG::Node::hasKnownFunction): Deleted.
        (JSC::DFG::Node::knownFunction): Deleted.
        (JSC::DFG::Node::giveKnownFunction): Deleted.
        (JSC::DFG::Node::hasFunction): Deleted.
        (JSC::DFG::Node::function): Deleted.
        (JSC::DFG::Node::hasExecutable): Deleted.
        (JSC::DFG::Node::executable): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPhantomCanonicalizationPhase.cpp:
        (JSC::DFG::PhantomCanonicalizationPhase::run):
        * dfg/DFGPhantomRemovalPhase.cpp:
        (JSC::DFG::PhantomRemovalPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitch):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureRegistrationPhase.cpp:
        (JSC::DFG::StructureRegistrationPhase::run):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::ftlUnreachable):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckCell):
        (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
        (JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
        (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::loadValue):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::uses):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::ensureCallEdgeLog):
        * runtime/VM.h:
        * tests/stress/new-array-then-exit.js: Added.
        (foo):
        * tests/stress/poly-call-exit-this.js: Added.
        * tests/stress/poly-call-exit.js: Added.

2014-08-22  Michael Saboff  <msaboff@apple.com>

        After r172867 another crash in in js/dom/line-column-numbers.html
        https://bugs.webkit.org/show_bug.cgi?id=136192

        Reviewed by Geoffrey Garen.

        In lookupExceptionHandlerFromCallerFrame(), We need to use the caller's CallFrame
        and VMEntryFrame when calling genericUnwind().  NativeCallFrameTracerWithRestore()
        does that for us.

        In general, NativeCallFrameTracerWithRestore(), restores the values because we may
        do more processing that requires the current callFrame and vmEntryFrame before we
        get to the catch handler where we change these to the catch values.  In this
        particular case, that restoration isn't currently needed, but we add complexity
        and possible future confusion if we create another NativeCallFrameTracerXXX()
        version that doesn't restore the values.

        * jit/JITOperations.cpp:
        (JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to
        NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated
        before calling genericUnwind().

2014-08-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: rename Inspector::TypeBuilder to Inspector::Protocol
        https://bugs.webkit.org/show_bug.cgi?id=136031

        Reviewed by Timothy Hatcher.

        Rename TypeBuilder namespace to Protocol. Disambiguate where
        necessary. Also rename InspectorTypeBuilder to ProtocolTypes.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/ConsoleMessage.cpp:
        (Inspector::messageSourceValue):
        (Inspector::messageTypeValue):
        (Inspector::messageLevelValue):
        (Inspector::ConsoleMessage::addToFrontend):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::wrapCallFrames):
        (Inspector::InjectedScript::wrapObject):
        (Inspector::InjectedScript::wrapTable):
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InspectorTypeBuilder.h: Removed.
        * inspector/ScriptCallFrame.cpp:
        (Inspector::ScriptCallFrame::buildInspectorObject):
        * inspector/ScriptCallFrame.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::inspect):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::breakpointActionTypeForString):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::getFunctionDetails):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorProfilerAgent.cpp:
        (Inspector::InspectorProfilerAgent::createProfileHeader):
        (Inspector::InspectorProfilerAgent::getProfileHeaders):
        (Inspector::buildInspectorObject):
        (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
        (Inspector::InspectorProfilerAgent::getCPUProfile):
        * inspector/agents/InspectorProfilerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::buildErrorRangeObject):
        (Inspector::InspectorRuntimeAgent::parse):
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/__init__.py:
        * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
        (BackendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
        (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
        (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
        (FrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
        (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_type_builder_header.py: Removed.
        * inspector/scripts/codegen/generate_type_builder_implementation.py: Removed.
        * inspector/scripts/codegen/generator.py:
        (Generator.protocol_type_string_for_type):
        (Generator.protocol_type_string_for_type_member):
        (Generator.type_string_for_type_with_name):
        (Generator.type_string_for_formal_out_parameter):
        (Generator.type_string_for_formal_async_parameter):
        (Generator.type_string_for_stack_in_parameter):
        (Generator.type_string_for_stack_out_parameter):
        (Generator.assertion_method_for_type_member.assertion_method_for_type):
        (Generator.assertion_method_for_type_member):
        (Generator.type_builder_string_for_type): Deleted.
        (Generator.type_builder_string_for_type_member): Deleted.
        * inspector/scripts/codegen/generator_templates.py:
        (Inspector):
        * inspector/scripts/generate-inspector-protocol-bindings.py:
        (generate_from_specification):
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
        * runtime/HighFidelityTypeProfiler.cpp:
        (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
        * runtime/HighFidelityTypeProfiler.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allPrimitiveTypeNames):
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2014-08-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: Rename DOM.RGBA and remove workarounds in the bindings generator
        https://bugs.webkit.org/show_bug.cgi?id=136025

        Reviewed by Joseph Pecoraro.

        This workaround can be removed since it is no longer necessary.

        * inspector/scripts/codegen/models.py:
        (TypeReference.__init__):
        (Type.raw_name):
        (TypeDeclaration.__init__):
        * inspector/scripts/tests/type-declaration-object-type.json: Remove related test input.
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Rebaseline.

2014-08-23  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Do not copy large module source strings
        https://bugs.webkit.org/show_bug.cgi?id=136191

        Reviewed by Benjamin Poulain.

        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptSource):

2014-08-21  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test
        https://bugs.webkit.org/show_bug.cgi?id=136111

        Reviewed by Filip Pizlo.

        The problem was that we weren't properly handling VM::topVMEntryFrame in two ways.

        First in the case where we get an exception of a stack overflow during setup of the direct
        callee frame of a VM entry frame, we need to throw the exception in the caller's frame.
        This requires unrolling topVMEntryFrame while creating the exception object.  This is
        accomplished with the renamed NativeCallFrameTracerWithRestore object.  As part of this,
        split the JIT rollback exception handling to call a new helper,
        callLookupExceptionHandlerFromCallerFrame, which will unroll the callFrame and VMEntryFrame.

        Second, when we unwind to find a handler, we also need to unwind topVMCallFrame for the
        case where we end up (re)throwing another exception after entering the catch block, but
        before another vmEntry call.  Added VM::vmEntryFrameForThrow as a way similar to
        VM::callFrameForThrow to pass the appropriate VMENtryFrame to the catch block.


        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        Split out the unroll cases to use the new helper callLookupExceptionHandlerFromCallerFrame()
        to unwind both the callFrame and topVMEntryFrame.

        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        Added VMEntryFrame as another component to unwind.

        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
        (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
        Renamed and changed to save and restore topCallFrame and topVMEntryFrame around the setting of
        both values.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::gotoNextFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::vmEntryFrame):
        Added code to unwind the VMEntryFrame.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler): Updated comment to indicate that the value
        the handler should use for VM::topEntryFrame is in VM::vmEntryFrameForThrow.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Added code to update VM::topVMEntryFrame from VM::vmEntryFrameForThrowOffset.

        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationThrowStackOverflowError):
        (JSC::operationCallArityCheck):
        (JSC::operationConstructArityCheck):

        * runtime/VM.h:
        (JSC::VM::vmEntryFrameForThrowOffset):
        (JSC::VM::topVMEntryFrameOffset):
        Added as the side channel to return the topVMEntryFrame that the handler should use.

2014-08-22  Daniel Bates  <dabates@apple.com>

        [iOS] Disable ENABLE_IOS_{GESTURE, TOUCH}_EVENTS, and temporarily disable ENABLE_TOUCH_EVENTS
        and ENABLE_XSLT when building with the iOS public SDK
        https://bugs.webkit.org/show_bug.cgi?id=135945

        Reviewed by Andy Estes.

        * Configurations/FeatureDefines.xcconfig:

2014-08-22  Jon Lee  <jonlee@apple.com>

        Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
        https://bugs.webkit.org/show_bug.cgi?id=136157

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE(RUBBER_BANDING).

2014-08-21  Mark Lam  <mark.lam@apple.com>

        r171362 accidentally increased the size of InlineCallFrame.
        <https://webkit.org/b/136141>

        Reviewed by Filip Pizlo.

        r171362 increased the size of InlineCallFrame::kind to 2 bits.  This increased
        the size of InlineCallFrame from 72 to 80 though not intentionally.  The fix
        is to reduce the size of InlineCallFrame::stackOffset to 29 bits.

        Also added an assert to ensure that we never set a value that exceeds the size
        of InlineCallFrame::stackOffset.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::setStackOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):

2014-08-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: RetainPtr misuse, CFRunLoopSource leak
        https://bugs.webkit.org/show_bug.cgi?id=136143

        Reviewed by Timothy Hatcher.

        Adopt a Create into the RetainPtr to avoid leaking.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):

2014-08-21  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
        <https://webkit.org/b/136123>

        Reviewed by Filip Pizlo.

        The original patch in r172808 removed the code to skip the top scope in
        the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
        This patch fixes that and achieves parity.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitResolveClosure):

2014-08-21  Zalan Bujtas  <zalan@apple.com>

        Enable SATURATED_LAYOUT_ARITHMETIC.
        https://bugs.webkit.org/show_bug.cgi?id=136106

        Reviewed by Simon Fraser.

        SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
        (No measurable performance regression on Mac.)

        * Configurations/FeatureDefines.xcconfig:

2014-08-20  Saam Barati  <sbarati@apple.com>

        Fix how CodeBlock dumps the opcode op_profile_type
        https://bugs.webkit.org/show_bug.cgi?id=136088

        Reviewed by Filip Pizlo.

        op_profile_type was modified to receive two extra arguments,
        but its dump in CodeBlock::dumpBytecode wasn't changed to 
        account for this, so it broke CodeBlock::dumpBytecode when
        op_profile_type was in the stream of bytecode instructions.
        CodeBlock::dumpBytecode now accounts for the change in 
        op_profile_type's arity.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-08-20  Saam Barati  <sbarati@apple.com>

        Rename HighFidelityTypeProfiling variables for more clarity
        https://bugs.webkit.org/show_bug.cgi?id=135899

        Reviewed by Geoffrey Garen.

        Many names that are used in the type profiling infrastructure
        prefix themselves with "HighFidelity" or include the words "high"
        and/or "fidelity" in some way. But the words "high" and "fidelity" don't 
        add anything descriptive to the names surrounding type profiling. 
        So this patch removes all uses of "HighFidelity" and its variants.

        Most renamings change "HighFidelity*" to "TypeProfiler*" or simply 
        drop the prefix "HighFidelity" all together. Now, almost all names 
        in relation to type profiling contain in them "TypeProfiler" or 
        "TypeProfiling" or some combination of the words "type" and "profile".

        This patch also changes how we check if type profiling is enabled:
        We no longer call vm::isProfilingTypesWithHighFidelity. We now just 
        check that vm::typeProfiler is not null.

        This patch also changes all calls to TypeProfilerLog::processLogEntries
        to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/TypeLocation.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
        (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
        (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
        (JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
        (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
        (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
        (JSC::BytecodeGenerator::emitProfileType):
        (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
        (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::EmptyVarExpression::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
        (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
        (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
        (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
        (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_type):
        (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
        * jit/JITOperations.cpp:
        * jsc.cpp:
        (functionDumpTypesForAllVariables):
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::typeProfilingStartOffset):
        (JSC::ScriptExecutable::typeProfilingEndOffset):
        (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
        (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
        * runtime/HighFidelityLog.cpp: Removed.
        * runtime/HighFidelityLog.h: Removed.
        * runtime/HighFidelityTypeProfiler.cpp: Removed.
        * runtime/HighFidelityTypeProfiler.h: Removed.
        * runtime/Options.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::prepareForTypeProfiling):
        (JSC::SymbolTable::uniqueIDForVariable):
        (JSC::SymbolTable::uniqueIDForRegister):
        (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
        * runtime/SymbolTable.h:
        * runtime/TypeProfiler.cpp: Added.
        (JSC::TypeProfiler::logTypesForTypeLocation):
        (JSC::TypeProfiler::insertNewLocation):
        (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
        (JSC::descriptorMatchesTypeLocation):
        (JSC::TypeProfiler::findLocation):
        * runtime/TypeProfiler.h: Added.
        (JSC::QueryKey::QueryKey):
        (JSC::QueryKey::isHashTableDeletedValue):
        (JSC::QueryKey::operator==):
        (JSC::QueryKey::hash):
        (JSC::QueryKeyHash::hash):
        (JSC::QueryKeyHash::equal):
        (JSC::TypeProfiler::functionHasExecutedCache):
        (JSC::TypeProfiler::typeLocationCache):
        * runtime/TypeProfilerLog.cpp: Added.
        (JSC::TypeProfilerLog::initializeLog):
        (JSC::TypeProfilerLog::~TypeProfilerLog):
        (JSC::TypeProfilerLog::processLogEntries):
        * runtime/TypeProfilerLog.h: Added.
        (JSC::TypeProfilerLog::LogEntry::structureIDOffset):
        (JSC::TypeProfilerLog::LogEntry::valueOffset):
        (JSC::TypeProfilerLog::LogEntry::locationOffset):
        (JSC::TypeProfilerLog::TypeProfilerLog):
        (JSC::TypeProfilerLog::recordTypeInformationForLocation):
        (JSC::TypeProfilerLog::logEndPtr):
        (JSC::TypeProfilerLog::logStartOffset):
        (JSC::TypeProfilerLog::currentLogEntryOffset):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::enableTypeProfiler):
        (JSC::VM::disableTypeProfiler):
        (JSC::VM::dumpTypeProfilerData):
        (JSC::VM::enableHighFidelityTypeProfiling): Deleted.
        (JSC::VM::disableHighFidelityTypeProfiling): Deleted.
        (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
        * runtime/VM.h:
        (JSC::VM::typeProfilerLog):
        (JSC::VM::typeProfiler):
        (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
        (JSC::VM::highFidelityLog): Deleted.
        (JSC::VM::highFidelityTypeProfiler): Deleted.

2014-08-20  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r172799.

        * disassembler/ARM64/A64DOpcode.cpp:
        * disassembler/ARM64Disassembler.cpp:

2014-08-20  Oliver Hunt  <oliver@apple.com>

        Stop implicitly skipping a function's own activation when walking the scope chain
        https://bugs.webkit.org/show_bug.cgi?id=136118

        Reviewed by Geoffrey Garen.

        Remove the current logic that implicitly skips a function's
        own activation when walking the scope chain. This is ground
        work for ensuring that all closed variable access is made
        through the function's activation. This leads to a further
        10% regression on earley, but we're already tracking the
        overall performance regression.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getScope):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitResolveClosure):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSScope.cpp:
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:

2014-08-20  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
        https://bugs.webkit.org/show_bug.cgi?id=136034

        Reviewed by Mark Lam.

        DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle
        of the stack.  Hardened StackVisitor to skip over the frames between the current top frame
        and the requested start frame.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):

2014-08-20  Brent Fulgham  <bfulgham@apple.com>

        [Win] JavaScriptCore.dll is missing version information.
        https://bugs.webkit.org/show_bug.cgi?id=136105
        <rdar://problem/18075852>

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Add missing step to generate
        version information for intermediary build path.

2014-08-20  Saam Barati  <sbarati@apple.com>

        Fix a memory leak in TypeSet
        https://bugs.webkit.org/show_bug.cgi?id=135913

        Reviewed by Filip Pizlo.

        Currently, TypeSet unconditionally allocates memory for its member
        variable m_structureHistory, but never deallocates it. Change this 
        from being a pointer that is unconditionally allocated to a member 
        variable that will be deallocated when TypeSet itself is deallocated.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::TypeSet):
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::seenTypes):
        (JSC::TypeSet::displayName):
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::leastCommonAncestor):
        * runtime/TypeSet.h:

2014-08-20  peavo@outlook.com  <peavo@outlook.com>

        [Win] Assertion fails when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=136103

        Reviewed by Darin Adler.

        Use unsigned bitfield member instead of enum bitfield member to avoid negative values.

        * bytecode/CodeOrigin.h: Use unsigned bitfield member.
        (JSC::InlineCallFrame::specializationKind): Compile fix.

2014-08-20  Akos Kiss  <akiss@inf.u-szeged.hu>

        Enable ARM64 disassembler on EFL
        https://bugs.webkit.org/show_bug.cgi?id=136089

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        Added disassembler/ARM64Disassembler.cpp and
        disassembler/ARM64/A64DOpcode.cpp to JavaScriptCore_SOURCES.

        * disassembler/ARM64/A64DOpcode.cpp:
        Added USE(ARM64_DISASSEMBLER) guard around implementation.

        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
        (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
        Made format strings portable by changing "%llx" to "%" PRIx64 for
        uint64_t arguments.

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r172401): for-in optimization no longer works at all
        https://bugs.webkit.org/show_bug.cgi?id=136056

        Reviewed by Geoffrey Garen.
        
        Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
        would instacrash every time.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::base): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::getStructurePropertyNames):
        (JSC::JSProxy::getGenericPropertyNames):
        * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned-later.js: Added.
        (foo):
        * tests/stress/for-in-base-reassigned.js: Added.
        (foo):
        * tests/stress/for-in-proxy-target-changed-structure.js: Added.
        (deleteAll):
        (foo):
        * tests/stress/for-in-proxy.js: Added.
        (foo):

2014-08-19  Jaehun Lim  <ljaehun.lim@samsung.com>

        Unreviewed, fix EFL build after r17275

        Fix error: ignoring #pragma clang diagnostic [-Werror=unknown-pragmas]

        * runtime/JSDataViewPrototype.cpp:
        Add #if COMPILER(CLANG) and #endif.

2014-08-19  Michael Saboff  <msaboff@apple.com>

        Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
        https://bugs.webkit.org/show_bug.cgi?id=136080

        Reviewed by Mark Lam.

        Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
        to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
        frame.  In that case, the caller will have the prior VM entry frame.

        The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
        an exception from a caller frame.  The value to use for the VMEntryFrame should be a
        value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.

        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
        VMEntryFrame.  Added an ASSERT to both constructors to check that the updated topCallFrame
        is below the current vmEntryFrame.

        * jit/JITOperations.cpp:
        (JSC::operationThrowStackOverflowError):
        (JSC::operationCallArityCheck):
        (JSC::operationConstructArityCheck):
        Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.

2014-08-19  Andy Estes  <aestes@apple.com>

        [Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
        https://bugs.webkit.org/show_bug.cgi?id=136086

        Reviewed by Filip Pizlo.

        Enclosed arguments to asm.rb containing $BUILT_PRODUCTS_DIR in double quotes so that they don't get split on
        whitespace. Also let Xcode have its way with an unrelated part of the project file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        LLInt build should be way faster
        https://bugs.webkit.org/show_bug.cgi?id=136085

        Reviewed by Geoffrey Garen.
        
        This does three things to improve the LLInt build performance. One of them is only for
        Xcode for now while the others should benefit all platforms:
        
        - Don't exponentially build settings combinations that correspond to being on two backends
          simultaneously. This is by far the biggest win.
        
        - Don't generate offset extraction code for backends that aren't supported by the current
          port. This currently only works on Xcode-based ports. This is a relatively small win.
        
        - Remove the ALWAYS_ALLOCATE_SLOW option. Each option increases build time, and we haven't
          used this one in a long time. Anyway, setting this option could be emulated by just
          directly hacking the code.
        
        This is an enormous speed-up in the LLInt build.

        * JavaScriptCore.xcodeproj/project.pbxproj: Prune the set of backends that we should consider on Xcode-based platforms.
        * llint/LLIntOfflineAsmConfig.h: Remove ALWAYS_ALLOCATE_SLOW
        * llint/LowLevelInterpreter.asm: Remove ALWAYS_ALLOCATE_SLOW
        * offlineasm/backends.rb: Add infrastructure for reasoning about valid backends.
        * offlineasm/generate_offset_extractor.rb: Allow the client to specify a filtered set of valid backends.
        * offlineasm/settings.rb: Improve the construction of settings combinations so that it doesn't traverse the enourmous set of obviously invalid multi-backend combinations. Also glue into support for valid backends.

2014-08-19  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation and style in LowLevelInterpreter.asm
        https://bugs.webkit.org/show_bug.cgi?id=136083

        Reviewed by Mark Lam.

        * llint/LowLevelInterpreter.asm:

2014-08-19  Magnus Granberg  <zorry@gentoo.org>

        TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
        https://bugs.webkit.org/show_bug.cgi?id=70610

        Reviewed by Darin Adler.

        Setup %ebx so we can use the plt.

        * jit/ThunkGenerators.cpp:

2014-08-19  Zalan Bujtas  <zalan@apple.com>

        Remove ENABLE(SUBPIXEL_LAYOUT).
        https://bugs.webkit.org/show_bug.cgi?id=136077

        Reviewed by Simon Fraser.

        Remove compile time flag SUBPIXEL_LAYOUT. All ports have it enabled for a while now.

        * Configurations/FeatureDefines.xcconfig:

2014-08-19  Alex Christensen  <achristensen@webkit.org>

        [CMake] Generate LLInt assembly correctly on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135888

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        Generate LowLevelInterpreterWin.asm instead of LLIntAssembly.h on Windows like the existing build system.
        * PlatformWin.cmake:
        Don't build JSGlobalObjectInspectorController.cpp on Windows.
        * offlineasm/x86.rb:
        Detect non-cygwin ruby installations correctly.

2014-08-19  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r163179): It broke the build on ARM Thumb2 with GCC
        https://bugs.webkit.org/show_bug.cgi?id=136028

        Reviewed by Oliver Hunt.

        Added back ARMv7 conditionals around three op addp and subp since ARM Thumb2 spec says that
        the behavior for those ops are undefined.  This was originally done in changeset 163179.

        * llint/LowLevelInterpreter32_64.asm:

2014-08-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172741.
        https://bugs.webkit.org/show_bug.cgi?id=136058

        This change is breaking PLT. (Requested by mlam on #webkit).

        Reverted changeset:

        "REGRESSION(r172401): for-in optimization no longer works at
        all"
        https://bugs.webkit.org/show_bug.cgi?id=136056
        http://trac.webkit.org/changeset/172741

2014-08-18  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r172401): for-in optimization no longer works at all
        https://bugs.webkit.org/show_bug.cgi?id=136056

        Reviewed by Mark Hahnenberg.
        
        This is a partial roll-out of r172401. It turns out that the fix wasn't actually fixing a
        real bug (since it's fine to use op_get_direct_pname on the wrong base because it has a
        structure check) and it was actually breaking the entire for-in optimization (since there is
        no way that we can statically prove that the base matches, because the base we see is a
        newly created temporary, and anyway doing it right would be really hard in our bytecode
        because it's 3AC form).
        
        But, I added a new test for the problem, and kept the original test. Both the old test and
        the new test prove that r172401 wasn't fixing what it thought it was fixing. To the extent
        that it resolved crashes it was because it just disabled the for-in optimization entirely.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        (JSC::ForInContext::base): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * tests/stress/for-in-base-reassigned.js: Added.
        * tests/stress/for-in-base-reassigned-later.js: Added.
        * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.

2014-08-18  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix for non-Mac builds after r172737.
        https://bugs.webkit.org/show_bug.cgi?id=135750

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-18  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
        https://bugs.webkit.org/show_bug.cgi?id=135750

        Reviewed by Mark Lam.
        
        This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
        could sometimes perform an optimization that requires a structure to be alive but forget to
        ensure that the structure is actually kept alive. In particular, any watchpoint-based
        optimizations involve setting watchpoints even if the code that got optimized is eventually
        deleted because it is unreachable. All such optimizations would leave behind something in
        the IR to tell us that we are interested in the structure and that therefore it should be
        kept alive. But, IR can be deleted if it is unreachable.
        
        The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
        to the set of weak references.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::setOSREntryValue):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::normalizeClarity):
        (JSC::DFG::AbstractValue::assertIsRegistered):
        (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::assertIsRegistered):
        (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::contains):
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        (JSC::DFG::DesiredWeakReferences::visitChildren):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::registerFrozenValues):
        (JSC::DFG::Graph::convertToConstant):
        (JSC::DFG::Graph::registerStructure):
        (JSC::DFG::Graph::assertIsRegistered):
        (JSC::DFG::Graph::assertIsWatched): Deleted.
        * dfg/DFGGraph.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStructureAbstractValue.cpp:
        (JSC::DFG::StructureAbstractValue::assertIsRegistered):
        (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::assertIsRegistered):
        (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
        * dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.
        (JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
        (JSC::DFG::StructureRegistrationPhase::run):
        (JSC::DFG::StructureRegistrationPhase::registerStructures):
        (JSC::DFG::StructureRegistrationPhase::registerStructure):
        (JSC::DFG::performStructureRegistration):
        (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
        (JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
        (JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
        (JSC::DFG::performWatchableStructureWatching): Deleted.
        * dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
        * dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
        * dfg/DFGWatchableStructureWatchingPhase.h: Removed.

2014-08-18  Akos Kiss  <akiss@inf.u-szeged.hu>

        Fix ASSERT in ARM64's JSC::GPRInfo::debugName
        https://bugs.webkit.org/show_bug.cgi?id=136050

        Reviewed by Darin Adler.

        Remove cast of GPRReg to unsigned to prevent signed/unsigned comparison
        error.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::debugName):

2014-08-18  Andreas Kling  <akling@apple.com>

        REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
        <https://webkit.org/b/133574>
        <rdar://problem/18051847>

        The optimization that resolves JSRopeStrings into an existing
        AtomicString (to save time and memory by avoiding StringImpl allocation)
        had a bug that it wasn't copying the 8-bit flag from the AtomicString.

        This could lead to a situation where a 16-bit StringImpl containing
        only 8-bit characters is sitting in the AtomicString table, is found
        by the rope resolution optimization, and gives you a rope that thinks
        it's all 8-bit, but has a fiber with 16-bit characters.

        Resolving that rope will then yield incorrect results.

        This was all caught by an assertion, but very hard to reproduce.

        Test: js/dopey-rope-with-16-bit-propertyname.html

        Reviewed by Darin Adler.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString):
        (JSC::JSRopeString::resolveRopeToExistingAtomicString):
        * runtime/JSString.h:
        (JSC::JSString::setIs8Bit):
        (JSC::JSString::toExistingAtomicString):

2014-08-18  Matthew Mirman  <mmirman@apple.com>

        Merges the two native inlining passes from the build.
        Also adds the AvailableExternallyLinkage assertion to linked 
        functions to allow unused and duplicate ones to be removed.
        https://bugs.webkit.org/show_bug.cgi?id=135526

        Reviewed by Filip Pizlo.

        * JavaScriptCore.xcodeproj/project.pbxproj: 
        Removed second generation of llvm binary files.
        Fixed the flags on the first pass. 
        * build-symbol-table-index.py: Modified some paths.
        * build-symbol-table-index.sh: Removed.
        * copy-llvm-ir-to-derived-sources.sh: Now calls build-symbol-table-index directly.
        * ftl/FTLLowerDFGToLLVM.cpp: Added LLVMAvailableExternallyLinkage assertion.
        (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): 
        * runtime/ArrayPrototype.cpp: Removed static declarations. 
        * runtime/DateConstructor.cpp: ditto.
        (JSC::dateParse):
        (JSC::dateNow):
        (JSC::dateUTC):
        * runtime/DatePrototype.cpp: ditto.
        * runtime/JSDataViewPrototype.cpp: ditto on both.
        (JSC::dataViewProtoFuncGetInt8):
        (JSC::dataViewProtoFuncGetInt16):
        (JSC::dataViewProtoFuncGetInt32):
        (JSC::dataViewProtoFuncGetUint8):
        (JSC::dataViewProtoFuncGetUint16):
        (JSC::dataViewProtoFuncGetUint32):
        (JSC::dataViewProtoFuncGetFloat32):
        (JSC::dataViewProtoFuncGetFloat64):
        (JSC::dataViewProtoFuncSetInt8):
        (JSC::dataViewProtoFuncSetInt16):
        (JSC::dataViewProtoFuncSetInt32):
        (JSC::dataViewProtoFuncSetUint8):
        (JSC::dataViewProtoFuncSetUint16):
        (JSC::dataViewProtoFuncSetUint32):
        (JSC::dataViewProtoFuncSetFloat32):
        (JSC::dataViewProtoFuncSetFloat64):
        * runtime/JSONObject.cpp: ditto.
        * runtime/ObjectConstructor.cpp: ditto.
        * runtime/StringPrototype.cpp: ditto.

2014-08-18  Saam Barati  <sbarati@apple.com>

        The parser should generate AST nodes the var declarations with no initializers
        https://bugs.webkit.org/show_bug.cgi?id=135545

        Reviewed by Geoffrey Garen.

        Currently, JSC's parser ignores variable declarations
        that have no assignment initializer value because all 
        variables are implicitly assigned to undefined. But, 
        type profiling needs an AST node to be generated for these 
        empty variable declarations because it needs to be able to 
        profile their text locations and to see that their type 
        is undefined.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::EmptyVarExpression::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createVarStatement):
        (JSC::ASTBuilder::createEmptyVarExpression):
        * parser/NodeConstructors.h:
        (JSC::EmptyVarExpression::EmptyVarExpression):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createEmptyVarExpression):

2014-08-18  Diego Pino Garcia  <dpino@igalia.com>

        Completed iterator can be revived by adding more than one new entry to the target object
        https://bugs.webkit.org/show_bug.cgi?id=129993

        Reviewed by Oliver Hunt.

        When iterator reaches end, finish iterator.

        * runtime/JSMapIterator.h:
        (JSC::JSMapIterator::finish):
        * runtime/JSSetIterator.h:
        (JSC::JSSetIterator::finish):
        * runtime/MapData.h:
        (JSC::MapData::const_iterator::finish): set index of iterator to max
        Int32.
        * runtime/MapIteratorPrototype.cpp:
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/SetIteratorPrototype.cpp:
        (JSC::SetIteratorPrototypeFuncNext):

2014-08-15  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
        https://bugs.webkit.org/show_bug.cgi?id=131596

        Unreviewed gardening to rebaseline inspector generator tests after addressing review comments.

        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:

2014-08-15  Brian J. Burg  <burg@cs.washington.edu>

        Unreviewed build fix for some GTK bots after r172655.

        Some bots use Python 2.6, which lacks the 'flags' named parameter for re.sub.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value): Do things the old-school way.

2014-08-15  Michael Saboff  <msaboff@apple.com>

        Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions
        https://bugs.webkit.org/show_bug.cgi?id=131578

        Reviewed by Geoffrey Garen.

        Renamed callToJavaScript and callToNativeFunction to vmEntryToJavaScript and vmEntryToNative,
        respectively.  Eliminated the sentinel frame and replaced it with the structure VMEntryRecord
        that appears in the "locals" area of a VM entry stack frame.  Changed the order that
        vmEntryToJavaScript and vmEntryToNative creates their stack frames to be native calling
        convention compliant.  That is to save prior frame pointer, save callee save registers, then
        allocate and populate the VMEntryRecord, and finally allocate a CallFrame for the JS function
        that vmEntryToJavaScript will invoke.  The top most vm entry frame pointer is saved in
        VM::topVMEntryFrame.  The vmEntry functions save prior contents of VM::topVMEntryFrame
        along with the VM and VM::topCallFrame in the VMEntryRecord it places on the stack.  Starting
        at VM::topCallFrame, the stack can be walked using these VMEntryRecords.

        Arbitrary stack unwinding is now handled either iteratively by loading VM::topVMEntryFrame
        into a local variable and using CallFrame::callerFrame(VMEntryFrame*&) or by using StackVisitor.
        Given that the stack is effectively a singly linked list, general stack unwinding needs to use
        one of these two methods.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Addition of VMEntryRecord.h

        * bytecode/BytecodeList.json:
        Renaming of llint helper opcodes due to renaming callToJavaScript and callToNativeFunction.

        * debugger/Debugger.cpp:
        (JSC::Debugger::stepOutOfFunction):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::didExecuteProgram):
        * jsc.cpp:
        (functionDumpCallFrame):
        * jit/JITOperations.cpp:
        Changed unwinding to use CallFrame::callerFrame(VMEntryFrame*&).

        * bytecode/CodeBlock.cpp:
        (JSC::RecursionCheckFunctor::RecursionCheckFunctor):
        (JSC::RecursionCheckFunctor::operator()):
        (JSC::RecursionCheckFunctor::didRecurse):
        (JSC::CodeBlock::noticeIncomingCall):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
        (JSC::FindCallerMidStackFunctor::operator()):
        (JSC::FindCallerMidStackFunctor::getCallerFrame):
        (JSC::DebuggerCallFrame::callerFrame):
        * interpreter/VMInspector.cpp:
        (JSC::CountFramesFunctor::CountFramesFunctor):
        (JSC::CountFramesFunctor::operator()):
        (JSC::CountFramesFunctor::count):
        (JSC::VMInspector::countFrames):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
        (JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
        (JSC::VM::throwException):
        Changed unwinding to use StackVisitor including added functor classes.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::callerFrame):
        Added new flavor of callerFrame() that can iteratively unwind the stack.

        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame): Changed callerFrame() to use private common helper.
        (JSC::ExecState::callerFrameOrVMEntryFrame): Deleted.
        (JSC::ExecState::isVMEntrySentinel): Deleted.
        (JSC::ExecState::vmEntrySentinelCallerFrame): Deleted.
        (JSC::ExecState::initializeVMEntrySentinelFrame): Deleted.
        (JSC::ExecState::callerFrameSkippingVMEntrySentinel): Deleted.
        (JSC::ExecState::vmEntrySentinelCodeBlock): Deleted.

        * interpreter/CallFrame.h:
        (JSC::ExecState::init):
        (JSC::ExecState::topOfFrame):
        (JSC::ExecState::currentVPC):
        (JSC::ExecState::setCurrentVPC):
        Eliminated unneded checking of sentinel frame.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::getStackTrace): Updated for unwidning changes.
        (JSC::Interpreter::unwind): Eliminated unneeded sentinel frame check.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITStubs.h:
        * llint/LLIntThunks.cpp:
        (JSC::callToJavaScript): Deleted.
        (JSC::callToNativetion): Deleted.
        (JSC::vmEntryToJavaScript):
        (JSC::vmEntryToNative):
        * llint/LLIntThunks.h:
        Updated for vmEntryToJavaScript and vmEntryToNative name changes.

        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        Eliminated unneeded sentinel frame check.

        * interpreter/Interpreter.h:
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        Removed sentinel specific constructor.

        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::StackVisitor):
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::readInlinedFrame):
        (JSC::StackVisitor::Frame::print):
        * interpreter/StackVisitor.h:
        (JSC::StackVisitor::Frame::callerIsVMEntry):
        Changes for unwinding using CallFrame::callerFrame(VMEntryFrame*&).  Also added field that
        indicates when about to step over a VM entry frame.

        * interpreter/VMEntryRecord.h: Added.
        (JSC::VMEntryRecord::prevTopCallFrame):
        (JSC::VMEntryRecord::prevTopVMEntryFrame):
        New struct to record prior state of VM's notion of VM entry and top call frames.

        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        Use new vmEntryToJavaScript and vmEntryToNative name.

        * llint/LLIntOffsetsExtractor.cpp: Added include for VMEntryRecord.h.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        Offline assembly implementation of creating stack frame with VMEntryRecord and well as restoring 
        relevent VM fields when exiting the VM.  Added a helper that returns a VMEntryRecord given
        a pointer to the VM entry frame.

        * llint/LLIntThunks.cpp:
        (JSC::vmEntryRecord):
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        C Loop changes to mirror the assembly changes.

        * runtime/VM.h:
        Added topVMEntryFrame field.

2014-08-15  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
        https://bugs.webkit.org/show_bug.cgi?id=131596

        Reviewed by Joseph Pecoraro.

        Replace CodeGeneratorInspector.py with generate-inspector-protocol-bindings.py.
        The new generator decouples parsing and typechecking a model of the protocol from
        code generation. Each generated file is created by a different subclass of Generator.
        Helper methods to compute various type signatures are shared among generators.

        This patch introduces a test harness and a test suite that covers all functionality.

        Aside from hooking up the new inspector bindings generator to the build system,
        there are a few comingled changes that would be painful to split from the main
        patch:

        Convert protocol enumeration types from struct-namespaced enums to C++ scoped enums.

        Move all runtimeCast(), assertValueHasExpectedType(), and RuntimeCastHelper methods to static
        methods of BindingTraits specializations.

        Together, these changes reduce duplication and make it possible to forward-declare
        all protocol enum and object types, reducing weird ordering dependencies between domains.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add inspector scripts to solution filters.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/ConsoleMessage.cpp: Convert to scoped enums.
        (Inspector::messageSourceValue):
        (Inspector::messageTypeValue):
        (Inspector::messageLevelValue):
        * inspector/InjectedScript.cpp: Convert to scoped enums and BindingTraits.
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::wrapCallFrames):
        (Inspector::InjectedScript::wrapObject):
        (Inspector::InjectedScript::wrapTable):
        * inspector/InjectedScriptBase.cpp: Convert InspectorValue::Type to a scoped enum.
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorTypeBuilder.h:
        (Inspector::TypeBuilder::Array::create):
        (Inspector::TypeBuilder::StructItemTraits::pushRefPtr):
        (Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::pushRaw):
        (Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::pushRaw):
        (Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::pushRaw):
        (Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::pushRaw):
        (Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr):
        (Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr):
        (Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr):
        (Inspector::TypeBuilder::PrimitiveBindingTraits::assertValueHasExpectedType):
        (Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::runtimeCast):
        (Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::assertValueHasExpectedType):
        (Inspector::TypeBuilder::BindingTraits<InspectorValue>::assertValueHasExpectedType):
        (Inspector::TypeBuilder::BindingTraits<int>::assertValueHasExpectedType):
        (Inspector::TypeBuilder::ExactlyInt::ExactlyInt): Deleted. It was not used.
        (Inspector::TypeBuilder::ExactlyInt::operator int): Deleted.
        (Inspector::TypeBuilder::ExactlyInt::cast_to_int): Deleted.
        (Inspector::TypeBuilder::ExactlyInt::cast_to_int<int>): Deleted.
        (Inspector::TypeBuilder::int>): Deleted.
        (Inspector::TypeBuilder::RuntimeCastHelper::assertType): Deleted.
        (Inspector::TypeBuilder::RuntimeCastHelper::assertAny): Deleted.
        (Inspector::TypeBuilder::RuntimeCastHelper::assertInt): Deleted.
        (Inspector::TypeBuilder::Array::runtimeCast): Deleted.
        (Inspector::TypeBuilder::Array::assertCorrectValue): Deleted.
        (Inspector::TypeBuilder::StructItemTraits::assertCorrectValue): Deleted.
        (Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::assertCorrectValue): Deleted.
        (Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::assertCorrectValue): Deleted.
        (Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::assertCorrectValue): Deleted.
        (Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::assertCorrectValue): Deleted.
        (Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::assertCorrectValue): Deleted.
        (Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::assertCorrectValue): Deleted.
        (Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::assertCorrectValue): Deleted.
        (Inspector::TypeBuilder::ArrayItemHelper<TypeBuilder::Array<T>>::Traits::assertCorrectValue): Deleted.

        * inspector/InspectorValues.cpp: Convert InspectorValue::Type to a scoped enum.
        (Inspector::InspectorValue::writeJSON):
        (Inspector::InspectorBasicValue::asBoolean):
        (Inspector::InspectorBasicValue::asNumber):
        (Inspector::InspectorBasicValue::writeJSON):
        (Inspector::InspectorString::writeJSON):
        (Inspector::InspectorObjectBase::InspectorObjectBase):
        (Inspector::InspectorObjectBase::setArray): Take InspectorArrayBase.
        (Inspector::InspectorObjectBase::setObject): Take InspectorObjectBase.
        (Inspector::InspectorArrayBase::InspectorArrayBase):
        * inspector/InspectorValues.h:

        * inspector/agents/InspectorDebuggerAgent.cpp: Convert to scoped enums.
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::parse):
        * inspector/agents/InspectorRuntimeAgent.h:

        * inspector/scripts/CodeGeneratorInspector.py: Removed.
        * inspector/scripts/codegen/__init__.py: Added.
        * inspector/scripts/codegen/generate_backend_commands.py: Added.
        (BackendCommandsGenerator):
        (BackendCommandsGenerator.__init__):
        (BackendCommandsGenerator.model):
        (BackendCommandsGenerator.output_filename):
        (BackendCommandsGenerator.generate_license):
        (BackendCommandsGenerator.generate_output):
        (BackendCommandsGenerator.generate_domain):
        (BackendCommandsGenerator.generate_domain.is_anonymous_enum_member):
        (BackendCommandsGenerator.generate_domain.generate_parameter_object):
        * inspector/scripts/codegen/generate_backend_dispatcher_header.py: Added.
        (BackendDispatcherHeaderGenerator):
        (BackendDispatcherHeaderGenerator.__init__):
        (BackendDispatcherHeaderGenerator.model):
        (BackendDispatcherHeaderGenerator.output_filename):
        (BackendDispatcherHeaderGenerator.generate_license):
        (BackendDispatcherHeaderGenerator.generate_output):
        (BackendDispatcherHeaderGenerator.generate_output.for):
        (BackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
        (BackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
        (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
        (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
        (BackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        (BackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py: Added.
        (BackendDispatcherImplementationGenerator):
        (BackendDispatcherImplementationGenerator.__init__):
        (BackendDispatcherImplementationGenerator.model):
        (BackendDispatcherImplementationGenerator.output_filename):
        (BackendDispatcherImplementationGenerator.generate_license):
        (BackendDispatcherImplementationGenerator.generate_output):
        (BackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
        (BackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
        (BackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
        (BackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
        (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
        (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_frontend_dispatcher_header.py: Added.
        (FrontendDispatcherHeaderGenerator):
        (FrontendDispatcherHeaderGenerator.__init__):
        (FrontendDispatcherHeaderGenerator.model):
        (FrontendDispatcherHeaderGenerator.output_filename):
        (FrontendDispatcherHeaderGenerator.generate_license):
        (FrontendDispatcherHeaderGenerator.generate_output):
        (FrontendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
        (FrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
        (FrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
        * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py: Added.
        (FrontendDispatcherImplementationGenerator):
        (FrontendDispatcherImplementationGenerator.__init__):
        (FrontendDispatcherImplementationGenerator.model):
        (FrontendDispatcherImplementationGenerator.output_filename):
        (FrontendDispatcherImplementationGenerator.generate_license):
        (FrontendDispatcherImplementationGenerator.generate_output):
        (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
        (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_type_builder_header.py: Added.
        (TypeBuilderHeaderGenerator):
        (TypeBuilderHeaderGenerator.__init__):
        (TypeBuilderHeaderGenerator.model):
        (TypeBuilderHeaderGenerator.output_filename):
        (TypeBuilderHeaderGenerator.generate_license):
        (TypeBuilderHeaderGenerator.generate_output):
        (TypeBuilderHeaderGenerator._generate_forward_declarations):
        (_generate_typedefs):
        (_generate_typedefs_for_domain):
        (_generate_builders_for_domain):
        (_generate_class_for_object_declaration):
        (_generate_struct_for_enum_declaration):
        (_generate_struct_for_anonymous_enum_member):
        (_generate_struct_for_anonymous_enum_member.apply_indentation):
        (_generate_struct_for_enum_type):
        (_generate_builder_state_enum):
        (_generate_builder_setter_for_member):
        (_generate_unchecked_setter_for_member):
        (_generate_forward_declarations_for_binding_traits):
        * inspector/scripts/codegen/generate_type_builder_implementation.py: Added.
        (TypeBuilderImplementationGenerator):
        (TypeBuilderImplementationGenerator.__init__):
        (TypeBuilderImplementationGenerator.model):
        (TypeBuilderImplementationGenerator.output_filename):
        (TypeBuilderImplementationGenerator.generate_license):
        (TypeBuilderImplementationGenerator.generate_output):
        (TypeBuilderImplementationGenerator._generate_enum_mapping):
        (TypeBuilderImplementationGenerator._generate_open_field_names):
        (TypeBuilderImplementationGenerator._generate_builders_for_domain):
        (TypeBuilderImplementationGenerator._generate_runtime_cast_for_object_declaration):
        (TypeBuilderImplementationGenerator._generate_assertion_for_object_declaration):
        (TypeBuilderImplementationGenerator._generate_assertion_for_enum):
        * inspector/scripts/codegen/generator.py: Added.
        (ucfirst):
        (Generator):
        (Generator.__init__):
        (Generator.model):
        (Generator.generate_license):
        (Generator.domains_to_generate):
        (Generator.generate_output):
        (Generator.output_filename):
        (Generator.encoding_for_enum_value):
        (Generator.assigned_enum_values):
        (Generator.type_needs_runtime_casts):
        (Generator.type_has_open_fields):
        (Generator.type_needs_shape_assertions):
        (Generator.calculate_types_requiring_shape_assertions):
        (Generator.calculate_types_requiring_shape_assertions.gather_transitively_referenced_types):
        (Generator._traverse_and_assign_enum_values):
        (Generator._assign_encoding_for_enum_value):
        (Generator.wrap_with_guard_for_domain):
        (Generator.stylized_name_for_enum_value):
        (Generator.stylized_name_for_enum_value.replaceCallback):
        (Generator.keyed_get_method_for_type):
        (Generator.keyed_set_method_for_type):
        (Generator.type_builder_string_for_type):
        (Generator.type_builder_string_for_type_member):
        (Generator.type_string_for_unchecked_formal_in_parameter):
        (Generator.type_string_for_checked_formal_event_parameter):
        (Generator.type_string_for_type_member):
        (Generator.type_string_for_type_with_name):
        (Generator.type_string_for_formal_out_parameter):
        (Generator.type_string_for_formal_async_parameter):
        (Generator.type_string_for_stack_in_parameter):
        (Generator.type_string_for_stack_out_parameter):
        (Generator.assertion_method_for_type_member):
        (Generator.assertion_method_for_type_member.assertion_method_for_type):
        (Generator.cpp_name_for_primitive_type):
        (Generator.js_name_for_parameter_type):
        (Generator.should_use_wrapper_for_return_type):
        (Generator.should_pass_by_copy_for_return_type):
        * inspector/scripts/codegen/generator_templates.py: Added.
        (GeneratorTemplates):
        (void):
        (HashMap):
        (Builder):
        (Inspector):
        * inspector/scripts/codegen/models.py: Added.
        (ucfirst):
        (ParseException):
        (TypecheckException):
        (Framework):
        (Framework.__init__):
        (Framework.setting):
        (Framework.fromString):
        (Frameworks):
        (TypeReference):
        (TypeReference.__init__):
        (TypeReference.referenced_name):
        (Type):
        (Type.__init__):
        (Type.__eq__):
        (Type.__hash__):
        (Type.raw_name):
        (Type.is_enum):
        (Type.type_domain):
        (Type.qualified_name):
        (Type.resolve_type_references):
        (PrimitiveType):
        (PrimitiveType.__init__):
        (PrimitiveType.__repr__):
        (PrimitiveType.type_domain):
        (PrimitiveType.qualified_name):
        (AliasedType):
        (AliasedType.__init__):
        (AliasedType.__repr__):
        (AliasedType.is_enum):
        (AliasedType.type_domain):
        (AliasedType.qualified_name):
        (AliasedType.resolve_type_references):
        (EnumType):
        (EnumType.__init__):
        (EnumType.__repr__):
        (EnumType.is_enum):
        (EnumType.type_domain):
        (EnumType.enum_values):
        (EnumType.qualified_name):
        (EnumType.resolve_type_references):
        (ArrayType):
        (ArrayType.__init__):
        (ArrayType.__repr__):
        (ArrayType.type_domain):
        (ArrayType.qualified_name):
        (ArrayType.resolve_type_references):
        (ObjectType):
        (ObjectType.__init__):
        (ObjectType.__repr__):
        (ObjectType.type_domain):
        (ObjectType.qualified_name):
        (check_for_required_properties):
        (Protocol):
        (Protocol.__init__):
        (Protocol.parse_specification):
        (Protocol.parse_domain):
        (Protocol.parse_type_declaration):
        (Protocol.parse_type_member):
        (Protocol.parse_command):
        (Protocol.parse_event):
        (Protocol.parse_call_or_return_parameter):
        (Protocol.resolve_types):
        (Protocol.lookup_type_for_declaration):
        (Protocol.lookup_type_reference):
        (Domain):
        (Domain.__init__):
        (Domain.resolve_type_references):
        (Domains):
        (TypeDeclaration):
        (TypeDeclaration.__init__):
        (TypeDeclaration.resolve_type_references):
        (TypeMember):
        (TypeMember.__init__):
        (TypeMember.resolve_type_references):
        (Parameter):
        (Parameter.__init__):
        (Parameter.resolve_type_references):
        (Command):
        (Command.__init__):
        (Command.resolve_type_references):
        (Event):
        (Event.__init__):
        (Event.resolve_type_references):
        * inspector/scripts/generate-inspector-protocol-bindings.py: Added.
        (IncrementalFileWriter):
        (IncrementalFileWriter.__init__):
        (IncrementalFileWriter.write):
        (IncrementalFileWriter.close):
        (generate_from_specification):
        (generate_from_specification.load_specification):
        * inspector/scripts/tests/commands-with-async-attribute.json: Added.
        * inspector/scripts/tests/commands-with-optional-call-return-parameters.json: Added.
        * inspector/scripts/tests/domains-with-varying-command-sizes.json: Added.
        * inspector/scripts/tests/events-with-optional-parameters.json: Added.
        * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: Added.
        * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: Added.
        * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: Added.
        * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: Added.
        * inspector/scripts/tests/fail-on-duplicate-type-declarations.json-error: Added.
        * inspector/scripts/tests/fail-on-enum-with-no-values.json-error: Added.
        * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json-error: Added.
        * inspector/scripts/tests/fail-on-type-with-lowercase-name.json-error: Added.
        * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json-error: Added.
        * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json-error: Added.
        * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: Added.
        * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: Added.
        * inspector/scripts/tests/expected/type-declaration-array-type.json-result: Added.
        * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: Added.
        * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Added.
        * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Added.
        * inspector/scripts/tests/fail-on-duplicate-type-declarations.json: Added.
        * inspector/scripts/tests/fail-on-enum-with-no-values.json: Added.
        * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json: Added.
        * inspector/scripts/tests/fail-on-type-with-lowercase-name.json: Added.
        * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json: Added.
        * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json: Added.
        * inspector/scripts/tests/same-type-id-different-domain.json: Added.
        * inspector/scripts/tests/type-declaration-aliased-primitive-type.json: Added.
        * inspector/scripts/tests/type-declaration-array-type.json: Added.
        * inspector/scripts/tests/type-declaration-enum-type.json: Added.
        * inspector/scripts/tests/type-declaration-object-type.json: Added.
        * inspector/scripts/tests/type-requiring-runtime-casts.json: Added.

2014-08-15  Matthew Mirman  <mmirman@apple.com>

        Made native inlining errors not segfault. 
        https://bugs.webkit.org/show_bug.cgi?id=135988
        
        Reviewed by Geoffrey Garen.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::disposeMessage): Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compilePutById): 
        abstracted out Options::verboseCompilation as was the case in the rest of the file.
        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): 
        added output error messages for llvm module loading.

2014-08-14  Andreas Kling  <akling@apple.com>

        Allocate the whole RegExpMatchesArray backing store up front.
        <https://webkit.org/b/135217>

        We were using the generic array backing store allocation path for
        RegExpMatchesArray which meant starting with 4 slots and then growing
        it dynamically as we append. Since we always know the final number of
        entries up front, allocate a perfectly-sized backing store right away.

        ~2% progression on Octane/regexp.

        Reviewed by Geoffrey Garen.

        * runtime/JSArray.h:
        (JSC::createArrayButterflyWithExactLength):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::create):

2014-08-14  Saam Barati  <sbarati@apple.com>

        Allow high fidelity type profiling to be enabled and disabled.
        https://bugs.webkit.org/show_bug.cgi?id=135423

        Reviewed by Geoffrey Garen.

        - Merged op_put_to_scope_with_profile and op_get_from_scope_with_profile into
          op_profile_types_with_high_fidelity by adding extra arguments to the opcode.
        - Altered SymbolTable to use less memory by adding a rare data structure for 
          type profiling.
        - Created an interface to turn on and off type profiling from the Web
          Inspector.
        - Refactored how entries are written to HighFidelityLog to make it
          easier to inline when generating machine code.
        - Implemented op_profile_types_with_high_fidelity in the baseline JIT
          by inlining the process of writing to the log and doing a small amount
          of type inference optimizations.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::scopeDependentProfile): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/TypeLocation.h:
        (JSC::TypeLocation::TypeLocation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
        (JSC::BytecodeGenerator::emitGetFromScopeWithProfile): Deleted.
        (JSC::BytecodeGenerator::emitPutToScopeWithProfile): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThisNode::emitBytecode):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::TypeRecompiler::operator()):
        (Inspector::recompileAllJSFunctionsForTypeProfiling):
        (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling):
        (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling):
        (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
        (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
        * inspector/protocol/Runtime.json:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_profile_types_with_high_fidelity):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_profile_types_with_high_fidelity):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::getFromScopeCommon): Deleted.
        (JSC::LLInt::putToScopeCommon): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/HighFidelityLog.cpp:
        (JSC::HighFidelityLog::initializeHighFidelityLog):
        (JSC::HighFidelityLog::~HighFidelityLog):
        (JSC::HighFidelityLog::processHighFidelityLog):
        * runtime/HighFidelityLog.h:
        (JSC::HighFidelityLog::LogEntry::structureIDOffset):
        (JSC::HighFidelityLog::LogEntry::valueOffset):
        (JSC::HighFidelityLog::LogEntry::locationOffset):
        (JSC::HighFidelityLog::recordTypeInformationForLocation):
        (JSC::HighFidelityLog::logEndPtr):
        (JSC::HighFidelityLog::logStartOffset):
        (JSC::HighFidelityLog::currentLogEntryOffset):
        * runtime/HighFidelityTypeProfiler.cpp:
        (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
        (JSC::descriptorMatchesTypeLocation):
        * runtime/HighFidelityTypeProfiler.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::cloneCapturedNames):
        (JSC::SymbolTable::prepareForHighFidelityTypeProfiling):
        (JSC::SymbolTable::uniqueIDForVariable):
        (JSC::SymbolTable::uniqueIDForRegister):
        (JSC::SymbolTable::globalTypeSetForRegister):
        (JSC::SymbolTable::globalTypeSetForVariable):
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::add):
        (JSC::SymbolTable::set):
        * runtime/TypeLocationCache.cpp:
        (JSC::TypeLocationCache::getTypeLocation):
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::getRuntimeTypeForValue):
        (JSC::TypeSet::addTypeInformation):
        (JSC::TypeSet::allPrimitiveTypeNames):
        (JSC::TypeSet::addTypeForValue): Deleted.
        * runtime/TypeSet.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::nextTypeLocation):
        (JSC::VM::enableHighFidelityTypeProfiling):
        (JSC::VM::disableHighFidelityTypeProfiling):
        (JSC::VM::dumpHighFidelityProfilingTypes):
        * runtime/VM.h:
        (JSC::VM::nextLocation): Deleted.

2014-08-14  Oliver Hunt  <oliver@apple.com>

        Update scope resolution to assume that the parent activation is always there
        https://bugs.webkit.org/show_bug.cgi?id=135947

        Reviewed by Andreas Kling.

        Another incremental step in removing the idea of lazily created
        activations.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitResolveClosure):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitResolveClosure):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-08-14  Oliver Hunt  <oliver@apple.com>

        Create activations eagerly
        https://bugs.webkit.org/show_bug.cgi?id=135942

        Reviewed by Geoffrey Garen.

        Prepare to rewrite activation objects into a more
        sane implementation. Step 1 is reverting to eager
        creation of the activation object. This results in
        a 1.35x regression in earley, but otherwise has a
        minimal performance impact.

        The earley regression is being tracked by bug #135943

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        (JSC::BytecodeGenerator::emitNewFunctionExpression):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_activation):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_activation):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-08-14  Oliver Hunt  <oliver@apple.com>

        Create activations eagerly
        https://bugs.webkit.org/show_bug.cgi?id=135942

        Reviewed by Geoffrey Garen.

        Prepare to rewrite activation objects into a more
        sane implementation. Step 1 is reverting to eager
        creation of the activation object. This results in
        a 1.35x regression in earley, but otherwise has a
        minimal performance impact.

        The earley regression is being tracked by 
        http://webkit.org/b/135943

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitNewFunctionInternal):
        (JSC::BytecodeGenerator::emitNewFunctionExpression):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::emitPushWithScope):
        (JSC::BytecodeGenerator::emitPushCatchScope):
        (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_activation):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_activation):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-08-14  Tomas Popela  <tpopela@redhat.com>

        Add support for ppc, ppc64, ppc64le, s390, s390x into the CMake build
        https://bugs.webkit.org/show_bug.cgi?id=135937

        Reviewed by Carlos Garcia Campos.

        * CMakeLists.txt:

2014-08-14  Akos Kiss  <akiss@inf.u-szeged.hu>

        Fix JSC::ARM64Assembler::LinkRecord::RealTypes
        https://bugs.webkit.org/show_bug.cgi?id=135906

        Reviewed by Michael Saboff.

        JSC::ARM64Assembler::LinkRecord::RealTypes::m_compareRegister is defined
        to occupy 5 bits but JSC::ARM64Assembler::RegisterID needs 6 bits. So,
        increase the size of the bit field and also reorganize the struct to 
        better align with word boundaries.

        * assembler/ARM64Assembler.h:

2014-08-13  Akos Kiss  <akiss@inf.u-szeged.hu>

        Add ARM64 support to CMake-based builds
        https://bugs.webkit.org/show_bug.cgi?id=135912

        Reviewed by Gyuyoung Kim.

        This patch ensures that CMake does not fail with Unknown CPU error when
        building for ARM64.

        * CMakeLists.txt:

2014-08-13  Wenson Hsieh  <wenson_hsieh@apple.com>

        Enable CSS_SCROLL_SNAP for iOS
        https://bugs.webkit.org/show_bug.cgi?id=135915

        Turn on CSS_SCROLL_SNAP for iOS and the iOS simulator.

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2014-08-13  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=135819

        Reviewed by Laszlo Gombos.

        * CMakeLists.txt:
        Add the remote inspector headers to the forwarding headers list.

2014-08-13  Daniel Bates  <dabates@apple.com>

        [iOS] Make JavaScriptCore and bmalloc build with the public SDK
        https://bugs.webkit.org/show_bug.cgi?id=135848

        Reviewed by Geoffrey Garen.

        * API/JSBase.h: Declare NSMap functions with external linkage when building for iOS without the
        header <Foundation/NSMapTablePriv.h>.
        * inspector/remote/RemoteInspector.mm: Define XPC functions with external linkage when building
        without the system header <xpc/xpc.h>.
        * inspector/remote/RemoteInspectorXPCConnection.h: Define xpc_connection_t and xpc_object_t when building
        without the system header <xpc/xpc.h>.
        * inspector/remote/RemoteInspectorXPCConnection.mm: Declare XPC functions with external linkage when
        building without without the system header <xpc/xpc.h>.
        (Inspector::RemoteInspectorXPCConnection::closeOnQueue): Fix code style; use nullptr instead of NULL.
        (Inspector::RemoteInspectorXPCConnection::sendMessage): Ditto.

2014-08-12  Peyton Randolph  <prandolph@apple.com>

        Runtime switch for long mouse press gesture. Part of 135257 - Add long mouse press gesture.
        https://bugs.webkit.org/show_bug.cgi?id=135682

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:
        Remove ENABLE_LONG_MOUSE_PRESS feature flag.

2014-08-12  Alex Christensen  <achristensen@webkit.org>

        Generate header detection headers for CMake on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135807

        Reviewed by Brent Fulgham.

        * CMakeLists.txt:
        Include the derived sources directory to find WTF/WTFHeaderDetection.h.

2014-08-11  Andy Estes  <aestes@apple.com>

        [iOS] Get rid of iOS.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=135809

        Reviewed by Joseph Pecoraro.

        All iOS.xcconfig did was include AspenFamily.xcconfig, so there's no need for the indirection.

        * Configurations/Base.xcconfig:
        * Configurations/iOS.xcconfig: Removed.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-11  Michael Saboff  <msaboff@apple.com>

        Eliminate {push,pop}CalleeSaves in favor of individual pushes & pops
        https://bugs.webkit.org/show_bug.cgi?id=127155

        Reviewed by Geoffrey Garen.

        Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the
        ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop
        instructions. Where the registers referenced by the added push and pop instructions
        are not part of the offline assembler register aliases, used a newly added "emit"
        offline assembler instruction which takes a string literal and outputs that
        string as a native instruction.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/ast.rb:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:
        * offlineasm/parser.rb:
        * offlineasm/sh4.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:

2014-08-11  Mark Lam  <mark.lam@apple.com>

        Re-landing r172401 with fixed test.
        <https://webkit.org/b/135782>

        Not reviewed.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::ForInContext::base):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * tests/stress/for-in-tests.js:

2014-08-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172401.
        https://bugs.webkit.org/show_bug.cgi?id=135812

        Failing stress/for-in-tests.js
        http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/7945/steps
        /jscore-test/logs/stdio (Requested by mlam on #webkit).

        Reverted changeset:

        "for-in optimization should also make sure the base matches
        the object being iterated"
        https://bugs.webkit.org/show_bug.cgi?id=135782
        http://trac.webkit.org/changeset/172401

2014-08-11  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: use type builders to construct high fidelity type information payloads
        https://bugs.webkit.org/show_bug.cgi?id=135803

        Reviewed by Timothy Hatcher.

        Due to some typos in the protocol file, the code had worked with raw objects
        rather than with type builders. Convert to using builders.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json: Fix 'item' for 'items'; true for 'true'.
        * runtime/HighFidelityTypeProfiler.cpp:
        (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
        * runtime/HighFidelityTypeProfiler.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::stringRepresentation):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        for-in optimization should also make sure the base matches the object being iterated
        https://bugs.webkit.org/show_bug.cgi?id=135782

        Reviewed by Geoffrey Garen.

        If we access a different base object with the same index, we shouldn't try to randomly 
        load from that object's backing store.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::ForInContext::base):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * tests/stress/for-in-tests.js:

2014-08-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Display files in
        proper folder categories..

2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        JIT should use full 64-bit stores for jsBoolean and jsNull
        https://bugs.webkit.org/show_bug.cgi?id=135784

        Reviewed by Michael Saboff.

        This guarantees that we set the high bits of the register with the correct tag.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_structure_property):
        (JSC::JIT::emit_op_next_enumerator_pname):

2014-08-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] Adjust build script for Windows production build.
        https://bugs.webkit.org/show_bug.cgi?id=135806
        <rdar://problem/17978299>

        Reviewed by Timothy Hatcher.

        * JavaScriptCore.vcxproj/copy-files.cmd: Copy file for later use
        in WebInspectorUI build.

2014-08-10  Oliver Hunt  <oliver@apple.com>

        Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers
        https://bugs.webkit.org/show_bug.cgi?id=135773

        Reviewed by Michael Saboff.

        We should be using parseAssignment expression in order to get the correct
        precedence.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):

2014-08-10  Diego Pino Garcia  <dpino@igalia.com>

        JSC Lexer is allowing octals 08 and 09 in strict mode functions
        https://bugs.webkit.org/show_bug.cgi?id=135704

        Reviewed by Oliver Hunt.

        Return syntax error ("Decimal integer literals with a leading zero are
        forbidden in strict mode") if a number starts with 0 and is followed 
        by a digit.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):

2014-08-08  Mark Lam  <mark.lam@apple.com>

        REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen().
        <https://webkit.org/b/135656>

        Not reviewed.

        Rolling out r170680 which was merged to ToT in r172129.

        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::evaluate):
        (JSC::DebuggerCallFrame::invalidate):
        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::DebuggerScope):
        (JSC::DebuggerScope::finishCreation):
        (JSC::DebuggerScope::visitChildren):
        (JSC::DebuggerScope::className):
        (JSC::DebuggerScope::getOwnPropertySlot):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        (JSC::DebuggerScope::next): Deleted.
        (JSC::DebuggerScope::invalidateChain): Deleted.
        (JSC::DebuggerScope::isWithScope): Deleted.
        (JSC::DebuggerScope::isGlobalScope): Deleted.
        (JSC::DebuggerScope::isFunctionScope): Deleted.
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::Iterator::Iterator): Deleted.
        (JSC::DebuggerScope::Iterator::get): Deleted.
        (JSC::DebuggerScope::Iterator::operator++): Deleted.
        (JSC::DebuggerScope::Iterator::operator==): Deleted.
        (JSC::DebuggerScope::Iterator::operator!=): Deleted.
        (JSC::DebuggerScope::isValid): Deleted.
        (JSC::DebuggerScope::jsScope): Deleted.
        (JSC::DebuggerScope::begin): Deleted.
        (JSC::DebuggerScope::end): Deleted.
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeType):
        (Inspector::JSJavaScriptCallFrame::scopeChain):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::scopeChain):
        * inspector/ScriptDebugServer.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::debuggerScopeStructure): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::isWithScope): Deleted.
        * runtime/JSScope.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-08-07  Saam Barati  <sbarati@apple.com>

        Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
        https://bugs.webkit.org/show_bug.cgi?id=135358

        Reviewed by Geoffrey Garen.

        When VMEntryScope is destroyed, and it has a flag set indicating that the
        Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
        This flag is only used by Debugger to have VMEntryScope notify it when the
        Debugger is safe to recompile all functions. This patch will substitute this
        Debugger-specific recompilation flag with a list of callbacks that are notified 
        when the outermost VMEntryScope dies. This creates a general purpose interface 
        for being notified when the VM stops executing code via the event of the outermost 
        VMEntryScope dying.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::setEntryScopeDidPopListener):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded): Deleted.

2014-08-07  Benjamin Poulain  <bpoulain@apple.com>

        Get rid of SCRIPTED_SPEECH
        https://bugs.webkit.org/show_bug.cgi?id=135729

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
        https://bugs.webkit.org/show_bug.cgi?id=135722

        Reviewed by Filip Pizlo.

        We should be using SpeculateStrictInt32Operand instead.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-08-07  Benjamin Poulain  <bpoulain@apple.com>

        Get rid of INPUT_SPEECH
        https://bugs.webkit.org/show_bug.cgi?id=135672

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:

2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
        https://bugs.webkit.org/show_bug.cgi?id=135681

        Reviewed by Filip Pizlo.

        * runtime/Structure.cpp:
        (JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire 
        prototype chain for overridesGetPropertyNames, but we were neglecting to check the 
        base object's Structure. D'oh!

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        Not reviewed.

        * runtime/EnumerationMode.h:
        (JSC::shouldIncludeJSObjectPropertyNames):
        (JSC::modeThatSkipsJSObject):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getEnumerableLength):
        * runtime/JSCell.h:

2014-08-06  Dean Jackson  <dino@apple.com>

        ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
        https://bugs.webkit.org/show_bug.cgi?id=135675

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2014-08-06  Wenson Hsieh  <wenson_hsieh@apple.com>

        Implement parsing for CSS scroll snap points
        https://bugs.webkit.org/show_bug.cgi?id=134301

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on GTK bots.

        Not reviewed.

        * runtime/FunctionHasExecutedCache.cpp:
        - #include <limits.h> for UINT_MAX's definition.

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        Not reviewed.

        * jit/JITInlines.h:
        (JSC::JIT::emitLoadForArrayMode):

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from the FTLOPT merge at r172176.

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt since r172184

        * CMakeLists.txt: Removed TypeLocation.cpp

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r171510.
        <https://webkit.org/b/134860>

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r170490.
        <https://webkit.org/b/133395>

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Silence a debug assertion.

        Reviewed by Mark Hahnenberg.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::JSPropertyNameEnumerator::cachedStructure):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit build.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.

    2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Support for-in in the FTL
            https://bugs.webkit.org/show_bug.cgi?id=134140
    
            Reviewed by Filip Pizlo.
    
            * dfg/DFGSSALoweringPhase.cpp:
            (JSC::DFG::SSALoweringPhase::handleNode):
            * ftl/FTLAbstractHeapRepository.cpp:
            * ftl/FTLAbstractHeapRepository.h:
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
            (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
            (JSC::FTL::LowerDFGToLLVM::compileToIndexString):
    
    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Remove JSPropertyNameIterator
            https://bugs.webkit.org/show_bug.cgi?id=135066
    
            Reviewed by Geoffrey Garen.
    
            It has been replaced by JSPropertyNameEnumerator.
    
            * JavaScriptCore.order:
            * bytecode/BytecodeBasicBlock.cpp:
            (JSC::isBranch):
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            * bytecode/PreciseJumpTargets.cpp:
            (JSC::getJumpTargetsForBytecodeOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
            (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
            * bytecompiler/BytecodeGenerator.h:
            * interpreter/Interpreter.cpp:
            * interpreter/Register.h:
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOperations.cpp:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * llint/LLIntOffsetsExtractor.cpp:
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            * runtime/JSPropertyNameIterator.cpp:
            (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
            (JSC::JSPropertyNameIterator::create): Deleted.
            (JSC::JSPropertyNameIterator::destroy): Deleted.
            (JSC::JSPropertyNameIterator::get): Deleted.
            (JSC::JSPropertyNameIterator::visitChildren): Deleted.
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure): Deleted.
            (JSC::JSPropertyNameIterator::size): Deleted.
            (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::finishCreation): Deleted.
            (JSC::Register::propertyNameIterator): Deleted.
            (JSC::StructureRareData::enumerationCache): Deleted.
            (JSC::StructureRareData::setEnumerationCache): Deleted.
            * runtime/Structure.cpp:
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::removePropertyWithoutTransition):
            * runtime/Structure.h:
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache): Deleted.
            (JSC::Structure::enumerationCache): Deleted.
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            * runtime/StructureRareData.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):
    
    2014-07-25  Saam Barati  <sbarati@apple.com>
    
            Fix 32-bit build breakage for type profiling
            https://bugs.webkit.org/process_bug.cgi
    
            Reviewed by Mark Hahnenberg.
    
            32-bit builds currently break because global variable IDs for high
            fidelity type profiling are int64_t. Change this to intptr_t so that
            it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.
    
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/TypeLocation.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            * runtime/SymbolTable.h:
            * runtime/TypeLocationCache.cpp:
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h:
            * runtime/VM.h:
            (JSC::VM::getNextUniqueVariableID):
    
    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Reindent PropertyNameArray.h
            https://bugs.webkit.org/show_bug.cgi?id=135067
    
            Reviewed by Geoffrey Garen.
    
            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArrayData::create):
            (JSC::PropertyNameArrayData::propertyNameVector):
            (JSC::PropertyNameArrayData::PropertyNameArrayData):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::vm):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::operator[]):
            (JSC::PropertyNameArray::setData):
            (JSC::PropertyNameArray::data):
            (JSC::PropertyNameArray::releaseData):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::size):
            (JSC::PropertyNameArray::begin):
            (JSC::PropertyNameArray::end):
            (JSC::PropertyNameArray::numCacheableSlots):
            (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
            (JSC::PropertyNameArray::setBaseObject):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
    
    2014-07-23  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Refactor our current implementation of for-in
            https://bugs.webkit.org/show_bug.cgi?id=134142
    
            Reviewed by Filip Pizlo.
    
            This patch splits for-in loops into three distinct parts:
    
            - Iterating over the indexed properties in the base object.
            - Iterating over the Structure properties in the base object.
            - Iterating over any other enumerable properties for that object and any objects in the prototype chain.
     
            It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to 
            support the various operations required for each loop.
    
            * API/JSCallbackObjectFunctions.h:
            (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetByVal):
            (JSC::BytecodeGenerator::emitComplexPopScopes):
            (JSC::BytecodeGenerator::emitGetEnumerableLength):
            (JSC::BytecodeGenerator::emitHasGenericProperty):
            (JSC::BytecodeGenerator::emitHasIndexedProperty):
            (JSC::BytecodeGenerator::emitHasStructureProperty):
            (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
            (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
            (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
            (JSC::BytecodeGenerator::emitToIndexString):
            (JSC::BytecodeGenerator::pushIndexedForInScope):
            (JSC::BytecodeGenerator::popIndexedForInScope):
            (JSC::BytecodeGenerator::pushStructureForInScope):
            (JSC::BytecodeGenerator::popStructureForInScope):
            (JSC::BytecodeGenerator::invalidateForInContextForLocal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::ForInContext::ForInContext):
            (JSC::ForInContext::~ForInContext):
            (JSC::ForInContext::isValid):
            (JSC::ForInContext::invalidate):
            (JSC::ForInContext::local):
            (JSC::StructureForInContext::StructureForInContext):
            (JSC::StructureForInContext::type):
            (JSC::StructureForInContext::index):
            (JSC::StructureForInContext::property):
            (JSC::StructureForInContext::enumerator):
            (JSC::IndexedForInContext::IndexedForInContext):
            (JSC::IndexedForInContext::type):
            (JSC::IndexedForInContext::index):
            (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
            (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
            * bytecompiler/NodesCodegen.cpp:
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ForInNode::tryGetBoundLocal):
            (JSC::ForInNode::emitLoopHeader):
            (JSC::ForInNode::emitMultiLoopBytecode):
            (JSC::ForInNode::emitBytecode):
            * debugger/DebuggerScope.h:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGCapabilities.cpp:
            (JSC::DFG::capabilityLevel):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGHeapLocation.cpp:
            (WTF::printInternal):
            * dfg/DFGHeapLocation.h:
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasHeapPrediction):
            (JSC::DFG::Node::hasArrayMode):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::callOperation):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            (JSC::JIT::compileHasIndexedProperty):
            (JSC::JIT::emitInt32Load):
            * jit/JITInlines.h:
            (JSC::JIT::emitDoubleGetByVal):
            (JSC::JIT::emitLoadForArrayMode):
            (JSC::JIT::emitContiguousGetByVal):
            (JSC::JIT::emitArrayStorageGetByVal):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOperations.cpp:
            * jit/JITOperations.h:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * llint/LowLevelInterpreter.asm:
            * parser/Nodes.h:
            * runtime/Arguments.cpp:
            (JSC::Arguments::getOwnPropertyNames):
            * runtime/ClassInfo.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
            * runtime/CommonSlowPaths.h:
            * runtime/EnumerationMode.h: Added.
            (JSC::shouldIncludeDontEnumProperties):
            (JSC::shouldExcludeDontEnumProperties):
            (JSC::shouldIncludeJSObjectPropertyNames):
            (JSC::modeThatSkipsJSObject):
            * runtime/JSActivation.cpp:
            (JSC::JSActivation::getOwnNonIndexPropertyNames):
            * runtime/JSArray.cpp:
            (JSC::JSArray::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBuffer.cpp:
            (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBufferView.cpp:
            (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
            * runtime/JSCell.cpp:
            (JSC::JSCell::getEnumerableLength):
            (JSC::JSCell::getStructurePropertyNames):
            (JSC::JSCell::getGenericPropertyNames):
            * runtime/JSCell.h:
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::getOwnNonIndexPropertyNames):
            * runtime/JSGenericTypedArrayViewInlines.h:
            (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
            * runtime/JSObject.cpp:
            (JSC::getClassPropertyNames):
            (JSC::JSObject::hasOwnProperty):
            (JSC::JSObject::getOwnPropertyNames):
            (JSC::JSObject::getOwnNonIndexPropertyNames):
            (JSC::JSObject::getEnumerableLength):
            (JSC::JSObject::getStructurePropertyNames):
            (JSC::JSObject::getGenericPropertyNames):
            * runtime/JSObject.h:
            * runtime/JSPropertyNameEnumerator.cpp: Added.
            (JSC::JSPropertyNameEnumerator::create):
            (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
            (JSC::JSPropertyNameEnumerator::finishCreation):
            (JSC::JSPropertyNameEnumerator::destroy):
            (JSC::JSPropertyNameEnumerator::visitChildren):
            * runtime/JSPropertyNameEnumerator.h: Added.
            (JSC::JSPropertyNameEnumerator::createStructure):
            (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
            (JSC::JSPropertyNameEnumerator::identifierSet):
            (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::cachedStructure):
            (JSC::JSPropertyNameEnumerator::cachedStructureID):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
            (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
            (JSC::structurePropertyNameEnumerator):
            (JSC::genericPropertyNameEnumerator):
            * runtime/JSProxy.cpp:
            (JSC::JSProxy::getEnumerableLength):
            (JSC::JSProxy::getStructurePropertyNames):
            (JSC::JSProxy::getGenericPropertyNames):
            * runtime/JSProxy.h:
            * runtime/JSSymbolTableObject.cpp:
            (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
            * runtime/PropertyNameArray.cpp:
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
            * runtime/RegExpObject.cpp:
            (JSC::RegExpObject::getOwnNonIndexPropertyNames):
            (JSC::RegExpObject::getPropertyNames):
            (JSC::RegExpObject::getGenericPropertyNames):
            * runtime/RegExpObject.h:
            * runtime/StringObject.cpp:
            (JSC::StringObject::getOwnPropertyNames):
            * runtime/Structure.cpp:
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::setCachedStructurePropertyNameEnumerator):
            (JSC::Structure::cachedStructurePropertyNameEnumerator):
            (JSC::Structure::setCachedGenericPropertyNameEnumerator):
            (JSC::Structure::cachedGenericPropertyNameEnumerator):
            (JSC::Structure::canCacheStructurePropertyNameEnumerator):
            (JSC::Structure::canCacheGenericPropertyNameEnumerator):
            (JSC::Structure::canAccessPropertiesQuickly):
            * runtime/Structure.h:
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
            (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
            * runtime/StructureRareData.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:
    
    2014-07-23  Saam Barati  <sbarati@apple.com>
    
            Make improvements to Type Profiling
            https://bugs.webkit.org/show_bug.cgi?id=134860
    
            Reviewed by Filip Pizlo.
    
            I improved the API between the inspector and JSC. We no longer send one huge
            string to the inspector. We now send structured data that represents the type
            information that JSC has collected. I've also created a beginning implementation 
            of a type lattice that allows us to resolve a display name for a type that
            consists of a single word.
    
            I created a data structure that knows which functions have executed. This
            solves the bug where types inside an un-executed function will resolve
            to the type of the enclosing expression of that function. This data
            structure may also be useful later if the inspector chooses to create a UI
            around showing which functions have executed.
    
            Better type information is gathered for objects. StructureShape now
            represents an object's prototype chain.  StructureShape also collects
            the constructor name for an object.
    
            Expression ranges are now zero indexed.
    
            Removed some extraneous methods.
    
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/CodeBlock.h:
            * bytecode/TypeLocation.h:
            (JSC::TypeLocation::TypeLocation):
            * bytecode/UnlinkedCodeBlock.cpp:
            (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
            * bytecode/UnlinkedCodeBlock.h:
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * runtime/Executable.cpp:
            (JSC::ScriptExecutable::ScriptExecutable):
            (JSC::ProgramExecutable::ProgramExecutable):
            (JSC::FunctionExecutable::FunctionExecutable):
            (JSC::ProgramExecutable::initializeGlobalProperties):
            * runtime/Executable.h:
            (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
            * runtime/FunctionHasExecutedCache.cpp: Added.
            (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
            (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
            (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
            * runtime/FunctionHasExecutedCache.h: Added.
            (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
            (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
            (JSC::FunctionHasExecutedCache::FunctionRange::hash):
            * runtime/HighFidelityLog.cpp:
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
            * runtime/HighFidelityLog.h:
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            * runtime/HighFidelityTypeProfiler.cpp:
            (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
            (JSC::descriptorMatchesTypeLocation):
            (JSC::HighFidelityTypeProfiler::findLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
            * runtime/HighFidelityTypeProfiler.h:
            (JSC::QueryKey::QueryKey):
            (JSC::QueryKey::isHashTableDeletedValue):
            (JSC::QueryKey::operator==):
            (JSC::QueryKey::hash):
            (JSC::QueryKeyHash::hash):
            (JSC::QueryKeyHash::equal):
            (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
            (JSC::HighFidelityTypeProfiler::typeLocationCache):
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/TypeLocationCache.cpp: Added.
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h: Added.
            (JSC::TypeLocationCache::LocationKey::LocationKey):
            (JSC::TypeLocationCache::LocationKey::operator==):
            (JSC::TypeLocationCache::LocationKey::hash):
            * runtime/TypeSet.cpp:
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::doesTypeConformTo):
            (JSC::TypeSet::displayName):
            (JSC::TypeSet::allPrimitiveTypeNames):
            (JSC::TypeSet::allStructureRepresentations):
            (JSC::TypeSet::leastCommonAncestor):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastCommonAncestor):
            (JSC::StructureShape::stringRepresentation):
            (JSC::StructureShape::inspectorRepresentation):
            (JSC::StructureShape::leastUpperBound): Deleted.
            * runtime/TypeSet.h:
            (JSC::StructureShape::setConstructorName):
            (JSC::StructureShape::constructorName):
            (JSC::StructureShape::setProto):
            * runtime/VM.cpp:
            (JSC::VM::dumpHighFidelityProfilingTypes):
            (JSC::VM::getTypesForVariableAtOffset): Deleted.
            (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityTypeProfiler):
    
    2014-07-23  Filip Pizlo  <fpizlo@apple.com>
    
            Fix debug build.
    
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
    
    2014-07-20  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Phantoms in SSA form should be aggressively hoisted
            https://bugs.webkit.org/show_bug.cgi?id=135111
    
            Reviewed by Oliver Hunt.
            
            In CPS form, Phantom means three things: (1) that the children should be kept alive so long
            as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
            at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
            second meaning is not used but the other two stay.
            
            The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
            even in a totally different basic block, complicates some SSA transformations. It's not
            possible to just jettison some successor, since tha successor could have a Phantom that we
            care about.
            
            This change rationalizes how Phantoms work so that:
            
            1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
               in both CPS and SSA. This was true before and it's true now.
            
            2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
               now, except that now we also don't bother preserving the live-in-bytecode information
               that Phantoms convey, when we are in SSA.
            
            3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
               use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
               Phantom.
            
            The biggest part of this change is that in SSA, we canonicalize Phantoms:
            
            - All Phantoms are replaced with Check nodes that include only those edges that have
              checks.
            
            - Nodes that were the children of any Phantoms have a Phantom right after them.
            
            For example, the following code:
            
                5: ArithAdd(@1, @2)
                6: ArithSub(@5, @3)
                7: Phantom(Int32:@5)
            
            would be turned into the following:
            
                5: ArithAdd(@1, @2)
                8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
                               // @5. This is the only Phantom we will have for @5.
                6: ArithSub(@5, @3)
                7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
                                   // a checking edge, we leave it.
            
            This is a slight speed-up across the board, presumably because we now do a better job of
            reducing the size of the graph during compilation. It could also be a fluke, though. The
            main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
            become a requirement to run phantom canonicalization prior to some SSA phases. None of the
            current phases need it, but future phases probably will.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            * dfg/DFGDCEPhase.cpp:
            (JSC::DFG::DCEPhase::run):
            (JSC::DFG::DCEPhase::findTypeCheckRoot):
            (JSC::DFG::DCEPhase::countEdge):
            (JSC::DFG::DCEPhase::fixupBlock):
            (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
            * dfg/DFGEdge.cpp:
            (JSC::DFG::Edge::dump):
            * dfg/DFGEdge.h:
            (JSC::DFG::Edge::isProved):
            (JSC::DFG::Edge::needsCheck): Deleted.
            * dfg/DFGNodeFlags.h:
            * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
            (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
            (JSC::DFG::PhantomCanonicalizationPhase::run):
            (JSC::DFG::performPhantomCanonicalization):
            * dfg/DFGPhantomCanonicalizationPhase.h: Added.
            * dfg/DFGPhantomRemovalPhase.cpp:
            (JSC::DFG::PhantomRemovalPhase::run):
            * dfg/DFGPhantomRemovalPhase.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::lowJSValue):
            (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
    
    2014-07-22  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
            https://bugs.webkit.org/show_bug.cgi?id=135146
    
            Reviewed by Oliver Hunt.
            
            This greatly simplifies our closure call optimizations by taking advantage of the type
            bits available in the cell header.
    
            * bytecode/CallLinkInfo.cpp:
            (JSC::CallLinkInfo::visitWeak):
            * bytecode/CallLinkStatus.cpp:
            (JSC::CallLinkStatus::CallLinkStatus):
            (JSC::CallLinkStatus::computeFor):
            (JSC::CallLinkStatus::dump):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
            (JSC::CallLinkStatus::executable):
            (JSC::CallLinkStatus::structure): Deleted.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitFunctionChecks):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::observeUseKindOnNode):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::SafeToExecuteEdge::operator()):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::checkArray):
            (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
            (JSC::DFG::SpeculativeJIT::speculateCellType):
            (JSC::DFG::SpeculativeJIT::speculateFunction):
            (JSC::DFG::SpeculativeJIT::speculateFinalObject):
            (JSC::DFG::SpeculativeJIT::speculate):
            * dfg/DFGSpeculativeJIT.h:
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGUseKind.cpp:
            (WTF::printInternal):
            * dfg/DFGUseKind.h:
            (JSC::DFG::typeFilterFor):
            (JSC::DFG::isCell):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
            (JSC::FTL::LowerDFGToLLVM::speculate):
            (JSC::FTL::LowerDFGToLLVM::isFunction):
            (JSC::FTL::LowerDFGToLLVM::isNotFunction):
            (JSC::FTL::LowerDFGToLLVM::speculateFunction):
            * jit/ClosureCallStubRoutine.cpp:
            (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
            (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
            * jit/ClosureCallStubRoutine.h:
            (JSC::ClosureCallStubRoutine::structure): Deleted.
            * jit/JIT.h:
            (JSC::JIT::compileClosureCall): Deleted.
            * jit/JITCall.cpp:
            (JSC::JIT::privateCompileClosureCall): Deleted.
            * jit/JITCall32_64.cpp:
            (JSC::JIT::privateCompileClosureCall): Deleted.
            * jit/JITOperations.cpp:
            * jit/Repatch.cpp:
            (JSC::linkClosureCall):
            * jit/Repatch.h:
    
2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [ARM] Incorrect handling of Unicode characters
        https://bugs.webkit.org/show_bug.cgi?id=135380

        Reviewed by Darin Adler.

        Removed erroneous fast case from stringFromUTF(), since it assumed that 
        char is always implemented as signed.

        * jsc.cpp:
        (stringFromUTF):

2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [JSC] Build fix for FTL on EFL after ftlopt merge
        https://bugs.webkit.org/show_bug.cgi?id=135565

        Reviewed by Mark Lam.

        Adding an enable guard for native inlining, since it now requires the bitcode
        emitted from Clang, and we don't have a good way of creating it from other compilers.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLState.h:

2014-08-05  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r172129. (ftlopt branch merge)

        Remove the duplicated friend declaration to fix this build failure:
        "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"

        * runtime/StructureRareData.h:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds, part 3.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds, part 2.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build, part 2.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop build.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2014-07-29  Filip Pizlo  <fpizlo@apple.com>

        Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.

        This part of the merge delivers roughly a 2% across-the-board performance
        improvement, mostly due to immutable property inference and DFG-side GCSE. It also
        almost completely resolves accessor performance issues; in the common case the DFG
        will compile a getter/setter access into code that is just as efficient as a normal
        property access.
        
        Another major highlight of this part of the merge is the work to add a type profiler
        to the inspector. This work is still on-going but this greatly increases coverage.

        Note that this merge fixes a minor bug in the GetterSetter refactoring from
        http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
        It also adds a new tests to tests/stress to cover that bug. That bug was previously only
        covered by layout tests.

    2014-07-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
            https://bugs.webkit.org/show_bug.cgi?id=135019
    
            Reviewed by Oliver Hunt.
            
            Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
            has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
            different code.
    
            * dfg/DFGNodeType.h:
            * dfg/DFGStrengthReductionPhase.cpp:
            (JSC::DFG::StrengthReductionPhase::handleNode):
            * tests/stress/capture-escape-and-throw.js: Added.
            (foo.f):
            (foo):
            * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
            (foo):
            (bar):
    
    2014-07-15  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
            https://bugs.webkit.org/show_bug.cgi?id=134962
    
            Reviewed by Oliver Hunt.
            
            This removes yet another steady-state-throughput implication of using getters and setters:
            if your accessor call is monomorphic then you'll just get a structure check, nothing more.
            No more loads to get to the GetterSetter object or the accessor function object.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * runtime/GetterSetter.h:
            (JSC::GetterSetter::getterConcurrently):
            (JSC::GetterSetter::setGetter):
            (JSC::GetterSetter::setterConcurrently):
            (JSC::GetterSetter::setSetter):
    
    2014-07-15  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
            https://bugs.webkit.org/show_bug.cgi?id=134893
    
            Reviewed by Oliver Hunt.
            
            Replace Identity with Check instead of Phantom. Phantom means that the child of the
            Identity should be unconditionally live. The liveness semantics of Identity are such that
            if the parents of Identity are live then the child is live. Removing the Identity entirely
            preserves such liveness semantics. So, the only thing that should be left behind is the
            type check on the child, which is what Check means: do the check but don't keep the child
            alive if the check isn't needed.
    
            * dfg/DFGCSEPhase.cpp:
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToCheck):
    
    2014-07-13  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
            https://bugs.webkit.org/show_bug.cgi?id=134677
    
            Reviewed by Sam Weinig.
            
            This removes the old local CSE phase, which was based on manually written backward-search 
            rules for all of the different kinds of things we cared about, and adds a new local/global
            CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
            clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
            structures used for storing sets of available values. This results in a large reduction in
            code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
            global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
            structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
            that this is a significant (~0.7%) throughput improvement.
            
            This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
            means that the node being analyzed makes available some value in some DFG node, and that
            future attempts to compute that value can simply use that node. In other words, it
            establishes an available value mapping of the form value=>node. There are two kinds of
            values that can be passed to def():
            
            PureValue. This captures everything needed to determine whether two pure nodes - nodes that
                neither read nor write, and produce a value that is a CSE candidate - are identical. It
                carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
                usually used for things like the arithmetic mode or constant pointer. Passing a
                PureValue to def() means that the node produces a value that is valid anywhere that the
                node dominates.
            
            HeapLocation. This describes a location in the heap that could be written to or read from.
                Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
                heap that both serves as part of the "name" of the heap location (together with the
                other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
                write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
                then it means that the values for that location are no longer available.
            
            This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
            tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
            interpreting the semantics of different DFG node types - that is now almost entirely in
            clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
            CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
            and the LocalCSE rule for turning PutByVal into PutByValAlias.
            
            This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere arond 0.7% . It's
            not a bigger win because LLVM was already giving us most of what we needed in its GVN.
            Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
            is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
            generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
            it improves both the quality of the code we generate and the speed with which we generate
            it. Also, any future optimizations that depend on GCSE will now be easier to implement.
            
            During the development of this patch I also rationalized some other stuff, like Graph's
            ordered traversals - we now have preorder and postorder rather than just "depth first".
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAdjacencyList.h:
            (JSC::DFG::AdjacencyList::hash):
            (JSC::DFG::AdjacencyList::operator==):
            * dfg/DFGBasicBlock.h:
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::performLocalCSE):
            (JSC::DFG::performGlobalCSE):
            (JSC::DFG::CSEPhase::CSEPhase): Deleted.
            (JSC::DFG::CSEPhase::run): Deleted.
            (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
            (JSC::DFG::CSEPhase::pureCSE): Deleted.
            (JSC::DFG::CSEPhase::constantCSE): Deleted.
            (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
            (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
            (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
            (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
            (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
            (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
            (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
            (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
            (JSC::DFG::CSEPhase::setReplacement): Deleted.
            (JSC::DFG::CSEPhase::eliminate): Deleted.
            (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
            (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
            (JSC::DFG::performCSE): Deleted.
            * dfg/DFGCSEPhase.h:
            * dfg/DFGClobberSet.cpp:
            (JSC::DFG::addReads):
            (JSC::DFG::addWrites):
            (JSC::DFG::addReadsAndWrites):
            (JSC::DFG::readsOverlap):
            (JSC::DFG::writesOverlap):
            * dfg/DFGClobberize.cpp:
            (JSC::DFG::doesWrites):
            (JSC::DFG::accessesOverlap):
            (JSC::DFG::writesOverlap):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            (JSC::DFG::NoOpClobberize::operator()):
            (JSC::DFG::CheckClobberize::operator()):
            (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
            (JSC::DFG::ReadMethodClobberize::operator()):
            (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
            (JSC::DFG::WriteMethodClobberize::operator()):
            (JSC::DFG::DefMethodClobberize::DefMethodClobberize):
            (JSC::DFG::DefMethodClobberize::operator()):
            * dfg/DFGDCEPhase.cpp:
            (JSC::DFG::DCEPhase::run):
            (JSC::DFG::DCEPhase::fixupBlock):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::getBlocksInPreOrder):
            (JSC::DFG::Graph::getBlocksInPostOrder):
            (JSC::DFG::Graph::addForDepthFirstSort): Deleted.
            (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
            * dfg/DFGGraph.h:
            * dfg/DFGHeapLocation.cpp: Added.
            (JSC::DFG::HeapLocation::dump):
            (WTF::printInternal):
            * dfg/DFGHeapLocation.h: Added.
            (JSC::DFG::HeapLocation::HeapLocation):
            (JSC::DFG::HeapLocation::operator!):
            (JSC::DFG::HeapLocation::kind):
            (JSC::DFG::HeapLocation::heap):
            (JSC::DFG::HeapLocation::base):
            (JSC::DFG::HeapLocation::index):
            (JSC::DFG::HeapLocation::hash):
            (JSC::DFG::HeapLocation::operator==):
            (JSC::DFG::HeapLocation::isHashTableDeletedValue):
            (JSC::DFG::HeapLocationHash::hash):
            (JSC::DFG::HeapLocationHash::equal):
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::run):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::replaceWith):
            (JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGPureValue.cpp: Added.
            (JSC::DFG::PureValue::dump):
            * dfg/DFGPureValue.h: Added.
            (JSC::DFG::PureValue::PureValue):
            (JSC::DFG::PureValue::operator!):
            (JSC::DFG::PureValue::op):
            (JSC::DFG::PureValue::children):
            (JSC::DFG::PureValue::info):
            (JSC::DFG::PureValue::hash):
            (JSC::DFG::PureValue::operator==):
            (JSC::DFG::PureValue::isHashTableDeletedValue):
            (JSC::DFG::PureValueHash::hash):
            (JSC::DFG::PureValueHash::equal):
            * dfg/DFGSSAConversionPhase.cpp:
            (JSC::DFG::SSAConversionPhase::run):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::lower):
    
    2014-07-13  Filip Pizlo  <fpizlo@apple.com>
    
            Unreviewed, revert unintended change in r171051.
    
            * dfg/DFGCSEPhase.cpp:
    
    2014-07-08  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
            https://bugs.webkit.org/show_bug.cgi?id=134739
    
            Reviewed by Mark Hahnenberg.
            
            I'm going to streamline CSE around clobberize() as part of
            https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
            elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
            means that it belongs in StrengthReductionPhase, since that's intended to be our
            dumping ground.
            
            To do this I had to add some missing smarts to clobberize(). Previously clobberize()
            could play a bit loose with reads of Variables because it wasn't used for store
            elimination. The main client of read() was LICM, but it would only use it to
            determine hoistability and anything that did a write() was not hoistable - so, we had
            benign (but still wrong) missing read() calls in places that did write()s. This fixes
            a bunch of those cases.
    
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
            * dfg/DFGClobberize.cpp:
            (JSC::DFG::accessesOverlap):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
            * dfg/DFGStrengthReductionPhase.cpp:
            (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().
    
    2014-07-08  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Phantom simplification should be in its own phase
            https://bugs.webkit.org/show_bug.cgi?id=134742
    
            Reviewed by Geoffrey Garen.
            
            This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
            more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
            this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
            SSA.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAdjacencyList.h:
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::run):
            (JSC::DFG::CSEPhase::setReplacement):
            (JSC::DFG::CSEPhase::eliminate):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
            * dfg/DFGPhantomRemovalPhase.cpp: Added.
            (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
            (JSC::DFG::PhantomRemovalPhase::run):
            (JSC::DFG::performCleanUp):
            * dfg/DFGPhantomRemovalPhase.h: Added.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
    
    2014-07-08  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
            https://bugs.webkit.org/show_bug.cgi?id=134730
    
            Reviewed by Mark Lam.
            
            This will allow for a better GCSE implementation.
    
            * dfg/DFGCPSRethreadingPhase.cpp:
            (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::setReplacement):
            * dfg/DFGEdgeDominates.h:
            (JSC::DFG::EdgeDominates::operator()):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::clearReplacements):
            (JSC::DFG::Graph::initializeNodeOwners):
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::performSubstitutionForEdge):
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::attemptHoist):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::Node):
            * dfg/DFGSSAConversionPhase.cpp:
            (JSC::DFG::SSAConversionPhase::run):
    
    2014-07-04  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Infer immutable object properties
            https://bugs.webkit.org/show_bug.cgi?id=134567
    
            Reviewed by Mark Hahnenberg.
            
            This introduces a new way of inferring immutable object properties. A property is said to
            be immutable if after its creation (i.e. the transition that creates it), we never
            overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
            property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
            directly and not on a prototype. More specifically, the immutability inference will prove
            that a property on some structure is immutable. This means that, for example, we may have a
            structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
            transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
            mutable. This is mainly for convenience; it allows us to decouple immutability logic from
            transition logic. Immutability can be used to constant-fold accesses to objects at
            DFG-time. The DFG needs to prove the following to constant-fold the access:
            
            - The base of the access must be a constant object pointer. We prove that a property at a
              structure is immutable, but that says nothing of its value; each actual instance of that
              property may have a different value. So, a constant object pointer is needed to get an
              actual constant instance of the immutable value.
            
            - A check (or watchpoint) must have been emitted proving that the object has a structure
              that allows loading the property in question.
            
            - The replacement watchpoint set of the property in the structure that we've proven the
              object to have is still valid and we add a watchpoint to it lazily. The replacement
              watchpoint set is the key new mechanism that this change adds. It's possible that we have
              proven that the object has one of many structures, in which case each of those structures
              needs a valid replacement watchpoint set.
            
            The replacement watchpoint set is created the first time that any access to the property is
            cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
            get cache will create the watchpoint set and make it start watching. Any non-cached put
            access will invalidate the watchpoint set if one had been created; the underlying algorithm
            ensures that checking for the existence of a replacement watchpoint set is very fast in the
            common case. This algorithm ensures that no cached access needs to ever do any work to
            invalidate, or check the validity of, any replacement watchpoint sets. It also has some
            other nice properties:
            
            - It's very robust in its definition of immutability. The strictest that it will ever be is
              that for any instance of the object, the property must be written to only once,
              specifically at the time that the property is created. But it's looser than this in
              practice. For example, the property may be written to any number of times before we add
              the final property that the object will have before anyone reads the property; this works
              since for optimization purposes we only care if we detect immutability on the structure
              that the object will have when it is most frequently read from, not any previous
              structure that the object had. Also, we may write to the property any number of times
              before anyone caches accesses to it.
            
            - It is mostly orthogonal to structure transitions. No new structures need to be created to
              track the immutability of a property. Hence, there is no risk from this feature causing
              more polymorphism. This is different from the previous "specificValue" constant
              inference, which did cause additional structures to be created and sometimes those
              structures led to fake polymorphism. This feature does leverage existing transitions to
              do some of the watchpointing: property deletions don't fire the replacement watchpoint
              set because that would cause a new structure and so the mandatory structure check would
              fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
              because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
              this feature to be enabled.
            
            - No memory overhead is incurred except when accesses to the property are cached.
              Dictionary properties will typically have no meta-data for immutability. The number of
              replacement watchpoint sets we allocate is proportional to the number of inline caches in
              the program, which is typically must smaller than the number of structures or even the
              number of objects.
            
            This inference is far more powerful than the previous "specificValue" inference, so this
            change also removes all of that code. It's interesting that the amount of code that is
            changed to remove that feature is almost as big as the amount of code added to support the
            new inference - and that's if you include the new tests in the tally. Without new tests,
            it appears that the new feature actually touches less code!
            
            There is one corner case where the previous "specificValue" inference was more powerful.
            You can imagine someone creating objects with functions as self properties on those
            objects, such that each object instance had the same function pointers - essentially,
            someone might be trying to create a vtable but failing at the whole "one vtable for many
            instances" concept. The "specificValue" inference would do very well for such programs,
            because a structure check would be sufficient to prove a constant value for all of the
            function properties. This new inference will fail because it doesn't track the constant
            values of constant properties; instead it detects the immutability of otherwise variable
            properties (in the sense that each instance of the property may have a different value).
            So, the new inference requires having a particular object instance to actually get the
            constant value. I think it's OK to lose this antifeature. It took a lot of code to support
            and was a constant source of grief in our transition logic, and there doesn't appear to be
            any real evidence that programs benefited from that particular kind of inference since
            usually it's the singleton prototype instance that has all of the functions.
            
            This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
            V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
            speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
            one case.
    
            * bytecode/ComplexGetStatus.cpp:
            (JSC::ComplexGetStatus::computeFor):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeFromLLInt):
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::computeFor):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::GetByIdVariant):
            (JSC::GetByIdVariant::operator=):
            (JSC::GetByIdVariant::attemptToMerge):
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::alternateBase):
            (JSC::GetByIdVariant::specificValue): Deleted.
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeForStubInfo):
            (JSC::PutByIdStatus::computeFor):
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::operator=):
            (JSC::PutByIdVariant::setter):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::specificValue): Deleted.
            * bytecode/Watchpoint.cpp:
            (JSC::WatchpointSet::fireAllSlow):
            (JSC::WatchpointSet::fireAll): Deleted.
            * bytecode/Watchpoint.h:
            (JSC::WatchpointSet::fireAll):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleGetByOffset):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
            (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::tryGetConstantProperty):
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGGraph.h:
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * jit/JITOperations.cpp:
            * jit/Repatch.cpp:
            (JSC::repatchByIdSelfAccess):
            (JSC::generateByIdStub):
            (JSC::tryCacheGetByID):
            (JSC::tryCachePutByID):
            (JSC::tryBuildPutByIdList):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::putToScopeCommon):
            * runtime/CommonSlowPaths.h:
            (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
            * runtime/IntendedStructureChain.cpp:
            (JSC::IntendedStructureChain::mayInterceptStoreTo):
            * runtime/JSCJSValue.cpp:
            (JSC::JSValue::putToPrimitive):
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::reset):
            * runtime/JSObject.cpp:
            (JSC::JSObject::put):
            (JSC::JSObject::putDirectNonIndexAccessor):
            (JSC::JSObject::deleteProperty):
            (JSC::JSObject::defaultValue):
            (JSC::getCallableObjectSlow): Deleted.
            (JSC::JSObject::getPropertySpecificValue): Deleted.
            * runtime/JSObject.h:
            (JSC::JSObject::getDirect):
            (JSC::JSObject::getDirectOffset):
            (JSC::JSObject::inlineGetOwnPropertySlot):
            (JSC::JSObject::putDirectInternal):
            (JSC::JSObject::putOwnDataProperty):
            (JSC::JSObject::putDirect):
            (JSC::JSObject::putDirectWithoutTransition):
            (JSC::getCallableObject): Deleted.
            * runtime/JSScope.cpp:
            (JSC::abstractAccess):
            * runtime/PropertyMapHashTable.h:
            (JSC::PropertyMapEntry::PropertyMapEntry):
            (JSC::PropertyTable::copy):
            * runtime/PropertyTable.cpp:
            (JSC::PropertyTable::clone):
            (JSC::PropertyTable::PropertyTable):
            (JSC::PropertyTable::visitChildren): Deleted.
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
            (JSC::Structure::addPropertyTransitionToExistingStructure):
            (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::changePrototypeTransition):
            (JSC::Structure::attributeChangeTransition):
            (JSC::Structure::toDictionaryTransition):
            (JSC::Structure::preventExtensionsTransition):
            (JSC::Structure::takePropertyTableOrCloneIfPinned):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::allocateRareData):
            (JSC::Structure::ensurePropertyReplacementWatchpointSet):
            (JSC::Structure::startWatchingPropertyForReplacements):
            (JSC::Structure::didCachePropertyReplacement):
            (JSC::Structure::startWatchingInternalProperties):
            (JSC::Structure::copyPropertyTable):
            (JSC::Structure::copyPropertyTableForPinning):
            (JSC::Structure::getConcurrently):
            (JSC::Structure::get):
            (JSC::Structure::add):
            (JSC::Structure::visitChildren):
            (JSC::Structure::prototypeChainMayInterceptStoreTo):
            (JSC::Structure::dump):
            (JSC::Structure::despecifyDictionaryFunction): Deleted.
            (JSC::Structure::despecifyFunctionTransition): Deleted.
            (JSC::Structure::despecifyFunction): Deleted.
            (JSC::Structure::despecifyAllFunctions): Deleted.
            (JSC::Structure::putSpecificValue): Deleted.
            * runtime/Structure.h:
            (JSC::Structure::startWatchingPropertyForReplacements):
            (JSC::Structure::startWatchingInternalPropertiesIfNecessary):
            (JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
            (JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
            (JSC::Structure::disableSpecificFunctionTracking): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::getConcurrently):
            (JSC::Structure::didReplaceProperty):
            (JSC::Structure::propertyReplacementWatchpointSet):
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::destroy):
            * runtime/StructureRareData.h:
            * tests/stress/infer-constant-global-property.js: Added.
            (foo.Math.sin):
            (foo):
            * tests/stress/infer-constant-property.js: Added.
            (foo):
            * tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
            (foo):
            (bar):
            * tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
            (foo):
            (bar):
            * tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
            (foo):
            (bar):
            * tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
            (foo):
            (bar):
            * tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
            (foo):
            (bar):
            * tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.
            (foo):
            (bar):
    
    2014-07-03  Saam Barati  <sbarati@apple.com>
    
            Add more coverage for the profile_types_with_high_fidelity op code.
            https://bugs.webkit.org/show_bug.cgi?id=134616
    
            Reviewed by Filip Pizlo.
    
            More operations are now being recorded by the profile_types_with_high_fidelity 
            opcode. Specifically: function parameters, function return values,
            function 'this' value, get_by_id, get_by_value, resolve nodes, function return 
            values at the call site. Added more flags to the profile_types_with_high_fidelity
            opcode so more focused tasks can take place when the instruction is
            being linked in CodeBlock. Re-worked the type profiler to search 
            through character offset ranges when asked for the type of an expression
            at a given offset. Removed redundant calls to Structure::toStructureShape
            in HighFidelityLog and TypeSet by caching calls based on StructureID.
    
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::finalizeUnconditionally):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/CodeBlock.h:
            (JSC::CodeBlock::returnStatementTypeSet):
            * bytecode/TypeLocation.h:
            * bytecode/UnlinkedCodeBlock.cpp:
            (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
            (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
            * bytecode/UnlinkedCodeBlock.h:
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitMove):
            (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
            (JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
            (JSC::BytecodeGenerator::emitPutToScope):
            (JSC::BytecodeGenerator::emitPutToScopeWithProfile):
            (JSC::BytecodeGenerator::emitPutById):
            (JSC::BytecodeGenerator::emitPutByVal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
            * bytecompiler/NodesCodegen.cpp:
            (JSC::ResolveNode::emitBytecode):
            (JSC::BracketAccessorNode::emitBytecode):
            (JSC::DotAccessorNode::emitBytecode):
            (JSC::FunctionCallValueNode::emitBytecode):
            (JSC::FunctionCallResolveNode::emitBytecode):
            (JSC::FunctionCallBracketNode::emitBytecode):
            (JSC::FunctionCallDotNode::emitBytecode):
            (JSC::CallFunctionCallDotNode::emitBytecode):
            (JSC::ApplyFunctionCallDotNode::emitBytecode):
            (JSC::PostfixNode::emitResolve):
            (JSC::PostfixNode::emitBracket):
            (JSC::PostfixNode::emitDot):
            (JSC::PrefixNode::emitResolve):
            (JSC::PrefixNode::emitBracket):
            (JSC::PrefixNode::emitDot):
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::AssignDotNode::emitBytecode):
            (JSC::ReadModifyDotNode::emitBytecode):
            (JSC::AssignBracketNode::emitBytecode):
            (JSC::ReadModifyBracketNode::emitBytecode):
            (JSC::ReturnNode::emitBytecode):
            (JSC::FunctionBodyNode::emitBytecode):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::getFromScopeCommon):
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * runtime/HighFidelityLog.cpp:
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
            (JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
            * runtime/HighFidelityLog.h:
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            * runtime/HighFidelityTypeProfiler.cpp:
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::findLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
            (JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
            * runtime/HighFidelityTypeProfiler.h:
            (JSC::LocationKey::LocationKey): Deleted.
            (JSC::LocationKey::hash): Deleted.
            (JSC::LocationKey::operator==): Deleted.
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/TypeSet.cpp:
            (JSC::TypeSet::TypeSet):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
            * runtime/TypeSet.h:
            (JSC::StructureShape::setConstructorName):
            * runtime/VM.cpp:
            (JSC::VM::getTypesForVariableAtOffset):
            (JSC::VM::dumpHighFidelityProfilingTypes):
            (JSC::VM::getTypesForVariableInRange): Deleted.
            * runtime/VM.h:
    
    2014-07-04  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
            https://bugs.webkit.org/show_bug.cgi?id=134642
    
            Rubber stamped by Andreas Kling.
    
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
    
    2014-07-01  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
            https://bugs.webkit.org/show_bug.cgi?id=134518
    
            Reviewed by Mark Hahnenberg.
            
            This has no real effect right now, particularly since almost all uses of
            setSetter/setGetter were already allocating a branch new GetterSetter. But once we start
            doing more aggressive constant property inference, this change will allow us to remove
            all runtime checks from getter/setter calls.
    
            * runtime/GetterSetter.cpp:
            (JSC::GetterSetter::withGetter):
            (JSC::GetterSetter::withSetter):
            * runtime/GetterSetter.h:
            (JSC::GetterSetter::setGetter):
            (JSC::GetterSetter::setSetter):
            * runtime/JSObject.cpp:
            (JSC::JSObject::defineOwnNonIndexProperty):
    
    2014-07-02  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure
    
            Rubber stamped by Mark Hahnenberg.
    
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::didTransitionFromThisStructure):
            (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
            * runtime/Structure.h:
    
    2014-07-02  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.
    
            Rubber stamped by Mark Hahnenberg.
    
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            (JSC::Structure::cloneRareDataFrom): Deleted.
            * runtime/Structure.h:
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::clone): Deleted.
            (JSC::StructureRareData::StructureRareData): Deleted.
            * runtime/StructureRareData.h:
            (JSC::StructureRareData::needsCloning): Deleted.
    
    2014-07-01  Mark Lam  <mark.lam@apple.com>
    
            [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
            <https://webkit.org/b/134420>
    
            Reviewed by Geoffrey Garen.
    
            Previously, DebuggerCallFrame::scope() returns a JSActivation (and relevant
            peers) which the WebInspector will use to introspect CallFrame variables.
            Instead, we should be returning a DebuggerScope as an abstraction layer that
            provides the introspection functionality that the WebInspector needs.  This
            is the first step towards not forcing every frame to have a JSActivation
            object just because the debugger is enabled.
    
            1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
               instead of the VM.  This allows JSObject::globalObject() to be able to
               return the global object for the DebuggerScope.
    
            2. On the DebuggerScope's life-cycle management:
    
               The DebuggerCallFrame is designed to be "valid" only during a debugging session
               (while the debugger is broken) through the use of a DebuggerCallFrameScope in
               Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
               DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
               We can't guarantee (from this code alone) that the Inspector code isn't still
               holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
               the frame will be invalidated, and any attempt to query it will return null values.
               This is pre-existing behavior.
    
               Now, we're adding the DebuggerScope into the picture.  While a single debugger
               pause session is in progress, the Inspector may request the scope from the
               DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
               DebuggerCallFrame::scope() to always return the same DebuggerScope object.
               This is why we hold on to the DebuggerScope with a strong ref.
    
               If we use a weak ref instead, the following cooky behavior can manifest:
               1. The Inspector calls Debugger::scope() to get the top scope.
               2. The Inspector iterates down the scope chain and is now only holding a
                  reference to a parent scope.  It is no longer referencing the top scope.
               3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
                  gets cleared.
               4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
                  a different DebuggerScope instance.
               5. The Inspector iterates down the scope chain but never sees the parent scope
                  instance that retained a ref to in step 2 above.  This is because when iterating
                  this new DebuggerScope instance (which has no knowledge of the previous parent
                  DebuggerScope instance), a new DebuggerScope instance will get created for the
                  same parent scope. 
    
               Since the DebuggerScope is a JSObject, it's liveness is determined by its reachability.
               However, it's "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
               When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
               instantiated) will also get invalidated.  This is why we need the
               DebuggerScope::invalidateChain() method.  The Inspector should not be using the
               DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
               those methods will do nothing or returned a failed status.
    
            * debugger/Debugger.h:
            * debugger/DebuggerCallFrame.cpp:
            (JSC::DebuggerCallFrame::scope):
            (JSC::DebuggerCallFrame::evaluate):
            (JSC::DebuggerCallFrame::invalidate):
            (JSC::DebuggerCallFrame::vm):
            (JSC::DebuggerCallFrame::lexicalGlobalObject):
            * debugger/DebuggerCallFrame.h:
            * debugger/DebuggerScope.cpp:
            (JSC::DebuggerScope::DebuggerScope):
            (JSC::DebuggerScope::finishCreation):
            (JSC::DebuggerScope::visitChildren):
            (JSC::DebuggerScope::className):
            (JSC::DebuggerScope::getOwnPropertySlot):
            (JSC::DebuggerScope::put):
            (JSC::DebuggerScope::deleteProperty):
            (JSC::DebuggerScope::getOwnPropertyNames):
            (JSC::DebuggerScope::defineOwnProperty):
            (JSC::DebuggerScope::next):
            (JSC::DebuggerScope::invalidateChain):
            (JSC::DebuggerScope::isWithScope):
            (JSC::DebuggerScope::isGlobalScope):
            (JSC::DebuggerScope::isFunctionScope):
            * debugger/DebuggerScope.h:
            (JSC::DebuggerScope::create):
            (JSC::DebuggerScope::Iterator::Iterator):
            (JSC::DebuggerScope::Iterator::get):
            (JSC::DebuggerScope::Iterator::operator++):
            (JSC::DebuggerScope::Iterator::operator==):
            (JSC::DebuggerScope::Iterator::operator!=):
            (JSC::DebuggerScope::isValid):
            (JSC::DebuggerScope::jsScope):
            (JSC::DebuggerScope::begin):
            (JSC::DebuggerScope::end):
            * inspector/JSJavaScriptCallFrame.cpp:
            (Inspector::JSJavaScriptCallFrame::scopeType):
            (Inspector::JSJavaScriptCallFrame::scopeChain):
            * inspector/JavaScriptCallFrame.h:
            (Inspector::JavaScriptCallFrame::scopeChain):
            * inspector/ScriptDebugServer.cpp:
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::reset):
            (JSC::JSGlobalObject::visitChildren):
            * runtime/JSGlobalObject.h:
            (JSC::JSGlobalObject::debuggerScopeStructure):
            * runtime/JSObject.h:
            (JSC::JSObject::isWithScope):
            * runtime/JSScope.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:
    
    2014-07-01  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
            https://bugs.webkit.org/show_bug.cgi?id=130756
    
            Reviewed by Oliver Hunt.
            
            The enables exposing the call to setters in the DFG, and then inlining it. Previously we
            already supproted inlined-cached calls to setters from within put_by_id inline caches,
            and the DFG could certainly emit such IC's. Now, if an IC had a setter call, then the DFG
            will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one
            better and inline the call.
            
            A lot of the core functionality was already available from the previous work to inline
            getters. So, there are some refactorings in this patch that move preexisting
            functionality around. For example, the work to figure out how the DFG should go about
            getting to what we call the "loaded value" - i.e. the GetterSetter object reference in
            the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and
            PutByIdStatus use it. This means that we can keep the safety checks common.  This patch
            also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse
            handleCall() for all of the various kinds of calls we can now emit.
            
            83% speed-up on getter-richards, 2% speed-up on box2d.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/ComplexGetStatus.cpp: Added.
            (JSC::ComplexGetStatus::computeFor):
            * bytecode/ComplexGetStatus.h: Added.
            (JSC::ComplexGetStatus::ComplexGetStatus):
            (JSC::ComplexGetStatus::skip):
            (JSC::ComplexGetStatus::takesSlowPath):
            (JSC::ComplexGetStatus::kind):
            (JSC::ComplexGetStatus::attributes):
            (JSC::ComplexGetStatus::specificValue):
            (JSC::ComplexGetStatus::offset):
            (JSC::ComplexGetStatus::chain):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::GetByIdVariant):
            * bytecode/PolymorphicPutByIdList.h:
            (JSC::PutByIdAccess::PutByIdAccess):
            (JSC::PutByIdAccess::setter):
            (JSC::PutByIdAccess::structure):
            (JSC::PutByIdAccess::chainCount):
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFromLLInt):
            (JSC::PutByIdStatus::computeFor):
            (JSC::PutByIdStatus::computeForStubInfo):
            (JSC::PutByIdStatus::makesCalls):
            * bytecode/PutByIdStatus.h:
            (JSC::PutByIdStatus::makesCalls): Deleted.
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::operator=):
            (JSC::PutByIdVariant::replace):
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::setter):
            (JSC::PutByIdVariant::writesStructures):
            (JSC::PutByIdVariant::reallocatesStorage):
            (JSC::PutByIdVariant::makesCalls):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::structure):
            (JSC::PutByIdVariant::oldStructure):
            (JSC::PutByIdVariant::alternateBase):
            (JSC::PutByIdVariant::specificValue):
            (JSC::PutByIdVariant::callLinkStatus):
            (JSC::PutByIdVariant::replace): Deleted.
            (JSC::PutByIdVariant::transition): Deleted.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
            (JSC::DFG::ByteCodeParser::addCall):
            (JSC::DFG::ByteCodeParser::handleCall):
            (JSC::DFG::ByteCodeParser::handleInlining):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * jit/Repatch.cpp:
            (JSC::tryCachePutByID):
            (JSC::tryBuildPutByIdList):
            * runtime/IntendedStructureChain.cpp:
            (JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
            * runtime/IntendedStructureChain.h:
            * tests/stress/exit-from-setter.js: Added.
            * tests/stress/poly-chain-setter.js: Added.
            (Cons):
            (foo):
            (test):
            * tests/stress/poly-chain-then-setter.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            * tests/stress/poly-setter-combo.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            (.test):
            * tests/stress/poly-setter-then-self.js: Added.
            (foo):
            (test):
            (.test):
            * tests/stress/weird-setter-counter.js: Added.
            (foo):
            (test):
            * tests/stress/weird-setter-counter-syntactic.js: Added.
            (foo):
            (test):
    
    2014-07-01  Matthew Mirman  <mmirman@apple.com>
    
            Added an implementation of the "in" check to FTL.
            https://bugs.webkit.org/show_bug.cgi?id=134508
    
            Reviewed by Filip Pizlo.
    
            * ftl/FTLCapabilities.cpp: enabled compilation for "in"
            (JSC::FTL::canCompile): ditto
            * ftl/FTLCompile.cpp:
            (JSC::FTL::generateCheckInICFastPath): added.
            (JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
            * ftl/FTLInlineCacheDescriptor.h:
            (JSC::FTL::CheckInGenerator::CheckInGenerator): added.
            (JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
            * ftl/FTLInlineCacheSize.cpp: 
            (JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
            * ftl/FTLInlineCacheSize.h: ditto
            * ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
            * ftl/FTLLowerDFGToLLVM.cpp: 
            (JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
            (JSC::FTL::LowerDFGToLLVM::compileIn): added.
            * ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
            (JSC::FTL::callOperation): ditto
            * ftl/FTLSlowPathCall.h: ditto
            * ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
            * jit/JITOperations.h: made operationIns internal.
            * tests/stress/ftl-checkin.js: Added.
            * tests/stress/ftl-checkin-variable.js: Added.
    
    2014-06-30  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
            https://bugs.webkit.org/show_bug.cgi?id=134455
    
            Reviewed by Geoffrey Garen.
    
            Otherwise we get hanging pointers which can cause us to die later.
    
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::stronglyVisitWeakReferences):
    
    2014-06-27  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Reduce the GC's influence on optimization decisions
            https://bugs.webkit.org/show_bug.cgi?id=134427
    
            Reviewed by Oliver Hunt.
            
            This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
            while trying to make the GC keep more structures alive
            (https://bugs.webkit.org/show_bug.cgi?id=128072).
            
            The fixes are, roughly:
            
            - If the GC clears an inline cache, then this no longer causes the IC to be forever
              polymorphic.
            
            - If we exit in inlined code into a function that tries to OSR enter, then we jettison
              sooner.
            
            - Some variables being uninitialized led to rage-recompilations.
            
            This is a pretty strong step in the direction of keeping more Structures alive and not
            blowing away code just because a Structure died. But, it seems like there is still a slight
            speed-up to be had from blowing away code that references dead Structures.
    
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpAssumingJITType):
            (JSC::shouldMarkTransition):
            (JSC::CodeBlock::propagateTransitions):
            (JSC::CodeBlock::determineLiveness):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeForStubInfo):
            * dfg/DFGCapabilities.cpp:
            (JSC::DFG::isSupportedForInlining):
            (JSC::DFG::mightInlineFunctionForCall):
            (JSC::DFG::mightInlineFunctionForClosureCall):
            (JSC::DFG::mightInlineFunctionForConstruct):
            * dfg/DFGCapabilities.h:
            * dfg/DFGCommonData.h:
            * dfg/DFGDesiredWeakReferences.cpp:
            (JSC::DFG::DesiredWeakReferences::reallyAdd):
            * dfg/DFGOSREntry.cpp:
            (JSC::DFG::prepareOSREntry):
            * dfg/DFGOSRExitCompilerCommon.cpp:
            (JSC::DFG::handleExitCounts):
            * dfg/DFGOperations.cpp:
            * dfg/DFGOperations.h:
            * ftl/FTLForOSREntryJITCode.cpp:
            (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
            * ftl/FTLOSREntry.cpp:
            (JSC::FTL::prepareOSREntry):
            * runtime/Executable.cpp:
            (JSC::ExecutableBase::destroy):
            (JSC::NativeExecutable::destroy):
            (JSC::ScriptExecutable::ScriptExecutable):
            (JSC::ScriptExecutable::destroy):
            (JSC::ScriptExecutable::installCode):
            (JSC::EvalExecutable::EvalExecutable):
            (JSC::ProgramExecutable::ProgramExecutable):
            * runtime/Executable.h:
            (JSC::ScriptExecutable::setDidTryToEnterInLoop):
            (JSC::ScriptExecutable::didTryToEnterInLoop):
            (JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
            (JSC::ScriptExecutable::ScriptExecutable): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::storedPrototypeObject):
            (JSC::Structure::storedPrototypeStructure):
    
    2014-06-25  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
            https://bugs.webkit.org/show_bug.cgi?id=134333
    
            Reviewed by Geoffrey Garen.
            
            This is engineered to provide loads of information to the profiler without incurring any
            costs when the profiler is disabled. It's the oldest trick in the book: the thing that
            fires the watchpoint doesn't actually create anything to describe the reason why it was
            fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
            FireDetail::dump() virtual method is called does anything happen.
            
            Currently we use this to produce very fine-grained data for Structure watchpoints and
            some cases of variable watchpoints. For all other situations, the given reason is just a
            string constant, by using StringFireDetail. If we find a situation where that string
            constant is insufficient to diagnose an issue then we can change it to provide more
            fine-grained information.
    
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::jettison):
            * bytecode/CodeBlock.h:
            * bytecode/CodeBlockJettisoningWatchpoint.cpp:
            (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
            * bytecode/CodeBlockJettisoningWatchpoint.h:
            * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
            * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
            * bytecode/StructureStubClearingWatchpoint.cpp:
            (JSC::StructureStubClearingWatchpoint::fireInternal):
            * bytecode/StructureStubClearingWatchpoint.h:
            * bytecode/VariableWatchpointSet.h:
            (JSC::VariableWatchpointSet::invalidate):
            (JSC::VariableWatchpointSet::finalizeUnconditionally):
            * bytecode/VariableWatchpointSetInlines.h:
            (JSC::VariableWatchpointSet::notifyWrite):
            * bytecode/Watchpoint.cpp:
            (JSC::StringFireDetail::dump):
            (JSC::WatchpointSet::fireAll):
            (JSC::WatchpointSet::fireAllSlow):
            (JSC::WatchpointSet::fireAllWatchpoints):
            (JSC::InlineWatchpointSet::fireAll):
            * bytecode/Watchpoint.h:
            (JSC::FireDetail::FireDetail):
            (JSC::FireDetail::~FireDetail):
            (JSC::StringFireDetail::StringFireDetail):
            (JSC::Watchpoint::fire):
            (JSC::WatchpointSet::fireAll):
            (JSC::WatchpointSet::touch):
            (JSC::WatchpointSet::invalidate):
            (JSC::InlineWatchpointSet::fireAll):
            (JSC::InlineWatchpointSet::touch):
            * dfg/DFGCommonData.h:
            * dfg/DFGOperations.cpp:
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::execute):
            * jsc.cpp:
            (WTF::Masquerader::create):
            * profiler/ProfilerCompilation.cpp:
            (JSC::Profiler::Compilation::setJettisonReason):
            (JSC::Profiler::Compilation::toJS):
            * profiler/ProfilerCompilation.h:
            (JSC::Profiler::Compilation::setJettisonReason): Deleted.
            * runtime/ArrayBuffer.cpp:
            (JSC::ArrayBuffer::transfer):
            * runtime/ArrayBufferNeuteringWatchpoint.cpp:
            (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
            * runtime/ArrayBufferNeuteringWatchpoint.h:
            * runtime/CommonIdentifiers.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
            * runtime/Identifier.cpp:
            (JSC::Identifier::dump):
            * runtime/Identifier.h:
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::put):
            (JSC::JSFunction::defineOwnProperty):
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::addFunction):
            (JSC::JSGlobalObject::haveABadTime):
            * runtime/JSSymbolTableObject.cpp:
            (JSC::VariableWriteFireDetail::dump):
            * runtime/JSSymbolTableObject.h:
            (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
            (JSC::symbolTablePut):
            (JSC::symbolTablePutWithAttributes):
            * runtime/PropertyName.h:
            (JSC::PropertyName::dump):
            * runtime/Structure.cpp:
            (JSC::Structure::notifyTransitionFromThisStructure):
            * runtime/Structure.h:
            (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTableEntry::notifyWriteSlow):
            (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
            * runtime/SymbolTable.h:
            (JSC::SymbolTableEntry::notifyWrite):
            * runtime/VM.cpp:
            (JSC::VM::addImpureProperty):
    
2014-08-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172099.
        https://bugs.webkit.org/show_bug.cgi?id=135635

        Needs a do-over. (Requested by kling on #webkit).

        Reverted changeset:

        "The JIT should cache property lookup misses."
        https://bugs.webkit.org/show_bug.cgi?id=135578
        http://trac.webkit.org/changeset/172099

2014-08-05  Przemyslaw Kuczynski  <p.kuczynski@samsung.com>

        Fix resource leak of unclosed file descriptor.
        https://bugs.webkit.org/show_bug.cgi?id=135417

        Reviewed by Darin Adler.

        When open returns zero, fd handle leaks. Checking (fd > 0) needs to be replaced
        with (fd != -1).

        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):

2014-08-05  Andreas Kling  <akling@apple.com>

        The JIT should cache property lookup misses.
        <https://webkit.org/b/135578>

        Add support for inline caching of object properties that don't exist.
        Previously we'd fall back to the C++ slow-path whenever a property was missing.

        It's implemented as a simple GetById-style stub that returns jsUndefined() as
        long as the Structure chain check passes.

        10x speedup on the included microbenchmark.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::toString):
        (JSC::kindFor):
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::patchJumpToGetByIdStub):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isUnset):

2014-08-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172009.
        https://bugs.webkit.org/show_bug.cgi?id=135627

        "Commit landed on trunk instead of ftlopt branch." (Requested
        by saamyjoon on #webkit).

        Reverted changeset:

        "Create a more generic way for VMEntryScope to notify those
        interested that it will be destroyed"
        https://bugs.webkit.org/show_bug.cgi?id=135358
        http://trac.webkit.org/changeset/172009

2014-08-05  Alex Christensen  <achristensen@webkit.org>

        More work on CMake.
        https://bugs.webkit.org/show_bug.cgi?id=135620

        Reviewed by Laszlo Gombos.

        * CMakeLists.txt:
        Added missing source files.
        * PlatformEfl.cmake:
        * PlatformGTK.cmake:
        Include glib directories and libraries to find glib.h in EventLoop.cpp.
        * PlatformMac.cmake:
        Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
        because it should not be defined on Windows.
        Added remote inspector source files.

2014-08-05  Peyton Randolph  <prandolph@apple.com>

        Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
        https://bugs.webkit.org/show_bug.cgi?id=135276

        Reviewed by Beth Dakin.

        * Configurations/FeatureDefines.xcconfig:

2014-08-04  Benjamin Poulain  <benjamin@webkit.org>

        Add a flag for the CSS Selectors level 4 implementation
        https://bugs.webkit.org/show_bug.cgi?id=135535

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:

2014-08-04  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=135528

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:
        Include necessary directories and copy all necessary forwarding headers.
        Only compile UDis86Disassembler.cpp if we're using UDIS86.
        * PlatformMac.cmake: Added.
        * tools/CodeProfiling.cpp:
        Compile fix.  Include sys/time.h on darwin, too.

2014-08-04  Saam Barati  <sbarati@apple.com>

        Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
        https://bugs.webkit.org/show_bug.cgi?id=135358

        Reviewed by Geoffrey Garen.

        When VMEntryScope is destroyed, and it has a flag set indicating that the
        Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
        This flag is only used by Debugger to have VMEntryScope notify it when the
        Debugger is safe to recompile all functions. This patch will substitute this
        Debugger-specific recompilation flag with a list of callbacks that are notified 
        when the outermost VMEntryScope dies. This creates a general purpose interface 
        for being notified when the VM stops executing code via the event of the outermost 
        VMEntryScope dying.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::addEntryScopeDidPopListener):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded): Deleted.

2014-08-01  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
        https://bugs.webkit.org/show_bug.cgi?id=135522

        Reviewed by Martin Robinson.

        * CMakeLists.txt: Output the inspector headers inside inspector
        subdirectory.

2014-08-01  Mark Lam  <mark.lam@apple.com>

        Add some structure related assertions.
        <https://webkit.org/b/135523>

        Reviewed by Geoffrey Garen.

        Adding 2 assertions:
        1. assert that we don't index pass the end of the StructureIDTable.
           This should never happen, but this assertion will help catch bugs
           where a bad structureID gets passed in.
        2. assert that cells in MarkedBlock::callDestructor() that are not
           zapped should have a non-null StructureID.  This will help us catch
           bugs where the other cell header flag bits get set after the cell is
           zapped, thereby making the cell look like an unzapped cell but has a
           null structureID.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):

2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r171946 to fix non-Apple builds.

        * bytecode/InlineCallFrameSet.cpp:

2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlock fails to visit the Executables of its InlineCallFrames
        https://bugs.webkit.org/show_bug.cgi?id=135471

        Reviewed by Geoffrey Garen.

        CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they 
        can be prematurely collected and cause crashes.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::visitAggregate):
        * bytecode/InlineCallFrameSet.cpp:
        (JSC::InlineCallFrameSet::visitAggregate):
        * bytecode/InlineCallFrameSet.h:

2014-08-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards cmake on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135484

        Reviewed by Martin Robinson.

        * CMakeLists.txt:
        Generate code directly to inspector directory to avoid using the cp command
        which is not available on Windows.
        * PlatformWin.cmake: Added.

2014-07-31  Andreas Kling  <akling@apple.com>

        Remove the JSC::OverridesVisitChildren flag.
        <https://webkit.org/b/135489>

        Except for 3 special classes, the visitChildren() call is always
        dispatched through the method table (see SlotVisitor.cpp.)

        The OverridesVisitChildren flag doesn't actually do anything.
        It could be used to implement a non-virtual direct call to
        JSCell::visitChildren, bypassing the method table for some objects,
        but such a micro-optimization seems like a weak trade for all this
        code complexity. Instead, just remove the flag.

        This change frees up an inline flag bit in JSCell.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.h:
        * API/JSAPIWrapperObject.mm:
        (JSC::JSAPIWrapperObject::visitChildren):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::visitChildren):
        * debugger/DebuggerScope.h:
        * jsc.cpp:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::visitChildren):
        * runtime/JSArrayIterator.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSMap.h:
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::visitChildren):
        * runtime/JSMapIterator.h:
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::visitChildren):
        * runtime/JSPromise.h:
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::visitChildren):
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseReaction.cpp:
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h:
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        * runtime/JSProxy.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSScope.h:
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSet.h:
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::visitChildren):
        * runtime/JSSetIterator.h:
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesVisitChildren): Deleted.
        * runtime/JSWeakMap.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/MapData.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::visitChildren):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::visitChildren):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/WeakMapData.h:

2014-07-31  Mark Lam  <mark.lam@apple.com>

        JSCell::classInfo() belongs in JSCellInlines.h.
        <https://webkit.org/b/135475>

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSDestructibleObject.h:
        (JSC::JSCell::classInfo): Deleted.

2014-07-31  Tanay C  <tanay.c@samsung.com>

        Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
        https://bugs.webkit.org/show_bug.cgi?id=135414

        Reviewed by Csaba Osztrogonác.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::putToScopeCommon):removed unused parameter from function definition

2014-07-30  Filip Pizlo  <fpizlo@apple.com>

        NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
        https://bugs.webkit.org/show_bug.cgi?id=135430

        Reviewed by Mark Hahnenberg.

        We already handled this correctly after the ftlopt merge, but it's useful to have the test.

        * tests/stress/new-function-expression-has-structures.js: Added.
        (foo.f):
        (foo.f.prototype.f):
        (foo):

2014-07-30  Andreas Kling  <akling@apple.com>

        Speculative Windows build fix.

        Try to dllimport the dllexported global object HashTable.

        * jsc.cpp:
        * testRegExp.cpp:

2014-07-30  Andreas Kling  <akling@apple.com>

        PropertyName's internal string is always atomic.
        <https://webkit.org/b/135451>

        Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
        we know that any string that's an Identifier is guaranteed to be atomic.

        A PropertyName can be either an Identifier or a PrivateName, and the
        private names are also guaranteed to be atomic internally.

        Make PropertyName vend AtomicStringImpl* instead of StringImpl*.

        Reviewed by Benjamin Poulain.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):

2014-07-30  Andy Estes  <aestes@apple.com>

        USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
        https://bugs.webkit.org/show_bug.cgi?id=135439

        Reviewed by Tim Horton.

        We now support two different platform content filters, and will soon support a mock content filter (as part of
        webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
        library. ENABLE() is the correct macro to use for such a feature.

        * Configurations/FeatureDefines.xcconfig:

2014-07-30  Andreas Kling  <akling@apple.com>

        Static hash tables no longer need to be coupled with a VM.
        <https://webkit.org/b/135421>

        Now that the static hash tables are using char** instead of StringImpl**,
        it's no longer necessary to make them per-VM.

        This patch removes the hook in ClassInfo for providing your own static
        hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
        Most of this patch is tweaking ClassInfo construction sites to pass one
        less null pointer.

        Also simplified Lookup.h to stop requiring ExecState/VM to access the
        static hash tables.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/ObjCCallbackFunction.mm:
        * bytecode/UnlinkedCodeBlock.cpp:
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable): Deleted.
        (JSC::ExecState::arrayPrototypeTable): Deleted.
        (JSC::ExecState::booleanPrototypeTable): Deleted.
        (JSC::ExecState::dataViewTable): Deleted.
        (JSC::ExecState::dateTable): Deleted.
        (JSC::ExecState::dateConstructorTable): Deleted.
        (JSC::ExecState::errorPrototypeTable): Deleted.
        (JSC::ExecState::globalObjectTable): Deleted.
        (JSC::ExecState::jsonTable): Deleted.
        (JSC::ExecState::numberConstructorTable): Deleted.
        (JSC::ExecState::numberPrototypeTable): Deleted.
        (JSC::ExecState::objectConstructorTable): Deleted.
        (JSC::ExecState::privateNamePrototypeTable): Deleted.
        (JSC::ExecState::regExpTable): Deleted.
        (JSC::ExecState::regExpConstructorTable): Deleted.
        (JSC::ExecState::regExpPrototypeTable): Deleted.
        (JSC::ExecState::stringConstructorTable): Deleted.
        (JSC::ExecState::promisePrototypeTable): Deleted.
        (JSC::ExecState::promiseConstructorTable): Deleted.
        * jsc.cpp:
        * parser/Lexer.h:
        (JSC::Keywords::isKeyword):
        (JSC::Keywords::getKeyword):
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
        (JSC::ClassInfo::propHashTable): Deleted.
        * runtime/ConsolePrototype.cpp:
        * runtime/CustomGetterSetter.cpp:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSMap.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrays.cpp:
        * runtime/JSVariableObject.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        * runtime/Lookup.h:
        (JSC::HashTable::initializeIfNeeded):
        (JSC::HashTable::entry):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::lookupPut):
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorConstructor.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/ObjectPrototype.cpp:
        * runtime/PropertyTable.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapData.cpp:
        * runtime/WeakMapPrototype.cpp:
        * testRegExp.cpp:

2014-07-29  Brent Fulgham  <bfulgham@apple.com>

        [Win] Modify version numbering scheme to support 5-tuple versions
        https://bugs.webkit.org/show_bug.cgi?id=135400
        <rdar://problem/17849033>

        Reviewed by David Kilzer.

        * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
        new version-stamp.pl script to version JavaScriptCore.dll.

2014-07-29  Daniel Bates  <dabates@apple.com>

        Use WTF::move() instead of std::move() to help ensure move semantics
        https://bugs.webkit.org/show_bug.cgi?id=135351

        Reviewed by Alexey Proskuryakov.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):

2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
        https://bugs.webkit.org/show_bug.cgi?id=135287

        Reviewed by Darin Adler.

        The set() method tries to use a part of the old value (the reservedFlag bit) which
        was not defined when the constructor is called. Initialize m_pointer to 0 explicitely.

        * bytecode/StructureSet.h:
        (JSC::StructureSet::StructureSet):

2014-07-28  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JIT::assertStackPointerOffset() crashes on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=135316

        Reviewed by Geoffrey Garen.

        JIT::assertStackPointerOffset() does a compare between an arbitrary register
        and the stack pointer. This was not supported by the ARM64 assembler.

        There are no variation that can take a stack pointer for Xd. There is one version of subs
        that can take a stack pointer, but only for the Xn: the shift+extend one.
        To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
        the implementation of sub.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::sub):
        In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
        with either version of sub.

        In sub(with shift), I remove the weird special case for SP. First, it was quite misleading because
        the Rd case only works if "setflag == false". The other confusing part is going to addSubtractShiftedRegister()
        gives you a reduce shift range, which could create subtle bug that only appear when SP is used.

        Since I removed the weird case, I need to differentiate between the sub() that support SP, and the one that does
        not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
        the shift value must be zero, it is safe to call either variant.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch64):
        With the changes described above, we can now use SP for the left register. What do we do if the rightmost
        register is SP?

        For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
        we just switch the registers before generating the instruction.

        For the generic case, just move the value of SP to a GPR before doing the CMP.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Unreviewed build fix after r171682.

        * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
        as an exported symbol.

2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
        https://bugs.webkit.org/show_bug.cgi?id=135322

        Reviewed by Oliver Hunt.

        The prototype chain of the JSProxy object should match that of the JSGlobalObject. 

        This is a separate but related issue with JSObjectSetPrototype which doesn't correctly 
        account for JSProxies. I also audited the rest of the C API to check that we correctly 
        handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
        and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when 
        passed a JSProxy.

        I also added some new tests for these cases.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):
        (globalObjectPrivatePropertyTest):
        * API/tests/CustomGlobalObjectClassTest.h:
        * API/tests/testapi.c:
        (main):

2014-07-28  Filip Pizlo  <fpizlo@apple.com>

        Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
        https://bugs.webkit.org/show_bug.cgi?id=135350
        <rdar://problem/17509889>

        Reviewed by Mark Hahnenberg and Oliver Hunt.
        
        If we have an exiting node that uses a conversion node, then that exiting node
        needs to have a Phantom after it for the the original node. But we can't do that
        for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):
        * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):

2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: crash when using step-into
        https://bugs.webkit.org/show_bug.cgi?id=135345

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::stepInto):
        Null check m_listener since it may not be set.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: auto-decoding of parameterized vector's elements is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=135343

        Reviewed by Timothy Hatcher.

        Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
        that was using the element's decoded type as the type parameter to
        EncodedValue::append<T>. It should instead be the raw type T. This
        causes problems when encoding Vector<RefPtr<T>>, as it later tries to
        use encoding traits for RefPtr<T> rather than for T.

        Fix incorrect generated encoding traits argument for vectors of
        RefCounted objects. Updated test to cover this scenario.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.encoding_type_argument):
        (VectorType.type_name):
        (VectorType):
        (VectorType.encoding_type_argument):
        (Generator.generate_input_encode_implementation):
        (Generator.generate_input_decode_implementation):
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
        * replay/scripts/tests/generate-input-with-vector-members.json: Updated.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: incorrect serialization code generated for enum classes inside class scope
        https://bugs.webkit.org/show_bug.cgi?id=135342

        Reviewed by Timothy Hatcher.

        If an enum class is defined inside of a class scope, then the enum class
        cannot be forward-declared and the relevant header should be included.
        Some generated code used incorrectly-scoped enum values in this situation.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes.declaration.is):
        (Generator.generate_enum_trait_implementation.is):
        (Generator.generate_enum_trait_implementation):

        Tests:

        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
        class types to this test case.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: vectors of characters should be base64-encoded
        https://bugs.webkit.org/show_bug.cgi?id=135341

        Reviewed by Timothy Hatcher.

        Without this specialization, encode/decode methods try to create an
        array of single characters in JSON, rather than treating the
        vector as a binary blob.

        * replay/EncodedValue.cpp:
        (JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
        (JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
        * replay/EncodedValue.h:

2014-07-28  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
        builds to the 'Build' target to avoid a spurious 'clean' in between build steps.

2014-07-27  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix on the EFL port

        Build break because of -Werror=return-type

        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::oldStructureForTransition):
        * dfg/DFGValueStrength.h:
        (JSC::DFG::merge):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
        https://bugs.webkit.org/show_bug.cgi?id=135323

        Reviewed by Oliver Hunt.
        
        SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
        then it's a constant that can be represented using that node's current DataFormat.
        This doesn't work if the constant had been filled as a JSValue, and then one of the
        fillSpeculateBlah() methods had speculated that it's of some type that the constant
        isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
        a constant that claims to have a contradictory data format.
        
        This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
        fillSpeculateCell() appears to not have this bug, but I added a similar defense
        mechanism anyway just in case, since this is one of those mistakes that keeps
        reappearing.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):

2014-07-27  Filip Pizlo  <fpizlo@apple.com>

        Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
        
        This fixes the previous mismerge and adds test coverage for the thing that went wrong.
        
        Additional changes listed here:

        * jsc.cpp:
        (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
        * runtime/Structure.cpp:
        (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
        * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.

    2014-06-27  Michael Saboff  <msaboff@apple.com>
    
            Unreviewed build fix after r169795.
    
            Fixed ASSERT for 32 bit build.
    
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
    
    2014-06-24  Saam Barati  <sbarati@apple.com>
    
            Web Inspector: debugger should be able to show variable types
            https://bugs.webkit.org/show_bug.cgi?id=133395
    
            Reviewed by Filip Pizlo.
    
            Increase the amount of type information the VM gathers when directed
            to do so. This initial commit is working towards the goal of
            capturing, and then showing (via the Web Inspector) type information for all
            assignment and load operations. This patch doesn't have the feature fully 
            implemented, but it ensures the VM has no performance regressions
            unless the feature is specifically turned on.
    
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/CodeBlock.h:
            * bytecode/Instruction.h:
            * bytecode/TypeLocation.h: Added.
            (JSC::TypeLocation::TypeLocation):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitMove):
            (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
            (JSC::BytecodeGenerator::emitPutToScope):
            (JSC::BytecodeGenerator::emitPutById):
            (JSC::BytecodeGenerator::emitPutByVal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
            * bytecompiler/NodesCodegen.cpp:
            (JSC::PostfixNode::emitResolve):
            (JSC::PrefixNode::emitResolve):
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ConstDeclNode::emitCodeSingle):
            (JSC::ForInNode::emitBytecode):
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * jsc.cpp:
            (GlobalObject::finishCreation):
            (functionDumpTypesForAllVariables):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::putToScopeCommon):
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * runtime/HighFidelityLog.cpp: Added.
            (JSC::HighFidelityLog::initializeHighFidelityLog):
            (JSC::HighFidelityLog::~HighFidelityLog):
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
            * runtime/HighFidelityLog.h: Added.
            (JSC::HighFidelityLog::HighFidelityLog):
            * runtime/HighFidelityTypeProfiler.cpp: Added.
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
            * runtime/HighFidelityTypeProfiler.h: Added.
            * runtime/Options.h:
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::SymbolTable):
            (JSC::SymbolTable::cloneCapturedNames):
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            (JSC::SymbolTable::globalTypeSetForRegister):
            (JSC::SymbolTable::globalTypeSetForVariable):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::add):
            (JSC::SymbolTable::set):
            * runtime/TypeSet.cpp: Added.
            (JSC::TypeSet::TypeSet):
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::removeDuplicatesInStructureHistory):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::dumpSeenTypes):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::markAsFinal):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastUpperBound):
            (JSC::StructureShape::stringRepresentation):
            * runtime/TypeSet.h: Added.
            (JSC::StructureShape::create):
            (JSC::TypeSet::create):
            * runtime/VM.cpp:
            (JSC::VM::VM):
            (JSC::VM::getTypesForVariableInRange):
            (JSC::VM::updateHighFidelityTypeProfileState):
            (JSC::VM::dumpHighFidelityProfilingTypes):
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityLog):
            (JSC::VM::highFidelityTypeProfiler):
            (JSC::VM::nextLocation):
            (JSC::VM::getNextUniqueVariableID):
    
    2014-06-26  Mark Lam  <mark.lam@apple.com>
    
            Remove unused instantiation of the WithScope structure.
            <https://webkit.org/b/134331>
    
            Reviewed by Oliver Hunt.
    
            The WithScope structure instance is the VM is unused, and is now removed.
    
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:
    
    2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Structure bit fields should have a consistent format
            https://bugs.webkit.org/show_bug.cgi?id=134307
    
            Reviewed by Filip Pizlo.
    
            Currently we use C-style bit fields for a number of member variables in Structure to save space. 
            This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
            format to make it easy to load and test these variables in JIT code.
    
            * runtime/JSObject.cpp:
            (JSC::JSObject::putDirectNonIndexAccessor):
            (JSC::JSObject::reifyStaticFunctionsForDelete):
            * runtime/Structure.cpp:
            (JSC::StructureTransitionTable::contains):
            (JSC::StructureTransitionTable::get):
            (JSC::StructureTransitionTable::add):
            (JSC::Structure::Structure):
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::despecifyFunctionTransition):
            (JSC::Structure::toDictionaryTransition):
            (JSC::Structure::freezeTransition):
            (JSC::Structure::preventExtensionsTransition):
            (JSC::Structure::takePropertyTableOrCloneIfPinned):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::flattenDictionaryStructure):
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::pin):
            (JSC::Structure::allocateRareData):
            (JSC::Structure::cloneRareDataFrom):
            (JSC::Structure::getConcurrently):
            (JSC::Structure::putSpecificValue):
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::visitChildren):
            (JSC::Structure::checkConsistency):
            * runtime/Structure.h:
            (JSC::Structure::isExtensible):
            (JSC::Structure::isDictionary):
            (JSC::Structure::isUncacheableDictionary):
            (JSC::Structure::propertyAccessesAreCacheable):
            (JSC::Structure::previousID):
            (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
            (JSC::Structure::setContainsReadOnlyProperties):
            (JSC::Structure::disableSpecificFunctionTracking):
            (JSC::Structure::objectToStringValue):
            (JSC::Structure::setObjectToStringValue):
            (JSC::Structure::setPreviousID):
            (JSC::Structure::clearPreviousID):
            (JSC::Structure::previous):
            (JSC::Structure::rareData):
            (JSC::Structure::didTransition): Deleted.
            (JSC::Structure::hasGetterSetterProperties): Deleted.
            (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
            (JSC::Structure::setHasGetterSetterProperties): Deleted.
            (JSC::Structure::hasNonEnumerableProperties): Deleted.
            (JSC::Structure::staticFunctionsReified): Deleted.
            (JSC::Structure::setStaticFunctionsReified): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache):
            (JSC::Structure::enumerationCache):
            (JSC::Structure::checkOffsetConsistency):
    
    2014-06-24  Mark Lam  <mark.lam@apple.com>
    
            [ftlopt] Renamed DebuggerActivation to DebuggerScope.
            <https://webkit.org/b/134273>
    
            Reviewed by Michael Saboff.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * debugger/DebuggerActivation.cpp: Removed.
            * debugger/DebuggerActivation.h: Removed.
            * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
            (JSC::DebuggerScope::DebuggerScope):
            (JSC::DebuggerScope::finishCreation):
            (JSC::DebuggerScope::visitChildren):
            (JSC::DebuggerScope::className):
            (JSC::DebuggerScope::getOwnPropertySlot):
            (JSC::DebuggerScope::put):
            (JSC::DebuggerScope::deleteProperty):
            (JSC::DebuggerScope::getOwnPropertyNames):
            (JSC::DebuggerScope::defineOwnProperty):
            (JSC::DebuggerActivation::DebuggerActivation): Deleted.
            (JSC::DebuggerActivation::finishCreation): Deleted.
            (JSC::DebuggerActivation::visitChildren): Deleted.
            (JSC::DebuggerActivation::className): Deleted.
            (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
            (JSC::DebuggerActivation::put): Deleted.
            (JSC::DebuggerActivation::deleteProperty): Deleted.
            (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
            (JSC::DebuggerActivation::defineOwnProperty): Deleted.
            * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
            (JSC::DebuggerScope::create):
            (JSC::DebuggerActivation::create): Deleted.
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
            https://bugs.webkit.org/show_bug.cgi?id=134265
    
            Reviewed by Geoffrey Garen.
            
            More assertion fallout from the PutById folding work.
    
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToPutByOffset):
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] GC should notify us if it resets to_this
            https://bugs.webkit.org/show_bug.cgi?id=128231
    
            Reviewed by Geoffrey Garen.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/Instruction.h:
            * bytecode/ToThisStatus.cpp: Added.
            (JSC::merge):
            (WTF::printInternal):
            * bytecode/ToThisStatus.h: Added.
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
            https://bugs.webkit.org/show_bug.cgi?id=134256
    
            Reviewed by Michael Saboff.
            
            This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
            point is to be able to precisely model what goes on in the snippets of code between a
            side-effect and an InvalidationPoint.
            
            This patch also cleans up onlyStructure() by delegating more work to
            StructureSet::onlyStructure().
    
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::onlyStructure):
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
            https://bugs.webkit.org/show_bug.cgi?id=134260
    
            Reviewed by Geoffrey Garen.
            
            This was causing loads of assertion failures in debug builds.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    
    2014-06-21  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
            https://bugs.webkit.org/show_bug.cgi?id=134090
    
            Reviewed by Oliver Hunt.
            
            This pretty much finishes off the work to eliminate the special-casing of singleton
            structure sets by making it possible to fold GetById and PutById to various polymorphic
            forms of the ByOffset nodes.
            
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::computeFor):
            * bytecode/GetByIdStatus.h:
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFor):
            * bytecode/PutByIdStatus.h:
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::constantChecks):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addChecks):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToMultiGetByOffset):
            (JSC::DFG::Node::convertToMultiPutByOffset):
            * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
            (JSC::DFG::SpeculativeJIT::fillJSValue):
            (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
            (JSC::DFG::SpeculativeJIT::emitCall):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
            (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
            (JSC::DFG::SpeculativeJIT::compileLogicalNot):
            (JSC::DFG::SpeculativeJIT::emitBranch):
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::set):
    
    2014-06-19  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
            https://bugs.webkit.org/show_bug.cgi?id=134077
    
            Reviewed by Sam Weinig.
            
            This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
            in the abstract interpreter.
    
            * bytecode/StructureSet.h:
            (JSC::StructureSet::onlyStructure):
    
    2014-06-18  Filip Pizlo  <fpizlo@apple.com>
    
            DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
            https://bugs.webkit.org/show_bug.cgi?id=133918
    
            Reviewed by Mark Hahnenberg.
            
            This also adds pruning of PutStructure, since I basically had no choice but
            to implement such logic within MultiPutByOffset.
            
            Also adds a bunch of PutById cache status dumping to bytecode dumping.
    
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::structureSet):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::oldStructure):
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::filter):
            (JSC::StructureSet::filterArrayModes):
            * bytecode/StructureSet.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::changeStructure):
            (JSC::DFG::AbstractValue::contains):
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::couldBeType):
            (JSC::DFG::AbstractValue::isType):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::freezeStrong):
            * dfg/DFGGraph.h:
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::operator=):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
    
    2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Remove CompoundType and LeafType
            https://bugs.webkit.org/show_bug.cgi?id=134037
    
            Reviewed by Filip Pizlo.
    
            We don't use them for anything. We'll replace them with a generic CellType type for all 
            the objects that are JSCells, aren't JSObjects, and for which we generally don't care about 
            their JSType at runtime.
    
            * llint/LLIntData.cpp:
            (JSC::LLInt::Data::performAssertions):
            * runtime/ArrayBufferNeuteringWatchpoint.cpp:
            (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
            * runtime/Executable.h:
            (JSC::ExecutableBase::createStructure):
            (JSC::NativeExecutable::createStructure):
            * runtime/JSPromiseDeferred.h:
            (JSC::JSPromiseDeferred::createStructure):
            * runtime/JSPromiseReaction.h:
            (JSC::JSPromiseReaction::createStructure):
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure):
            * runtime/JSType.h:
            * runtime/JSTypeInfo.h:
            (JSC::TypeInfo::TypeInfo):
            * runtime/MapData.h:
            (JSC::MapData::createStructure):
            * runtime/PropertyMapHashTable.h:
            (JSC::PropertyTable::createStructure):
            * runtime/RegExp.h:
            (JSC::RegExp::createStructure):
            * runtime/SparseArrayValueMap.cpp:
            (JSC::SparseArrayValueMap::createStructure):
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            * runtime/StructureChain.h:
            (JSC::StructureChain::createStructure):
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::createStructure):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::createStructure):
            * runtime/WeakMapData.h:
            (JSC::WeakMapData::createStructure):
    
    2014-06-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
            https://bugs.webkit.org/show_bug.cgi?id=134002
    
            Reviewed by Mark Hahnenberg.
            
            The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
            JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
            of the structure if that structure was watchable.
            
            Also kill PhantomPutStructure.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp:
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
    
    2014-06-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
            https://bugs.webkit.org/show_bug.cgi?id=133964
    
            Reviewed by Mark Hahnenberg.
    
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::appendVariant):
            (JSC::PutByIdStatus::computeForStubInfo):
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::oldStructureForTransition):
            (JSC::PutByIdVariant::writesStructures):
            (JSC::PutByIdVariant::reallocatesStorage):
            (JSC::PutByIdVariant::attemptToMerge):
            (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::replace):
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::structure):
            (JSC::PutByIdVariant::oldStructure):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.cpp:
            (JSC::DFG::MultiPutByOffsetData::writesStructures):
            (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
            * ftl/FTLAbbreviations.h:
            (JSC::FTL::getLinkage):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
    
2014-07-26  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
        reland later.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::dumpInContext):
        * bytecode/GetByIdVariant.h:
        (JSC::GetByIdVariant::structureSet):
        * bytecode/Instruction.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::appendVariant):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::dumpInContext):
        (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
        (JSC::PutByIdVariant::writesStructures): Deleted.
        (JSC::PutByIdVariant::reallocatesStorage): Deleted.
        (JSC::PutByIdVariant::attemptToMerge): Deleted.
        (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::replace):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::structure):
        (JSC::PutByIdVariant::oldStructure):
        (JSC::PutByIdVariant::newStructure):
        (JSC::PutByIdVariant::constantChecks):
        * bytecode/StructureSet.cpp:
        (JSC::StructureSet::filter): Deleted.
        (JSC::StructureSet::filterArrayModes): Deleted.
        * bytecode/StructureSet.h:
        (JSC::StructureSet::onlyStructure):
        * bytecode/ToThisStatus.cpp: Removed.
        * bytecode/ToThisStatus.h: Removed.
        * bytecode/TypeLocation.h: Removed.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitMove):
        (JSC::BytecodeGenerator::emitPutToScope):
        (JSC::BytecodeGenerator::emitPutById):
        (JSC::BytecodeGenerator::emitPutByVal):
        (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        (JSC::ForInNode::emitBytecode):
        * debugger/DebuggerActivation.cpp: Added.
        (JSC::DebuggerActivation::DebuggerActivation):
        (JSC::DebuggerActivation::finishCreation):
        (JSC::DebuggerActivation::visitChildren):
        (JSC::DebuggerActivation::className):
        (JSC::DebuggerActivation::getOwnPropertySlot):
        (JSC::DebuggerActivation::put):
        (JSC::DebuggerActivation::deleteProperty):
        (JSC::DebuggerActivation::getOwnPropertyNames):
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h: Added.
        (JSC::DebuggerActivation::create):
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerScope.cpp: Removed.
        * debugger/DebuggerScope.h: Removed.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::changeStructure): Deleted.
        (JSC::DFG::AbstractValue::contains): Deleted.
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::couldBeType):
        (JSC::DFG::AbstractValue::isType):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
        (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::visitChildren):
        (JSC::DFG::Graph::freezeStrong):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.cpp:
        (JSC::DFG::MultiPutByOffsetData::writesStructures):
        (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::hasTransition):
        (JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
        (JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureAbstractValue.cpp:
        (JSC::DFG::StructureAbstractValue::observeTransition):
        (JSC::DFG::StructureAbstractValue::observeTransitions):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::onlyStructure):
        (JSC::DFG::StructureAbstractValue::operator=): Deleted.
        (JSC::DFG::StructureAbstractValue::set): Deleted.
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGWatchableStructureWatchingPhase.cpp:
        (JSC::DFG::WatchableStructureWatchingPhase::run):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::getLinkage): Deleted.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDumpTypesForAllVariables): Deleted.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::putToScopeCommon): Deleted.
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        * runtime/HighFidelityLog.cpp: Removed.
        * runtime/HighFidelityLog.h: Removed.
        * runtime/HighFidelityTypeProfiler.cpp: Removed.
        * runtime/HighFidelityTypeProfiler.h: Removed.
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSPromiseDeferred.h:
        (JSC::JSPromiseDeferred::createStructure):
        * runtime/JSPromiseReaction.h:
        (JSC::JSPromiseReaction::createStructure):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        * runtime/MapData.h:
        (JSC::MapData::createStructure):
        * runtime/Options.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::createStructure):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::contains):
        (JSC::StructureTransitionTable::get):
        (JSC::StructureTransitionTable::add):
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::pin):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        (JSC::Structure::getConcurrently):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::visitChildren):
        (JSC::Structure::checkConsistency):
        (JSC::Structure::toStructureShape): Deleted.
        * runtime/Structure.h:
        (JSC::Structure::isExtensible):
        (JSC::Structure::didTransition):
        (JSC::Structure::isDictionary):
        (JSC::Structure::isUncacheableDictionary):
        (JSC::Structure::hasBeenFlattenedBefore):
        (JSC::Structure::propertyAccessesAreCacheable):
        (JSC::Structure::previousID):
        (JSC::Structure::hasGetterSetterProperties):
        (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
        (JSC::Structure::setHasGetterSetterProperties):
        (JSC::Structure::hasCustomGetterSetterProperties):
        (JSC::Structure::setHasCustomGetterSetterProperties):
        (JSC::Structure::setContainsReadOnlyProperties):
        (JSC::Structure::hasNonEnumerableProperties):
        (JSC::Structure::disableSpecificFunctionTracking):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::staticFunctionsReified):
        (JSC::Structure::setStaticFunctionsReified):
        (JSC::Structure::transitionWatchpointSet):
        (JSC::Structure::setPreviousID):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
        (JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::enumerationCache):
        (JSC::Structure::checkOffsetConsistency):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::createStructure):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::cloneCapturedNames):
        (JSC::SymbolTable::uniqueIDForVariable): Deleted.
        (JSC::SymbolTable::uniqueIDForRegister): Deleted.
        (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
        (JSC::SymbolTable::globalTypeSetForVariable): Deleted.
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::createStructure):
        (JSC::SymbolTable::add):
        (JSC::SymbolTable::set):
        * runtime/TypeSet.cpp: Removed.
        * runtime/TypeSet.h: Removed.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::getTypesForVariableInRange): Deleted.
        (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
        (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
        * runtime/VM.h:
        (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
        (JSC::VM::highFidelityLog): Deleted.
        (JSC::VM::highFidelityTypeProfiler): Deleted.
        (JSC::VM::nextLocation): Deleted.
        (JSC::VM::getNextUniqueVariableID): Deleted.
        * runtime/WeakMapData.h:
        (JSC::WeakMapData::createStructure):
        * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
        * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
        * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix non-Xcode platforms.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop.

        * bytecode/CodeBlock.cpp:
        (JSC::dumpChain):
        (JSC::CodeBlock::printPutByIdCacheStatus):
        * bytecode/StructureSet.cpp:
        * bytecode/StructureSet.h:

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.

    2014-06-27  Michael Saboff  <msaboff@apple.com>
    
            Unreviewed build fix after r169795.
    
            Fixed ASSERT for 32 bit build.
    
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
    
    2014-06-24  Saam Barati  <sbarati@apple.com>
    
            Web Inspector: debugger should be able to show variable types
            https://bugs.webkit.org/show_bug.cgi?id=133395
    
            Reviewed by Filip Pizlo.
    
            Increase the amount of type information the VM gathers when directed
            to do so. This initial commit is working towards the goal of
            capturing, and then showing (via the Web Inspector) type information for all
            assignment and load operations. This patch doesn't have the feature fully 
            implemented, but it ensures the VM has no performance regressions
            unless the feature is specifically turned on.
    
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/CodeBlock.h:
            * bytecode/Instruction.h:
            * bytecode/TypeLocation.h: Added.
            (JSC::TypeLocation::TypeLocation):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitMove):
            (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
            (JSC::BytecodeGenerator::emitPutToScope):
            (JSC::BytecodeGenerator::emitPutById):
            (JSC::BytecodeGenerator::emitPutByVal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
            * bytecompiler/NodesCodegen.cpp:
            (JSC::PostfixNode::emitResolve):
            (JSC::PrefixNode::emitResolve):
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ConstDeclNode::emitCodeSingle):
            (JSC::ForInNode::emitBytecode):
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * jsc.cpp:
            (GlobalObject::finishCreation):
            (functionDumpTypesForAllVariables):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::putToScopeCommon):
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * runtime/HighFidelityLog.cpp: Added.
            (JSC::HighFidelityLog::initializeHighFidelityLog):
            (JSC::HighFidelityLog::~HighFidelityLog):
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
            * runtime/HighFidelityLog.h: Added.
            (JSC::HighFidelityLog::HighFidelityLog):
            * runtime/HighFidelityTypeProfiler.cpp: Added.
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
            * runtime/HighFidelityTypeProfiler.h: Added.
            * runtime/Options.h:
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::SymbolTable):
            (JSC::SymbolTable::cloneCapturedNames):
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            (JSC::SymbolTable::globalTypeSetForRegister):
            (JSC::SymbolTable::globalTypeSetForVariable):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::add):
            (JSC::SymbolTable::set):
            * runtime/TypeSet.cpp: Added.
            (JSC::TypeSet::TypeSet):
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::removeDuplicatesInStructureHistory):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::dumpSeenTypes):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::markAsFinal):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastUpperBound):
            (JSC::StructureShape::stringRepresentation):
            * runtime/TypeSet.h: Added.
            (JSC::StructureShape::create):
            (JSC::TypeSet::create):
            * runtime/VM.cpp:
            (JSC::VM::VM):
            (JSC::VM::getTypesForVariableInRange):
            (JSC::VM::updateHighFidelityTypeProfileState):
            (JSC::VM::dumpHighFidelityProfilingTypes):
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityLog):
            (JSC::VM::highFidelityTypeProfiler):
            (JSC::VM::nextLocation):
            (JSC::VM::getNextUniqueVariableID):
    
    2014-06-26  Mark Lam  <mark.lam@apple.com>
    
            Remove unused instantiation of the WithScope structure.
            <https://webkit.org/b/134331>
    
            Reviewed by Oliver Hunt.
    
            The WithScope structure instance is the VM is unused, and is now removed.
    
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:
    
    2014-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Structure bit fields should have a consistent format
            https://bugs.webkit.org/show_bug.cgi?id=134307
    
            Reviewed by Filip Pizlo.
    
            Currently we use C-style bit fields for a number of member variables in Structure to save space. 
            This makes it difficult to load these fields in the JIT. We should instead use our own bitfield 
            format to make it easy to load and test these variables in JIT code.
    
            * runtime/JSObject.cpp:
            (JSC::JSObject::putDirectNonIndexAccessor):
            (JSC::JSObject::reifyStaticFunctionsForDelete):
            * runtime/Structure.cpp:
            (JSC::StructureTransitionTable::contains):
            (JSC::StructureTransitionTable::get):
            (JSC::StructureTransitionTable::add):
            (JSC::Structure::Structure):
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::despecifyFunctionTransition):
            (JSC::Structure::toDictionaryTransition):
            (JSC::Structure::freezeTransition):
            (JSC::Structure::preventExtensionsTransition):
            (JSC::Structure::takePropertyTableOrCloneIfPinned):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::flattenDictionaryStructure):
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::pin):
            (JSC::Structure::allocateRareData):
            (JSC::Structure::cloneRareDataFrom):
            (JSC::Structure::getConcurrently):
            (JSC::Structure::putSpecificValue):
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::visitChildren):
            (JSC::Structure::checkConsistency):
            * runtime/Structure.h:
            (JSC::Structure::isExtensible):
            (JSC::Structure::isDictionary):
            (JSC::Structure::isUncacheableDictionary):
            (JSC::Structure::propertyAccessesAreCacheable):
            (JSC::Structure::previousID):
            (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
            (JSC::Structure::setContainsReadOnlyProperties):
            (JSC::Structure::disableSpecificFunctionTracking):
            (JSC::Structure::objectToStringValue):
            (JSC::Structure::setObjectToStringValue):
            (JSC::Structure::setPreviousID):
            (JSC::Structure::clearPreviousID):
            (JSC::Structure::previous):
            (JSC::Structure::rareData):
            (JSC::Structure::didTransition): Deleted.
            (JSC::Structure::hasGetterSetterProperties): Deleted.
            (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
            (JSC::Structure::setHasGetterSetterProperties): Deleted.
            (JSC::Structure::hasNonEnumerableProperties): Deleted.
            (JSC::Structure::staticFunctionsReified): Deleted.
            (JSC::Structure::setStaticFunctionsReified): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache):
            (JSC::Structure::enumerationCache):
            (JSC::Structure::checkOffsetConsistency):
    
    2014-06-24  Mark Lam  <mark.lam@apple.com>
    
            [ftlopt] Renamed DebuggerActivation to DebuggerScope.
            <https://webkit.org/b/134273>
    
            Reviewed by Michael Saboff.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * debugger/DebuggerActivation.cpp: Removed.
            * debugger/DebuggerActivation.h: Removed.
            * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
            (JSC::DebuggerScope::DebuggerScope):
            (JSC::DebuggerScope::finishCreation):
            (JSC::DebuggerScope::visitChildren):
            (JSC::DebuggerScope::className):
            (JSC::DebuggerScope::getOwnPropertySlot):
            (JSC::DebuggerScope::put):
            (JSC::DebuggerScope::deleteProperty):
            (JSC::DebuggerScope::getOwnPropertyNames):
            (JSC::DebuggerScope::defineOwnProperty):
            (JSC::DebuggerActivation::DebuggerActivation): Deleted.
            (JSC::DebuggerActivation::finishCreation): Deleted.
            (JSC::DebuggerActivation::visitChildren): Deleted.
            (JSC::DebuggerActivation::className): Deleted.
            (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
            (JSC::DebuggerActivation::put): Deleted.
            (JSC::DebuggerActivation::deleteProperty): Deleted.
            (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
            (JSC::DebuggerActivation::defineOwnProperty): Deleted.
            * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
            (JSC::DebuggerScope::create):
            (JSC::DebuggerActivation::create): Deleted.
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
            https://bugs.webkit.org/show_bug.cgi?id=134265
    
            Reviewed by Geoffrey Garen.
            
            More assertion fallout from the PutById folding work.
    
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToPutByOffset):
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] GC should notify us if it resets to_this
            https://bugs.webkit.org/show_bug.cgi?id=128231
    
            Reviewed by Geoffrey Garen.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::finalizeUnconditionally):
            * bytecode/Instruction.h:
            * bytecode/ToThisStatus.cpp: Added.
            (JSC::merge):
            (WTF::printInternal):
            * bytecode/ToThisStatus.h: Added.
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
            https://bugs.webkit.org/show_bug.cgi?id=134256
    
            Reviewed by Michael Saboff.
            
            This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
            point is to be able to precisely model what goes on in the snippets of code between a
            side-effect and an InvalidationPoint.
            
            This patch also cleans up onlyStructure() by delegating more work to
            StructureSet::onlyStructure().
    
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::onlyStructure):
    
    2014-06-24  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
            https://bugs.webkit.org/show_bug.cgi?id=134260
    
            Reviewed by Geoffrey Garen.
            
            This was causing loads of assertion failures in debug builds.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    
    2014-06-21  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
            https://bugs.webkit.org/show_bug.cgi?id=134090
    
            Reviewed by Oliver Hunt.
            
            This pretty much finishes off the work to eliminate the special-casing of singleton
            structure sets by making it possible to fold GetById and PutById to various polymorphic
            forms of the ByOffset nodes.
            
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::computeFor):
            * bytecode/GetByIdStatus.h:
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFor):
            * bytecode/PutByIdStatus.h:
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::constantChecks):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addChecks):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToMultiGetByOffset):
            (JSC::DFG::Node::convertToMultiPutByOffset):
            * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
            (JSC::DFG::SpeculativeJIT::fillJSValue):
            (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
            (JSC::DFG::SpeculativeJIT::emitCall):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
            (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
            (JSC::DFG::SpeculativeJIT::compileLogicalNot):
            (JSC::DFG::SpeculativeJIT::emitBranch):
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::set):
    
    2014-06-19  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
            https://bugs.webkit.org/show_bug.cgi?id=134077
    
            Reviewed by Sam Weinig.
            
            This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
            in the abstract interpreter.
    
            * bytecode/StructureSet.h:
            (JSC::StructureSet::onlyStructure):
    
    2014-06-18  Filip Pizlo  <fpizlo@apple.com>
    
            DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
            https://bugs.webkit.org/show_bug.cgi?id=133918
    
            Reviewed by Mark Hahnenberg.
            
            This also adds pruning of PutStructure, since I basically had no choice but
            to implement such logic within MultiPutByOffset.
            
            Also adds a bunch of PutById cache status dumping to bytecode dumping.
    
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::structureSet):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::oldStructure):
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::filter):
            (JSC::StructureSet::filterArrayModes):
            * bytecode/StructureSet.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::changeStructure):
            (JSC::DFG::AbstractValue::contains):
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::couldBeType):
            (JSC::DFG::AbstractValue::isType):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::freezeStrong):
            * dfg/DFGGraph.h:
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::operator=):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
            * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
            (foo):
            (fu):
            (bar):
            (baz):
            (.bar):
            (.baz):
    
    2014-06-18  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Remove CompoundType and LeafType
            https://bugs.webkit.org/show_bug.cgi?id=134037
    
            Reviewed by Filip Pizlo.
    
            We don't use them for anything. We'll replace them with a generic CellType type for all 
            the objects that are JSCells, aren't JSObjects, and for which we generally don't care about 
            their JSType at runtime.
    
            * llint/LLIntData.cpp:
            (JSC::LLInt::Data::performAssertions):
            * runtime/ArrayBufferNeuteringWatchpoint.cpp:
            (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
            * runtime/Executable.h:
            (JSC::ExecutableBase::createStructure):
            (JSC::NativeExecutable::createStructure):
            * runtime/JSPromiseDeferred.h:
            (JSC::JSPromiseDeferred::createStructure):
            * runtime/JSPromiseReaction.h:
            (JSC::JSPromiseReaction::createStructure):
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure):
            * runtime/JSType.h:
            * runtime/JSTypeInfo.h:
            (JSC::TypeInfo::TypeInfo):
            * runtime/MapData.h:
            (JSC::MapData::createStructure):
            * runtime/PropertyMapHashTable.h:
            (JSC::PropertyTable::createStructure):
            * runtime/RegExp.h:
            (JSC::RegExp::createStructure):
            * runtime/SparseArrayValueMap.cpp:
            (JSC::SparseArrayValueMap::createStructure):
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            * runtime/StructureChain.h:
            (JSC::StructureChain::createStructure):
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::createStructure):
            * runtime/SymbolTable.h:
            (JSC::SymbolTable::createStructure):
            * runtime/WeakMapData.h:
            (JSC::WeakMapData::createStructure):
    
    2014-06-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
            https://bugs.webkit.org/show_bug.cgi?id=134002
    
            Reviewed by Mark Hahnenberg.
            
            The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
            JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
            of the structure if that structure was watchable.
            
            Also kill PhantomPutStructure.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp:
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
    
    2014-06-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
            https://bugs.webkit.org/show_bug.cgi?id=133964
    
            Reviewed by Mark Hahnenberg.
    
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::appendVariant):
            (JSC::PutByIdStatus::computeForStubInfo):
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::oldStructureForTransition):
            (JSC::PutByIdVariant::writesStructures):
            (JSC::PutByIdVariant::reallocatesStorage):
            (JSC::PutByIdVariant::attemptToMerge):
            (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::replace):
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::structure):
            (JSC::PutByIdVariant::oldStructure):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGNode.cpp:
            (JSC::DFG::MultiPutByOffsetData::writesStructures):
            (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
            * ftl/FTLAbbreviations.h:
            (JSC::FTL::getLinkage):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
    
2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Add an option to disable native call inlining. Disable it for now to see how it
        affects the bots.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * runtime/Options.h:

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop.

        * dfg/DFGMayExit.cpp:

2014-07-25  Filip Pizlo  <fpizlo@apple.com>

        Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.

    2014-06-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Fold constant Phis
            https://bugs.webkit.org/show_bug.cgi?id=133967
    
            Reviewed by Mark Hahnenberg.
            
            It's surprising but we didn't really do this before. Or, rather, we only did it
            incidentally when we would likely crash if it ever happened.
            
            Making this work required cleaning up the validater a bit, so I did that too. I also added
            mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
            the Phi header of basic blocks). But this required beefing up mayExit() a bit.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGAdjacencyList.h:
            (JSC::DFG::AdjacencyList::isEmpty):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::run):
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
            * dfg/DFGInPlaceAbstractState.h:
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::run):
            (JSC::DFG::LICMPhase::attemptHoist):
            * dfg/DFGMayExit.cpp:
            (JSC::DFG::mayExit):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            (JSC::DFG::Validate::validateSSA):
    
    2014-06-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
            https://bugs.webkit.org/show_bug.cgi?id=133985
    
            Reviewed by Michael Saboff and Mark Hahnenberg.
            
            Store elimination phase has never been very profitable, and now that LLVM can do dead
            store elimination for us, this phase is just completely pointless.
            
            This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
            computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
            maintain.
            
            This patch does introduce a new mayExit() calculator that is independent of the CFA and
            should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
            for assertions in the DFG backend, but we could use it if we ever brought back any of the
            other optimizations that previously relied upon NodeDoesNotExit.
            
            This is performance-neutral, except for SunSpider, where it's a speed-up.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractInterpreter.h:
            (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
            (JSC::DFG::AbstractInterpreter::filterByType):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::CSEPhase):
            (JSC::DFG::CSEPhase::invalidationPointElimination):
            (JSC::DFG::CSEPhase::setLocalStoreElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::performBlockCSE):
            (JSC::DFG::performCSE):
            (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
            (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
            (JSC::DFG::performStoreElimination): Deleted.
            * dfg/DFGCSEPhase.h:
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::resetExitStates): Deleted.
            * dfg/DFGGraph.h:
            * dfg/DFGMayExit.cpp: Added.
            (JSC::DFG::mayExit):
            * dfg/DFGMayExit.h: Added.
            * dfg/DFGNode.h:
            (JSC::DFG::Node::mergeFlags):
            (JSC::DFG::Node::filterFlags):
            (JSC::DFG::Node::setCanExit): Deleted.
            (JSC::DFG::Node::canExit): Deleted.
            * dfg/DFGNodeFlags.cpp:
            (JSC::DFG::dumpNodeFlags):
            * dfg/DFGNodeFlags.h:
            * dfg/DFGNodeType.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
            (JSC::DFG::SpeculativeJIT::bail):
            (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
    
    2014-06-15  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
            https://bugs.webkit.org/show_bug.cgi?id=133931
    
            Reviewed by Oliver Hunt.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
    
    2014-06-15  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
            https://bugs.webkit.org/show_bug.cgi?id=133935
    
            Reviewed by Oliver Hunt.
    
            * bytecode/Operands.h:
            (JSC::Operands::Operands):
            (JSC::Operands::ensureLocals):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::makeFullTop): Completeness.
            (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
            (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
            * dfg/DFGBasicBlock.cpp:
            (JSC::DFG::BasicBlock::BasicBlock):
            (JSC::DFG::BasicBlock::ensureLocals):
            * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::run): Compute the intersection.
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
            (JSC::DFG::Graph::dump): Better dumping.
            * dfg/DFGJITCompiler.h:
            (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
    
    2014-06-12  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
            https://bugs.webkit.org/show_bug.cgi?id=133821
    
            Reviewed by Mark Hahnenberg.
            
            This allows us to efficiently cache accesses that differ only in the prototypes on the path
            from the base to the prototype that has the field.
            
            It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
            data structure.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/ConstantStructureCheck.cpp: Added.
            (JSC::ConstantStructureCheck::dumpInContext):
            (JSC::ConstantStructureCheck::dump):
            (JSC::structureFor):
            (JSC::areCompatible):
            (JSC::mergeInto):
            * bytecode/ConstantStructureCheck.h: Added.
            (JSC::ConstantStructureCheck::ConstantStructureCheck):
            (JSC::ConstantStructureCheck::operator!):
            (JSC::ConstantStructureCheck::constant):
            (JSC::ConstantStructureCheck::structure):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::GetByIdVariant):
            (JSC::GetByIdVariant::operator=):
            (JSC::GetByIdVariant::attemptToMerge):
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::constantChecks):
            (JSC::GetByIdVariant::alternateBase):
            (JSC::GetByIdVariant::GetByIdVariant): Deleted.
            (JSC::GetByIdVariant::chain): Deleted.
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::constantChecks):
            (JSC::PutByIdVariant::structureChain): Deleted.
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitChecks):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
            (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
            (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
            * dfg/DFGDesiredStructureChains.cpp: Removed.
            * dfg/DFGDesiredStructureChains.h: Removed.
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::watchpoints):
            (JSC::DFG::Graph::chains): Deleted.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::isStillValid):
            (JSC::DFG::Plan::checkLivenessAndVisitChildren):
            (JSC::DFG::Plan::cancel):
            * dfg/DFGPlan.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * runtime/IntendedStructureChain.cpp:
            (JSC::IntendedStructureChain::gatherChecks):
            * runtime/IntendedStructureChain.h:
            (JSC::IntendedStructureChain::at):
            (JSC::IntendedStructureChain::operator[]):
    
    2014-06-12  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Constant folding and strength reduction should work in SSA
            https://bugs.webkit.org/show_bug.cgi?id=133839
    
            Reviewed by Oliver Hunt.
    
            * dfg/DFGAtTailAbstractState.cpp:
            (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
            (JSC::DFG::AtTailAbstractState::forNode):
            * dfg/DFGAtTailAbstractState.h:
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::convertToConstant):
            * dfg/DFGIntegerCheckCombiningPhase.cpp:
            (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::LICMPhase):
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
    
    2014-06-11  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
            https://bugs.webkit.org/show_bug.cgi?id=133751
    
            Reviewed by Mark Hahnenberg.
    
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::appendVariant):
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::attemptToMerge):
            * bytecode/GetByIdVariant.h:
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFor):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            * runtime/IntendedStructureChain.cpp:
            (JSC::IntendedStructureChain::IntendedStructureChain):
            (JSC::IntendedStructureChain::isStillValid):
            (JSC::IntendedStructureChain::isNormalized):
            (JSC::IntendedStructureChain::terminalPrototype):
            (JSC::IntendedStructureChain::operator==):
            (JSC::IntendedStructureChain::visitChildren):
            (JSC::IntendedStructureChain::dumpInContext):
            (JSC::IntendedStructureChain::chain): Deleted.
            * runtime/IntendedStructureChain.h:
            (JSC::IntendedStructureChain::prototype):
            (JSC::IntendedStructureChain::operator!=):
            (JSC::IntendedStructureChain::head): Deleted.
    
    2014-06-11  Matthew Mirman  <mmirman@apple.com>
    
           Readded native calling to the FTL and Split the DFG nodes 
           Call and Construct into NativeCall and NativeConstruct 
           to better represent their semantics.
           https://bugs.webkit.org/show_bug.cgi?id=133660
    
           Reviewed by Filip Pizlo.
    
           * dfg/DFGAbstractInterpreterInlines.h:
           (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): 
           Added NativeCall and NativeConstruct case
           * dfg/DFGByteCodeParser.cpp:
           (JSC::DFG::ByteCodeParser::addCall): added NativeCall case. 
           (JSC::DFG::ByteCodeParser::handleCall): 
           set to return NativeCall or NativeConstruct instead of Call or Construct
           in the presence of a native function.
           * dfg/DFGClobberize.h:
           (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
           * dfg/DFGDoesGC.cpp:
           (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
           * dfg/DFGFixupPhase.cpp:
           (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
           * dfg/DFGNode.h:
           (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
           (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
           (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
           * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
           * dfg/DFGPredictionPropagationPhase.cpp:
           (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
           * dfg/DFGSafeToExecute.h:
           (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
           * dfg/DFGSpeculativeJIT32_64.cpp:
           (JSC::DFG::SpeculativeJIT::emitCall): ditto
           (JSC::DFG::SpeculativeJIT::compile): ditto
           * dfg/DFGSpeculativeJIT64.cpp:
           (JSC::DFG::SpeculativeJIT::emitCall): ditto
           (JSC::DFG::SpeculativeJIT::compile): ditto
           * ftl/FTLCapabilities.cpp:
           (JSC::FTL::canCompile): ditto
           * ftl/FTLLowerDFGToLLVM.cpp:  
           (JSC::FTL::LowerDFGToLLVM::lower): ditto
           (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
           (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
           (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
           (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
           * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
           
    2014-06-11  Matthew Mirman  <mmirman@apple.com>
    
            Ensured Native Calls and Construct and associated checks 
            are only emitted during ftl mode.
            https://bugs.webkit.org/show_bug.cgi?id=133718
            
            Reviewed by Filip Pizlo.
            
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode 
            before attaching the native function to Call or Construct.
            
    2014-06-10  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
            https://bugs.webkit.org/show_bug.cgi?id=133426
    
            Reviewed by Geoffrey Garen.
            
            The impetus for this was to provide some sense and reason to race conditions arising from
            cell constants having their structure changed on the main thread - this is harmess because
            we defend against it, but when it goes wrong, it can be difficult to reproduce because it
            requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
            
            But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
            about constants. It no longer relies on the CodeBlock constant pool at all, which allows
            for a more object-oriented approach: for example a Node that has a constant can tell you
            what constant it has without needing a CodeBlock.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CallLinkStatus.cpp:
            (JSC::CallLinkStatus::computeExitSiteData):
            * bytecode/ExitKind.cpp:
            (JSC::exitKindToString):
            (JSC::exitKindIsCountable):
            * bytecode/ExitKind.h:
            (JSC::isWatchpoint): Deleted.
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::hasExitSite):
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::hasExitSite):
            * dfg/DFGAbstractInterpreter.h:
            (JSC::DFG::AbstractInterpreter::filterByValue):
            (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
            (JSC::DFG::AbstractInterpreter::setConstant):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::setOSREntryValue):
            (JSC::DFG::AbstractValue::set):
            (JSC::DFG::AbstractValue::filterByValue):
            (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
            * dfg/DFGAbstractValue.h:
            * dfg/DFGArgumentsSimplificationPhase.cpp:
            (JSC::DFG::ArgumentsSimplificationPhase::run):
            * dfg/DFGBackwardsPropagationPhase.cpp:
            (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
            (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
            (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
            (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::ByteCodeParser):
            (JSC::DFG::ByteCodeParser::getDirect):
            (JSC::DFG::ByteCodeParser::get):
            (JSC::DFG::ByteCodeParser::getLocal):
            (JSC::DFG::ByteCodeParser::setLocal):
            (JSC::DFG::ByteCodeParser::setArgument):
            (JSC::DFG::ByteCodeParser::jsConstant):
            (JSC::DFG::ByteCodeParser::weakJSConstant):
            (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
            (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
            (JSC::DFG::ByteCodeParser::handleCall):
            (JSC::DFG::ByteCodeParser::emitFunctionChecks):
            (JSC::DFG::ByteCodeParser::handleInlining):
            (JSC::DFG::ByteCodeParser::handleMinMax):
            (JSC::DFG::ByteCodeParser::handleIntrinsic):
            (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::prepareToParseBlock):
            (JSC::DFG::ByteCodeParser::parseBlock):
            (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
            (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
            (JSC::DFG::ByteCodeParser::parseCodeBlock):
            (JSC::DFG::ByteCodeParser::addConstant): Deleted.
            (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
            (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
            (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
            (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
            (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
            (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
            (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
            (JSC::DFG::ByteCodeParser::constantNull): Deleted.
            (JSC::DFG::ByteCodeParser::one): Deleted.
            (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
            (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
            (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
            (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
            * dfg/DFGCFGSimplificationPhase.cpp:
            (JSC::DFG::CFGSimplificationPhase::run):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::constantCSE):
            (JSC::DFG::CSEPhase::checkFunctionElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGCommon.h:
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::fixupMakeRope):
            (JSC::DFG::FixupPhase::truncateConstantToInt32):
            (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
            (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
            * dfg/DFGFrozenValue.cpp: Added.
            (JSC::DFG::FrozenValue::emptySingleton):
            (JSC::DFG::FrozenValue::dumpInContext):
            (JSC::DFG::FrozenValue::dump):
            * dfg/DFGFrozenValue.h: Added.
            (JSC::DFG::FrozenValue::FrozenValue):
            (JSC::DFG::FrozenValue::operator!):
            (JSC::DFG::FrozenValue::value):
            (JSC::DFG::FrozenValue::structure):
            (JSC::DFG::FrozenValue::strengthenTo):
            (JSC::DFG::FrozenValue::strength):
            (JSC::DFG::FrozenValue::freeze):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::Graph):
            (JSC::DFG::Graph::dump):
            (JSC::DFG::Graph::tryGetActivation):
            (JSC::DFG::Graph::tryGetFoldableView):
            (JSC::DFG::Graph::registerFrozenValues):
            (JSC::DFG::Graph::visitChildren):
            (JSC::DFG::Graph::freezeFragile):
            (JSC::DFG::Graph::freeze):
            (JSC::DFG::Graph::freezeStrong):
            (JSC::DFG::Graph::convertToConstant):
            (JSC::DFG::Graph::convertToStrongConstant):
            (JSC::DFG::Graph::assertIsWatched):
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
            (JSC::DFG::Graph::convertToConstant): Deleted.
            (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
            (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
            (JSC::DFG::Graph::isConstant): Deleted.
            (JSC::DFG::Graph::isJSConstant): Deleted.
            (JSC::DFG::Graph::isInt32Constant): Deleted.
            (JSC::DFG::Graph::isDoubleConstant): Deleted.
            (JSC::DFG::Graph::isNumberConstant): Deleted.
            (JSC::DFG::Graph::isBooleanConstant): Deleted.
            (JSC::DFG::Graph::isCellConstant): Deleted.
            (JSC::DFG::Graph::isFunctionConstant): Deleted.
            (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
            (JSC::DFG::Graph::valueOfJSConstant): Deleted.
            (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
            (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
            (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
            (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
            (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
            * dfg/DFGInPlaceAbstractState.cpp:
            (JSC::DFG::InPlaceAbstractState::initialize):
            * dfg/DFGInsertionSet.h:
            (JSC::DFG::InsertionSet::insertConstant):
            (JSC::DFG::InsertionSet::insertConstantForUse):
            * dfg/DFGIntegerCheckCombiningPhase.cpp:
            (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::link):
            * dfg/DFGLazyJSValue.cpp:
            (JSC::DFG::LazyJSValue::getValue):
            (JSC::DFG::LazyJSValue::strictEqual):
            (JSC::DFG::LazyJSValue::dumpInContext):
            * dfg/DFGLazyJSValue.h:
            (JSC::DFG::LazyJSValue::LazyJSValue):
            (JSC::DFG::LazyJSValue::tryGetValue):
            (JSC::DFG::LazyJSValue::value):
            (JSC::DFG::LazyJSValue::switchLookupValue):
            * dfg/DFGMinifiedNode.cpp:
            (JSC::DFG::MinifiedNode::fromNode):
            * dfg/DFGMinifiedNode.h:
            (JSC::DFG::belongsInMinifiedGraph):
            (JSC::DFG::MinifiedNode::hasConstant):
            (JSC::DFG::MinifiedNode::constant):
            (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
            (JSC::DFG::MinifiedNode::constantNumber): Deleted.
            (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
            (JSC::DFG::MinifiedNode::weakConstant): Deleted.
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasConstant):
            (JSC::DFG::Node::constant):
            (JSC::DFG::Node::convertToConstant):
            (JSC::DFG::Node::asJSValue):
            (JSC::DFG::Node::isInt32Constant):
            (JSC::DFG::Node::asInt32):
            (JSC::DFG::Node::asUInt32):
            (JSC::DFG::Node::isDoubleConstant):
            (JSC::DFG::Node::isNumberConstant):
            (JSC::DFG::Node::asNumber):
            (JSC::DFG::Node::isMachineIntConstant):
            (JSC::DFG::Node::asMachineInt):
            (JSC::DFG::Node::isBooleanConstant):
            (JSC::DFG::Node::asBoolean):
            (JSC::DFG::Node::isCellConstant):
            (JSC::DFG::Node::asCell):
            (JSC::DFG::Node::dynamicCastConstant):
            (JSC::DFG::Node::function):
            (JSC::DFG::Node::isWeakConstant): Deleted.
            (JSC::DFG::Node::constantNumber): Deleted.
            (JSC::DFG::Node::convertToWeakConstant): Deleted.
            (JSC::DFG::Node::weakConstant): Deleted.
            (JSC::DFG::Node::valueOfJSConstant): Deleted.
            * dfg/DFGNodeType.h:
            * dfg/DFGOSRExitCompiler.cpp:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
            (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
            (JSC::DFG::SpeculativeJIT::silentFill):
            (JSC::DFG::SpeculativeJIT::compileIn):
            (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
            (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
            (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
            (JSC::DFG::SpeculativeJIT::compileDoubleRep):
            (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
            (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
            (JSC::DFG::SpeculativeJIT::compileAdd):
            (JSC::DFG::SpeculativeJIT::compileArithSub):
            (JSC::DFG::SpeculativeJIT::compileArithMod):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
            (JSC::DFG::SpeculativeJIT::initConstantInfo):
            (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
            (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
            (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
            (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::fillJSValue):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
            (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::fillJSValue):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
            (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
            (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
            (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
            (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStrengthReductionPhase.cpp:
            (JSC::DFG::StrengthReductionPhase::handleNode):
            * dfg/DFGValidate.cpp:
            (JSC::DFG::Validate::validate):
            * dfg/DFGValueStrength.cpp: Added.
            (WTF::printInternal):
            * dfg/DFGValueStrength.h: Added.
            (JSC::DFG::merge):
            * dfg/DFGVariableEventStream.cpp:
            (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
            (JSC::DFG::VariableEventStream::reconstruct):
            * dfg/DFGVariableEventStream.h:
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
            * dfg/DFGWatchpointCollectionPhase.cpp:
            (JSC::DFG::WatchpointCollectionPhase::handle):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLink.cpp:
            (JSC::FTL::link):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
            (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
            (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
            (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
            (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
            (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
            (JSC::FTL::LowerDFGToLLVM::lowInt32):
            (JSC::FTL::LowerDFGToLLVM::lowCell):
            (JSC::FTL::LowerDFGToLLVM::lowBoolean):
            (JSC::FTL::LowerDFGToLLVM::lowJSValue):
            (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
            (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
            * ftl/FTLOSRExitCompiler.cpp:
            (JSC::FTL::compileStub):
            * runtime/JSCJSValue.cpp:
            (JSC::JSValue::dumpInContext):
            (JSC::JSValue::dumpInContextAssumingStructure):
            * runtime/JSCJSValue.h:
    
2014-07-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] Correct build order in JavaScriptCore.submit.sln
        https://bugs.webkit.org/show_bug.cgi?id=135282
        <rdar://problem/17805592>

        Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
        such that LLIntDesiredOffset is built prior to the rest of JSC.

2014-07-24  Mark Lam  <mark.lam@apple.com>

        JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
        <https://webkit.org/b/135258>

        Reviewed by Mark Hahnenberg.

        Where needed, we cache the prototype object pointer in a stack local var.
        This allows it to be scanned by the GC, and hence be kept alive until
        we use it.  The constructor object will in turn be kept alive by the
        prototype object.

        Also added some comments to warn against future code additions that could
        regress this issue.

        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSObjCClassInfo constructor]):

2014-07-24  Joseph Pecoraro  <pecoraro@apple.com>

        JSLock release should only modify the AtomicStringTable if it modified in acquire
        https://bugs.webkit.org/show_bug.cgi?id=135143

        Reviewed by Darin Adler.

        * runtime/JSLock.cpp:
        (JSC::JSLock::JSLock):
        Initialize the member variable to nullptr.

        (JSC::JSLock::willDestroyVM):
        Update style to use nullptr instead of 0.

        (JSC::JSLock::willReleaseLock):
        We should only reset the thread data's atomic string table if
        didAcquireLock changed it. m_entryAtomicStringTable will have
        been set by didAcquireLock if it changed, or nullptr if it didn't.
        This way we are sure we are balanced, regardless of m_vm changes.

2014-07-24  Peyton Randolph  <prandolph@apple.com>

        Rename feature flag for long-press gesture on Mac.                                                                   
        https://bugs.webkit.org/show_bug.cgi?id=135259                                                                 

        Reviewed by Beth Dakin.

        * Configurations/FeatureDefines.xcconfig:
        Rename LINK_LONG_PRESS to MAC_LONG_PRESS.

2014-07-24  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r171527.
        https://bugs.webkit.org/show_bug.cgi?id=135265

        Breaks JSC API tests (Requested by mlam on #webkit).

        Reverted changeset:

        "JSWrapperMap's jsWrapperForObject() needs to defer GC."
        https://bugs.webkit.org/show_bug.cgi?id=135258
        http://trac.webkit.org/changeset/171527

2014-07-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
        https://bugs.webkit.org/show_bug.cgi?id=135250

        Reviewed by Geoffrey Garen.

        JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its 
        JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype 
        chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
        the JSProxy's prototype fixes the issue.

        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
        would claim it wasn't of the specified class, even if the target was of the specified class.
        * API/tests/CustomGlobalObjectClassTest.c: Added.
        (jsDoSomething):
        (customGlobalObjectClassTest):
        * API/tests/CustomGlobalObjectClassTest.h: Added.
        * API/tests/testapi.c:
        (assertTrue):
        (main):
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resetPrototype):

2014-07-24  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: don't encode/decode primitive types that lack explicit sizes
        https://bugs.webkit.org/show_bug.cgi?id=133430

        Reviewed by Anders Carlsson.

        Don't support encode/decode of unsigned long, since its size is compiler-dependent.

        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::convertTo<unsigned long>):
        (JSC::unsigned long>::encodeValue): Deleted.
        * replay/EncodedValue.h:

2014-07-24  Mark Lam  <mark.lam@apple.com>

        JSWrapperMap's jsWrapperForObject() needs to defer GC.
        <https://webkit.org/b/135258>

        Reviewed by Oliver Hunt.

        In the process of creating a JS wrapper, jsWrapperForObject() will create
        the prototype and constructor of the corresponding ObjC class, as well as
        for classes in its inheritance chain.  These prototypes and constructors
        are stored in Weak references in the JSObjCClassInfo objects.  During all
        the allocation that is being done to create all the prototypes and
        constructors as well as the wrapper objects, a GC may occur thereby
        collecting one or more of these newly created prototype and constructor
        objects.

        One example of where this problem can manifest is in wrapperForObject()
        which is called from jsWrapperForObject().  In wrapperFoObject(), we do
        the following steps:

        1. reallocateConstructorAndOrPrototype() which creates the prototype
           object and store it in JSObjCClassInfo's m_prototype which is a Weak
           ref.
        2. makeWrapper() to create the wrapper object, which may trigger a GC.
           GC will collect the prototype object and nullify the corresponding
           JSObjCClassInfo's m_prototype Weak ref.
        3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
           in the newly created wrapper.  This results in the wrapper getting a
           jsNull as a prototype instead of the expected prototype object.

        To ensure that the prototype and constructor objects are retained until
        they can be referenced properly from the wrapper object,
        jsWrapperForObject() should defer GC until it's done with its work.

        * API/JSWrapperMap.mm:
        (-[JSWrapperMap jsWrapperForObject:]):

2014-07-23  Brent Fulgham  <bfulgham@apple.com>

        Build fix after r171482.

        Rubberstamped by Joe Pecoraro.

        * runtime/Identifier.h: Make header declarations match
        implementation file.

2014-07-23  Brent Fulgham  <bfulgham@apple.com>

        [Win] Use NO_RETURN_DUE_TO_CRASH on Windows
        https://bugs.webkit.org/show_bug.cgi?id=135199

        Reviewed by Mark Lam.

        * jsc.cpp:
        (WTF::RuntimeArray::deleteProperty): Stop using ugly
        compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
        codepath instead.
        * runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
        to header so function declaration matches implementation.

2014-07-23  Bem Jones-Bey  <bjonesbe@adobe.com>

        Remove CSS_EXCLUSIONS compile flag and leftover code
        https://bugs.webkit.org/show_bug.cgi?id=135175

        Reviewed by Zoltan Horvath.

        At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
        stubs. This removes the flag and the useless code.

        * Configurations/FeatureDefines.xcconfig:

2014-07-23  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r171367.
        https://bugs.webkit.org/show_bug.cgi?id=135192

        broke three API tests (Requested by thorton on #webkit).

        Reverted changeset:

        "JSLock release should only modify the AtomicStringTable if it
        modified in acquire"
        https://bugs.webkit.org/show_bug.cgi?id=135143
        http://trac.webkit.org/changeset/171367

2014-07-22  László Langó  <llango.u-szeged@partner.samsung.com>

        [EFL] Build fix after the [ftlopt] branch merge.

        Reviewed by Csaba Osztrogonác.

        * dfg/DFGBranchDirection.h:
        (JSC::DFG::branchDirectionToString):
        * dfg/DFGStructureClobberState.h:
        (JSC::DFG::merge):

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Build fix for non-clang compile.

        * jsc.cpp:
        (WTF::RuntimeArray::put): Remove incorrect return statement
        I added.

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Build fix for non-clang compile.

        * jsc.cpp:
        (WTF::RuntimeArray::deleteProperty): Need (fake) return
        value when NO_RETURN_DUE_TO_CRASH is not defined.

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Merge r169628 from ftlopt.

    2014-06-04  Matthew Mirman  <mmirman@apple.com>
    
            Added system for inlining native functions via the FTL.
            https://bugs.webkit.org/show_bug.cgi?id=131515
    
            Reviewed by Filip Pizlo.
    
            Also fixed the build to not compress the bitcode and to 
            include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO, 
            the produced bitcode files are a 100th the size they were before.  
            Now we can include all of the relevant runtime files with only a 3mb overhead. 
            This is the same overhead as for two compressed files before, 
            but done more efficiently (on both ends) and with less code.
            
            Deciding whether to inline native functions is left up to LLVM. 
            The entire module containing the function is linked into the current 
            compiled JS so that inlining the native functions shouldn't make them smaller.
            
            Rather than loading Runtime.symtbl at runtime FTLState.cpp now generates a file 
            InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.  
            
            * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
            * build-symbol-table-index.py: Changed bitcode suffix. 
            Added inclusion of only tested symbols.  
            Added output to InlineRuntimeSymbolTable.h. 
            * build-symbol-table-index.sh: Changed bitcode suffix.
            * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
            * tested-symbols.symlst: Added.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):  
            Now sets the knownFunction of the call node if such a function exists 
            and emits a check that during runtime the callee is in fact known.
            * dfg/DFGNode.h:
            Added functions to set the known function of a call node.
            (JSC::DFG::Node::canBeKnownFunction): Added.
            (JSC::DFG::Node::hasKnownFunction): Added.
            (JSC::DFG::Node::knownFunction): Added.
            (JSC::DFG::Node::giveKnownFunction): Added.
            * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
            * ftl/FTLAbbreviations.h: Added some abbreviations.
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):  
            Added call to possiblyCompileInlineableNativeCall
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
            * ftl/FTLState.h: Added symbol table hash table.
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile): Added inlining and dead function elimination passes.
            * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * llvm/InitializeLLVMMac.mm: Deleted.
            * llvm/InitializeLLVMMac.cpp: Added.
            * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
            * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
            * runtime/BundlePath.h: Added.
            * runtime/BundlePath.mm: Added.
            * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * runtime/DateInstance.h: ditto.
            * runtime/DateConversion.h: ditto.
            * runtime/ExceptionHelpers.h: ditto.
            * runtime/JSCJSValue.h: ditto.
            * runtime/JSArray.h: ditto.
            * runtime/JSDateMath.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/RegExp.h: ditto.
            * runtime/Structure.h: ditto.
            * runtime/Options.h:  Added maximumLLVMInstructionCountForNativeInlining.
    
2014-07-22  Mark Lam  <mark.lam@apple.com>

        Array.concat() should work on runtime arrays too.
        <https://webkit.org/b/135179>

        Reviewed by Geoffrey Garen.

        * jsc.cpp:
        (WTF::RuntimeArray::create):
        (WTF::RuntimeArray::~RuntimeArray):
        (WTF::RuntimeArray::destroy):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlotByIndex):
        (WTF::RuntimeArray::put):
        (WTF::RuntimeArray::deleteProperty):
        (WTF::RuntimeArray::getLength):
        (WTF::RuntimeArray::createPrototype):
        (WTF::RuntimeArray::createStructure):
        (WTF::RuntimeArray::finishCreation):
        (WTF::RuntimeArray::RuntimeArray):
        (WTF::RuntimeArray::lengthGetter):
        (GlobalObject::finishCreation):
        (functionCreateRuntimeArray):
        - Added support to create a runtime array for testing purpose.
        * runtime/ArrayPrototype.cpp:
        (JSC::getLength):
        - Added fast case for when the array object is a JSArray.
        (JSC::arrayProtoFuncJoin):
        - Added a needed but missing exception check.
        (JSC::arrayProtoFuncConcat):
        - Use getLength() to compute the array length instead of assuming that
          the array is a JSArray instance.
        * tests/stress/regexp-matches-array.js: Added.
        (testArrayConcat):
        * tests/stress/runtime-array.js: Added.
        (testArrayConcat):

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Fix Windows (return a value!)

        * jsc.cpp:
        (functionQuit): Satisfy compiler's need for
        a return value.

2014-07-22  Brent Fulgham  <bfulgham@apple.com>

        Fix Windows (sleep -> Sleep)

        * jsc.cpp:
        (WTF::jscExit):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Fix Windows.

        * jsc.cpp:
        (WTF::jscExit):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Merge r169148, r169185, r169188, r169578, r169582, r169584, r169588, r169753 from ftlopt.
        
        Note that r169753 is merged out of order because it fixes a bug in r169588.

    2014-06-10  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Structure::dfgShouldWatchIfPossible() is unsound
            https://bugs.webkit.org/show_bug.cgi?id=133624
    
            Reviewed by Mark Hahnenberg.
    
            * runtime/Structure.h:
            (JSC::Structure::dfgShouldWatchIfPossible): Make it sound and add some verbiage.
    
    2014-06-04  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] AI should be able track structure sets larger than 1
            https://bugs.webkit.org/show_bug.cgi?id=128073
    
            Reviewed by Oliver Hunt.
            
            This makes two major changes to how AI (abstract interpreter) proves that a value has
            some structure:
            
            - StructureAbstractValue can now track an arbitrary number of structures. A set whose
              size is greater than one means that the value may have any of the structures, and we
              don't know which - but we do know that it cannot be any structure not in the set. The
              structure abstract value can still be TOP, which means the set of all structures. We
              artificially limit the set size to StructureAbstractValue::polymorphismLimit to guard
              memory explosion on pathological programs. This limit is big enough that it wouldn't
              kick in for normal code, since we have other heuristics that limit the number of
              structures that we would allow an inline cache to know about.
            
            - We eagerly set watchpoints on all watchable structures and then we assume that
              watchable structures are being watched, and that the watchpoint will jettison the code.
              This allows tracking of watchable structures to be far simpler than before. Previously,
              a structure being tracked as "future possible" was predicated on it being watchable but
              we might not actually watch it. This makes algebra over sets of future possible
              structures quite weird. But watching all watchable structures means that we simple say
              that a structure set can be in the following states: unclobbered, which means it's just
              a set of structures and it doesn't matter what is watchable or what isn't because we've
              proven that the value must have one of these structures right now; and clobbered, which
              means that we have a set of structures, plus all possible structures temporarily, with
              invalidation removing the "plus all possible structures". Clobbering a set means that
              if any of its structures are unwatchable, the set just becomes TOP; but if all
              structures in the set are watchable then we just set the clobbered bit to add the "plus
              all possible structures temporarily" thing. This precisely tracks the exact meaning of
              watchability and invalidation points.
            
            Slight SunSpider slow-down, neutral on Octane, slight AsmBench speed-up. I believe that
            we will ultimately undo the SunSpider slow-down by making further improvements to the set
            representation. I believe that Octane perfromance will ultimately improve once we remove
            remaining singleton special-cases. The ultimate goal of this is to remove the need to
            try quite so desperately hard to make everything monomorphic as we do currently.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/StructureSet.cpp:
            (JSC::StructureSet::clear):
            (JSC::StructureSet::remove):
            (JSC::StructureSet::filter):
            (JSC::StructureSet::copyFromOutOfLine):
            (JSC::StructureSet::StructureSet): Deleted.
            (JSC::StructureSet::operator=): Deleted.
            (JSC::StructureSet::copyFrom): Deleted.
            * bytecode/StructureSet.h:
            (JSC::StructureSet::StructureSet):
            (JSC::StructureSet::operator=):
            (JSC::StructureSet::isEmpty):
            (JSC::StructureSet::genericFilter):
            (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine):
            (JSC::StructureSet::ContainsOutOfLine::operator()):
            (JSC::StructureSet::copyFrom):
            (JSC::StructureSet::deleteStructureListIfNecessary):
            (JSC::StructureSet::setEmpty):
            (JSC::StructureSet::getReservedFlag):
            (JSC::StructureSet::setReservedFlag):
            * dfg/DFGAbstractInterpreter.h:
            (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber):
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
            * dfg/DFGAbstractValue.cpp:
            (JSC::DFG::AbstractValue::observeTransitions):
            (JSC::DFG::AbstractValue::setMostSpecific):
            (JSC::DFG::AbstractValue::set):
            (JSC::DFG::AbstractValue::filter):
            (JSC::DFG::AbstractValue::shouldBeClear):
            (JSC::DFG::AbstractValue::normalizeClarity):
            (JSC::DFG::AbstractValue::checkConsistency):
            (JSC::DFG::AbstractValue::assertIsWatched):
            (JSC::DFG::AbstractValue::dumpInContext):
            (JSC::DFG::AbstractValue::setFuturePossibleStructure): Deleted.
            * dfg/DFGAbstractValue.h:
            (JSC::DFG::AbstractValue::clear):
            (JSC::DFG::AbstractValue::clobberStructures):
            (JSC::DFG::AbstractValue::clobberStructuresFor):
            (JSC::DFG::AbstractValue::observeInvalidationPoint):
            (JSC::DFG::AbstractValue::observeInvalidationPointFor):
            (JSC::DFG::AbstractValue::observeTransition):
            (JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver):
            (JSC::DFG::AbstractValue::TransitionObserver::operator()):
            (JSC::DFG::AbstractValue::TransitionsObserver::TransitionsObserver):
            (JSC::DFG::AbstractValue::TransitionsObserver::operator()):
            (JSC::DFG::AbstractValue::isHeapTop):
            (JSC::DFG::AbstractValue::setType):
            (JSC::DFG::AbstractValue::operator==):
            (JSC::DFG::AbstractValue::merge):
            (JSC::DFG::AbstractValue::validate):
            (JSC::DFG::AbstractValue::hasClobberableState):
            (JSC::DFG::AbstractValue::assertIsWatched):
            (JSC::DFG::AbstractValue::observeIndexingTypeTransition):
            (JSC::DFG::AbstractValue::makeTop):
            (JSC::DFG::AbstractValue::bestProvenStructure): Deleted.
            * dfg/DFGAllocator.h:
            * dfg/DFGArgumentsSimplificationPhase.cpp:
            (JSC::DFG::ArgumentsSimplificationPhase::run):
            * dfg/DFGArrayMode.cpp:
            (JSC::DFG::ArrayMode::alreadyChecked):
            * dfg/DFGAtTailAbstractState.h:
            (JSC::DFG::AtTailAbstractState::structureClobberState):
            (JSC::DFG::AtTailAbstractState::setStructureClobberState):
            (JSC::DFG::AtTailAbstractState::setFoundConstants):
            (JSC::DFG::AtTailAbstractState::haveStructures): Deleted.
            (JSC::DFG::AtTailAbstractState::setHaveStructures): Deleted.
            * dfg/DFGBasicBlock.cpp:
            (JSC::DFG::BasicBlock::BasicBlock):
            * dfg/DFGBasicBlock.h:
            * dfg/DFGBranchDirection.h:
            (JSC::DFG::branchDirectionToString):
            (WTF::printInternal):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handlePutById):
            * dfg/DFGCFAPhase.cpp:
            (JSC::DFG::CFAPhase::performBlockCFA):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::checkStructureElimination):
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGCommon.cpp:
            (JSC::DFG::startCrashing):
            (JSC::DFG::isCrashing):
            * dfg/DFGCommon.h:
            * dfg/DFGCommonData.cpp:
            (JSC::DFG::CommonData::notifyCompilingStructureTransition):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
            (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
            * dfg/DFGDesiredWatchpoints.cpp:
            (JSC::DFG::DesiredWatchpoints::consider):
            (JSC::DFG::DesiredWatchpoints::addLazily): Deleted.
            * dfg/DFGDesiredWatchpoints.h:
            (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
            (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
            (JSC::DFG::GenericDesiredWatchpoints::isWatched):
            (JSC::DFG::DesiredWatchpoints::isWatched):
            (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::addLazily): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::isStillValid): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): Deleted.
            (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): Deleted.
            (JSC::DFG::DesiredWatchpoints::isStillValid): Deleted.
            (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): Deleted.
            (JSC::DFG::DesiredWatchpoints::isValidOrMixed): Deleted.
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
            (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::~Graph):
            (JSC::DFG::Graph::dump):
            (JSC::DFG::Graph::dumpBlockHeader):
            (JSC::DFG::Graph::tryGetFoldableView):
            (JSC::DFG::Graph::visitChildren):
            (JSC::DFG::Graph::assertIsWatched):
            (JSC::DFG::Graph::handleAssertionFailure):
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::convertToConstant):
            (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
            (JSC::DFG::Graph::addStructureTransitionData): Deleted.
            * dfg/DFGInPlaceAbstractState.cpp:
            (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
            (JSC::DFG::InPlaceAbstractState::initialize):
            (JSC::DFG::InPlaceAbstractState::endBasicBlock):
            (JSC::DFG::InPlaceAbstractState::reset):
            (JSC::DFG::InPlaceAbstractState::merge):
            * dfg/DFGInPlaceAbstractState.h:
            (JSC::DFG::InPlaceAbstractState::structureClobberState):
            (JSC::DFG::InPlaceAbstractState::setStructureClobberState):
            (JSC::DFG::InPlaceAbstractState::setFoundConstants):
            (JSC::DFG::InPlaceAbstractState::haveStructures): Deleted.
            (JSC::DFG::InPlaceAbstractState::setHaveStructures): Deleted.
            * dfg/DFGLivenessAnalysisPhase.cpp:
            (JSC::DFG::LivenessAnalysisPhase::run):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasTransition):
            (JSC::DFG::Node::transition):
            (JSC::DFG::Node::hasStructure):
            (JSC::DFG::StructureTransitionData::StructureTransitionData): Deleted.
            (JSC::DFG::Node::convertToStructureTransitionWatchpoint): Deleted.
            (JSC::DFG::Node::hasStructureTransitionData): Deleted.
            (JSC::DFG::Node::structureTransitionData): Deleted.
            * dfg/DFGNodeType.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
            (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGStructureAbstractValue.cpp: Added.
            (JSC::DFG::StructureAbstractValue::assertIsWatched):
            (JSC::DFG::StructureAbstractValue::clobber):
            (JSC::DFG::StructureAbstractValue::observeTransition):
            (JSC::DFG::StructureAbstractValue::observeTransitions):
            (JSC::DFG::StructureAbstractValue::add):
            (JSC::DFG::StructureAbstractValue::merge):
            (JSC::DFG::StructureAbstractValue::mergeSlow):
            (JSC::DFG::StructureAbstractValue::mergeNotTop):
            (JSC::DFG::StructureAbstractValue::filter):
            (JSC::DFG::StructureAbstractValue::filterSlow):
            (JSC::DFG::StructureAbstractValue::contains):
            (JSC::DFG::StructureAbstractValue::isSubsetOf):
            (JSC::DFG::StructureAbstractValue::isSupersetOf):
            (JSC::DFG::StructureAbstractValue::overlaps):
            (JSC::DFG::StructureAbstractValue::equalsSlow):
            (JSC::DFG::StructureAbstractValue::dumpInContext):
            (JSC::DFG::StructureAbstractValue::dump):
            * dfg/DFGStructureAbstractValue.h:
            (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
            (JSC::DFG::StructureAbstractValue::operator=):
            (JSC::DFG::StructureAbstractValue::clear):
            (JSC::DFG::StructureAbstractValue::makeTop):
            (JSC::DFG::StructureAbstractValue::assertIsWatched):
            (JSC::DFG::StructureAbstractValue::observeInvalidationPoint):
            (JSC::DFG::StructureAbstractValue::top):
            (JSC::DFG::StructureAbstractValue::isClear):
            (JSC::DFG::StructureAbstractValue::isTop):
            (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
            (JSC::DFG::StructureAbstractValue::isClobbered):
            (JSC::DFG::StructureAbstractValue::merge):
            (JSC::DFG::StructureAbstractValue::filter):
            (JSC::DFG::StructureAbstractValue::operator==):
            (JSC::DFG::StructureAbstractValue::size):
            (JSC::DFG::StructureAbstractValue::at):
            (JSC::DFG::StructureAbstractValue::operator[]):
            (JSC::DFG::StructureAbstractValue::onlyStructure):
            (JSC::DFG::StructureAbstractValue::isSupersetOf):
            (JSC::DFG::StructureAbstractValue::makeTopWhenThin):
            (JSC::DFG::StructureAbstractValue::setClobbered):
            (JSC::DFG::StructureAbstractValue::add): Deleted.
            (JSC::DFG::StructureAbstractValue::addAll): Deleted.
            (JSC::DFG::StructureAbstractValue::contains): Deleted.
            (JSC::DFG::StructureAbstractValue::isSubsetOf): Deleted.
            (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan): Deleted.
            (JSC::DFG::StructureAbstractValue::isClearOrTop): Deleted.
            (JSC::DFG::StructureAbstractValue::last): Deleted.
            (JSC::DFG::StructureAbstractValue::speculationFromStructures): Deleted.
            (JSC::DFG::StructureAbstractValue::isValidOffset): Deleted.
            (JSC::DFG::StructureAbstractValue::hasSingleton): Deleted.
            (JSC::DFG::StructureAbstractValue::singleton): Deleted.
            (JSC::DFG::StructureAbstractValue::dumpInContext): Deleted.
            (JSC::DFG::StructureAbstractValue::dump): Deleted.
            (JSC::DFG::StructureAbstractValue::topValue): Deleted.
            * dfg/DFGStructureClobberState.h: Added.
            (JSC::DFG::merge):
            (WTF::printInternal):
            * dfg/DFGTransition.cpp: Added.
            (JSC::DFG::Transition::dumpInContext):
            (JSC::DFG::Transition::dump):
            * dfg/DFGTransition.h: Added.
            (JSC::DFG::Transition::Transition):
            * dfg/DFGTypeCheckHoistingPhase.cpp:
            (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
            (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
            * dfg/DFGWatchableStructureWatchingPhase.cpp: Added.
            (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase):
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
            (JSC::DFG::performWatchableStructureWatching):
            * dfg/DFGWatchableStructureWatchingPhase.h: Added.
            * dfg/DFGWatchpointCollectionPhase.cpp:
            (JSC::DFG::WatchpointCollectionPhase::handle):
            (JSC::DFG::WatchpointCollectionPhase::handleEdge): Deleted.
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::ftlUnreachable):
            (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
            (JSC::FTL::LowerDFGToLLVM::compileBlock):
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
            (JSC::FTL::LowerDFGToLLVM::compilePhi):
            (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
            (JSC::FTL::LowerDFGToLLVM::compileValueRep):
            (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
            (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
            (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
            (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
            (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
            (JSC::FTL::LowerDFGToLLVM::compileArithMul):
            (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
            (JSC::FTL::LowerDFGToLLVM::compileArithMod):
            (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
            (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
            (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
            (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
            (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
            (JSC::FTL::LowerDFGToLLVM::compileGetById):
            (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
            (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
            (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
            (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
            (JSC::FTL::LowerDFGToLLVM::compileNewArray):
            (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
            (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
            (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
            (JSC::FTL::LowerDFGToLLVM::compileToString):
            (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
            (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
            (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
            (JSC::FTL::LowerDFGToLLVM::compileSwitch):
            (JSC::FTL::LowerDFGToLLVM::compare):
            (JSC::FTL::LowerDFGToLLVM::boolify):
            (JSC::FTL::LowerDFGToLLVM::terminate):
            (JSC::FTL::LowerDFGToLLVM::lowInt32):
            (JSC::FTL::LowerDFGToLLVM::lowInt52):
            (JSC::FTL::LowerDFGToLLVM::opposite):
            (JSC::FTL::LowerDFGToLLVM::lowCell):
            (JSC::FTL::LowerDFGToLLVM::lowBoolean):
            (JSC::FTL::LowerDFGToLLVM::lowDouble):
            (JSC::FTL::LowerDFGToLLVM::lowJSValue):
            (JSC::FTL::LowerDFGToLLVM::speculate):
            (JSC::FTL::LowerDFGToLLVM::isArrayType):
            (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
            (JSC::FTL::LowerDFGToLLVM::callCheck):
            (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
            (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
            (JSC::FTL::LowerDFGToLLVM::setInt52):
            (JSC::FTL::LowerDFGToLLVM::crash):
            (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): Deleted.
            * ftl/FTLOutput.cpp:
            (JSC::FTL::Output::crashNonTerminal): Deleted.
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::crash): Deleted.
            * jit/JITOperations.h:
            * jsc.cpp:
            (WTF::jscExit):
            (functionQuit):
            (main):
            (printUsageStatement):
            (CommandLine::parseArguments):
            * runtime/Structure.h:
            (JSC::Structure::dfgShouldWatchIfPossible):
            (JSC::Structure::dfgShouldWatch):
            * tests/stress/arrayify-to-structure-contradiction.js: Added.
            (foo):
            * tests/stress/ftl-getmyargumentslength-inline.js: Added.
            (foo):
            * tests/stress/multi-put-by-offset-multiple-transitions.js: Added.
            (foo):
            (Foo):
            * tests/stress/throw-from-ftl-in-loop.js: Added.
            * tests/stress/throw-from-ftl.js: Added.
            (foo):
    
    2014-06-03  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Unreviewed, roll out r169578. The build system needs some more love.
    
            * InlineRuntimeSymbolTable.h: Removed.
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * build-symbol-table-index.py:
            * build-symbol-table-index.sh:
            * copy-llvm-ir-to-derived-sources.sh:
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::canBeKnownFunction): Deleted.
            (JSC::DFG::Node::hasKnownFunction): Deleted.
            (JSC::DFG::Node::knownFunction): Deleted.
            (JSC::DFG::Node::giveKnownFunction): Deleted.
            * ftl/FTLAbbreviatedTypes.h:
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
            (JSC::FTL::LowerDFGToLLVM::lower):
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Deleted.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Deleted.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State):
            * ftl/FTLState.h:
            * heap/HandleStack.h:
            * llvm/InitializeLLVM.h:
            * llvm/InitializeLLVMMac.cpp: Removed.
            * llvm/InitializeLLVMMac.mm: Added.
            (JSC::initializeLLVMImpl):
            * llvm/LLVMAPIFunctions.h:
            * llvm/LLVMHeaders.h:
            * runtime/BundlePath.h: Removed.
            * runtime/BundlePath.mm: Removed.
            * runtime/DateConversion.h:
            * runtime/DateInstance.h:
            * runtime/ExceptionHelpers.h:
            * runtime/JSArray.h:
            * runtime/JSCJSValue.h:
            (JSC::JSValue::toFloat):
            * runtime/JSDateMath.h:
            * runtime/JSObject.h:
            * runtime/JSWrapperObject.h:
            * runtime/Options.h:
            * runtime/RegExp.h:
            * runtime/StringObject.h:
            * runtime/Structure.h:
            * tested-symbols.symlst: Removed.
    
    2014-06-03  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] FTL native inlining tests take far too long
            https://bugs.webkit.org/show_bug.cgi?id=133498
    
            Unreviewed test gardening.
            
            Added a new exceptions test since the other one appears to not work.
    
            * tests/stress/ftl-library-exception.js:
            * tests/stress/ftl-library-inline-gettimezoneoffset.js: Added.
            (foo):
            * tests/stress/ftl-library-inlining-exceptions-dataview.js: Added.
            (foo):
            * tests/stress/ftl-library-inlining-exceptions.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-exceptions.js.
            * tests/stress/ftl-library-inlining-loops.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-loops.js.
            * tests/stress/ftl-library-inlining-random.js:
            * tests/stress/ftl-library-substring.js:
    
    2014-06-03  Matthew Mirman  <mmirman@apple.com>
    
            [ftlopt] Added system for inlining native functions via the FTL.
            https://bugs.webkit.org/show_bug.cgi?id=131515
    
            Reviewed by Filip Pizlo.
    
            Also fixed the build to not compress the bitcode and to 
            include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO, 
            the produced bitcode files are a 100th the size they were before.  
            Now we can include all of the relevant runtime files with only a 3mb overhead. 
            This is the same overhead as for two compressed files before, 
            but done more efficiently (on both ends) and with less code.
            
            Deciding whether to inline native functions is left up to LLVM. 
            The entire module containing the function is linked into the current 
            compiled JS so that inlining the native functions shouldn't make them smaller.
            
            Rather than loading Runtime.symtbl at runtime FTLState.cpp now includes a file 
            InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.  
            Currently build-symbol-table-index.py updates this file from the 
            contents of tested-symbols.symlst when done building as a matter of convenience.  
            However, in order to include the new contents of the file in the build
            you'd need to build twice.  This will be fixed in future versions.
    
            * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
            * build-symbol-table-index.py: Changed bitcode suffix. 
            Added inclusion of only tested symbols.  
            Added output to InlineRuntimeSymbolTable.h. 
            * build-symbol-table-index.sh: Changed bitcode suffix.
            * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
            * tested-symbols.symlst: Added.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleCall):  
            Now sets the knownFunction of the call node if such a function exists 
            and emits a check that during runtime the callee is in fact known.
            * dfg/DFGNode.h:
            Added functions to set the known function of a call node.
            (JSC::DFG::Node::canBeKnownFunction): Added.
            (JSC::DFG::Node::hasKnownFunction): Added.
            (JSC::DFG::Node::knownFunction): Added.
            (JSC::DFG::Node::giveKnownFunction): Added.
            * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
            (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
            (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
            (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):  
            Added call to possiblyCompileInlineableNativeCall
            * ftl/FTLOutput.h:
            (JSC::FTL::Output::allocaName):  Added. Useful for debugging.
            * ftl/FTLState.cpp:
            (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
            * ftl/FTLState.h: Added symbol table hash table.
            * ftl/FTLCompile.cpp:
            (JSC::FTL::compile): Added inlining and dead function elimination passes.
            * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * InlineRuntimeSymbolTable.h: Added.  
            * llvm/InitializeLLVMMac.mm: Deleted.
            * llvm/InitializeLLVMMac.cpp: Added.
            * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
            * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
            * runtime/BundlePath.h: Added.
            * runtime/BundlePath.mm: Added.
            * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
            * runtime/DateInstance.h: ditto.
            * runtime/DateConversion.h: ditto.
            * runtime/ExceptionHelpers.h: ditto.
            * runtime/JSCJSValue.h: ditto.
            * runtime/JSArray.h: ditto.
            * runtime/JSDateMath.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/JSObject.h: ditto.
            * runtime/RegExp.h: ditto.
            * runtime/Structure.h: ditto.
            * runtime/Options.h:  Added maximumLLVMInstructionCountForNativeInlining.
            * tests/stress/ftl-library-inlining-random.js: Added.
            * tests/stress/ftl-library-substring.js: Added.
    
    2014-05-21  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG::clobberize should be blind to the effects of GC
            https://bugs.webkit.org/show_bug.cgi?id=133166
    
            Reviewed by Goeffrey Garen.
            
            Move the computation of where GCs happen to DFG::doesGC().
            
            Large (>5x) speed-up on programs that do loop-invariant string concatenations.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            (JSC::DFG::clobberizeForAllocation): Deleted.
            * dfg/DFGDoesGC.cpp: Added.
            (JSC::DFG::doesGC):
            * dfg/DFGDoesGC.h: Added.
            * dfg/DFGStoreBarrierElisionPhase.cpp:
            (JSC::DFG::StoreBarrierElisionPhase::handleNode):
            (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Deleted.
    
    2014-05-16  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] A StructureSet with one element should only require one word and no allocation
            https://bugs.webkit.org/show_bug.cgi?id=133014
    
            Reviewed by Oliver Hunt.
            
            This makes it more efficient to use StructureSet in situations where the common case is
            just one structure.
            
            I also took the opportunity to use the same set terminology we use in BitVector: merge,
            filter, exclude, contains, etc.
            
            Eventually, this will be used to implement StructureAbstractValue as well.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/StructureSet.cpp: Added.
            (JSC::StructureSet::StructureSet):
            (JSC::StructureSet::operator=):
            (JSC::StructureSet::clear):
            (JSC::StructureSet::add):
            (JSC::StructureSet::remove):
            (JSC::StructureSet::contains):
            (JSC::StructureSet::merge):
            (JSC::StructureSet::filter):
            (JSC::StructureSet::exclude):
            (JSC::StructureSet::isSubsetOf):
            (JSC::StructureSet::overlaps):
            (JSC::StructureSet::operator==):
            (JSC::StructureSet::speculationFromStructures):
            (JSC::StructureSet::arrayModesFromStructures):
            (JSC::StructureSet::dumpInContext):
            (JSC::StructureSet::dump):
            (JSC::StructureSet::addOutOfLine):
            (JSC::StructureSet::containsOutOfLine):
            (JSC::StructureSet::copyFrom):
            (JSC::StructureSet::OutOfLineList::create):
            (JSC::StructureSet::OutOfLineList::destroy):
            * bytecode/StructureSet.h:
            (JSC::StructureSet::StructureSet):
            (JSC::StructureSet::~StructureSet):
            (JSC::StructureSet::onlyStructure):
            (JSC::StructureSet::isEmpty):
            (JSC::StructureSet::size):
            (JSC::StructureSet::at):
            (JSC::StructureSet::operator[]):
            (JSC::StructureSet::last):
            (JSC::StructureSet::OutOfLineList::list):
            (JSC::StructureSet::OutOfLineList::OutOfLineList):
            (JSC::StructureSet::deleteStructureListIfNecessary):
            (JSC::StructureSet::isThin):
            (JSC::StructureSet::pointer):
            (JSC::StructureSet::singleStructure):
            (JSC::StructureSet::structureList):
            (JSC::StructureSet::set):
            (JSC::StructureSet::clear): Deleted.
            (JSC::StructureSet::add): Deleted.
            (JSC::StructureSet::addAll): Deleted.
            (JSC::StructureSet::remove): Deleted.
            (JSC::StructureSet::contains): Deleted.
            (JSC::StructureSet::containsOnly): Deleted.
            (JSC::StructureSet::isSubsetOf): Deleted.
            (JSC::StructureSet::overlaps): Deleted.
            (JSC::StructureSet::singletonStructure): Deleted.
            (JSC::StructureSet::speculationFromStructures): Deleted.
            (JSC::StructureSet::arrayModesFromStructures): Deleted.
            (JSC::StructureSet::operator==): Deleted.
            (JSC::StructureSet::dumpInContext): Deleted.
            (JSC::StructureSet::dump): Deleted.
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
            * dfg/DFGTypeCheckHoistingPhase.cpp:
            (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
    
2014-07-22  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt on the EFL port after r171362.

        Build break because of -Werror=return-type

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::makesCalls):

2014-07-22  Joseph Pecoraro  <pecoraro@apple.com>

        JSLock release should only modify the AtomicStringTable if it modified in acquire
        https://bugs.webkit.org/show_bug.cgi?id=135143

        Reviewed by Pratik Solanki.

        * runtime/JSLock.cpp:
        (JSC::JSLock::willDestroyVM):
        (JSC::JSLock::willReleaseLock):
        Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeExitSiteData):

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        Merge r168635, r168780, r169005, r169014, and r169143 from ftlopt.

    2014-05-20  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG bytecode parser should turn GetById with nothing but a Getter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
            https://bugs.webkit.org/show_bug.cgi?id=133105
    
            Reviewed by Michael Saboff.
            
            - GetByIdStatus now knows about getters and can report intelligent things about them.
              As is usually the case with how we do these things, GetByIdStatus knows more about
              getters than the DFG can actually handle: it'll report details about polymorphic
              getter calls even though the DFG won't be able to handle those. This is fine; the DFG
              will see those statuses and bail to a generic slow path.
            
            - The DFG::ByteCodeParser now knows how to set up and do handleCall() for a getter call.
              This can, and usually does, result in inlining of getters!
            
            - CodeOrigin and OSR exit know about inlined getter calls. When you OSR out of an
              inlined getter, we set the return PC to a getter return thunk that fixes up the stack.
              We use the usual offset-true-return-PC trick, where OSR exit places the true return PC
              of the getter's caller as a phony argument that only the thunk knows how to find.
            
            - Removed a bunch of dead monomorphic chain support from StructureStubInfo.
            
            - A large chunk of this change is dragging GetGetterSetterByOffset, GetGetter, and
              GetSetter through the DFG and FTL. GetGetterSetterByOffset is like GetByOffset except
              that we know that we're returning a GetterSetter cell. GetGetter and GetSetter extract
              the getter, or setter, from the GetterSetter.
            
            This is a ~2.5x speed-up on the getter microbenchmarks that we already had. So far none
            of the "real" benchmarks exercise getters enough for this to matter. But I noticed that
            some of the variants of the Richards benchmark in other languages - for example
            Wolczko's Java translation of a C++ translation of Deutsch's Smalltalk version - use
            getters and setters extensively. So, I created a getter/setter JavaScript version of
            Richards and put it in regress/script-tests/getter-richards.js. That sees about a 2.4x
            speed-up from this patch, which is very reassuring.
    
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::printGetByIdCacheStatus):
            (JSC::CodeBlock::findStubInfo):
            * bytecode/CodeBlock.h:
            * bytecode/CodeOrigin.cpp:
            (WTF::printInternal):
            * bytecode/CodeOrigin.h:
            (JSC::InlineCallFrame::specializationKindFor):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeFor):
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::makesCalls):
            (JSC::GetByIdStatus::computeForChain): Deleted.
            * bytecode/GetByIdStatus.h:
            (JSC::GetByIdStatus::makesCalls): Deleted.
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::~GetByIdVariant):
            (JSC::GetByIdVariant::GetByIdVariant):
            (JSC::GetByIdVariant::operator=):
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::GetByIdVariant):
            (JSC::GetByIdVariant::callLinkStatus):
            * bytecode/PolymorphicGetByIdList.cpp:
            (JSC::GetByIdAccess::fromStructureStubInfo):
            (JSC::PolymorphicGetByIdList::from):
            * bytecode/SpeculatedType.h:
            * bytecode/StructureStubInfo.cpp:
            (JSC::StructureStubInfo::deref):
            (JSC::StructureStubInfo::visitWeakReferences):
            * bytecode/StructureStubInfo.h:
            (JSC::isGetByIdAccess):
            (JSC::StructureStubInfo::initGetByIdChain): Deleted.
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::addCall):
            (JSC::DFG::ByteCodeParser::handleCall):
            (JSC::DFG::ByteCodeParser::handleInlining):
            (JSC::DFG::ByteCodeParser::handleGetByOffset):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
            (JSC::DFG::ByteCodeParser::parse):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination):
            (JSC::DFG::CSEPhase::getInternalFieldLoadElimination):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination): Deleted.
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::linkFunction):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasStorageAccessData):
            * dfg/DFGNodeType.h:
            * dfg/DFGOSRExitCompilerCommon.cpp:
            (JSC::DFG::reifyInlinedCallFrames):
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * ftl/FTLAbstractHeapRepository.cpp:
            * ftl/FTLAbstractHeapRepository.h:
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLink.cpp:
            (JSC::FTL::link):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileGetGetter):
            (JSC::FTL::LowerDFGToLLVM::compileGetSetter):
            * jit/AccessorCallJITStubRoutine.h:
            * jit/JIT.cpp:
            (JSC::JIT::assertStackPointerOffset):
            (JSC::JIT::privateCompile):
            * jit/JIT.h:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_get_by_id):
            * jit/ThunkGenerators.cpp:
            (JSC::arityFixupGenerator):
            (JSC::baselineGetterReturnThunkGenerator):
            (JSC::baselineSetterReturnThunkGenerator):
            (JSC::arityFixup): Deleted.
            * jit/ThunkGenerators.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::setupArityCheckData):
            * tests/stress/exit-from-getter.js: Added.
            * tests/stress/poly-chain-getter.js: Added.
            (Cons):
            (foo):
            (test):
            * tests/stress/poly-chain-then-getter.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            * tests/stress/poly-getter-combo.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            (.test):
            * tests/stress/poly-getter-then-chain.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            * tests/stress/poly-getter-then-self.js: Added.
            (foo):
            (test):
            (.test):
            * tests/stress/poly-self-getter.js: Added.
            (foo):
            (test):
            (getter):
            * tests/stress/poly-self-then-getter.js: Added.
            (foo):
            (test):
            * tests/stress/weird-getter-counter.js: Added.
            (foo):
            (test):
    
    2014-05-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Factor out how CallLinkStatus uses exit site data
            https://bugs.webkit.org/show_bug.cgi?id=133042
    
            Reviewed by Anders Carlsson.
            
            This makes it easier to use CallLinkStatus from clients that are calling into after
            already holding some of the relevant locks. This is necessary because we use a "one lock
            at a time" policy for CodeBlock locks: if you hold one then you're not allowed to acquire
            any of the others. So, any code that needs to lock multiple CodeBlock locks needs to sort
            of lock one, do some stuff, release it, then lock another, and then do more stuff. The
            exit site data corresponds to the stuff you do while holding the baseline lock, while the
            CallLinkInfo method corresponds to the stuff you do while holding the CallLinkInfo owner's
            lock.
    
            * bytecode/CallLinkStatus.cpp:
            (JSC::CallLinkStatus::computeFor):
            (JSC::CallLinkStatus::computeExitSiteData):
            (JSC::CallLinkStatus::computeDFGStatuses):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::ExitSiteData::ExitSiteData):
    
    2014-05-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] InlineCallFrame::isCall should be an enumeration
            https://bugs.webkit.org/show_bug.cgi?id=133034
    
            Reviewed by Sam Weinig.
            
            Once we start inlining getters and setters, we'll want InlineCallFrame to be able to tell
            us that the inlined call was a getter call or a setter call. Initially I thought I would
            have a new field called "kind" that would have components NormalCall, GetterCall, and
            SetterCall. But that doesn't make sense, because for GetterCall and SetterCall, isCall
            would have to be true. Hence, It makes more sense to have one enumeration that is Call,
            Construct, GetterCall, or SetterCall. This patch is a first step towards this.
            
            It's interesting that isClosureCall should probably still be separate, since getter and
            setter inlining could inline closure calls.
    
            * bytecode/CodeBlock.h:
            (JSC::baselineCodeBlockForInlineCallFrame):
            * bytecode/CodeOrigin.cpp:
            (JSC::InlineCallFrame::dumpInContext):
            (WTF::printInternal):
            * bytecode/CodeOrigin.h:
            (JSC::InlineCallFrame::kindFor):
            (JSC::InlineCallFrame::specializationKindFor):
            (JSC::InlineCallFrame::InlineCallFrame):
            (JSC::InlineCallFrame::specializationKind):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
            * dfg/DFGOSRExitPreparation.cpp:
            (JSC::DFG::prepareCodeOriginForOSRExit):
            * runtime/Arguments.h:
            (JSC::Arguments::finishCreation):
    
    2014-05-13  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG should not exit due to inadequate profiling coverage when it can trivially fill in the profiling coverage due to variable constant inference and the better prediction modeling of typed array GetByVals
            https://bugs.webkit.org/show_bug.cgi?id=132896
    
            Reviewed by Geoffrey Garen.
            
            This is a slight win on SunSpider, but it's meant to ultimately help us on
            embenchen/lua. We already do well on that benchmark but our convergence is slower than
            I'd like.
    
            * dfg/DFGArrayMode.cpp:
            (JSC::DFG::ArrayMode::refine):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
    
    2014-05-08  Filip Pizlo  <fpizlo@apple.com>
    
            jsSubstring() should be lazy
            https://bugs.webkit.org/show_bug.cgi?id=132556
    
            Reviewed by Andreas Kling.
            
            jsSubstring() is now lazy by using a special rope that is a substring instead of a
            concatenation. To make this patch super simple, we require that a substring's base is
            never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
            path, or we go down a concatenation path which may see exactly one level of substrings in
            its fibers.
            
            This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
            
            Relanding this with assertion fixes.
    
            * heap/MarkedBlock.cpp:
            (JSC::MarkedBlock::specializedSweep):
            * runtime/JSString.cpp:
            (JSC::JSRopeString::visitFibers):
            (JSC::JSRopeString::resolveRopeInternal8):
            (JSC::JSRopeString::resolveRopeInternal16):
            (JSC::JSRopeString::clearFibers):
            (JSC::JSRopeString::resolveRope):
            (JSC::JSRopeString::resolveRopeSlowCase8):
            (JSC::JSRopeString::resolveRopeSlowCase):
            * runtime/JSString.h:
            (JSC::JSRopeString::finishCreation):
            (JSC::JSRopeString::append):
            (JSC::JSRopeString::create):
            (JSC::JSRopeString::offsetOfFibers):
            (JSC::JSRopeString::fiber):
            (JSC::JSRopeString::substringBase):
            (JSC::JSRopeString::substringOffset):
            (JSC::JSRopeString::notSubstringSentinel):
            (JSC::JSRopeString::substringSentinel):
            (JSC::JSRopeString::isSubstring):
            (JSC::JSRopeString::setIsSubstring):
            (JSC::jsSubstring):
            * runtime/RegExpMatchesArray.cpp:
            (JSC::RegExpMatchesArray::reifyAllProperties):
            * runtime/StringPrototype.cpp:
            (JSC::stringProtoFuncSubstring):
    
2014-07-21  Sam Weinig  <sam@webkit.org>

        [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
        https://bugs.webkit.org/show_bug.cgi?id=135148

        Reviewed by Geoffrey Garen.

        * runtime/CommonIdentifiers.h:
        Add a common identifier for the string "webkit".

2014-07-22  Filip Pizlo  <fpizlo@apple.com>

        ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
        https://bugs.webkit.org/show_bug.cgi?id=135155
        <rdar://problem/17763909>

        Reviewed by Oliver Hunt.
        
        The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
        contradiction, and that this is OK. In this case, we were speculating cell on an int.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        * tests/stress/regress-135155.js: Added.
        (run.t.length):
        (run):

2014-07-18  Filip Pizlo  <fpizlo@apple.com>

        Extend exception fuzzing to the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=135076

        Reviewed by Oliver Hunt.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITOperations.cpp:
        (JSC::numberOfExceptionFuzzChecks): Deleted.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * runtime/CommonSlowPaths.cpp:
        * runtime/ExceptionFuzz.cpp: Added.
        (JSC::numberOfExceptionFuzzChecks):
        (JSC::doExceptionFuzzing):
        * runtime/ExceptionFuzz.h: Added.
        (JSC::doExceptionFuzzingIfEnabled):

2014-07-21  Mark Lam  <mark.lam@apple.com>

        Refactor ArrayPrototype to use getLength() and putLength() utility functions.
        https://bugs.webkit.org/show_bug.cgi?id=135139.

        Reviewed by Oliver Hunt.

        - Specialize putProperty() to putLength() because it is only used for setting
          the length property.
        - Added a getLength() utility function to get the value of the length property.
        - Use these getLength() and putLength() functions instead of the existing code
          to get and put the length property.  Less code to read, easier to understand.

        * runtime/ArrayPrototype.cpp:
        (JSC::getLength):
        (JSC::putLength):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::putProperty): Deleted.

2014-07-21  Diego Pino Garcia  <dpino@igalia.com>

        new Int32Array(new ArrayBuffer(100), 1, 1) shouldn't throw an error that says "RangeError: Byte offset and length out of range of buffer"
        https://bugs.webkit.org/show_bug.cgi?id=125391

        Reviewed by Darin Adler.

        Create own method for verifying byte offset alignment.

        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::verifyByteOffsetAlignment):
        (JSC::ArrayBufferView::verifySubRangeLength):
        (JSC::ArrayBufferView::verifySubRange): Deleted.
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::GenericTypedArrayView<Adaptor>::create):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::create):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::create):

2014-07-20  Diego Pino Garcia  <dpino@igalia.com>

        ES6: Implement Math.sign()
        https://bugs.webkit.org/show_bug.cgi?id=134980

        Reviewed by Darin Adler.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncSign):

2014-07-18  Filip Pizlo  <fpizlo@apple.com>

        Exception fuzzing should work on iOS
        https://bugs.webkit.org/show_bug.cgi?id=135070

        Reviewed by Mark Hahnenberg.

        * tests/exceptionFuzz.yaml:

2014-07-18  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop build.

        * jsc.cpp:
        (jscmain):

2014-07-15  Filip Pizlo  <fpizlo@apple.com>

        Need ability to fuzz exception throwing
        https://bugs.webkit.org/show_bug.cgi?id=134945
        <rdar://problem/17722027>

        Reviewed by Sam Weinig.
        
        Adds the ability to instrument exception checks, and to force some random
        exception check to artificially throw an exception. Also adds new tests that
        are suitable for testing this. Note that this is closely tied to the Tools
        directory changes that are also part of this changeset.
        
        This also fixes an activation tear-off bug that arises if we ever throw an
        exception from operationOptimize, or if due to some other bug it's only due
        to the operationOptimize exception check that we realize that there is an
        exception to be thrown.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::fastExceptionCheck):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::callExceptionFuzz):
        (JSC::AssemblyHelpers::emitExceptionCheck):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITOperations.cpp:
        (JSC::numberOfExceptionFuzzChecks):
        * jit/JITOperations.h:
        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:
        * runtime/TestRunnerUtils.h:
        * tests/exceptionFuzz.yaml: Added.
        * tests/exceptionFuzz: Added.
        * tests/exceptionFuzz/3d-cube.js: Added.
        * tests/exceptionFuzz/date-format-xparb.js: Added.
        * tests/exceptionFuzz/earley-boyer.js: Added.

2014-07-17  David Kilzer  <ddkilzer@apple.com>

        SECTORDER_FLAGS should be defined in target's xcconfig file, not Base.xcconfig
        <http://webkit.org/b/135006>

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig: Move SECTORDER_FLAGS to
        JavaScriptCore.xcconfig.
        * Configurations/CompileRuntimeToLLVMIR.xcconfig: Remove empty
        SECTORDER_FLAGS definition.
        * Configurations/DebugRelease.xcconfig: Ditto.
        * Configurations/JavaScriptCore.xcconfig: Use $(CONFIGURATION)
        so SECTORDER_FLAGS is only set on Production builds.

2014-07-17  Juergen Ributzka  <juergen@apple.com>

        Disable live-out calculation for stackmap intrinsics.
        https://bugs.webkit.org/show_bug.cgi?id=134366

        The live-out variables are not required for the stackmaps, because we
        don't care about preserving the state when we perform destructive
        patching.

        Reviewed by Filip Pizlo.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-07-17  Joseph Pecoraro  <pecoraro@apple.com>

        Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html

        Rubber-stamped by Alexey Proskuryakov.

        Null / empty titles should be fine. Tests pass in release builds
        which allowed empty titles, and it looks like the LegacyProfiler
        stopProfiling handles empty titles as expected already.

        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::startProfiling):

2014-07-16  Filip Pizlo  <fpizlo@apple.com>

        DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
        https://bugs.webkit.org/show_bug.cgi?id=134988
        <rdar://problem/17706349>

        Reviewed by Oliver Hunt.
        
        Luckily, we also don't need this optimization to be super powerful: the only place
        where it really matters is for getting rid of the redundancy between op_enter and
        op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
        two things. This change updates the store eliminator to know about only that small,
        obviously safe, set of nodes over which we can store-eliminate.
        
        This shouldn't have any performance impact in the DFG because this optimization kicks
        in relatively rarely already. And once we tier up into the FTL, we get a much better
        store elimination over LLVM IR, so this really shouldn't matter at all.
        
        The tricky part of this patch is that there is a close relative of this optimization,
        for uncaptured variables that got flushed. This happens for arguments to inlined calls.
        I make this work by splitting it into two different store eliminators.
        
        Note that in the process of crafting the tests, I realized that we were incorrectly
        DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
        negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
        to a check node followed by the actual allocation.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
        (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
        * dfg/DFGNodeType.h:
        * tests/stress/capture-escape-and-throw.js: Added.
        (foo.f):
        (foo):
        * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
        (foo):
        (bar):

2014-07-15  Benjamin Poulain  <benjamin@webkit.org>

        Reduce the overhead of updating the AssemblerBuffer
        https://bugs.webkit.org/show_bug.cgi?id=134659

        Reviewed by Gavin Barraclough.

        In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
        That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
        there.

        On ARM, we use branch compaction and we need to keep the "compaction offset" somewher to be able
        to get the real address of a lable. That is done by reusing the memory of AssemblerData.

        To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
        a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
        to make clang give up a bunch of optimizations.

        This patch solve (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
        In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.

        Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
        the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData is a very
        specific way that would make it unusable for the Assembler.

        -- Technical details --

        From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writting anything
        into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
        To make this easier to work with, I changed all the assembler specific function to be static. This way we know
        exactly what code access the Assembler instance. The code that does access the instance is then moved
        at the beginning, before we modify anything.

        The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
        to LinkBuffer. This make the modification of AssemblerData completely explicit, and that code is specific
        to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).

        -- Perf impact --

        This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close.
        On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
        time by ~20%.

        I could not measure any difference on x86_64.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::jumpSizeDelta):
        (JSC::ARM64Assembler::canCompact):
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::recordLinkOffsets): Deleted.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ifThenElseConditionBit):
        (JSC::ARMv7Assembler::ifThenElse):
        (JSC::ARMv7Assembler::jumpSizeDelta):
        (JSC::ARMv7Assembler::canCompact):
        (JSC::ARMv7Assembler::computeJumpType):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::linkJumpT1):
        (JSC::ARMv7Assembler::linkJumpT3):
        (JSC::ARMv7Assembler::linkConditionalJumpT4):
        (JSC::ARMv7Assembler::linkConditionalBX):
        (JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerData::AssemblerData):
        (JSC::AssemblerData::operator=):
        (JSC::AssemblerData::~AssemblerData):
        (JSC::AssemblerData::buffer):
        (JSC::AssemblerData::capacity):
        (JSC::AssemblerData::grow):
        (JSC::AssemblerBuffer::AssemblerBuffer):
        (JSC::AssemblerBuffer::isAvailable):
        (JSC::AssemblerBuffer::data):
        (JSC::AssemblerBuffer::releaseAssemblerData):
        (JSC::AssemblerBuffer::putIntegral):
        (JSC::AssemblerBuffer::putIntegralUnchecked):
        (JSC::AssemblerBuffer::append):
        (JSC::AssemblerBuffer::grow):
        (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
        (JSC::AssemblerBuffer::storage): Deleted.
        * assembler/LinkBuffer.cpp:
        (JSC::recordLinkOffsets):
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::executableOffsetFor):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::canCompact):
        (JSC::MacroAssemblerARM64::computeJumpType):
        (JSC::MacroAssemblerARM64::jumpSizeDelta):
        (JSC::MacroAssemblerARM64::link):
        (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::canCompact):
        (JSC::MacroAssemblerARMv7::computeJumpType):
        (JSC::MacroAssemblerARMv7::jumpSizeDelta):
        (JSC::MacroAssemblerARMv7::link):
        (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.

2014-07-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Stores to PropertyTable use the Structure as the owner
        https://bugs.webkit.org/show_bug.cgi?id=134595

        Reviewed by Darin Adler.

        Since PropertyTable is the object that does the marking of these references, it should be the owner.

        Also removed some unused parameters to other methods that historically used the Structure as the owner.

        * runtime/JSPropertyNameIterator.h:
        (JSC::StructureRareData::setEnumerationCache):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::putSpecificValue):
        * runtime/Structure.h:
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        * runtime/StructureRareData.h:
        * runtime/StructureRareDataInlines.h:
        (JSC::StructureRareData::setPreviousID):
        (JSC::StructureRareData::setObjectToStringValue):

2014-07-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=134928

        Reviewed by Andreas Kling.

        * bytecode/CodeBlock.h:
        (JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.

2014-07-15  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Buildfix if LLINT_SLOW_PATH_TRACING is enabled
        https://bugs.webkit.org/show_bug.cgi?id=133790

        Reviewed by Mark Lam.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-07-14  Filip Pizlo  <fpizlo@apple.com>

        Allow for Int52Rep to see things other than Int32, and make this testable
        https://bugs.webkit.org/show_bug.cgi?id=134873
        <rdar://problem/17641915>

        Reviewed by Geoffrey Garen and Mark Hahnenberg.
        
        A major premise of our type inference is that prediction propagation can say whatever it
        wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
        We required some kind of agreement between prediction propagation and fixup over which
        data flow paths were Int52 and which weren't.
        
        It turns out that we basically had such an agreement, with the exception of code that was
        unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
        might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
        be a bug! Normally, we allow sloppiness in prediction propagation.
        
        This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
        ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
        int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
        empowered Int52Rep is actually correct - in case we end up using it on paths other than
        ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
        us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
        this intrinsic. This means that we're now stressing Int52Rep more so than ever before!
        
        Note that it would still be a bug for prediction propagation to ever cause us to create an
        Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
        a crash bug.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isMachineIntConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isMachineIntConstant):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertMachineInt):
        (JSC::DFG::SpeculativeJIT::speculateMachineInt):
        (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
        (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
        (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
        * jit/JITOperations.h:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionIdentity):
        * runtime/Intrinsic.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::tryConvertToInt52):
        (JSC::isInt52):
        (JSC::JSValue::isMachineInt):
        * tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-double-to-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-int32-to-int52.js: Added.
        (foo):
        * tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/dead-fiat-value-to-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52-then-fold.js: Added.
        (foo):
        * tests/stress/fiat-double-to-int52.js: Added.
        (foo):
        * tests/stress/fiat-int32-to-int52.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52-double-path.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52-then-fold.js: Added.
        (foo):
        * tests/stress/fiat-value-to-int52.js: Added.
        (foo):
        (bar):
        * tests/stress/int52-force-osr-exit-path.js: Added.
        (foo):

2014-07-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Flattening dictionaries with oversize backing stores can cause crashes
        https://bugs.webkit.org/show_bug.cgi?id=134906

        Reviewed by Filip Pizlo.

        The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB 
        of the CopiedBlock header. This was always the case except for when flattening a dictionary 
        caused the size of the Butterfly to decrease. This was equivalent to moving the base of the 
        Butterfly to higher addresses. If the object was reduced sufficiently in size, the base 
        would no longer be within the first 32 KB of the CopiedBlock and the next collection would 
        choke on the Butterfly pointer.

        This patch fixes this issue by detect this situation during flattening and memmove-ing 
        the Butterfly down to where the old base was.

        * runtime/JSObject.cpp:
        (JSC::JSObject::shiftButterflyAfterFlattening):
        * runtime/JSObject.h:
        (JSC::JSObject::butterflyPreCapacity):
        (JSC::JSObject::butterflyTotalSize):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
        * tests/stress/flatten-oversize-dictionary-object.js: Added.
        (foo):

2014-07-14  Benjamin Poulain  <benjamin@webkit.org>

        Remove some dead code from FTLJITFinalizer
        https://bugs.webkit.org/show_bug.cgi?id=134874

        Reviewed by Geoffrey Garen.

        Not sure what that code was for...but it does not do anything :)

        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        The pointer of the label is computed but never used.

        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        The label is never set to anything.

2014-07-14  Bear Travis  <betravis@adobe.com>

        [Feature Queries] Enable Feature Queries on Mac
        https://bugs.webkit.org/show_bug.cgi?id=134404

        Reviewed by Antti Koivisto.

        Enable Feature Queries on Mac and resume running the
        feature tests.

        * Configurations/FeatureDefines.xcconfig: Turn on
        ENABLE_CSS3_CONDITIONAL_RULES.

2014-07-11  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Debugger Pause button does not work
        https://bugs.webkit.org/show_bug.cgi?id=134785

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:
        * DerivedSources.make:
        Minification strips the sourceURL command. Add it back with minification.

2014-07-11  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enable DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=123615

        Reviewed by Mark Lam.

        When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
        the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
        Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
        since the register allocation differs on 64-bit Windows.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
        (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
        * jit/JIT.h:
        (JSC::JIT::appendCallWithSlowPathReturnType): Added method.
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
        (JSC::JIT::callOperation): Call new method.

2014-07-09  Benjamin Poulain  <benjamin@webkit.org>

        Use 16bits instructions for push/pop on ARMv7 when possible
        https://bugs.webkit.org/show_bug.cgi?id=134753

        Reviewed by Geoffrey Garen.

        The patch r170839 mixed the code for push/pop pair and single push/pop.
        That part was reverted in r170909.

        This patch puts the code back but specialized for single push/pop.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::pop):
        (JSC::ARMv7Assembler::push):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::pop):
        (JSC::MacroAssemblerARMv7::push):

2014-07-09  Brent Fulgham  <bfulgham@apple.com>

        [Win] Remove uses of 'bash' in build system
        https://bugs.webkit.org/show_bug.cgi?id=134782
        <rdar://problem/17615533>

        Reviewed by Dean Jackson.

        Remove uses of 'bash' by replacing Windows-specific bash scripts
        with Perl equivalents.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
        * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
        * JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
        * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
        * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:

2014-07-09  Brent Fulgham  <bfulgham@apple.com>

        [Win] Remove use of 'grep' in build steps
        https://bugs.webkit.org/show_bug.cgi?id=134770
        <rdar://problem/17608783>

        Reviewed by Tim Horton.

        Replace uses of the grep command in Windows builds with the equivalent
        Perl program.

        * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
        * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
        * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:

2014-07-08  Benjamin Poulain  <benjamin@webkit.org>

        Restore the assertion changed with 170839

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::pop):
        (JSC::ARMv7Assembler::push):
        Revert the Assembler part of 170839. The assertions do not match both encoding.

        I'll add specific version of push and pop instead.

2014-07-08  Jon Honeycutt  <jhoneycutt@apple.com>

        RemoteInspector::shared() should not call WTF::initializeMainThread()
        <https://bugs.webkit.org/show_bug.cgi?id=134747>
        <rdar://problem/17161482>

        Reviewed by Joseph Pecoraro.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::shared):
        Don't call WTF::initializeMainThread(). WTF threading is initialized by
        JSC::initializeThreading().

2014-07-08  Andreas Kling  <akling@apple.com>

        VM::lastCachedString should be a Strong, not a Weak.
        <https://webkit.org/b/134746>

        Using Weak<JSString> for this regressed some of our bindings perf tests
        due to Weak having to allocate a new WeakImpl every time the last cached
        string changed. Make it a Strong instead should make that problem go away.

        Reviewed by Geoffrey Garen.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):
        * runtime/VM.h:

2014-07-07  Benjamin Poulain  <bpoulain@apple.com>

        Fix the build after r170876

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):

2014-07-07  Benjamin Poulain  <benjamin@webkit.org>

        LinkBuffer should not keep a reference to the MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=134668

        Reviewed by Geoffrey Garen.

        In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
        When that happens, the pointer m_assembler points to released memory. That was not causing
        issues because the attribute is not used after linking, but that was not particularily
        future proof.

        This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
        as a reference, it is used for linking but no reference is ever stored with the LinkBuffer.

        While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
        everywhere. I refactored some #include to avoid that.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        * bytecode/Watchpoint.cpp:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::linkFunction):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGPlan.cpp:
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        (JSC::DFG::osrEntryThunkGenerator):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::generateICFastPath):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLJSCall.cpp:
        * ftl/FTLJSCall.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/ArityCheckFailReturnThunks.cpp:
        (JSC::ArityCheckFailReturnThunks::returnPCsFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITDisassembler.cpp:
        * jit/JITDisassembler.h:
        * jit/JITOpcodes.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterPreservationWrapper):
        (JSC::registerRestorationThunkGenerator):
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::linkForThunkGenerator):
        (JSC::linkClosureCallForThunkGenerator):
        (JSC::virtualForThunkGenerator):
        (JSC::nativeForGenerator):
        (JSC::arityFixup):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):

2014-07-07  Andreas Kling  <akling@apple.com>

        Fast path for jsStringWithCache() when asked for the same string repeatedly.
        <https://webkit.org/b/134635>

        Reviewed by Darin Adler.

        Follow-up to r170818 addressing a review comment by Geoff Garen.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):

2014-07-07  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(FTL_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134680

        Reviewed by Darin Adler.

        * ftl/FTLDWARFDebugLineInfo.cpp:
        * ftl/FTLDWARFDebugLineInfo.h:
        * ftl/FTLGeneratedFunction.h:

2014-07-07  Zan Dobersek  <zdobersek@igalia.com>

        Enable ARMv7 disassembler for the GTK port
        https://bugs.webkit.org/show_bug.cgi?id=134676

        Reviewed by Benjamin Poulain.

        * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
        * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().

2014-07-06  Benjamin Poulain  <benjamin@webkit.org>

        [ARMv7] Use 16 bits instructions for push/pop when possible
        https://bugs.webkit.org/show_bug.cgi?id=134656

        Reviewed by Andreas Kling.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::pop):
        (JSC::ARMv7Assembler::push):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
        Add the 16 bits version of push and pop.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::pop):
        (JSC::MacroAssemblerARMv7::push):
        Use the new push/pop instead of a regular load/store.

        * disassembler/ARMv7/ARMv7DOpcode.cpp:
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
        * disassembler/ARMv7/ARMv7DOpcode.h:
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
        Fix the disassembler for push/pop:
        -The register mask was on 7 bits for some reason.
        -The code printing the registers was comparing a register ID with a register
         mask.

2014-07-06  Yoav Weiss  <yoav@yoav.ws>

        Turn on img@sizes compile flag
        https://bugs.webkit.org/show_bug.cgi?id=134634

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.

2014-07-06  Daewoong Jang  <daewoong.jang@navercorp.com>

        Flags value of SourceCodeKey should be unique for each case.
        https://bugs.webkit.org/show_bug.cgi?id=134435

        Reviewed by Darin Adler.

        Different combinations of CodeType and JSParserStrictness could generate same m_flags value because
        the value of CodeType and the value of JSParserStrictness shares a bit inside m_flags member variable.
        Shift the value of CodeType one bit farther to the left so those values don't overlap.

        * runtime/CodeCache.h:
        (JSC::SourceCodeKey::SourceCodeKey):

2014-07-04  Andreas Kling  <akling@apple.com>

        Fast path for jsStringWithCache() when asked for the same string repeatedly.
        <https://webkit.org/b/134635>

        Also moved the whole thing from WebCore to JavaScriptCore since it
        makes more sense here, and inline the lightweight checks, leaving only
        the hashmap stuff out of line.

        Reviewed by Darin Adler.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):
        * runtime/JSString.h:
        (JSC::jsStringWithCache):
        * runtime/VM.h:

2014-07-03  Daniel Bates  <dabates@apple.com>

        Add WTF::move()
        https://bugs.webkit.org/show_bug.cgi?id=134500

        Rubber-stamped by Anders Carlsson.

        Substitute WTF::move() for std::move().

        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        * heap/HeapInlines.h:
        [...]

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        SSA DCE should process blocks in forward order
        https://bugs.webkit.org/show_bug.cgi?id=134611

        Reviewed by Andreas Kling.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
        (foo):

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        JSActivation::symbolTablePut() should invalidate variable watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=134602

        Reviewed by Oliver Hunt.
        
        Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
        during linking - we essentially assume that if it's at all possible for an inner function to store to a
        variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
        JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
        JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
        duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
        (.):

2014-07-01  Mark Lam  <mark.lam@apple.com>

        Debugger's breakpoint list should not be a Vector.
        <https://webkit.org/b/134514>

        Reviewed by Geoffrey Garen.

        The debugger currently stores breakpoint data as entries in a Vector (see
        BreakpointsInLine).  It also keeps a fast map look up of breakpoint IDs to
        the breakpoint data (see m_breakpointIDToBreakpoint).  Because a Vector can
        compact or reallocate its backing store, this can causes all sorts of havoc.
        The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
        move in memory.

        The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
        doubly linked list.

        * debugger/Breakpoint.h:
        (JSC::Breakpoint::Breakpoint):
        (JSC::BreakpointsList::~BreakpointsList):
        * debugger/Debugger.cpp:
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        * debugger/Debugger.h:

2014-06-30  Michael Saboff  <msaboff@apple.com>

        Add option to run-jsc-stress-testes to filter out tests that use large heaps
        https://bugs.webkit.org/show_bug.cgi?id=134458

        Reviewed by Filip Pizlo.

        Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.

        * tests/mozilla/mozilla-tests.yaml:

2014-06-30  Daniel Bates  <dabates@apple.com>

        Avoid copying closed variables vector; actually use move semantics

        Rubber-stamped by Oliver Hunt.

        Currently we always copy the closed variables vector passed by Parser::closedVariables()
        to ProgramNode::setClosedVariables() because these member functions return and take a const
        rvalue reference, respectively. Instead, these member functions should take an return a non-
        constant rvalue reference so that we actually move the closed variables vector from the Parser
        object to the Node object.

        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
        * parser/Nodes.h:
        (JSC::ScopeNode::setClosedVariables): Ditto.
        * parser/Parser.h:
        (JSC::Parser::closedVariables): Remove const qualifier on return type.
        (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
        because Parser::closedVariables() returns an rvalue reference.

2014-06-30  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
        https://bugs.webkit.org/show_bug.cgi?id=134371

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h:
        * API/JSContext.mm:
        (-[JSContext _debuggerRunLoop]):
        (-[JSContext _setDebuggerRunLoop:]):
        Private API for setting the CFRunLoop for a debugger to evaluate in.
        
        * API/JSContextRefInternal.h: Added.
        * API/JSContextRef.cpp:
        (JSGlobalContextGetDebuggerRunLoop):
        (JSGlobalContextSetDebuggerRunLoop):
        Internal API for setting a CFRunLoop on a JSContextRef.
        Set this on the debuggable.
        
        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        Moved into the header.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorDebuggable):
        Lets store the RunLoop on the debuggable instead of this core
        platform agnostic class, so expose the debuggable.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorHandleRunSourceGlobal):
        (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
        (Inspector::RemoteInspectorInitializeGlobalQueue):
        Rename the global functions for clarity.

        (Inspector::RemoteInspectorHandleRunSourceWithInfo):
        Handler for private run loops.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
        Setup and teardown and use private run loop sources if the debuggable needs it.

2014-06-30  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(DFG_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134444

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        * dfg/DFGFunctionWhitelist.h:

2014-06-29  Yoav Weiss  <yoav@yoav.ws>

        Add support for HTMLImageElement's sizes attribute
        https://bugs.webkit.org/show_bug.cgi?id=133620

        Reviewed by Dean Jackson.

        Added an ENABLE_PICTURE_SIZES compile flag.

        * Configurations/FeatureDefines.xcconfig:

2014-06-27  Filip Pizlo  <fpizlo@apple.com>

        Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
        https://bugs.webkit.org/show_bug.cgi?id=134412

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
        (foo):
        (bar):
        (baz):

2014-06-27  Peyton Randolph  <prandolph@apple.com>

         Add feature flag for link long-press gesture.                                                                   
         https://bugs.webkit.org/show_bug.cgi?id=134262                                                                  
                                                                                                                         
         Reviewed by Enrica Casucci.                                                                                     
                                                                                                                         
         * Configurations/FeatureDefines.xcconfig:                                                                       
         Add ENABLE_LINK_LONG_PRESS. 

2014-06-27  László Langó  <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] FTL buildfix for EFL platform.
        https://bugs.webkit.org/show_bug.cgi?id=133546

        Reviewed by Darin Adler.

        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::opposite):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Constant::dump):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-06-26  Benjamin Poulain  <benjamin@webkit.org>

        iOS 8 beta 2 ES6 'Set' clear() broken
        https://bugs.webkit.org/show_bug.cgi?id=134346

        Reviewed by Oliver Hunt.

        The object map was not cleared :(.

        Kudos to Ashley Gullen for tracking this and making a regression test.
        Credit to Oliver for finding the missing code.

        * runtime/MapData.h:
        (JSC::MapData::clear):

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Expose Cache Information to WinLauncher
        https://bugs.webkit.org/show_bug.cgi?id=134318

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
        MemoryStatistics files to the WIndows build.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-06-26  David Kilzer  <ddkilzer@apple.com>

        DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
        <http://webkit.org/b/134343>
        <rdar://problem/17459487>

        Reviewed by Michael Saboff.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        Close the file handle, and log an error on failure.

2014-06-25  Dana Burkart  <dburkart@apple.com>

        Add support for 5-tuple versioning.

        Reviewed by David Farler.

        * Configurations/Version.xcconfig:

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Build fix.

        Unreviewed.

        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
        constant since that constant doesn't exist anymore.

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r166876.

        Caused some ECMA test262 failures

        Reverted changeset:

        "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
        https://bugs.webkit.org/show_bug.cgi?id=131248
        http://trac.webkit.org/changeset/166876

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
        put various files in proper IDE categories.

2014-06-25  peavo@outlook.com  <peavo@outlook.com>

        [Win64] ASM LLINT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=130638

        This patch adds a new LLINT assembler backend for Win64, and implements it.
        It makes adjustments to follow the Win64 ABI spec. where it's found to be needed.
        Also, LLINT and JIT is enabled for Win64.

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
        * assembler/MacroAssemblerX86_64.h: 
        (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
        * jit/JITStubsMSVC64.asm: Added.
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub): Compile fix.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator): Follow Win64 ABI spec.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Ditto.
        * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
        * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
        * llint/LowLevelInterpreter64.asm: Ditto.
        * offlineasm/asm.rb: Compile fix.
        * offlineasm/backends.rb: Add new llint backend for Win64.
        * offlineasm/settings.rb: Compile fix.
        * offlineasm/x86.rb: Implement new llint Win64 backend.

2014-06-25  Laszlo Gombos  <l.gombos@samsung.com>

        Remove build guard for progress element
        https://bugs.webkit.org/show_bug.cgi?id=134292

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2014-06-24  Michael Saboff  <msaboff@apple.com>

        Add support routines to provide descriptive JavaScript backtraces
        https://bugs.webkit.org/show_bug.cgi?id=134278

        Reviewed by Mark Lam.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dump):
        (JSC::CallFrame::describeFrame):
        * interpreter/CallFrame.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace):
        * runtime/JSCJSValue.h:

2014-06-24  Brady Eidson  <beidson@apple.com>

        Enable GAMEPAD in the Mac build, but disabled at runtime.
        https://bugs.webkit.org/show_bug.cgi?id=134255

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
          functions at runtime.

2014-06-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
        https://bugs.webkit.org/show_bug.cgi?id=134046

        Reviewed by Filip Pizlo.

        * runtime/GetterSetter.h:
        (JSC::asGetterSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
        a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
        and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.

2014-06-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] MSVC mishandles enums in bitfields
        https://bugs.webkit.org/show_bug.cgi?id=134237

        Reviewed by Michael Saboff.

        Replace uses of enum types in bit fields with unsigned to
        avoid losing a bit to hold the sign value. This can result
        in Windows interpreting the value of the field improperly.

        * bytecode/StructureStubInfo.h:
        * parser/Nodes.h:

2014-06-23  Andreas Kling  <akling@apple.com>

        Inline the UnlinkedInstructionStream::Reader logic.
        <https://webkit.org/b/134203>

        This class is only used by CodeBlock to unpack the unlinked instructions,
        and we were spending 0.5% of total time on PLT calling Reader::next().
        Move the logic to the header file and mark it ALWAYS_INLINE.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):

2014-06-20  Sam Weinig  <sam@webkit.org>

        Remove static tables for bindings that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=134126

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        * runtime/Structure.h:
        (JSC::Structure::setHasCustomGetterSetterProperties):
        Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
        the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
        Without this, JSObject::put() won't think there are any setters on the prototype chain of an
        object that has no static lookup table and uses eagerly reified custom getter/setter properties.

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Move some implementation files into a "deprecated" subdirectory.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170244.
        https://bugs.webkit.org/show_bug.cgi?id=134157

        GTK/EFL bindings generator works differently, making this
        patch not work there.  Will fix entire patch after a rollout.
        (Requested by bradee-oh on #webkit).

        Reverted changeset:

        "Gamepad API - Deprecate the existing implementation"
        https://bugs.webkit.org/show_bug.cgi?id=134108
        http://trac.webkit.org/changeset/170244

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Add the "Deprecated" suffix to some implementation files

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20  Andreas Kling  <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19  Alex Christensen  <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::ensureCapacityFor):
        (JSC::JSStack::topOfFrameFor):
        (JSC::JSStack::setStackLimit):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC::LLInt::Data::performAssertions): Deleted.
        * llint/LLIntEntrypoint.cpp:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::sanitizeStackForVM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Add FTL to Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=134015

        Reviewed by Filip Pizlo.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Added ftl source files.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        Added ftl and llvm directories to include path.
        * JavaScriptCore.vcxproj/libllvmForJSC: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        MSVC doesn't like to divide by zero while compiling.  Use std::nan instead.
        * llvm/InitializeLLVMWin.cpp: Added.
        (JSC::initializeLLVMImpl):
        Implemented dynamic loading and linking for Windows.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Unreviewed build fix after r170107.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Use non-template sub for armv7s.

2014-06-18  David Kilzer  <ddkilzer@apple.com>

        -[JSContext setName:] leaks NSString
        <http://webkit.org/b/134038>

        Reviewed by Joseph Pecoraro.

        Fixes the following static analyzer warning:

            JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
                JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
                                                                                    ^

        * API/JSContext.mm:
        (-[JSContext setName:]): Autorelease the copy of |name|.

2014-06-18  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, size
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Remove duplicate code using sdiv.
        https://bugs.webkit.org/show_bug.cgi?id=133764

        Reviewed by Daniel Bates.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sdiv):
        Make sdiv a template to match arm64.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Remove duplicate code that was identical except for sdiv not being a template.

2014-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170082.
        https://bugs.webkit.org/show_bug.cgi?id=134006

        Breaks build. (Requested by mlam on #webkit).

        Reverted changeset:

        "DFGGraph::m_doubleConstantMap will not map 0 values
        correctly."
        https://bugs.webkit.org/show_bug.cgi?id=133994
        http://trac.webkit.org/changeset/170082

2014-06-17  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, size
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-17  Oliver Hunt  <oliver@apple.com>

        Fix error messages for incorrect hex literals
        https://bugs.webkit.org/show_bug.cgi?id=133998

        Reviewed by Mark Lam.

        Ensure that the error messages for bogus hex literals actually
        make sense.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/ParserTokens.h:

2014-06-17  Matthew Mirman  <mmirman@apple.com>

        Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses. 
        https://bugs.webkit.org/show_bug.cgi?id=133814

        Reviewed by Filip Pizlo.
        
        Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell 
        script from using "*.o" as a file when no other files in the directory exist. 
        
        * build-symbol-table-index.sh: Added license.
        * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.

2014-06-16  Sam Weinig  <sam@webkit.org>

        Move forward declaration of bindings static functions into their implementation files
        https://bugs.webkit.org/show_bug.cgi?id=133943

        Reviewed by Geoffrey Garen.

        * runtime/CommonIdentifiers.h:
        Add a few identifiers that are needed by the DOM.

2014-06-16  Mark Lam  <mark.lam@apple.com>

        Parser statementDepth accounting needs to account for when a function body excludes its braces.
        <https://webkit.org/b/133832>

        Reviewed by Oliver Hunt.

        In some cases (e.g. when a Function object is instantiated from a string), the
        function body source may not include its braces.  The parser needs to account
        for this when calculating its statementDepth.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        - Also fixed the error message for declaring nested functions in strict mode
          to be more accurate.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Change the order of the alias analysis passes to align with the opt pipeline of LLVM
        https://bugs.webkit.org/show_bug.cgi?id=133753

        Reviewed by Geoffrey Garen.

        The order in which the alias analysis passes are added affects also the
        order in which they are utilized. Change the order to align with the
        one use by LLVM itself. The last alias analysis pass added will be
        evaluated first. With this change we first perform a basic alias
        analysis and then use the type-based alias analysis (if required).

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Fix the arguments passed to the LLVM dylib
        https://bugs.webkit.org/show_bug.cgi?id=133757

        Reviewed by Geoffrey Garen.

        The LLVM command line argument parser assumes that the first argument
        is the program name. We need to add a fake program name, otherwise the
        first argument will be parsed as program name and ignored.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-06-16  Michael Saboff  <msaboff@apple.com>

        Convert ASSERT in inlineFunctionForCapabilityLevel to early return
        https://bugs.webkit.org/show_bug.cgi?id=133903

        Reviewed by Mark Hahnenberg.

        Hardened code by Converting ASSERT to return CannotCompile.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::inlineFunctionForCapabilityLevel):

2014-06-13  Sam Weinig  <sam@webkit.org>

        Store DOM constants directly in the JS object rather than jumping through a custom accessor
        https://bugs.webkit.org/show_bug.cgi?id=133898

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::HashTableValue::attributes):
        Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
        and will make adding more flags possibles.

        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        Change assertion to use BuiltinOrFunctionOrConstant.

        (JSC::HashTableValue::constantInteger):
        Added.

        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        Use PropertySlot::setValue() for constants during static lookup.

        (JSC::reifyStaticProperties):
        Put the constant directly on the object when eagerly reifying.

        * runtime/PropertySlot.h:
        Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.

2014-06-14  Michael Saboff  <msaboff@apple.com>

        operationCreateArguments could cause a GC during OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=133905

        Reviewed by Filip Pizlo.

        Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
        for use by OSR exit stubs.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
        https://bugs.webkit.org/show_bug.cgi?id=133880

        Reviewed by Filip Pizlo.

        We could have exited due to a value received from an inlined block that's no longer on 
        the stack, so we should just barrier all InlineCallFrames.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):

2014-06-13  Alex Christensen  <achristensen@webkit.org>

        Make css jit compile for armv7.
        https://bugs.webkit.org/show_bug.cgi?id=133596

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssembler.h:
        Use branchPtr on ARM_THUMB2.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::addPtrNoFlags):
        (JSC::MacroAssemblerARMv7::or32):
        (JSC::MacroAssemblerARMv7::test32):
        (JSC::MacroAssemblerARMv7::branch):
        (JSC::MacroAssemblerARMv7::branchPtr):
        Added macros necessary for css jit.

2014-06-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix ARMv7.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):

2014-06-12  Filip Pizlo  <fpizlo@apple.com>

        Even better diagnostics from DFG traps
        https://bugs.webkit.org/show_bug.cgi?id=133836

        Reviewed by Oliver Hunt.
        
        We now stuff the DFG::NodeType into a register before bailing. Also made the
        DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
        different numbers than any previous abort reasons.

        * assembler/AbortReason.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:

2014-06-12  Simon Fraser  <simon.fraser@apple.com>

        Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
        https://bugs.webkit.org/show_bug.cgi?id=133840

        Reviewed by Filip Pizlo.
        
        Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
        when running DFG tests.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):

2014-06-12  Brent Fulgham  <bfulgham@apple.com>

        [Win] Avoid fork bomb during build
        https://bugs.webkit.org/show_bug.cgi?id=133837
        <rdar://problem/17296034>

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
        reasonable default value when the 'num-cpus' script is not available.

2014-06-12  Mark Lam  <mark.lam@apple.com>

        Remove some dead / unused code.
        <https://webkit.org/b/133828>

        Reviewed by Filip Pizlo.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/Parser.h:
        (JSC::DepthManager::DepthManager): Deleted.
        (JSC::DepthManager::~DepthManager): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):

2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move structureHasRareData out of TypeInfo
        https://bugs.webkit.org/show_bug.cgi?id=133800

        Reviewed by Andreas Kling.

        StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, 
        but we have a few spare bits in Structure so it would be nice to remove this hack.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
        (JSC::TypeInfo::structureHasRareData): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        * runtime/Structure.h:
        (JSC::Structure::previousID):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::enumerationCache):

2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow enum guards to be generated from the replay json files
        https://bugs.webkit.org/show_bug.cgi?id=133399

        Reviewed by Csaba Osztrogonác.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.__init__):
        (InputsModel.parse_type_with_framework_name):
        (Generator.generate_header):
        (Generator.generate_implementation):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
        (Test::HandleWheelEvent::HandleWheelEvent):
        (Test::HandleWheelEvent::~HandleWheelEvent):
        (JSC::InputTraits<Test::HandleWheelEvent>::type):
        (JSC::InputTraits<Test::HandleWheelEvent>::encode):
        (JSC::InputTraits<Test::HandleWheelEvent>::decode):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
        (JSC::InputTraits<Test::HandleWheelEvent>::queue):
        (Test::HandleWheelEvent::platformEvent):
        * replay/scripts/tests/generate-enum-with-guard.json: Added.

2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix GTK+ build after r169823.

        Include StructureInlines.h in a few more files to fix linking
        issues due to JSC::Structure::get undefined symbol.

        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] One more URTBF after r169823 to make ARM64 build happy too.

        * runtime/JSMap.cpp:

2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching should try to flatten uncacheable dictionaries
        https://bugs.webkit.org/show_bug.cgi?id=133683

        Reviewed by Geoffrey Garen.

        There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), 
        which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. 
        If properties are deleted out of the object during its initialization, we can enable caching for that object by 
        attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we 
        performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary 
        state then we can just give up on caching that object.

        In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
        the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
        the other inline caching functions to return this enum rather than the opaque booleans that we were previously 
        returning.

        * jit/Repatch.cpp:
        (JSC::actionForCell):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::buildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::buildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::repatchIn):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::flattenDictionaryStructure):
        * runtime/Structure.h:
        (JSC::Structure::hasBeenFlattenedBefore):

2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] URTBF after r169823.

        * bindings/ScriptValue.cpp: Missing include added.

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.

        Rubber-stamped by Andreas Kling.

        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Turning on DUMP_PROPERTYMAP_STATS causes a build failure
        https://bugs.webkit.org/show_bug.cgi?id=133673

        Reviewed by Andreas Kling.

        Rewrote the property map statistics code because the old code wasn't building,
        and it was also mixing numbers for lookups and insertions/removals.

        New logging code records the number of calls to PropertyTable::find (finds) and
        PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
        the number of probing during updates and lookups.

        * jsc.cpp:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        (JSC::PropertyTable::add):
        (JSC::PropertyTable::remove):
        (JSC::PropertyTable::reinsert):
        (JSC::PropertyTable::rehash):
        * runtime/Structure.cpp:
        (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
        (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):

2014-06-11  Andreas Kling  <akling@apple.com>

        Always inline JSValue::get() and Structure::get().
        <https://webkit.org/b/133755>

        Reviewed by Ryosuke Niwa.

        These functions get really hot, so ask the compiler to be more
        aggressive about inlining them.

        ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
        through GetByVal.

        * runtime/JSArrayIterator.cpp:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Rubber-stamped by Andreas Kling.

        Make materializePropertyMapIfNecessary always inline.

        This is ~12% improvement on the microbenchmark attached in the bug.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Reviewed by Geoffrey Garen.

        DeferGC instances in Structure::get was added in http://trac.webkit.org/r157539 in order to avoid
        collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
        when GCSafeConcurrentJITLocker goes out of scope.

        However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
        in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
        and running a release assertion inside Heap::incrementDeferralDepth() is expensive.

        Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
        and immediately storing a pointer to the newly created property table in the stack before DeferGC
        goes out of scope so that the property table will be marked.

        This shows 13-16% improvement on the microbenchmark attached in the bug.

        * runtime/JSCJSValue.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Andreas Kling  <akling@apple.com>

        Some JSValue::get() micro-optimzations.
        <https://webkit.org/b/133739>

        Tighten some of the property lookup code to improve performance of the
        eagerly reified prototype attributes:

        - Instead of converting the property name to an integer at every step
          in the prototype chain, move that to a separate pass at the end
          since it should be a rare case.

        - Cache the StructureIDTable in a local instead of fetching it from
          the Heap on every step.

        - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
          on the assumption that clients would mostly be cacheable GetByIds,
          and it gets pretty hot (~1%) in GetByVal.

        - Pass the Structure directly to fillCustomGetterPropertySlot instead
          of refetching it from the StructureIDTable.

        Reviewed by Geoff Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.

2014-06-10  Sam Weinig  <sam@webkit.org>

        Don't create a HashTable for JSObjects that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=133705

        Reviewed by Geoffrey Garen.

        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        Add a version of reifyStaticProperties that takes an array of HashTableValues
        rather than a HashTable.

2014-06-10  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
        https://bugs.webkit.org/show_bug.cgi?id=133698

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        (JSC::DFG::VariableAccessData::flushFormat):
        * dfg/DFGVariableAccessData.h:
        * tests/stress/int52-inlined-call-argument.js: Added.
        (foo):
        (bar):

2014-06-10  Mark Lam  <mark.lam@apple.com>

        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
        <https://webkit.org/b/133356>

        Reviewed by Mark Hahnenberg.

        The root cause of this issue is that a nonPropertyTransition can transition
        a pinned dictionary structure to an unpinned dictionary structure.  The new
        structure will get a copy of the property table from the original structure.
        However, when a GC occurs, the property table in the new structure will be
        cleared because it is unpinned.  This leads to complications in subsequent
        derivative structures when flattening occurs, which eventually leads to the
        assertion failure in this bug.

        The fix is to ensure that the new dictionary structure generated by the
        nonPropertyTransition will have a copy of its predecessor's property table
        and is pinned.

        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):

2014-06-10  Michael Saboff  <msaboff@apple.com>

        In a certain app state, Array.prototype.filter() returns incorrect results
        https://bugs.webkit.org/show_bug.cgi?id=133577

        Reviewed by Oliver Hunt.

        Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Global HashTables contain references to atomic StringImpls
        https://bugs.webkit.org/show_bug.cgi?id=133661

        Reviewed by Geoffrey Garen.

        This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables 
        cache their set of keys as StringImpls that are associated with a particular VM.  This is obviously 
        incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to 
        change the "keys" field of the static HashTables to be char** instead of StringImpl**.

        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/Lookup.h:
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::entry):

2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix after r169703

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Eagerly reify DOM prototype attributes
        https://bugs.webkit.org/show_bug.cgi?id=133558

        Reviewed by Oliver Hunt.

        This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype. 
        By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override 
        getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on 
        DOM wrappers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        * runtime/CustomGetterSetter.cpp: Added.
        (JSC::callCustomSetter):
        * runtime/CustomGetterSetter.h: Added.
        (JSC::CustomGetterSetter::create):
        (JSC::CustomGetterSetter::getter):
        (JSC::CustomGetterSetter::setter):
        (JSC::CustomGetterSetter::createStructure):
        (JSC::CustomGetterSetter::CustomGetterSetter):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isCustomGetterSetter):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isCustomGetterSetter):
        (JSC::JSCell::canUseFastGetOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
        (JSC::JSFunction::isBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::convertToDictionary):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/JSType.h:
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::PropertyDescriptor):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::nextOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::get): Deleted.
        * runtime/Structure.h:
        (JSC::Structure::hasCustomGetterSetterProperties):
        (JSC::Structure::setHasCustomGetterSetterProperties):
        * runtime/StructureInlines.h:
        (JSC::Structure::get): Inlined due to hotness.
        (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):

2014-06-07  Mark Lam  <mark.lam@apple.com>

        Structure should initialize its previousID in its constructor.
        <https://webkit.org/b/133606>

        Reviewed by Mark Hahnenberg.

        Currently, the Structure constructor that takes a previous structure will
        initialize its previousID to point to the previous structure's previousID.
        This is incorrect.  However, the caller of the Structure::create() factory
        method (which instantiated the Structure) will later call setPreviousID()
        to set the previousID to the correct previous structure.  This makes the
        code confusing to read and more error prone in that the structure relies
        on client code to fix its invalid previousID.

        This patch fixes this by making the Structure constructor initialize
        previousID correctly.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::create):

2014-06-06  Andreas Kling  <akling@apple.com>

        Indexed getters should return values directly on the PropertySlot.
        <https://webkit.org/b/133586>

        Remove PropertySlot's custom index mode.

        Reviewed by Darin Adler.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustomIndex): Deleted.

2014-06-04  Timothy Horton  <timothy_horton@apple.com>

        iOS Debug build fix

        Rubber-stamped by Filip Pizlo.

        * Configurations/LLVMForJSC.xcconfig:
        Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.

2014-06-04  Oliver Hunt  <oliver@apple.com>

        ArrayIterator should not be exposed in Safari 8
        https://bugs.webkit.org/show_bug.cgi?id=133494

        Reviewed by Michael Saboff.

        Separate out types that require constructor objects, and don't
        include the iterator types in that list.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:

2014-06-04  Filip Pizlo  <fpizlo@apple.com>

        DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
        https://bugs.webkit.org/show_bug.cgi?id=133525
        <rdar://problem/16790296>

        Reviewed by Oliver Hunt.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::begin):

2014-06-03  Filip Pizlo  <fpizlo@apple.com>

        LLVM soft-linking should be truly fail-silent
        https://bugs.webkit.org/show_bug.cgi?id=133482

        Reviewed by Mark Lam.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.

2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests poperly on non-x86 Darwin platforms
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.

2014-05-31  Anders Carlsson  <andersca@apple.com>

        Add a LazyNeverDestroyed class template and use it
        https://bugs.webkit.org/show_bug.cgi?id=133425

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        * dfg/DFGFunctionWhitelist.h:

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
        https://bugs.webkit.org/show_bug.cgi?id=133368

        Reviewed by Mark Lam.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
        * tests/stress/new-array-dead.js: Added.
        (foo):

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix not-x86 32-bit.

        * llint/LowLevelInterpreter32_64.asm:

2014-05-27  Filip Pizlo  <fpizlo@apple.com>

        Arrayify neglects to inform the clobberizer that it might fire watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=133340

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Be honest.
        * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
        * tests/stress/arrayify-fires-watchpoint.js: Added.
        (foo):
        (test):
        (makeObjectArray):
        * tests/stress/arrayify-structure-bad-test.js: Added.
        (foo):
        (test):

2014-05-27  Jon Lee  <jonlee@apple.com>

        Update ENABLE(MEDIA_SOURCE) on Mac
        https://bugs.webkit.org/show_bug.cgi?id=133141

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove BLOB guards
        https://bugs.webkit.org/show_bug.cgi?id=132863

        Reviewed by Csaba Osztrogonác.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow building CMake based ports with WEB_REPLAY
        https://bugs.webkit.org/show_bug.cgi?id=133154

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-25  Filip Pizlo  <fpizlo@apple.com>

        Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
        https://bugs.webkit.org/show_bug.cgi?id=133136

        Reviewed by Oliver Hunt.
        
        Some key concepts:

        - Except for the prediction propagation and type fixup phases, which are super early in
          the pipeline, nobody has to know about the fact that booleans may flow into numerical
          operations because there will just be a BooleanToNumber node that will take a value
          and, if that value is a boolean, will convert it to the equivalent numerical value. It
          will have a BooleanUse mode where it will also speculate that the input is a boolean
          but it can also do UntypedUse in which case it will pass through any non-booleans.
          This operation is very easy to model in all of the compiler tiers.

        - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
          inputs require taking the slow path and it will still report that it took slow path
          for any such operations.  The DFG will now be smart enough to ignore baseline JIT slow
          path profiling on operations that were known to have had boolean inputs.  That's a
          little quirky, but it's probably easier than modifying the baseline JIT to track
          booleans correctly.
        
        4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32OrBooleanSpeculation):
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationExpectingDefined):
        (JSC::isInt52Speculation):
        (JSC::isMachineIntSpeculation):
        (JSC::isFullNumberOrBooleanSpeculation):
        (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
        (JSC::isInt32SpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationForArithmetic): Deleted.
        (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
        (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAllocator.h:
        (JSC::DFG::Allocator<T>::indexOf):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
        (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateInt32):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::sawBooleans):
        (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
        (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateMachineInt):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
        (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::canSpeculateInt32):
        (JSC::DFG::Node::canSpeculateInt52):
        (JSC::DFG::Node::sourceFor):
        (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeMayNegZero):
        (JSC::DFG::nodeCanSpeculateInt32):
        (JSC::DFG::nodeCanSpeculateInt52):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::asInt32ForArithmetic):
        * tests/stress/max-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/mul-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-double.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-int.js: Added.
        (foo):
        (test):

2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Remove dead code from VM.cpp
        https://bugs.webkit.org/show_bug.cgi?id=133284

        Reviewed by Darin Adler.

        This workaround was added in r127505. Since the clang is the
        only used compiler in this case, this workaround is obsolete.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        JSC CLoop warning fix
        https://bugs.webkit.org/show_bug.cgi?id=133259

        Reviewed by Darin Adler.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-05-24  Andreas Kling  <akling@apple.com>

        Object.prototype.toString() should use cached strings for null/undefined.
        <https://webkit.org/b/133261>

        Normally, when calling Object.prototype.toString() on a regular object,
        we'd cache the result of the stringification on the object's structure,
        making repeated calls fast.

        For null and undefined, we were not as smart. We'd instead construct a
        new string with either "[object Null]" or "[object Undefined]" each time.

        This was exposed by Dromaeo's JS library tests, where some prototype.js
        subtests generate millions of strings this way.

        This patch adds two VM-permanent cached strings to the SmallStrings.
        Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html

        Reviewed by Darin Adler.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::visitStrongReferences):
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::nullObjectString):
        (JSC::SmallStrings::undefinedObjectString):

2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove operationCallGetter

        Rubber stamped by Filip Pizlo.

        Nobody calls this function.

        * JavaScriptCore.order:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-05-23  Andreas Kling  <akling@apple.com>

        Templatize GC's destructor invocation for dtor type.
        <https://webkit.org/b/133231>

        Get rid of a branch in callDestructor() by templatizing it for
        the DestructorType. Removed JSCell::methodTableForDestruction()
        since this was the only call site and it was jumping through
        a bunch of unnecessary hoops.

        Reviewed by Geoffrey Garen.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTableForDestruction): Deleted.

2014-05-23  Andreas Kling  <akling@apple.com>

        Support inline caching of RegExpMatchesArray.length
        <https://webkit.org/b/133234>

        Give RegExpMatchesArray.length the same treatment as JSArray in
        repatch so we don't have to go out of line on every access.

        ~13% speed-up on Octane/regexp.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/RegExpMatchesArray.h:
        (JSC::isRegExpMatchesArray):

2014-05-22  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
        <https://webkit.org/b/133182>

        Reviewed by Oliver Hunt.

        Before r154797, we used to clear the VM exception before calling into the
        debugger.  After r154797, we don't.  This patch will restore this clearing
        of the exception before calling into the debugger.

        Also added assertions after returning from calls into the debugger to
        ensure that the debugger did not introduce any exceptions.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        - Fixed the assertion here.  Interpreter::debug() should never be called
          with a pending exception.  Debugger callbacks for exceptions should be
          handled by Interpreter::unwind() and Interpreter::unwindCallFrame().

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Store barrier elision should run after DCE in both the DFG path and the FTL path
        https://bugs.webkit.org/show_bug.cgi?id=129718

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
        https://bugs.webkit.org/show_bug.cgi?id=132907

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:

2014-05-16  Martin Robinson  <mrobinson@igalia.com>

        [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
        https://bugs.webkit.org/show_bug.cgi?id=132819

        Reviewed by Carlos Garcia Campos.

        * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
        use the common CMake ones directly.

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/169159.
        
        This was a unilateral change and wasn't properly reviewed.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-21  Antoine Quint  <graouts@webkit.org>

        Array.prototype.find and findIndex should skip holes
        https://bugs.webkit.org/show_bug.cgi?id=132658

        Reviewed by Geoffrey Garen.

        Skip holes in the array when iterating such that callback isn't called.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):

2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-20  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.
        
        Make prediction propagator use ArrayMode refinement to decide the return type.
        
        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. 
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through 
        JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. 

        By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use 
        these two API functions (which is true of most clients).

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.h:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Scope::Scope): Deleted.
        (JSC::Watchdog::Scope::~Scope): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):

2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArray::shiftCountWith* could be more efficient
        https://bugs.webkit.org/show_bug.cgi?id=133011

        Reviewed by Geoffrey Garen.

        Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage 
        are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling 
        them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.

        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::indexingHeader):
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::hasHoles):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::publicLength):
        (JSC::IndexingHeader::from):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSC::JSArray::shiftCount):
        * runtime/Structure.cpp:
        (JSC::Structure::holesRequireSpecialBehavior):
        * runtime/Structure.h:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Test gardening: skip some failing tests on not-X86.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-19  Mark Lam  <mark.lam@apple.com>

        operationOptimize() should defer the GC for a while.
        <https://webkit.org/b/133103>

        Reviewed by Filip Pizlo.

        Currently, operationOptimize() only defers the GC until its end.  As a result,
        a GC may be triggered just before we return from operationOptimize(), and it may
        jettison the optimize codeBlock that we're planning to OSR enter into when we
        return from this function.  This is because the OSR entry on-ramp code hasn't
        been executed yet, and hence, there is not yet a reference to this new codeBlock
        from the stack, and there won't be until we've had a chance to return out of
        operationOptimize() to run the OSR entry on-ramp code.

        This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
        ensures that the GC will be deferred until after the OSR entry on-ramp can be
        executed.

        * jit/JITOperations.cpp:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Take care of some ARM64 test failures
        https://bugs.webkit.org/show_bug.cgi?id=133090

        Reviewed by Geoffrey Garen.
        
        Constant blinding on ARM64 cannot use the scratch register.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):

2014-05-19  Tanay C  <tanay.c@samsung.com>

        Removing some check-webkit-style warnings from ./dfg
        https://bugs.webkit.org/show_bug.cgi?id=132854

        Reviewed by Darin Adler.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDominators.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGPredictionPropagationPhase.h:

2014-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
        That was a long time ago.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileReturn):

2014-05-18  Rik Cabanier  <cabanier@adobe.com>

        support for navigator.hardwareConcurrency
        https://bugs.webkit.org/show_bug.cgi?id=132588

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2014-05-16  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
        https://bugs.webkit.org/show_bug.cgi?id=133009

        Reviewed by Oliver Hunt.

        If we determine that any alternative requires a minumum match size greater than
        INT_MAX, we handle the match in the interpreter.

        Check to see if the pattern has unsigned lengths before invoking YARR JIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

        * tests/stress/large-regexp.js: New test added.

        Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
        doesn't fit in an int.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

        Clear new m_containsUnsignedLengthPattern flag.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should not claim HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132918

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".

2014-05-15  Alex Christensen  <achristensen@webkit.org>

        Add pointer lock to features without enabling it.
        https://bugs.webkit.org/show_bug.cgi?id=132961

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        Added ENABLE_POINTER_LOCK to list of features.

2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching for proxies clobbers baseGPR too early
        https://bugs.webkit.org/show_bug.cgi?id=132916

        Reviewed by Filip Pizlo.

        We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
        gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
        until we know the inline cache is going to succeed.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2014-05-14  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
        was missing commands to build LLInt portions of JSC.
        * llint/LLIntData.cpp: 64-bit build fix.

2014-05-14  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>

        ARM Traditional buildfix after r168776.
        https://bugs.webkit.org/show_bug.cgi?id=132903

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove CSS_STICKY_POSITION guards
        https://bugs.webkit.org/show_bug.cgi?id=132676

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-05-13  Filip Pizlo  <fpizlo@apple.com>

        JIT breakpoints should be more informative
        https://bugs.webkit.org/show_bug.cgi?id=132882

        Reviewed by Oliver Hunt.
        
        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
        at that platform's abort reason register (r11 on X86-64 for example).

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h: Added.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::AssemblyHelpers::jitAssertIsNull):
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkStackPointerAlignment):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::addStructureTransitionCheck): Deleted.
        (JSC::JIT::testPrototype): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterRestoration):
        * jit/Repatch.cpp:
        (JSC::addStructureTransitionCheck):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):
        (JSC::nativeForGenerator):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

2014-05-13  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
        The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168642.
        https://bugs.webkit.org/show_bug.cgi?id=132839

        Broke ARM build (Requested by jpfau on #webkit).

        Reverted changeset:

        "[Win] Enum type with value zero is compatible with void*,
        potential cause of crashes."
        https://bugs.webkit.org/show_bug.cgi?id=132772
        http://trac.webkit.org/changeset/168642

2014-05-12  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
        The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Andreas Kling  <akling@apple.com>

        0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
        <https://webkit.org/b/132828>
        <rdar://problem/16886285>

        Reviewed by Michael Saboff.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):

            Use JSCell::structure(VM&) to reduce the number of hoops we jump
            through to find Structures during marking.

2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>

        [cmake] Add missing FTL source files to the build system.

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
        https://bugs.webkit.org/show_bug.cgi?id=132409

        Reviewed by Timothy Hatcher.

        Proxy applications are applications which hold WebViews for other
        applications. The WebProcess (Web Content Service) is a proxy application.
        For legacy reasons we were supporting a scenario where proxy applications
        could potentially host WebViews for more then one other application. That
        was never the case for WebProcess and it is now a scenario we don't need
        to worry about supporting.

        With this change, a proxy application more naturally only holds WebViews
        for a single parent / host application. The proxy process can set the
        parent pid / audit_token data on the RemoteInspector singleton, and
        that data will be sent on to webinspectord later on to be validated.
        In the WebProcess<->UIProcess relationship that information is known
        and set immediately. In the Legacy iOS case that information is set
        soon after, but not immediately known at the point the WebView is created.

        This allows us to simplify the RemoteInspectorDebuggable interface.
        We no longer need a pid per-Debuggable.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setParentProcessInformation):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Handle new proxy application setup message, and provide an API
        for a proxy application to set the parent process information.

        * inspector/remote/RemoteInspectorConstants.h:
        New setup and response message for proxy applications to pass
        their parent / host application information to webinspectord.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::info):
        * inspector/remote/RemoteInspectorDebuggable.h:
        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
        pid per debuggable is no longer needed.

2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should disable property caching after a certain point
        https://bugs.webkit.org/show_bug.cgi?id=132751

        Reviewed by Filip Pizlo.

        This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
        hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
        that it has provided a cacheable value.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::disableCaching):

2014-05-09  Andreas Kling  <akling@apple.com>

        8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
        <https://webkit.org/b/132749>

        Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
        in Object.prototype.* by using JSString::toIdentifier() in the cases where
        we are converting JSString -> String -> Identifier.

        This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
        "The Great HTML5 Gaming Performance Test: 2014 edition"
        <http://www.scirra.com/demos/c2/sbperftest/>

        Reviewed by Oliver Hunt.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should have a WatchpointSet to fire on window close
        https://bugs.webkit.org/show_bug.cgi?id=132721

        Reviewed by Filip Pizlo.

        This patch allows us to reset the inline caches that assumed they could skip 
        the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
        been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.

        PropertySlot now accepts a WatchpointSet which the inline cache code can look for
        to see if it should create a new Watchpoint for that particular inline cache site.

        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::watchpointSet):
        (JSC::PropertySlot::setWatchpointSet):

2014-05-09  Tanay C  <tanay.c@samsung.com>

        Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
        https://bugs.webkit.org/show_bug.cgi?id=132331

        Reviewed by Darin Adler.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-05-09  peavo@outlook.com  <peavo@outlook.com>

        [Win] Crash when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=132683

        Reviewed by Geoffrey Garen.

        On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.

2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>

        REGRESSION(r167094): JSC crashes on ARM Traditional
        https://bugs.webkit.org/show_bug.cgi?id=132738

        Reviewed by Zoltan Herczeg.

        PC is two instructions ahead of the current instruction
        on ARM Traditional, so the distance is 8 bytes not 2.

        * llint/LowLevelInterpreter.asm:

2014-05-09  Alberto Garcia  <berto@igalia.com>

        jsmin.py license header confusing, mentions non-free license
        https://bugs.webkit.org/show_bug.cgi?id=123665

        Reviewed by Darin Adler.

        Pull the most recent version from upstream, which has a clear
        license.

        * inspector/scripts/jsmin.py:

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132695

        Reviewed by Filip Pizlo.

        We check in the case where we're accessing something other than the base object (e.g. the prototype), 
        but we fail to do so for the base object.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
        because all of the values that are returned that could be impure are set to uncacheable anyways.
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (GlobalObject::finishCreation):
        (functionCreateImpureGetter):
        (functionSetImpureGetterDelegate):
        * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
        (foo):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        deleteAllCompiledCode() shouldn't use the suspension worklist
        https://bugs.webkit.org/show_bug.cgi?id=132708

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        SSA conversion should delete PhantomLocals for captured variables
        https://bugs.webkit.org/show_bug.cgi?id=132693

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we man dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
        * dfg/DFGValidate.cpp: Use the workaround.
        * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
        (foo):
        (bar):

2014-05-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168451.
        https://bugs.webkit.org/show_bug.cgi?id=132670

        Not a speed-up, just do what other compilers do. (Requested by
        kling on #webkit).

        Reverted changeset:

        "[X86] Emit BT instruction for single-bit tests."
        https://bugs.webkit.org/show_bug.cgi?id=132650
        http://trac.webkit.org/changeset/168451

2014-05-07  Filip Pizlo  <fpizlo@apple.com>

        Make Executable::clearCode() actually clear all of the entrypoints, and
        clean up some other FTL-related calling convention stuff.
        <rdar://problem/16720172>

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::dump):
        * heap/CodeBlockSet.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):

2014-05-07  Andreas Kling  <akling@apple.com>

        [X86] Emit BT instruction for single-bit tests.
        <https://webkit.org/b/132650>

        Implement test-bit-and-branch slightly more efficiently by using
        BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
        a single bit.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::singleBitIndex):
        (JSC::MacroAssemblerX86Common::branchTest32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::bt_i8r):
        (JSC::X86Assembler::bt_i8m):

2014-05-07  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
        <https://webkit.org/b/131356>

        Reviewed by Geoffrey Garen.

        The issue is that GC needs to be made aware of writes to m_inferredValue
        in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
        is written to a VariableWatchpointSet m_inferredValue, and that JSCell
        does not survive an eden GC shortly after, we will end up with a stale
        JSCell pointer left in the m_inferredValue.

        This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
        using DumpRenderTree with the VM heap in zombie mode.

        The fix is to change VariableWatchpointSet m_inferredValue to type
        WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
        is executed by all the execution engines so that the WriteBarrier semantics
        are honored.

        We still check if the value to be written is the same as the one in the
        inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
        values are the same.        

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        - need to pass the symbolTable to prepareToWatch() because it will be needed
          for instantiating the VariableWatchpointSet in prepareToWatch().

        * bytecode/VariableWatchpointSet.h:
        (JSC::VariableWatchpointSet::VariableWatchpointSet):
        - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
          write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
        (JSC::VariableWatchpointSet::inferredValue):
        (JSC::VariableWatchpointSet::invalidate):
        (JSC::VariableWatchpointSet::finalizeUnconditionally):
        (JSC::VariableWatchpointSet::addressOfInferredValue):
        (JSC::VariableWatchpointSet::notifyWrite): Deleted.
        * bytecode/VariableWatchpointSetInlines.h: Added.
        (JSC::VariableWatchpointSet::notifyWrite):

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        - Added an assert in case we try to make constants of zombified JSCells again.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        - We now let the slow path handle the cases when the VariableWatchpointSet is
          in state ClearWatchpoint and IsWatched, and the slow path will ensure that
          we handle the needed write barrier semantics correctly.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        - Let the slow path handle the cases when the VariableWatchpointSet is
          in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * heap/Heap.cpp:
        (JSC::Zombify::operator()):
        - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
          which is used everywhere else).
        * heap/Heap.h:
        (JSC::Heap::isZombified):
        - Provide a convenience test function to check if JSCells are zombified.  This is
          currently only used in an assertion in the DFG bytecode parser, but the intent
          it that we'll apply this test in other strategic places later to help with early
          detection of usage of GC'ed objects when we run in zombie mode.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_captured_mov):
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitNotifyWrite):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitSlow_op_put_to_scope):
        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
          is in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.
        
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
          is in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.
        
        * runtime/CommonSlowPaths.cpp:

        * runtime/JSCJSValue.h: Fixed some typos in the comments.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::notifyWrite):

2014-05-06  Michael Saboff  <msaboff@apple.com>

        Unreviewd build fix for C-LOOP after r168396.

        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)

2014-05-06  Michael Saboff  <msaboff@apple.com>

        Add test for deleteAllCompiledCode
        https://bugs.webkit.org/show_bug.cgi?id=132632

        Reviewed by Phil Pizlo.

        Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
        the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
        to write a test that will queue up loads of DFG compiles and then call
        Heap::deleteAllCompiledCode() to make sure that it can handle compiled
        code as well as code being compiled.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDeleteAllCompiledCode):
        (functionOptimizeNextInvocation):
        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation):
        * runtime/TestRunnerUtils.h:
        * tests/stress/deleteAllCompiledCode.js: Added.
        (functionList):
        (runTest):

2014-05-06  Andreas Kling  <akling@apple.com>

        JSString::toAtomicString() should return AtomicString.
        <https://webkit.org/b/132627>

        Remove premature optimization where I was trying to avoid refcount
        churn when returning an already atomicized String.

        Instead of using reinterpret_cast to mangle the String member into
        a const AtomicString& return value, just return AtomicString.

        Reviewed by Geoff Garen.

        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):

2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Roll out r167889

        Rubber stamped by Geoff Garen.

        It broke some websites.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin):
        (JSC::Structure::pinAndPreventTransitions): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency):
        (JSC::Structure::hadDeletedOffsets): Deleted.
        * tests/stress/for-in-after-delete.js:
        (foo): Deleted.

2014-05-05  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize GetByVal when subscript is a rope string.
        <https://webkit.org/b/132590>

        Use JSString::toIdentifier() in the various GetByVal implementations
        to try and avoid allocating extra strings.

        Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
        in that, to avoid calling JSString::value() which always resolves ropes
        into new strings and de-optimizes subsequent toIdentifier() calls.

        My iMac says ~9% progression on Dromaeo/dom-attr.html

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSCell::canUseFastGetOwnProperty):

2014-05-05  Andreas Kling  <akling@apple.com>

        REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
        <https://webkit.org/b/168256>
        <rdar://problem/16816316>

        Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
        clear the fibers. The caller takes care of this.

        Test: fast/dom/getElementById-with-rope-string-arg.html

        Reviewed by Geoffrey Garen.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):

2014-05-05  Michael Saboff  <msaboff@apple.com>

        REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
        https://bugs.webkit.org/show_bug.cgi?id=132581

        Reviewed by Filip Pizlo.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
        started compiling for is still the same at the end of compilation.
        Also did some minor restructuring.

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize PutByVal when subscript is a rope string.
        <https://webkit.org/b/132572>

        Add a JSString::toIdentifier() that is smarter when the JSString is
        really a rope string. Use this in baseline & DFG's PutByVal to avoid
        allocating new StringImpls that we immediately deduplicate anyway.

        Reviewed by Antti Koivisto.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):

2014-05-05  Andreas Kling  <akling@apple.com>

        Remove two now-incorrect assertions after r168256.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):

2014-05-04  Andreas Kling  <akling@apple.com>

        Optimize JSRopeString for resolving directly to AtomicString.
        <https://webkit.org/b/132548>

        If we know that the JSRopeString we are resolving is going to be used
        as an AtomicString, we can try to avoid creating a new string.

        We do this by first resolving the rope into a stack buffer, and using
        that buffer as a key into the AtomicString table. If there is already
        an AtomicString with the same characters, we reuse that instead of
        constructing a new StringImpl.

        JSString gains these two public functions:

        - AtomicString toAtomicString()

            Returns an AtomicString, tries to avoid allocating a new string
            if possible.

        - AtomicStringImpl* toExistingAtomicString()

            Returns a non-null AtomicStringImpl* if one already exists in the
            AtomicString table. If none is found, the rope is left unresolved.

        Reviewed by Filip Pizlo.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeInternal8):
        (JSC::JSRopeString::resolveRopeInternal16):
        (JSC::JSRopeString::resolveRopeToAtomicString):
        (JSC::JSRopeString::clearFibers):
        (JSC::JSRopeString::resolveRopeToExistingAtomicString):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):
        (JSC::JSString::toExistingAtomicString):

2014-05-04  Andreas Kling  <akling@apple.com>

        Unreviewed, rolling out r168254.

        Very crashy on debug JSC tests.

        Reverted changeset:

        "jsSubstring() should be lazy"
        https://bugs.webkit.org/show_bug.cgi?id=132556
        http://trac.webkit.org/changeset/168254

2014-05-04  Filip Pizlo  <fpizlo@apple.com>

        jsSubstring() should be lazy
        https://bugs.webkit.org/show_bug.cgi?id=132556

        Reviewed by Andreas Kling.
        
        jsSubstring() is now lazy by using a special rope that is a substring instead of a
        concatenation. To make this patch super simple, we require that a substring's base is
        never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
        path, or we go down a concatenation path which may see exactly one level of substrings in
        its fibers.
        
        This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::visitFibers):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::append):
        (JSC::JSRopeString::create):
        (JSC::JSRopeString::offsetOfFibers):
        (JSC::JSRopeString::fiber):
        (JSC::JSRopeString::substringBase):
        (JSC::JSRopeString::substringOffset):
        (JSC::JSRopeString::substringSentinel):
        (JSC::JSRopeString::isSubstring):
        (JSC::jsSubstring):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSubstring):

2014-05-02  Michael Saboff  <msaboff@apple.com>

        "arm64 function not 4-byte aligned" warnings when building JSC
        https://bugs.webkit.org/show_bug.cgi?id=132495

        Reviewed by Geoffrey Garen.

        Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.

        * llint/LowLevelInterpreter.cpp:

2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix cloop build after r168178

        * bytecode/CodeBlock.cpp:

2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add a DFG function whitelist
        https://bugs.webkit.org/show_bug.cgi?id=132437

        Reviewed by Geoffrey Garen.

        Often times when debugging, using bytecode ranges isn't enough to narrow down to the 
        particular DFG block that's causing issues. This patch adds the ability to whitelist 
        specific functions specified in a file to enable further filtering without having to recompile.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGFunctionWhitelist.cpp: Added.
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGFunctionWhitelist.h: Added.
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::dumpOption):
        * runtime/Options.h:

2014-05-02  Filip Pizlo  <fpizlo@apple.com>

        DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
        https://bugs.webkit.org/show_bug.cgi?id=132446

        Reviewed by Mark Hahnenberg.
        
        Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
        our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
        to indicate a bound on the value. This is useful for knowing, for example, that
        Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
        ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
        But this means that all arithmetic operations must be careful to note that they may
        turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * tests/stress/int52-ai-add-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
        (foo):

2014-05-01  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore fails to build with some versions of clang
        https://bugs.webkit.org/show_bug.cgi?id=132436

        Reviewed by Anders Carlsson.

        * runtime/ArgumentsIteratorConstructor.cpp: Since we call
        putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
        and both are marked inline, it's valid for the compiler to decide
        to inline both and emit neither in the binary. Therefore, we need
        both inline definitions to be available in the translation unit at
        compile time, or we'll try to link against a function that doesn't exist.

2014-05-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167964.
        https://bugs.webkit.org/show_bug.cgi?id=132431

        Memory improvements should not regress memory usage (Requested
        by olliej on #webkit).

        Reverted changeset:

        "Don't hold on to parameter BindingNodes forever"
        https://bugs.webkit.org/show_bug.cgi?id=132360
        http://trac.webkit.org/changeset/167964

2014-05-01  Filip Pizlo  <fpizlo@apple.com>

        Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
        https://bugs.webkit.org/show_bug.cgi?id=132427

        Reviewed by Mark Hahnenberg.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):

2014-04-30  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
        https://bugs.webkit.org/show_bug.cgi?id=132396

        Reviewed by Eric Carlson.

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.

        * Configurations/FeatureDefines.xcconfig:

2014-04-30  Filip Pizlo  <fpizlo@apple.com>

        Argument flush formats should not be presumed to be JSValue since 'this' is weird
        https://bugs.webkit.org/show_bug.cgi?id=132404

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
        * tests/stress/strict-to-this-int.js: Added.
        (foo):
        (Number.prototype.valueOf):
        (test):

2014-04-29  Oliver Hunt  <oliver@apple.com>

        Don't hold on to parameterBindingNodes forever
        https://bugs.webkit.org/show_bug.cgi?id=132360

        Reviewed by Geoffrey Garen.

        Don't keep the parameter nodes anymore. Instead we store the
        original parameter string and reparse whenever we actually
        need them. Because we only actually need them for compilation
        this only results in a single extra parse.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::finishCreation):
        (JSC::UnlinkedFunctionExecutable::paramString):
        (JSC::UnlinkedFunctionExecutable::parameters):
        (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::parameterCount):
        (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
        (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::setFunctionBodyParameters):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::parametersStartOffset):
        (JSC::FunctionBodyNode::parametersEndOffset):
        (JSC::FunctionBodyNode::setParameterLocation):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::parseParameters):
        * parser/Parser.h:
        (JSC::parse):
        * parser/SourceCode.h:
        (JSC::SourceCode::subExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionBodyParameters):

2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSProxies should be cacheable
        https://bugs.webkit.org/show_bug.cgi?id=132351

        Reviewed by Geoffrey Garen.

        Whenever we encounter a proxy in an inline cache we should try to cache on the 
        proxy's target instead of giving up.

        This patch adds support for a simple "recursive" inline cache if the base object
        we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
        are the only ones to benefit from this right now.

        This is performance neutral on the benchmarks we track. Currently we won't
        cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCreateProxy):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::isNormalized):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isProxy):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        (JSC::JSProxy::targetOffset):
        * runtime/JSType.h:
        * runtime/Operations.h:
        (JSC::isPrototypeChainNormalized):
        * runtime/Structure.h:
        (JSC::Structure::isProxy):
        * tests/stress/proxy-inline-cache.js: Added.
        (cacheOnTarget.getX):
        (cacheOnTarget):
        (cacheOnPrototypeOfTarget.getX):
        (cacheOnPrototypeOfTarget):
        (dontCacheOnProxyInPrototypeChain.getX):
        (dontCacheOnProxyInPrototypeChain):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):

2014-04-29  Filip Pizlo  <fpizlo@apple.com>

        Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
        https://bugs.webkit.org/show_bug.cgi?id=112840

        Rubber stamped by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:

2014-04-29  Geoffrey Garen  <ggaren@apple.com>

        String.prototype.trim removes U+200B from strings.
        https://bugs.webkit.org/show_bug.cgi?id=130184

        Reviewed by Michael Saboff.

        * runtime/StringPrototype.cpp:
        (JSC::trimString):
        (JSC::isTrimWhitespace): Deleted.

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Zombifying sweep should ignore retired blocks.
        <https://webkit.org/b/132344>

        Reviewed by Mark Hahnenberg.

        By definition, retired blocks do not have "dead" objects, or at least
        none that we know of yet until the next marking phase has been run
        over it.  So, we should not be sweeping them (even for zombie mode).

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::zombifySweep):
        * heap/MarkedSpace.h:
        (JSC::ZombifySweep::operator()):

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Fix bit rot in zombie mode heap code.
        <https://webkit.org/b/132342>

        Reviewed by Mark Hahnenberg.

        Need to enter a DelayedReleaseScope before doing a sweep.

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):

2014-04-29  Tomas Popela  <tpopela@redhat.com>

        LLINT loadisFromInstruction doesn't need special case for big endians
        https://bugs.webkit.org/show_bug.cgi?id=132330

        Reviewed by Mark Lam.

        The change introduced in r167076 was wrong. We should not apply the offset
        adjustment on loadisFromInstruction usage as the instruction
        (UnlinkedInstruction) is declared as an union (i.e. with the int32_t
        operand variable). The offset of the other union members will be the
        same as the offset of the first one, that is 0. The behavior here is the
        same on little and big endian architectures. Thus we don't need
        special case for big endians.

        * llint/LowLevelInterpreter.asm:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Simplify tryCacheGetById
        https://bugs.webkit.org/show_bug.cgi?id=132314

        Reviewed by Oliver Hunt and Filip Pizlo.

        This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.

2014-04-28  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
        https://bugs.webkit.org/show_bug.cgi?id=132315

        Reviewed by Mark Hahnenberg.

        Used the StringImpl version of utf8() instead of creating a String first.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-04-28  Filip Pizlo  <fpizlo@apple.com>

        The LLInt is awesome and it should get more of the action.

        Rubber stamped by Geoffrey Garen.
        
        5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.

        * runtime/Options.h:

2014-04-27  Filip Pizlo  <fpizlo@apple.com>

        GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
        https://bugs.webkit.org/show_bug.cgi?id=132166

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        The GC can aid type inference by removing structures that are dead and jettisoning
        code that relies on those structures. This can dramatically accelerate type inference
        for some tricky programs.
        
        Unfortunately, we previously pinned any structures that enqueued compilations depended
        on. This means that if you're on a machine that only runs a single compilation thread
        and where compilations are relatively slow, you have a high chance of large numbers of
        structures being pinned during any GC since the compilation queue is likely to be full
        of random stuff.
        
        This comprehensively fixes this issue by allowing the GC to remove compilation plans
        if the things they depend on are dead, and to even cancel safepointed compilations.
        
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        (JSC::CodeBlock::isKnownToBeLiveDuringGC):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGGraphSafepoint.cpp:
        (JSC::DFG::GraphSafepoint::GraphSafepoint):
        * dfg/DFGGraphSafepoint.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyCompiling):
        (JSC::DFG::Plan::notifyCompiled):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
        (JSC::DFG::Plan::cancel):
        (JSC::DFG::Plan::visitChildren): Deleted.
        * dfg/DFGPlan.h:
        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::Result::~Result):
        (JSC::DFG::Safepoint::Result::didGetCancelled):
        (JSC::DFG::Safepoint::Safepoint):
        (JSC::DFG::Safepoint::~Safepoint):
        (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
        (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
        (JSC::DFG::Safepoint::cancel):
        (JSC::DFG::Safepoint::visitChildren): Deleted.
        * dfg/DFGSafepoint.h:
        (JSC::DFG::Safepoint::Result::Result):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::visitWeakReferences):
        (JSC::DFG::Worklist::removeDeadPlans):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::visitChildren): Deleted.
        * dfg/DFGWorklist.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLCompile.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitCompilerWorklistWeakReferences):
        (JSC::Heap::removeDeadCompilerWorklistEntries):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::collect):
        (JSC::Heap::visitCompilerWorklists): Deleted.
        * heap/Heap.h:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Deleting properties poisons objects
        https://bugs.webkit.org/show_bug.cgi?id=131551

        Reviewed by Oliver Hunt.

        This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when 
        iterating properties because we're required to iterate properties in insertion order.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
        (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
        Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
        delete transitions, but we allow transitioning from them.
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
        (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::hadDeletedOffsets):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
        * tests/stress/for-in-after-delete.js: Added.
        (foo):

2014-04-25  Andreas Kling  <akling@apple.com>

        Inline (C++) GetByVal with numeric indices more aggressively.
        <https://webkit.org/b/132218>

        We were already inlining the string indexed GetByVal path pretty well,
        while the path for numeric indices got neglected. No more!

        ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:

            Before: 199.50 runs/s
             After: 218.58 runs/s

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):

            ALWAYS_INLINE all the things.

        * runtime/JSObject.h:
        (JSC::JSObject::getPropertySlot):

            Avoid fetching the Structure more than once. We have the same
            optimization in the string-indexed code path.

2014-04-25  Oliver Hunt  <oliver@apple.com>

        Need earlier cell test
        https://bugs.webkit.org/show_bug.cgi?id=132211

        Reviewed by Mark Lam.

        Move cell test to before the function call repatch
        location, as the repatch logic for 32bit assumes that the
        caller will already have performed a cell check.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2014-04-25  Andreas Kling  <akling@apple.com>

        Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.

2014-04-25  Andreas Kling  <akling@apple.com>

        Windows build fix attempt.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):

2014-04-25  Mark Lam  <mark.lam@apple.com>

        Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
        <https://webkit.org/b/132201>

        Reviewed by Joseph Pecoraro.

        BreakpointActions is Vector<ScriptBreakpointAction>.  Let's just consistently use
        BreakpointActions everywhere.

        * inspector/ScriptBreakpoint.h:
        (Inspector::ScriptBreakpoint::ScriptBreakpoint):
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::setBreakpoint):
        (Inspector::ScriptDebugServer::getActionsForBreakpoint):
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::removeBreakpoint):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-04-24  Filip Pizlo  <fpizlo@apple.com>

        DFG worklist scanning should not treat the key as a separate entity
        https://bugs.webkit.org/show_bug.cgi?id=132167

        Reviewed by Mark Hahnenberg.
        
        This simplifies the interface to the GC and will enable more optimizations.

        * dfg/DFGCompilationKey.cpp:
        (JSC::DFG::CompilationKey::visitChildren): Deleted.
        * dfg/DFGCompilationKey.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::visitChildren):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::visitChildren):

2014-04-25  Oliver Hunt  <oliver@apple.com>

        Remove unused parameter from codeblock linking function
        https://bugs.webkit.org/show_bug.cgi?id=132199

        Reviewed by Anders Carlsson.

        No change in behaviour. This is just a small change to make it
        slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
        actually mean.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::link):
        * bytecode/UnlinkedCodeBlock.h:
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):

2014-04-25  Andreas Kling  <akling@apple.com>

        Mark some things with WTF_MAKE_FAST_ALLOCATED.
        <https://webkit.org/b/132198>

        Use FastMalloc for more things.

        Reviewed by Anders Carlsson.

        * builtins/BuiltinExecutables.h:
        * heap/GCThreadSharedData.h:
        * inspector/JSConsoleClient.h:
        * inspector/agents/InspectorAgent.h:
        * runtime/CodeCache.h:
        * runtime/JSGlobalObject.h:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/WeakGCMap.h:

2014-04-25  Antoine Quint  <graouts@webkit.org>

        Implement Array.prototype.find()
        https://bugs.webkit.org/show_bug.cgi?id=130966

        Reviewed by Oliver Hunt.

        Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):
        * runtime/ArrayPrototype.cpp:

2014-04-24  Brady Eidson  <beidson@apple.com>

        Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
        https://bugs.webkit.org/show_bug.cgi?id=132155

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2014-04-24  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
        https://bugs.webkit.org/show_bug.cgi?id=132147

        Reviewed by Mark Lam.

        Fixed or64(), eor32( ) and eor64() to use "src" register when we have a valid logicalImm.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::or64):
        (JSC::MacroAssemblerARM64::xor32):
        (JSC::MacroAssemblerARM64::xor64):
        * tests/stress/regress-132147.js: Added test.

2014-04-24  Mark Lam  <mark.lam@apple.com>

        Make slowPathAllocsBetweenGCs a runtime option.
        <https://webkit.org/b/132137>

        Reviewed by Mark Hahnenberg.

        This will make it easier to more casually run tests with this configuration
        as well as to reproduce issues (instead of requiring a code mod and rebuild).
        We will now take --slowPathAllocsBetweenGCs=N where N is the number of
        slow path allocations before we trigger a collection.

        The option defaults to 0, which is reserved to mean that we will not trigger
        any collections there.

        * heap/Heap.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::doTestCollectionsIfNeeded):
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedAllocator.h:
        * runtime/Options.h:

2014-04-23  Mark Lam  <mark.lam@apple.com>

        The GC should only resume compiler threads that it suspended in the same GC pass.
        <https://webkit.org/b/132088>

        Reviewed by Mark Hahnenberg.

        Previously, this scenario can occur:
        1. Thread 1 starts a GC and tries to suspend DFG worklist threads.  However,
           no worklists were created yet at the that time.
        2. Thread 2 starts to compile some functions and creates a DFG worklist, and
           acquires the worklist thread's lock.
        3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
           This time, it sees the worklist created by Thread 2 and ends up unlocking
           the worklist thread's lock that is supposedly held by Thread 2.
        Thereafter, chaos ensues.

        The fix is to cache the worklists that were actually suspended by each GC pass,
        and only resume those when the GC is done.

        This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
        the fast/workers layout tests.

        * heap/Heap.cpp:
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::resumeCompilerThreads):
        * heap/Heap.h:

2014-04-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
        https://bugs.webkit.org/show_bug.cgi?id=132079

        Reviewed by Michael Saboff.

        Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.

        Also added a test that previously triggered this bug.

        * runtime/Arguments.cpp:
        (JSC::Arguments::copyBackingStore): D'oh!
        * tests/stress/arguments-copy-register-array-backing-store.js: Added.
        (foo):
        (bar):

2014-04-23  Mark Rowe  <mrowe@apple.com>

        [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
        <https://webkit.org/b/132053>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
        the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
        from /bin/sh since that generates unnecessary output.

2014-04-22  Mark Lam  <mark.lam@apple.com>

        DFG::Worklist should acquire the m_lock before iterating DFG plans.
        <https://webkit.org/b/132032>

        Reviewed by Filip Pizlo.

        Currently, there's a rightToRun mechanism that ensures that no compilation
        threads are running when the GC is iterating through the DFG worklists.
        However, this does not prevent a Worker thread from doing a DFG compilation
        and modifying the plans in the worklists thereby invalidating the plan
        iterator that the GC is using.  This patch fixes the issue by acquiring
        the worklist m_lock before iterating the worklist plans.

        This issue was uncovered by running the fast/workers layout tests with
        COLLECT_ON_EVERY_ALLOCATION enabled.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::isActiveForVM):
        (JSC::DFG::Worklist::visitChildren):

2014-04-22  Brent Fulgham  <bfulgham@apple.com>

        [Win] Support Python 2.7 in Cygwin
        https://bugs.webkit.org/show_bug.cgi?id=132023

        Reviewed by Michael Saboff.

        * DerivedSources.make: Use a conditional variable to define
        the path to Python/Perl.

2014-04-22  Filip Pizlo  <fpizlo@apple.com>

        Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130867
        <rdar://problem/16432456> 

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-04-22  Alex Christensen  <achristensen@webkit.org>

        [Win] Unreviewed build fix after my r167666.

        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Added ../../../ again to include headers in Source/JavaScriptCore.

2014-04-22  Alex Christensen  <achristensen@webkit.org>

        Removed old stdbool and inttypes headers.
        https://bugs.webkit.org/show_bug.cgi?id=131966

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        Removed references to os-win32 directory.
        * os-win32: Removed.
        * os-win32/inttypes.h: Removed.
        * os-win32/stdbool.h: Removed.

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
        https://bugs.webkit.org/show_bug.cgi?id=131971
        <rdar://problem/16676511>

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        Switch statements that skip the baseline JIT should work
        https://bugs.webkit.org/show_bug.cgi?id=131965

        Reviewed by Mark Hahnenberg.

        * bytecode/JumpTable.h:
        (JSC::SimpleJumpTable::ensureCTITable):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * tests/stress/inline-llint-with-switch.js: Added.
        (foo):
        (bar):
        (test):

2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Arguments objects shouldn't need a destructor
        https://bugs.webkit.org/show_bug.cgi?id=131899

        Reviewed by Oliver Hunt.

        This patch rids Arguments objects of their destructors. It does this by 
        switching their backing stores to use CopiedSpace rather than malloc memory.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
        Arguments allocation so that it only emits an extra write for strict mode code rather
        than unconditionally.
        * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren): We need to tell the collector to copy the back stores now.
        (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
        (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
        (JSC::Arguments::deleteProperty):
        (JSC::Arguments::defineOwnProperty):
        (JSC::Arguments::allocateRegisterArray):
        (JSC::Arguments::tearOff):
        (JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
        * runtime/Arguments.h:
        (JSC::Arguments::registerArraySizeInBytes):
        (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
        in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
        allocation.
        (JSC::Arguments::SlowArgumentData::slowArguments):
        (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
        (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
        (JSC::Arguments::SlowArgumentData::sizeForNumArguments):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::allocateSlowArguments):
        (JSC::Arguments::tryDeleteArgument):
        (JSC::Arguments::isDeletedArgument):
        (JSC::Arguments::isArgument):
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation):
        * runtime/SymbolTable.h:

2014-04-21  Eric Carlson  <eric.carlson@apple.com>

        [Mac] implement WebKitDataCue
        https://bugs.webkit.org/show_bug.cgi?id=131799

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed test gardening, run the repeat-out-of-bounds tests again.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        OSR exit should know about Int52 and Double constants
        https://bugs.webkit.org/show_bug.cgi?id=131945

        Reviewed by Oliver Hunt.
        
        The DFG OSR exit machinery's ignorance would lead to some constants becoming
        jsUndefined() after OSR exit.
        
        The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
        stackmap constant rather than baking the constant into the OSRExit data structure.
        So, not a big deal, but worth fixing.
        
        Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasConstantNumber):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionOtherFalse):
        (functionUndefined):
        * runtime/Intrinsic.h:
        * tests/stress/fold-to-double-constant-then-exit.js: Added.
        (foo):
        * tests/stress/fold-to-int52-constant-then-exit.js: Added.
        (foo):

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        Provide feedback when we encounter an unrecognied node in the FTL backend.

        Rubber stamped by Alexey Proskuryakov.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2014-04-21  Andreas Kling  <akling@apple.com>

        Move the JSString cache from DOMWrapperWorld to VM.
        <https://webkit.org/b/131940>

        Reviewed by Geoff Garen.

        * runtime/VM.h:

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        Take block execution count estimates into account when voting double
        https://bugs.webkit.org/show_bug.cgi?id=131906

        Reviewed by Geoffrey Garen.
        
        This was a drama in three acts.
        
        Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
            number of uses of a variable that want double or non-double. Easy as pie. This
            gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
            else.
        
        Act II: Realize that there were some programs where our previous double voting was
            just on the edge of disaster and making it more precise tipped it over. In
            particular, if you had an integer variable that would infrequently be used in a
            computation that resulted in a variable that was frequently used as an array index,
            the outer infrequentness would be the thing we'd use in the vote. So, an array
            index would become double. We fix this by reviving global backwards propagation
            and introducing the concept of ReallyWantsInt, which is used just for array
            indices. Any variable transitively flagged as ReallyWantsInt will never be forced
            double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
            be set in bitops for RageConversion but using it for double forcing is too much.
            Basically, it's cheaper to have to convert a double to an int for a bitop than it
            is to convert a double to an int for an array index; also a variable being used as
            an array index is a much stronger hint that it ought to be an int. This recovered
            performance on everything except programs that used FTL OSR entry.
        
        Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
            count, which then completely pollutes the weighting - essentially all votes go
            NaN. Fix this with some surgical defenses. Basically, any client of execution
            counts should allow for them to be NaN and shouldn't completely fall off a cliff
            when it happens.
        
        This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
        7% speed-up on AsmBench and 2% speed-up on Kraken.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::voteNode):
        (JSC::DFG::Graph::voteChildren):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGVariableAccessData.cpp: Added.
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsCaptured):
        (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
        (JSC::DFG::VariableAccessData::predict):
        (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (JSC::DFG::VariableAccessData::flushFormat):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::vote):
        (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
        (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
        (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
        (JSC::DFG::VariableAccessData::predict): Deleted.
        (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
        (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
        (JSC::DFG::VariableAccessData::flushFormat): Deleted.

2014-04-21  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r167591): ARM64 and ARM traditional builds broken
        https://bugs.webkit.org/show_bug.cgi?id=131935

        Reviewed by Mark Hahnenberg.

        Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
        macro assemblers.  Added a new test for the original patch.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::store8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store8):
        * tests/stress/dfg-create-arguments-inline-alloc.js: New test.

2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline allocate Arguments objects in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=131897

        Reviewed by Geoffrey Garen.

        Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
        This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
        for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Arguments.h:
        (JSC::Arguments::offsetOfActivation):
        (JSC::Arguments::offsetOfOverrodeLength):
        (JSC::Arguments::offsetOfIsStrictMode):
        (JSC::Arguments::offsetOfRegisterArray):
        (JSC::Arguments::offsetOfCallee):
        (JSC::Arguments::allocationSize):

2014-04-20  Andreas Kling  <akling@apple.com>

        Speed up jsStringWithCache() through WeakGCMap inlining.
        <https://webkit.org/b/131923>

        Always inline WeakGCMap::add() but move the slow garbage collecting
        path out-of-line.

        Reviewed by Darin Adler.

        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::gcMap):

2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>

        JavaScriptCore: ARM build fix after r167094.
        https://bugs.webkit.org/show_bug.cgi?id=131612

        Reviewed by Michael Saboff.

        After r167094 there are many build errors on ARM like these:

            /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
            /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
            /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
            /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup

        Problem is caused by the wrong generated assembly like:
            "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741

        `mov` can only move 8 bit immediate, but not every constant fit into 8 bit. Clang converts
        the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
        Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
        use case: move rn, (label1-label2) which is translated to movw and movt.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/arm.rb:
        * offlineasm/instructions.rb:

2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Unreviewed build fix after r167336.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchAdd32):

2014-04-20  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167501.
        https://bugs.webkit.org/show_bug.cgi?id=131913

        It broke DYEBench (Requested by mhahnenberg on #webkit).

        Reverted changeset:

        "Deleting properties poisons objects"
        https://bugs.webkit.org/show_bug.cgi?id=131551
        http://trac.webkit.org/changeset/167501

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        It should be OK to store new fields into objects that have no prototypes
        https://bugs.webkit.org/show_bug.cgi?id=131905

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        * tests/stress/put-by-id-transition-null-prototype.js: Added.
        (foo):

2014-04-19  Benjamin Poulain  <bpoulain@apple.com>

        Make the CSS JIT compile for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=131834

        Reviewed by Gavin Barraclough.

        Extend the ARM64 MacroAssembler to support the code generation required by
        the CSS JIT.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::addPtrNoFlags):
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::branchPtr):
        (JSC::MacroAssemblerARM64::test32):
        (JSC::MacroAssemblerARM64::branch):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::test32):

2014-04-19  Andreas Kling  <akling@apple.com>

        Two little shortcuts to the JSType.
        <https://webkit.org/b/131896>

        Tweak two sites that take the long road through JSCell::structure()->typeInfo()
        to look at data that's already in JSCell::type().

        Reviewed by Darin Adler.

        * runtime/NameInstance.h:
        (JSC::isName):
        * runtime/NumberPrototype.cpp:
        (JSC::toThisNumber):

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        Make it easier to check if an integer sum would overflow
        https://bugs.webkit.org/show_bug.cgi?id=131900

        Reviewed by Darin Adler.

        * dfg/DFGOperations.cpp:
        * runtime/Operations.h:
        (JSC::jsString):

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.

        * dfg/DFGOperations.cpp:
        * runtime/JSString.h:
        (JSC::JSRopeString::RopeBuilder::append):

2014-04-18  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r164205): WebKit crash @StructureIDTable::get.
        <https://webkit.org/b/130539>

        Reviewed by Geoffrey Garen.

        prepareOSREntry() prepares for OSR entry by first copying the local var
        values from the baseline frame to a scartch buffer, which is then used
        to fill in the locals in their new position in the DFG frame.  Unfortunately,
        prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
        size of the baseline frame.  As a result, some values of locals in the
        baseline frame were not saved off, and the DFG frame may get initialized
        with random content that happened to be in the uninitialized (and possibly
        unallocated) portions of the scratch buffer.

        The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
        number of locals in the baseline frame that we want to copy to the scratch
        buffer.

        Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
        at offset 0 in the scratch buffer.  So, we continue to write that value
        there, not the baseline frame size.

        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):

2014-04-18  Timothy Hatcher  <timothy@apple.com>

        Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=131673

        Passes existing profiler and inspector tests.

        Reviewed by Joseph Pecoraro.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSConsoleClient.cpp:
        (Inspector::JSConsoleClient::JSConsoleClient):
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        (Inspector::JSConsoleClient::count): Deleted.
        * inspector/JSConsoleClient.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/agents/InspectorProfilerAgent.cpp: Added.
        (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
        (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
        (Inspector::InspectorProfilerAgent::addProfile):
        (Inspector::InspectorProfilerAgent::createProfileHeader):
        (Inspector::InspectorProfilerAgent::enable):
        (Inspector::InspectorProfilerAgent::disable):
        (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
        (Inspector::InspectorProfilerAgent::getProfileHeaders):
        (Inspector::buildInspectorObject):
        (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
        (Inspector::InspectorProfilerAgent::getCPUProfile):
        (Inspector::InspectorProfilerAgent::removeProfile):
        (Inspector::InspectorProfilerAgent::reset):
        (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorProfilerAgent::start):
        (Inspector::InspectorProfilerAgent::stop):
        (Inspector::InspectorProfilerAgent::setRecordingProfile):
        (Inspector::InspectorProfilerAgent::startProfiling):
        (Inspector::InspectorProfilerAgent::stopProfiling):
        * inspector/agents/InspectorProfilerAgent.h: Added.
        * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
        (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
        (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
        * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
        * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
        * profiler/Profile.h:
        * runtime/ConsoleClient.h:

2014-04-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167527.
        https://bugs.webkit.org/show_bug.cgi?id=131883

        Broke 32-bit build (Requested by ap on #webkit).

        Reverted changeset:

        "[Mac] implement WebKitDataCue"
        https://bugs.webkit.org/show_bug.cgi?id=131799
        http://trac.webkit.org/changeset/167527

2014-04-18  Eric Carlson  <eric.carlson@apple.com>

        [Mac] implement WebKitDataCue
        https://bugs.webkit.org/show_bug.cgi?id=131799

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.

2014-04-18  Filip Pizlo  <fpizlo@apple.com>

        Actually address Mark's review feedback.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):

2014-04-18  Filip Pizlo  <fpizlo@apple.com>

        Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
        https://bugs.webkit.org/show_bug.cgi?id=131850

        Reviewed by Mark Hahnenberg.
        
        Templatize ExecutionCounter to allow for two different styles of calculating the
        checkpoint threshold.
        
        Appears to be a slight speed-up on DYEBench.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::llintExecuteCounter):
        (JSC::CodeBlock::offsetOfJITExecuteCounter):
        (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
        (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
        (JSC::CodeBlock::jitExecuteCounter):
        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
        (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
        (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
        (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
        (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
        (JSC::applyMemoryUsageHeuristics):
        (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
        (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
        (JSC::ExecutionCounter<countingVariant>::setThreshold):
        (JSC::ExecutionCounter<countingVariant>::reset):
        (JSC::ExecutionCounter<countingVariant>::dump):
        (JSC::ExecutionCounter::ExecutionCounter): Deleted.
        (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
        (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
        (JSC::ExecutionCounter::setNewThreshold): Deleted.
        (JSC::ExecutionCounter::deferIndefinitely): Deleted.
        (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
        (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
        (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
        (JSC::ExecutionCounter::setThreshold): Deleted.
        (JSC::ExecutionCounter::reset): Deleted.
        (JSC::ExecutionCounter::dump): Deleted.
        * bytecode/ExecutionCounter.h:
        (JSC::formattedTotalExecutionCount):
        (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
        (JSC::ExecutionCounter::clippedThreshold):
        (JSC::ExecutionCounter::formattedTotalCount): Deleted.
        * dfg/DFGJITCode.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * llint/LowLevelInterpreter.asm:
        * runtime/Options.h:

2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Deleting properties poisons objects
        https://bugs.webkit.org/show_bug.cgi?id=131551

        Reviewed by Geoffrey Garen.

        This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
        (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
        Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
        delete transitions, but we allow transitioning from them.
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
        (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.

2014-04-17  Filip Pizlo  <fpizlo@apple.com>

        InlineCallFrameSet should be refcounted
        https://bugs.webkit.org/show_bug.cgi?id=131829

        Reviewed by Geoffrey Garen.
        
        And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
        became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
        Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
        the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
        
        So, just make the darn thing refcounted.

        * bytecode/InlineCallFrameSet.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::requiredRegisterCountForExit):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        * dfg/DFGPlan.h:
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):

2014-04-17  Filip Pizlo  <fpizlo@apple.com>

        FTL::fail() should manage memory "correctly"
        https://bugs.webkit.org/show_bug.cgi?id=131823
        <rdar://problem/16384297>

        Reviewed by Oliver Hunt.

        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):

2014-04-17  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagator should correctly model Int52s flowing through arguments
        https://bugs.webkit.org/show_bug.cgi?id=131822
        <rdar://problem/16641408>

        Reviewed by Oliver Hunt.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * tests/stress/int52-argument.js: Added.
        (foo):
        * tests/stress/int52-variable.js: Added.
        (foo):

2014-04-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
        https://bugs.webkit.org/show_bug.cgi?id=131798

        Reviewed by Alexey Proskuryakov.
        
        Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
        of this assertion can return. For now, it's not clear that the assertion is guarding
        any truly undesirable behavior - so it should just go away and be replaced with a
        FIXME.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-04-17  David Kilzer  <ddkilzer@apple.com>

        Blind attempt to fix Windows build after r166837
        <http://webkit.org/b/131246>

        Hoping to fix this build error:

            warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
        boo-boo by changing the GCLogging.cpp ClCompile entry to a
        GCLogging.h ClInclude entry.

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
        https://bugs.webkit.org/show_bug.cgi?id=131764

        Reviewed by Geoffrey Garen.
        
        The attached test case can be made to not crash by deleting old code. It used to be
        the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
        long ago. At this point, these guards just make life difficult. So get rid of them.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * tests/stress/bug-131764.js: Added.
        (test1):
        (test2):

2014-04-17  Darin Adler  <darin@apple.com>

        Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
        https://bugs.webkit.org/show_bug.cgi?id=131785
        rdar://problem/16003108

        Reviewed by Brady Eidson.

        * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.

2014-04-16  Alexey Proskuryakov  <ap@apple.com>

        Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)

        * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Extra error reporting for invalid value conversions
        https://bugs.webkit.org/show_bug.cgi?id=131786

        Rubber stamped by Ryosuke Niwa.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Sink NaN sanitization to uses and remove it when it's unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=131419

        Reviewed by Oliver Hunt.
        
        This moves NaN purification to stores that could see an impure NaN.
        
        5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
        though, because of the other bug that causes that benchmark to box doubles in a loop.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isMachineIntSpeculationForArithmetic):
        (JSC::isDoubleSpeculation):
        (JSC::isDoubleSpeculationForArithmetic):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueRep):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueRep):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * runtime/PureNaN.h:
        * tests/stress/float32-array-nan-inlined.js: Added.
        (foo):
        (test):
        * tests/stress/float32-array-nan.js: Added.
        (foo):
        (test):
        * tests/stress/float64-array-nan-inlined.js: Added.
        (foo):
        (isBigEndian):
        (test):
        * tests/stress/float64-array-nan.js: Added.
        (foo):
        (isBigEndian):
        (test):

2014-04-16  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
        to 32-bit builds, and revise the comment to explain what we are
        doing.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isMachineInt): Provide motivation for the new
        'isinf' check for our 32-bit code path.

2014-04-16  Juergen Ributzka  <juergen@apple.com>

        Allocate the data section on the heap again for FTL on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=130156

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:

2014-04-16  Mark Lam  <mark.lam@apple.com>

        Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
        <https://webkit.org/b/131747>

        Reviewed by Filip Pizlo.

        When the debugger is about to activate (e.g. enter stepping mode), it first
        waits for all DFG compilations to complete.  However, when the DFG completes,
        if compilation is successful, it will install a new DFG codeBlock.  The
        CodeBlock installation process is required to register codeBlocks with the
        debugger.  Debugger::registerCodeBlock() will eventually call
        CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
        trying to install.  Thereafter, chaos ensues.

        This jettison'ing only happens because the debugger currently set its
        m_steppingMode flag before waiting for compilation to complete.  The fix is
        simply to set that flag only after compilation is complete.

        * debugger/Debugger.cpp:
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::registerCodeBlock):

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
        https://bugs.webkit.org/show_bug.cgi?id=131420

        Reviewed by Oliver Hunt.
        
        Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
        replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
        goes through the purifyNaN() API.
        
        SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
        
        Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
        have to be too cautious since most prediction-based logic only cares about whether or not
        a value could be an integer.
        
        AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
        anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
        soundly and precisely.
        
        No performance change because this just unblocks
        https://bugs.webkit.org/show_bug.cgi?id=131419.

        * API/JSValueRef.cpp:
        (JSValueMakeNumber):
        (JSValueToNumber):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromValue):
        (JSC::typeOfDoubleSum):
        (JSC::typeOfDoubleDifference):
        (JSC::typeOfDoubleProduct):
        (JSC::polluteDouble):
        (JSC::typeOfDoubleQuotient):
        (JSC::typeOfDoubleMinMax):
        (JSC::typeOfDoubleNegation):
        (JSC::typeOfDoubleAbs):
        (JSC::typeOfDoubleFRound):
        (JSC::typeOfDoubleBinaryOp):
        (JSC::typeOfDoubleUnaryOp):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNode.h:
        (JSC::DFG::BranchTarget::BranchTarget):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
        (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstanceCache.h:
        (JSC::DateInstanceData::DateInstanceData):
        (JSC::DateInstanceCache::reset):
        * runtime/ExceptionHelpers.cpp:
        (JSC::TerminatedExecutionError::defaultValue):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toNumberSlowCase):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::jsNaN):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::getPrimitiveNumber):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        (JSC::toDouble):
        (JSC::jsToNumber):
        (JSC::parseFloat):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        * runtime/PureNaN.h: Added.
        (JSC::pureNaN):
        (JSC::isImpureNaN):
        (JSC::purifyNaN):
        * runtime/TypedArrayAdaptors.h:
        (JSC::FloatTypedArrayAdaptor::toJSValue):

2014-04-16  Juergen Ributzka  <juergen@apple.com>

        Enable system library calls in FTL for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=130154

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):

2014-04-16  peavo@outlook.com  <peavo@outlook.com>

        Fix JSC Debug Regressions on Windows
        https://bugs.webkit.org/show_bug.cgi?id=131182

        Reviewed by Brent Fulgham.

        The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
        and set the st floating point register tags, if the value of the number parameter is infinite.
        If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
        This can be avoided by checking for infinity first.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions): Re-enable jit for Windows.

2014-04-16  Oliver Hunt  <oliver@apple.com>

        Simple ES6 feature:Array.prototype.fill
        https://bugs.webkit.org/show_bug.cgi?id=131703

        Reviewed by David Hyatt.

        Add support for Array.prototype.fill

        * builtins/Array.prototype.js:
        (fill):
        * runtime/ArrayPrototype.cpp:

2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=131728

        Reviewed by Darin Adler.

        * runtime/JSObject.cpp:
        (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
        path we expect to never take. Also shut up confused compilers about uninitialized things.

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, ARMv7 build fix after r167336.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchAdd32):

2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed, ARM64 buildfix after r167336.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        compileMakeRope does not emit necessary bounds checks
        https://bugs.webkit.org/show_bug.cgi?id=130684
        <rdar://problem/16398388>

        Reviewed by Oliver Hunt.
        
        Add string length bounds checks in a bunch of places. We should never allow a string
        to have a length greater than 2^31-1 because it's not clear that the language has
        semantics for it and because there is code that assumes that this cannot happen.
        
        Also add a bunch of tests to that effect to cover the various ways in which this was
        previously allowed to happen.

        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::RopeBuilder::expand):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSRopeString::RopeBuilder::append):
        (JSC::JSRopeString::RopeBuilder::release):
        (JSC::JSRopeString::append):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        * tests/stress/make-large-string-jit-strcat.js: Added.
        (foo):
        * tests/stress/make-large-string-jit.js: Added.
        (foo):
        * tests/stress/make-large-string-strcat.js: Added.
        * tests/stress/make-large-string.js: Added.

2014-04-15  Julien Brianceau  <jbriance@cisco.com>

        Remove invalid sh4 specific code in JITInlines header.
        https://bugs.webkit.org/show_bug.cgi?id=131692

        Reviewed by Geoffrey Garen.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
        anymore since r160244, so the sh4 specific code is invalid now
        and has to be removed.

2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix precedence issue in JSCell:setRemembered

        Rubber stamped by Filip Pizlo.

        * runtime/JSCell.h:
        (JSC::JSCell::setRemembered):

2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API external object graphs don't handle generational collection properly
        https://bugs.webkit.org/show_bug.cgi?id=131634

        Reviewed by Geoffrey Garen.

        If the set of Objective-C objects transitively reachable through an object changes, we 
        need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
        won't rescan the external object graph, which would lead us to consider a newly allocated 
        JSManagedValue to be dead.

        * API/JSBase.cpp:
        (JSSynchronousEdenCollectForDebugging):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (-[JSVirtualMachine isOldExternalObject:]):
        (-[JSVirtualMachine addExternalRememberedObject:]):
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        (-[JSVirtualMachine externalRememberedSet]):
        (scanExternalObjectGraph):
        (scanExternalRememberedSet):
        * API/JSVirtualMachineInternal.h:
        * API/tests/testapi.mm:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC::Heap::slotVisitor):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRoot):
        (JSC::SlotVisitor::containsOpaqueRootTriState):

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
        https://bugs.webkit.org/show_bug.cgi?id=131423

        Reviewed by Geoffrey Garen.
        
        This introduces more static typing into DFG IR. Previously we just had the notion of
        JSValues and Storage. This was weird because doubles weren't always convertible to
        JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
        sort of insert explicit conversion nodes just for the places where we knew that an
        implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
        we'd get bugs from forgetting to do the right conversion.
        
        This patch introduces a hard and fast rule: doubles can never be implicitly converted to
        anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
        nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
        conversions. They are like Identity but return the same value using a different
        representation. Likewise, constants may now be represented using either JSConstant,
        Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
        Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
        Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
        we speculate DoubleReal and expect Double representation.
        
        In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
        this also makes it easier to introduce optimizations in the future. It's now possible for
        AI to model when/how conversion take place. For example if doing a conversion results in
        NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
        what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
        
        This was a big change, so I had to do some interesting things, like finally get rid of
        the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
        the ByteCodeParser no longer emits Identity nodes since that was always pointless.
        
        No performance change because this mostly just rationalizes preexisting behavior.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
        (JSC::DFG::AbstractInterpreter::setConstant):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        (JSC::DFG::AbstractValue::checkConsistency):
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBasicBlockInlines.h:
        (JSC::DFG::BasicBlock::appendNode):
        (JSC::DFG::BasicBlock::appendNonTerminal):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::willNotHaveCheck):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
        (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
        (JSC::DFG::FixupPhase::fixEdgeRepresentation):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        (JSC::DFG::FixupPhase::addRequiredPhantom):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addNode):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertNode):
        (JSC::DFG::InsertionSet::insertConstant):
        (JSC::DFG::InsertionSet::insertConstantForUse):
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
        (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentity):
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::setResult):
        (JSC::DFG::Node::result):
        (JSC::DFG::Node::isConstant):
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::hasInt32Result):
        (JSC::DFG::Node::hasInt52Result):
        (JSC::DFG::Node::hasNumberResult):
        (JSC::DFG::Node::hasDoubleResult):
        (JSC::DFG::Node::hasJSResult):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::hasStorageResult):
        (JSC::DFG::Node::defaultUseKind):
        (JSC::DFG::Node::defaultEdge):
        (JSC::DFG::Node::convertToIdentity): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::canonicalResultRepresentation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGResurrectionForValidationPhase.cpp:
        (JSC::DFG::ResurrectionForValidationPhase::run):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
        (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
        (JSC::DFG::JSValueRegsTemporary::regs):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileValueRep):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::allocate):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::boxDouble):
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::jsValueResult):
        (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
        (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
        (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::shouldNotHaveTypeCheck):
        (JSC::DFG::mayHaveTypeCheck):
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):
        (JSC::DFG::isCell):
        (JSC::DFG::usesStructure):
        (JSC::DFG::useKindForResult):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGVariadicFunction.h: Removed.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
        (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
        (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
        (JSC::FTL::LowerDFGToLLVM::compileValueRep):
        (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compare):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (JSC::FTL::LowerDFGToLLVM::lowInt52):
        (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
        (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateNumber):
        (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
        (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
        (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
        (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::sanitizeDouble):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::boxDouble):

2014-04-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167199 and r167251.
        https://bugs.webkit.org/show_bug.cgi?id=131678

        Caused a DYEBench regression and does not seem to improve perf
        on relevant websites (Requested by rniwa on #webkit).

        Reverted changesets:

        "Rewrite Function.bind as a builtin"
        https://bugs.webkit.org/show_bug.cgi?id=131083
        http://trac.webkit.org/changeset/167199

        "Update test result"
        http://trac.webkit.org/changeset/167251

2014-04-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167272.
        https://bugs.webkit.org/show_bug.cgi?id=131666

        Broke multiple tests (Requested by ap on #webkit).

        Reverted changeset:

        "Function.bind itself is too slow"
        https://bugs.webkit.org/show_bug.cgi?id=131636
        http://trac.webkit.org/changeset/167272

2014-04-14  Geoffrey Garen  <ggaren@apple.com>

        ASSERT when firing low memory warning
        https://bugs.webkit.org/show_bug.cgi?id=131659

        Reviewed by Mark Hahnenberg.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
        called when no GC is happening because that is what we do when a low
        memory warning fires, and it is harmless.

2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        emit_op_put_by_id should not emit a write barrier that filters on value
        https://bugs.webkit.org/show_bug.cgi?id=131654

        Reviewed by Filip Pizlo.

        The 32-bit implementation does this, and it can cause crashes if we later repatch the 
        code to allocate and store new Butterflies.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on 
        32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag 
        load down into the if statement so that we don't do it if we're not filtering on the value.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_id):

2014-04-14  Oliver Hunt  <oliver@apple.com>

        Function.bind itself is too slow
        https://bugs.webkit.org/show_bug.cgi?id=131636

        Reviewed by Geoffrey Garen.

        Rather than forcing creation of an activation, we now store
        bound function properties directly on the returned closure.
        This is necessary to deal with code that creates many function
        bindings, but does not call them very often.

        This is a 60% speed up in the included js/regress test.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
        (bind.else.switch.case.1.bindingFunction):
        (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
        (bind.else.switch.case.2.bindingFunction):
        (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
        (bind.else.switch.case.3.bindingFunction):
        (bind.else.switch.bindingFunction):
        (bind):
        (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
        (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
        (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
        * runtime/CommonIdentifiers.h:

2014-04-14  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Allow use of SubImmediates in LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=131608

        Reviewed by Mark Lam.

        Allow use of SubImmediates with const pool so the sh4 architecture can
        share the arm path for setEntryAddress macro. It reduces architecture
        specific code and lead to a more optimal generated code for sh4.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/sh4.rb:

2014-04-14  Andreas Kling  <akling@apple.com>

        Array.prototype.concat should allocate output storage only once.
        <https://webkit.org/b/131609>

        Do a first pass across 'this' and any arguments to compute the
        final size of the resulting array from Array.prototype.concat.
        This avoids having to grow the output incrementally as we go.

        This also includes two other micro-optimizations:

        - Mark getProperty() with ALWAYS_INLINE.

        - Use JSArray::length() instead of taking the generic property
          lookup path when we know an argument is an Array.

        My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.

        Reviewed by Oliver & Darin.

        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::arrayProtoFuncConcat):

2014-04-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167249.
        https://bugs.webkit.org/show_bug.cgi?id=131621

        broke 3 tests on cloop (Requested by kling on #webkit).

        Reverted changeset:

        "Array.prototype.concat should allocate output storage only
        once."
        https://bugs.webkit.org/show_bug.cgi?id=131609
        http://trac.webkit.org/changeset/167249

2014-04-14  Alex Christensen  <achristensen@webkit.org>

        Fixed potential integer truncation.
        https://bugs.webkit.org/show_bug.cgi?id=131615

        Reviewed by Darin Adler.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        Truncate the size_t to an unsigned after it is limited to 15 instead of before.

2014-04-14  Andreas Kling  <akling@apple.com>

        Array.prototype.concat should allocate output storage only once.
        <https://webkit.org/b/131609>

        Do a first pass across 'this' and any arguments to compute the
        final size of the resulting array from Array.prototype.concat.
        This avoids having to grow the output incrementally as we go.

        This also includes two other micro-optimizations:

        - Mark getProperty() with ALWAYS_INLINE.

        - Use JSArray::length() instead of taking the generic property
          lookup path when we know an argument is an Array.

        My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.

        Reviewed by Darin Adler.

        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::arrayProtoFuncConcat):

2014-04-14  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve the call site of string comparison in some hot path
        https://bugs.webkit.org/show_bug.cgi?id=131605

        Reviewed by Darin Adler.

        When resolved, the String of a JSString is never null. It can be empty but not null.
        The null value is reserved for ropes but those would be resolved when getting the value.

        Consequently, we should use the equal() operation that do not handle null values.
        Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.

        * jit/JITOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        (JSC::JSValue::pureStrictEqual):

2014-04-08  Oliver Hunt  <oliver@apple.com>

        Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Reviewed by Geoffrey Garen.

        This change removes the existing function.bind implementation
        entirely so JSBoundFunction is no more.

        Instead we just return a regular JS closure with a few
        private properties hanging off it that allow us to perform
        the necessary bound function fakery.  While most of this is
        simple, a couple of key changes:

        - The parser and lexer now directly track whether they're
          parsing code for call or construct and convert the private
          name @IsConstructor into TRUETOK or FALSETOK as appropriate.
          This automatically gives us the ability to vary behaviour
          from within the builtin. It also leaves a lot of headroom
          for trivial future improvements.
        - The instanceof operator now uses the prototypeForHasInstance
          private name, and we have a helper function to ensure that
          all objects that need to can update their magical 'prototype'
          property pair correctly.

        * API/JSScriptRef.cpp:
        (parseScript):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.bindingFunction):
        (bind):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind): Deleted.
        * runtime/JSBoundFunction.cpp: Removed.
        * runtime/JSBoundFunction.h: Removed.
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):

2014-04-12  Filip Pizlo  <fpizlo@apple.com>

        Math.fround() should be an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=131583

        Reviewed by Geoffrey Garen.
        
        Makes programs that use Math.fround() run up to 6x faster.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):

2014-04-12  Filip Pizlo  <fpizlo@apple.com>

        FTL should use stackmap register liveness
        https://bugs.webkit.org/show_bug.cgi?id=130791

        Reviewed by Goeffrey Garen.
        
        Enable the stackmap register liveness support by fixing the two last bugs:
        
        - If everything is dead after the patchpoint - a good possibility for a put_by_id -
          then we shouldn't crash due to a null scratch buffer.
        
        - Always consider callee-saves as if they were live. More precisely, we should
          consider those callee-saves that are not saved by the enclosing function to be live.
          For now we do the much simpler thing and consider callee-saves to be always live
          since it has minimal impact on the scratch register allocator. It will know not to
          preserve those for calls, anyway.
        
        I tried writing a test for the null scratch buffer thing, but failed. I will land the
        test anyway since it seems useful.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::usedRegistersFor):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/Options.h:
        * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
        (foo):

2014-04-11  Filip Pizlo  <fpizlo@apple.com>

        DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
        https://bugs.webkit.org/show_bug.cgi?id=131424

        Reviewed by Geoffrey Garen.
        
        This defers type conversion injection until we've decided on types. This makes the
        process of deciding types a bit more flexible - for example we can naturally fixpoint
        and change our minds. Only when things are settled do we actually insert conversions.
        
        This is a necessary prerequisite for keeping double, int52, and JSValue data flow
        separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
        that there are typed uses. If we were eagerly inserting type conversions then we would
        first insert a to/from-JSValue conversion in some cases only to then replace it by
        the other conversions. It's probably trivial to remove those redundant conversions later
        but I think it's better if we don't insert them to begin with.

        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::operator!):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        (JSC::DFG::FixupPhase::addRequiredPhantom):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
        (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.

2014-04-11  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: code generator should consider enclosing class when computing duplicate type names
        https://bugs.webkit.org/show_bug.cgi?id=131554

        Reviewed by Timothy Hatcher.

        We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
        can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
        by the enclosing class and enum name.

        Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.type_name): Prepend the enclosing class name.
        (Type.type_name.is):
        * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
        * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.

2014-04-11  Gavin Barraclough  <baraclough@apple.com>

        Rollout - Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Unreviewed.

        Rolling out r167020 while investigating a performance regression.

        * API/JSObjectRef.cpp:
        (JSObjectMakeConstructor):
        * API/JSScriptRef.cpp:
        (parseScript):
        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (apply):
        (bind.bindingFunction): Deleted.
        (bind.else.bindingFunction): Deleted.
        (bind): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/ArgumentsIteratorConstructor.cpp:
        (JSC::ArgumentsIteratorConstructor::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSBoundFunction.cpp: Added.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::destroy):
        (JSC::JSBoundFunction::customHasInstance):
        (JSC::JSBoundFunction::JSBoundFunction):
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h: Added.
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor): Deleted.
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectPrototypeProperty): Deleted.
        (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
        * runtime/JSObject.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::finishCreation):
        * runtime/MapIteratorConstructor.cpp:
        (JSC::MapIteratorConstructor::finishCreation):
        * runtime/NameConstructor.cpp:
        (JSC::NameConstructor::finishCreation):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::SetConstructor::finishCreation):
        * runtime/SetIteratorConstructor.cpp:
        (JSC::SetIteratorConstructor::finishCreation):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/WeakMapConstructor.cpp:
        (JSC::WeakMapConstructor::finishCreation):

2014-04-11  David Kilzer  <ddkilzer@apple.com>

        [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
        <http://webkit.org/b/131556>
        <rdar://problem/16591856>

        Reviewed by Brent Fulgham.

        * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
        OTHER_LDFLAGS so the ASan build does not try to link to
        libclang_rt.asan_osx_dynamic.dylib.

2014-04-11  Mark Lam  <mark.lam@apple.com>

        JSMainThreadExecState::call() should clear exceptions before returning.
        <https://webkit.org/b/131530>

        Reviewed by Geoffrey Garen.

        Added a version of JSC::call() that return any uncaught exception instead
        of leaving it pending in the VM.

        As part of this change, I updated various parts of the code base to use the
        new API as needed.

        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
          The injected scripts that will include Inspector scripts that should catch
          and handle any exceptions that were thrown.  We should not be seeing any
          exceptions returned from this call.  However, we do have checks for
          exceptions in case there are bugs in the Inspector scripts which allowed
          the exception to leak through.  Hence, it is proper to clear the exception
          here, and only record the fact that an exception was seen (if present).

        * bindings/ScriptFunctionCall.h:
        * inspector/InspectorEnvironment.h:
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/CallData.h:

2014-04-11  Oliver Hunt  <oliver@apple.com>

        Add BuiltinLog function to make debugging builtins easier
        https://bugs.webkit.org/show_bug.cgi?id=131550

        Reviewed by Andreas Kling.

        Add a logging function that builtins can use for debugging.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncBuiltinLog):
        * runtime/JSGlobalObjectFunctions.h:

2014-04-11  Julien Brianceau  <jbriance@cisco.com>

        Fix LLInt for sh4 architecture (broken since C stack merge).
        https://bugs.webkit.org/show_bug.cgi?id=131532

        Reviewed by Mark Lam.

        This patch fixes build and also implements sh4 parts for initPCRelative and
        setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/sh4.rb:

2014-04-10  Michael Saboff  <msaboff@apple.com>

        Crash beneath DFG JIT code @ video.disney.com
        https://bugs.webkit.org/show_bug.cgi?id=131447

        Reviewed by Geoffrey Garen.

        The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
        'tag not less than Undefined' check.  The first check was incorrectly elided if we
        knew that the value *was* an int32, when it should have been elided if we already
        knew that the value *was not* an int32.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * tests/stress/test-spec-misc.js: Added test.
        (getX):
        (foo):
        (bar):

2014-04-08  Filip Pizlo  <fpizlo@apple.com>

        Make room for additional types in SpeculatedType.h
        https://bugs.webkit.org/show_bug.cgi?id=131422

        Reviewed by Sam Weinig.
        
        This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.

        * bytecode/SpeculatedType.h:

2014-04-10  Alex Christensen  <achristensen@webkit.org>

        Compile fix for Win64.
        https://bugs.webkit.org/show_bug.cgi?id=131508

        Reviewed by Geoffrey Garen.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        Added unsigned template parameter to distinguish between size_t and unsigned long.

2014-04-10  Michael Saboff  <msaboff@apple.com>

        LLInt interpreter code should be generated as part of one function
        https://bugs.webkit.org/show_bug.cgi?id=131205

        Reviewed by Mark Lam.

        Changed the generation of llint opcodes so that they are all part of the same
        global function, llint_entry.  That function is used to fill in an entry point
        table that includes each of the opcodes and helpers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Added appropriate use of new -I option to offline assembler and offset
        generator scripts.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/cloop.rb:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/instructions.rb:
        * offlineasm/parser.rb:
        * offlineasm/registers.rb:
        * offlineasm/self_hash.rb:
        * offlineasm/settings.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:
        Added a new "global" keyword to the offline assembler that denotes a label that
        should be exported.  Added opcode and operand support to get the absolute
        address of a local label using position independent calculations.  Updated the
        offline assembler to handle included files, both when generating the checksum
        as well as including files from other than the local directory via a newly
        added -I option.  The offline assembler now automatically determines external
        functions by keeping track of referenced functions that are defined within the
        assembly source.  This is used both for choosing the correct macro for external
        references as well as generating the needed EXTERN directives for masm.
        Updated the generation of the masm only .sym file to be written once at the end
        of the offline assembler.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JITStubs.h:
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodeFunctionPtr):
        (JSC::LLInt::getOpcode): Deleted.
        (JSC::LLInt::getCodePtr): Deleted.
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        * llint/LLIntThunks.h:
        Changed references to llint helpers to go through the entry point table populated
        by llint_entry.  Added helpers to OpcodeID enum for all builds.

        * bytecode/BytecodeList.json:
        * generate-bytecode-files:
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        Reordered sections to match the order that the functions are added to the entry point
        table.  Added new "asmPrefix" property for symbols that have one name but are generated
        with a prefix, e.g. op_enter -> llint_op_enter.  Eliminated the "emitDefineID" property
        as we are using enums for all bytecode references.  Changed the C Loop only
        llint_c_loop_init to llint_entry.

2014-04-10  Matthew Mirman  <mmirman@apple.com>

        WIP for inlining C++.  Added a build target to produce LLVM IR.
        https://bugs.webkit.org/show_bug.cgi?id=130523

        Reviewed by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * build-symbol-table-index.py: Added.
        * build-symbol-table-index.sh: Added.
        * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
        * copy-llvm-ir-to-derived-sources.sh: Added.

2014-04-10  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
        https://bugs.webkit.org/show_bug.cgi?id=131341

        Reviewed by Timothy Hatcher.

        Add support for encoding/decoding unsigned long with EncodedValue.
        It is a distinct type from uint32_t and uint64_t.

        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::convertTo<unsigned long>):
        * replay/EncodedValue.h:

2014-04-10  Mark Lam  <mark.lam@apple.com>

        LLINT loadisFromInstruction should handle the big endian case.
        <https://webkit.org/b/131495>

        Reviewed by Mark Hahnenberg.

        The LLINT loadisFromInstruction macro aims to load the least significant
        32-bit word from the 64-bit bytecode instruction stream and sign extend
        it.  For big endian machines, the current implementation would load the
        wrong 32-bit word.

        Without this fix, the JSC tests will crash on big endian machines.
        Thanks to Tomas Popela for diagnosing this issue.

        * llint/LowLevelInterpreter.asm:

2014-04-09  Mark Lam  <mark.lam@apple.com>

        Temporarily disable the JIT for the Windows port.
        <https://webkit.org/b/131470>

        Reviewed by Brent Fulgham.

        This is a temporary stop gap measure to green the Windows bots until
        we have a fix for https://webkit.org/b/131182.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-04-09  Juergen Ributzka  <juergen@apple.com>

        [FTL] Emit multibyte NOPs on X86-64
        https://bugs.webkit.org/show_bug.cgi?id=131394

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):

2014-04-09  Julien Brianceau  <jbriance@cisco.com>

        Get rid of JITOperationWrappers.h header file.
        https://bugs.webkit.org/show_bug.cgi?id=131450

        Reviewed by Michael Saboff.

        JITOperationWrappers header file contains architecture specific code that is
        not needed anymore, so get rid of it.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * jit/JITOperationWrappers.h: Removed.
        * jit/JITOperations.cpp:

2014-04-09  Mark Lam  <mark.lam@apple.com>

        Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
        <https://webkit.org/b/131449>

        Reviewed by Mark Hahnenberg.

        Change ProtoCallFrame::paddedArgCount to be of type uint32_t.  The argCount
        that it pads is of type int anyway.  It doesn't need to be 64 bit.  This
        also makes it work with the LLINT which is loading it with a loadi
        instruction.

        We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
        when loading the argCount.

        The paddedArgCount issue was causing failures when running the JSC tests on a
        64-bit big endian machine.  In this case, the paddedArgCount in the
        ProtoCallFrame has the value 2.  However, because the paddedArgCount was stored
        as a 64-bit size_t and the LLINT was loading only the low address 32-bits of
        that field, the LLINT got a value of 0 instead of the expected 2.  With this
        patch, we now have a matching store and load of a 32-bit value, and endianness
        no longer comes into play.

        As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
        the payload field of the Register.  In the definition of EncodedValueDescriptor,
        We already ensure that that the payload is in the least significant 32-bits for
        little endian machines, and in the most significant 32-bits for big endian
        machines.  This means that there is no endianness bug when loading this value
        using loadi.  However, adding the PayLoadOffset clarifies the intent of the
        code to load the payload part of the Register value.

        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::setPaddedArgCount):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-04-08  Oliver Hunt  <oliver@apple.com>

        Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Reviewed by Geoffrey Garen.

        This change removes the existing function.bind implementation
        entirely so JSBoundFunction is no more.

        Instead we just return a regular JS closure with a few
        private properties hanging off it that allow us to perform
        the necessary bound function fakery.  While most of this is
        simple, a couple of key changes:

        - The parser and lexer now directly track whether they're
          parsing code for call or construct and convert the private
          name @IsConstructor into TRUETOK or FALSETOK as appropriate.
          This automatically gives us the ability to vary behaviour
          from within the builtin. It also leaves a lot of headroom
          for trivial future improvements.
        - The instanceof operator now uses the prototypeForHasInstance
          private name, and we have a helper function to ensure that
          all objects that need to can update their magical 'prototype'
          property pair correctly.

        * API/JSScriptRef.cpp:
        (parseScript):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.bindingFunction):
        (bind):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind): Deleted.
        * runtime/JSBoundFunction.cpp: Removed.
        * runtime/JSBoundFunction.h: Removed.
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):

2014-04-08  Jon Lee  <jonlee@apple.com>

        Turn MSE on by default
        https://bugs.webkit.org/show_bug.cgi?id=131313
        <rdar://problem/16525223>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2014-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
        https://bugs.webkit.org/show_bug.cgi?id=131406

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::stop):
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        Provide a way to stop externally and a path to stop when in
        the middle of handling a message already with the locked mutex.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
        Provide a way to close externally and a path to close when in
        the middle of handling a message already with a mutex.

2014-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
        https://bugs.webkit.org/show_bug.cgi?id=131398

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        The console object can be deleted from a page or JSContext,
        so keep code that expects that it could have been deleted
        to be resilient in those cases.

        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        Change the FIXMEs to NOTEs that explain why these functions
        have empty implementations for JSContext inspection.

2014-04-08  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix a goofy assertion to fix debug.

        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::isSetter):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        (JSC::PutByIdAccess::customSetter):

2014-04-08  Filip Pizlo  <fpizlo@apple.com>

        Fail silently if the LLVM dylib isn't found
        https://bugs.webkit.org/show_bug.cgi?id=131385

        Reviewed by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVM):
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-04-07  Filip Pizlo  <fpizlo@apple.com>

        Repatch should support setters and plant calls to them directly
        https://bugs.webkit.org/show_bug.cgi?id=130750

        Reviewed by Geoffrey Garen.
        
        All of the infrastructure was in place so this just enables setter optimization.
        
        This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.

        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::setter):
        (JSC::PutByIdAccess::customSetter): Deleted.
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * jit/Repatch.cpp:
        (JSC::toString):
        (JSC::kindFor):
        (JSC::customFor):
        (JSC::generateByIdStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableSetter):
        (JSC::PutPropertySlot::isCacheableSetter):
        (JSC::PutPropertySlot::isCacheableCustom):
        (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
        (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
        * tests/stress/setter.js: Added.
        (foo):

2014-04-07  Filip Pizlo  <fpizlo@apple.com>

        Setters are just getters that take an extra argument and don't return a value
        https://bugs.webkit.org/show_bug.cgi?id=131336

        Reviewed by Geoffrey Garen.
        
        Other than that, they're totally the same thing.
        
        This isn't as dumb as it sounds.        

        Most of the work in calling an accessor has to do with emitting the necessary checks for
        figuring out whether we're calling the accessor we expected, followed by the boilerplate
        needed for setting up a call inside of a stub. It makes sense for the code to be totally
        common.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::moveTrustedValue):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupResults):
        * jit/Repatch.cpp:
        (JSC::kindFor):
        (JSC::customFor):
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::generateGetByIdStub): Deleted.
        (JSC::emitCustomSetterStub): Deleted.
        * runtime/JSCJSValue.h:
        (JSC::JSValue::asValue):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::cachedOffset):

2014-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
        https://bugs.webkit.org/show_bug.cgi?id=131321

        Reviewed by Mark Rowe.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        Avoid attempting to take the same lock twice. Move the received message
        lock grab after the WIRPermissionDenied branch, which takes the lock
        inside RemoteInspector::stop.

2014-04-07  Filip Pizlo  <fpizlo@apple.com>

        Make it possible to disable some of the FTL's more interesting features
        https://bugs.webkit.org/show_bug.cgi?id=131312

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parse):
        * runtime/Options.h:

2014-04-04  Mark Lam  <mark.lam@apple.com>

        Date object needs to check for ES5 15.9.1.14 TimeClip limit.
        <https://webkit.org/b/131248>

        Reviewed by Mark Hahnenberg.

        The current Date object code does not adequately check for the ES5
        15.9.1.14 TimeClip limit.  As a result, some calculations can underflow
        / overflow and produce unexpected results.

        For example, we were getting an assertion failure in
        WTF::equivalentYearForDST() due int underflows in this function, which
        in turn were due to an int overflow in WTF::msToYear().

        This patch adds the needed checks, and adds some assertions to ensure
        that the used values are sane.

        The changes have no noticeable impact on benchmark results.

        * runtime/DateConstructor.cpp:
        (JSC::callDate):
        * runtime/JSDateMath.cpp:
        (JSC::localTimeOffset):
        (JSC::gregorianDateTimeToMS):
        (JSC::msToGregorianDateTime):
        (JSC::parseDateFromNullTerminatedCharacters):
        (JSC::parseDate):
        * runtime/JSDateMath.h:
        - parseDateFromNullTerminatedCharacters() does not need to be public.
          Made it a static function.
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache):
        - Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN()
          to be consistent with other Date code.

2014-04-06  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed speculative 32-bit buildfix after r166837.

        * heap/Heap.cpp:
        (JSC::Heap::updateObjectCounts):

2014-04-06  Dan Bernstein  <mitz@apple.com>

        32-bit build fix.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setInputCursor):

2014-04-04  Brian J. Burg  <burg@cs.washington.edu>

        Enable WEB_REPLAY for PLATFORM(MAC)
        https://bugs.webkit.org/show_bug.cgi?id=130700

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2014-04-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add missing files from r166837

        * heap/GCLogging.cpp: Added.
        (JSC::GCLogging::levelAsString):
        (JSC::LoggingFunctor::LoggingFunctor):
        (JSC::LoggingFunctor::~LoggingFunctor):
        (JSC::LoggingFunctor::operator()):
        (JSC::LoggingFunctor::log):
        (JSC::LoggingFunctor::reviveCells):
        (JSC::LoggingFunctor::returnValue):
        (JSC::GCLogging::dumpObjectGraph):
        * heap/GCLogging.h: Added.

2014-04-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Enhanced GC logging
        https://bugs.webkit.org/show_bug.cgi?id=131246

        Reviewed by Geoff Garen.

        Getting data on the state of the JSC Heap at runtime is currently in a sad state. 
        The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full 
        recompile to turn it on. It would be nice if we could runtime enable our GC logging 
        infrastructure while incurring minimal cost when it is disabled. 

        It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING 
        provides us with the discovered roots along with parent-child relationships as objects 
        are scanned. However, once an object is scanned it will never be declared as the child 
        of another object during that collection. This gives us a tree-like view of the 
        Heap (i.e. each scanned node only reports having a single parent), where the actual 
        Heap can be an arbitrary graph.

        This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances 
        our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose 
        logging levels. None means no logging is done, Basic is what logGC() = true would have done 
        prior to this patch, and Verbose logs all object relationships.

        JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow 
        subclasses to override the default string representation that will be dumped. These 
        methods allow JSCells to be dumped using the standard dataLog() calls similar to much of
        the logging infrastructure in our compilers.

        This patch also adds a GCLogging class that handles dumping the relationships between objects.
        It does this by using the pre-existing visitChildren virtual methods to obtain the immediate
        children of each live cell at the end of garbage collection.

        This change meets our goal of being neutral on the benchmarks we track.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/GCLogging.cpp: Added.
        (JSC::GCLogging::levelAsString):
        (JSC::LoggingFunctor::LoggingFunctor):
        (JSC::LoggingFunctor::operator()):
        (JSC::LoggingFunctor::log):
        (JSC::LoggingFunctor::reviveCells):
        (JSC::LoggingFunctor::returnValue):
        (JSC::GCLogging::dumpObjectGraph):
        * heap/GCLogging.h: Added.
        * heap/GCSegmentedArray.h:
        (JSC::GCSegmentedArray::begin):
        (JSC::GCSegmentedArray::end):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::visitArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::collect):
        (JSC::Heap::didFinishCollection):
        * heap/Heap.h:
        * heap/MarkStack.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::dump):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::markStack):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::dump):
        (JSC::JSCell::dumpToStream):
        (JSC::JSCell::className):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::visitChildren):
        * runtime/JSString.cpp:
        (JSC::JSString::dumpToStream):
        (JSC::JSString::visitChildren):
        * runtime/JSString.h:
        (JSC::JSString::length):
        (JSC::JSRopeString::RopeBuilder::length):
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::setOption):
        (JSC::Options::dumpOption):
        * runtime/Options.h:

2014-04-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph
        https://bugs.webkit.org/show_bug.cgi?id=131251

        Reviewed by Geoffrey Garen.

        * API/JSVirtualMachine.mm:
        (scanExternalObjectGraph):
        * API/tests/testapi.mm:

2014-04-03  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: hook up probe samples to TimelineAgent's records
        https://bugs.webkit.org/show_bug.cgi?id=131127

        Reviewed by Timothy Hatcher.

        * inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction.

2014-04-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r166820.
        https://bugs.webkit.org/show_bug.cgi?id=131256

        Broke builds. (Requested by bdash on #webkit).

        Reverted changeset:

        "WIP for inlining C++.  Added a build target to produce llvm
        ir."
        https://bugs.webkit.org/show_bug.cgi?id=130523
        http://trac.webkit.org/changeset/166820

2014-04-04  Matthew Mirman  <mmirman@apple.com>

        WIP for inlining C++.  Added a build target to produce llvm ir.
        https://bugs.webkit.org/show_bug.cgi?id=130523

        Reviewed by Filip Pizlo.

        The llvm ir gets placed JavaScriptCoreRuntimeToLLVMir.build with the extension .o

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * build_index.py: Added.
        * Configurations/CompileRuntimeToLLVMir.xcconfig: Added.

2014-04-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled
        https://bugs.webkit.org/show_bug.cgi?id=131241

        Reviewed by Timothy Hatcher.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log the exception to the system console if system console output is enabled.

2014-04-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Provide a way for JSContext console to log to system console
        https://bugs.webkit.org/show_bug.cgi?id=131050

        Reviewed by Timothy Hatcher.

        Applications often re-expose some log -> NSLog functionality.
        We already have the capability ourselves, which includes extra
        information such as sourceURL:line:column, all arguments instead
        of just one argument, and backtrace information on console.trace.
        Therefore it would be convenient if developers could just use
        the built-in console.log and get rich output in both the inspector
        and the console, without writing their own logger.

        The logging will be enabled in debug builds by default, and can be enabled
        otherwise by setting a user default before creating the first context.
        
        For example, in the application itself:

            [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"];

        Or from outside the application:
        
            shell> defaults write <app-bundle-identifier> JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES

        * inspector/JSConsoleClient.h:
        * inspector/JSConsoleClient.cpp:
        (Inspector::JSConsoleClient::logToSystemConsole):
        (Inspector::JSConsoleClient::setLogToSystemConsole):
        (Inspector::JSConsoleClient::initializeLogToSystemConsole):
        (Inspector::JSConsoleClient::JSConsoleClient):
        Global setting for logging to system console. Enabled on
        debug builds, and by a user default on supported platforms.

        (Inspector::JSConsoleClient::messageWithTypeAndLevel):
        Log to system console when the static setting is enabled.

        * runtime/ConsoleClient.h:
        * runtime/ConsoleClient.cpp:
        (JSC::appendURLAndPosition):
        (JSC::appendMessagePrefix):
        (JSC::ConsoleClient::printConsoleMessage):
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        Clean up printing. Build strings and use WTFLogAlways instead of printf
        for consistant logging.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        Clean up printing. If there is no source URL, don't print a leading colon.

2014-04-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use JSCell::indexingType instead of Structure::indexingType wherever possible
        https://bugs.webkit.org/show_bug.cgi?id=131230

        Reviewed by Mark Lam.

        Avoid the indirection through the Structure.

        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateIndexingType):
        * bytecode/ArrayAllocationProfile.h:
        (JSC::ArrayAllocationProfile::selectIndexingType):
        * heap/HeapStatistics.cpp:
        (JSC::StorageStatistics::operator()):
        * runtime/ArrayPrototype.cpp:
        (JSC::attemptFastSort):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::objectPrototypeIsSane):
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):

2014-04-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use JSCell::type instead of TypeInfo::type wherever possible
        https://bugs.webkit.org/show_bug.cgi?id=131229

        Reviewed by Michael Saboff.

        Avoid going through the Structure and reifying the TypeInfo.

        * runtime/Executable.h:
        (JSC::ExecutableBase::isEvalExecutable):
        (JSC::ExecutableBase::isProgramExecutable):

2014-04-03  Andreas Kling  <akling@apple.com>

        Fast-path for casting JS wrappers to JSNode.
        <https://webkit.org/b/131196>

        Allow code outside of JSC (well, WebCore) to extend the JSType spectrum
        a little bit. We do this by exposing a LastJSCObjectType constant so
        WebCore can encode its own wrapper types after that.

        Reviewed by Mark Hahnenberg and Geoff Garen.

        * runtime/JSType.h:

            Added LastJSCObjectType for use by WebCore.

        * runtime/JSObject.h:
        (JSC::JSObject::isVariableObject):

            Updated since this can no longer assume that types >= VariableObjectType
            are all variable objects.

2014-04-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        All Heap::writeBarriers should be inline
        https://bugs.webkit.org/show_bug.cgi?id=131197

        Reviewed by Mark Lam.

        One is in a JSCellInlines.h, another is in Heap.cpp. These are all critical 
        enough and small enough to belong in HeapInlines.h. Also added the proper 
        ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds.

        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier): Deleted.
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::writeBarrier):
        * runtime/JSCellInlines.h:
        (JSC::Heap::writeBarrier): Deleted.

2014-04-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=131186

        Reviewed by Geoffrey Garen.

        * API/JSContextPrivate.h:
        * API/JSContext.mm:
        (-[JSContext _includesNativeCallStackWhenReportingExceptions]):
        (-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]):
        JSContext ObjC SPI to opt-out of including native call stacks in exceptions.

        * API/JSContextRefPrivate.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
        (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
        JSContext C SPI to opt-out of including native call stacks in exceptions.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Only include the native call stack if the setting is enabled. It is enabled by default.

2014-04-03  Mark Lam  <mark.lam@apple.com>

        Fix bit rot in ARMv7 JIT probe mechanism.
        <https://webkit.org/b/131167>

        Reviewed by Geoffrey Garen.

        1. The macro assembler does not support pushing the SP register.  Worked
           around this by pushing the LR register as a placeholder, and then
           writing the original SP value to that slot.
        2. The CPUState field in the ProbeContext needs to be aligned on a 4
           byte boundary, not an 8 byte boundary.

        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssemblerARMv7::probe):
        * jit/JITStubsARMv7.h:

2014-04-02  Mark Lam  <mark.lam@apple.com>

        ARMv7 compare32() should not use TST to do CMP's job.
        <https://webkit.org/b/131146>

        Reviewed by Geoffrey Garen.

        The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)"
        was using "tst reg, reg" to implement "cmp reg, #0".  Unfortunately, the tst
        instruction doesn't set the Overflow (V) flag and this results in random
        results depending on whether there was a preceeding instruction that did set
        the Overflow (V) flag.  This issue was causing emscripten-cube2hash to run
        with a lot of OSR exits where not expected as well as producing wrong results.

        The fix is to use "cmp reg, #0" to do the job properly.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::compare32):

2014-04-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlockSet should be generational
        https://bugs.webkit.org/show_bug.cgi?id=127152

        Reviewed by Geoffrey Garen.

        During EdenCollections we now only visit those CodeBlocks that:
        a) Are new since the last collection if they were somehow otherwise reachable.
        b) Are reachable from an Executable that is part of the remembered set.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock): Initialize uninitialized variables.
        (JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the
        shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this).
        We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection).
        (JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for memebership when doing conservative scanning.
        (JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks.
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into 
        the set of old CodeBlocks.
        (JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks.
        (JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the 
        remembered set. When an Executable is added to the remembered set it's typically because we need to do something 
        with its CodeBlock.
        (JSC::CodeBlockSet::clearMarks):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks
        to determine which CodeBlocks are dead and eagerly finalizes/deletes them.
        (JSC::CodeBlockSet::remove):
        (JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks.
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing 
        CodeBlocks because we no longer always do this at the beginning of EdenCollections.
        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation:
        a) A CodeBlock is created and is compiled on a DFG worker thread.
        b) No GC happens.
        c) The CodeBlock has finished being compiled and is installed in the Executable.
        d) The function never executes before the next GC.
        e) The next GC needs needs to visit the new CodeBlock but the Executable won't be revisited unless 
            it's added to the remembered set.

2014-04-02  Mark Lam  <mark.lam@apple.com>

        Added some more dataLog info for OSR exits.
        <https://webkit.org/b/131120>

        Reviewed by Michael Saboff.

        Adding info about the OSR exit index, the bytecode index of the bytecode
        that is OSR exiting, and the reason for the OSR exit.  This change is
        for debugging code which only comes into play when we use the
        --printEachOSRExit option.

        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:

2014-04-02  Martin Robinson  <mrobinson@igalia.com>

        REGRESSION(r165704): [GTK] Inspector resources not correctly generated
        https://bugs.webkit.org/show_bug.cgi?id=130343

        Reviewed by Gustavo Noronha Silva.

        * CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one
        in which it should be distributed. This allows us to more easily package it for GTK+.

2014-04-01  Timothy Hatcher  <timothy@apple.com>

        Remove HeapProfiler from the Web Inspector protocol.

        https://bugs.webkit.org/show_bug.cgi?id=131070

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted.
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/protocol/Console.json:

2014-03-31  Simon Fraser  <simon.fraser@apple.com>

        Enable WEB_TIMING on Mac and iOS
        https://bugs.webkit.org/show_bug.cgi?id=128064

        Reviewed by Sam Weinig, Brent Fulgham.

        Enable WEB_TIMING.

        * Configurations/FeatureDefines.xcconfig:

2014-03-31  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxies objects
        https://bugs.webkit.org/show_bug.cgi?id=130992

        Reviewed by Mark Hahnenberg.

        Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object.

        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        * API/tests/testapi.c:
        (main): Added new test case to validate we are properly foarwarding.

2014-03-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Improve GC_LOGGING
        https://bugs.webkit.org/show_bug.cgi?id=130988

        Reviewed by Geoffrey Garen.

        GC_LOGGING can be useful for diagnosing where we're spending our time during collection, 
        but it doesn't distinguish between Eden and Full collections in the data it gathers. This
        patch updates it so that it can. It also adds the process ID to the beginning of each line 
        of input to be able to distinguish between the output of multiple processes exiting at the 
        same time.

        * heap/Heap.cpp:
        (JSC::Heap::collect):

2014-03-31  Dean Jackson  <dino@apple.com>

        Remove WEB_ANIMATIONS
        https://bugs.webkit.org/show_bug.cgi?id=130989

        Reviewed by Simon Fraser.

        Remove this feature flag until we plan to implement.

        * Configurations/FeatureDefines.xcconfig:

2014-03-31  Filip Pizlo  <fpizlo@apple.com>

        More validation for FTL inline caches
        https://bugs.webkit.org/show_bug.cgi?id=130948

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * runtime/Options.h:

2014-03-31  Filip Pizlo  <fpizlo@apple.com>

        LLVM IR for store barriers should be nicely arranged and they don't need exception checks
        https://bugs.webkit.org/show_bug.cgi?id=130950

        Reviewed by Mark Hahnenberg.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):

2014-03-31  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>

        [CMake] Stop checking for WTF_USE_ICU_UNICODE.
        https://bugs.webkit.org/show_bug.cgi?id=130965

        Reviewed by Martin Robinson.

        This is somewhat of a follow-up to r162782, which got rid of
        WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's
        CMakeLists.txt. This meant the includes and libraries were not
        being properly included since then.

        * CMakeLists.txt:

2014-03-31  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove hostThisRegister() and hostThisValue()
        https://bugs.webkit.org/show_bug.cgi?id=130895

        Reviewed by Geoffrey Garen.

        Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::call):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
        (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
        (Inspector::jsInjectedScriptHostPrototypeFunctionType):
        (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
        (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        * interpreter/CallFrame.h:
        (JSC::ExecState::hostThisRegister): Deleted.
        (JSC::ExecState::hostThisValue): Deleted.
        * runtime/Arguments.cpp:
        (JSC::argumentsFuncIterator):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::arrayProtoFuncValues):
        (JSC::arrayProtoFuncEntries):
        (JSC::arrayProtoFuncKeys):
        * runtime/BooleanPrototype.cpp:
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/ConsolePrototype.cpp:
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        (JSC::dateProtoFuncToJSON):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncBind):
        * runtime/NamePrototype.cpp:
        (JSC::privateNameProtoFuncToString):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncClz):
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString):
        (JSC::numberProtoFuncValueOf):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSplit):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::stringProtoFuncTrim):
        (JSC::stringProtoFuncTrimLeft):
        (JSC::stringProtoFuncTrimRight):

2014-03-28  Filip Pizlo  <fpizlo@apple.com>

        Land the stackmap register liveness glue with the uses of the liveness disabled
        https://bugs.webkit.org/show_bug.cgi?id=130924

        Reviewed by Oliver Hunt.
        
        Add the liveness and fix other bugs I found.

        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::usedRegistersFor):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLSlowPathCallKey.cpp:
        (JSC::FTL::SlowPathCallKey::dump):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::argumentRegisters):
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Record::locationSet):
        (JSC::FTL::StackMaps::Record::liveOutsSet):
        (JSC::FTL::StackMaps::Record::usedRegisterSet):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::registerClobberCheck):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stackRegisters):
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::dump):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::setAny):
        (JSC::RegisterSet::setMany):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-28  Mark Lam  <mark.lam@apple.com>

        mandreel throws a checksum error on 32-bit x86.
        <https://webkit.org/b/125706>

        Reviewed by Filip Pizlo.

        The 32-bit DFG can emit code that loads double constants from its
        CodeBlock's m_constantRegisters vector.  The emitted instruction will
        embed the address of the constant from the vector's backing store.
        Subsequently, while inserting new constants, the DFG may resize the
        vector, thereby reallocating the backing store.  This renders the
        previously embedded constant addresses stale.

        The fix is to use a dedicated doubles constant pool stored in the DFG
        CommonData instead.  This constant pool won't be reallocated, and
        hence will not manifest this issue.

        * dfg/DFGCommonData.h:
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.

2014-03-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.warn is showing as error instead of warning
        https://bugs.webkit.org/show_bug.cgi?id=130921

        Reviewed by Timothy Hatcher.

        * runtime/ConsolePrototype.cpp:
        (JSC::consoleProtoFuncWarn):
        console.warn should be MessageLevel Warning, not Error.

2014-03-28  Oliver Hunt  <oliver@apple.com>

        Fix cloop build.

        * bytecode/BytecodeList.json:

2014-03-28  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling r166248 back in.

        Turns out r166070 didn't cause a 2% performance loss in page load times

        Reverted changeset:

        Unreviewed, rolling out r166126.
        Rollout r166126 in prepartion to roll out prerequisite r166070

2014-03-27  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r166376.
        https://bugs.webkit.org/show_bug.cgi?id=130887

        This was a misguided optimization. (Requested by kling on
        #webkit).

        Reverted changeset:

        "Avoid fetching JSObject::structure() repeatedly in
        putDirectInternal."
        https://bugs.webkit.org/show_bug.cgi?id=130857
        http://trac.webkit.org/changeset/166376

2014-03-27  Oliver Hunt  <oliver@apple.com>

        Support spread operand in |new| expressions
        https://bugs.webkit.org/show_bug.cgi?id=130877

        Reviewed by Michael Saboff.

        Add support for the spread operator being applied in
        |new| expressions.  This required adding support for
        a new opcode, op_construct_varargs.  This is a relatively
        simple refactoring of the call_varargs implementation.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::specializationKind):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Revert http://trac.webkit.org/changeset/166386 because it broke builds.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skip this test for now.

        * tests/stress/recurse-infinitely-on-getter.js:

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130867
        <rdar://problem/16432456> 

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27  Andreas Kling  <akling@apple.com>

        Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
        <https://webkit.org/b/130857>

        Use the cached Structure* instead of re-fetching it over and over since
        that's a non-trivial operation these days.

        Reviewed by Mark Hahnenberg.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):

2014-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Check the remembered set bit faster
        https://bugs.webkit.org/show_bug.cgi?id=130860

        Reviewed by Oliver Hunt.

        Currently we look up the remembered set bit in the MarkedBlock in C++ code, but 
        that bit is also stored in the object. We should look it up there whenever possible.

        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::shouldReportLiveBytes):
        * heap/Heap.cpp:
        (JSC::Heap::addToRememberedSet):
        * heap/Heap.h:
        * heap/HeapInlines.h: Removed.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryUsage):

2014-03-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Provide SPI to disallow remote inspection of a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=130853

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h: Added.
        * API/JSContext.mm:
        (-[JSContext _remoteInspectionEnabled]):
        (-[JSContext _setRemoteInspectionEnabled:]):
        ObjC SPI to enable/disable remote inspection.

        * API/JSContextRefPrivate.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetRemoteInspectionEnabled):
        (JSGlobalContextSetRemoteInspectionEnabled):
        C SPI to enable/disable remote inspection.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new private header, and export as a private header.

2014-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
        https://bugs.webkit.org/show_bug.cgi?id=130845

        Reviewed by Filip Pizlo.

        There was a hack added to make sure C Loop LLInt worked which included overriding the 
        global Options::useLLInt setting, which makes no sense to do here. We should put the 
        update of the global setting in Options::recomputeDependentOptions along with the other 
        execution engine flags.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Enable LLVM stackmap liveOuts computation
        https://bugs.webkit.org/show_bug.cgi?id=130821

        Reviewed by Andy Estes and Sam Weinig.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Record::dump):
        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Parse stackmaps liveOuts
        https://bugs.webkit.org/show_bug.cgi?id=130801

        Reviewed by Geoffrey Garen.
        
        This just adds the code to parse them but doesn't do anything with them, yet.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::forIndirect):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        (JSC::FTL::StackMaps::LiveOut::parse):
        (JSC::FTL::StackMaps::LiveOut::dump):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::Record::dump):
        * ftl/FTLStackMaps.h:

2014-03-26  Mark Lam  <mark.lam@apple.com>

        Build fix after r166307.

        Not reviewed.

        * runtime/JSCell.h:
        - The inline function isAPIValueWrapper() should not be exported.  This
          was causing a linkage error when building for 32-bit x86 on Mac.

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Reasoning about DWARF register numbers should be moved out of FTL::Location
        https://bugs.webkit.org/show_bug.cgi?id=130792

        Reviewed by Oliver Hunt.
        
        Moving this code makes it possible for things other than FTL::Location to reason about
        DWARF register encoding. This refactoring also appears to reduce some code duplication
        and makes FTLLocation.cpp cleaner.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLDWARFRegister.cpp: Added.
        (JSC::FTL::DWARFRegister::reg):
        (JSC::FTL::DWARFRegister::dump):
        * ftl/FTLDWARFRegister.h: Added.
        (JSC::FTL::DWARFRegister::DWARFRegister):
        (JSC::FTL::DWARFRegister::dwarfRegNum):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::hasDwarfReg):
        (JSC::FTL::Location::dwarfReg):

2014-03-26  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix.

        * runtime/JSCell.h: VS2013 confused about argument type.

2014-03-26  Zoltan Horvath  <zoltan@webkit.org>

        [CSS Shapes] Remove shape-inside support
        https://bugs.webkit.org/show_bug.cgi?id=130698

        Reviewed by David Hyatt.

        * Configurations/FeatureDefines.xcconfig:

2014-03-26  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Rename hasFastArrayStorage to be more appropriate
        https://bugs.webkit.org/show_bug.cgi?id=130773

        Reviewed by Filip Pizlo.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::unshift):
        (JSC::Butterfly::shift):
        * runtime/IndexingHeaderInlines.h:
        (JSC::IndexingHeader::preCapacity):
        * runtime/IndexingType.h:
        (JSC::hasArrayStorage):
        (JSC::hasAnyArrayStorage):
        (JSC::hasFastArrayStorage): Deleted.
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2014-03-26  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Removing the remaining Automake cruft.

        * GNUmakefile.list.am: Removed.

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
        https://bugs.webkit.org/show_bug.cgi?id=130764
        <rdar://problem/16304788>

        Reviewed by Sam Weinig.
        
        Being an arguments alias just means that your OSR exit recovery should attempt arguments
        creation. This is true of arguments locals. We had special cases that tried to make it not
        true of arguments locals. The only consequence of those special cases was to cause crashes
        in case of arguments that are also captured variables (i.e. we have SlowArguments). This
        change just removes those special cases.
        
        This change means that the FTL will now see SetLocals with a FlushedArguments format.
        Previously you wouldn't see them because previously only non-captured variable would be
        arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
        left. Adding handling for FlushedArguments is a benign and simple change since its
        behavior is identical to FlushedJSValue for that code's purposes.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        * tests/stress/captured-arguments-variable.js: Added.
        (foo):
        (noInline):

2014-03-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add HeapInlines
        https://bugs.webkit.org/show_bug.cgi?id=130759

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
        (JSC::MarkedBlockSnapshotFunctor::operator()):
        * heap/Heap.h: Also reindented while we're here.
        (JSC::Heap::writeBarrierBuffer):
        (JSC::Heap::vm):
        (JSC::Heap::objectSpace):
        (JSC::Heap::machineThreads):
        (JSC::Heap::operationInProgress):
        (JSC::Heap::allocatorForObjectWithoutDestructor):
        (JSC::Heap::allocatorForObjectWithNormalDestructor):
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
        (JSC::Heap::storageAllocator):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::isSafeToCollect):
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack):
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        (JSC::Heap::jitStubRoutines):
        (JSC::Heap::isDeferred):
        (JSC::Heap::structureIDTable):
        (JSC::Heap::removeCodeBlock):
        * heap/HeapInlines.h: Added.
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isBusy):
        (JSC::Heap::isCollecting):
        (JSC::Heap::heap):
        (JSC::Heap::isLive):
        (JSC::Heap::isInRememberedSet):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::setMarked):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        (JSC::Heap::reportExtraMemoryCost):
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::allocateWithNormalDestructor):
        (JSC::Heap::allocateWithImmortalStructureDestructor):
        (JSC::Heap::allocateWithoutDestructor):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        (JSC::Heap::ascribeOwner):
        (JSC::Heap::blockAllocator):
        (JSC::Heap::releaseSoon):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::markListSet):
        * runtime/JSCInlines.h:

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
        https://bugs.webkit.org/show_bug.cgi?id=130760

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/assign-argument-in-inlined-call.js: Added.
        (f1):
        (getF2Arguments):
        (f2):
        (f3):
        * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
        (f1):
        (f2):
        (f3):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit getter call alignment.

        Reviewed by Mark Hahnenberg.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Repatch should plant calls to getters directly rather than through a C helper
        https://bugs.webkit.org/show_bug.cgi?id=129589

        Reviewed by Mark Hahnenberg.
        
        As the title says. All of the superstructure for this was already in place, so now it
        was just a matter of actually emitting the call.
        
        8x speed-up for getter microbenchmarks. 

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicGetByIdList.h:
        (JSC::GetByIdAccess::doesCalls):
        * jit/AccessorCallJITStubRoutine.cpp: Added.
        (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::visitWeak):
        * jit/AccessorCallJITStubRoutine.h: Added.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeCell):
        * jit/GCAwareJITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::offsetOfGetter):
        (JSC::GetterSetter::offsetOfSetter):

2014-03-25  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling out r166126.

        Rollout r166126 in prepartion to roll out prerequisite r166070

        Reverted changeset:

        "toThis() on a JSWorkerGlobalScope should return a JSProxy and
        not undefined"
        https://bugs.webkit.org/show_bug.cgi?id=130554
        http://trac.webkit.org/changeset/166126

2014-03-25  Oliver Hunt  <oliver@apple.com>

        AST incorrectly conflates readable and writable locations
        https://bugs.webkit.org/show_bug.cgi?id=130734

        Reviewed by Filip Pizlo.

        We need to distinguish between "locations" that are valid for reading
        and writing, vs those that may only be written.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isAssignmentLocation):

2014-03-24  Oliver Hunt  <oliver@apple.com>

        ASSERTION FAILED in Parser: dst != localReg
        https://bugs.webkit.org/show_bug.cgi?id=130710

        Reviewed by Filip Pizlo.

        Just make sure we don't try to write to a captured constant,
        following the change to track captured variables separately.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):

2014-03-25  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Remove the autotools build
        https://bugs.webkit.org/show_bug.cgi?id=130717

        Reviewed by Anders Carlsson.

        * GNUmakefile.am: Removed.
        * config.h: Remove references to the autotools configure file.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        More scaffolding for a stub routine to have a stub recursively embedded inside it
        https://bugs.webkit.org/show_bug.cgi?id=130770

        Reviewed by Oliver Hunt.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
        (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
        * bytecode/CallLinkInfo.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h:
        * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
        (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
        * jit/JITStubRoutine.cpp:
        (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
        * jit/JITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
        (JSC::emitCustomSetterStub): Clean up some code.

2014-03-24  Geoffrey Garen  <ggaren@apple.com>

        Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
        when WebKit is compiled with fcatch-undefined-behavior
        https://bugs.webkit.org/show_bug.cgi?id=130652

        Reviewed by Mark Hahnenberg.

        Use a static member function because the butterfly we pass in might be
        NULL, and passing NULL to a member function is undefined behavior.

        Stylistically, I think this new way reads a little more clearly, since it
        matches createOrGrowArrayRight, and it helps to convey that m_butterfly
        might not exist yet.

        * runtime/Butterfly.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
        because we might create. Split out the create path to avoid using NULL
        in a member function expression.

        Removed some unused versions of this function.

        * runtime/JSObject.cpp:
        (JSC::JSObject::growOutOfLineStorage): Updated for interface change.

2014-03-24  Oliver Hunt  <oliver@apple.com>

        Strict mode destructuring assignment crashes the parser.
        https://bugs.webkit.org/show_bug.cgi?id=130538

        Reviewed by Michael Saboff.

        The SyntaxChecker mode always return 1 for success, except
        for a small subset of functions where we needed exact information.
        This ends up just being a poor design decision as it means
        the parser can get confused between a function return 1, and
        the Resolve constant which was also 1. So we now use a unique
        type for every creation method.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSourceElements):
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::createArguments):
        (JSC::SyntaxChecker::createSpreadExpression):
        (JSC::SyntaxChecker::createArgumentsList):
        (JSC::SyntaxChecker::createPropertyList):
        (JSC::SyntaxChecker::createElementList):
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createClause):
        (JSC::SyntaxChecker::createClauseList):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createBlockStatement):
        (JSC::SyntaxChecker::createExprStatement):
        (JSC::SyntaxChecker::createIfStatement):
        (JSC::SyntaxChecker::createForLoop):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createForOfLoop):
        (JSC::SyntaxChecker::createEmptyStatement):
        (JSC::SyntaxChecker::createVarStatement):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createTryStatement):
        (JSC::SyntaxChecker::createSwitchStatement):
        (JSC::SyntaxChecker::createWhileStatement):
        (JSC::SyntaxChecker::createWithStatement):
        (JSC::SyntaxChecker::createDoWhileStatement):
        (JSC::SyntaxChecker::createLabelStatement):
        (JSC::SyntaxChecker::createThrowStatement):
        (JSC::SyntaxChecker::createDebugger):
        (JSC::SyntaxChecker::createConstStatement):
        (JSC::SyntaxChecker::appendConstDecl):
        (JSC::SyntaxChecker::combineCommaNodes):
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-24  Brent Fulgham  <bfulgham@apple.com>

        Activate WebVTT Tests Once Merging is Complete
        https://bugs.webkit.org/show_bug.cgi?id=130420

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)

2014-03-24  Andreas Kling  <akling@apple.com>

        Stop pulling in all the macro assemblers from VM.h
        <https://webkit.org/b/130691>

        Remove #include of "GPRInfo.h". This breaks WebCore's dependency
        on macro assemblers headers and removes 8 includes from every
        .cpp file in the JS bindings.

        Reviewed by Geoff Garen.

        * runtime/VM.h:

2014-03-24  Gavin Barraclough  <barraclough@apple.com>

        Add support for thread QoS
        https://bugs.webkit.org/show_bug.cgi?id=130688

        Reviewed by Andreas Kling.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):
            - block freeing is a utility activity.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::callLinkInfosEnd): Deleted.

2014-03-24  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
        https://bugs.webkit.org/show_bug.cgi?id=130453
        
        Reviewed by Filip Pizlo.

        Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
        at sxtw and uxtw instructions.

        * offlineasm/arm64.rb:

2014-03-23  Hyowon Kim  <hw1008.kim@samsung.com>

        Move all EFL typedefs into EflTypedefs.h.
        https://bugs.webkit.org/show_bug.cgi?id=130511

        Reviewed by Gyuyoung Kim

        * heap/HeapTimer.h: Remove EFL typedefs.

2014-03-23  Filip Pizlo  <fpizlo@apple.com>

        Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
        https://bugs.webkit.org/show_bug.cgi?id=130650
        <rdar://problem/16122966>

        Reviewed by Michael Saboff.
        
        Previously, it was only in the case of inlining that we would do SetLocal's beyond the
        previously established numLocals limit. But then we added generalized op_call_varargs
        handling, which results in us emitting SetLocals that didn't previously exist in the
        bytecode.
        
        This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ensureLocals):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make this do alignment correctly.
        * runtime/Options.h:
        * tests/stress/call-varargs-from-inlined-code.js: Added.
        * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, adjust sizes for ARM64.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having a Int32 register format if it's a non-Int32 constant
        https://bugs.webkit.org/show_bug.cgi?id=130649
        <rdar://problem/16399949>

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * tests/stress/fuzz-bug-16399949.js: Added.
        (tryItOut.f):
        (tryItOut):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=130644

        Reviewed by Andreas Kling.
        
        This is conceptually a really simple change but it involves the following:
        
        - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.
        
        - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.
        
        - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
          longer has a vector of slow path counts that shadows the CallLinkInfo vector.
        
        - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
          and not all relinking.
        
        This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
        the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
        with a op_call/op_construct instruction and a machine code return PC within such an
        instruction.

        * bytecode/CallLinkInfo.h:
        (JSC::getCallLinkInfoCodeOrigin):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getCallLinkInfoMap):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::addCallLinkInfo):
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::byValInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit):
        (JSC::FTL::JSCall::link):
        * ftl/FTLJSCall.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkFor):
        (JSC::operationVirtualFor):
        (JSC::operationLinkClosureCallFor):
        * jit/Repatch.cpp:
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::slowPathFor):
        (JSC::virtualForThunkGenerator):
        * tests/stress/eval-that-is-not-eval.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix mispelled test name.

        * tests/stress/constand-folding-osr-exit.js: Removed.
        * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.

2014-03-22  Andreas Kling  <akling@apple.com>

        CREATE_DOM_WRAPPER doesn't need the ExecState.
        <https://webkit.org/b/130648>

        Add a fast path from JSGlobalObject to the VM so we don't have
        to dance via the Heap.

        Reviewed by Darin Adler.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::vm):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLJITFinalizer.cpp:

2014-03-22  Michael Saboff  <msaboff@apple.com>

        toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
        https://bugs.webkit.org/show_bug.cgi?id=130554

        Reviewed by Geoffrey Garen.

        Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
        Did some cleanup as well.  Moved the setting of the thisObject in a JSGlobalObject to
        happen in finishCreation() so that it will also happen for other derived classes including
        JSWorkerGlobalScopeBase.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        * jsc.cpp:
        (GlobalObject::create):
        * API/tests/testapi.c:
        (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
        the result from JSContextGetGlobalObject() as that will return the proxy.       
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
        we now call setGlobalThis in finishCreation().
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::setGlobalThis): Made this a private method.

2014-03-22  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * bytecode/CodeBlock.cpp:
        * runtime/Executable.cpp:

2014-03-22  Andreas Kling  <akling@apple.com>

        Cut down on JSC profiler includes in WebCore & co.
        <https://webkit.org/b/130637>

        Most of WebKit was pulling in JSC's profiler headers via VM.h.

        Reviewed by Darin Adler.

        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGJITFinalizer.cpp:
        * jsc.cpp:
        * runtime/VM.cpp:
        * runtime/VM.h:

2014-03-22  Landry Breuil <landry@openbsd.org>

        Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
        https://bugs.webkit.org/show_bug.cgi?id=129965

        Reviewed By Anders Carlsson.

2014-03-21  Mark Lam  <mark.lam@apple.com>

        Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
        <https://webkit.org/b/124508>

        Reviewed by Oliver Hunt.

        The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
        pointer from the BytecodeGenerator's m_localScopes vector, and then it
        calls emitPopScopes().  emitPopScopes() may do finally clause handling
        which will require the m_localScopes to be cloned so that it can change
        the local scopes for the finally block, and then restore it after
        handling the finally clause.  These modifications of the m_localScopes
        vector will result in the LabelScope pointer in BreakNode::emitBytecode()
        becoming stale, thereby causing the crash.

        The same issue applies to the ContinueNode as well.

        The fix is to use the existing LabelScopePtr abstraction instead of raw
        LabelScope pointers.  The LabelScopePtr is resilient to the underlying
        vector re-allocating its backing store.

        I also changed the LabelScopePtr constructor that takes a LabelScopeStore
        to expect a reference to the owner store instead of a pointer because the
        owner store should never be a null pointer.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/LabelScope.h:
        (JSC::LabelScopePtr::LabelScopePtr):
        (JSC::LabelScopePtr::operator bool):
        (JSC::LabelScopePtr::null):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

2014-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        6% SunSpider commandline regression due to r165940
        https://bugs.webkit.org/show_bug.cgi?id=130617

        Reviewed by Michael Saboff.

        In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected 
        before. Some of the benchmarks are never running a single EdenCollection, which causes 
        them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer 
        slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of 
        magnitude more than we normally would.

        The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2014-03-21  Filip Pizlo  <fpizlo@apple.com>

        Constants folded by DFG::ByteCodeParser should not be dead.
        https://bugs.webkit.org/show_bug.cgi?id=130576

        Reviewed by Mark Hahnenberg.
        
        This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
        reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
        or more folders in LLVM). Doing so has no performance impact since the other constant folders
        already subsume this one.
        
        Also added a test case for the specific bug that instigated this.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::inferredConstant):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.h:
        * tests/stress/constand-folding-osr-exit.js: Added.
        (foo):
        (test):
        (.var):

2014-03-21  Mark Lam  <mark.lam@apple.com>

        StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
        <https://webkit.org/b/130566>

        Reviewed by Filip Pizlo.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
        https://bugs.webkit.org/show_bug.cgi?id=130562
        <rdar://problem/16382842>

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * tests/stress/uint32array-unsigned-load.js: Added.
        (foo):

2014-03-20  Brian Burg  <bburg@apple.com>

        Web Inspector: add frontend controller and models for replay sessions
        https://bugs.webkit.org/show_bug.cgi?id=130145

        Reviewed by Joseph Pecoraro.

        * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
        https://bugs.webkit.org/show_bug.cgi?id=130546
        <rdar://problem/16383308>

        Reviewed by Mark Hahnenberg.
        
        Make AI do a better job of folding this.
        
        Also made the FTL backend be more tolerant of data representations. In this case it
        didn't know that "constant" was a valid representation. There is a finite set of
        possible representations, but broadly, we don't write code that presumes anything
        about the representation of an input; that's what methods like lowJSValue() are for.
        ValueToInt32 was previously not relying on those methods at all because it had some
        hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
        to lowJSValue().

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
        * tests/stress/value-to-int32-undefined-constant.js: Added.
        (foo):
        * tests/stress/value-to-int32-undefined.js: Added.
        (foo):

2014-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some assertions back
        https://bugs.webkit.org/show_bug.cgi?id=130531

        Reviewed by Geoffrey Garen.

        We removed a useful set of assertions for verifying that MarkedBlocks were 
        in the state that we expected them to be in after clearing marks in the Heap. 
        We should add these back to catch bugs earlier.

        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::VerifyMarkedOrRetired::operator()):
        (JSC::MarkedSpace::clearMarks):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Implement stackmap header version check and support new stackmap formats
        https://bugs.webkit.org/show_bug.cgi?id=130535
        <rdar://problem/16164284>

        Reviewed by Geoffrey Garen.
        
        Add the notion of versioning so that LLVMers can happily implement new stackmap formats
        without worrying about WebKit getting version-locked to LLVM. In the future, we will have
        to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
        to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
        happy to move backward in time to older versions of LLVM.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::readObject):
        (JSC::FTL::StackMaps::Constant::parse):
        (JSC::FTL::StackMaps::StackSize::parse):
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        * ftl/FTLStackMaps.h:

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Crash beneath operationTearOffActivation running this JS compression demo
        https://bugs.webkit.org/show_bug.cgi?id=130295
        <rdar://problem/16332337>

        Reviewed by Oliver Hunt.
        
        Make sure that we flush things as if we were at a terminal, if we are at a block with
        no forward edges. This fixes infinitely loopy code with captured variables.

        Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.
        
        Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
        it by itself. Now it's an artifact of CPS rethreading.
        
        Add a bunch of tests. All of them previously either crashed or returned bad output due
        to memory corruption.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::isCaptured):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::flushForReturn):
        (JSC::DFG::ByteCodeParser::flushIfTerminal):
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::clearFlagsOnAllNodes):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * tests/stress/activation-test-loop.js: Added.
        (Inner.this.doStuff):
        (Inner):
        (foo.inner.isDone):
        (foo):
        * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (fuzz):
        (foo.f):
        (foo):
        * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):

2014-03-20  Oliver Hunt  <oliver@apple.com>

        Incorrect behavior when mutating a typed array during set.
        https://bugs.webkit.org/show_bug.cgi?id=130428

        Reviewed by Geoffrey Garen.

        This fixes a null derefence that occurs if a typed array
        is mutated during the set() operation. The patch gets rid
        of the "Quickly" version of setIndex that is assigning
        JSValues of unknown type, as the numeric conversion can trigger
        side effects that lead to neutering, and so we deref null.

        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndex):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Remove IdentifierTable typedef, isIdentifier()
        https://bugs.webkit.org/show_bug.cgi?id=130533

        Rubber stamped by Geoff Garen.

        Code should use AtomicStringTable, isAtomic() directly.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::~OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::className):
        * API/JSClassRef.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::createBindingPattern):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::add):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Merge AtomicString, Identifier
        https://bugs.webkit.org/show_bug.cgi?id=128624

        Reviewed by Geoff Garen.

        WTF::StringImpl currently supports two uniquing mechanism - AtomicString and
        Identifer - that is one too many.

        Remove Identifier in favour of AtomicString. Identifier had two interesting
        mechanisms that we preserve.

        (1) JSC API VMs each get their own string table, switch the string table on
            API entry/exit.
        (2) JSC caches a pointer to the string table on the VM to avoid a thread
            specific access. Adds a new AtomicString::add method to support this.

        * API/JSAPIWrapperObject.mm:
            - updated includes.
        * JavaScriptCore.xcodeproj/project.pbxproj:
            - added IdentifierInlines.h.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
            - updated includes.
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
            - added, used via AtomicString::add to avoid thread-specific access.
        * runtime/ConsolePrototype.cpp:
            - updated includes.
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
            - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
            - added ASSERTS.
        (JSC::Identifier::add):
            - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/IdentifierInlines.h: Added.
        (JSC::Identifier::add):
            - moved from Identifier.h, use AtomicString::add.
        * runtime/JSCInlines.h:
            - added IdentifierInlines.h.
        * runtime/JSLock.h:
            - removed IdentifierTable.
        * runtime/PropertyNameArray.cpp:
            - updated includes.
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
            - ensure all single character strings are Atomic.
        * runtime/VM.cpp:
        (JSC::VM::VM):
            - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):
            - added, used via AtomicString::add to avoid thread-specific access.

2014-03-20  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] Fix assembler build issues and add cacheFlush support for Linux
        https://bugs.webkit.org/show_bug.cgi?id=130502

        Reviewed by Michael Saboff.

        Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
        because on ARM64 uint64_t and uintptr_t is the same with GCC and Clang as well.
        Add cacheFlush support for Linux.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linuxPageFlush):
        (JSC::ARM64Assembler::cacheFlush):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):

2014-03-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=130494
        EmptyUnique strings are Identifiers/Atomic

        Reviewed by Geoff Garen.

        EmptyUnique strings should set the Identifier/Atomic flag.

        This fixes an unreproducible bug we believe exists in Identifier handling.
        Expected behaviour is that while Identifiers may reference EmptyUniques
        (StringImpls allocated as UIDs for PrivateNames), these are not created
        through the main Identifier constructor, the Identifier flag is not set
        on PrivateNames, and we should never lookup EmptyUnique strings in the
        IdentifierTable.

        Unfortunately that was happening. Some tables used to implement property
        access in the JIT hold StringImpl*s, and turn these back into Identifiers
        using the identfiier constructor. Since the code generator will now plant
        by-id (cachable) accesses to PrivateNames we can end up passing an
        EmptyUnique to Identifier::add, potentially leading to PrivateNames being
        uniqued together (though hard to prove, since the hash codes are random).

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
            - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
            - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.

        * dfg/DFGCommon.h:

2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last 
        FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't 
        be detected by an EdenCollection).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/EdenGCActivityCallback.cpp: Added.
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::lastGCLength):
        (JSC::EdenGCActivityCallback::deathRate):
        (JSC::EdenGCActivityCallback::gcTimeSlice):
        * heap/EdenGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/FullGCActivityCallback.cpp: Added.
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::FullGCActivityCallback::lastGCLength):
        (JSC::FullGCActivityCallback::deathRate):
        (JSC::FullGCActivityCallback::gcTimeSlice):
        * heap/FullGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createFullTimer):
        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportAbandonedObjectGraph):
        (JSC::Heap::didAbandon):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::setFullActivityCallback):
        (JSC::Heap::setEdenActivityCallback):
        (JSC::Heap::fullActivityCallback):
        (JSC::Heap::edenActivityCallback):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::didAllocate):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        * heap/HeapOperation.h:
        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::showObjectStatistics):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * jsc.cpp:
        (functionFullGC):
        (functionEdenGC):
        * runtime/Options.h:

2014-03-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165926.
        https://bugs.webkit.org/show_bug.cgi?id=130488

        broke the iOS build (Requested by estes on #webkit).

        Reverted changeset:

        "GC timer should intelligently choose between EdenCollections
        and FullCollections"
        https://bugs.webkit.org/show_bug.cgi?id=128261
        http://trac.webkit.org/changeset/165926

2014-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last 
        FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be 
        detected by an EdenCollection).

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::createFullTimer):
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::didAbandon):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::setFullActivityCallback):
        (JSC::Heap::setEdenActivityCallback):
        (JSC::Heap::fullActivityCallback):
        (JSC::Heap::edenActivityCallback):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::didAllocate):
        * heap/Heap.h:
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=130134

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
        (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
        * jit/JITInlineCacheGenerator.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.

2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Normalize some of the older JSC options
        https://bugs.webkit.org/show_bug.cgi?id=128753

        Reviewed by Michael Saboff.

        * runtime/Options.cpp:
        (JSC::Options::initialize):

2014-03-12  Mark Lam  <mark.lam@apple.com>

        Update type of local vars to match the type of String length.
        <https://webkit.org/b/130077>

        Reviewed by Geoffrey Garen.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::join):

2014-03-18  Filip Pizlo  <fpizlo@apple.com>

        Get rid of Flush in SSA
        https://bugs.webkit.org/show_bug.cgi?id=130440

        Reviewed by Sam Weinig.
        
        This is basically a red patch. We used to use backwards flow for determining what was
        flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
        accomplish anything. Keeping them around in SSA can only make things hard.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::SSAData::SSAData):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
        * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2014-03-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix iOS production build.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-03-18  Michael Saboff  <msaboff@apple.com>

        Update RegExp Tracing code
        https://bugs.webkit.org/show_bug.cgi?id=130381

        Reviewed by Andreas Kling.

        Updated the regular expression tracing code for 8/16 bit JIT as
        well as match only entry points.  Also added average string length
        metric.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::match):
        (JSC::RegExp::printTraceData):
        * runtime/RegExp.h:
        * runtime/VM.cpp:
        (JSC::VM::addRegExpToTrace):
        (JSC::VM::dumpRegExpTrace):
        * runtime/VM.h:
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
        (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
        (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
        (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):

2014-03-17  Filip Pizlo  <fpizlo@apple.com>

        Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
        https://bugs.webkit.org/show_bug.cgi?id=130300

        Reviewed by Mark Hahnenberg.
        
        We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
        This makes the DFG aware of this.
        
        Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
        the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
        
        This also gives the DFG some abstractions for checking something is a cell or is other.
        This made this patch easier to write and also simplified a bunch of other stuff.
        
        1% speed-up on Octane.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::JumpList::JumpList):
        * bytecode/SpeculatedType.h:
        (JSC::isNotStringVarSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::childFor):
        (JSC::DFG::Node::shouldSpeculateNotStringVar):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
        (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
        (JSC::DFG::SpeculativeJIT::speculateNotCell):
        (JSC::DFG::SpeculativeJIT::speculateOther):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
        (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
        (JSC::DFG::SpeculativeJIT::booleanResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::branchIsCell):
        (JSC::DFG::branchNotCell):
        (JSC::DFG::SpeculativeJIT::branchIsOther):
        (JSC::DFG::SpeculativeJIT::branchNotOther):
        (JSC::DFG::SpeculativeJIT::moveTrueTo):
        (JSC::DFG::SpeculativeJIT::moveFalseTo):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::branchIsCell):
        (JSC::DFG::SpeculativeJIT::branchNotCell):
        (JSC::DFG::SpeculativeJIT::branchIsOther):
        (JSC::DFG::SpeculativeJIT::branchNotOther):
        (JSC::DFG::SpeculativeJIT::moveTrueTo):
        (JSC::DFG::SpeculativeJIT::moveFalseTo):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::lowString):
        (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateString):
        (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
        (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
        * runtime/JSCJSValue.h:
        * tests/stress/string-ident-to-not-string-var-equality.js: Added.
        (foo):
        (bar):
        (test):

2014-03-18  Joseph Pecoraro  <pecoraro@apple.com>

        Add Copyright to framework.sb
        https://bugs.webkit.org/show_bug.cgi?id=130413

        Reviewed by Timothy Hatcher.

        Other sb files got the copyright. Follow suit.

        * framework.sb:

2014-03-18  Matthew Mirman  <mmirman@apple.com>

        Removed extra parens from if statement in a preprocessor define.
        https://bugs.webkit.org/show_bug.cgi?id=130408

        Reviewed by Filip Pizlo.

        * parser/Parser.cpp:

2014-03-18  Filip Pizlo  <fpizlo@apple.com>

        More FTL enabling.

        Rubber stamped by Dan Bernstein and Mark Hahnenberg.

        * Configurations/FeatureDefines.xcconfig:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2014-03-17  Michael Saboff  <msaboff@apple.com>

        V8 regexp spends most of its time in operationGetById
        https://bugs.webkit.org/show_bug.cgi?id=130380

        Reviewed by Filip Pizlo.

        Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
        When V8 regexp is run from the command line, this nets a 2% performance improvement.
        When the test is run for a longer amount of time, there is much less benefit as the
        DFG will emit the appropriate code for String.length.  This does remove
        operationGetById as the hottest function whne run from the command line.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2014-03-17  Andreas Kling  <akling@apple.com>

        Add one-deep cache to opaque roots hashset.
        <https://webkit.org/b/130357>

        The vast majority of WebCore JS wrappers will have their Document*
        as the root(). This change adds a simple optimization where we cache
        the last lookup and avoid going to the hashset for repeated queries.

        Looks like 0.4% progression on DYEB on my MBP.

        Reviewed by Mark Hahnenberg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/OpaqueRootSet.h: Added.
        (JSC::OpaqueRootSet::OpaqueRootSet):
        (JSC::OpaqueRootSet::contains):
        (JSC::OpaqueRootSet::isEmpty):
        (JSC::OpaqueRootSet::clear):
        (JSC::OpaqueRootSet::add):
        (JSC::OpaqueRootSet::size):
        (JSC::OpaqueRootSet::begin):
        (JSC::OpaqueRootSet::end):
        * heap/SlotVisitor.h:

2014-03-17  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Implement Math.hypot
        https://bugs.webkit.org/show_bug.cgi?id=129486

        Reviewed by Darin Adler.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncHypot):

2014-03-17  Zsolt Borbely  <borbezs@inf.u-szeged.hu>

        Fix the !ENABLE(PROMISES) build
        https://bugs.webkit.org/show_bug.cgi?id=130328

        Reviewed by Darin Adler.

        Add missing ENABLE(PROMISES) guards.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPromiseReaction.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-03-16  Andreas Kling  <akling@apple.com>

        REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
        <https://webkit.org/b/130304>

        Reviewed by Anders Carlsson.

        Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
        that doesn't put a potentially unwanted string into the Identifier table.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):

2014-03-16  Brian Burg  <bburg@apple.com>

        Web Inspector: generated backend commands should reflect build system ENABLE settings
        https://bugs.webkit.org/show_bug.cgi?id=130111

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:

        Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
        instead of globbing any .json file.

        * DerivedSources.make:

        Force the combined inspector protocol file to be regenerated if
        the content or list of domains itself changes.

2014-03-16  Brian Burg  <bburg@apple.com>

        Web Inspector: vended backend commands file should be generated as part of the build
        https://bugs.webkit.org/show_bug.cgi?id=130110

        Reviewed by Timothy Hatcher.

        * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
        private headers directory.

2014-03-16  Darin Adler  <darin@apple.com>

        Remove all uses of deprecatedCharacters from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=130304

        Reviewed by Anders Carlsson.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::~OpaqueJSString): Use characters 16 in the 16-bit code path.
        (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
        juse use the standard one that takes a String.
        (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
        hand-written alternative.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue): Create InspectorString from String directly
        instead of involving a character pointer. Use the String from Identifier
        directly instead of making a new String.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
        instead of building a String a character at a time. This is still a very slow
        way to do this. Also use strchr to search for a character instead of building
        a String every time just to use find on it.

        * inspector/InspectorValues.cpp:
        (Inspector::doubleQuoteString): Remove unnecessary trip through a
        character pointer. This is still a really slow way to do this.
        (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
        instead of String::deprecatedCharacters. Still slow to always upconvert.

        * runtime/DateConstructor.cpp: Removed unneeded include.
        * runtime/DatePrototype.cpp: Ditto.

        * runtime/Identifier.h: Removed deprecatedCharacters function.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Added a type cast to avoid ambiguity with the two character-
        appending functions from JSStringBuilder. Removed unneeded code duplicating
        what JSStringBuilder already does in its character append function.
        (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
        (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
        is used outside this file have external linkage. Added a new overload that takes
        a StringView.
        (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
        (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
        single character.

        * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.

        * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
        (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
        Made one overload private. Fixed a performance bug where we would reserve capacity
        in the 8-bit buffer but then append to the 16-bit buffer.

        * runtime/ObjectPrototype.cpp: Removed unneeded include.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
        (JSC::stringProtoFuncLink): Ditto.

2014-03-15  Filip Pizlo  <fpizlo@apple.com>

        FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
        https://bugs.webkit.org/show_bug.cgi?id=130296

        Reviewed by Andreas Kling.
        
        During the 32-bit structure ID work, the second load of the structure was removed.
        That's wrong. The whole point of loading the structure ID again is that the structure
        ID would have been changed by the arrayification call, and we're verifying that the
        arrayification succeeded in changing the structure. If we check the old structure - as
        the code was doing after the 32-bit structure ID work - then this check is guaranteed
        to fail, causing a significant performance regression.
        
        It's actually amazing that the regression wasn't bigger. The reason is that if FTL
        code pathologically exits but the equivalent DFG code doesn't, then the exponential
        backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
        the time at least, the DFG wasn't much slower so this didn't cause too much pain.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):

2014-03-15  Filip Pizlo  <fpizlo@apple.com>

        FTL should support CheckHasInstance/InstanceOf
        https://bugs.webkit.org/show_bug.cgi?id=130285

        Reviewed by Sam Weinig.
        
        Fairly straightforward; I also discovered an inaccurate FIXME in the process.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
        (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::phi):
        * tests/stress/instanceof.js: Added.
        * tests/stress/instanceof-not-cell.js: Added.

2014-03-15  Michael Saboff  <msaboff@apple.com>

        It should be possible to adjust DFG and FTL compiler thread priorities
        https://bugs.webkit.org/show_bug.cgi?id=130288

        Reviewed by Filip Pizlo.

        Added ability to change thread priorities relative to its current priority.
        Created options to adjust the priority of the DFG and FTL compilation work thread
        pools.  For two core systems, there might be three runnable threads, the main thread,
        the DFG compilation thread and the FTL compilation thread.  With the same priority,
        the scheduler is free to schedule whatever thread it wants.  By lowering the
        compilation threads, the main thread can run.  Further tests may suggest better values
        for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.

        For a two-core device, this change has a net positive improvement of 1-3% across
        SunSpider, Octane, Kraken and AsmBench.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * runtime/Options.cpp:
        (JSC::computePriorityDeltaOfWorkerThreads):
        * runtime/Options.h:

2014-03-15  David Kilzer  <ddkilzer@apple.com>

        [iOS] Define SYSTEM_VERSION_PREFIX consistently
        <http://webkit.org/b/130293>
        <rdar://problem/15926359>

        Reviewed by Dan Bernstein.

        * Configurations/Version.xcconfig:
        (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
        Source/WebKit/mac/Version.xcconfig.

2014-03-15  David Kilzer  <ddkilzer@apple.com>

        Fix build: using integer absolute value function 'abs' when argument is of floating point type
        <http://webkit.org/b/130286>

        Reviewed by Filip Pizlo.

        Fixes the following build failure using trunk clang:

            JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
                    value = abs(value);
                            ^
            JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
                    value = abs(value);
                            ^~~
                            fabs

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
        fabs().

2014-03-14  Oliver Hunt  <oliver@apple.com>

        Reinstate intialiser syntax in for-in loops
        https://bugs.webkit.org/show_bug.cgi?id=130269

        Reviewed by Michael Saboff.

        Disallowing the initialiser broke some sites so this patch re-allows
        the syntax.  We still disallow the syntax in 'of' and pattern based
        enumeration.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::isBindingNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-14  Mark Lam  <mark.lam@apple.com>

        Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
        <https://webkit.org/b/130279>

        Reviewed by Filip Pizlo.

        If neither the getter nor setter are defined, accessing __lookupGetter__
        and __lookupSetter__ will return undefined as expected.  However, if the
        getter is defined but the setter is not, accessing __lookupSetter__ will
        crash the VM.  Similarly, accessing __lookupGetter__ when only the setter
        is defined will crash the VM.

        The reason is because objectProtoFuncLookupGetter() and
        objectProtoFuncLookupSetter() did not check if the getter and setter
        value is non-null before returning it as an EncodedJSValue.  The fix is
        to add the appropriate null checks.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-03-14  Mark Rowe  <mrowe@apple.com>

        Fix the production build.

        Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
        be at the expected relative path when working from installed source.

        * Configurations/Base.xcconfig:

2014-03-14  Maciej Stachowiak  <mjs@apple.com>

        Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
        https://bugs.webkit.org/show_bug.cgi?id=130276
        <rdar://problem/16266927>

        Reviewed by Simon Fraser.

        * API/APICast.h:
        * API/JSBase.cpp:
        * API/JSBase.h:
        * API/JSBasePrivate.h:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSClassRef.cpp:
        * API/JSClassRef.h:
        * API/JSContextRef.cpp:
        * API/JSContextRef.h:
        * API/JSContextRefPrivate.h:
        * API/JSObjectRef.cpp:
        * API/JSObjectRef.h:
        * API/JSProfilerPrivate.cpp:
        * API/JSProfilerPrivate.h:
        * API/JSRetainPtr.h:
        * API/JSStringRef.cpp:
        * API/JSStringRef.h:
        * API/JSStringRefBSTR.cpp:
        * API/JSStringRefBSTR.h:
        * API/JSStringRefCF.cpp:
        * API/JSStringRefCF.h:
        * API/JSValueRef.cpp:
        * API/JSValueRef.h:
        * API/JavaScript.h:
        * API/JavaScriptCore.h:
        * API/OpaqueJSString.cpp:
        * API/OpaqueJSString.h:
        * API/tests/JSNode.c:
        * API/tests/JSNode.h:
        * API/tests/JSNodeList.c:
        * API/tests/JSNodeList.h:
        * API/tests/Node.c:
        * API/tests/Node.h:
        * API/tests/NodeList.c:
        * API/tests/NodeList.h:
        * API/tests/minidom.c:
        * API/tests/minidom.js:
        * API/tests/testapi.c:
        * API/tests/testapi.js:
        * DerivedSources.make:
        * bindings/ScriptValue.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Instruction.h:
        * bytecode/JumpTable.cpp:
        * bytecode/JumpTable.h:
        * bytecode/Opcode.cpp:
        * bytecode/Opcode.h:
        * bytecode/SamplingTool.cpp:
        * bytecode/SamplingTool.h:
        * bytecode/SpeculatedType.cpp:
        * bytecode/SpeculatedType.h:
        * bytecode/ValueProfile.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        * bytecompiler/LabelScope.h:
        * bytecompiler/RegisterID.h:
        * debugger/DebuggerCallFrame.cpp:
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredStructureChains.h:
        * heap/GCActivityCallback.cpp:
        * heap/GCActivityCallback.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/IdentifiersFactory.cpp:
        * inspector/IdentifiersFactory.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptSource.js:
        * inspector/ScriptBreakpoint.h:
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * interpreter/JSStack.cpp:
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/CompactJITCodeMap.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * os-win32/stdbool.h:
        * parser/SourceCode.h:
        * parser/SourceProvider.h:
        * profiler/LegacyProfiler.cpp:
        * profiler/LegacyProfiler.h:
        * profiler/ProfileNode.cpp:
        * profiler/ProfileNode.h:
        * runtime/ArrayBufferView.cpp:
        * runtime/ArrayBufferView.h:
        * runtime/BatchedTransitionOptimizer.h:
        * runtime/CallData.h:
        * runtime/ConstructData.h:
        * runtime/DumpContext.cpp:
        * runtime/DumpContext.h:
        * runtime/ExceptionHelpers.cpp:
        * runtime/ExceptionHelpers.h:
        * runtime/InitializeThreading.cpp:
        * runtime/InitializeThreading.h:
        * runtime/IntegralTypedArrayBase.h:
        * runtime/IntendedStructureChain.cpp:
        * runtime/IntendedStructureChain.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSExportMacros.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSVariableObject.cpp:
        * runtime/JSVariableObject.h:
        * runtime/PropertyTable.cpp:
        * runtime/PutPropertySlot.h:
        * runtime/SamplingCounter.cpp:
        * runtime/SamplingCounter.h:
        * runtime/Structure.cpp:
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        * runtime/StructureChain.h:
        * runtime/StructureInlines.h:
        * runtime/StructureTransitionTable.h:
        * runtime/SymbolTable.cpp:
        * runtime/SymbolTable.h:
        * runtime/TypedArrayBase.h:
        * runtime/TypedArrayType.cpp:
        * runtime/TypedArrayType.h:
        * runtime/VM.cpp:
        * runtime/VM.h:
        * yarr/RegularExpression.cpp:
        * yarr/RegularExpression.h:

2014-03-14  Filip Pizlo  <fpizlo@apple.com>

        Final FTL iOS build magic
        https://bugs.webkit.org/show_bug.cgi?id=130281

        Reviewed by Michael Saboff.

        * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
        * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritzation right. Also we need protobuf because things. :-/

2014-03-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Gracefully handle nil name -[JSContext setName:]
        https://bugs.webkit.org/show_bug.cgi?id=130262

        Reviewed by Mark Hahnenberg.

        * API/JSContext.mm:
        (-[JSContext setName:]):
        Gracefully handle nil input.

        * API/tests/testapi.c:
        (globalContextNameTest):
        * API/tests/testapi.mm:
        Test for nil / NULL names in the ObjC and C APIs.

2014-03-11  Oliver Hunt  <oliver@apple.com>

        Improve dom error messages
        https://bugs.webkit.org/show_bug.cgi?id=130103

        Reviewed by Andreas Kling.

        Add new helper function.

        * runtime/Error.h:
        (JSC::throwVMTypeError):

2014-03-14  László Langó  <llango.u-szeged@partner.samsung.com>

        Remove unused method declaration.
        https://bugs.webkit.org/show_bug.cgi?id=130238

        Reviewed by Filip Pizlo.

        The implementation of CallFrame::dumpCaller was removed in
        http://trac.webkit.org/changeset/153183, but the declaration of it was not.

        * interpreter/CallFrame.h:
        Remove CallFrame::dumpCaller() method declaration.

2014-03-12  Sergio Villar Senin  <svillar@igalia.com>

        Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
        https://bugs.webkit.org/show_bug.cgi?id=129612

        Reviewed by Darin Adler.

        For new code use static NeverDestroyed<T> instead.

        * API/JSAPIWrapperObject.mm:
        (jsAPIWrapperObjectHandleOwner):
        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocators):

2014-03-12  Gavin Barraclough  <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indicies into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.

2014-03-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac no-FTL build.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-13  Juergen Ributzka  <juergen@apple.com>

        Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
        https://bugs.webkit.org/show_bug.cgi?id=130224

        Reviewed by Filip Pizlo.

        This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
        the LLVM dylib. This allows the dylib to be safely used with other LLVM
        dylibs on the same system. It also reduces the dynamic linking overhead
        and also reduces the size by 6MB, because the linker can now dead strip
        many unused functions.

        * Configurations/LLVMForJSC.xcconfig:

2014-03-13  Andreas Kling  <akling@apple.com>

        VM::discardAllCode() should clear the RegExp cache.
        <https://webkit.org/b/130144>

        Reviewed by Michael Saboff.

        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-13  Andreas Kling  <akling@apple.com>

        Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
        <https://webkit.org/b/129995>

        This code path is not taken anymore on DYEB, and I can't explain why
        it was showing up in my profiles. Backing it out per JoePeck's suggestion.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should support IsBlah
        https://bugs.webkit.org/show_bug.cgi?id=130202

        Reviewed by Geoffrey Garen.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
        (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
        (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
        (JSC::FTL::LowerDFGToLLVM::compileIsString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
        (JSC::FTL::LowerDFGToLLVM::isNumber):
        (JSC::FTL::LowerDFGToLLVM::isNotNumber):
        (JSC::FTL::LowerDFGToLLVM::isBoolean):
        * ftl/FTLOSRExitCompiler.cpp:
        * tests/stress/is-undefined-exit-on-masquerader.js: Added.
        (bar):
        (foo):
        (test):
        * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
        (foo):
        (test):
        * tests/stress/is-undefined-masquerader.js: Added.
        (foo):
        (test):

2014-03-13  Mark Lam  <mark.lam@apple.com>

        JS benchmarks crash with a bus error on 32-bit x86.
        <https://webkit.org/b/130203>

        Reviewed by Geoffrey Garen.

        The issue is that generateGetByIdStub() can potentially use the same register
        for the JSValue base register and the target tag register.  After loading the
        tag value into the target tag register, the JSValue base address is lost.
        The code then proceeds to load the payload value using the base register, and
        this results in a crash.

        The fix is to check if the base register is the same as the target tag register.
        If so, we should make a copy the base register first before loading the tag
        value, and use the copy to load the payload value instead.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-12  Filip Pizlo  <fpizlo@apple.com>

        WebKit shouldn't crash on uniprocessor machines
        https://bugs.webkit.org/show_bug.cgi?id=130176

        Reviewed by Michael Saboff.
        
        Previously the math for computing the number of JIT compiler threads would come up with
        zero threads on uniprocessor machines, and then the Worklist code would assert.

        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        * runtime/Options.h:

2014-03-13  Radu Stavila  <stavila@adobe.com>

        Webkit not building on XCode 5.1 due to garbage collection no longer being supported
        https://bugs.webkit.org/show_bug.cgi?id=130087

        Reviewed by Mark Rowe.

        Disable garbage collection on macosx when not using internal SDK.

        * Configurations/Base.xcconfig:

2014-03-10  Darin Adler  <darin@apple.com>

        Avoid copy-prone idiom "for (auto item : collection)"
        https://bugs.webkit.org/show_bug.cgi?id=129990

        Reviewed by Geoffrey Garen.

        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
        make explicit that we are iterating through pointers.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
        get rid of an unneeded local variable.

2014-03-13  Brian Burg  <bburg@apple.com>

        Web Inspector: Remove unused callId parameter from evaluateInWebInspector
        https://bugs.webkit.org/show_bug.cgi?id=129744

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::evaluateForTestInFrontend):
        * inspector/agents/InspectorAgent.h:
        * inspector/protocol/InspectorDomain.json:

2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
        https://bugs.webkit.org/show_bug.cgi?id=130069

        Reviewed by Geoffrey Garen.
        
        This was a great assertion, and it represents our strictest interpretation of the rules of
        our intermediate representation. However, fixing DCE to actually preserve the relevant
        property would be hard, and it wouldn't have an observable effect right now because nobody
        actually uses the propery of CPS that this assertion is checking for.
        
        In particular, we do always require, and rely on, the fact that non-captured variables
        have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
        block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
        PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
        broken in this regard. But, in the strictest sense, CPS also means that for captured
        variables, variablesAtTail also continues to point to the last relevant use of the
        variable. In particular, if there are multiple GetLocals, then it should point to the last
        one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
        variables, except to check the VariableAccessData; but in that case, we don't really need
        the *last* relevant use of the variable - any node that mentions the same variable will do
        just fine.
        
        So, this change loosens the assertion and adds a detailed FIXME describing what we would
        have to do if we wanted to preserve the more strict property.
        
        This also makes changes to various debug printing paths so that validation doesn't crash
        during graph dump. This also adds tests for the interesting cases of DCE failing to
        preserve CPS in the strictest sense. This also attempts to win the record for longest test
        name.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hashAsStringIfPossible):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hashAsStringIfPossible):
        (JSC::InlineCallFrame::dumpBriefFunctionInformation):
        * bytecode/CodeOrigin.h:
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
        (foo):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
        (foo):

2014-03-12  Brian Burg  <bburg@apple.com>

        Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
        https://bugs.webkit.org/show_bug.cgi?id=129445

        Reviewed by Timothy Hatcher.

        There was a bug in the replay inputs code generator that would include
        headers for definitions of enum classes, even though they can be safely
        forward-declared.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes): Only include for copy constructor if the
        type is a heavy scalar (i.e., String, URL), not a normal scalar
        (i.e., int, double, enum classes).

        (Generator.generate_type_forward_declarations): Forward-declare scalars
        that are enums or enum classes.

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
        https://bugs.webkit.org/show_bug.cgi?id=130118

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Hang in Remote Inspection triggering breakpoint from console
        https://bugs.webkit.org/show_bug.cgi?id=130032

        Reviewed by Timothy Hatcher.

        * inspector/EventLoop.h:
        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::remoteInspectorRunLoopMode):
        (Inspector::EventLoop::cycle):
        Expose the run loop mode name so it can be used if needed by others.

        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        (Inspector::RemoteInspectorQueueTask):
        Instead of a dispatch_queue, have our own static Vector of debugger tasks.

        (Inspector::RemoteInspectorHandleRunSource):
        (Inspector::RemoteInspectorInitializeQueue):
        Initialize the static queue and run loop source. When the run loop source
        fires, it will exhaust the queue of debugger messages.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        When we get a debuggable connection add a run loop source for inspector commands.

        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        Enqueue blocks on our Vector instead of our dispatch_queue.

2014-03-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165482.
        https://bugs.webkit.org/show_bug.cgi?id=130157

        Broke the windows build; "error C2466: cannot allocate an
        array of constant size 0" (Requested by jernoble on #webkit).

        Reverted changeset:

        "Reduce memory use for static property maps"
        https://bugs.webkit.org/show_bug.cgi?id=129986
        http://trac.webkit.org/changeset/165482

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove HandleSet::m_nextToFinalize
        https://bugs.webkit.org/show_bug.cgi?id=130109

        Reviewed by Mark Lam.

        This is a remnant of when HandleSet contained things that needed to be finalized. 

        * heap/HandleSet.cpp:
        (JSC::HandleSet::HandleSet):
        (JSC::HandleSet::writeBarrier):
        * heap/HandleSet.h:
        (JSC::HandleSet::allocate):
        (JSC::HandleSet::deallocate):

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Layout Test fast/workers/worker-gc.html is failing
        https://bugs.webkit.org/show_bug.cgi?id=130135

        Reviewed by Geoffrey Garen.

        When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's 
        main list of blocks, i.e. not in the retired list. When shutting down the VM this
        wasn't always the case which was causing ASSERTs to fire. We should rearrange things 
        so that allocators are notified with lastChanceToFinalize. This will give them 
        the chance to move their retired blocks back into the main list before removing them all.

        * heap/MarkedAllocator.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedAllocator::lastChanceToFinalize):
        * heap/MarkedAllocator.h:
        * heap/MarkedSpace.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedSpace::lastChanceToFinalize):

2014-03-12  Gavin Barraclough  <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indicies into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.

2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to build WebKit with FTL on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130116

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
        https://bugs.webkit.org/show_bug.cgi?id=129778

        Reviewed by Geoffrey Garen.
        
        Also deduplicate the GetById getter call caching. Also add some small tests for
        get stubs.
        
        This change reduces the amount of code involved in GetById access caching and it
        creates data structures that can serve as an elegant scaffold for introducing other
        kinds of caches or improving current caching styles. It will definitely make getter
        performance improvements easier to implement.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/PolymorphicGetByIdList.cpp: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::~GetByIdAccess):
        (JSC::GetByIdAccess::fromStructureStubInfo):
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::from):
        (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
        (JSC::PolymorphicGetByIdList::addAccess):
        (JSC::PolymorphicGetByIdList::isFull):
        (JSC::PolymorphicGetByIdList::isAlmostFull):
        (JSC::PolymorphicGetByIdList::didSelfPatching):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::isSet):
        (JSC::GetByIdAccess::operator!):
        (JSC::GetByIdAccess::type):
        (JSC::GetByIdAccess::structure):
        (JSC::GetByIdAccess::chain):
        (JSC::GetByIdAccess::chainCount):
        (JSC::GetByIdAccess::stubRoutine):
        (JSC::GetByIdAccess::doesCalls):
        (JSC::PolymorphicGetByIdList::isEmpty):
        (JSC::PolymorphicGetByIdList::size):
        (JSC::PolymorphicGetByIdList::at):
        (JSC::PolymorphicGetByIdList::operator[]):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::StructureStubInfo::initGetByIdList):
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryBuildPutByIdList):
        * tests/stress/getter.js: Added.
        (foo):
        (.o):
        * tests/stress/polymorphic-prototype-accesses.js: Added.
        (Foo):
        (Bar):
        (foo):
        * tests/stress/prototype-getter.js: Added.
        (Foo):
        (foo):
        * tests/stress/simple-prototype-accesses.js: Added.
        (Foo):
        (foo):

2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=129920

        Reviewed by Geoffrey Garen.

        This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
        when the amount of free space in a MarkedBlock drops below a certain threshold.
        Retired blocks are not considered for sweeping.

        This is profitable because it reduces churn during sweeping. To build a free list, 
        we have to scan through each cell in a block. After a collection, all objects that 
        are live in the block will remain live until the next FullCollection, at which time
        we un-retire all previously retired blocks. Thus, a small number of objects in a block
        that die during each EdenCollection could cause us to do a disproportiante amount of 
        sweeping for how much free memory we get back.

        This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.

        * heap/Heap.h:
        (JSC::Heap::didRetireBlockWithFreeListSize):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::forEachBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweepHelper):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::didRetireBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::willRemoveBlock):
        (JSC::MarkedBlock::isLive):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::clearNewlyAllocated):
        (JSC::MarkedSpace::clearMarks):
        * runtime/Options.h:

2014-03-11  Andreas Kling  <akling@apple.com>

        Streamline PropertyTable for lookup-only access.
        <https://webkit.org/b/130060>

        The PropertyTable lookup algorithm was written to support both read
        and write access. This wasn't actually needed in most places.

        This change adds a PropertyTable::get() that just returns the value
        type (instead of an insertion iterator.) It also adds an early return
        for empty tables.

        Finally, up the minimum table capacity from 8 to 16. It was lowered
        to 8 in order to save memory, but that was before PropertyTables were
        GC allocated. Nowadays we don't have nearly as many tables, since all
        the unpinned transitions die off.

        Reviewed by Darin Adler.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION(r165407): DoYouEvenBench crashes in DRT
        https://bugs.webkit.org/show_bug.cgi?id=130066

        Reviewed by Geoffrey Garen.

        The baseline JIT does a conditional store barrier for the put_by_id, but we need 
        an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitWriteBarrier):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Resurrect bit-rotted JIT::probe() mechanism.
        <https://webkit.org/b/130067>

        Reviewed by Geoffrey Garen.

        * jit/JITStubs.cpp:
        - Added the needed #include <wtf/InlineASM.h>.

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.

        Rubber-stamped by Dan Bernstein.

        * Configurations/JavaScriptCore.xcconfig:

2014-03-10  Mark Lam  <mark.lam@apple.com>

        r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
        <https://webkit.org/b/130065>

        Reviewed by Michael Saboff.

        There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
        being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
        FPRInfo::toIndex().

        The fix is to remove the "result != InvalidIndex" assertions.

        * jit/FPRInfo.h:
        (JSC::FPRInfo::toIndex):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
        <https://webkit.org/b/129955>

        Reviewed by Geoffrey Garen.

        The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
        stack memory every time it was called.  This is now fixed.

        * jit/JITOperations.cpp:

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Better JSContext API for named evaluations (other than //# sourceURL)
        https://bugs.webkit.org/show_bug.cgi?id=129911

        Reviewed by Geoffrey Garen.

        * API/JSBase.h:
        * API/JSContext.h:
        * API/JSContext.mm:
        (-[JSContext evaluateScript:]):
        (-[JSContext evaluateScript:withSourceURL:]):
        Add new evaluateScript:withSourceURL:.

        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        Add tests for sourceURL in evaluate APIs. It should
        affect the exception objects.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Repatch should save and restore all used registers - not just temp ones - when making a call
        https://bugs.webkit.org/show_bug.cgi?id=130041

        Reviewed by Geoffrey Garen and Mark Hahnenberg.
        
        The save/restore code was written back when the only client was the DFG, which only uses a
        subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
        other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
        lead to data corruption on ARM64. 

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::numberOfSetGPRs):
        (JSC::RegisterSet::numberOfSetFPRs):
        * jit/RegisterSet.h:
        * jit/Repatch.cpp:
        (JSC::storeToWriteBarrierBuffer):
        (JSC::emitPutTransitionStub):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove ConditionalStore barrier
        https://bugs.webkit.org/show_bug.cgi?id=130040

        Reviewed by Geoffrey Garen.

        ConditionalStoreBarrier was created when barriers were much more expensive. Now that 
        they're cheap(er), we can get rid of them. This also allows us to get rid of the write 
        barrier logic in emitPutTransitionStub because we always will have executed a write barrier 
        on the base object in the case where we are allocating and storing a new Butterfly into it. 
        Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, 
        so we'd have to emit a write barrier in the transition case.

        This is performance neutral on the benchmarks we track.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStoreBarrier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should know that comparing anything to Misc is cheap and easy
        https://bugs.webkit.org/show_bug.cgi?id=130001

        Reviewed by Geoffrey Garen.
        
        - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
          comparison is just Untyped:.
        
        - This obviates the need for CompareStrictEqConstant, so remove it.
        
        - FTL had a thing called "Nully" which is really "Other". Rename it and add
          OtherUse.
        
        9% speed-up on box2d.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isBinaryUseKind):
        (JSC::DFG::Node::shouldSpeculateOther):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/compare-strict-eq-integer-to-misc.js: Added.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove unintended change.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        jsc commandline shouldn't have a "console" because that confuses some tests into thinking
        that they're running in the browser.

        Rubber stamped by Mark Hahnenberg.

        * jsc.cpp:
        (GlobalObject::finishCreation):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Out-line ScratchRegisterAllocator

        Rubber stamped by Mark Hahnenberg.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/ScratchRegisterAllocator.cpp: Added.
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::lock):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Brent Fulgham  <bfulgham@apple.com>

        [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
        https://bugs.webkit.org/show_bug.cgi?id=130023

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
        path names to avoid accidental escaping of later string substitutions.

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for testb_i8r when register is accumulator.
        <https://webkit.org/b/130026>

        Generate the shorthand version of "test al, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_i8r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for sub_ir when register is accumulator.
        <https://webkit.org/b/130025>

        Generate the shorthand version of "sub eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::subl_ir):
        (JSC::X86Assembler::subq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for add_ir when register is accumulator.
        <https://webkit.org/b/130024>

        Generate the shorthand version of "add eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addl_ir):
        (JSC::X86Assembler::addq_ir):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        writeBarrier in emitPutReplaceStub is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=130030

        Reviewed by Filip Pizlo.

        We already emit write barriers for each put-by-id when they're first compiled, so it's 
        redundant to emit a write barrier as part of the repatched code.

        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xor_ir when register is accumulator.
        <https://webkit.org/b/130008>

        Generate the shorthand version of "xor eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xorl_ir):
        (JSC::X86Assembler::xorq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for or_ir when register is accumulator.
        <https://webkit.org/b/130007>

        Generate the shorthand version of "or eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::orl_ir):
        (JSC::X86Assembler::orq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for test_ir when register is accumulator.
        <https://webkit.org/b/130006>

        Generate the shorthand version of "test eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testl_i32r):
        (JSC::X86Assembler::testq_i32r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for cmp_ir when register is accumulator.
        <https://webkit.org/b/130005>

        Generate the shorthand version of "cmp eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpl_ir):
        (JSC::X86Assembler::cmpq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
        <https://webkit.org/b/130002>

        Generate this:

            mov [address], imm32

        Instead of this:

            mov scratchRegister, imm32
            mov [address], scratchRegister

        For store64(imm, address) where the 64-bit immediate can be passed as
        a sign-extended 32-bit value.

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerX86_64.h:
        (CAN_SIGN_EXTEND_32_64):
        (JSC::MacroAssemblerX86_64::store64):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xchg_rr when one register is accumulator.
        <https://webkit.org/b/130004>

        Generate the 1-byte version of "xchg eax, reg" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgq_rr):

2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129998

        Reviewed by Geoffrey Garen.
        
        Not only is that the established contract, but this is used to signal to
        ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
        that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
        some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
        fine but previously it would have led to either an assertion failure, or data corruption, in
        the ScratchRegisterAllocator.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        FTL fails the new equals-masquerader strictEqualConstant test
        https://bugs.webkit.org/show_bug.cgi?id=129996

        Reviewed by Mark Lam.
        
        It turns out that the FTL was trying to do the masquerading stuff for ===null. But
        that's wrong since none of the other engines do it. The DFG even had an ancient
        FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
        don't do it and JSValue::strictEqual() doesn't do it.
        
        Remove the FIXME and remove the extra checks in the FTL.
        
        This is a glorious patch: nothing but red and it fixes a test failure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):

2014-03-09  Andreas Kling  <akling@apple.com>

        Short-circuit JSGlobalObjectInspectorController when not inspecting.
        <https://webkit.org/b/129995>

        Add an early return in reportAPIException() when the console agent
        is disabled. This avoids expensive symbolication during exceptions
        if there's nobody expecting the fancy backtrace anyway.

        ~2% progression on DYEB on my MBP.

        Reviewed by Geoff Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-09  Andreas Kling  <akling@apple.com>

        Inline the trivial parts of GC deferral.
        <https://webkit.org/b/129984>

        Made most of the functions called by the DeferGC RAII object inline
        to avoid function call overhead.

        Looks like ~1% progression on DYEB.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):

2014-03-08  Mark Lam  <mark.lam@apple.com>

        32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
        <https://webkit.org/b/129969>

        Reviewed by Geoffrey Garen.

        The 32-bit version of handleUncaughtException was missing the handling of an
        edge case for stack overflows where the current frame may already be the
        sentinel frame.  This edge case was handled in the 64-bit version.  The fix
        is to bring the 32-bit version up to parity.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * llint/LowLevelInterpreter32_64.asm:

2014-03-07  Mark Lam  <mark.lam@apple.com>

        Fix bugs in 32-bit Structure implementation.
        <https://webkit.org/b/129947>

        Reviewed by Mark Hahnenberg.

        Added the loading of the Structure (from the JSCell) before use that was
        missing in a few places.  Also added more test cases to equals-masquerader.js.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter32_64.asm:
        * tests/stress/equals-masquerader.js:
        (equalsNull):
        (notEqualsNull):
        (strictEqualsNull):
        (strictNotEqualsNull):
        (equalsUndefined):
        (notEqualsUndefined):
        (strictEqualsUndefined):
        (strictNotEqualsUndefined):
        (isFalsey):
        (test):

2014-03-07  Andrew Trick  <atrick@apple.com>

        Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
        https://bugs.webkit.org/show_bug.cgi?id=129954

        Reviewed by Filip Pizlo.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2014-03-07  Michael Saboff  <msaboff@apple.com>

        .cfi directives in LowLevelInterpreter.cpp are providing no benefit
        https://bugs.webkit.org/show_bug.cgi?id=129945

        Reviewed by Mark Lam.

        Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
        or in lldb.

        * llint/LowLevelInterpreter.cpp:

2014-03-07  Oliver Hunt  <oliver@apple.com>

        Continue hangs when performing for-of over arguments
        https://bugs.webkit.org/show_bug.cgi?id=129915

        Reviewed by Geoffrey Garen.

        Put the continue label in the right place

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):

2014-03-07  peavo@outlook.com  <peavo@outlook.com>

        [Win64] Compile error after r165128.
        https://bugs.webkit.org/show_bug.cgi?id=129807

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
        Check platform environment variable to determine if an assembler file should be generated.

2014-03-07  Michael Saboff  <msaboff@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Already reviewed change being relanded.

        Relanding change set r165196 as it wasn't responsible for the breakage reported in
        https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or

        Reviewed by Michael Saboff.
        configuration issue.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move GCActivityCallback to heap
        https://bugs.webkit.org/show_bug.cgi?id=129457

        Reviewed by Geoffrey Garen.

        All the other GC timer related stuff is there already.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
        * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
        * runtime/GCActivityCallback.cpp: Removed.
        * runtime/GCActivityCallback.h: Removed.

2014-03-07  Andrew Trick  <atrick@apple.com>

        Correct a comment typo from:
        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Mark Lam.

        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use OwnPtr in StructureIDTable
        https://bugs.webkit.org/show_bug.cgi?id=129828

        Reviewed by Geoffrey Garen.

        This reduces the amount of boilerplate and fixes a memory leak.

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::table):
        (JSC::StructureIDTable::get):

2014-03-07  Andrew Trick  <atrick@apple.com>

        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        If the FTL is build-time enabled then it should be run-time enabled.

        Rubber stamped by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>

        [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
        https://bugs.webkit.org/show_bug.cgi?id=129852

        Reviewed by Geoffrey Garen.

        * framework.sb: Added.
        Sandbox extension to allow access to "com.apple.webinspector".

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add a Copy Resources build phase and include framework.sb.

        * Configurations/JavaScriptCore.xcconfig:
        Do not copy framework.sb on iOS.

2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
        https://bugs.webkit.org/show_bug.cgi?id=129858

        Reviewed by Mark Lam.

        It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
        but now it ends up overwriting the IdentifierTable that JSLock just restored.

        * API/JSContextRef.cpp:
        (JSGlobalContextRelease):

2014-03-06  Oliver Hunt  <oliver@apple.com>

        Fix FTL build.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2014-03-06  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix after r165128.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
        performing 'Production' and 'DebugSuffix' type builds.

2014-03-06  Julien Brianceau  <jbriance@cisco.com>

        Unreviewed, fix style in my previous commit.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        * runtime/JSConsole.cpp:

2014-03-06  Julien Brianceau  <jbriance@cisco.com>

        Build fix: add missing include in JSConole.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        Reviewed by Oliver Hunt.

        * runtime/JSConsole.cpp:

2014-03-06  Oliver Hunt  <oliver@apple.com>

        Fix ARMv7

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-03-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165196.
        http://trac.webkit.org/changeset/165196
        https://bugs.webkit.org/show_bug.cgi?id=129822

        broke arm64 on hardware (Requested by bfulgham on #webkit).

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isStackRelated):
        (JSC::MacroAssembler::firstRealRegister):
        (JSC::MacroAssembler::nextRegister):
        (JSC::MacroAssembler::secondRealRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
        <https://webkit.org/b/129813>

        Reviewed by Michael Saboff.

        Fixed broken C loop LLINT build.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        FTL arity fixup should work on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129810

        Reviewed by Michael Saboff.
        
        - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
          callee-save.
        
        - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
        
        This makes some more tests pass.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::prologueStackPointerDelta):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.

2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
        https://bugs.webkit.org/show_bug.cgi?id=129760

        Reviewed by Geoffrey Garen.

        r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
        The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        * jit/Repatch.cpp:
        (JSC::writeBarrier):

2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=127944

        Reviewed by Geoffrey Garen.

        Always expose the Console object in JSContexts, just like we
        do for web pages. The default behavior will route to an
        attached JSContext inspector. This can be overriden by
        setting the ConsoleClient on the JSGlobalObject, which WebCore
        does to get slightly different behavior.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Update build systems.

        * API/tests/testapi.js:
        * API/tests/testapi.mm:
        Test that "console" exists in C and ObjC contexts.

        * runtime/ConsoleClient.cpp: Added.
        (JSC::ConsoleClient::printURLAndPosition):
        (JSC::ConsoleClient::printMessagePrefix):
        (JSC::ConsoleClient::printConsoleMessage):
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
        (JSC::ConsoleClient::logWithLevel):
        (JSC::ConsoleClient::clear):
        (JSC::ConsoleClient::dir):
        (JSC::ConsoleClient::dirXML):
        (JSC::ConsoleClient::table):
        (JSC::ConsoleClient::trace):
        (JSC::ConsoleClient::assertCondition):
        (JSC::ConsoleClient::group):
        (JSC::ConsoleClient::groupCollapsed):
        (JSC::ConsoleClient::groupEnd):
        * runtime/ConsoleClient.h: Added.
        (JSC::ConsoleClient::~ConsoleClient):
        New private interface for handling the console object's methods.
        A lot of the methods funnel through messageWithTypeAndLevel.

        * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
        Moved to JSC namespace.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        Create the "console" object when initializing the environment.
        Also set the default console client to be the JS context inspector.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setConsoleClient):
        (JSC::JSGlobalObject::consoleClient):
        Ability to change the console client, so WebCore can set a custom client.

        * runtime/ConsolePrototype.cpp: Added.
        (JSC::ConsolePrototype::finishCreation):
        (JSC::valueToStringWithUndefinedOrNullCheck):
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncDebug):
        (JSC::consoleProtoFuncError):
        (JSC::consoleProtoFuncLog):
        (JSC::consoleProtoFuncWarn):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        * runtime/ConsolePrototype.h: Added.
        (JSC::ConsolePrototype::create):
        (JSC::ConsolePrototype::createStructure):
        (JSC::ConsolePrototype::ConsolePrototype):
        Define the console object interface. Parse out required / expected
        arguments and throw expcetions when methods are misused.

        * runtime/JSConsole.cpp: Added.
        * runtime/JSConsole.h: Added.
        (JSC::JSConsole::createStructure):
        (JSC::JSConsole::create):
        (JSC::JSConsole::JSConsole):
        Empty "console" object. Everything is in the prototype.

        * inspector/JSConsoleClient.cpp: Added.
        (Inspector::JSConsoleClient::JSGlobalObjectConsole):
        (Inspector::JSConsoleClient::count):
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        (Inspector::JSConsoleClient::time):
        (Inspector::JSConsoleClient::timeEnd):
        (Inspector::JSConsoleClient::timeStamp):
        (Inspector::JSConsoleClient::warnUnimplemented):
        (Inspector::JSConsoleClient::internalAddMessage):
        * inspector/JSConsoleClient.h: Added.
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::consoleClient):
        * inspector/JSGlobalObjectInspectorController.h:
        Default JSContext ConsoleClient implementation. Handle nearly
        everything exception profile/profileEnd and timeStamp.

2014-03-06  Andreas Kling  <akling@apple.com>

        Drop unlinked function code on memory pressure.
        <https://webkit.org/b/129789>

        Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
        are not currently being compiled.

        4.5 MB progression on Membuster.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllUnlinkedFunctionCode):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Reviewed by Michael Saboff.
        
        Previously we had two different places that defined what "stack" registers are, a thing
        called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
        "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
        one place and had a baked-in notion of what it meant for a register to be "real" or not.
        
        It's not cool to use words like "real" and "special" to describe registers, especially if you
        fail to qualify what that means. This originally made sense on X86 - "real" registers were
        the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
        you also have to worry about the LR register, which we'd want to say is "not real" but it's
        also not a "stack" register. This got super confusing.
        
        So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
        a "stack" register, and uses the word special only in places where it's clearly defined and
        where no better word comes to mind.
        
        This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
        Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
        magically didn't break anything because you never need to save/restore either FP or Q0, but
        it was still super weird.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * disassembler/ARM64Disassembler.cpp:

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Use the LLVM disassembler on ARM64 if we are enabling the FTL
        https://bugs.webkit.org/show_bug.cgi?id=129785

        Reviewed by Geoffrey Garen.
        
        Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
        is strictly more capable at this point. Use it if it's available.

        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Reduce RWI message frequency
        https://bugs.webkit.org/show_bug.cgi?id=129767

        Reviewed by Timothy Hatcher.

        This used to be 0.2s and changed by accident to 0.02s.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::pushListingSoon):

2014-03-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165141, r165157, and r165158.
        http://trac.webkit.org/changeset/165141
        http://trac.webkit.org/changeset/165157
        http://trac.webkit.org/changeset/165158
        https://bugs.webkit.org/show_bug.cgi?id=129772

        "broke ftl" (Requested by olliej_ on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::isCacheable):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Prevent possible deadlock in view indication
        https://bugs.webkit.org/show_bug.cgi?id=129766

        Reviewed by Geoffrey Garen.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=129754

        Reviewed by Geoffrey Garen.

        InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.

        * runtime/JSCell.h:
        (JSC::JSCell::inlineTypeFlags):
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::overridesGetOwnPropertySlot):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
        https://bugs.webkit.org/show_bug.cgi?id=129763

        Reviewed by Geoffrey Garen.

        Clear the list of all breakpoints, including unresolved breakpoints.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):

2014-03-05  Mark Lam  <mark.lam@apple.com>

        llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
        <https://webkit.org/b/129768>

        Reviewed by Mark Hahnenberg.

        When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
        and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
        path llint_slow_path_check_has_instance(), and execute a code path that does the
        following:
        1. Adjusts the byte code PC to the jump target PC.
        2. For the purpose of storing the result, get the result registerIndex from the
           1st operand using the PC as if the PC is still pointing to op_check_has_instance
           bytecode.

        The result is that whatever value resides after where the jump target PC is will
        be used as a result register value.  Depending on what that value is, the result
        can be:
        1. the code coincidently works correctly
        2. memory corruption
        3. crashes

        The fix is to only adjust the byte code PC after we have stored the result.
        
        * llint/LLIntSlowPaths.cpp:
        (llint_slow_path_check_has_instance):

2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>

        Another build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>

        FTL build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=128625
        Add fast mapping from StringImpl to JSString

        Unreviewed roll-out.

        Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.

        * runtime/JSString.cpp:
        * runtime/JSString.h:
        * runtime/VM.cpp:
        (JSC::VM::createLeaked):
        * runtime/VM.h:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSCell::m_gcData should encode its information differently
        https://bugs.webkit.org/show_bug.cgi?id=129741

        Reviewed by Geoffrey Garen.

        We want to keep track of three GC states for an object:

        1. Not marked (which implies not in the remembered set)
        2. Marked but not in the remembered set
        3. Marked and in the remembered set
        
        Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
        barrier, we only want to take the slow path if the object being stored to is in state #2. 
        We'd like to make the test for state #2 as fast as possible, which means making it a 
        compare against 0.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkMarkByte):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::addToRememberedSet):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::checkMarkByte):
        (JSC::JIT::emitWriteBarrier):
        * jit/Repatch.cpp:
        (JSC::writeBarrier):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCell.h:
        (JSC::JSCell::mark):
        (JSC::JSCell::remember):
        (JSC::JSCell::forget):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::isRemembered):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):

2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        More FTL ARM fixes
        https://bugs.webkit.org/show_bug.cgi?id=129755

        Reviewed by Geoffrey Garen.
        
        - Be more defensive about inline caches that have degenerate chains.
        
        - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
          platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
        
        - Don't even emit intrinsic declarations on non-x86 platforms.
        
        - More debug printing support.
        
        - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
          but somehow it gets lucky on x86.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::appendVariant):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::appendVariant):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureSet.h:
        (JSC::StructureSet::overlaps):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCell.h:
        (JSC::JSCell::structureID):

2014-03-05  peavo@outlook.com  <peavo@outlook.com>

        [Win32][LLINT] Crash when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=129429

        On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
        where the guard page is a barrier between committed and uncommitted memory.
        When data from the guard page is read or written, the guard page is moved, and memory is committed.
        This is how the system grows the stack.
        When using the C stack on Windows we need to precommit the needed stack space.
        Otherwise we might crash later if we access uncommitted stack memory.
        This can happen if we allocate stack space larger than the page guard size (4K).
        The system does not get the chance to move the guard page, and commit more memory,
        and we crash if uncommitted memory is accessed.
        The MSVC compiler fixes this by inserting a call to the _chkstk() function,
        when needed, see http://support.microsoft.com/kb/100775.

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
        * jit/Repatch.cpp:
        (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
        * offlineasm/x86.rb: Compile fix, and small simplification.
        * runtime/VM.cpp:
        (JSC::preCommitStackMemory): Added function to precommit stack memory.
        (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.

2014-03-05  Michael Saboff  <msaboff@apple.com>

        JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
        https://bugs.webkit.org/show_bug.cgi?id=129746

        Reviewed by Filip Pizlo.

        Changed to use a union to manually assemble or disassemble the various types
        from / to the corresponding bytes.  All memory access is now done using
        byte accesses.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        FTL loadStructure always generates invalid IR
        https://bugs.webkit.org/show_bug.cgi?id=129747

        Reviewed by Mark Hahnenberg.

        As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
        of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
        to have a pointer to a type, and you can only load things of that type from that
        pointer. Pointer arithmetic is basically not possible except through the bizarre
        getelementptr operator. This doesn't fit with how the JS object model works since
        the JS object model doesn't consist of nice and tidy C types placed in C arrays.
        Also, it would be impossible to use getelementptr and LLVM pointers for accessing
        any of JSC's C or C++ objects unless we went through the exercise of redeclaring
        all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
        this for us, but that would require that to use the FTL, JSC itself would have to
        be compiled with clang. Worse, it would have to be compiled with a clang that uses
        a version of LLVM that is compatible with the one against which the FTL is linked.
        Yuck!

        The solution is to NEVER use LLVM pointers. This has always been the case in the
        FTL. But it causes some confusion.
        
        Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
        pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
        "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
        pointer that has the type that we want. The load and store operations over pointers
        are called Output::load* and Output::store*, where * is one of "8", "16", "32",
        "64", "Ptr", "Float", or "Double.
        
        There is unavoidable confusion here. It would be bizarre for the FTL to call its
        "pointer-wide integers" anything other than "pointers", since they are, in all
        respects that we care about, simply pointers. But they are *not* LLVM pointers and
        they never will be that.
        
        There is one exception to this "no pointers" rule. The FTL does use actual LLVM
        pointers for refering to LLVM alloca's - i.e. local variables. To try to reduce
        confusion, we call these "references". So an "FTL reference" is actually an "LLVM
        pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
        methods for access called Output::get and Output::set. These lower to LLVM load
        and store, since FTL references are just LLVM pointers.
        
        This confusion appears to have led to incorrect code in loadStructure().
        loadStructure() was using get() and set() to access FTL pointers. But those methods
        don't work on FTL pointers and never will, since they are for FTL references.
        
        The worst part of this is that it was previously impossible to have test coverage
        for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
        patch fixes this by introducing a Masquerader object to jsc.cpp.
        
        * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
        * ftl/FTLOutput.h: Add a comment to disuade people from using get() and set().
        * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
        (WTF::Masquerader::Masquerader):
        (WTF::Masquerader::create):
        (WTF::Masquerader::createStructure):
        (GlobalObject::finishCreation):
        (functionMakeMasquerader):
        * tests/stress/equals-masquerader.js: Added.
        (foo):
        (test):

2014-03-05  Anders Carlsson  <andersca@apple.com>

        Tweak after r165109 to avoid extra copies
        https://bugs.webkit.org/show_bug.cgi?id=129745

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFGStoreBarrierElisionPhase should should GCState directly instead of m_gcClobberSet when calling writesOverlap()
        https://bugs.webkit.org/show_bug.cgi?id=129717

        Reviewed by Filip Pizlo.

        * dfg/DFGStoreBarrierElisionPhase.cpp:
        (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
        (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use range-based loops where possible in Heap methods
        https://bugs.webkit.org/show_bug.cgi?id=129513

        Reviewed by Mark Lam.

        Replace old school iterator based loops with the new range-based loop hotness
        for a better tomorrow.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::clearMarks):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::traceMarked):
        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-04  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.
        
        Rolling this back in after fixing an assertion failure. speculateMisc() should have
        said DFG_TYPE_CHECK instead of typeCheck.
        
        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.
        
        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.
        
        This also improves constant folding of CompareStrictEq and CompareEq.
        
        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.
        
        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

2014-03-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165085.
        http://trac.webkit.org/changeset/165085
        https://bugs.webkit.org/show_bug.cgi?id=129729

        Broke imported/w3c/html-templates/template-element/template-
        content.html (Requested by ap on #webkit).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBoolean):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        * tests/stress/float32-array-out-of-bounds.js: Removed.
        * tests/stress/weird-equality-folding-cases.js: Removed.

2014-03-04  Brian Burg  <bburg@apple.com>

        Inspector does not restore breakpoints after a page reload
        https://bugs.webkit.org/show_bug.cgi?id=129655

        Reviewed by Joseph Pecoraro.

        Fix a regression introduced by r162096 that erroneously removed
        the inspector backend's mapping of files to breakpoints whenever the
        global object was cleared.

        The inspector's breakpoint mappings should only be cleared when the
        debugger agent is disabled or destroyed. We should only clear the
        debugger's breakpoint state when the global object is cleared.

        To make it clearer what state is being cleared, the two cases have
        been split into separate methods.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-03-04  Andreas Kling  <akling@apple.com>

        Streamline JSValue::get().
        <https://webkit.org/b/129720>

        Fetch each Structure and VM only once when walking the prototype chain
        in JSObject::getPropertySlot(), then pass it along to the functions
        we call from there, so they don't have to re-fetch it.

        Reviewed by Geoff Garen.

        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.
        
        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.
        
        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.
        
        This also improves constant folding of CompareStrictEq and CompareEq.
        
        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.
        
        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

2014-03-04  Andreas Kling  <akling@apple.com>

        Spam static branch prediction hints on JS bindings.
        <https://webkit.org/b/129703>

        Add LIKELY hint to jsDynamicCast since it's always used in a context
        where we expect it to succeed and takes an error path when it doesn't.

        Reviewed by Geoff Garen.

        * runtime/JSCell.h:
        (JSC::jsDynamicCast):

2014-03-04  Andreas Kling  <akling@apple.com>

        Get to Structures more efficiently in JSCell::methodTable().
        <https://webkit.org/b/129702>

        In JSCell::methodTable(), get the VM once and pass that along to
        structure(VM&) instead of using the heavier structure().

        In JSCell::methodTable(VM&), replace calls to structure() with
        calls to structure(VM&).

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTable):

2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
        https://bugs.webkit.org/show_bug.cgi?id=129697

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):

2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge API shims and JSLock
        https://bugs.webkit.org/show_bug.cgi?id=129650

        Reviewed by Mark Lam.

        JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
        to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/APIShims.h: Removed.
        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::init):
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::customHasInstance):
        (JSC::JSCallbackObject<Parent>::call):
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        (JSContextGetGlobalObject):
        (JSContextGetGlobalContext):
        (JSGlobalContextCopyName):
        (JSGlobalContextSetName):
        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetPrototype):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        (JSObjectCopyPropertyNames):
        (JSPropertyNameArrayRelease):
        (JSPropertyNameAccumulatorAddName):
        * API/JSScriptRef.cpp:
        * API/JSValue.mm:
        (isDate):
        (isArray):
        (containerValueToObject):
        (valueToArray):
        (valueToDictionary):
        (objectToValue):
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsUndefined):
        (JSValueIsNull):
        (JSValueIsBoolean):
        (JSValueIsNumber):
        (JSValueIsString):
        (JSValueIsObject):
        (JSValueIsObjectOfClass):
        (JSValueIsEqual):
        (JSValueIsStrictEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueMakeUndefined):
        (JSValueMakeNull):
        (JSValueMakeBoolean):
        (JSValueMakeNumber):
        (JSValueMakeString):
        (JSValueMakeFromJSONString):
        (JSValueCreateJSONString):
        (JSValueToBoolean):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        (JSValueProtect):
        (JSValueUnprotect):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (constructorHasInstance):
        (makeWrapper):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsFunction):
        (JSC::objCCallbackFunctionCallAsConstructor):
        (objCCallbackFunctionForInvocation):
        * CMakeLists.txt:
        * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::~DelayedReleaseScope):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        (JSC::HeapTimer::timerEvent):
        * heap/IncrementalSweeper.cpp:
        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        * jsc.cpp:
        (jscmain):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * testRegExp.cpp:
        (realMain):

2014-03-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r164812.
        http://trac.webkit.org/changeset/164812
        https://bugs.webkit.org/show_bug.cgi?id=129699

        it made things run slower (Requested by pizlo on #webkit).

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        GetMyArgumentByVal in FTL
        https://bugs.webkit.org/show_bug.cgi?id=128850

        Reviewed by Oliver Hunt.
        
        This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
        They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
        caused it to think that the arity check had failed if the caller had passed more
        arguments than needed. This would cause the call frame copying to sort of go into
        reverse (because the amount-by-which-we-failed-arity would have opposite sign,
        throwing off a bunch of math) and the stack would end up being corrupted.
        
        The bug was revealed by two existing tests although as far as I could tell, neither
        test was intending to cover this case directly. So, I added a new test.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLState.h:
        * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
        * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
        * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
        * tests/stress/ftl-get-my-argument-by-val.js: Added.

2014-03-04  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Build the Udis86 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=129679

        Reviewed by Michael Saboff.

        * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
        * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.

2014-03-04  Andreas Kling  <akling@apple.com>

        Fix too-narrow assertion I added in r165054.

        It's okay for a 1-character string to come in here. This will happen
        if the VM small string optimization doesn't apply (ch > 0xFF)

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Andreas Kling  <akling@apple.com>

        Micro-optimize Strings in JS bindings.
        <https://webkit.org/b/129673>

        Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
        This avoids branches in length() and operator[].

        Also call JSString::create() directly instead of jsString() and just
        assert that the string length is >1. This way we don't duplicate the
        optimizations for empty and single-character strings.

        Reviewed by Ryosuke Niwa.

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Implement Number.prototype.clz()
        https://bugs.webkit.org/show_bug.cgi?id=129479

        Reviewed by Oliver Hunt.

        Implemented Number.prototype.clz() as specified in the ES6 standard.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncClz):

2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
        https://bugs.webkit.org/show_bug.cgi?id=129631

        Reviewed by Timothy Hatcher.

        Avoid deref() too early if a client calls close(). The xpc_connection_close
        will cause another XPC_ERROR event to come in from the queue, deref then.
        Likewise, protect multithreaded access to m_client. If a client calls
        close() we want to immediately clear the pointer to prevent calls to it.

        Overall the multi-threading aspects of RemoteInspectorXPCConnection are
        growing too complicated for probably little benefit. We may want to
        clean this up later.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::xpcConnectionFailed):
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        (Inspector::RemoteInspectorXPCConnection::sendMessage):

2014-03-03  Michael Saboff  <msaboff@apple.com>

        AbstractMacroAssembler::CachedTempRegister should start out invalid
        https://bugs.webkit.org/show_bug.cgi?id=129657

        Reviewed by Filip Pizlo.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        - Invalidate all cached registers in constructor as we don't know the
          contents of any register at the entry to the code we are going to
          generate.

2014-03-03  Andreas Kling  <akling@apple.com>

        StructureOrOffset should be fastmalloced.
        <https://webkit.org/b/129640>

        Reviewed by Geoffrey Garen.

        * runtime/StructureIDTable.h:

2014-03-03  Michael Saboff  <msaboff@apple.com>

        Crash in JIT code while watching a video @ storyboard.tumblr.com
        https://bugs.webkit.org/show_bug.cgi?id=129635

        Reviewed by Filip Pizlo.

        Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
        construtor.

        * jit/TempRegisterSet.cpp:
        (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
        * jit/TempRegisterSet.h:
        (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
        (JSC::TempRegisterSet::clearAll): New private helper.

2014-03-03  Benjamin Poulain  <benjamin@webkit.org>

        [x86] Improve code generation of byte test
        https://bugs.webkit.org/show_bug.cgi?id=129597

        Reviewed by Geoffrey Garen.

        When possible, test the 8 bit register to itself instead of comparing it
        to a literal.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::test32):

2014-03-03  Mark Lam  <mark.lam@apple.com>

        Web Inspector: debugger statements do not break.
        <https://webkit.org/b/129524>

        Reviewed by Geoff Garen.

        Since we no longer call op_debug hooks unless there is a debugger request
        made on the CodeBlock, the op_debug for the debugger statement never gets
        serviced.

        With this fix, we check in the CodeBlock constructor if any debugger
        statements are present.  If so, we set a m_hasDebuggerStatement flag that
        causes the CodeBlock to show as having debugger requests.  Hence,
        breaking at debugger statements is now restored.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):
        (JSC::CodeBlock::clearDebuggerRequests):

2014-03-03  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
        <https://webkit.org/b/129393>

        Reviewed by Geoffrey Garen.

        The issue manifests because the debugger will iterate all CodeBlocks in
        the heap when setting / clearing breakpoints, but it is possible for a
        CodeBlock to have been instantiate but is not yet registered with the
        debugger.  This can happen because of the following:

        1. DFG worklist compilation is still in progress, and the target
           codeBlock is not ready for installation in its executable yet.

        2. DFG compilation failed and we have a codeBlock that will never be
           installed in its executable, and the codeBlock has not been cleaned
           up by the GC yet.

        The code for installing the codeBlock in its executable is the same code
        that registers it with the debugger.  Hence, these codeBlocks are not
        registered with the debugger, and any pending breakpoints that would map
        to that CodeBlock is as yet unset or will never be set.  As such, an
        attempt to remove a breakpoint in that CodeBlock will fail that assertion.

        To fix this, we do the following:

        1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
           compilation.  This is achieved by providing a
           DeferredCompilationCallback::compilationDidComplete() that does this
           clean up, and have all sub classes call it at the end of their
           compilationDidComplete() methods.

        2. Before the debugger or profiler iterates CodeBlocks in the heap, they
           will wait for all compilations to complete before proceeding.  This
           ensures that:
           1. any zombie CodeBlocks would have been cleaned up, and won't be
              seen by the debugger or profiler.
           2. all CodeBlocks that the debugger and profiler needs to operate on
              will be "ready" for whatever needs to be done to them e.g.
              jettison'ing of DFG codeBlocks.

        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::compilationDidComplete):
        * bytecode/DeferredCompilationCallback.h:
        - Provide default implementation method to clean up zombie CodeBlocks.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        - Utility function to iterate CodeBlocks.  It ensures that all compilations
          are complete before proceeding.
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::clearDebuggerRequests):
        - Use the utility iterator function.

        * debugger/Debugger.h:
        * dfg/DFGOperations.cpp:
        - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        - Remove unneeded code (that was not the best solution anyway) for ensuring
          that we don't generate new DFG codeBlocks after enabling the debugger or
          profiler.  Now that we wait for compilations to complete before proceeding
          with debugger and profiler work, this scenario will never happen.

        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::remove):
        * heap/CodeBlockSet.h:
        * heap/Heap.h:
        (JSC::Heap::removeCodeBlock):
        - New method to remove a codeBlock from the codeBlock set.

        * jit/JITOperations.cpp:
        - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.

        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * runtime/VM.cpp:
        (JSC::VM::waitForCompilationsToComplete):
        - Renamed from prepareToDiscardCode() to be clearer about what it does.

        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        - Wait for compilation to complete before enabling the profiler.

        * runtime/VM.h:

2014-03-03  Brian Burg  <bburg@apple.com>

        Another unreviewed build fix attempt for Windows after r164986.

        We never told Visual Studio to copy over the web replay code generator scripts
        and the generated headers for JavaScriptCore replay inputs as if they were
        private headers.

        * JavaScriptCore.vcxproj/copy-files.cmd:

2014-03-03  Brian Burg  <bburg@apple.com>

        Web Replay: upstream input storage, capture/replay machinery, and inspector domain
        https://bugs.webkit.org/show_bug.cgi?id=128782

        Reviewed by Timothy Hatcher.

        Alter the replay inputs code generator so that it knows when it is necessary to
        to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Framework.fromString):
        (Frameworks): Add WTF as an allowed framework for code generation.
        (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
        (Generator.generate_includes.declaration):
        (Generator.generate_includes.or):
        (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
        https://bugs.webkit.org/show_bug.cgi?id=129591

        Reviewed by Michael Saboff.

        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constuctor should be private, only from() should call it.
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::stubRoutine):
        * jit/Repatch.cpp:
        (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        Debugging improvements from my gbemu investigation session
        https://bugs.webkit.org/show_bug.cgi?id=129599

        Reviewed by Mark Lam.
        
        Various improvements from when I was investigating bug 129411.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDescribe): Make describe() return a string rather than printing the string.
        (functionDescribeArray): Like describe(), but prints details about arrays.

2014-02-25  Andreas Kling  <akling@apple.com>

        JSDOMWindow::commonVM() should return a reference.
        <https://webkit.org/b/129293>

        Added a DropAllLocks constructor that takes VM& without null checks.

        Reviewed by Geoff Garen.

2014-03-02  Mark Lam  <mark.lam@apple.com>

        CodeBlock::hasDebuggerRequests() should returning a bool instead of an int.
        <https://webkit.org/b/129584>

        Reviewed by Darin Adler.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):

2014-03-02  Mark Lam  <mark.lam@apple.com>

        Clean up use of Options::enableConcurrentJIT().
        <https://webkit.org/b/129582>

        Reviewed by Filip Pizlo.

        DFG Driver was conditionally checking Options::enableConcurrentJIT()
        only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
        enableConcurrentJIT set to false.

        Instead we should configure Options::enableConcurrentJIT() to be false
        in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
        check Options::enableConcurrentJIT().  This makes the code read a little
        cleaner.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
        stress tests.

        * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.

2014-03-01  Andreas Kling  <akling@apple.com>

        JSCell::fastGetOwnProperty() should get the Structure more efficiently.
        <https://webkit.org/b/129560>

        Now that structure() is nontrivial and we have a faster structure(VM&),
        make use of that in fastGetOwnProperty() since we already have VM.

        Reviewed by Sam Weinig.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-03-01  Andreas Kling  <akling@apple.com>

        Avoid going through ExecState for VM when we already have it (in some places.)
        <https://webkit.org/b/129554>

        Tweak some places that jump through unnecessary hoops to get the VM.
        There are many more like this.

        Reviewed by Sam Weinig.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should support PhantomArguments
        https://bugs.webkit.org/show_bug.cgi?id=113986

        Reviewed by Oliver Hunt.
        
        Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
        object into the FTL's OSR exit compiler.
        
        This isn't a speed-up yet, since there is still more to be done to fully support
        all of the arguments craziness that our varargs benchmarks do.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
        * dfg/DFGOSRExitCompilerCommon.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
        * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
        * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):

2014-02-28  Andreas Kling  <akling@apple.com>

        JSObject::findPropertyHashEntry() should take VM instead of ExecState.
        <https://webkit.org/b/129529>

        Callers already have VM in a local, and findPropertyHashEntry() only
        uses the VM, no need to go all the way through ExecState.

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        * runtime/JSObject.h:

2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>

        Deadlock remotely inspecting iOS Simulator
        https://bugs.webkit.org/show_bug.cgi?id=129511

        Reviewed by Timothy Hatcher.

        Avoid synchronous setup. Do it asynchronously, and let
        the RemoteInspector singleton know later if it failed.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setupFailed):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):

2014-02-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=129488

        Reviewed by Mark Lam.

        Whoops, modify the right register.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
        https://bugs.webkit.org/show_bug.cgi?id=129503

        Reviewed by Mark Lam.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        (JSC::FTL::Output::intrinsicOrOperation):

2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix !ENABLE(GGC) builds

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up Heap::collect and Heap::markRoots
        https://bugs.webkit.org/show_bug.cgi?id=129464

        Reviewed by Geoffrey Garen.

        These functions have built up a lot of cruft recently. 
        We should do a bit of cleanup to make them easier to grok.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::clearLivenessData):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::converge):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::resetVisitors):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::collect):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::deleteOldCode):
        (JSC::Heap::flushOldStructureIDTables):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::stopAllocation):
        (JSC::Heap::reapWeakHandles):
        (JSC::Heap::sweepArrayBuffers):
        (JSC::Heap::snapshotMarkedSpace):
        (JSC::Heap::deleteSourceProviderCaches):
        (JSC::Heap::notifyIncrementalSweeper):
        (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
        (JSC::Heap::resetAllocators):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::resumeCompilerThreads):
        * heap/Heap.h:

2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>

        indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
        https://bugs.webkit.org/show_bug.cgi?id=129466

        Reviewed by Michael Saboff.

        Refactored the code to avoid calling JSString::value when needle is longer than haystack.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):

2014-02-27  Timothy Hatcher  <timothy@apple.com>

        Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.

        https://bugs.webkit.org/show_bug.cgi?id=129458

        Reviewed by Joseph Pecoraro.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
        line ending type and don't try to strip the line ending. Use size_t
        (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
        This will include the line ending in the lines, but that is okay.
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
        (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
        https://bugs.webkit.org/show_bug.cgi?id=129446

        Reviewed by Timothy Hatcher.

        Remove duplicate header entries in Copy Header build phase.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-27  Oliver Hunt  <oliver@apple.com>

        Whoops, include all of last patch.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-27  Oliver Hunt  <oliver@apple.com>

        Slow cases for function.apply and function.call should not require vm re-entry
        https://bugs.webkit.org/show_bug.cgi?id=129454

        Reviewed by Geoffrey Garen.

        Implement call and apply using builtins. Happily the use
        of @call and @apply don't perform function equality checks
        and just plant direct var_args calls. This did expose a few
        codegen issues, but they're all covered by existing tests
        once call and apply are implemented in JS.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Function.prototype.js: Added.
        (call):
        (apply):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::isSafeBuiltinIdentifier):
        * runtime/CommonIdentifiers.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSObject.h:

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
        https://bugs.webkit.org/show_bug.cgi?id=129443

        Reviewed by Timothy Hatcher.

        This queue is specific to the JSContext debuggable connections,
        there is no XPC involved. Give it a better name.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):

2014-02-27  David Kilzer  <ddkilzer@apple.com>

        Remove jsc symlink if it already exists

        This is a follow-up fix for:

        Create symlink to /usr/local/bin/jsc during installation
        <http://webkit.org/b/129399>
        <rdar://problem/16168734>

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (Create /usr/local/bin/jsc symlink): If a jsc symlink already
        exists where we're about to create the symlink, remove the old
        one first.

2014-02-27  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for Mac tools after r164814

        * Configurations/ToolExecutable.xcconfig:
        - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Changed productName to testRegExp for testRegExp target.

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-27  David Kilzer  <ddkilzer@apple.com>

        Create symlink to /usr/local/bin/jsc during installation
        <http://webkit.org/b/129399>
        <rdar://problem/16168734>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Add "Create /usr/local/bin/jsc symlink" build phase script to
          create the symlink during installation.

2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Math.{max, min}() must not return after first NaN value
        https://bugs.webkit.org/show_bug.cgi?id=104147

        Reviewed by Oliver Hunt.

        According to the spec, ToNumber going to be called on each argument
        even if a `NaN` value was already found

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):

2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>

        JSType upper limit (0xff) assertion can be removed.
        https://bugs.webkit.org/show_bug.cgi?id=129424

        Reviewed by Geoffrey Garen.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2014-02-26  Michael Saboff  <msaboff@apple.com>

        Auto generate bytecode information for bytecode parser and LLInt
        https://bugs.webkit.org/show_bug.cgi?id=129181

        Reviewed by Mark Lam.

        Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
        helpers.  It also includes bytecode length and other information used to generate files.
        Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
        in DerivedSources/JavaScriptCore/.

        Added the generation of these files to the "DerivedSource" build step.
        Slighty changed the build order, since the Bytecodes.h file is needed by
        JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
        to be run after JSCLLIntOffsetsExtractor.

        Made related changes to OPCODE macros and their use.

        Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
        jsc to resolve Mac build issue.

        * CMakeLists.txt:
        * Configurations/JSC.xcconfig:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntOpcode.h:
        * llint/LowLevelInterpreter.asm:

2014-02-27  Julien Brianceau   <jbriance@cisco.com>

        Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
        https://bugs.webkit.org/show_bug.cgi?id=129420

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
        Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.

2014-02-27  Filip Pizlo  <fpizlo@apple.com>

        Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
        https://bugs.webkit.org/show_bug.cgi?id=129435

        Reviewed by Oliver Hunt.
        
        This is a 5-10% speed-up on Octane/closure.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionClearCodeCache):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):

2014-02-27  Alexey Proskuryakov  <ap@apple.com>

        Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.

        * inspector/scripts: Added property svn:ignore.
        * replay/scripts: Added property svn:ignore.

2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
        (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
        (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveWithPatch):

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        EFL build fix

        * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Make JSCells have 32-bit Structure pointers
        https://bugs.webkit.org/show_bug.cgi?id=123195

        Reviewed by Filip Pizlo.

        This patch changes JSCells such that they no longer have a full 64-bit Structure
        pointer in their header. Instead they now have a 32-bit index into
        a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
        pointers.

        This change frees up an additional 32 bits of information in our object headers.
        We then use this extra space to store the indexing type of the object, the JSType
        of the object, some various type flags, and garbage collection data (e.g. mark bit).
        Because this inline type information is now faster to read, it pays for the slowdown 
        incurred by having to perform an extra indirection through the StructureIDTable.

        This patch also threads a reference to the current VM through more of the C++ runtime
        to offset the cost of having to look up the VM to get the actual Structure pointer.

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch32WithPatch):
        (JSC::MacroAssembler::patchableBranch32):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchPtrWithPatch):
        (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::store8):
        (JSC::MacroAssemblerARMv7::branch32WithPatch):
        (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branch32WithPatch):
        (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store32):
        (JSC::MacroAssemblerX86_64::moveWithPatch):
        (JSC::MacroAssemblerX86_64::branch32WithPatch):
        (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::revertJumpTo_movq_i64r):
        (JSC::X86Assembler::revertJumpTo_movl_i32r):
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfLastSeenStructureID):
        (JSC::ArrayProfile::observeStructure):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::heap):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/Debugger.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchWeakStructure):
        (JSC::DFG::JITCompiler::branchStructurePtr):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGWorklist.cpp:
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isString):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
        (JSC::FTL::LowerDFGToLLVM::isType):
        (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::weakStructure):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store8):
        * heap/GCAssertions.h:
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::collect):
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::structureIDTable):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachBlock):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfCellNotObject):
        (JSC::AssemblyHelpers::genericWriteBarrier):
        (JSC::AssemblyHelpers::emitLoadStructure):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::generateFastPathChecks):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::checkStructure):
        (JSC::JIT::emitJumpIfCellNotObject):
        (JSC::JIT::emitAllocateJSObject):
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
        (JSC::JIT::branchStructure):
        (JSC::branchStructure):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_to_this):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitLoadWithStructureCheck):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        (JSC::JIT::checkMarkWord):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::addStructureTransitionCheck):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitLoadWithStructureCheck):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfNotType):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::addStructureTransitionCheck):
        (JSC::replaceWithJump):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::writeBarrier):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):
        (JSC::arrayIteratorNextThunkGenerator):
        * jit/UnusedPointer.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::createStrictModeCallerIfNecessary):
        (JSC::Arguments::createStrictModeCalleeIfNecessary):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::performSlowSort):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Executable.h:
        (JSC::ExecutableBase::isFunctionExecutable):
        (JSC::ExecutableBase::clearCodeVirtual):
        (JSC::ScriptExecutable::unlinkCalls):
        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):
        * runtime/InitializeThreading.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::sortNumericVector):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        (JSC::JSArray::compactForSorting):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toThis):
        (JSC::JSValue::put):
        (JSC::JSValue::putByIndex):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::deleteProperty):
        (JSC::JSCell::deletePropertyByIndex):
        * runtime/JSCell.h:
        (JSC::JSCell::clearStructure):
        (JSC::JSCell::mark):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::structureIDOffset):
        (JSC::JSCell::typeInfoFlagsOffset):
        (JSC::JSCell::typeInfoTypeOffset):
        (JSC::JSCell::indexingTypeOffset):
        (JSC::JSCell::gcDataOffset):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::JSCell::type):
        (JSC::JSCell::indexingType):
        (JSC::JSCell::structure):
        (JSC::JSCell::visitChildren):
        (JSC::JSCell::isObject):
        (JSC::JSCell::isString):
        (JSC::JSCell::isGetterSetter):
        (JSC::JSCell::isProxy):
        (JSC::JSCell::isAPIValueWrapper):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable):
        (JSC::Heap::writeBarrier):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::createStructure):
        * runtime/JSDestructibleObject.h:
        (JSC::JSCell::classInfo):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::createStructure):
        * runtime/JSObject.cpp:
        (JSC::getCallableObjectSlow):
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::put):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::hasOwnProperty):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getPrimitiveNumber):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::growOutOfLineStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        * runtime/JSObject.h:
        (JSC::getJSFunction):
        (JSC::JSObject::getArrayLength):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):
        (JSC::JSObject::getDirectIndex):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::rageEnsureContiguous):
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        (JSC::JSObject::arrayStorageOrNull):
        (JSC::JSObject::ensureLength):
        (JSC::JSObject::currentIndexingData):
        (JSC::JSObject::getHolyIndexQuickly):
        (JSC::JSObject::currentRelevantLength):
        (JSC::JSObject::isGlobalObject):
        (JSC::JSObject::isVariableObject):
        (JSC::JSObject::isStaticScopeObject):
        (JSC::JSObject::isNameScopeObject):
        (JSC::JSObject::isActivationObject):
        (JSC::JSObject::isErrorInstance):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::getOwnPropertySlot):
        (JSC::JSProxy::getOwnPropertySlotByIndex):
        (JSC::JSProxy::put):
        (JSC::JSProxy::putByIndex):
        (JSC::JSProxy::defineOwnProperty):
        (JSC::JSProxy::deleteProperty):
        (JSC::JSProxy::deletePropertyByIndex):
        (JSC::JSProxy::getPropertyNames):
        (JSC::JSProxy::getOwnPropertyNames):
        * runtime/JSScope.cpp:
        (JSC::JSScope::objectAtScope):
        * runtime/JSString.h:
        (JSC::JSString::createStructure):
        (JSC::isJSString):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::isObject):
        (JSC::TypeInfo::structureIsImmortal):
        (JSC::TypeInfo::zeroedGCDataOffset):
        (JSC::TypeInfo::inlineTypeFlags):
        * runtime/MapData.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorDefineProperty):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToString):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess):
        (JSC::normalizePrototypeChain):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::~Structure):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:
        (JSC::Structure::id):
        (JSC::Structure::idBlob):
        (JSC::Structure::objectInitializationFields):
        (JSC::Structure::structureIDOffset):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureIDTable.cpp: Added.
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::~StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h: Added.
        (JSC::StructureIDTable::base):
        (JSC::StructureIDTable::get):
        * runtime/SymbolTable.h:
        * runtime/TypedArrayType.cpp:
        (JSC::typeForTypedArrayType):
        * runtime/TypedArrayType.h:
        * runtime/WeakMapData.h:

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unconditional logging in compileFTLOSRExit
        https://bugs.webkit.org/show_bug.cgi?id=129407

        Reviewed by Michael Saboff.

        This was causing tests to fail with the FTL enabled.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):

2014-02-26  Oliver Hunt  <oliver@apple.com>

        Remove unused access types
        https://bugs.webkit.org/show_bug.cgi?id=129385

        Reviewed by Filip Pizlo.

        Remove unused cruft.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::isPutByIdAccess):

2014-02-26  Oliver Hunt  <oliver@apple.com>

        Function.prototype.apply has a bad time with the spread operator
        https://bugs.webkit.org/show_bug.cgi?id=129381

        Reviewed by Mark Hahnenberg.

        Make sure our apply logic handle the spread operator correctly.
        To do this we simply emit the enumeration logic that we'd normally
        use for other enumerations, but only store the first two results
        to registers.  Then perform a varargs call.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ApplyFunctionCallDotNode::emitBytecode):

2014-02-26  Mark Lam  <mark.lam@apple.com>

        Compilation policy management belongs in operationOptimize(), not the DFG Driver.
        <https://webkit.org/b/129355>

        Reviewed by Filip Pizlo.

        By compilation policy, I mean the rules for determining whether to
        compile, when to compile, when to attempt compilation again, etc.  The
        few of these policy decisions that were previously being made in the
        DFG driver are now moved to operationOptimize() where we keep the rest
        of the policy logic.  Decisions that are based on the capabilities
        supported by the DFG are moved to DFG capabiliityLevel().

        I've run the following benchmarks:
        1. the collection of jsc benchmarks on the jsc executable vs. its
           baseline.
        2. Octane 2.0 in browser without the WebInspector.
        3. Octane 2.0 in browser with the WebInspector open and a breakpoint
           set somewhere where it won't break.

        In all of these, the results came out to be a wash as expected.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCapabilities.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/JITOperations.cpp:

2014-02-26  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
        <https://webkit.org/b/129364>

        Reviewed by Alexey Proskuryakov.

        InjectedScriptModule::ensureInjected() needs an APIEntryShim.

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        - Added the needed but missing APIEntryShim. 

2014-02-25  Mark Lam  <mark.lam@apple.com>

        Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
        <https://webkit.org/b/128766>

        Reviewed by Geoffrey Garen.

        Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
        The reasoning is that we don't know of any clients that need unordered
        re-entry into the VM from different threads. So, we're enforcing ordered
        re-entry i.e. we must re-grab locks in the reverse order of dropping locks.

        The crash in this bug happened because we were allowing unordered re-entry,
        and the following type of scenario occurred:

        1. Thread T1 locks the VM, and enters the VM to execute some JS code.
        2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
           first time it entered the VM.
           T1 sets VM::m_entryScope to T1's entryScope.
        3. T1 drops all locks.

        4. Thread T2 locks the VM, and enters the VM to execute some JS code.
           On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
           does not set the entryScope.
        5. T2 drops all locks.

        6. T1 re-grabs locks.
        7. T1 returns all the way out of JS code. On exit from the outer most
           JS function, T1 clears VM::m_entryScope (because T1 was the one who
           set it).
        8. T1 unlocks the VM.

        9. T2 re-grabs locks.
        10. T2 proceeds to execute some code and expects VM::m_entryScope to be
            NOT null, but it turns out to be null. Assertion failures and
            crashes ensue.

        With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
        the VM. Hence, the issue will no longer manifest.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::DropAllLocks::dropDepth):

2014-02-25  Mark Lam  <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Not reviewed.

        Relanding r164627 now that <https://webkit.org/b/129341> is fixed.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::hasExclusiveThread):
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::hasExclusiveThread):
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        Inline caching in the FTL on ARM64 should "work"
        https://bugs.webkit.org/show_bug.cgi?id=129334

        Reviewed by Mark Hahnenberg.
        
        Gets us to the point where simple tests that use inline caching are passing.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::shrink):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        (JSC::FTL::sizeOfCall):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * jit/GPRInfo.h:
        * offlineasm/arm64.rb:

2014-02-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r164627.
        http://trac.webkit.org/changeset/164627
        https://bugs.webkit.org/show_bug.cgi?id=129325

        Broke SubtleCrypto tests (Requested by ap on #webkit).

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        ARM64 rshift64 should be an arithmetic shift
        https://bugs.webkit.org/show_bug.cgi?id=129323

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::rshift64):

2014-02-25  Sergio Villar Senin  <svillar@igalia.com>

        [CSS Grid Layout] Add ENABLE flag
        https://bugs.webkit.org/show_bug.cgi?id=129153

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.

2014-02-25  Michael Saboff  <msaboff@apple.com>

        JIT Engines use the wrong stack limit for stack checks
        https://bugs.webkit.org/show_bug.cgi?id=129314

        Reviewed by Filip Pizlo.

        Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * runtime/VM.h:
        (JSC::VM::addressOfStackLimit):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164493.
        
        It causes crashes, apparently because it's removing too many barriers. I will investigate
        later.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotNully):
        (JSC::FTL::LowerDFGToLLVM::isNully):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-24  Oliver Hunt  <oliver@apple.com>

        Fix build.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-02-24  Oliver Hunt  <oliver@apple.com>

        Spread operator has a bad time when applied to call function
        https://bugs.webkit.org/show_bug.cgi?id=128853

        Reviewed by Geoffrey Garen.

        Follow on from the previous patch the added an extra slot to
        op_call_varargs (and _call, _call_eval, _construct).  We now
        use the slot as an offset to in effect act as a 'slice' on
        the spread subject.  This allows us to automatically retain
        all our existing argument and array optimisatons.  Most of
        this patch is simply threading the offset around.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::getArgumentByVal):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:

2014-02-24  Mark Lam  <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Reviewed by Geoffrey Garen.

        We check VM::exclusiveThread as an optimization to forego the need to do
        JSLock locking. However, we recently started piggy backing on JSLock's
        lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
        and lastStackTop) to appropriate values for the current thread. This is
        needed because we may be acquiring the lock to enter the VM on a different
        thread.

        As a result, we ended up not initializing the VM stack data when
        VM::exclusiveThread causes us to bypass the locking activity. Even though
        the VM::exclusiveThread will not have to deal with the VM being entered
        on a different thread, it still needs to initialize the VM stack data.
        The VM relies on that data being initialized properly once it has been
        entered.

        With this fix, we push the check for exclusiveThread down into the JSLock,
        and handle the bypassing of unneeded locking activity there while still
        executing the necessary the VM stack data initialization.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSLock::unlock):
        (JSLock::currentThreadIsHoldingLock):
        (JSLock::dropAllLocks):
        (JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-24  Filip Pizlo  <fpizlo@apple.com>

        FTL should do polymorphic PutById inlining
        https://bugs.webkit.org/show_bug.cgi?id=129210

        Reviewed by Mark Hahnenberg and Oliver Hunt.
        
        This makes PutByIdStatus inform us about polymorphic cases by returning an array of
        PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
        selection of multiple inlined PutByIdVariants.
        
        MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
        http://trac.webkit.org/changeset/164207.
        
        This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
        that generate similar code.
        
        1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
        sometimes swaps field insertion order, creating fake polymorphism.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::isSimple):
        (JSC::PutByIdStatus::numVariants):
        (JSC::PutByIdStatus::variants):
        (JSC::PutByIdStatus::at):
        (JSC::PutByIdStatus::operator[]):
        * bytecode/PutByIdVariant.cpp: Added.
        (JSC::PutByIdVariant::dump):
        (JSC::PutByIdVariant::dumpInContext):
        * bytecode/PutByIdVariant.h: Added.
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::replace):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::kind):
        (JSC::PutByIdVariant::isSet):
        (JSC::PutByIdVariant::operator!):
        (JSC::PutByIdVariant::structure):
        (JSC::PutByIdVariant::oldStructure):
        (JSC::PutByIdVariant::newStructure):
        (JSC::PutByIdVariant::structureChain):
        (JSC::PutByIdVariant::offset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.cpp:
        (JSC::DFG::MultiPutByOffsetData::writesStructures):
        (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::hasMultiPutByOffsetData):
        (JSC::DFG::Node::multiPutByOffsetData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::loadProperty):
        (JSC::FTL::LowerDFGToLLVM::storeProperty):
        (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
        (JSC::FTL::LowerDFGToLLVM::storageForTransition):
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.

2014-02-24  peavo@outlook.com  <peavo@outlook.com>

        JSC regressions after r164494
        https://bugs.webkit.org/show_bug.cgi?id=129272

        Reviewed by Mark Lam.

        * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.

2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
        https://bugs.webkit.org/show_bug.cgi?id=129255

        Reviewed by Csaba Osztrogonác.

        ENABLE_WORKERS macro was removed in r159679.
        Support is now also removed from xcconfig files.

        * Configurations/FeatureDefines.xcconfig:

2014-02-24  David Kilzer  <ddkilzer@apple.com>

        Remove redundant setting in FeatureDefines.xcconfig

        * Configurations/FeatureDefines.xcconfig:

2014-02-23  Sam Weinig  <sam@webkit.org>

        Update FeatureDefines.xcconfig

        Rubber-stamped by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2014-02-23  Dean Jackson  <dino@apple.com>

        Sort the project file with sort-Xcode-project-file.

        Rubber-stamped by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-23  Sam Weinig  <sam@webkit.org>

        Move telephone number detection behind its own ENABLE macro
        https://bugs.webkit.org/show_bug.cgi?id=129236

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_TELEPHONE_NUMBER_DETECTION.

2014-02-22  Filip Pizlo  <fpizlo@apple.com>

        Refine DFG+FTL inlining and compilation limits
        https://bugs.webkit.org/show_bug.cgi?id=129212

        Reviewed by Mark Hahnenberg.
        
        Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
        and set that limit quite high. Institute a limit on inlining-into. The idea here is
        that large functions tend to be autogenerated, and code generators like emscripten
        appear to leave few inlining opportunities anyway. Also, we don't want the code
        size explosion that we would risk if we allowed compilation of a large function and
        then inlined a ton of stuff into it.
        
        This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
        regression. This is a 9% speed-up on AsmBench.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::noticeIncomingCall):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::isSmallEnoughToInlineCodeInto):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLState.h:
        (JSC::FTL::shouldShowDisassembly):
        * runtime/Options.h:

2014-02-22  Dan Bernstein  <mitz@apple.com>

        REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
        https://bugs.webkit.org/show_bug.cgi?id=129227

        Reviewed by Eric Carlson.

        Reverted r164507.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/ScriptCallStack.cpp:
        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        (Inspector::createScriptCallStackFromException):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):

2014-02-22  Joseph Pecoraro  <pecoraro@apple.com>

        Remove some unreachable code (-Wunreachable-code)
        https://bugs.webkit.org/show_bug.cgi?id=129220

        Reviewed by Eric Carlson.

        * API/tests/testapi.c:
        (EvilExceptionObject_convertToType):
        * disassembler/udis86/udis86_decode.c:
        (decode_operand):

2014-02-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, ARMv7 build fix.

        * assembler/ARMv7Assembler.h:

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
        https://bugs.webkit.org/show_bug.cgi?id=124733

        Reviewed by Oliver Hunt.
        
        This also takes the opportunity to de-duplicate some branch compaction code.

        * assembler/ARM64Assembler.h:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::buffer):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerData::AssemblerData):
        (JSC::AssemblerBuffer::AssemblerBuffer):
        (JSC::AssemblerBuffer::storage):
        (JSC::AssemblerBuffer::grow):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::executableOffsetFor):
        (JSC::LinkBuffer::applyOffset):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::link):
        * assembler/MacroAssemblerARMv7.h:

2014-02-21  Brent Fulgham  <bfulgham@apple.com>

        Extend media support for WebVTT sources
        https://bugs.webkit.org/show_bug.cgi?id=129156

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-21  Oliver Hunt  <oliver@apple.com>

        Add extra space to op_call and related opcodes
        https://bugs.webkit.org/show_bug.cgi?id=129170

        Reviewed by Mark Lam.

        No change in behaviour, just some refactoring to add an extra
        slot to the op_call instructions, and refactoring to make similar
        changes easier in future.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-02-21  Mark Lam  <mark.lam@apple.com>

        gatherFromOtherThread() needs to align the sp before gathering roots.
        <https://webkit.org/b/129169>

        Reviewed by Geoffrey Garen.

        The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
        gatherFromOtherThread() defines the range of the other thread's stack as
        being bounded by the other thread's stack pointer and stack base. While
        the stack base will always be aligned to sizeof(void*), the stack pointer
        may not be. This is because the other thread may have just pushed a 32-bit
        value on its stack before we suspended it for scanning.

        The fix is to round the stack pointer up to the next aligned address of
        sizeof(void*) and start scanning from there. On 64-bit systems, we will
        effectively ignore the 32-bit word at the bottom of the stack (top of the
        stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
        64-bit pointers should always be stored on 64-bit aligned boundaries (our
        conservative scan algorithm already depends on this assumption).

        On 32-bit systems, the rounding is effectively a no-op.

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddSpan):
        - Hardened somne assertions so that we can catch misalignment issues on
          release builds as well.
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromOtherThread):

2014-02-21  Matthew Mirman  <mmirman@apple.com>

        Added a GetMyArgumentsLengthSafe and added a speculation check.
        https://bugs.webkit.org/show_bug.cgi?id=129051

        Reviewed by Filip Pizlo.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-21  peavo@outlook.com  <peavo@outlook.com>

        [Win][LLINT] Many JSC stress test failures.
        https://bugs.webkit.org/show_bug.cgi?id=129155

        Reviewed by Michael Saboff.

        Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
        Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
        E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).

        * offlineasm/x86.rb: Swap operand order on Windows.

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        DFG write barriers should do more speculations
        https://bugs.webkit.org/show_bug.cgi?id=129160

        Reviewed by Mark Hahnenberg.
        
        Replace ConditionalStoreBarrier with the cheapest speculation that you could do
        instead.
        
        Miniscule speed-up on some things. It's a decent difference in code size, though.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        (JSC::isNotCellSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::insertPhantomCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateOther):
        (JSC::DFG::Node::shouldSpeculateNotCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Revert r164486, causing a number of test failures.

        Unreviewed rollout.

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        Revive SABI (aka shouldAlwaysBeInlined)
        https://bugs.webkit.org/show_bug.cgi?id=129159

        Reviewed by Mark Hahnenberg.
        
        This is a small Octane speed-up.

        * jit/Repatch.cpp:
        (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-20  Anders Carlsson  <andersca@apple.com>

        Modernize JSGlobalLock and JSLockHolder
        https://bugs.webkit.org/show_bug.cgi?id=129105

        Reviewed by Michael Saboff.

        Use std::mutex and std::thread::id where possible.

        * runtime/JSLock.cpp:
        (JSC::GlobalJSLock::GlobalJSLock):
        (JSC::GlobalJSLock::~GlobalJSLock):
        (JSC::GlobalJSLock::initialize):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/JSLock.h:

2014-02-20  Mark Lam  <mark.lam@apple.com>

        virtualForWithFunction() should not throw an exception with a partially initialized frame.
        <https://webkit.org/b/129134>

        Reviewed by Michael Saboff.

        Currently, when JITOperations.cpp's virtualForWithFunction() fails to
        prepare the callee function for execution, it proceeds to throw the
        exception using the callee frame which is only partially initialized
        thus far. Instead, it should be throwing the exception using the caller
        frame because:
        1. the error happened "in" the caller while preparing the callee for
           execution i.e. the caller frame is the top fully initialized frame
           on the stack.
        2. the callee frame is not fully initialized yet, and the unwind
           mechanism cannot depend on the data in it.

        * jit/JITOperations.cpp:

2014-02-20  Mark Lam  <mark.lam@apple.com>

        DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
        <https://webkit.org/b/129131>

        Reviewed by Mark Hahnenberg.

        Currently, DefaultGCActivityCallback::doWork() does not check if the GC
        needs to be deferred before commencing. As a result, the GC may crash
        and/or corrupt data because the VM is not in the consistent state needed
        for the GC to run. With this fix, doWork() now checks if the GC is
        supposed to be deferred and re-schedules if needed. It only commences
        with GC'ing when it's safe to do so.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-02-20  Geoffrey Garen  <ggaren@apple.com>

        Math.imul gives wrong results
        https://bugs.webkit.org/show_bug.cgi?id=126345

        Reviewed by Mark Hahnenberg.

        Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
        Instead, take a slow path that will do the right thing.

        * jit/ThunkGenerators.cpp:
        (JSC::imulThunkGenerator):

2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
        https://bugs.webkit.org/show_bug.cgi?id=129129

        Reviewed by Geoffrey Garen.
        
        We estimate execution counts based on loop depth, and then use those to estimate branch
        weights. These weights then get carried all the way down to LLVM prof branch_weights
        meta-data.
        
        This is better than letting LLVM do its own static estimates, since by the time we
        generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
        course, it would be even better if we just slurped in some kind of execution counts
        from profiling, but we don't do that, yet.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::insert):
        (JSC::DFG::BlockInsertionSet::insertBefore):
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoops::loopDepth):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
        (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
        (JSC::DFG::performStaticExecutionCountEstimation):
        * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.

2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        FTL may not see a compact_unwind section if there weren't any stackmaps
        https://bugs.webkit.org/show_bug.cgi?id=129125

        Reviewed by Geoffrey Garen.
        
        It's OK to not have an unwind section, so long as the function also doesn't have any
        OSR exits.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::UnwindInfo::parse):
        * ftl/FTLUnwindInfo.h:

== Rolled over to ChangeLog-2014-02-20 ==