2013-08-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/14642129> iOS: Crash in JIT code @ pivotaltracker.com due to incorrect ToPrimitive reported type speculations

        Merge ToT WebKit r153674.

    2013-08-02  Oliver Hunt  <oliver@apple.com>

        Incorrect type speculation reported by ToPrimitive
        https://bugs.webkit.org/show_bug.cgi?id=119458

        Reviewed by Mark Hahnenberg.

        Make sure that we report the correct type possibilities for the output
        from ToPrimitive

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-08-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/14642073> iOS: Incorrect ToString/liveness in MakeRope construction

        Merge ToT WebKit r153615.

    2013-08-01  Oliver Hunt  <oliver@apple.com>

        DFG is not enforcing correct ordering of ToString conversion in MakeRope
        https://bugs.webkit.org/show_bug.cgi?id=119408

        Reviewed by Filip Pizlo.

        Construct ToString and Phantom nodes in advance of MakeRope
        nodes to ensure that ordering is ensured, and correct values
        will be reified on OSR exit.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-08-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/14641805> iOS: REGRESSION: Crash when opening Facebook.com (119155)

        Merge ToT WebKit r153410.

    2013-07-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION: Crash when opening Facebook.com
        https://bugs.webkit.org/show_bug.cgi?id=119155

        Reviewed by Andreas Kling.

        Scope nodes are always objects, so we should be using SpecObjectOther
        rather than SpecCellOther.  Marking Scopes as CellOther leads to a
        contradiction in the CFA, resulting in bogus codegen.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2013-08-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/14641772> iOS: Removed unused sourceOffset from JSTokenLocation. (118996)

        Merge ToT WebKit r153071.

    2013-07-23  Mark Lam  <mark.lam@apple.com>

        Removed unused sourceOffset from JSTokenLocation.
        https://bugs.webkit.org/show_bug.cgi?id=118996.

        Reviewed by Geoffrey Garen.

        This also removes the assertion reported in the bug because it is now
        moot, thereby resolving the assertion failure issue on Windows.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::toArgumentList):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/Lexer.h:
        (JSC::::lexExpectIdentifier):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseFunctionInfo):
        (JSC::::parseExpressionOrLabelStatement):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::::parse):
        * parser/ParserTokens.h:
        (JSC::JSTokenLocation::JSTokenLocation):

2013-07-31  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/14605489> iOS: Crash beneath jsTypeStringForValue @ zazzle.com (read past the end of the Arguments array)

        Merge ToT WebKit r153500.

    2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        GetByVal on Arguments does the wrong size load when checking the Arguments object length
        https://bugs.webkit.org/show_bug.cgi?id=119281

        Reviewed by Geoffrey Garen.

        This leads to out of bounds accesses and subsequent crashes.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-07-31  Andy Estes  <aestes@apple.com>

        <rdar://problem/14601962> iOS: CodeBlock DFG entry list isn't getting shrunk-to-fit after linking. (118875)

        Merged ToT WebKit r152882.

    2013-07-18  Andreas Kling  <akling@apple.com>

        CodeBlock DFG entry list isn't getting shrunk-to-fit after linking.
        <http://webkit.org/b/118875>
        <rdar://problem/14488577>

        Reviewed by Geoffrey Garen.

        Move the CodeBlock::shrinkToFit() call out of JITCompiler::link() and to the call sites
        so SpeculativeJIT::linkOSREntries() can fill in CodeBlock::m_dfgData->osrEntry first.

        886 kB progression on <http://twitter.com/awesomekling>

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):

2013-07-31  Andy Estes  <aestes@apple.com>

        <rdar://problem/14601537> iOS: CodeBlock::m_argumentValueProfiles wastes a lot of memory. (118852)

        Merged ToT WebKit r152848.

    2013-07-18  Andreas Kling  <akling@apple.com>

        CodeBlock::m_argumentValueProfiles wastes a lot of memory.
        <http://webkit.org/b/118852>
        <rdar://problem/14481659>

        Reviewed by Anders Carlsson.

        Use Vector::resizeToFit() for CodeBlock::m_argumentValueProfiles. We don't need any padding
        for growth, since we won't be appending to it anyway.

        921 KB progression on <http://twitter.com/awesomekling>

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setNumParameters):

2013-07-30  Andy Estes  <aestes@apple.com>

        <rdar://problem/14600834> iOS: [JavaScriptCore] reference to non-existent header in JSValue.h
        
        Merged ToT WebKit r152737.
        
    2013-07-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove reference to JSValueStructSupport.h from JSExport.h
        https://bugs.webkit.org/show_bug.cgi?id=118746

        Reviewed by Filip Pizlo.

        * API/JSExport.h: No such header exists, so it doesn't make sense to reference it.

2013-07-30  Daniel Bates  <dabates@apple.com>

        <rdar://problem/14592535> iOS: Given an empty string, JSStringCreateWithCFString() should not return a JSStringRef whose characters member is NULL

        Merge ToT WebKit r152807.

    2013-07-30  Geoffrey Garen  <ggaren@apple.com>

            JSStringCreateWithCFString should not convert the empty string into the NULL string
            https://bugs.webkit.org/show_bug.cgi?id=118816

            Reviewed by Sam Weinig.

            * API/JSStringRef.cpp:
            (JSStringCreateWithUTF8CString): Removed an extraneous comment, which
            a previous version of the patch made incorrect.

            * API/JSStringRefCF.cpp:
            (JSStringCreateWithCFString): Don't convert the empty string into the
            null string.

2013-07-24  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/14534782> iOS: DFG string concatenation optimizations might emit speculative nodes after emitting nodes that kill the original inputs (119032)

        Merge ToT WebKit r153075.

    2013-07-23  Filip Pizlo  <fpizlo@apple.com>

        DFG string concatenation optimizations might emit speculative nodes after emitting nodes that kill the original inputs
        https://bugs.webkit.org/show_bug.cgi?id=119032

        Reviewed by Oliver Hunt.

        It just needs some Phantom action.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):

2013-07-21  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/14495049> iOS: LLInt get_argument_by_val for JSVALUE64 stores into the array profile when it meant to store into the value profile (118865)

        Merge ToT WebKit r152868.

    2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        LLInt get_argument_by_val for JSVALUE64 stores into the array profile when it meant to store into the value profile
        https://bugs.webkit.org/show_bug.cgi?id=118865

        Reviewed by Mark Hahnenberg.

        * llint/LowLevelInterpreter64.asm:

2013-07-21  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/14495065> iOS: DFG assumes that NewFunction will never pass its input through (118798)

        Merge ToT WebKit r152813, r152818.

    2013-07-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit after http://trac.webkit.org/changeset/152813

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

    2013-07-17  Filip Pizlo  <fpizlo@apple.com>

        DFG assumes that NewFunction will never pass its input through
        https://bugs.webkit.org/show_bug.cgi?id=118798

        Reviewed by Sam Weinig.
        
        Previously the DFG was assuming that NewFunction always returns a function. That's not
        the case. It may return whatever was passed to it, if it wasn't passed SpecEmpty.
        
        This fact needed to be wired through the compiler.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::makeTop):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-07-10  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/14417366> JavaScriptCore Uninitialized Memory Vulnerability [V-v31xnbnoc5]

        Merge OpenSource r152573

    2013-07-10  Oliver Hunt  <oliver@apple.com>

        NativeExecutable cache needs to use both call and construct functions for key
        https://bugs.webkit.org/show_bug.cgi?id=118545

        Reviewed by Geoffrey Garen.

        Make the native executable cache make use a key pair so we don't decide to
        treat all subsequent functions as not being constructors.

        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getCallData):
        (JSC::JSCell::getConstructData):

2013-07-01  Joseph Pecoraro  <pecoraro@apple.com>

        <rdar://problem/14308371> Gracefully handle dropping support for <input type="datetime">

        Drop the ENABLE so that <input type="datetime"> fallsback to the
        appearance of an <input type="text">. It was already handling like
        a textfield due to RuntimeEnabledFeatures.

        Reviewed by Jon Lee.

        * Configurations/FeatureDefines.xcconfig:

2013-07-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/14171014> Seed 1 #2 hang - MobileSafari failed to resume in time (0x8badf00d) due to JSLock deadlock between Reader detection and JS confirm dialog

        Reviewed by Geoff Garen.

        DropAllLocks needs to be more judicious with locking the SpinLock when modifying
        any of JSLock's auxiliary variables (e.g. m_lockCount, m_ownerThread, etc.).

        * runtime/JSLock.cpp:
        (JSC::JSLock::unlock):
        (JSC::JSLock::dropAllLocks): Changed to require a held SpinLock as an argument.
        (JSC::JSLock::dropAllLocksUnconditionally): Ditto.
        (JSC::JSLock::grabAllLocks): Ditto. Also now unlocks the SpinLock around acquiring 
        the mutex and then reacquires it after it gets the mutex. We have to do this since we 
        no longer control the locking of the SpinLock.
        (JSC::JSLock::DropAllLocks::DropAllLocks): DropAllLocks now takes the SpinLock before
        calling the helper functions.
        (JSC::JSLock::DropAllLocks::~DropAllLocks): Similarly, ~DropAllLocks now takes the SpinLock
        before calling grabAllLocks.
        * runtime/JSLock.h:

2013-06-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        J85: 11B404: Very high JIT memory usage in vmmap
        <rdar://problem/14235816>  

        Rubber stamped by Geoff Garen.

        CPU(ARM) doesn't include CPU(ARM64), which is how we determine the size of our fixed 
        pool of executable memory.

        * jit/ExecutableAllocator.h:

2013-06-26  Anders Carlsson  <andersca@apple.com>

        <rdar://problem/14279905> Add JSStringCreateWithCharactersNoCopy SPI (118074)
        
        Merge ToT WebKit r152052.
        
    2013-06-26  Anders Carlsson  <andersca@apple.com>

        Add JSStringCreateWithCharactersNoCopy SPI
        https://bugs.webkit.org/show_bug.cgi?id=118074
        <rdar://problem/14279905>

        Reviewed by Geoffrey Garen.

        * API/JSStringRef.cpp:
        (JSStringCreateWithCharactersNoCopy):
        Create a new OpaqueJSString, using the newly added StringImpl::createWithoutCopying function.

        * API/JSStringRefPrivate.h: Added.
        Add a home for the JSStringCreateWithCharactersNoCopy function.

        * API/OpaqueJSString.h:
        (OpaqueJSString::OpaqueJSString):
        Just call isolatedCopy on the passed in string.

        * API/tests/testapi.c:
        Add an API test for JSStringCreateWithCharactersNoCopy.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new files.

2013-05-30  David Farler  <dfarler@apple.com>

        <rdar://problem/13952116> run-javascriptcore-tests always returns 0 on Mountain Lion

		Merged ToT WebKit r150998

	2013-05-30  David Farler  <dfarler@apple.com>

		Fix jscore-test when not using --sdk option with jsDriver.pl
		https://bugs.webkit.org/show_bug.cgi?id=116339

		Reviewed by Joe Pecoraro.

		* tests/mozilla/jsDriver.pl:
		(execute_tests):
		With each test, the shell_command needs to be started from scratch.

		This fix will clear the shell_command and start over as before with
		the opt_arch option when not using --sdk with jsDriver.pl.

2013-05-30  David Farler  <dfarler@apple.com>

        <rdar://problem/13952116> run-javascriptcore-tests always returns 0 on Mountain Lion

        Merged ToT WebKit r150994

    2013-05-22  David Farler  <dfarler@apple.com>

        Add --sdk option to jsDriver.pl to run with iOS Simulator
        https://bugs.webkit.org/show_bug.cgi?id=116339

        Reviewed by David Kilzer.

        * tests/mozilla/jsDriver.pl:
        (execute_tests):
        Prefix shell command with the path to the "sim" tool.
        (parse_args):
        Add -d / --sdk option.
        (usage):
        Help message for -d / --sdk option.

2013-05-29  Roger Fong  <roger_fong@apple.com>

        Disable some feature flags.
        <rdar://problem/12952646>.

        Rubberstamped by Jon Lee.

        Disabled flags:
        ENABLE_CSS_COMPOSITING
        ENABLE_CSS_EXCLUSIONS
        ENABLE_CSS_SHADERS
        ENABLE_IFRAME_SEAMLESS
        ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED
        ENABLE_SHARED_WORKERS

        * Configurations/FeatureDefines.xcconfig:

2013-05-23  Chris Fleizach  <cfleizach@apple.com>

        <rdar://problem/13974584> WEB SPEECH: enable WebSpeech for iOS

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2013-05-22  David Farler  <dfarler@apple.com>

        Add --sdk flag to jsDriver.pl to allow running in the iOS simulator
        https://bugs.webkit.org/show_bug.cgi?id=116339

        Reviewed by Joe Pecoraro.

        * tests/mozilla/jsDriver.pl:
        (execute_tests):
        Use -find to prevent false return 0 from xcrun on Mountain Lion.

2013-05-20  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/11855076> CrashTracer: Crash ReaderController::collectReadingListItemInformation() due to passing a NULL ctx to JSValueIsObject(

        Merged ToT WebKit r150381

    2013-05-20  Oliver Hunt  <oliver@apple.com>

        Make C API more robust against null contexts
        https://bugs.webkit.org/show_bug.cgi?id=116462

        Reviewed by Anders Carlsson.

        Handle null contexts in a non-crashy way.  It's a bug to ever call the
        API with a null context, and the absence of a context means we can't
        produce a meaningful result, so we still assert in debug builds.

        Now where possible we detect and early return, returning null for any
        pointer type, NaN for doubles, and false for any boolean result.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        (JSReportExtraMemoryCost):
        * API/JSContextRef.cpp:
        (JSContextGetGlobalObject):
        (JSContextGetGroup):
        (JSContextGetGlobalContext):
        (JSContextCreateBacktrace):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetPrototype):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCopyPropertyNames):
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsUndefined):
        (JSValueIsNull):
        (JSValueIsBoolean):
        (JSValueIsNumber):
        (JSValueIsString):
        (JSValueIsObject):
        (JSValueIsObjectOfClass):
        (JSValueIsEqual):
        (JSValueIsStrictEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueMakeUndefined):
        (JSValueMakeNull):
        (JSValueMakeBoolean):
        (JSValueMakeNumber):
        (JSValueMakeString):
        (JSValueMakeFromJSONString):
        (JSValueCreateJSONString):
        (JSValueToBoolean):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        (JSValueProtect):
        * API/JSWeakObjectMapRefPrivate.cpp:

2013-05-17  David Farler  <dfarler@apple.com>

        <rdar://problem/13907880> MobileSafari buildbot: jscore-test fails for the simulator: dyld: Symbol not found: _objc_isAuto

        Reviewed by David Kilzer and Joe Pecoraro.

        * tests/mozilla/jsDriver.pl: Add -d/--sdk option to use a simulator SDK.
        (execute_tests): Prefix jsc command with xcrun sim call if SDK is set.

2013-05-15  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/13888177> REGRESSION: Crash beneath createScriptCallStackFromException @ www.cars.com
        Merged ToT WebKit 150160

    2013-05-15  Oliver Hunt  <oliver@apple.com>

        RefCountedArray needs to use vector initialisers for its backing store
        https://bugs.webkit.org/show_bug.cgi?id=116194

        Reviewed by Gavin Barraclough.

        Use an out of line function to clear the exception stack to avoid
        needing to include otherwise unnecessary headers all over the place.

        Everything else is just being updated to use that.

        * bytecompiler/BytecodeGenerator.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::clearSupplementaryExceptionInfo):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::throwException):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):
        * runtime/VM.cpp:
        (JSC):
        (JSC::VM::clearExceptionStack):
        * runtime/VM.h:
        (VM):
        (JSC::VM::exceptionStack):

2013-05-14  Mark Lam  <mark.lam@apple.com>

        Rename globalData to vm to match the renaming in the rest of the code.
        This unbreaks the debug build for arm64.

        Reviewed by Mark Hahnenberg.

        * jit/JITStubs.cpp:
        (JSC::performPlatformSpecificJITAssertions):

2013-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/13889005> Objective-C API: Bridging between C API and Obj-C API should be part of the public interface

        Merged ToT WebKit r149401

    2013-04-30  Geoffrey Garen  <ggaren@apple.com>
    
        Objective-C JavaScriptCore API should publicly support bridging to C
        https://bugs.webkit.org/show_bug.cgi?id=115447
    
        Reviewed by Mark Hahnenberg.
    
        For consistency, I renamed
    
            +[JSValue valueWithValue:] => +[JSValue valueWithJSValueRef]
            +[JSContext contextWithGlobalContextRef] => +[JSContext contextWithJSGlobalContextRef]
            -[JSContext globalContext] => -[JSContext JSGlobalContextRef]
    
        I searched svn to verify that these functions don't have clients yet,
        so we won't break anything.
    
        I also exported as public API
    
            +[JSValue valueWithJSValueRef:]
            +[JSContext contextWithJSGlobalContextRef:]
    
        It's hard to integrate with the C API without these.

2013-05-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/13877067> REGRESSION: Deadlock in AdSheet during JavaScript GC

        Merged ToT WebKit r150050.
    
    2013-05-13  Mark Hahnenberg  <mhahnenberg@apple.com>
    
        Objective-C API: scanExternalObjectGraph should not create new JSVirtualMachine wrappers
        https://bugs.webkit.org/show_bug.cgi?id=116074

        If scanExternalObjectGraph creates a new JSVirtualMachine wrapper during collection, when the 
        scanExternalObjectGraph call finishes and the autorelease pool is drained we will dealloc the 
        JSVirtualMachine which will cause us to try to take the API lock for the corresponding VM. 
        If this happens on a GC thread other than the "main" thread, we will deadlock. The solution 
        is to just check the VM cache, and if there is no JSVirtualMachine wrapper, return early.

        Reviewed by Darin Adler.

        * API/JSVirtualMachine.mm:
        (scanExternalObjectGraph):

2013-05-09  Michael Saboff  <msaboff@apple.com>

        Merged ToT WebKit r149821.

    2013-05-08  Michael Saboff  <msaboff@apple.com>

        JSC: There should be a disassembler for ARM Thumb 2
        https://bugs.webkit.org/show_bug.cgi?id=115827

        Reviewed by Filip Pizlo.

        Added a new disassembler for ARMv7 Thumb2 instructions for use by the JSC debugging
        and profiling code.  The opcode coverage is currently not complete.  It covers all
        of the integer instructions JSC currently emits, but only a limited number of
        floating point opcodes.  Currently that is just the 64 bit vmov and vmsr instructions.

        The disassembler is structured as a base opcode class ARMv7DOpcode with sub-classes
        for each instruction group.  There is a public format method that does the bulk of
        the disassembly work.  There are two broad sub-classes, ARMv7D16BitOpcode and
        ARMv7D32BitOpcode, for the 16 bit and 32 bit opcodes.  There are sub-classes under
        those two classes for individual and related groups of opcodes.  Instructions are
        "dispatched" to the right subclass via two arrays of linked lists in the inner classes
        OpcodeGroup.  There is one such inner class for each ARMv7D16BitOpcode and ARMv7D32BitOpcode.
        Each OpcodeGroup has a mask and a pattern that it applies to the instruction to determine
        that it matches a particular group.  OpcodeGroup uses a static method to reinterpret_cast
        the Opcode object to the right base class for the instruction group for formatting.
        The cast eliminates the need of allocating an object for each decoded instruction.
        Unknown instructions are formatted as ".word 1234" or ".long 12345678" depending whether
        the instruction is 16 or 32 bit.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * disassembler/ARMv7: Added.
        * disassembler/ARMv7/ARMv7DOpcode.cpp: Added.
        (ARMv7Disassembler):
        (OpcodeGroupInitializer):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::init):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::startITBlock):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::saveITConditionAt):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::fetchOpcode):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::disassemble):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::bufferPrintf):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendInstructionName):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterName):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendFPRegisterName):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::init):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::doDisassemble):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::defaultFormat):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchT2::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscBreakpointT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::format):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::init):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::doDisassemble):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::defaultFormat):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::appendModifiedImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::appendImmShift):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::appendFPRegister):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegShift::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegParallel::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegMisc::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadRegister::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadUnsignedImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate12::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleRegister::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::format):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::format):
        * disassembler/ARMv7/ARMv7DOpcode.h: Added.
        (ARMv7Disassembler):
        (ARMv7DOpcode):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::ARMv7DOpcode):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::is32BitInstruction):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::isFPInstruction):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::conditionName):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::shiftName):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::inITBlock):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::startingITBlock):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::endITBlock):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendInstructionNameNoITBlock):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendSeparator):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendCharacter):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendString):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendShiftType):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendSignedImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendUnsignedImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendPCRelativeOffset):
        (JSC::ARMv7Disassembler::ARMv7DOpcode::appendShiftAmount):
        (ARMv7D16BitOpcode):
        (OpcodeGroup):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::OpcodeGroup):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::setNext):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::next):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::matches):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::format):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::rm):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::rd):
        (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::opcodeGroupNumber):
        (ARMv7DOpcodeAddRegisterT2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::rdn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::rm):
        (ARMv7DOpcodeAddSPPlusImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::rd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::immediate8):
        (ARMv7DOpcodeAddSubtract):
        (ARMv7DOpcodeAddSubtractT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::rm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::rn):
        (ARMv7DOpcodeAddSubtractImmediate3):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::immediate3):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::rn):
        (ARMv7DOpcodeAddSubtractImmediate8):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::rdn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::immediate8):
        (ARMv7DOpcodeBranchConditionalT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::offset):
        (ARMv7DOpcodeBranchExchangeT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::rm):
        (ARMv7DOpcodeBranchT2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchT2::immediate11):
        (ARMv7DOpcodeCompareImmediateT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::immediate8):
        (ARMv7DOpcodeCompareRegisterT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT1::rn):
        (ARMv7DOpcodeCompareRegisterT2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::rm):
        (ARMv7DOpcodeDataProcessingRegisterT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::rm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::rdn):
        (ARMv7DOpcodeGeneratePCRelativeAddress):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::rd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::immediate8):
        (ARMv7DOpcodeLoadFromLiteralPool):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::immediate8):
        (ARMv7DOpcodeLoadStoreRegisterImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::immediate5):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale):
        (ARMv7DOpcodeLoadStoreRegisterImmediateWordAndByte):
        (ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord):
        (ARMv7DOpcodeLoadStoreRegisterOffsetT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::opB):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rm):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rn):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rt):
        (ARMv7DOpcodeLoadStoreRegisterSPRelative):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::immediate8):
        (ARMv7DOpcodeLogicalImmediateT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::immediate5):
        (ARMv7DOpcodeMiscAddSubSP):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::immediate7):
        (ARMv7DOpcodeMiscByteHalfwordOps):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::op):
        (ARMv7DOpcodeMiscBreakpointT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscBreakpointT1::immediate8):
        (ARMv7DOpcodeMiscCompareAndBranch):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::immediate6):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::rn):
        (ARMv7DOpcodeMiscHint16):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::opA):
        (ARMv7DOpcodeMiscIfThenT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::firstCondition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::mask):
        (ARMv7DOpcodeMiscPushPop):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
        (ARMv7DOpcodeMoveImmediateT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::rd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::immediate8):
        (ARMv7DOpcodeMoveRegisterT1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::rd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::rm):
        (ARMv7D32BitOpcode):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::OpcodeGroup):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::setNext):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::next):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::matches):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::format):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rd):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rm):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rn):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rt):
        (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::opcodeGroupNumber):
        (ARMv7DOpcodeBranchRelative):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::sBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::j1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::j2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::immediate11):
        (ARMv7DOpcodeConditionalBranchT3):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::offset):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::condition):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::immediate6):
        (ARMv7DOpcodeBranchOrBranchLink):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::offset):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::immediate10):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::isBL):
        (ARMv7DOpcodeDataProcessingLogicalAndRithmetic):
        (ARMv7DOpcodeDataProcessingModifiedImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::sBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::immediate12):
        (ARMv7DOpcodeDataProcessingShiftedReg):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::sBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::immediate5):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::type):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::tbBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::tBit):
        (ARMv7DOpcodeDataProcessingReg):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingReg::op1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingReg::op2):
        (ARMv7DOpcodeDataProcessingRegShift):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegShift::opName):
        (ARMv7DOpcodeDataProcessingRegExtend):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::opExtendName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::opExtendAndAddName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::rotate):
        (ARMv7DOpcodeDataProcessingRegParallel):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegParallel::opName):
        (ARMv7DOpcodeDataProcessingRegMisc):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegMisc::opName):
        (ARMv7DOpcodeHint32):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::isDebugHint):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::debugOption):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::op):
        (ARMv7DOpcodeFPTransfer):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opH):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opL):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opC):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opB):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::vd):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::vn):
        (ARMv7DOpcodeDataLoad):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataLoad::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataLoad::op):
        (ARMv7DOpcodeLoadRegister):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadRegister::immediate2):
        (ARMv7DOpcodeLoadSignedImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::pBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::uBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::wBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::immediate8):
        (ARMv7DOpcodeLoadUnsignedImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadUnsignedImmediate::immediate12):
        (ARMv7DOpcodeLongMultipleDivide):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlalOpName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlaldOpName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlsldOpName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::rdLo):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::rdHi):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::op1):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::op2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::nBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::mBit):
        (ARMv7DOpcodeDataPushPopSingle):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::op):
        (ARMv7DOpcodeDataStoreSingle):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataStoreSingle::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeDataStoreSingle::op):
        (ARMv7DOpcodeStoreSingleImmediate12):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate12::immediate12):
        (ARMv7DOpcodeStoreSingleImmediate8):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::pBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::uBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::wBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::immediate8):
        (ARMv7DOpcodeStoreSingleRegister):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleRegister::immediate2):
        (ARMv7DOpcodeUnmodifiedImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::opName):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::shBit):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::bitNumOrSatImmediate):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate5):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate12):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate16):
        (ARMv7DOpcodeVMOVDoublePrecision):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::vm):
        (ARMv7DOpcodeVMOVSinglePrecision):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::op):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt2):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::vm):
        (ARMv7DOpcodeVMSR):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::opL):
        (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::rt):
        * disassembler/ARMv7Disassembler.cpp: Added.
        (JSC::tryToDisassemble):

2013-04-29  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/13443266> Make sure that CSS shaders are not enabled when we ship Innsbruck

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig: Turn off
        ENABLE_CSS_SHADERS on iOS.

2013-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Use frintp instead of calling ceil() on ARMv8

        Reviewed by Filip Pizlo.

        Like floor(), it is about two times faster than calling the C function.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::ceilDouble):
        (MacroAssemblerARM64):
        * jit/ThunkGenerators.cpp:
        (JSC::ceilThunkGenerator):

2013-04-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Support OS-version-specific install paths for JavaScriptCore.framework
        <rdar://problem/13696872> 

        Reviewed by David Kilzer.

        * API/JSBase.cpp: Added special symbols that tell the linker where to find JSC on older systems.

2013-04-25  Benjamin Poulain  <bpoulain@apple.com>

        Use frintm instead of calling floor() on ARMv8

        Reviewed by Filip Pizlo.

        We can do floor() in one instruction on ARMv8. Add floorDouble() to the
        MacroAssembler and use that instead of invoking the C function floor().

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::floorDouble):
        (MacroAssemblerARM64):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):

2013-04-25  Benjamin Poulain  <bpoulain@apple.com>

        Special thunks for math functions should work on ARMv8

        Reviewed by Filip Pizlo.

        * jit/ThunkGenerators.cpp:
        Add a ARMv8 thunks for math functions similar to Filip's optimization
        on ARMv7.

2013-04-25  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13716112> PEP Web: N41/11A344: MobileSafari crashed at JSC::speculationFromValue when running Alexa test.

        Merged ToT WebKit r149128.

    2013-04-25  Michael Saboff  <msaboff@apple.com>
   
        32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean
        https://bugs.webkit.org/show_bug.cgi?id=115188

        Reviewed by Geoff Garen.

        Changed the RegExpTest node to set the AbstractValue to boolean, since that
        what it is.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):

2013-04-24  Filip Pizlo  <fpizlo@apple.com>

        Merge r149082. Nice speedup on Kraken with ARMv7.

    2013-04-24  Filip Pizlo  <fpizlo@apple.com>

        Special thunks for math functions should work on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=115144

        Reviewed by Gavin Barraclough and Oliver Hunt.
        
        The only hard bit here was ensuring that we implemented the very special
        "cheap C call" convention on ARMv7.

        * assembler/AbstractMacroAssembler.h:
        (JSC::isARMv7s):
        (JSC):
        (JSC::isX86):
        * dfg/DFGCommon.h:
        * jit/SpecializedThunkJIT.h:
        (SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):

2013-04-08  David Farler  <dfarler@apple.com>

        <rdar://problem/13598231> jsc codesign is failing on engineering
        builds and on some buildbots

        Reviewed by NOBODY (OOPS!).

        For the simulator, the tail end of the invocation is ending up
        as "... --entitlements jsc", because there are no entitlements
        for the simulator.

        For the device, we have to use --force to protect incremental
        builds. If jsc isn't rebuilt and copied, it'll already be signed
        and codesign will return non-zero even though nothing is wrong.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Add a check for $CODE_SIGNING_ALLOWED &&
        &AD_HOC_CODE_SIGNING_ALLOWED around the resigning block.
        - Add --force to the codesign invocation to protect second-round
        builds of jsc.
        - Use one invocation of codesign with ${CODE_SIGN_IDENTITY:=-}
        instead of an if statement.

2013-04-07  David Farler  <dfarler@apple.com>

        <rdar://problem/10387627> MAP_JIT Entitlements set inconsistently for jsc command-line binaries

        Reviewed by NOBODY (OOPS!).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        If the configuration is Production or the action is "install",
        the install path for jsc will be set to the framework path and
        will be codesigned.

        For other configurations and actions, the jsc binary is placed
        in the build products directory and is also signed.

        However, when copying that binary into the framework, the code
        signature is lost. We can resign the binary with the same
        entitlements and identity (parameterized for safety here, but
        ad-hoc in practice).

2013-03-19  Joseph Pecoraro  <pecoraro@apple.com>

        <rdar://problem/8939634> Sub-TLF: Add JS APIs to trigger AirPlay from web pages, for HTML5 <video>

        Add ENABLE(IOS_AIRPLAY) guard for iOS airplay feature enhancements.

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2013-03-30  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/13541888> Innsbruck11A321: checkForBugs: realpath() failed on /BuildRoot/…/PrivateFrameworks/JavaScriptCore.framework/JavaScriptCore

        Reviewed by Mark Hahnenberg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (Add symlink from public to private framework): Create relative
        symlink instead of absolute symlink.

2013-03-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/13351449> Objective-C API: Move JSC framework to public frameworks directory on Innsbruck

        Reviewed by NOBODY (OOPS!).

        Change JavaScriptCore to be installed into the public Frameworks directory. Also add a symlink between the 
        new and old location in case other projects link against JSC's absolute path.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-03-22  Andy Estes  <aestes@apple.com>

        <rdar://problem/13469374> Enable cache partitioning on iOS WebKit

        Re-enable the feature after I rolled it out in r1197821.

        * Configurations/FeatureDefines.xcconfig:

2013-03-22  Andy Estes  <aestes@apple.com>

        <rdar://problem/13469374> Enable cache partitioning on iOS WebKit

        Patch by Jeffrey Pfau.
        Rubber-stamped by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2013-03-20  Yongjun Zhang  <yongjun_zhang@apple.com>

        <rdar://problem/13406788> Crash in JSC::CodeBlock::handlerForBytecodeOffset loading nba.com with merge #7

        Merged ToT WebKit r146255.

    2013-03-19  Oliver Hunt  <oliver@apple.com>

            RELEASE_ASSERT fires in exception handler lookup

            RS=Geoff Garen.

            Temporarily switch this RELEASE_ASSERT into a regular ASSERT 
            as currently this is producing fairly bad crashiness.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::handlerForBytecodeOffset):

2013-03-16  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/13425917> ImageBufferData::getData taking 14x (36ms -> 535ms) more time on apple.com webpage

        Reviewed by Joseph Pecoraro.

        Turn off ENABLE_HIGH_DPI_CANVAS on iOS. It got enabled by mistake in merge #4 <rdar://problem/12511066>.

        * Configurations/FeatureDefines.xcconfig:

2013-03-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge of ToT WebKit r145842 for <rdar://problem/13422001>.

    2013-03-14  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Objective-C API: Nested dictionaries are not converted properly in the Objective-C binding
            https://bugs.webkit.org/show_bug.cgi?id=112377
    
            Reviewed by Oliver Hunt.
    
            Accidental reassignment of the root task in the container conversion logic was causing the last 
            array or dictionary processed to be returned in the case of nested containers.
    
            * API/JSValue.mm:
            (containerValueToObject):
            * API/tests/testapi.mm:

2013-03-11  Michael Saboff  <msaboff@apple.com>

        Merge of ToT WebKit r145417.

    2013-03-11  Michael Saboff  <msaboff@apple.com>

            Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
            https://bugs.webkit.org/show_bug.cgi?id=112067

            Reviewed by Geoffrey Garen.

            We weren't setting the tag in SetCallee.  Therefore set it to CellTag.

            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):

2013-03-07  Michael Saboff  <msaboff@apple.com>

        Merge ToT WebKit r145150.

    2013-03-07  Michael Saboff  <msaboff@apple.com>

            Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article
            https://bugs.webkit.org/show_bug.cgi?id=111777

            Reviewed by Filip Pizlo.

            Moved register allocations to be above any generated control flow so that any
            resulting spill would be visible to all subsequently generated code.

            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
            (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
            (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
            (JSC::DFG::SpeculativeJIT::compile):

2013-03-06  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13319989> GPRInfo.debugName for CPU(ARM) is wrong (and might be wrong for CPU(ARM64) as well)

        Reviewed by David Kilzer.

	Restored THUMB2 to what is in open source and cleaned up ARM64 for both toIndex() and debugName().  Added
	static_cast's to ARM64 code. 

        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):

2013-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge ToT WebKit r143637 and follow-up build fixes r143750, r144545, r144546, and r144662.

    2013-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Objective-C API: Need a way to use the Objective-C JavaScript API with WebKit
            https://bugs.webkit.org/show_bug.cgi?id=106059
    
            Reviewed by Geoffrey Garen.
            
            * API/JSBase.h: Renamed enable flag for API.
            * API/JSBlockAdaptor.h: Using new flag.
            * API/JSBlockAdaptor.mm: Ditto.
            * API/JSContext.h: Add convenience C API conversion function for JSGlobalContextRef.
            * API/JSContext.mm: 
            (-[JSContext JSGlobalContextRef]): Implementation of C API convenience function.
            (-[JSContext initWithVirtualMachine:]): We don't use the m_apiData field any more.
            (-[JSContext initWithGlobalContextRef:]): init method for allocating new JSContexts given a JSGlobalContextRef.
            (-[JSContext dealloc]): No more m_apiData.
            (-[JSContext wrapperForObjCObject:]): Renamed wrapperForObject. 
            (-[JSContext wrapperForJSObject:]): Fetches or allocates the JSValue for the specified JSValueRef in this JSContext.
            (+[JSContext contextWithGlobalContextRef:]): Helper function to grab the lightweight JSContext wrapper for a given
            JSGlobalContextRef from the global wrapper cache or allocate a new one if there isn't already one.
            * API/JSContextInternal.h: New flag, new method declaration for initWithGlobalContextRef.
            * API/JSExport.h: New flag.
            * API/JSValue.h: New flag and new C API convenience method.
            * API/JSValue.mm:
            (-[JSValue JSValueRef]): Implementation of the C API convenience method.
            (objectToValueWithoutCopy):
            (+[JSValue valueWithValue:inContext:]): We now ask the JSContext for an Objective-C JSValue wrapper, which it can cache
            in its internal JSWrapperMap.
            * API/JSValueInternal.h:
            * API/JSVirtualMachine.h:
            * API/JSVirtualMachine.mm: Added global cache that maps JSContextGroupRef -> JSVirtualMachine lightweight wrappers.
            (wrapperCacheLock):
            (initWrapperCache):
            (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]):
            (+[JSVMWrapperCache wrapperForJSContextGroupRef:]):
            (-[JSVirtualMachine init]):
            (-[JSVirtualMachine initWithContextGroupRef:]):
            (-[JSVirtualMachine dealloc]):
            (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
            (-[JSVirtualMachine contextForGlobalContextRef:]):
            (-[JSVirtualMachine addContext:forGlobalContextRef:]):
            * API/JSVirtualMachineInternal.h:
            * API/JSWrapperMap.h:
            * API/JSWrapperMap.mm:
            (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We use the JSObjectSetPrototype C API call because 
            setting the __proto__ property causes all sorts of bad things to happen behind the scenes, which can cause crashes based on 
            when it gets called.
            (-[JSWrapperMap initWithContext:]):
            (-[JSWrapperMap jsWrapperForObject:]):
            (-[JSWrapperMap objcWrapperForJSValueRef:]):

2013-03-01  Dan Bernstein  <mitz@apple.com>

        Removed unused legacy build configurations

        Reviewed by Enrica Casucci.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-03-01  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX: testapi should link to Foundation, not CoreFoundation

        Merge ToT WebKit r144521.

    2013-03-01  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX: testapi should link to Foundation, not CoreFoundation

        * JavaScriptCore.xcodeproj/project.pbxproj: Change testapi to
        link to Foundation.framework instead of CoreFoundation.framework
        since it uses NS types.

2013-03-01  Michael Saboff  <msaboff@apple.com>

        Merged ToT WebKit r143667

    2013-02-21  Filip Pizlo  <fpizlo@apple.com>

        Object allocation profiling will refuse to create objects with more than JSFinalObject::maxInlineCapacity() inline slots, but JSFunction::allocationProfile() asserts that the number of inline slots is always what it asked for
        https://bugs.webkit.org/show_bug.cgi?id=110519
        <rdar://problem/13218566>

        Reviewed by Geoffrey Garen.

        * runtime/JSFunction.h:
        (JSC::JSFunction::allocationProfile):

2013-03-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix the JavaScriptCoreEmbedded build

        Reviewed by David Kilzer.

        * API/ObjCCallbackFunction.mm: Include JSCJSValueInlines.h, which has some symbols that weren't making it
        into the file.

2013-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/13227154> Objective-C API should work on Innsbruck

        Reviewed by David Kilzer.

        * API/JSBase.h: Added the inlined version of PLATFORM(IOS) and PLATFORM(IOS_SIMULATOR) to the 
        JS_OBJC_API_ENABLED macro.
        * API/JSContext.h: Made the JSContext class available on 7.0.
        * API/JSValue.h: Ditto for JSValue. Also added import for CoreGraphics since some of the JSValue
        API uses CoreGraphics types.
        * API/JSValue.mm: Added some casting to fix some compiler warnings about double narrowing to float.
        (-[JSValue toPoint]):
        (-[JSValue toSize]):
        * API/JSVirtualMachine.h: Made JSVirtualMachine available on 7.0.
        * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.

2013-02-27  Pratik Solanki  <psolanki@apple.com>

        Merged ToT WebKit r143759, r143765, r143768.

    2013-02-22  Geoffrey Garen  <ggaren@apple.com>

        Not reviewed.

        Fix the 32-bit build by using the right data type in more places.

        * runtime/CodeCache.h:
        (CodeCacheMap):

    2013-02-22  Geoffrey Garen  <ggaren@apple.com>

        Not reviewed.

        Fix the 32-bit build by using the right data type.

        * runtime/CodeCache.h:
        (JSC::CodeCacheMap::find):

    2013-02-21  Geoffrey Garen  <ggaren@apple.com>

        Code cache size should adapt to workload
        https://bugs.webkit.org/show_bug.cgi?id=110560

        Reviewed by Antti Koivisto.

        (*) 5% PLT arithmetic mean speedup
        (*) 10% PLT geometric mean speedup
        (*) 3.4X microbenchmark speedup
        (*) Reduces initial cache capacity by 16X

        * runtime/CodeCache.cpp:
        (JSC::CodeCache::CodeCache): Updated for interface change.

        * runtime/CodeCache.h:
        (JSC::SourceCodeValue::SourceCodeValue):
        (SourceCodeValue): Turned the cache value into a struct so it can track its age.

        (CodeCacheMap):
        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::find):
        (JSC::CodeCacheMap::set):
        (JSC::CodeCacheMap::clear):
        (JSC::CodeCacheMap::pruneIfNeeded):
        (CodeCache): Grow and shrink in response to usage.

2013-02-27  Eric Carlson  <eric.carlson@apple.com>

        <rdar://problem/13305536> Define ENABLE_VIDEO_TRACK again

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Define ENABLE_VIDEO_TRACK again.

2013-02-21  Andy Estes  <aestes@apple.com>

        Fix the ARMV7S build.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):

2013-02-21  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13102630> 25-30% regression in V8 RayTrace test with JIT disabled, 11A192 to 11A193

        Merge ToT WebKit r143677

    2013-02-21  Michael Saboff  <msaboff@apple.com>

        25-30% regression in V8 RayTrace test in 32 bit builds with JIT disabled
        https://bugs.webkit.org/show_bug.cgi?id=110539

        Reviewed by Filip Pizlo.

        Change the scale used to lookup pointers in JSGlobalObject::m_specialPointers to be 4 bytes for
        the 32 bit version of the interpreter.

        * llint/LowLevelInterpreter32_64.asm:

2013-02-14  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/13208373> Set GCC_WARN_64_TO_32_BIT_CONVERSION=NO for 64-bit archs on all WebKit projects (except ANGLE)

        Merge ToT WebKit r142903.

    2013-02-14  David Kilzer  <ddkilzer@apple.com>

        [Mac] Clean up WARNING_CFLAGS
        <http://webkit.org/b/109747>
        <rdar://problem/13208373>

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Use
        GCC_WARN_64_TO_32_BIT_CONVERSION to enable and disable
        -Wshorten-64-to-32 rather than WARNING_CFLAGS.

2013-02-12  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13195432> ARM64: Expand use of temp register cache for store{32,64} immediate

        Reviewed by Filip Pizlo.

        Added store32 and store64 of immediate operand to paths that try the temporary register cache.
        Also added code in tryMoveUsingCacheRegisterContents() to try using mov immediate pseudo before
        trying move multiple.

        This change is neutral on the normal benchmarks.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store64):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::tryMoveUsingCacheRegisterContents):
        (JSC::MacroAssemblerARM64::moveToCachedReg):

2013-02-12  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13195431> ARM64: Use tst <reg>, #imm where possible

        Reviewed by Gavin Barraclough.

        Try to see is a tst immediate will work before loading a temporary register and testing against it.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchTest32):
        (JSC::MacroAssemblerARM64::branchTest64):
        * disassembler/ARM64/A64DOpcode.cpp:
        (JSC::ARM64Disassembler::A64DOpcodeLogicalImmediate::format): Fixed spelling of "tst" pseudo.

2013-02-12  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13195430> ARM64: Use mov <reg>, #imm where possible instead of move wide

        Reviewed by Gavin Barraclough.

        Add check to see if we can use mov immediate pseudo in moveInternal.  If possible, it will
        only produce one instruction.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveInternal):
        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcodeLogicalImmediate::nBit): Fixed disassembler bug for logical immediates.

2013-02-08  Joseph Pecoraro  <pecoraro@apple.com>

        <rdar://problem/9489229> Implement Page Visibility API (60576) (html5test.com)

        Reviewed by Ian Henderson.

        * Configurations/FeatureDefines.xcconfig:

2013-02-06  Joseph Pecoraro  <pecoraro@apple.com>

        <rdar://problem/13028628> Disable FULLSCREEN_API on iOS

        Merge OpenSource r141477.

    2013-01-31  Joseph Pecoraro  <pecoraro@apple.com>

            Disable ENABLE_FULLSCREEN_API on iOS
            https://bugs.webkit.org/show_bug.cgi?id=108250

            Reviewed by Benjamin Poulain.

            * Configurations/FeatureDefines.xcconfig:

2013-02-08  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/13147108> PEP Web: REGRESSION: MobileSafari crashed in JSC::Interpreter::execute at loading www.thechive.com when running Alexa test.

        Merge ToT WebKit r141168.

    2013-01-29  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r140594): RELEASE_ASSERT_NOT_REACHED in JSC::Interpreter::execute
        https://bugs.webkit.org/show_bug.cgi?id=108097

        Reviewed by Geoffrey Garen.

        LiteralParser was accepting a bogus 'var a.b = c' statement

        * runtime/LiteralParser.cpp:
        (JSC::::tryJSONPParse):

2013-02-07  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12540077> ARM64 inline cache patching should be able to deal with negative offsets

        Reviewed by Filip Pizlo.

        Changed {load,store}{32,64}WithAddressOffsetPatch() to use a signed extended 32 bit index register 
        instead of the full 64 bit register.  Made repatchInt32() tolerate existing movn instructions in Debug
        builds.  Reverted back to the default MacroAssembler version of isPtrAlignedAddressOffset().

        This patch is neutral on sunspider, v8v7, js-regress and kraken.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::repatchInt32):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::isPtrAlignedAddressOffset):
        * assembler/MacroAssemblerARM64.h:
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):

2013-02-05  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13144376> PEP Web: REGRESSION: MobileSafari crashed at JSC::call when loading www.gap.com.

        Merged r141951: <http://trac.webkit.org/changeset/141951> from open source.

    2013-02-05  Michael Saboff  <msaboff@apple.com>

            Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled
            https://bugs.webkit.org/show_bug.cgi?id=108991

            Reviewed by Oliver Hunt.

            Changed the restoration from calleeGPR to nonArgGPR0 because the restoration of the return location
            may step on calleeGPR is it happen to be nonArgGPR2.

            * dfg/DFGRepatch.cpp:
            (JSC::DFG::dfgLinkClosureCall):

2013-02-04  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/12204959> Innsbruck11A161: JavaScriptCore_Sim-1104 fails to installhdrs: 'Availability.h' file not found

        Reviewed by Joseph Pecoraro.

        Revert r1147142 (using scrub-ifdefs.pl to remove PLATFORM(IOS)
        macros from private header files) and instead use a solution
        that defines the "WTF_PLATFORM_IOS" macro in JSBase.h in the
        absence of the <wtf/Platform.h> header, and switches to using a
        check for WTF_PLATFORM_IOS in JSBasePrivate.h.

        This also merges ToT WebKit r141786.

        * API/JSBase.h: If WTF_PLATFORM_IOS has not been defined,
        include TargetConditionals.h and define WTF_PLATFORM_IOS if
        we're building for iOS or iOS Simulator.
        * API/JSBasePrivate.h: Switch from PLATFORM(IOS) to checking
        WTF_PLATFORM_IOS.
        * API/tests/testapi.c: Remove include of config.h header which
        worked around the use of the PLATFORM(IOS) macro in
        JSBasePrivate.h.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Remove "Scrub Installed Headers" build phase.  (Accidentally
          removed in r1177684 with Merge #4.)
        - Add PrivateHeaders/JSBasePrivate.h to "Check for Inappropriate
          Macros in External Headers" build phase script (merge ToT
          WebKit r141786).
        * scrub-ifdefs.pl: Remove.

2013-02-04  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13091387> Port ARM64 integer division DFG enhancements back to ARMv7s

        Although developed first on iOS, I landed this in OpenSource so this change is effectively
        a merge back to iOS.  Since puzzlebox is ~1 week behind OpenSource, this version doesn't
        have the Node& to Node* changes.

    2013-02-04  Michael Saboff  <msaboff@apple.com>

            For ARMv7s use integer divide instruction for divide and modulo when possible
            https://bugs.webkit.org/show_bug.cgi?id=108840

            Reviewed in person by Filip Pizlo.

            Added ARMv7s integer divide path for ArithDiv and ArithMod where operands and results are integer.
            This is patterned after the similar code for X86.  Also added modulo power of 2 optimization
            that uses logical and.  Added sdiv and udiv to the ARMv7 disassembler.  Put all the changes
            behind #if CPU(APPLE_ARMV7S).

            * assembler/ARMv7Assembler.h:
            (ARMv7Assembler):
            (JSC::ARMv7Assembler::sdiv):
            (JSC::ARMv7Assembler::udiv):
            * dfg/DFGCommon.h:
            (JSC::DFG::isARMv7s):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileSoftModulo):
            (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
            * dfg/DFGSpeculativeJIT.h:
            (SpeculativeJIT):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):

2013-02-01  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13137591> ARM64: Cache the contents of macro assembler temp register values to use prior contents

        Reviewed by Filip Pizlo.

        Added CachedTempRegister class to the abstract macro assembler to store the contents and state
        of a temp register.  Refactored the access and use of temporary registers in A64 macro assembler.
        When we want to put an immediate value in a register with wide move instructions, or we want to
        load/store using the address in a temporary register, we consult the cache to see if we have a
        valid value that we can use all or part.  In the case of a load / store, we first try an offset
        to the existing value and then emit one or two movk to change the half word(s) to get the address
        we need.  For simple uses where we put a temporary value for immediate use, e.g. add immediate,
        there isn't any change in functionality.  The contents of the cache is invalidated for any label.

        Also fixed the canEncodePImmOffset() which had reverse logic to enable use of ldr/str with
        scaled positive offsets.

        This changes is performance neutral on sunspider, a 2.7% speed up on JS-regress and a
        1.9% speed up on V8.  V8 sped up due to a 8% speed up in raytrace.  Code improvement
        details are in the radar.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::canEncodePImmOffset):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Label::Label):
        (JSC::AbstractMacroAssembler::Jump::link):
        (CachedTempRegister):
        (JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
        (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
        (JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
        (JSC::AbstractMacroAssembler::CachedTempRegister::value):
        (JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
        (JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
        (AbstractMacroAssembler):
        (JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
        (JSC::AbstractMacroAssembler::isTempRegisterValid):
        (JSC::AbstractMacroAssembler::clearTempRegisterValid):
        (JSC::AbstractMacroAssembler::setTempRegisterValid):
        * assembler/MacroAssemblerARM64.h:
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::add32):
        (JSC::MacroAssemblerARM64::add64):
        (JSC::MacroAssemblerARM64::and32):
        (JSC::MacroAssemblerARM64::and64):
        (JSC::MacroAssemblerARM64::mul32):
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::or64):
        (JSC::MacroAssemblerARM64::sub32):
        (JSC::MacroAssemblerARM64::sub64):
        (JSC::MacroAssemblerARM64::xor32):
        (JSC::MacroAssemblerARM64::xor64):
        (JSC::MacroAssemblerARM64::load64):
        (JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32):
        (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load16):
        (JSC::MacroAssemblerARM64::load16Signed):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::load8Signed):
        (JSC::MacroAssemblerARM64::store64):
        (JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store16):
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM64::convertInt32ToDouble):
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::loadFloat):
        (JSC::MacroAssemblerARM64::storeDouble):
        (JSC::MacroAssemblerARM64::storeFloat):
        (JSC::MacroAssemblerARM64::pushToSave):
        (JSC::MacroAssemblerARM64::swap):
        (JSC::MacroAssemblerARM64::branch32):
        (JSC::MacroAssemblerARM64::branch64):
        (JSC::MacroAssemblerARM64::branch8):
        (JSC::MacroAssemblerARM64::branchTest32):
        (JSC::MacroAssemblerARM64::branchTest64):
        (JSC::MacroAssemblerARM64::branchTest8):
        (JSC::MacroAssemblerARM64::branchAdd32):
        (JSC::MacroAssemblerARM64::branchAdd64):
        (JSC::MacroAssemblerARM64::branchMul32):
        (JSC::MacroAssemblerARM64::branchSub32):
        (JSC::MacroAssemblerARM64::branchSub64):
        (JSC::MacroAssemblerARM64::call):
        (JSC::MacroAssemblerARM64::jump):
        (JSC::MacroAssemblerARM64::tailRecursiveCall):
        (JSC::MacroAssemblerARM64::compare32):
        (JSC::MacroAssemblerARM64::compare64):
        (JSC::MacroAssemblerARM64::compare8):
        (JSC::MacroAssemblerARM64::test32):
        (JSC::MacroAssemblerARM64::test8):
        (JSC::MacroAssemblerARM64::test64):
        (JSC::MacroAssemblerARM64::branchPtrWithPatch):
        (JSC::MacroAssemblerARM64::storePtrWithPatch):
        (JSC::MacroAssemblerARM64::getCachedDataTempRegisterIDAndInvalidate):
        (JSC::MacroAssemblerARM64::getCachedMemoryTempRegisterIDAndInvalidate):
        (JSC::MacroAssemblerARM64::isInIntRange):
        (JSC::MacroAssemblerARM64::load):
        (JSC::MacroAssemblerARM64::store):
        (JSC::MacroAssemblerARM64::tryMoveUsingCacheRegisterContents):
        (JSC::MacroAssemblerARM64::moveToCachedReg):

2013-02-02  David Kilzer  <ddkilzer@apple.com>

        Upstream iOS FeatureDefines

        Merge ToT WebKit r141699.

        * Configurations/FeatureDefines.xcconfig:
        - Move iOS features near the top of the file.
        - Define FEATURE_DEFINES_iphoneos and
          FEATURE_DEFINES_iphonesimulator.
        - Do not set ENABLE_PDFKIT_PLUGIN on iOS.

    2013-02-02  David Kilzer  <ddkilzer@apple.com>

        Upstream iOS FeatureDefines
        <http://webkit.org/b/108753>

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:
        - ENABLE_DEVICE_ORIENTATION: Add iOS configurations.
        - ENABLE_PLUGIN_PROXY_FOR_VIDEO: Ditto.
        - FEATURE_DEFINES: Add ENABLE_PLUGIN_PROXY_FOR_VIDEO.  Add
          PLATFORM_NAME variant to reduce future merge conflicts. 

2013-01-30  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/12927168> iOS WebKit merge #5: stabilizing merge branch to ToT r140978 (starts Wed, Jan 17)

        Merge up to OpenSource WebKit r140978.

2013-01-29  Pratik Solanki  <psolanki@apple.com>

        Merge ToT WebKit r141189.

    2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        offlineasm BaseIndex handling is broken on ARM due to MIPS changes
        https://bugs.webkit.org/show_bug.cgi?id=108261

        Reviewed by Oliver Hunt.
        
        Backends shouldn't override each other's methods. That's not cool.

        * offlineasm/mips.rb:

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to run "hello world" on JSC command-line on ARM64

        Reviewed by Geoffrey Garen.

        arm64.rb was using the destination register where it meant to use the base in the code generation for lea.

        * offlineasm/arm64.rb:

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix the build.

        Xcode forgot about some files, Profiler was renamed, assertions made the compiler sad, and
        some code got moved and deleted during the merge.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITStubs.h:
        (JITStackFrame):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):

2013-01-29  Pratik Solanki  <psolanki@apple.com>

        Merge ToT WebKit r141189.

    2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        offlineasm BaseIndex handling is broken on ARM due to MIPS changes
        https://bugs.webkit.org/show_bug.cgi?id=108261

        Reviewed by Oliver Hunt.
        
        Backends shouldn't override each other's methods. That's not cool.

        * offlineasm/mips.rb:

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to run "hello world" on JSC command-line on ARM64

        Reviewed by Geoffrey Garen.

        arm64.rb was using the destination register where it meant to use the base in the code generation for lea.

        * offlineasm/arm64.rb:

2013-01-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix the build.

        Xcode forgot about some files, Profiler was renamed, assertions made the compiler sad, and
        some code got moved and deleted during the merge.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITStubs.h:
        (JITStackFrame):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):

2013-01-28  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13099146> Merge WebKit r136927 to Puzzlebox

        Merged WebKit r136927 to bring puzzle box closer to open source.

    2012-12-06  Filip Pizlo  <fpizlo@apple.com>

            Incorrect inequality for checking whether a statement is within bounds of a handler
            https://bugs.webkit.org/show_bug.cgi?id=104313
            <rdar://problem/12808934>

            Reviewed by Geoffrey Garen.

            The most relevant change is in handlerForBytecodeOffset(), which fixes the inequality
            used for checking whether a handler is pertinent to the current instruction. '<' is
            correct, but '<=' isn't, since the 'end' is not inclusive.
            
            Also found, and addressed, a benign goof in how the finally inliner works: sometimes
            we will have end > start. This falls out naturally from how the inliner works and how
            we pop scopes in the bytecompiler, but it's sufficiently surprising that, to avoid any
            future confusion, I added a comment and some code to prune those handlers out. Because
            of how the handler resolution works, these handlers would have been skipped anyway.
            
            Also made various fixes to debugging code, which was necessary for tracking this down.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::handlerForBytecodeOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::generate):
            * bytecompiler/Label.h:
            (JSC::Label::bind):
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::throwException):
            * llint/LLIntExceptions.cpp:
            (JSC::LLInt::interpreterThrowInCaller):
            (JSC::LLInt::returnToThrow):
            (JSC::LLInt::callToThrow):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::handleHostCall):

2013-01-28  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13097368> UPSTREAM: Merge formatting of registers names in DFGFPRInfo.h to match webkit

        Reviewed by David Kilzer.

        Changed the formatting of the register names to be 4 per line to match open source.

        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):

2013-01-28  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13096905> Remove extraneous nop() from assembler/ARMAssembler.h

        Reviewed by David Kilzer.

        Removed second definition of nop() that won't even compile.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::nop):

2013-01-27  David Kilzer  <ddkilzer@apple.com>

        Make BytecodeGenerator.h match ToT WebKit

        No actual code changes; just reformatting to match ToT WebKit.

        * bytecompiler/BytecodeGenerator.h:
        (JSC): Add blank line.

2013-01-24  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12976134> Faster code for modulo in cases of simple numbers

        Reviewed by Filip Pizlo.

        Added ARM64 path to perform integer modulo using bitwise-and for constant power of 2 and 
        integer division followed by multiplication to find remainder for other cases.

        This is 1.5% win on SunSpider, neutral on V8, 10.5% win on kraken and a 38% win on js-regress.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):

2013-01-18  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/13046790> Merge r140221 from https://bugs.webkit.org/show_bug.cgi?id=107340

        Merged ToT WebKit r139949.

    2013-01-18  Michael Saboff  <msaboff@apple.com>

            Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html
            https://bugs.webkit.org/show_bug.cgi?id=107340

            Reviewed by Filip Pizlo.

            Due to the change landed in r140201, more nodes might end up
            generating Int32ToDouble nodes.  Therefore, changed the JSVALUE64
            constant path of compileInt32ToDouble() to use the more
            restrictive isInt32Constant() check on the input.  This check was
            the same as the existing ASSERT() so the ASSERT was eliminated.

            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):

2013-01-18  Michael Saboff  <msaboff@apple.com>

        Unreviewed fix eliminating overzealous ASSERT().  This ASSERT was never added to OpenSource.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):

2013-01-18  Michael Saboff  <msaboff@apple.com>

	Unreviewed build fix for building JSC with DFG_ENABLE_DEBUG_VERBOSE and 
	DFG_ENABLE_DEBUG_PROPAGATION_VERBOSE enabled in DFGCommon.h.  These changes came from 
	cherry picking individual file changes landed in open source.

        * bytecode/CodeBlock.cpp:
        (JSC::valueToSourceString):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::dump):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dump):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        * jsc.cpp:
        (functionDescribe):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_value):
        * runtime/IndexingType.cpp:
        (JSC::dumpIndexingType):
        * runtime/IndexingType.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::dump):
        * runtime/JSValue.h:
        (JSValue):

2013-01-17  Pratik Solanki  <psolanki@apple.com>

        Delete MMAP_FLAGS define since it is not used anywhere.

        Rubber-stamped by Dan Bernstein.

        * jit/ExecutableAllocatorFixedVMPool.cpp:

2013-01-17  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12645632> Crash at DFG::SpeculativeJIT::convertLastOSRExitToForward() playing a video @ m.youtube.com

        Reviewed by Filip Pizlo.

        Change the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixDoubleEdge):

2013-01-17  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12645632> Crash at DFG::SpeculativeJIT::convertLastOSRExitToForward() playing a video @ m.youtube.com

        Reviewed by Filip Pizlo.

        Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up
        an ArithDiv node with integer inputs and output for platforms that don't have integer division.
        This is needed since we could fail the shouldSpeculateInteger() check in fixDoubleEdge() and end up
        not creating the Int32ToDouble node(s) for the inputs.  Every time we re-enter the fixup phase, we'll go through
        the same "have int operands, expect int result" check in ArithDiv processing and add another DoubleToInt32
        node after us.  The code we generate is bad both before and after the actual FP division.

        Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node without
        any further checks.  This restores the idempotent guarentee that fixDoubleEdge() is built upon.
        ArithDiv is the only node type that has this issue at the current time.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        (FixupPhase):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):

2013-01-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/13009810> MobileSafari is crashing on cnn.com at JavaScriptCore: JSC::JSObject::visitChildren

        Merged ToT WebKit r139949.

    2013-01-16  Filip Pizlo  <fpizlo@apple.com>
    
            DFG 32_64 backend doesn't check for hasArrayStorage() in NewArrayWithSize
            https://bugs.webkit.org/show_bug.cgi?id=107081
    
            Reviewed by Michael Saboff.
    
            This bug led to the 32_64 backend emitting contiguous allocation code to allocate
            ArrayStorage arrays. This then led to all manner of heap corruption, since
            subsequent array accesses would be accessing the contiguous array "as if" it was
            an arraystorage array.
    
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):

2013-01-15  Yongjun Zhang  <yongjun_zhang@apple.com>

        <rdar://problem/13020391> PEP Web: WebKit sometimes leak big chunk of memory (>512KB) after loading nytimes.com.

        Merged ToT WebKit r136773.

    2013-12-05  Oliver Hunt  <oliver@apple.com>

            Empty parse cache when receiving a low memory warning
            https://bugs.webkit.org/show_bug.cgi?id=104161

            Reviewed by Filip Pizlo.

            This adds a function to the globaldata to empty all code related data
            structures (code in the heap and the code cache).
            It also adds a function to allow the CodeCache to actually be cleared
            at all. 

            * runtime/CodeCache.h:
            (CacheMap):
            (JSC::CacheMap::clear):
            (JSC::CodeCache::clear):
            (CodeCache):
            * runtime/JSGlobalData.cpp:
            (JSC::JSGlobalData::discardAllCode):
            (JSC):
            * runtime/JSGlobalData.h:
            (JSGlobalData):


2013-01-15  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/13015824> Remove IOS_PPT code

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: Remove IOS_PPT setting.

2013-01-13  David Kilzer  <ddkilzer@apple.com>

        [Mac] Add Build Phase to Check Headers for Inappropriate Macros (Platform.h macros)
        https://bugs.webkit.org/show_bug.cgi?id=104279

        Merge ToT WebKit r138064.

        Needed as part of: <rdar://problem/12204959> Innsbruck11A161: JavaScriptCore_Sim-1104 fails to installhdrs: 'Availability.h' file not found

    2012-12-18  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Add Build Phase to Check Headers for Inappropriate Macros (Platform.h macros)
        https://bugs.webkit.org/show_bug.cgi?id=104279

        Reviewed by David Kilzer.

        Add a build phase to check the public JavaScriptCore headers for
        inappropriate macros.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-01-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge r138067 from open source to fix <rdar://problem/13009810>

    2012-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>

            Restrictions on oversize CopiedBlock allocations should be relaxed
            https://bugs.webkit.org/show_bug.cgi?id=105339
    
            Reviewed by Filip Pizlo.
    
            Currently the DFG has a single branch in the inline allocation path for property/array storage where 
            it checks to see if the number of bytes requested will fit in the current block. This does not match 
            what the C++ allocation path does; it checks if the requested number of bytes is oversize, and then 
            if it's not, it tries to fit it in the current block. The garbage collector assumes that ALL allocations 
            that are greater than 16KB are in oversize blocks. Therefore, this mismatch can lead to crashes when 
            the collector tries to perform some operation on a CopiedBlock.
    
            To avoid adding an extra branch to the inline allocation path in the JIT, we should make it so that 
            oversize blocks are allocated on the same alignment boundaries so that there is a single mask to find 
            the block header of any CopiedBlock (rather than two, one for normal and one for oversize blocks), and 
            we should figure out if a block is oversize by some other method than just whatever the JSObject says 
            it is. One way we could record this info Region of the block, since we allocate a one-off Region for 
            oversize blocks.

            * heap/BlockAllocator.h:
            (JSC::Region::isCustomSize):
            (Region):
            (JSC::Region::createCustomSize):
            (JSC::Region::Region):
            (JSC::BlockAllocator::deallocateCustomSize):
            * heap/CopiedBlock.h:
            (CopiedBlock):
            (JSC::CopiedBlock::isOversize):
            (JSC):
            * heap/CopiedSpace.cpp:
            (JSC::CopiedSpace::tryAllocateOversize):
            (JSC::CopiedSpace::tryReallocate):
            (JSC::CopiedSpace::tryReallocateOversize):
            * heap/CopiedSpace.h:
            (CopiedSpace):
            * heap/CopiedSpaceInlines.h:
            (JSC::CopiedSpace::contains):
            (JSC::CopiedSpace::tryAllocate):
            (JSC):
            * heap/CopyVisitor.h:
            (CopyVisitor):
            * heap/CopyVisitorInlines.h:
            (JSC::CopyVisitor::checkIfShouldCopy):
            (JSC::CopyVisitor::didCopy):
            * heap/SlotVisitorInlines.h:
            (JSC::SlotVisitor::copyLater):
            * runtime/JSObject.cpp:
            (JSC::JSObject::copyButterfly):

2013-01-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge r137961 from open source for <rdar://problem/13009810>

    2012-12-17  Mark Hahnenberg  <mhahnenberg@apple.com>

            Butterfly::growArrayRight shouldn't be called on null Butterfly objects
            https://bugs.webkit.org/show_bug.cgi?id=105221
    
            Reviewed by Filip Pizlo.
    
            Currently we depend upon the fact that Butterfly::growArrayRight works with null Butterfly 
            objects purely by coincidence. We should add a new static function that null checks the old 
            Butterfly object and creates a new one if it's null, or calls growArrayRight if it isn't for 
            use in the couple of places in JSObject that expect such behavior to work.

            * runtime/Butterfly.h:
            (Butterfly):
            * runtime/ButterflyInlines.h:
            (JSC::Butterfly::createOrGrowArrayRight):
            (JSC):
            * runtime/JSObject.cpp:
            (JSC::JSObject::createInitialIndexedStorage):
            (JSC::JSObject::createArrayStorage):

2013-01-11  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12976133> Investigate using integer divide and multiply to compute a remainder

        Reviewed by Phil Pizlo.

        Changed ArithDiv processing for ARM64 to be very much like X86.  The ARM64 sdiv instruction doesn't trap,
        so we don't need to have the two pre-division checks that the X86 code has (divide by zero and -2^31-1 / -1).
        The sdiv instruction handles the divide by 0 directly by returning a 0 quotient and the other case is handled
        by an overflow check with the multiply.

        This is a 3.68x win for SunSpider math-spectral-norm and a 3% improvement for string-tagcloud.  Overall
        this is a 3.4% win on SunSpider.

        * dfg/DFGCommon.h:
        (JSC::DFG::isARM64):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARM64):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-01-09  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12976132> Patchable branches should be one branch instead of two

        Reviewed by Phil Pizlo.

        Changed the processing of patchable conditional branches from always being a conditional branch
        (b.<cc>, cb[n]z and tb[n]z) around an unconditional branch to being the conditional branch
        followed by a nop when the offset of the conditional branch is sufficient to reach the destination.
        Where relinkJumpOrCall only had to patch the unconditional branch, it now checks to see if the
        instruction to patch is a nop.  If so, we know we planted the nop as part of a patchable conditional
        branch, therefore try linking directly using the offset space provided in the conditional branch and
        follow it with a nop.  If there aren't enough offset bit to get to the destination, fall back to a
        branch around a branch.

        This change is performance neutral on SunSpider and V8.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::hint):
        (JSC::ARM64Assembler::nop):
        (JSC::ARM64Assembler::linkJump):
        (JSC::ARM64Assembler::relinkJump):
        (JSC::ARM64Assembler::relinkCall):
        (JSC::ARM64Assembler::link):
        (ARM64Assembler):
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::linkCompareAndBranch):
        (JSC::ARM64Assembler::linkConditionalBranch):
        (JSC::ARM64Assembler::linkTestAndBranch):
        (JSC::ARM64Assembler::relinkJumpOrCall):
        (JSC::ARM64Assembler::disassembleNop):
        (JSC::ARM64Assembler::disassembleCompareAndBranchImmediate):
        (JSC::ARM64Assembler::disassembleConditionalBranchImmediate):
        (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
        (JSC::ARM64Assembler::hintPseudo):
        (JSC::ARM64Assembler::nopPseudo):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::makeBranch):
        (JSC::MacroAssemblerARM64::makeCompareAndBranch):
        (JSC::MacroAssemblerARM64::makeTestBitAndBranch):

2013-01-09  David Kilzer  <ddkilzer@apple.com>

        Remove unused .call files

        Reviewed by Joseph Pecoraro.

        * .call: Removed with apologies to Ken Kocienda.

2013-01-04  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12954053> Merge #4: Crash in JIT code @ cnn.com iPhone site

        Reviewed by Phil Pizlo.

        Change the way reverting a BranchPtrWithPatch is done when it has been replaced with a 
        jump.  We cannot rely on the existing instructions and must create from scratch.
        This is limited to the wide moves needed to fill the temp register with the restored
        pointer value.  Added a new common setPointer() method to ARM64Assembler that writes
        out the instructions and flushes the I-cache.  Both the existing linkPointer and new
        setPointer() use this common method.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::repatchPointer):
        (ARM64Assembler):
        (JSC::ARM64Assembler::setPointer):
        (JSC::ARM64Assembler::linkPointer):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::reemitInitialMoveWithPatch):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToBranchPtrWithPatch):

2013-01-04  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12954053> Merge #4: Crash in JIT code @ cnn.com iPhone site

        Reviewed by Phil Pizlo.

        Improper merge of the patchableBranch pass through methods for ARM64.  Added patchableBranchTest32()
        as a patchable method for ARM64.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranchTest32):
        (MacroAssembler):

2013-01-02  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12927415> iOS WebKit merge #4: Arm64 Root crashes immediately running JavaScript

        Rubber-stamped by Phil Pizlo.

        The label returned from one of branchPtrWithPatch() methods is the address of the first move wide
        instruction.  Therefore we don't need to offset the address in startOfBranchPtrWithPatchOnRegister().

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::startOfBranchPtrWithPatchOnRegister):

2013-01-03  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12953903> 11A243: JavaScriptCore fails to compile in debug ARM64 config

        Reviewed by Phil Pizlo.

        Use casts when comparing FPRReg with integers. This change for ARM code is similar to r1176464.

        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::debugName):

2013-01-03  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12954264> ARM64 Disassembler doesn't handle variable shift / rotate instructions correctly

        Reviewed by Phil Pizlo.

        Fixed the generation of opNameIndex() to extract bits 0, 1 and 3 from the "opcode" field which are bits
        10, 11 and 13 from the instruction.

        * disassembler/ARM64/A64DOpcode.h:
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::opNameIndex):

2013-01-02  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/12945902> 11A242: JavaScriptCore fails to compile in debug config

        Reviewed by Dan Bernstein.

        Use casts when comparing GPRReg/FPRReg with integers. This change for ARM code is similar to
        r132752 made in opensource to fix the same compiler error.

        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):

2012-12-21  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12922052> ARM64: BranchTestNN() where the immediate has only one bit set should use the tbz instruction

        Reviewed by Phil Pizlo.

        Check for a single bit immediate and if so, use it with the test bit and branch instruction.

        Made a common hasOneBitSet() in wtf/MathExtras.h.  Made isPowerOf2() in PropertyMapHashTable.h
        a wrapper function for readability.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchTest32):
        (JSC::MacroAssemblerARM64::branchTest64):
        * runtime/PropertyMapHashTable.h:
        (JSC::isPowerOf2):

2012-12-20  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12922051> ARM64: StoreXX(TrustedImm) where the immediate is 0 should use the ZR register

        Reviewed by Phil Pizlo.

        Use the zr register for stores when the immediate is 0.

        No measured performance change running SunSpider.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store64):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::store8):

2012-12-20  Michael Saboff  <msaboff@apple.com>

        Changes made to match the changes while back merging the "unusedPointer" part of r12913496.

        Rubber stamped by Phil Pizlo.

        Changed the name of emptyPointer to unusedPointer.  Follow-on changes as a result of the
        name change.  OpenSource changes landed in r138308: <http://trac.webkit.org/changeset/138308>.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/MethodCallLinkInfo.cpp:
        (JSC::MethodCallLinkInfo::reset):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/EmptyPointer.h: Removed.
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::clearToUnusedPointer):
        (JSC::JITWriteBarrierBase::get):
        * jit/UnusedPointer.h: Copied from Source/JavaScriptCore/jit/EmptyPointer.h.

2012-12-19  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix.

        Adding updated project file inadvertently left off from prior checkin.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-12-19  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12913496> ARM64: Use only 48 bits for patchable pointers in JIT'ed code

        Reviewed by Gavin Barraclough.

        Changed pointer code in the JIT and macro assembler to only manipulate the lower 48 bits.
        Changed "empty pointer" logic from using -1 to using a constant (0xd1e7beef) and put that
        constant into the new header file jit/EmptyPointer.h.

        Changed occurances that use -1 to now use emptyPointer.

        Performance impact of this change is +.6% on SunSpider, neutral on V8 and +.3% on Kraken.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::readPointer):
        (JSC::ARM64Assembler::readCallTarget):
        (JSC::ARM64Assembler::linkPointer):
        * assembler/MacroAssemblerARM64.h:
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::moveWithFixedWidth):
        * bytecode/MethodCallLinkInfo.cpp:
        (JSC::MethodCallLinkInfo::reset):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/EmptyPointer.h: Added.
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::resetPatchGetById):
        (JSC::JIT::resetPatchPutById):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::clearToEmptyPointer):
        (JSC::JITWriteBarrierBase::get):

2012-12-19  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12910064> ARM64: Operations with an AbsoluteAddress source and destination should reuse address in temp register

        Reviewed by Oliver Hunt.

        When memoryTempRegister hasn't been reused, we store directly to memoryTempRegister.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::add32):
        (JSC::MacroAssemblerARM64::add64):
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::sub32):
        (JSC::MacroAssemblerARM64::branchAdd32):

2012-12-18  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12903309> ARM64: Further optimizations for test/compare and branch with branch compaction

        Reviewed by Phil Pizlo.

        Added support for CompareAndBranch (cbz/cbnz) instructions.  Made makeTestBitAndBranch() generally usable.
        Added code to compact both CompareAndBranch and TestBitAndBranch instructions.  Cleaned up the ARM64
        specific branch compaction code, specifically the ASSERTS in linkJumpConditionDirect() and eliminated 
        the now unused disassembleConditionalBranchImmediate() as we are never pointing at a b.<cond> instruction
        when we write one out with the linked address.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::LinkRecord::LinkRecord):
        (JSC::ARM64Assembler::LinkRecord::is64Bit):
        (JSC::ARM64Assembler::LinkRecord::bitNumber):
        (JSC::ARM64Assembler::LinkRecord::compareRegister):
        (LinkRecord):
        (JSC::ARM64Assembler::linkJump):
        (ARM64Assembler):
        (JSC::ARM64Assembler::canCompact):
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::linkJumpCompareAndBranch):
        (JSC::ARM64Assembler::linkJumpConditionDirect):
        (JSC::ARM64Assembler::linkJumpCompareAndBranchDirect):
        (JSC::ARM64Assembler::linkJumpTestBitDirect):
        (JSC::ARM64Assembler::compareAndBranchImmediate):
        * assembler/AbstractMacroAssembler.h:
        (Jump):
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        (JSC::AbstractMacroAssembler::Jump::linkTo):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM64::branchTest32):
        (JSC::MacroAssemblerARM64::branchTest64):
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::makeCompareAndBranch):
        (JSC::MacroAssemblerARM64::makeTestBitAndBranch):

2012-12-18  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12903449> ARM64: Indexed Load and Store operations should used the scaled index ldr/str instructions when possible

        Reviewed by Oliver Hunt.

        Added path to use the scaled indexed load and store instructions for naturally indexed ops where the
        offset is 0.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::load64):
        (JSC::MacroAssemblerARM64::load32):
        (JSC::MacroAssemblerARM64::load16):
        (JSC::MacroAssemblerARM64::load16Signed):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::load8Signed):
        (JSC::MacroAssemblerARM64::store64):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::store16):
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::loadFloat):
        (JSC::MacroAssemblerARM64::storeDouble):
        (JSC::MacroAssemblerARM64::storeFloat):

2012-12-18  Michael Saboff  <msaboff@apple.com>

        Merge of OpenSource WebKit r137976 & r138032

    2012-12-17  Michael Saboff  <msaboff@apple.com>

            DFG: Refactor DFGCorrectableJumpPoint to reduce size of OSRExit data
            https://bugs.webkit.org/show_bug.cgi?id=105237

            Reviewed by Filip Pizlo.

            Replaced DFGCorrectableJumpPoint with OSRExitCompilationInfo which is used and kept alive only while we are
            compiling in the DFG.  Moved the patchable branch offset directly into OSRExit.

            * CMakeLists.txt:
            * GNUmakefile.list.am:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * Target.pri:
            * assembler/AbstractMacroAssembler.h:
            * dfg/DFGCorrectableJumpPoint.cpp: Removed.
            * dfg/DFGCorrectableJumpPoint.h: Removed.
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::linkOSRExits):
            (JSC::DFG::JITCompiler::link):
            * dfg/DFGJITCompiler.h:
            (JSC::DFG::JITCompiler::appendExitJump):
            (JITCompiler):
            * dfg/DFGOSRExit.cpp:
            (JSC::DFG::OSRExit::OSRExit):
            (JSC::DFG::OSRExit::setPatchableCodeOffset):
            (JSC::DFG::OSRExit::getPatchableCodeOffsetAsJump):
            (JSC::DFG::OSRExit::codeLocationForRepatch):
            (JSC::DFG::OSRExit::correctJump):
            * dfg/DFGOSRExit.h:
            (OSRExit):
            * dfg/DFGOSRExitCompilationInfo.h: Added.
            (OSRExitCompilationInfo):
            (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
            (JSC::DFG::OSRExitCompilationInfo::failureJump):
            * dfg/DFGOSRExitCompiler.cpp:
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::speculationCheck):
            (JSC::DFG::SpeculativeJIT::speculationWatchpoint):

    2012-12-18  Michael Saboff  <msaboff@apple.com>

            [Qt] Fix the ARMv7 build after r137976
            https://bugs.webkit.org/show_bug.cgi?id=105270

            Reviewed by Csaba Osztrogonác.

            Add default value for Jump parameter to fix build.

            * assembler/AbstractMacroAssembler.h:
            (JSC::AbstractMacroAssembler::Jump::Jump):

2012-12-14  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12883938> ARM64 DFG: SoftModulo will OSR exit with overflow when the result is 0

        Reviewed by Geoffrey Garen.

        Changed the generated code in branchConvertDoubleToInt32() to conditionally check for a negative value
        before checking for 0 and only take the failure path for negative 0.0.  Since branchConvertDoubleToInt32()
        is used for more than just modulo, only made the modulo case generate the added check.
        Added the parameter to all of the macro assemblers, but the parameter is only used in the ARM64 version
        at this point.

        To support this patch, added the new test bit and branch (for the tbz/tbnz instruction) jump type to the
        ARM64 macro assembler.  As other branches we initially generate a tb[n]z instruction with inverted
        condition around an unconditional branch.  The branch around a branch is usually compacted during the
        link phase.  The compacting of tb[n]z will be done in a subsequent patch.

        This change is worth >3.5% on SunSpider to to 10-20% gains on 3d-raytrace, crypto-aes and string-validate-input
        with lesser gains on other tests.

        This patch will be back ported to OpenSource.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::linkJumpTestBit):
        (ARM64Assembler):
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM64::makeTestBitAndBranch):
        (MacroAssemblerARM64):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchConvertDoubleToInt32):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchConvertDoubleToInt32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):

2012-12-13  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12869956> SWB: JavaScriptCore-1136 failed to build with clang-426.2.3: -Wshift-op-parentheses

        Rubber stamped by Jessie Berlin.

        Added parens to quiet the newly added -Wshift-op-parentheses warning.

        * disassembler/ARM64/A64DOpcode.cpp:
        (JSC::ARM64Disassembler::rotateRight):

2012-12-12  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12870469> ARM64 Add Data Processing 3 Source and FP Data Processing 1 Source instruction groups to disassembler

        Reviewed by Phil Pizlo.

        Added support for the two missin instruction groups.

        * disassembler/ARM64/A64DOpcode.cpp:
        (ARM64Disassembler):
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::format):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::format):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointDataProcessing1Source::format):
        * disassembler/ARM64/A64DOpcode.h:
        (A64DOpcodeDataProcessing3Source):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::opName):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::ra):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::op54):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::op31):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::op0):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing3Source::opNum):
        (ARM64Disassembler):
        (A64DOpcodeFloatingPointDataProcessing1Source):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointDataProcessing1Source::opName):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointDataProcessing1Source::opNum):

2012-12-12  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12858410> ARM64 SunSpider crypto-md5 test is 40x slower compared to ARMv7

        Reviewed by Gavin Barraclough.

        Fix a problem in the add32/sub32 with an address case where we materialize the address into
        the temporary register memoryTempRegister.  The problem is that the store uses memoryTempRegister
        where the result of the add/sub is sitting.  We were writing out the lower 32 bits of the address
        into the memory at the address.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::add32):
        (JSC::MacroAssemblerARM64::add64):
        (JSC::MacroAssemblerARM64::sub32):
        (JSC::MacroAssemblerARM64::branchAdd32):

2012-12-11  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12856193> Add option so that JSC will crash if it can't allocate executable memory for the JITs

        Reviewed by Phil Pizlo.

        Added new option "crashIfCantAllocateJITMemory".  If this option is true, we crash when checking 
        the executable allocator.  The default is false, but jsc sets it to true.  Coded this so that
        is useJIT and useRegExpJIT are both false, we don't crash since we aren't using any JITs.

        * jsc.cpp:
        (main):
        * runtime/JSGlobalData.cpp:
        (JSC::enableAssembler):
        * runtime/Options.h:
        (JSC)::Options::crashIfCantAllocateJITMemory

2012-12-10  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12821654> ARM64 Should compact compare then branch around branch when possible

        Reviewed by Phil Pizlo.

        Added branch compaction to ARM64 in a similar way as was done for ARMv7.  We convert code like.

                      cmp    xM, xN                              cmp    xM, xN
          FROM        b.!cond continue                TO         b.cond labelIfCond
               cont:  b      labelIfCond

        Abstracted the compaction code in LinkBuffer::linkCode by instruction size to new helper
        LinkBuffer::copyCompactAndLinkCode().  Added JumpType, JumpLinkType and LinkRecord to ARM64Assembler.
        Added ARM64 versions of the helper methods needed by copyCompactAndLink.

        Abstracted out the jump type date used in DFG::CorrectableJumpPoint to be part of the MacroAssembler
        instead of the two assemblers that do compaction.

        * assembler/ARM64Assembler.h:
        (LinkRecord):
        (JSC::ARM64Assembler::LinkRecord::LinkRecord):
        (JSC::ARM64Assembler::LinkRecord::operator=):
        (JSC::ARM64Assembler::LinkRecord::from):
        (JSC::ARM64Assembler::LinkRecord::setFrom):
        (JSC::ARM64Assembler::LinkRecord::to):
        (JSC::ARM64Assembler::LinkRecord::type):
        (JSC::ARM64Assembler::LinkRecord::linkType):
        (JSC::ARM64Assembler::LinkRecord::setLinkType):
        (JSC::ARM64Assembler::LinkRecord::condition):
        (JSC::ARM64Assembler::unlinkedCode):
        (JSC::ARM64Assembler::linkJump):
        (ARM64Assembler):
        (JSC::ARM64Assembler::jumpSizeDelta):
        (JSC::ARM64Assembler::linkRecordSourceComparator):
        (JSC::ARM64Assembler::canCompact):
        (JSC::ARM64Assembler::computeJumpType):
        (JSC::ARM64Assembler::recordLinkOffsets):
        (JSC::ARM64Assembler::jumpsToLink):
        (JSC::ARM64Assembler::link):
        (JSC::ARM64Assembler::linkJumpNoCondition):
        (JSC::ARM64Assembler::linkJumpConditionDirect):
        (JSC::ARM64Assembler::linkJumpCondition):
        (JSC::ARM64Assembler::disassembleConditionalBranchImmediate):
        (JSC::ARM64Assembler::compareAndBranchImmediate):
        (JSC::ARM64Assembler::conditionalBranchImmediate):
        * assembler/AbstractMacroAssembler.h:
        (Jump):
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        (JSC::AbstractMacroAssembler::Jump::linkTo):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/LinkBuffer.h:
        (LinkBuffer):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::MacroAssemblerARM64):
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::jumpsToLink):
        (JSC::MacroAssemblerARM64::unlinkedCode):
        (JSC::MacroAssemblerARM64::canCompact):
        (JSC::MacroAssemblerARM64::computeJumpType):
        (JSC::MacroAssemblerARM64::recordLinkOffsets):
        (JSC::MacroAssemblerARM64::jumpSizeDelta):
        (JSC::MacroAssemblerARM64::link):
        (JSC::MacroAssemblerARM64::executableOffsetFor):
        (JSC::MacroAssemblerARM64::branchTest32):
        (JSC::MacroAssemblerARM64::jump):
        (JSC::MacroAssemblerARM64::patchableBranchPtr):
        (JSC::MacroAssemblerARM64::patchableBranchTest32):
        (JSC::MacroAssemblerARM64::patchableBranch32):
        (JSC::MacroAssemblerARM64::patchableBranchPtrWithPatch):
        (JSC::MacroAssemblerARM64::patchableJump):
        (JSC::MacroAssemblerARM64::makeBranch):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        * dfg/DFGCorrectableJumpPoint.h:
        (JSC::DFG::CorrectableJumpPoint::CorrectableJumpPoint):
        (JSC::DFG::CorrectableJumpPoint::switchToLateJump):
        (JSC::DFG::CorrectableJumpPoint::correctInitialJump):
        (JSC::DFG::CorrectableJumpPoint::getJump):
        (CorrectableJumpPoint):

2012-12-10  Michael Saboff  <msaboff@apple.com>

        Merge OpenSource WebKit r132991 to fix <rdar://problem/12831284>

    2012-10-30  Yuqiang Xian  <yuqiang.xian@intel.com>

            glsl-function-atan.html WebGL conformance test fails after https://bugs.webkit.org/show_bug.cgi?id=99154
            https://bugs.webkit.org/show_bug.cgi?id=100789

            Reviewed by Filip Pizlo.

            We accidently missed a bitwise double to int64 conversion.

            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::silentFill):

2012-12-10  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12821760> ARM64 disassembler should cover the instructions the various JSC JIT's generate

        Reviewed by Phil Pizlo.

        Added decoding for CompareAndBranch, Data processing 2 sources, FP compare, FP processing 2 source,
        FP fixed point conversion, FP integer conversion and TestAndBranch instruction groups.
        Cleaned up some remaining changes to the printing code that weren't made before the original patch
        was landed.

        * disassembler/ARM64/A64DOpcode.cpp:
        (ARM64Disassembler):
        (JSC::ARM64Disassembler::A64DOpcode::appendRegisterName):
        (JSC::ARM64Disassembler::A64DOpcodeCompareAndBranchImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalBranchImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::format):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointCompare::format):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointDataProcessing2Source::format):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingFixedPointConversions::format):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointIntegerConversions::format):
        (JSC::ARM64Disassembler::A64DOpcodeHint::format):
        (JSC::ARM64Disassembler::A64DOpcodeTestAndBranchImmediate::format):
        * disassembler/ARM64/A64DOpcode.h:
        (A64DOpcodeCompareAndBranchImmediate):
        (JSC::ARM64Disassembler::A64DOpcodeCompareAndBranchImmediate::opBit):
        (JSC::ARM64Disassembler::A64DOpcodeCompareAndBranchImmediate::immediate19):
        (ARM64Disassembler):
        (A64DOpcodeDataProcessing2Source):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::opName):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::sBit):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::opCode):
        (JSC::ARM64Disassembler::A64DOpcodeDataProcessing2Source::opNameIndex):
        (A64DOpcodeFloatingPointOps):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointOps::mBit):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointOps::sBit):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointOps::type):
        (A64DOpcodeFloatingPointCompare):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointCompare::opName):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointCompare::op):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointCompare::opCode2):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointCompare::opNum):
        (A64DOpcodeFloatingPointDataProcessing2Source):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointDataProcessing2Source::opName):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointDataProcessing2Source::opNum):
        (A64DOpcodeFloatingFixedPointConversions):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingFixedPointConversions::opName):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingFixedPointConversions::rmode):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingFixedPointConversions::opcode):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingFixedPointConversions::scale):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingFixedPointConversions::opNum):
        (A64DOpcodeFloatingPointIntegerConversions):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointIntegerConversions::opName):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointIntegerConversions::rmode):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointIntegerConversions::opcode):
        (JSC::ARM64Disassembler::A64DOpcodeFloatingPointIntegerConversions::opNum):
        (A64DOpcodeTestAndBranchImmediate):
        (JSC::ARM64Disassembler::A64DOpcodeTestAndBranchImmediate::bitNumber):
        (JSC::ARM64Disassembler::A64DOpcodeTestAndBranchImmediate::opBit):
        (JSC::ARM64Disassembler::A64DOpcodeTestAndBranchImmediate::immediate14):

2012-12-04  Benjamin Poulain  <bpoulain@apple.com>

        Merge OpenSource WebKit r132752 to fix the build with newer SDKs.

    2012-10-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, make always-true enum-to-int comparisons use casts.

        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueSource::tagGPR):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2012-12-03  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12801153> JSC should have an ARM64 disassembler

        Reviewed by Phil Pizlo.

        Framework for a new ARM 64 disassembler with decoding for almost all integer instruction the
        current JIT's emit.  The disassembler is structured as a base opcode class A64DOpcode with
        sub-classes for each instruction group.  There is a public format method that does the bulk of
        the disassebly work.  Instructions are "dispatched" to the right subclass via an array of linked
        lists in the inner class OpcodeGroup.  The array is indexed using bits 24..28 of the instruction.
        OpcodeGroup has a mask and a pattern that it applies to the instruction to determine that it
        matches a particular group.  OpcodeGroup uses a static method to reinterpret_cast the Opcode
        object to the right base class for the instruction group for formatting.  The cast eliminates 
        the need of allocating an object for each decoded instruction.  Unknown instructions are
        formatted as "  .long 12345678".

        The disassembler does not currently cover FP operations or what appear to be currently unused
        opcodes.  FP operations and soon to be used instructions like compare and branch and test and branch
        will be added in a subsequent patch.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * disassembler/ARM64: Added.
        * disassembler/ARM64/A64DOpcode.cpp: Added.
        (ARM64Disassembler):
        (JSC::ARM64Disassembler::A64DOpcode::format):
        (JSC::ARM64Disassembler::A64DOpcode::appendRegisterName):
        (JSC::ARM64Disassembler::A64DOpcode::appendFPRegisterName):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractExtendedRegister::format):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractShiftedRegister::format):
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::format):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalBranchImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalSelect::format):
        (JSC::ARM64Disassembler::A64OpcodeExceptionGeneration::format):
        (JSC::ARM64Disassembler::A64DOpcodeExtract::format):
        (JSC::ARM64Disassembler::A64DOpcodeHint::format):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterOffset::format):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreUnsignedImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::format):
        (JSC::ARM64Disassembler::highestBitSet):
        (JSC::ARM64Disassembler::rotateRight):
        (JSC::ARM64Disassembler::replicate):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::format):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchImmediate::format):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::format):
        (OpcodeGroupInitializer):
        (JSC::ARM64Disassembler::A64DOpcode::init):
        (JSC::ARM64Disassembler::A64DOpcode::disassemble):
        * disassembler/ARM64/A64DOpcode.h: Added.
        (ARM64Disassembler):
        (A64DOpcode):
        (OpcodeGroup):
        (JSC::ARM64Disassembler::A64DOpcode::OpcodeGroup::OpcodeGroup):
        (JSC::ARM64Disassembler::A64DOpcode::OpcodeGroup::setNext):
        (JSC::ARM64Disassembler::A64DOpcode::OpcodeGroup::next):
        (JSC::ARM64Disassembler::A64DOpcode::OpcodeGroup::matches):
        (JSC::ARM64Disassembler::A64DOpcode::OpcodeGroup::format):
        (JSC::ARM64Disassembler::A64DOpcode::A64DOpcode):
        (JSC::ARM64Disassembler::A64DOpcode::conditionName):
        (JSC::ARM64Disassembler::A64DOpcode::shiftName):
        (JSC::ARM64Disassembler::A64DOpcode::optionName):
        (JSC::ARM64Disassembler::A64DOpcode::FPRegisterPrefix):
        (JSC::ARM64Disassembler::A64DOpcode::opcodeGroupNumber):
        (JSC::ARM64Disassembler::A64DOpcode::is64Bit):
        (JSC::ARM64Disassembler::A64DOpcode::size):
        (JSC::ARM64Disassembler::A64DOpcode::option):
        (JSC::ARM64Disassembler::A64DOpcode::rd):
        (JSC::ARM64Disassembler::A64DOpcode::rt):
        (JSC::ARM64Disassembler::A64DOpcode::rn):
        (JSC::ARM64Disassembler::A64DOpcode::rm):
        (JSC::ARM64Disassembler::A64DOpcode::appendInstructionName):
        (JSC::ARM64Disassembler::A64DOpcode::appendSPOrRegisterName):
        (JSC::ARM64Disassembler::A64DOpcode::appendZROrRegisterName):
        (JSC::ARM64Disassembler::A64DOpcode::appendSeparator):
        (JSC::ARM64Disassembler::A64DOpcode::appendCharacter):
        (JSC::ARM64Disassembler::A64DOpcode::appendString):
        (JSC::ARM64Disassembler::A64DOpcode::appendShiftType):
        (JSC::ARM64Disassembler::A64DOpcode::appendSignedImmediate):
        (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate):
        (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
        (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
        (JSC::ARM64Disassembler::A64DOpcode::appendShiftAmount):
        (A64DOpcodeAddSubtract):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtract::opName):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtract::cmpName):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtract::isCMP):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtract::op):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtract::sBit):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtract::opAndS):
        (A64DOpcodeAddSubtractImmediate):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractImmediate::isMovSP):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractImmediate::shift):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractImmediate::immed12):
        (A64DOpcodeAddSubtractExtendedRegister):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractExtendedRegister::immediate3):
        (A64DOpcodeAddSubtractShiftedRegister):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractShiftedRegister::isNeg):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractShiftedRegister::negName):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractShiftedRegister::shift):
        (JSC::ARM64Disassembler::A64DOpcodeAddSubtractShiftedRegister::immediate6):
        (A64DOpcodeBitfield):
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::opName):
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::extendPseudoOpNames):
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::insertOpNames):
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::extractOpNames):
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::opc):
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::nBit):
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::immediateR):
        (JSC::ARM64Disassembler::A64DOpcodeBitfield::immediateS):
        (A64DOpcodeConditionalBranchImmediate):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalBranchImmediate::condition):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalBranchImmediate::immediate19):
        (A64DOpcodeConditionalSelect):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalSelect::opName):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalSelect::opNum):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalSelect::op):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalSelect::sBit):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalSelect::condition):
        (JSC::ARM64Disassembler::A64DOpcodeConditionalSelect::op2):
        (A64OpcodeExceptionGeneration):
        (JSC::ARM64Disassembler::A64OpcodeExceptionGeneration::opc):
        (JSC::ARM64Disassembler::A64OpcodeExceptionGeneration::op2):
        (JSC::ARM64Disassembler::A64OpcodeExceptionGeneration::ll):
        (JSC::ARM64Disassembler::A64OpcodeExceptionGeneration::immediate16):
        (A64DOpcodeExtract):
        (JSC::ARM64Disassembler::A64DOpcodeExtract::op21):
        (JSC::ARM64Disassembler::A64DOpcodeExtract::nBit):
        (JSC::ARM64Disassembler::A64DOpcodeExtract::o0Bit):
        (JSC::ARM64Disassembler::A64DOpcodeExtract::immediateS):
        (A64DOpcodeHint):
        (JSC::ARM64Disassembler::A64DOpcodeHint::opName):
        (JSC::ARM64Disassembler::A64DOpcodeHint::immediate7):
        (A64DOpcodeLoadStore):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStore::opName):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStore::size):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStore::vBit):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStore::opc):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStore::opNumber):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStore::is64BitRT):
        (A64DOpcodeLoadStoreImmediate):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreImmediate::unprivilegedOpName):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreImmediate::unscaledOpName):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreImmediate::type):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreImmediate::immediate9):
        (A64DOpcodeLoadStoreRegisterOffset):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterOffset::option):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreRegisterOffset::sBit):
        (A64DOpcodeLoadStoreUnsignedImmediate):
        (JSC::ARM64Disassembler::A64DOpcodeLoadStoreUnsignedImmediate::immediate12):
        (A64DOpcodeLogical):
        (JSC::ARM64Disassembler::A64DOpcodeLogical::opName):
        (JSC::ARM64Disassembler::A64DOpcodeLogical::opc):
        (JSC::ARM64Disassembler::A64DOpcodeLogical::nBit):
        (A64DOpcodeLogicalImmediate):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalImmediate::isTst):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalImmediate::isMov):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalImmediate::opNumber):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalImmediate::shift):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalImmediate::immediateR):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalImmediate::immediateS):
        (A64DOpcodeLogicalShiftedRegister):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::isTst):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::isMov):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::opNumber):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::shift):
        (JSC::ARM64Disassembler::A64DOpcodeLogicalShiftedRegister::immediate6):
        (A64DOpcodeMoveWide):
        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::opc):
        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::hw):
        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::immediate16):
        (A64DOpcodeUnconditionalBranchImmediate):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchImmediate::op):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchImmediate::immediate26):
        (A64DOpcodeUnconditionalBranchRegister):
        (JSC::ARM64Disassembler::A64DOpcodeUnconditionalBranchRegister::opc):
        * disassembler/ARM64Disassembler.cpp: Added.
        (JSC::tryToDisassemble):

2012-12-03  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12801180> ARM64 Macro Assembler doesn't generate optimum wide move instruction for mostly negative values

        Reviewed by Phil Pizlo.

        Since the compiler implicitly casts a uint16_t to an int before '~' operator, I changed the check for
        0xffff from if (~x) to if (x == 0xffff).  Found and fixed a minor ASSERT() error found during debugging.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::moveInternal):

2012-11-28  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12531894> Crash in HeapTimer::didStartVMShutdown exiting AppleTV movie trailer

        Reviewed by Oliver Hunt.

        Added check before use without #ifdef IOS for all uses of m_activityCallback and Heap::activityCallback().
        Created Heap::synchronizeActivityCallback() so a null m_activityCallback doesn't leak out of a Heap object.
        Called cancel() directly in DefaultGCActivityCallback::doWork() since we know it is outselves and we don't
        need to get the activity callback from our heap.

        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        * heap/Heap.cpp:
        (JSC::Heap::didAbandon):
        (JSC::Heap::collect):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::synchronizeActivityCallback):
        (JSC::Heap::didAllocate):
        (JSC::Heap::didStartVMShutdown):
        * heap/Heap.h:
        (JSC::Heap::synchronizeActivityCallback):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2012-11-27  Michael Saboff  <msaboff@apple.com>

        Cherry-pick merge of r132546 for <rdar://problem/12636065>.

    2012-10-25  Filip Pizlo  <fpizlo@apple.com>

            REGRESSION (r131793-r131826): Crash going to wikifonia.org
            https://bugs.webkit.org/show_bug.cgi?id=100281

            Reviewed by Oliver Hunt.

            Restore something that got lost in the resolve refactoring: the ability to give up on life if
            we see a resolve of 'arguments'.

            * runtime/JSScope.cpp:
            (JSC::JSScope::resolveContainingScopeInternal):

2012-11-09  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12665471> ARM64 ExtendType enum has types in the wrong order

        Reviewed by Gavin Barraclough.

        Corrected the order of ARM64Assembler::ExtendType to match instruction reference.  The UTX? should appear before
        the STX? values.

        * assembler/ARM64Assembler.h:
        ARM64Assembler::ExtendType:

2012-11-09  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12640867> Crash in JSC::Interpreter::execute() running SunSpider

        Reviewed by Gavin Barraclough.

        This is a speculative fix as I can't reproduce this in ToT.  In the JavaScriptCore delivered with 11A207, it
        appears that x19 is not being saved by ctiTrampoline and is subsequently being clobbered.  This change
        adds x19 and x20 as calle save registers per the current ABI documents.

        * assembler/ARM64Assembler.h:
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        * jit/JITStubs.h:
        (JITStackFrame):

2012-11-07  Joseph Pecoraro  <pecoraro@apple.com>

        <rdar://problem/12640110> CRASH: ARM64 OSRExitCompiler::compileExit -> JSC::MacroAssemblerARM64::push after merging up to r132276

        Patch by Filip Pizlo.

        Use the supported push/pop for ARM64.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2012-11-02  Joseph Pecoraro  <pecoraro@apple.com>

        <rdar://problem/12630041> JavaScriptCore fails to compile for ARM64 after merging up to r132276

        Reviewed by Geoff Garen and Filip Pizlo.

        Update ARM64 after some OpenSource changes when merging up to r132276.
        
          r130726:
            - RegisterFile -> JSStack

          r131426, r131858, r131860:
            - x32 MacroAssembler refactoring from opPtr to op64 for 64bit
            - x32 follow up changes and build fix for 64bit refactoring

        * assembler/AbstractMacroAssembler.h:
        (TrustedImm64):
        (Imm64):
        Include generic 64bit code in CPU(ARM64).

        * assembler/MacroAssembler.h:
        (MacroAssembler):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::add64):
        (JSC::MacroAssemblerARM64::and64):
        (JSC::MacroAssemblerARM64::neg64):
        (JSC::MacroAssemblerARM64::or64):
        (JSC::MacroAssemblerARM64::rotateRight64):
        (JSC::MacroAssemblerARM64::sub64):
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::load64):
        (JSC::MacroAssemblerARM64::load64WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load64WithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store64):
        (JSC::MacroAssemblerARM64::store64WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::moveDoubleTo64):
        (JSC::MacroAssemblerARM64::move64ToDouble):
        (JSC::MacroAssemblerARM64::popToRestore):
        (JSC::MacroAssemblerARM64::pushToSave):
        (JSC::MacroAssemblerARM64::branch64):
        (JSC::MacroAssemblerARM64::branchTest64):
        (JSC::MacroAssemblerARM64::branchAdd64):
        (JSC::MacroAssemblerARM64::branchSub64):
        (JSC::MacroAssemblerARM64::call):
        (JSC::MacroAssemblerARM64::jump):
        (JSC::MacroAssemblerARM64::compare64):
        (JSC::MacroAssemblerARM64::test64):
        (JSC::MacroAssemblerARM64::branchPtrWithPatch):
        (JSC::MacroAssemblerARM64::storePtrWithPatch):
        Rename fooPtr to foo64 where appropriate.

        (JSC::MacroAssemblerARM64::move):
        Added move for TrustedImm64.

        (JSC::MacroAssemblerARM64::xor64):
        Simple xor implementation, provided by Gavin!

        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        Match x86_64.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        * jit/JITStubs.h:
        (JITStackFrame):
        Handle RegisterFile -> JSStack renames.

2012-11-08  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12640555> 11A207/N51: Crash under RegExpObject::match() when loading nytimes.com

        Reviewed by Gavin Barraclough.

        The ABI doesn't define the behavior for the upper bits of a value that takes less than 64 bits.
        Therefore, we zero extend both the count and length registers to assure that these unsigned values
        don't have garbage upper bits.  Made the change for X86_64 as it could happen there as well although
        there isn't any known problem.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateEnter):

2012-10-26  Benjamin Poulain  <bpoulain@apple.com>

        Merge OpenSource WebKit r130418.

    2012-10-04  Benjamin Poulain  <bpoulain@apple.com>

        Use copyLCharsFromUCharSource() for IdentifierLCharFromUCharTranslator translation
        https://bugs.webkit.org/show_bug.cgi?id=98335

        Reviewed by Michael Saboff.

        Michael Saboff added an optimized version of UChar->LChar conversion in r125846.
        Use this function in JSC::Identifier.

        * runtime/Identifier.cpp:
        (JSC::IdentifierLCharFromUCharTranslator::translate):

2012-11-02  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12624771> ARM64 Macro Assembler Logical with immediate instructions should use native immediate instructions

        Reviewed by Oliver Hunt.

        Changed and, or and xor for 32 bit and 64 bit to use LogicalImmediate.  We create a LogicalImmediate and if
        we can encode the immediate, we generate the immediate version of the instruction, otherwise we fallback to the
        "put immediate into temp register" form.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::and32):
        (JSC::MacroAssemblerARM64::andPtr):
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::orPtr):
        (JSC::MacroAssemblerARM64::xor32):
        (JSC::MacroAssemblerARM64::xorPtr):

2012-10-30  Eric Carlson  <eric.carlson@apple.com>

        <rdar://problem/12593706> Support text tracks for in-line video playback

        Reviewed by NOBODY (OOPS!).

        * Configurations/FeatureDefines.xcconfig: Define ENABLE_VIDEO_TRACK.

2012-10-29  Jer Noble  <jer.noble@apple.com>

        <rdar://problem/8978236> Sub-TLF: Support fullscreen API on iOS

        Reviewed by Ian Henderson.

        Enable WebKit Full Screen API by setting ENABLE_FULLSCREEN_API.

        * Configurations/FeatureDefines.xcconfig:

2012-10-30  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12593651> Improve ARM64 Macro Assembler generation of wide moves

        Reviewed by Phil Pizlo.

        Created a new templated helper moveInternal() that can move a 32 or 64 bit literal value into a destination
        register using the move wide instructions.  This method figures out the minimum number of half words that need to be 
        loaded by looking for half words that are all zeros or all ones.  Based on that check we choose a movz path or movn
        path.  The first half word that is filled also fills the whole register and subsequent half words ore filled using
        the movk instruction.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::move): Changed to use new helper.
        (JSC::MacroAssemblerARM64::moveInternal): New helper.

2012-10-24  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12566747> ARM64 Macro Assembler: Add support for using immediate ops for all add() and sub() methods

        Reviewed by Phil Pizlo.

        Added code to use 12 bit immediate add, cmp and sub to add, sub and branch instructions
        where possible.

        * assembler/ARM64Assembler.h:
        (JSC::isUInt12): Overloaded to take intptr_t.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::addPtr):
        (JSC::MacroAssemblerARM64::sub32):
        (JSC::MacroAssemblerARM64::subPtr):
        (JSC::MacroAssemblerARM64::branch32):
        (JSC::MacroAssemblerARM64::branchPtr):
        (JSC::MacroAssemblerARM64::branchAdd32):
        (JSC::MacroAssemblerARM64::branchAddPtr):
        (JSC::MacroAssemblerARM64::branchSub32):
        (JSC::MacroAssemblerARM64::branchSubPtr):

2012-10-24  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12561633> ARM64 Macro Assembler doesn't use load and store imeediate instructions

        Reviewed by Gavin Barraclough.

        To the ARM64 assembler, added helpers to determine if we can use the unsigned scaled and
        signed unscaled offsets.

        To the ARM64 macro assembler, added templated load and store methods for general registers for
        both unsigned scaled and signed unscaled offsets to work with all data sizes supported by the
        architecture.  Added tryLoadWithOffset and tryStoreWithOffset that will generate the approriate
        load or store instruction and return true if one of the two offset types can be used.
        Otherwise we fall back to the current method that uses a temp register to calculate the memory address.

        * assembler/ARM64Assembler.h:
        (ARM64Assembler):
        (JSC::ARM64Assembler::canEncodePImmOffset):
        (JSC::ARM64Assembler::canEncodeSImmOffset):

        * assembler/MacroAssemblerARM64.h:
        Added call to try using an offset load instruction
        (JSC::MacroAssemblerARM64::loadPtr):
        (JSC::MacroAssemblerARM64::load32):
        (JSC::MacroAssemblerARM64::load16):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::loadDouble):

        Added call to try using an offset store instruction
        (JSC::MacroAssemblerARM64::storePtr):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::storeDouble):

        Added templated load and store methods for unsigned scaled and signed scaled offsets
        (JSC::MacroAssemblerARM64::loadUnsignedImmediate):
        (JSC::MacroAssemblerARM64::loadUnscaledImmediate):
        (JSC::MacroAssemblerARM64::storeUnsignedImmediate):
        (JSC::MacroAssemblerARM64::storeUnscaledImmediate):

        New try to load/store with an offset instruction methods
        (JSC::MacroAssemblerARM64::tryLoadWithOffset):
        (JSC::MacroAssemblerARM64::tryStoreWithOffset):

2012-10-24  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/12561632> ARM64 Assembler doesn't constrain negative immediates when generating instructions

        Reviewed by Gavin Barraclough.

        Masked all signed immediate valuesbefore shifting when creating instructions.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::addSubtractExtendedRegister):
        (JSC::ARM64Assembler::addSubtractImmediate):
        (JSC::ARM64Assembler::addSubtractShiftedRegister):
        (JSC::ARM64Assembler::conditionalCompareImmediate):
        (JSC::ARM64Assembler::floatingPointImmediate):
        (JSC::ARM64Assembler::loadRegisterLiteral):
        (JSC::ARM64Assembler::loadStoreRegisterPostIndex):
        (JSC::ARM64Assembler::loadStoreRegisterUnscaledImmediate):
        (JSC::ARM64Assembler::loadStoreRegisterUnsignedImmediate):
        (JSC::ARM64Assembler::logicalShiftedRegister):
        (JSC::ARM64Assembler::testAndBranchImmediate):

2012-10-19  Filip Pizlo  <fpizlo@apple.com>

        <rdar://problem/12511832> N51: Safari crashes in llint_slow_path_put_by_id while loading apple.com

        Reviewed by Michale Saboff.

        On ARMv7, we know that any offset that we can store into a ptrdiff_t is an offset that we
        can patch into a non-compact offset load or store, since ptrdiff_t is 32-bit and the
        non-compact offsets are 32-bit. But on ARM64, the non-compact offsets are 32-bit unsigned,
        and ptrdiff_t is 64-bit signed. Hence, we can end up manufacturing an offset that cannot be
        patched.
        
        The correct fix is to have the patching machinery defend itself against offsets it knows to
        be impossible.
        
        But the specific reason we were crashing here was because we had a small negative offset.
        This change makes even those small negative offsets take slow path. That's somewhat
        unfortunate. In the future, the right fix will be to have non-compact offsets be 32-bit
        signed rather than 32-bit unsigned. I'll leave that for a future patch.
        See <rdar://problem/12540077>.

        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::isPtrAlignedAddressOffset):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::isPtrAlignedAddressOffset):
        (MacroAssemblerARM64):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCachePutByID):

2012-10-19  Filip Pizlo  <fpizlo@apple.com>

        <rdar://problem/12538954> N51: MacroAssembler::push and ::pop are incompatible with the stack conventions of ARM64

        Reviewed by Michael Saboff.

        I've fixed this by forcing a distinction between push() used for setting up the stack
        (which is only used on x86 and will now CRASH() on ARM64) and push() used for doing a
        quick-and-dirty register spill. The latter is now called pushToSave()/popToRestore(),
        and does 16 byte alignment on-the-fly. This wastes stack space, but we probably don't
        care since it's on the slow paths anyway.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::loadStoreRegisterPreIndex):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::pushToSave):
        (JSC::MacroAssembler::popToRestore):
        * assembler/MacroAssemblerARM64.h:
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::popToRestore):
        (JSC::MacroAssemblerARM64::pushToSave):
        (JSC::MacroAssemblerARM64::pushToSAve):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitRestoreScratch):
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::emitPutReplaceStub):
        * dfg/DFGScratchRegisterAllocator.h:
        (JSC::DFG::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::DFG::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::emitPointerValidation):

2012-10-17  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/12511832> N51: Safari crashes in llint_slow_path_put_by_id while loading apple.com

        Reviewed by Sam Weinig.

        * llint/LowLevelInterpreter64.asm:
            - Fix mismerge.

2012-10-15  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/12476025> build-webkit --development tries to build WKSI and DRT for x86_64, but only builds WebKit for i386

        Reviewed by David Carson.

        * Configurations/DebugRelease.xcconfig: Use
        ARCHS_STANDARD_32_64_BIT.

2012-10-05  Filip Pizlo  <fpizlo@apple.com>

        <rdar://problem/12442679> Assertion failure on ToT puzzlebox in JSArray::unshiftCount

        Reviewed by Mark Hahnenberg.

        Either because of a merge glitch or because I'm not a smart person, I put the assertion
        that should have been in shiftCount (i.e. that count <= length) in unshiftCount instead.
        So, if you tried to use unshift() to, say, initialize an array, which is a correct albeit
        silly thing to do, then you'd assert every time.

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCount):
        (JSC::JSArray::unshiftCount):

2012-10-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/12391706> REGRESSION: Crash beneath IncrementalSweeper::doSweep() when running PLT3

        Reviewed by Phil Pizlo.

        From the Radar: We need a "WebSafeIncrementalSweeper" to match  "WebSafeGCActivityCallback" -- it ensures 
        that callbacks only happen on the web thread, which in turn ensures that the web thread lock has been acquired.

        In JSC, I just exported a few additional symbols and added an explicit out-of-line destructor for IncrementalSweeper
        to allay any linker errors when inheriting from IncrementalSweeper in WebCore.

        * heap/Heap.cpp:
        (JSC::Heap::setIncrementalSweeper):
        (JSC):
        * heap/Heap.h:
        (Heap):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::~IncrementalSweeper):
        (JSC):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):

2012-10-01  Matt Lilek  <mrl@apple.com>

        <rdar://problem/12268376> SWB: WTF/JSC/WebCore/WebKit build fixes to work with clang-424

        Merge OpenSource r123239, r123989, and r128234.

        Reviewed by Pratik Solanki.

        * parser/NodeConstructors.h:
        (JSC::ForInNode::ForInNode):
        * parser/Nodes.h:
        (ForInNode):
        * runtime/PropertyNameArray.h:
        (JSC::PropertyNameArray::PropertyNameArray):
        (PropertyNameArray):

2012-10-01  Filip Pizlo  <fpizlo@apple.com>

        Merge OpenSource WebKit r130102.

    2012-10-01  Filip Pizlo  <fpizlo@apple.com>
    
            Address a FIXME in JSArray::sort
            https://bugs.webkit.org/show_bug.cgi?id=98080
            <rdar://problem/12407844>
    
            Reviewed by Oliver Hunt.
    
            Get rid of fast sorting of sparse maps. I don't know that it's broken but I do know that we don't
            have coverage for it. Then also address the FIXME in JSArray::sort regarding side-effecting
            compare functions.
    
            * runtime/ArrayPrototype.cpp:
            (JSC::arrayProtoFuncSort):
            * runtime/JSArray.cpp:
            (JSC::JSArray::sortNumeric):
            (JSC::JSArray::sort):
            (JSC::JSArray::compactForSorting):
            * runtime/JSArray.h:
            (JSArray):
            * runtime/JSObject.h:
            (JSC::JSObject::hasSparseMap):
            (JSObject):
    
2012-09-29  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/12402196> YARR JIT should keep stack aligned on ARM64

        Reviewed by Filip Pizlo.

        This is a better fix for <rdar://problem/12316828>

        * assembler/MacroAssemblerARM64.h:
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::loadPtr):
        (JSC::MacroAssemblerARM64::loadPtrWithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32):
        (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load16):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::storePtr):
        (JSC::MacroAssemblerARM64::storePtrWithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store16):
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::loadFloat):
        (JSC::MacroAssemblerARM64::storeDouble):
        (JSC::MacroAssemblerARM64::storeFloat):
        (JSC::MacroAssemblerARM64::branchTest8):
            - Revert these changes, they were just working around the stack alignment issue.
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
        (JSC::Yarr::YarrGenerator::initCallFrame):
        (JSC::Yarr::YarrGenerator::removeCallFrame):
            - Add code to keep the stack aligned.

2012-09-29  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/12402175> DFG JIT on ARM64 accidentally disabled

        Reviewed by Filip Pizlo.

        * dfg/DFGGPRInfo.h:
        (GPRInfo):
            - Added nonArgGPRs for ARM64.

2012-09-28  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/12316828> Safari crashes in JSC::RegExpObject::match when going to www.apple.com on N51

        Reviewed by Oliver Hunt.

        Bizarre - something seems to have changed, causing base/index addresses with a base of sp to start failing.
        Will follow up with the architecture teams, for now, make sure we don't do that.

        * assembler/MacroAssemblerARM64.h:
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::load):
        (JSC::MacroAssemblerARM64::loadh):
        (JSC::MacroAssemblerARM64::loadb):
        (JSC::MacroAssemblerARM64::store):
        (JSC::MacroAssemblerARM64::storeh):
        (JSC::MacroAssemblerARM64::storeb):
            - Added wrappers to base/index memory accesses, where the base is sp turn into an add.
        (JSC::MacroAssemblerARM64::loadPtr):
        (JSC::MacroAssemblerARM64::loadPtrWithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32):
        (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load16):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::storePtr):
        (JSC::MacroAssemblerARM64::storePtrWithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store16):
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::loadFloat):
        (JSC::MacroAssemblerARM64::storeDouble):
        (JSC::MacroAssemblerARM64::storeFloat):
        (JSC::MacroAssemblerARM64::branchTest8):
            - Changed to use new wrappers.

2012-09-25  Filip Pizlo  <fpizlo@apple.com>

        Merge Open Source WebKit r129577.

    2012-09-25  Filip Pizlo  <fpizlo@apple.com>
    
            We shouldn't use the optimized versions of shift/unshift if the user is doing crazy things to the array
            https://bugs.webkit.org/show_bug.cgi?id=97603
            <rdar://problem/12370864>
    
            Reviewed by Gavin Barraclough.
    
            You changed the length behind our backs? No optimizations for you then!
    
            * runtime/ArrayPrototype.cpp:
            (JSC::shift):
            (JSC::unshift):
            * runtime/JSArray.cpp:
            (JSC::JSArray::shiftCount):
    
2012-09-19  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/12329156> REGRESSION (Merge1): 56 jscore test failures after merge

        Reviewed by Ian Henderson.

        Make sure shouldInterruptScriptBeforeTimeout is the last field in the struct since we have
        initialization code that relies on the order.

        * runtime/JSGlobalObject.h:
        (GlobalObjectMethodTable):

2012-09-18  Pratik Solanki  <psolanki@apple.com>

        Part of <rdar://problem/12317875> JavaScriptCore fails to compile for ARM64 after merge to r122402

        Reviewed by Filip Pizlo.

        r119857 in open source changed SYMBOL_STRING_RELOCATION to LOCAL_REFERENCE. Do the same for
        ARM64 code.

        * dfg/DFGOperations.cpp:
        (JSC):
        * jit/JITStubs.cpp:

2012-09-18  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/12317875> JavaScriptCore fails to compile for ARM64 after merge to r122402

        Patch by Gavin Barraclough.
        Reviewed by Filip Pizlo.

        Implement ARM64 routines for assembler functionality added in opensource.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::ARM64Assembler):
        (ARM64Assembler):
        (JSC::ARM64Assembler::labelIgnoringWatchpoints):
        (JSC::ARM64Assembler::labelForWatchpoint):
        (JSC::ARM64Assembler::label):
        (JSC::ARM64Assembler::replaceWithJump):
        (JSC::ARM64Assembler::maxJumpReplacementSize):
        (JSC::ARM64Assembler::replaceWithLoad):
        (JSC::ARM64Assembler::replaceWithAddressComputation):
        (JSC::ARM64Assembler::disassembleXOrZrOrSp):
        (JSC::ARM64Assembler::disassembleAddSubtractImmediate):
        (JSC::ARM64Assembler::loadStoreRegisterUnscaledImmediate):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::convertibleLoadPtr):
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::branchTest8):
        (JSC::MacroAssemblerARM64::replaceWithJump):
        (JSC::MacroAssemblerARM64::maxJumpReplacementSize):

2012-09-14  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/12304546> DFG JIT for ARM64

        Reviewed by Filip Pizlo.

        * dfg/DFGAssemblyHelpers.h:
        (AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::debugCall):
            - Calling conventions match a mix of ARMv7 & X86_64.
        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
            - Calling conventions match a mix of ARMv7 & X86_64.
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):
        (DFG):
        (FPRInfo):
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
            - Add ARM64 register assignments.
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::debugName):
        (GPRInfo):
        (DFG):
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
            - Add ARM64 register assignments.
        * dfg/DFGOperations.cpp:
            - Added asm function wrappers.
        * dfg/DFGOperations.h:
            - DFGHandler implementation should be related to JSVALUE64, not X86_64.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - compileIntegerArithDivForX86 only exists on X86[_64].

2012-09-14  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/12304570> Fix ARM64 assembler for DFG JIT

        Reviewed by Filip Pizlo.

        * assembler/ARM64Assembler.h:
            - Updated a comment to correctly document ABI.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::add32):
        (JSC::MacroAssemblerARM64::addPtr):
        (JSC::MacroAssemblerARM64::sub32):
            - Updated to match other memory ops, use memoryTempRegister for the memory
              operand rather than dataTempRegister.
        (JSC::MacroAssemblerARM64::supportsFloatingPoint):
        (JSC::MacroAssemblerARM64::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARM64::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARM64::supportsFloatingPointAbs):
            - Floating point supported is already complete, and appears to work!
        (JSC::MacroAssemblerARM64::branchAdd32):
        (JSC::MacroAssemblerARM64::branchNeg32):
            - Added - required fir DFG JIT.

2012-09-13  Filip Pizlo  <fpizlo@apple.com>

        <rdar://problem/12281506> LLInt for 64-bit ARM

        Reviewed by Gavin Barraclough.
        
        Adds an ARM64 backend to the offlineasm, and makes slight modifications to the LLInt
        so that it understands the nuances of ARM64 ABI.
        
        The backend is designed to share as much code as possible with ARMv7. Both backends
        use the same lowering microphases, which are designed for flexibility rather than
        speed (the LLInt is, afterall, fairly small, so offlineasm performance is currently
        a non-goal).
        
        Also made a couple slight changes elsehwere: getHostCallReturnValue, which is shared
        with the DFG, has been updated to support ARM64, and the bytecode generator now
        emits loop hints even with DFG disabled since it is actually shared between
        LLInt->JIT OSR and JIT->DFG OSR.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoopHint):
        * dfg/DFGOperations.cpp:
        (JSC):
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::handleHostCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb: Added.
        * offlineasm/armv7.rb:
        * offlineasm/backends.rb:
        * offlineasm/risc.rb:
        * offlineasm/risc_arm64.rb: Added.
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:

2012-09-11  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/12248207> 11A165: safari crashing in JIT code when loading www.apple.com on N51

        Reviewed by Oliver Hunt.

        The JIT trampolines shouldn't fall through from one block of global code to another, in case the
        linker reorders them.

        * jit/JITStubs.cpp:
            - Copy ctiOpThrowNotCaught into the tail of ctiTrampoline, to avoid thefallthrough.

2012-09-10  Filip Pizlo  <fpizlo@apple.com>

        Towards <rdar://problem/10293804>: Merged ToT WebKit r128100

    2012-09-10  Filip Pizlo  <fpizlo@apple.com>
    
            offlineasm has some impossible to implement, and unused, instructions
            https://bugs.webkit.org/show_bug.cgi?id=96310
    
            Reviewed by Mark Hahnenberg.
    
            * offlineasm/armv7.rb:
            * offlineasm/instructions.rb:
            * offlineasm/risc.rb:
            * offlineasm/x86.rb:
    
2012-09-05  Filip Pizlo  <fpizlo@apple.com>

        Towards <rdar://problem/10293804>: offlineasm RISC support should not be
        conflating 'p' (pointer) and 'i' (int32).

        Reviewed by Gavin Barraclough.
        
        Though this would have been safe on ARMv7, it's not safe on ARM64.

        * offlineasm/armv7.rb:
        * offlineasm/instructions.rb:
        * offlineasm/risc.rb:

2012-09-05  Filip Pizlo  <fpizlo@apple.com>

        Towards <rdar://problem/10293804>: refactor offlineasm to support a common
        infrastructure for RISC targets.

        Reviewed by Geoffrey Garen.
        
        This will allow roughly 1/2 of the ARM backend code to be shared between
        ARMv7 and ARM64.

        * offlineasm/armv7.rb:
        * offlineasm/instructions.rb:
        * offlineasm/risc.rb: Added.

2012-08-29  Simon Fraser  <simon.fraser@apple.com>

        Prerequisite for <rdar://problem/11507731> Support sticky layouts

        Merged ToT WebKit r123379.

    2012-07-23  Simon Fraser  <simon.fraser@apple.com>
    
            Part 2 of: Implement sticky positioning
            https://bugs.webkit.org/show_bug.cgi?id=90046
    
            Reviewed by Ojan Vafai.
    
            Turn on ENABLE_CSS_STICKY_POSITION.
    
            * Configurations/FeatureDefines.xcconfig:

2012-08-29  Simon Fraser  <simon.fraser@apple.com>

        Prerequisite for <rdar://problem/11507731> Support sticky layouts

        Merged ToT WebKit r123350.

    2012-07-23  Simon Fraser  <simon.fraser@apple.com>
    
            Part 1 of: Implement sticky positioning
            https://bugs.webkit.org/show_bug.cgi?id=90046
    
            Reviewed by Ojan Vafai.
    
            Add ENABLE_CSS_STICKY_POSITION, defaulting to off initially.
            
            Sort the ENABLE_CSS lines in the file. Make sure all the flags
            are in FEATURE_DEFINES.
    
            * Configurations/FeatureDefines.xcconfig:

2012-08-30  Matt Lilek  <mrl@apple.com>

        <rdar://problem/11960197> SWB: JavaScriptCore-1096 fails to build in Innsbruck with clang-422.2.3: -Wmismatched-tags

        Merge OpenSource r119429, r121986, r126475, r126476, r126481, r126511, and r126515.

        Not reviewed, build fixes.

        * heap/Handle.h:
        (Handle):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        * heap/MachineStackMarker.h:
        (MachineThreads):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::JITStubCall):
        (JITStubCall):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        * jit/ThunkGenerators.cpp:
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createAssignResolve):
        (JSC::ASTBuilder::createForLoop):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::makeAssignNode):
        (JSC::ASTBuilder::makePrefixNode):
        (JSC::ASTBuilder::makePostfixNode):
        * parser/NodeConstructors.h:
        (JSC::PostfixErrorNode::PostfixErrorNode):
        (JSC::PrefixErrorNode::PrefixErrorNode):
        (JSC::AssignResolveNode::AssignResolveNode):
        (JSC::AssignErrorNode::AssignErrorNode):
        (JSC::ForNode::ForNode):
        (JSC::ForInNode::ForInNode):
        * parser/Nodes.h:
        (FunctionCallResolveNode):
        (PostfixErrorNode):
        (PrefixErrorNode):
        (ReadModifyResolveNode):
        (AssignResolveNode):
        (AssignErrorNode):
        (ForNode):
        (ForInNode):
        * parser/Parser.cpp:
        (JSC::::parseVarDeclarationList):
        (JSC::::parseForStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createAssignResolve):
        (JSC::SyntaxChecker::createForLoop):

2012-08-29  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/10293804> TLF: Nitro for 64-bit ARM

        Reviewed by Filip Pizlo.

        Implement baseline JIT for arm64.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_mod):
            - Build fix - mark this function as NO_RETURN_DUE_TO_ASSERT.
        * jit/JITInlineMethods.h:
        (JSC::JIT::restoreArgumentReferenceForTrampoline):
            - Same implementation as armv7.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
            - Implement native call argument setup for arm64.
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
            - Implement asm JIT entry trampolines, stub wrapper.
        * jit/JITStubs.h:
        (JITStackFrame):
        (JSC::JITStackFrame::returnAddressSlot):
            - arm64 stack frame.
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):
            - Added baseline JIT's static register mapping for arm64.

2012-08-29  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/10293804> TLF: Nitro for 64-bit ARM

        Merge opensource r127066.

    2012-08-29  Gavin Barraclough  <barraclough@apple.com>

            PutById uses DataLabel32, not DataLabelCompact
            https://bugs.webkit.org/show_bug.cgi?id=95245

            Reviewed by Geoff Garen.

            JIT::resetPatchPutById calls the the wrong thing on x86-64 – this is moot right now,
            since they currently both do the same thing, but if we were to ever make compact mean
            8-bit this could be a real problem. Also, relying on the object still being in eax
            on entry to the transition stub isn't very robust - added nonArgGPR1 to at least make
            this explicit.

            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emitSlow_op_put_by_id):
                - copy regT0 to nonArgGPR1
            (JSC::JIT::privateCompilePutByIdTransition):
                - DataLabelCompact -> DataLabel32
            (JSC::JIT::resetPatchPutById):
                - reload regT0 from nonArgGPR1
            * jit/JSInterfaceJIT.h:
            (JSInterfaceJIT):
                - added nonArgGPR1

2012-08-28  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/10293804> TLF: Nitro for 64-bit ARM

        Reviewed by Filip Pizlo.

        MacroAssemblerARM64 fixes.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::addPtr):
            - imm should be treated as signed.
        (JSC::MacroAssemblerARM64::addDouble):
        (JSC::MacroAssemblerARM64::divDouble):
        (JSC::MacroAssemblerARM64::mulDouble):
        (JSC::MacroAssemblerARM64::and32):
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::orPtr):
        (JSC::MacroAssemblerARM64::xor32):
            - 2-op form (src,dest) is equivalent to 3-op (dest,src,dest), not (src,dest,dest)
              (these are equivalent for comutative operations, but divide was producing the
              reciprocal result).
        (JSC::MacroAssemblerARM64::xorPtr):
            - As above, and renamed from xor64 (oops!)
        (JSC::MacroAssemblerARM64::loadPtrWithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32WithCompactAddressOffsetPatch):
            - don't ignore address.offset.
        (JSC::MacroAssemblerARM64::branch32):
        (JSC::MacroAssemblerARM64::branchPtr):
        (JSC::MacroAssemblerARM64::branch8):
        (JSC::MacroAssemblerARM64::branchTest32):
        (JSC::MacroAssemblerARM64::branchTestPtr):
        (JSC::MacroAssemblerARM64::branchMul32):
            - for branches comparing to memory, use memoryTempRegister for the memory address
              AND operand value, use dataTempRegister only for immediate operands.
        (JSC::MacroAssemblerARM64::comparePtr):
            - This was accidentally the load.
        (JSC::MacroAssemblerARM64::compare8):
            - Added missing compare.
        (JSC::MacroAssemblerARM64::testPtr):
            - Added missing test.
        (JSC::MacroAssemblerARM64::breakpoint):
            - This now works (fastsim was catching the brks).
        (JSC::MacroAssemblerARM64::readCallTarget):
            - Added.

2012-08-28  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/10293804> TLF: Nitro for 64-bit ARM

        Reviewed by Filip Pizlo.

        Fix trivial bugs in encodeShiftAmount/encodePositiveImmediate/sxtw/uxtw/linkJumpOrCall,
        detailed descriptions below.

        Add some missing relink/repatch functionality.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::encodeShiftAmount):
        (JSC::ARM64Assembler::encodePositiveImmediate):
            - Return type should not be bool - results being saturated to 1-bit!
        (JSC::ARM64Assembler::sxtw):
        (JSC::ARM64Assembler::uxtw):
            - template argument to mnemonic should be 64, no DataSize_64.
        (JSC::ARM64Assembler::linkPointer):
        (JSC::ARM64Assembler::repatchPointer):
        (JSC::ARM64Assembler::repatchInt32):
        (JSC::ARM64Assembler::readPointer):
        (JSC::ARM64Assembler::readCallTarget):
        (JSC::ARM64Assembler::relinkJump):
        (JSC::ARM64Assembler::relinkCall):
        (JSC::ARM64Assembler::repatchCompact):
            - Added missing relink/repatch functionality.
        (JSC::ARM64Assembler::linkJumpOrCall):
            - linkJumpOrCall is ignoring 'link'; always producing a jump.
        (JSC::ARM64Assembler::checkMovk):
        (JSC::ARM64Assembler::disassembleLoadStoreRegisterUnsignedImmediate):
            - Internal helper functions, used by relink/repatch methods.

2012-08-22  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/12130658> JavaScriptCore should not use PLATFORM(IOS) for private headers that might be used externally

        Reviewed by Gavin Barraclough.

        * JavaScriptCore.xcodeproj/project.pbxproj: Add "Scrub Installed
        Headers" build phase script that only scrubs APIShims.h and
        JSBasePrivate.h, since neither of those were using any WTF
        macros prior to the fix for <rdar://problem/12129375> in
        puzzlebox svn r1146513.
        * scrub-ifdefs.pl: Added.  Copied from
        Source/WebKit/mac/scrub-ifdefs.pl.

2012-08-20  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/12138735> Innsbruck: JavaScript GC threads leak mach ports, which can cause kernel memory exhaustion when repeatedly allocating and deallocating virtual machines

        Merge iOS r1146731 from Sundance branch to trunk.

    2012-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/12126411> JavaScript GC threads leak mach ports, which can cause kernel memory exhaustion when repeatedly allocating and deallocating virtual machines

        Reviewed by Gavin Barraclough.

        Used the SPI from <rdar://problem/12118189> to also disable the block freeing thread
        and to instead eagerly free blocks upon deallocation.

        * debugger/Debugger.cpp:
        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::BlockAllocator):
        (JSC::BlockAllocator::~BlockAllocator):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):

2012-08-18  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/12129375> Innsbruck: Add SPI to disable allocation of GC timers (Heap timers leak CFRunLoops and CFRunLoopTimers, which can cause port exhaustion when repeatedly allocating and deallocating virtual machines)

        Merge iOS r1146509 from Sundance branch to trunk.

        * API/tests/testapi.c: Include config.h.

    2012-08-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/12118189> Heap timers leak CFRunLoops and CFRunLoopTimers, which can cause port exhaustion when repeatedly allocating and deallocating virtual machines

        Reviewed by Gavin Barraclough.

        Added SPI to allow AppleTV to disable allocation of GC timers, thereby reducing the number of 
        Mach port leaks.

        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        * API/JSBase.cpp:
        (JSDisableGCTimer):
        * API/JSBasePrivate.h:
        * heap/Heap.cpp:
        (JSC::Heap::didAbandon):
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate):
        * runtime/GCActivityCallback.h:
        (GCActivityCallback):
        (JSC::DefaultGCActivityCallback::create):
        * runtime/GCActivityCallbackCF.cpp:
        (JSC):
        * runtime/JSGlobalData.cpp:
        (JSC::enableAssembler):
        (JSC::JSGlobalData::~JSGlobalData):

2012-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge open source r121607

    2012-06-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove warning about protected values when the Heap is being destroyed
        https://bugs.webkit.org/show_bug.cgi?id=90302

        Reviewed by Geoffrey Garen.

        Having to do book-keeping about whether values allocated from a certain 
        VM are or are not protected makes the JSC API much more difficult to use 
        correctly. Clients should be able to throw an entire VM away and not have 
        to worry about unprotecting all of the values that they protected earlier.

        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):

2012-07-25  Filip Pizlo  <fpizlo@apple.com>

        <rdar://problem/11952210> REGRESSION (r114511): Some Google Docs spreadsheets cannot be scrolled and go blank when switching sheets

        Reviewed by Gavin Barraclough.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2012-07-12  Benjamin Poulain  <bpoulain@apple.com>

        <rdar://problem/11766228> Disable CSS3 Flexbox for Sundance

        * Configurations/FeatureDefines.xcconfig:

2012-07-11  Filip Pizlo  <fpizlo@apple.com>

        <rdar://problem/11854646> LLInt shouldn't rely on ordering of symbols

        Reviewed by Sam Weinig.
        
        The bug was caused by our "optimization" to have looping bytecodes drop
        down to jumping bytecodes. This optimization is wrong because the global
        LLInt labels may be moved around by the compiler (see Cameron's comment
        in the linked-to bug).
        
        With this change, the LLInt code no longer relies on the ordering of
        global labels. We still rely on ordering of local labels; but that's
        just a matter of basic compiler sanity - without it many other things
        would break.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:

2012-07-11  Benjamin Poulain  <bpoulain@apple.com>

        <rdar://problem/11850045> Simplify the copying of JSC ARMv7's LinkRecord (90930)
        Merge WebKit OpenSource r122347.

    2012-07-11  Benjamin Poulain  <bpoulain@apple.com>

        Simplify the copying of JSC ARMv7's LinkRecord
        https://bugs.webkit.org/show_bug.cgi?id=90930

        Reviewed by Filip Pizlo.

        The class LinkRecord is used by value everywhere in ARMv7Assembler. The compiler uses
        memmove() to move the objects.

        The problem is memmove() is overkill for this object, moving the value can be done with
        3 load-store. This patch adds an operator= to the class doing more efficient copying.
        This reduces the link time by 19%.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::LinkRecord::LinkRecord):
        (JSC::ARMv7Assembler::LinkRecord::operator=):
        (JSC::ARMv7Assembler::LinkRecord::from):
        (JSC::ARMv7Assembler::LinkRecord::setFrom):
        (JSC::ARMv7Assembler::LinkRecord::to):
        (JSC::ARMv7Assembler::LinkRecord::type):
        (JSC::ARMv7Assembler::LinkRecord::linkType):
        (JSC::ARMv7Assembler::LinkRecord::setLinkType):
        (JSC::ARMv7Assembler::LinkRecord::condition):

2012-07-10  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/11844717> javascript logging "scheduled GC timer for n seconds" while running scripter

        Reviewed by Oliver Hunt.

        * runtime/GCActivityCallbackCF.cpp:
        (JSC::scheduleTimer):
            - remove accidentally landed dataLog

2012-07-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/11231897> NFX: Entering Netflix while a match song is playing caused an AppleTV crash

        Merge r121381

    2012-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSLock should be per-JSGlobalData
        https://bugs.webkit.org/show_bug.cgi?id=89123

        Reviewed by Geoffrey Garen.

        * API/APIShims.h:
        (APIEntryShimWithoutLock):
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to 
        determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the 
        HeapTimer class because timerDidFire could run after somebody has started to tear down that particular 
        JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after 
        its destruction has begun. 
        (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
        (JSC::APIEntryShim::APIEntryShim):
        (APIEntryShim):
        (JSC::APIEntryShim::~APIEntryShim):
        (JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
        Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
        and before we've released it, which can only done in APIEntryShim.
        (JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
        * API/JSContextRef.cpp:
        (JSGlobalContextCreate):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRelease):
        (JSContextCreateBacktrace):
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateSlowCase):
        * heap/Heap.cpp:
        (JSC::Heap::protect):
        (JSC::Heap::unprotect):
        (JSC::Heap::collect):
        (JSC::Heap::setActivityCallback):
        (JSC::Heap::activityCallback):
        (JSC::Heap::sweeper):
        * heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they 
        are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
        and the IncrementalSweeper to make sure they're the last things that get initialized during construction to 
        prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
        (Heap):
        * heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
        (JSC::HeapTimer::~HeapTimer):
        (JSC::HeapTimer::invalidate):
        (JSC):
        (JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread 
        that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the 
        HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
        (JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zero-ed
        out, then we know the VM has started to shutdown and we should kill ourselves. Otherwise, grab the APIEntryShim,
        but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case 
        we were interrupted between releasing our mutex and trying to grab the APILock.
        * heap/HeapTimer.h:
        (HeapTimer):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles 
        all of that for us. 
        (JSC::IncrementalSweeper::create):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::reap):
        * jsc.cpp:
        (functionGC):
        (functionReleaseExecutableMemory):
        (jscmain):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/GCActivityCallback.h:
        (DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::create):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
        that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity 
        it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the 
        APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
        (JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
        (JSC::JSGlobalData::sharedInstanceInternal):
        * runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and 
        de-refing JSGlobalDatas on separate threads since we don't do it that often anyways.
        (JSGlobalData):
        (JSC::JSGlobalData::apiLock):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSLock.cpp:
        (JSC):
        (JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
        (JSC::GlobalJSLock::~GlobalJSLock):
        (JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that 
        it can successfully unlock it later without it disappearing from underneath it.
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::~JSLock):
        (JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for 
        actually waiting for long periods. 
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        (JSC):
        (GlobalJSLock):
        (JSLockHolder):
        (JSLock):
        (DropAllLocks):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::set):
        * testRegExp.cpp:
        (realMain):

2012-07-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Roll out r1135419

        Caused a variety of issues, including deadlocks and animation performance degradation.

2012-07-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        <rdar://problem/11231897> NFX: Entering Netflix while a match song is playing caused an AppleTV crash

        Merge r121381

    2012-06-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSLock should be per-JSGlobalData
        https://bugs.webkit.org/show_bug.cgi?id=89123

        Reviewed by Geoffrey Garen.

        * API/APIShims.h:
        (APIEntryShimWithoutLock):
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock): Added an extra parameter to the constructor to 
        determine whether we should ref the JSGlobalData or not. We want to ref all the time except for in the 
        HeapTimer class because timerDidFire could run after somebody has started to tear down that particular 
        JSGlobalData, so we wouldn't want to resurrect the ref count of that JSGlobalData from 0 back to 1 after 
        its destruction has begun. 
        (JSC::APIEntryShimWithoutLock::~APIEntryShimWithoutLock):
        (JSC::APIEntryShim::APIEntryShim):
        (APIEntryShim):
        (JSC::APIEntryShim::~APIEntryShim):
        (JSC::APIEntryShim::init): Factored out common initialization code for the various APIEntryShim constructors.
        Also moved the timeoutChecker stop and start here because we need to start after we've grabbed the API lock
        and before we've released it, which can only done in APIEntryShim.
        (JSC::APICallbackShim::~APICallbackShim): We no longer need to synchronize here.
        * API/JSContextRef.cpp:
        (JSGlobalContextCreate):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRelease):
        (JSContextCreateBacktrace):
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateSlowCase):
        * heap/Heap.cpp:
        (JSC::Heap::protect):
        (JSC::Heap::unprotect):
        (JSC::Heap::collect):
        (JSC::Heap::setActivityCallback):
        (JSC::Heap::activityCallback):
        (JSC::Heap::sweeper):
        * heap/Heap.h: Changed m_activityCallback and m_sweeper to be raw pointers rather than OwnPtrs because they 
        are now responsible for their own lifetime. Also changed the order of declaration of the GCActivityCallback
        and the IncrementalSweeper to make sure they're the last things that get initialized during construction to 
        prevent any issues with uninitialized memory in the JSGlobalData/Heap they might care about.
        (Heap):
        * heap/HeapTimer.cpp: Refactored to allow for thread-safe operation and shutdown.
        (JSC::HeapTimer::~HeapTimer):
        (JSC::HeapTimer::invalidate):
        (JSC):
        (JSC::HeapTimer::didStartVMShutdown): Called at the beginning of ~JSGlobalData. If we're on the same thread 
        that the HeapTimer is running on, we kill the HeapTimer ourselves. If not, then we set some state in the 
        HeapTimer and schedule it to fire immediately so that it can notice and kill itself.
        (JSC::HeapTimer::timerDidFire): We grab our mutex and check our JSGlobalData pointer. If it has been zero-ed
        out, then we know the VM has started to shutdown and we should kill ourselves. Otherwise, grab the APIEntryShim,
        but without ref-ing the JSGlobalData (we don't want to bring the JSGlobalData's ref-count from 0 to 1) in case 
        we were interrupted between releasing our mutex and trying to grab the APILock.
        * heap/HeapTimer.h:
        (HeapTimer):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::doWork): We no longer need the API shim here since HeapTimer::timerDidFire handles 
        all of that for us. 
        (JSC::IncrementalSweeper::create):
        * heap/IncrementalSweeper.h:
        (IncrementalSweeper):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::reap):
        * jsc.cpp:
        (functionGC):
        (functionReleaseExecutableMemory):
        (jscmain):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/GCActivityCallback.h:
        (DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::create):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData): Signals to the two HeapTimers (GCActivityCallback and IncrementalSweeper)
        that the VM has started shutting down. It then waits until the HeapTimer is done with whatever activity 
        it needs to do before continuing with any further destruction. Also asserts that we do not currently hold the 
        APILock because this could potentially cause deadlock when we try to signal to the HeapTimers using their mutexes.
        (JSC::JSGlobalData::sharedInstance): Protect the initialization for the shared instance with the GlobalJSLock.
        (JSC::JSGlobalData::sharedInstanceInternal):
        * runtime/JSGlobalData.h: Change to be ThreadSafeRefCounted so that we don't have to worry about refing and 
        de-refing JSGlobalDatas on separate threads since we don't do it that often anyways.
        (JSGlobalData):
        (JSC::JSGlobalData::apiLock):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::~JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSLock.cpp:
        (JSC):
        (JSC::GlobalJSLock::GlobalJSLock): For accessing the shared instance.
        (JSC::GlobalJSLock::~GlobalJSLock):
        (JSC::JSLockHolder::JSLockHolder): MutexLocker for JSLock. Also refs the JSGlobalData to keep it alive so that 
        it can successfully unlock it later without it disappearing from underneath it.
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::~JSLock):
        (JSC::JSLock::lock): Uses the spin lock for guarding the lock count and owner thread fields. Uses the mutex for 
        actually waiting for long periods. 
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::dropAllLocksUnconditionally):
        (JSC::JSLock::grabAllLocks):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        (JSC):
        (GlobalJSLock):
        (JSLockHolder):
        (JSLock):
        (DropAllLocks):
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::set):
        * testRegExp.cpp:
        (realMain):

2012-06-28  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/11699761> REGRESSION: Web thread hangs beneath XHR ready state change handler @ *.blogspot.com (JIT only)

        Merge r121466

    2012-06-28  Oliver Hunt  <oliver@apple.com>

        32bit DFG incorrectly claims an fpr is fillable even if it has not been proven double
        https://bugs.webkit.org/show_bug.cgi?id=90127

        Reviewed by Filip Pizlo.

        The 32-bit version of fillSpeculateDouble doesn't handle Number->fpr loads
        correctly.  This patch fixes this by killing the fill info in the GenerationInfo
        when the spillFormat doesn't guarantee the value is a double.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2012-06-27  Benjamin Poulain  <bpoulain@apple.com>

        Add back CSS Flexbox temporarily

        * ChangeLog:
        * Configurations/FeatureDefines.xcconfig:

2012-06-06  Mark Rowe  <mrowe@apple.com>

        Merge r118995.

    2012-05-30  Oliver Hunt  <oliver@apple.com>

        Really provide error information with the inspector disabled
        https://bugs.webkit.org/show_bug.cgi?id=87910

        Reviewed by Filip Pizlo.

        Don't bother checking for anything other than pre-existing error info.
        In the absence of complete line number information you'll only get the
        line a function starts on, but at least it's something.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):

2012-06-06  Mark Rowe  <mrowe@apple.com>

        Merge r118992.

    2012-05-30  Filip Pizlo  <fpizlo@apple.com>

        LLInt broken on x86-32 with JIT turned off
        https://bugs.webkit.org/show_bug.cgi?id=87906

        Reviewed by Geoffrey Garen.
        
        Fixed the code to not clobber registers that contain important things, like the call frame.

        * llint/LowLevelInterpreter32_64.asm:

2012-05-31  Tim Horton  <timothy_horton@apple.com>

        Add feature defines for web-facing parts of CSS Regions and Exclusions
        https://bugs.webkit.org/show_bug.cgi?id=87442
        <rdar://problem/10887709>

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118956

    2012-05-30  Oliver Hunt  <oliver@apple.com>

            DFG does not correctly handle exceptions caught in the LLInt
            https://bugs.webkit.org/show_bug.cgi?id=87885

            Reviewed by Filip Pizlo.

            Make the DFG use genericThrow, rather than reimplementing a small portion of it.
            Also make the LLInt slow paths validate that their PC is correct.

            * dfg/DFGOperations.cpp:
            * llint/LLIntSlowPaths.cpp:
            (LLInt):

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge 118810

    2012-05-29  Mark Hahnenberg  <mhahnenberg@apple.com>

            CopiedSpace::doneCopying could start another collection
            https://bugs.webkit.org/show_bug.cgi?id=86538

            Reviewed by Geoffrey Garen.

            It's possible that if we don't have anything at the head of to-space 
            after a collection and the BlockAllocator doesn't have any fresh blocks 
            to give us right now we could start another collection while still in 
            the middle of the first collection when we call CopiedSpace::addNewBlock(). 

            One way to resolve this would be to have Heap::shouldCollect() check that 
            m_operationInProgress is NoOperation. This would prevent the path in 
            getFreshBlock() that starts the collection if we're already in the middle of one.

            I could not come up with a test case to reproduce this crash on ToT.

            * heap/Heap.h:
            (JSC::Heap::shouldCollect): We shouldn't collect if we're already in the middle
            of a collection, i.e. the current operation should be NoOperation.

2012-05-30  Lucas Forschler  <lforschler@apple.com>

    Merge <rdar://problem/11519288>

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117523

    2012-05-17  Filip Pizlo  <fpizlo@apple.com>

            Setting array index -1 and looping over array causes bad behavior
            https://bugs.webkit.org/show_bug.cgi?id=86733
            <rdar://problem/11477670>

            Reviewed by Oliver Hunt.

            * dfg/DFGOperations.cpp:

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117193

    2012-05-15  Oliver Hunt  <oliver@apple.com>

            Make error information available even if all we have is line number information.
            https://bugs.webkit.org/show_bug.cgi?id=86547

            Reviewed by Filip Pizlo.

            We don't need expression information to generate useful line, file, and stack information,
            so only require that we have line number info available.

            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::throwException):
            * runtime/Executable.h:
            (JSC):

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117201

    2012-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

            Block freeing thread should not free blocks when we are actively requesting them
            https://bugs.webkit.org/show_bug.cgi?id=86519

            Reviewed by Geoff Garen.

            * heap/BlockAllocator.h:
            (JSC::BlockAllocator::allocate): Reordering the setting of the flag so its done 
            while we hold the lock to ensure proper locking.

2012-05-21  Lucas Forschler  <lforschler@apple.com>

    Merge 117183

    2012-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

            Block freeing thread should not free blocks when we are actively requesting them
            https://bugs.webkit.org/show_bug.cgi?id=86519

            Reviewed by Geoffrey Garen.

            The block freeing thread shoots us in the foot if it decides to run while we're actively 
            requesting blocks and returning them. This situation can arise when there is a lot of copying 
            collection going on in steady state. We allocate a large swath of pages to copy into, then we 
            return all the newly free old pages to the BlockAllocator. In this state, if the block freeing 
            thread wakes up in between collections (which is more likely than it waking up during a 
            collection) and frees half of these pages, they will be needed almost immediately during the 
            next collection, causing a storm of VM allocations which we know are going to be very slow.

            What we'd like is for when things have quieted down the block freeing thread can then return 
            memory to the OS. Usually this will be when a page has fully loaded and has a low allocation 
            rate. In this situation, our opportunistic collections will only be running at least every few 
            seconds, thus the extra time spent doing VM allocations won't matter nearly as much as, say, 
            while a page is loading.

            * heap/BlockAllocator.cpp:
            (JSC::BlockAllocator::BlockAllocator): Initialize our new field.
            (JSC::BlockAllocator::blockFreeingThreadMain): We check if we've seen any block requests recently.
            If so, reset our flag and go back to sleep. We also don't bother with locking here. If we miss out 
            on an update, we'll see it when we wake up again.
            * heap/BlockAllocator.h: Add new field to track whether or not we've received recent block requests.
            (BlockAllocator):
            (JSC::BlockAllocator::allocate): If we receive a request for a block, set our field that tracks 
            that to true. We don't bother locking since we assume that writing to a bool is atomic.

2012-06-10  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/11634375> Debug code in JSC::Heap::getConservativeRegisterRoots() doesn't match ToT WebKit

        Reviewed by David Carson.

        The JSC::Heap::getConservativeRegisterRoots() method was added
        in ToT WebKit r89885 and its assertion has never changed on ToT.
        The current iOS code was added in iOS WebKit r1047630 for
        Telluride because isValidThreadState() wasn't merged back to iOS
        WebKit at the time.

        This change reverts iOS WebKit r1047630.

        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots): Replace temporary
        debug code merged for Telluride with assertion from ToT WebKit.

2012-06-07  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/11621272> Math.pow is inaccurate on iOS

        Merged ToT WebKit r119775

    2012-06-07  Gavin Barraclough  <barraclough@apple.com>

            Math.pow on iOS does not support denormal numbers.
            https://bugs.webkit.org/show_bug.cgi?id=88592

            Reviewed by Filip Pizlo.

            Import an implementation from fdlibm, detect cases where it is safe to use the system
            implementation & where we should fall back to fdlibm.

            * runtime/MathObject.cpp:
            (JSC::isDenormal):
            (JSC::isEdgeCase):
            (JSC::mathPow):
                - On iOS, detect cases where denormal support may be required & use fdlibm in these cases.
            (JSC::mathProtoFuncPow):
                - Changed to use mathPow.
            (JSC::fdlibmScalbn):
            (JSC::fdlibmPow):
                - These functions imported from fdlibm; original style retained to ease future merging.

2012-06-06  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/11340413> Iteration order of properties of global object is not stable between global/eval code.

        Merged ToT WebKit r119623

    2012-06-06  Gavin Barraclough  <barraclough@apple.com>
    
            Assigning to a static property should not change iteration order
            https://bugs.webkit.org/show_bug.cgi?id=88401
    
            Reviewed by Geoff Garen.
    
            A specific iteration order is not defined by the spec, but test-262 somewhat tenuously
            requires that it is at least stable, e.g. ch10/10.4/10.4.2/S10.4.2_A1.1_T1.js
    
            Whilst it is not clear that this behavior really arises from the specification, it
            would seem like common sense to conform to this.
    
            The problem here is that we allow properties in the structure to shadow those in the
            static table, and we iterate the properties in the structure first - which means that
            as values of existing properties are modified, their iteration order changes too.
    
            The easy fix is to iterate the properties from the static table first. This has a
            further benefit, since it will mean that user added properties will come after those
            present in the static table (respected the expected insertion-order).
    
            * runtime/JSObject.cpp:
            (JSC::JSObject::getOwnPropertyNames):
                - Iterate static properties first.

2012-06-06  Michael Saboff  <msaboff@apple.com>

    <rdar://problem/11607363> Merge: JSGlobalData ScratchBuffers Are Not Visited During Garbage Collection

    Merge r117729, r117860 andr118239 from OpenSource WebKit.

        2012-05-20  Michael Saboff  <msaboff@apple.com>

        JSGlobalData ScratchBuffers Are Not Visited During Garbage Collection
        https://bugs.webkit.org/show_bug.cgi?id=86553

        Reviewed by Gavin Barraclough.

        Scratch buffers can contain the only reference to live objects.
        Therefore visit scratch buffer contents as conservative roots.
        Changed the scratch buffers to be a struct with an "active"
        length and the actual buffer.  The users of the scratch
        buffer emit code where needed to set and clear the active
        length as appropriate.  During marking, the active count is
        used for conservative marking.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::gatherConservativeRoots):
        * runtime/JSGlobalData.h:
        (JSC::ScratchBuffer::ScratchBuffer):
        (ScratchBuffer):
        (JSC::ScratchBuffer::allocationSize):
        (JSC::ScratchBuffer::setActiveLength):
        (JSC::ScratchBuffer::activeLength):
        (JSC::ScratchBuffer::activeLengthPtr):
        (JSC::ScratchBuffer::dataBuffer):
        (JSGlobalData):
        (JSC::JSGlobalData::scratchBufferForSize):

    2012-05-21  Michael Saboff  <msaboff@apple.com>

        Cleanup of Calls to operationStrCat and operationNewArray and Use Constructor after r117729
        https://bugs.webkit.org/show_bug.cgi?id=87027

        Reviewed by Oliver Hunt.

        Change calls to operationStrCat and operationNewArray to provide the
        pointer to the EncodedJSValue* data buffer instead of the ScratchBuffer
        that contains it.  Added a ScratchBuffer::create() function.
        This is a clean-up to r117729.

        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalData.h:
        (JSC::ScratchBuffer::create):
        (JSC::ScratchBuffer::dataBuffer):
        (JSC::JSGlobalData::scratchBufferForSize):

    2012-05-23  Filip Pizlo  <fpizlo@apple.com>

        Every OSR exit on ARM results in a crash
        https://bugs.webkit.org/show_bug.cgi?id=87307

        Reviewed by Geoffrey Garen.

        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):

2012-06-06  Mark Lam  <mark.lam@apple.com>

        <rdar://problem/11578367> ASSERTION FAILED: key->isIdentifier() under operationGetByIdOptimizeWithReturnAddress @ my.yahoo.com

        Merge http://trac.webkit.org/changeset/118257

    2012-05-23  Filip Pizlo  <fpizlo@apple.com>

            It should be possible to make C function calls from DFG code on ARM in debug mode
            https://bugs.webkit.org/show_bug.cgi?id=87313

            Reviewed by Gavin Barraclough.

            * dfg/DFGSpeculativeJIT.h:
            (SpeculativeJIT):

2012-06-05  Michael Saboff  <msaboff@apple.com>

    <rdar://problem/11600087> MERGE: Entry into JSC should CRASH() if the Heap is busy

    Merge r119518 from OpenSource WebKit.

        2012-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Entry into JSC should CRASH() if the Heap is busy
        https://bugs.webkit.org/show_bug.cgi?id=88355

        Reviewed by Geoffrey Garen.

        Interpreter::execute() returns jsNull() right now if we try to enter it while
        the Heap is busy (e.g. with a collection), which is okay, but some code paths
        that call Interpreter::execute() allocate objects before checking if the Heap
        is busy. Attempting to execute JS code while the Heap is busy should not be
        allowed and should be enforced by a release-mode CRASH() to prevent vague,
        unhelpful backtraces later on if somebody makes a mistake. Normally, recursively
        executing JS code is okay, e.g. for evals, but it should not occur during a
        Heap allocation or collection because the Heap is not guaranteed to be in a
        consistent state (especially during collections). We are protected from
        executing JS on the same Heap concurrently on two separate threads because
        they must each take a JSLock first. However, we are not protected from reentrant
        execution of JS on the same thread because JSLock allows reentrancy. Therefore,
        we should fail early if we detect an entrance into JS code while the Heap is busy.

        * heap/Heap.cpp: Changed Heap::collect so that it sets the m_operationInProgress field
        at the beginning of collection and then unsets it at the end so that it is set at all
        times throughout the duration of a collection rather than sporadically during various
        phases. There is no reason to unset during a collection because our collector does
        not currently support running additional JS between the phases of a collection.
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute): Crash if the Heap is busy.
        * runtime/Completion.cpp: Crash if the Heap is busy. We do it here before we call
        Interpreter::execute() because we do some allocation prior to calling execute() which
        could cause Heap corruption if, for example, that allocation caused a collection.
        (JSC::evaluate):

2012-06-03  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/11585758> Complete MacroAssemblerARM64

        Reviewed by Filip Pizlo.

        The new MacroAssembler is currently missing some support for features not required by the
        Yarr JIT. This patch implements all the features stubbed out in the initial implementation,
        specifically floating point, compare/test, memory accesses -WithMemoryOffsetPatch, and Call
        repatching.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linkPointer):
            - Now implemented in terms of repatchPointer.
        (JSC::ARM64Assembler::repatchPointer):
            - Added, called by ARM64Assembler::repatchCall.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadPtr):
        (JSC::MacroAssemblerARM64::load32):
        (JSC::MacroAssemblerARM64::load16):
        (JSC::MacroAssemblerARM64::load16Signed):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::load8Signed):
        (JSC::MacroAssemblerARM64::storePtr):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::store16):
        (JSC::MacroAssemblerARM64::store8):
            - Replace some nasty casting & move() with signExtend32ToPtr().
        (JSC::MacroAssemblerARM64::loadPtrWithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::loadPtrWithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32WithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::storePtrWithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
            - Implemented, using new signExtend32ToPtrWithFixedWidth method.
        (JSC::MacroAssemblerARM64::absDouble):
        (JSC::MacroAssemblerARM64::addDouble):
        (JSC::MacroAssemblerARM64::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM64::branchDouble):
        (JSC::MacroAssemblerARM64::branchDoubleNonZero):
        (JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM64::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerARM64::convertDoubleToFloat):
        (JSC::MacroAssemblerARM64::convertFloatToDouble):
        (JSC::MacroAssemblerARM64::convertInt32ToDouble):
        (JSC::MacroAssemblerARM64::divDouble):
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::loadFloat):
        (JSC::MacroAssemblerARM64::moveDouble):
        (JSC::MacroAssemblerARM64::moveDoubleToPtr):
        (JSC::MacroAssemblerARM64::movePtrToDouble):
        (JSC::MacroAssemblerARM64::mulDouble):
        (JSC::MacroAssemblerARM64::negateDouble):
        (JSC::MacroAssemblerARM64::sqrtDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        (JSC::MacroAssemblerARM64::storeFloat):
        (JSC::MacroAssemblerARM64::subDouble):
        (JSC::MacroAssemblerARM64::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM64::truncateDoubleToUint32):
            - Implemented floating point operations.
        (JSC::MacroAssemblerARM64::compare32):
        (JSC::MacroAssemblerARM64::comparePtr):
        (JSC::MacroAssemblerARM64::test32):
        (JSC::MacroAssemblerARM64::test8):
            - Implemented compare/test operations.
        (JSC::MacroAssemblerARM64::signExtend32ToPtrWithFixedWidth):
            - Used to implement WithAddressOffsetPatch memory accesses.
        (JSC::MacroAssemblerARM64::repatchCall):
            - Implemented using new repatchPointer methods.

2012-05-30  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/11569194> MERGE: CrashTracer: 270 crashes in WebProcess at com.apple.JavaScriptCore: llint_op_jfalse + 69

    Merged ToT WebKit r118956

    2012-05-30  Oliver Hunt  <oliver@apple.com>

        DFG does not correctly handle exceptions caught in the LLInt
        https://bugs.webkit.org/show_bug.cgi?id=87885

        Reviewed by Filip Pizlo.

        Make the DFG use genericThrow, rather than reimplementing a small portion of it.
        Also make the LLInt slow paths validate that their PC is correct.

        * dfg/DFGOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):

2012-05-30  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/11561506> ScriptDebugServer wants sourceIDs that are non-zero because that's what HashMaps want, so JSC should placate it (87887)

    Merged ToT WebKit r118960 and r118966

    2012-05-30  Filip Pizlo  <fpizlo@apple.com>

        ScriptDebugServer wants sourceIDs that are non-zero because that's what HashMaps want, so JSC should placate it
        https://bugs.webkit.org/show_bug.cgi?id=87887

        Reviewed by Darin Adler.
        
        Better fix - we now never call SourceProvider::asID() if SourceProvider* is 0.

        * parser/Nodes.h:
        (JSC::ScopeNode::sourceID):
        * parser/SourceCode.h:
        (JSC::SourceCode::providerID):
        (SourceCode):
        * parser/SourceProvider.h:
        (SourceProvider):
        (JSC::SourceProvider::asID):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::sourceID):

    2012-05-30  Filip Pizlo  <fpizlo@apple.com>

        ScriptDebugServer wants sourceIDs that are non-zero because that's what HashMaps want, so JSC should placate it
        https://bugs.webkit.org/show_bug.cgi?id=87887

        Reviewed by Geoffrey Garen.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::asID):

2012-05-30  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/11524413> MERGE: MailCompositionService CRASH()'d once in JavaScriptCore: JSC::Heap::markRoots

    Merged ToT WebKit r118810.

    2012-05-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        CopiedSpace::doneCopying could start another collection
        https://bugs.webkit.org/show_bug.cgi?id=86538

        Reviewed by Geoffrey Garen.

        It's possible that if we don't have anything at the head of to-space 
        after a collection and the BlockAllocator doesn't have any fresh blocks 
        to give us right now we could start another collection while still in 
        the middle of the first collection when we call CopiedSpace::addNewBlock(). 

        One way to resolve this would be to have Heap::shouldCollect() check that 
        m_operationInProgress is NoOperation. This would prevent the path in 
        getFreshBlock() that starts the collection if we're already in the middle of one.

        I could not come up with a test case to reproduce this crash on ToT.

        * heap/Heap.h:
        (JSC::Heap::shouldCollect): We shouldn't collect if we're already in the middle
        of a collection, i.e. the current operation should be NoOperation.

2012-05-30  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/11561724> iOS: LLInt broken on x86-32 with JIT turned off (87906)

        Merged ToT WebKit r118992.

    2012-05-30  Filip Pizlo  <fpizlo@apple.com>

        LLInt broken on x86-32 with JIT turned off
        https://bugs.webkit.org/show_bug.cgi?id=87906

        Reviewed by Geoffrey Garen.
        
        Fixed the code to not clobber registers that contain important things, like the call frame.

        * llint/LowLevelInterpreter32_64.asm:

2012-05-27  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/11543239> Complete ARM64Assembler

        Reviewed by Oliver Hunt & Filip Pizlo.

        Primarily this patch adds support for the ARMv8 floating point instruction set.
        In addition, there were a few integer instructions that were missing, and that
        we'll likely want: hlt (this is useful as a I'm-really-not-kidding breakpoint,
        since the userspace debugger takes a casual disinterest in brk instructions),
        ldr/ldrsw literal (PC relative), conditional compare & select instructions, and
        logical operations with immediate operands (which includes the movi alias).

        Also, there were a couple of bits of cleanup that were necessitated by this
        patch. The marshalling of parameters for load/store formatters was a bit of a
        mess (lots of meaningless magic numbers), I've added a MemOpSize enum & some
        helper macros & functions to clean this up, as a part of which the macro 'SF'
        has been renamed to the still terse but slightly more descriptive 'DATASIZE'.

        Finally, it made sense to rename the floating point registers to better match
        the naming used for the integer registers. In ARMv8 the integer registers are
        referred to as Wn or Xn for 32-bit or 64-bit respectively, or Rn to refer to a
        general purpose register without indicating a size. The floating point / SIMD
        registers are referred to as Bn, Hn, Sn, Dn, and Qn when indicating a size, or
        Vn more abstractly. We were using the naming scheme of labeling the general
        purpose registers as x0..x30 and the floating point registers as v0..v31,
        which mixes use of the largest concrete register size with the abstract name.
        I've sided with using the largest concrete register size (hence q0..q31)
        since the names rN, vN seem generic and ambiguous within the compiler as a
        whole, whereas xN, qN seem a little more distinctive and easily identifiable.

        * assembler/ARM64Assembler.h:
        (JSC::isUInt5):
        (JSC):
        (UInt5):
        (JSC::UInt5::UInt5):
        (JSC::UInt5::operator int):
            - Added, used by ccmn/ccmp.
        (LogicalImmediate):
        (JSC::LogicalImmediate::create32):
        (JSC::LogicalImmediate::create64):
        (JSC::LogicalImmediate::value):
        (JSC::LogicalImmediate::isValid):
        (JSC::LogicalImmediate::is64bit):
        (JSC::LogicalImmediate::LogicalImmediate):
        (JSC::LogicalImmediate::mask):
        (JSC::LogicalImmediate::partialHSB):
        (JSC::LogicalImmediate::highestSetBit):
        (JSC::LogicalImmediate::findBitRange):
        (JSC::LogicalImmediate::encodeLogicalImmediate):
            - Type used to identify values that can be encoded as logical immediates,
              and to encode them appropriately.
        (JSC::ARM64Assembler::invert):
            - Moved from MacroAssemblerARM64; used by some alias mnemonics.
        (ARM64Assembler):
        (JSC::ARM64Assembler::canEncodeFPImm):
        (JSC::ARM64Assembler::encodeFPImm):
            - Methods used to identify values that can be encoded as floating-point,
              immediates and to encode them appropriately.
        (JSC::ARM64Assembler::encodeShiftAmount):
        (JSC::ARM64Assembler::encodePositiveImmediate):
            - Methods to assist in formatting of load/store instructions.
        (JSC::ARM64Assembler::adc):
        (JSC::ARM64Assembler::add):
        (JSC::ARM64Assembler::and_):
        (JSC::ARM64Assembler::asrv):
        (JSC::ARM64Assembler::bfm):
        (JSC::ARM64Assembler::bic):
        (JSC::ARM64Assembler::cbnz):
        (JSC::ARM64Assembler::cbz):
        (JSC::ARM64Assembler::ccmn):
        (JSC::ARM64Assembler::ccmp):
        (JSC::ARM64Assembler::cinc):
        (JSC::ARM64Assembler::cinv):
        (JSC::ARM64Assembler::cls):
        (JSC::ARM64Assembler::clz):
        (JSC::ARM64Assembler::cneg):
        (JSC::ARM64Assembler::csel):
        (JSC::ARM64Assembler::cset):
        (JSC::ARM64Assembler::csetm):
        (JSC::ARM64Assembler::csinc):
        (JSC::ARM64Assembler::csinv):
        (JSC::ARM64Assembler::csneg):
        (JSC::ARM64Assembler::eon):
        (JSC::ARM64Assembler::eor):
        (JSC::ARM64Assembler::extr):
        (JSC::ARM64Assembler::hlt):
        (JSC::ARM64Assembler::ldr):
        (JSC::ARM64Assembler::ldr_literal):
        (JSC::ARM64Assembler::ldrb):
        (JSC::ARM64Assembler::ldrh):
        (JSC::ARM64Assembler::ldrsb):
        (JSC::ARM64Assembler::ldrsh):
        (JSC::ARM64Assembler::ldrsw):
        (JSC::ARM64Assembler::ldrsw_literal):
        (JSC::ARM64Assembler::ldur):
        (JSC::ARM64Assembler::ldurb):
        (JSC::ARM64Assembler::ldurh):
        (JSC::ARM64Assembler::ldursb):
        (JSC::ARM64Assembler::ldursh):
        (JSC::ARM64Assembler::ldursw):
        (JSC::ARM64Assembler::lslv):
        (JSC::ARM64Assembler::lsrv):
        (JSC::ARM64Assembler::madd):
        (JSC::ARM64Assembler::movi):
        (JSC::ARM64Assembler::movk):
        (JSC::ARM64Assembler::movn):
        (JSC::ARM64Assembler::movz):
        (JSC::ARM64Assembler::msub):
        (JSC::ARM64Assembler::orn):
        (JSC::ARM64Assembler::orr):
        (JSC::ARM64Assembler::rbit):
        (JSC::ARM64Assembler::rev16):
        (JSC::ARM64Assembler::rorv):
        (JSC::ARM64Assembler::sbc):
        (JSC::ARM64Assembler::sbfm):
        (JSC::ARM64Assembler::sdiv):
        (JSC::ARM64Assembler::str):
        (JSC::ARM64Assembler::strb):
        (JSC::ARM64Assembler::strh):
        (JSC::ARM64Assembler::stur):
        (JSC::ARM64Assembler::sturb):
        (JSC::ARM64Assembler::sturh):
        (JSC::ARM64Assembler::sub):
        (JSC::ARM64Assembler::tst):
        (JSC::ARM64Assembler::ubfm):
        (JSC::ARM64Assembler::udiv):
        (JSC::ARM64Assembler::fabs):
        (JSC::ARM64Assembler::fadd):
        (JSC::ARM64Assembler::fccmp):
        (JSC::ARM64Assembler::fccmpe):
        (JSC::ARM64Assembler::fcmp):
        (JSC::ARM64Assembler::fcmp_0):
        (JSC::ARM64Assembler::fcmpe):
        (JSC::ARM64Assembler::fcmpe_0):
        (JSC::ARM64Assembler::fcsel):
        (JSC::ARM64Assembler::fcvt):
        (JSC::ARM64Assembler::fcvtas):
        (JSC::ARM64Assembler::fcvtau):
        (JSC::ARM64Assembler::fcvtms):
        (JSC::ARM64Assembler::fcvtmu):
        (JSC::ARM64Assembler::fcvtns):
        (JSC::ARM64Assembler::fcvtnu):
        (JSC::ARM64Assembler::fcvtps):
        (JSC::ARM64Assembler::fcvtpu):
        (JSC::ARM64Assembler::fcvtzs):
        (JSC::ARM64Assembler::fcvtzu):
        (JSC::ARM64Assembler::fdiv):
        (JSC::ARM64Assembler::fmadd):
        (JSC::ARM64Assembler::fmax):
        (JSC::ARM64Assembler::fmaxnm):
        (JSC::ARM64Assembler::fmin):
        (JSC::ARM64Assembler::fminnm):
        (JSC::ARM64Assembler::fmov):
        (JSC::ARM64Assembler::fmov_top):
        (JSC::ARM64Assembler::fmsub):
        (JSC::ARM64Assembler::fmul):
        (JSC::ARM64Assembler::fneg):
        (JSC::ARM64Assembler::fnmadd):
        (JSC::ARM64Assembler::fnmsub):
        (JSC::ARM64Assembler::fnmul):
        (JSC::ARM64Assembler::frinta):
        (JSC::ARM64Assembler::frinti):
        (JSC::ARM64Assembler::frintm):
        (JSC::ARM64Assembler::frintn):
        (JSC::ARM64Assembler::frintp):
        (JSC::ARM64Assembler::frintx):
        (JSC::ARM64Assembler::frintz):
        (JSC::ARM64Assembler::fsqrt):
        (JSC::ARM64Assembler::fsub):
        (JSC::ARM64Assembler::scvtf):
        (JSC::ARM64Assembler::ucvtf):
        (JSC::ARM64Assembler::label):
        (JSC::ARM64Assembler::align):
        (JSC::ARM64Assembler::getRelocatedAddress):
        (JSC::ARM64Assembler::getDifferenceBetweenLabels):
        (JSC::ARM64Assembler::executableOffsetFor):
        (JSC::ARM64Assembler::executableCopy):
        (JSC::ARM64Assembler::codeSize):
        (JSC::ARM64Assembler::getCallReturnOffset):
        (JSC::ARM64Assembler::linkJump):
        (JSC::ARM64Assembler::xOrZrAsFPR):
        (JSC::ARM64Assembler::xOrZrOrSp):
        (JSC::ARM64Assembler::addSubtractExtendedRegister):
        (JSC::ARM64Assembler::addSubtractImmediate):
        (JSC::ARM64Assembler::conditionalCompareImmediate):
        (JSC::ARM64Assembler::conditionalCompareRegister):
        (JSC::ARM64Assembler::conditionalSelect):
        (JSC::ARM64Assembler::floatingPointCompare):
        (JSC::ARM64Assembler::floatingPointConditionalCompare):
        (JSC::ARM64Assembler::floatingPointConditionalSelect):
        (JSC::ARM64Assembler::floatingPointImmediate):
        (JSC::ARM64Assembler::floatingPointIntegerConversions):
        (JSC::ARM64Assembler::floatingPointDataProcessing1Source):
        (JSC::ARM64Assembler::floatingPointDataProcessing2Source):
        (JSC::ARM64Assembler::floatingPointDataProcessing3Source):
        (JSC::ARM64Assembler::loadRegisterLiteral):
        (JSC::ARM64Assembler::loadStoreRegisterPostIndex):
        (JSC::ARM64Assembler::loadStoreRegisterPreIndex):
        (JSC::ARM64Assembler::loadStoreRegisterRegisterOffset):
        (JSC::ARM64Assembler::loadStoreRegisterUnscaledImmediate):
        (JSC::ARM64Assembler::loadStoreRegisterUnsignedImmediate):
        (JSC::ARM64Assembler::logicalImmediate):
        * assembler/MacroAssemblerARM64.h:
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::call):
        (JSC::MacroAssemblerARM64::tailRecursiveCall):
            - Fixed typo, REPTACH -> REPATCH.
        (JSC::MacroAssemblerARM64::breakpoint):
            - Switched from an infinite loop to a hlt instruction.
              (We now have a userspce debugger that will catch this, but not a brk!)
        (JSC::MacroAssemblerARM64::invert):
            - Moved to ARM64Assembler.
        (JSC::MacroAssemblerARM64::makeBranch):
        (JSC::MacroAssemblerARM64::linkCall):
            - Fixed typo, REPTACH -> REPATCH.

2012-05-26  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/11541338> FeatureDefines.xcconfig should match across projects

        Reviewed by David Carson.

        * Configurations/FeatureDefines.xcconfig:
        - Remove ENABLE_CSS_SHADERS setting (matches ToT).
        - Add ENABLE_LEGACY_CSS_VENDOR_PREFIXES setting.

2012-05-25  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/11536267> YARR JIT for arm64

        Reviewed by Filip Pizlo.

        Enable support for the YARR regular expression JIT on arm64. This patch
        introduces the arm64 assembler & MacroAssembler classes, along with a
        couple of small tweaks to existing files to make sure these are included
        & provide an assignment of registers for the JIT to use.

        The assembler & MacroAssembler are largely complete, with the following
        work still to be undertaken:
            - Floating point support has not yet been implemented.
            - Test/Comare operations are not yet supported.
            - Branch compaction has not yet been implemented for arm64.
            - Constant blinding is currently disabled.
            - Address calculations for loads/stores is overly simplistic, only using indexed addressing forms.
            - Immediate forms of arithmetic operations are not being generated.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added ARM64Assembler.h, MacroAssemblerARM64.h.
        * assembler/ARM64Assembler.h: Added.
        (JSC):
        (JSC::isInt9):
        (JSC::isUInt12):
            - helper functions to test sizes of integers.
        (UInt12):
        (JSC::UInt12::UInt12):
        (JSC::UInt12::operator int):
            - Type to make it explicit where an immediate must be 12-bit.
        (PostIndex):
        (JSC::PostIndex::PostIndex):
        (JSC::PostIndex::operator int):
        (PreIndex):
        (JSC::PreIndex::PreIndex):
        (JSC::PreIndex::operator int):
            - Types to convey pre/post indexing (normally denoted in arm asm syntax through punctuation!)
        (JSC::getHalfword):
            - Used to extract 16-bit chunks from larger immediates.
        (JSC::ARM64Registers::isSp):
        (JSC::ARM64Registers::isZr):
        (ARM64Assembler):
        (JSC::ARM64Assembler::isSp):
        (JSC::ARM64Assembler::isZr):
            - Helper functions.
        (JSC::ARM64Assembler::adc):
        (JSC::ARM64Assembler::add):
        (JSC::ARM64Assembler::adr):
        (JSC::ARM64Assembler::adrp):
        (JSC::ARM64Assembler::and_):
            - ('and' is a reserved word, so using 'and_' instead)
        (JSC::ARM64Assembler::asr):
        (JSC::ARM64Assembler::asrv):
        (JSC::ARM64Assembler::b):
        (JSC::ARM64Assembler::b_cond):
            - ('b.cond' is not a valid identifier, so using 'b_cond' instead)
        (JSC::ARM64Assembler::bfi):
        (JSC::ARM64Assembler::bfm):
        (JSC::ARM64Assembler::bfxil):
        (JSC::ARM64Assembler::bic):
        (JSC::ARM64Assembler::bl):
        (JSC::ARM64Assembler::blr):
        (JSC::ARM64Assembler::br):
        (JSC::ARM64Assembler::brk):
        (JSC::ARM64Assembler::cbnz):
        (JSC::ARM64Assembler::cbz):
        (JSC::ARM64Assembler::cls):
        (JSC::ARM64Assembler::clz):
        (JSC::ARM64Assembler::cmn):
        (JSC::ARM64Assembler::cmp):
        (JSC::ARM64Assembler::eon):
        (JSC::ARM64Assembler::eor):
        (JSC::ARM64Assembler::extr):
        (JSC::ARM64Assembler::hint):
        (JSC::ARM64Assembler::ldr):
        (JSC::ARM64Assembler::ldrb):
        (JSC::ARM64Assembler::ldrh):
        (JSC::ARM64Assembler::ldrsb):
        (JSC::ARM64Assembler::ldrsh):
        (JSC::ARM64Assembler::ldrsw):
        (JSC::ARM64Assembler::ldur):
        (JSC::ARM64Assembler::ldurb):
        (JSC::ARM64Assembler::ldurh):
        (JSC::ARM64Assembler::ldursb):
        (JSC::ARM64Assembler::ldursh):
        (JSC::ARM64Assembler::ldursw):
        (JSC::ARM64Assembler::lsl):
        (JSC::ARM64Assembler::lslv):
        (JSC::ARM64Assembler::lsr):
        (JSC::ARM64Assembler::lsrv):
        (JSC::ARM64Assembler::madd):
        (JSC::ARM64Assembler::mneg):
        (JSC::ARM64Assembler::mov):
        (JSC::ARM64Assembler::movk):
        (JSC::ARM64Assembler::movn):
        (JSC::ARM64Assembler::movz):
        (JSC::ARM64Assembler::msub):
        (JSC::ARM64Assembler::mul):
        (JSC::ARM64Assembler::mvn):
        (JSC::ARM64Assembler::neg):
        (JSC::ARM64Assembler::ngc):
        (JSC::ARM64Assembler::nop):
        (JSC::ARM64Assembler::orn):
        (JSC::ARM64Assembler::orr):
        (JSC::ARM64Assembler::rbit):
        (JSC::ARM64Assembler::ret):
        (JSC::ARM64Assembler::rev):
        (JSC::ARM64Assembler::rev16):
        (JSC::ARM64Assembler::rev32):
        (JSC::ARM64Assembler::ror):
        (JSC::ARM64Assembler::rorv):
        (JSC::ARM64Assembler::sbc):
        (JSC::ARM64Assembler::sbfiz):
        (JSC::ARM64Assembler::sbfm):
        (JSC::ARM64Assembler::sbfx):
        (JSC::ARM64Assembler::sdiv):
        (JSC::ARM64Assembler::smaddl):
        (JSC::ARM64Assembler::smnegl):
        (JSC::ARM64Assembler::smsubl):
        (JSC::ARM64Assembler::smulh):
        (JSC::ARM64Assembler::smull):
        (JSC::ARM64Assembler::str):
        (JSC::ARM64Assembler::strb):
        (JSC::ARM64Assembler::strh):
        (JSC::ARM64Assembler::stur):
        (JSC::ARM64Assembler::sturb):
        (JSC::ARM64Assembler::sturh):
        (JSC::ARM64Assembler::sub):
        (JSC::ARM64Assembler::sxtb):
        (JSC::ARM64Assembler::sxth):
        (JSC::ARM64Assembler::sxtw):
        (JSC::ARM64Assembler::tbz):
        (JSC::ARM64Assembler::tbnz):
        (JSC::ARM64Assembler::tst):
        (JSC::ARM64Assembler::ubfiz):
        (JSC::ARM64Assembler::ubfm):
        (JSC::ARM64Assembler::ubfx):
        (JSC::ARM64Assembler::udiv):
        (JSC::ARM64Assembler::umaddl):
        (JSC::ARM64Assembler::umnegl):
        (JSC::ARM64Assembler::umsubl):
        (JSC::ARM64Assembler::umulh):
        (JSC::ARM64Assembler::umull):
        (JSC::ARM64Assembler::uxtb):
        (JSC::ARM64Assembler::uxth):
        (JSC::ARM64Assembler::uxtw):
            - Instruction formatters. The function names & arguments match arm64 mnemonics,
              see https://mobsi-svn.ecs.apple.com/svn/mobsi/docs/ARM_V8/ISA/index.xml
        (JSC::ARM64Assembler::label):
        (JSC::ARM64Assembler::align):
        (JSC::ARM64Assembler::getRelocatedAddress):
        (JSC::ARM64Assembler::getDifferenceBetweenLabels):
        (JSC::ARM64Assembler::executableOffsetFor):
        (JSC::ARM64Assembler::executableCopy):
        (JSC::ARM64Assembler::codeSize):
        (JSC::ARM64Assembler::getCallReturnOffset):
            - Misc admin functions.
        (JSC::ARM64Assembler::linkJump):
        (JSC::ARM64Assembler::linkCall):
        (JSC::ARM64Assembler::linkPointer):
        (JSC::ARM64Assembler::cacheFlush):
            - Public linking interface.
        (JSC::ARM64Assembler::linkJumpOrCall):
        (JSC::ARM64Assembler::addressOf):
        (JSC::ARM64Assembler::disassembleXOrSp):
        (JSC::ARM64Assembler::disassembleXOrZr):
        (JSC::ARM64Assembler::disassembleMoveWideImediate):
        (JSC::ARM64Assembler::disassembleUnconditionalBranchImmediate):
            - Internal helpers for linking & patching code.
        (JSC::ARM64Assembler::xOrSp):
        (JSC::ARM64Assembler::xOrZr):
            - Used to convert sp & zr enum values to integer representation, 31.
        (JSC::ARM64Assembler::insn):
            - used to add a formatted instruction to the AssemblerBuffer.
        (JSC::ARM64Assembler::addSubtractExtendedRegister):
        (JSC::ARM64Assembler::addSubtractImmediate):
        (JSC::ARM64Assembler::addSubtractShiftedRegister):
        (JSC::ARM64Assembler::addSubtractWithCarry):
        (JSC::ARM64Assembler::bitfield):
        (JSC::ARM64Assembler::compareAndBranchImmediate):
        (JSC::ARM64Assembler::conditionalBranchImmediate):
        (JSC::ARM64Assembler::dataProcessing1Source):
        (JSC::ARM64Assembler::dataProcessing2Source):
        (JSC::ARM64Assembler::dataProcessing3Source):
        (JSC::ARM64Assembler::excepnGeneration):
        (JSC::ARM64Assembler::extract):
        (JSC::ARM64Assembler::loadStoreRegisterPostIndex):
        (JSC::ARM64Assembler::loadStoreRegisterPreIndex):
        (JSC::ARM64Assembler::loadStoreRegisterRegisterOffset):
        (JSC::ARM64Assembler::loadStoreRegisterUnscaledImmediate):
        (JSC::ARM64Assembler::loadStoreRegisterUnsignedImmediate):
        (JSC::ARM64Assembler::logicalShiftedRegister):
        (JSC::ARM64Assembler::moveWideImediate):
        (JSC::ARM64Assembler::unconditionalBranchImmediate):
        (JSC::ARM64Assembler::pcRelative):
        (JSC::ARM64Assembler::system):
        (JSC::ARM64Assembler::testAndBranchImmediate):
        (JSC::ARM64Assembler::unconditionalBranchRegister):
            - Internal formatters, the function names & arguments match the arm64 encoding tables,
              see https://mobsi-svn.ecs.apple.com/svn/mobsi/docs/ARM_V8/ISA/encodingindex.xml
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        * assembler/MacroAssemblerARM64.h: Added.
        (JSC):
        (MacroAssemblerARM64):
        (JSC::MacroAssemblerARM64::add32):
        (JSC::MacroAssemblerARM64::addPtr):
        (JSC::MacroAssemblerARM64::add64):
        (JSC::MacroAssemblerARM64::and32):
        (JSC::MacroAssemblerARM64::andPtr):
        (JSC::MacroAssemblerARM64::countLeadingZeros32):
        (JSC::MacroAssemblerARM64::lshift32):
        (JSC::MacroAssemblerARM64::mul32):
        (JSC::MacroAssemblerARM64::neg32):
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::orPtr):
        (JSC::MacroAssemblerARM64::rotateRightPtr):
        (JSC::MacroAssemblerARM64::rshift32):
        (JSC::MacroAssemblerARM64::sub32):
        (JSC::MacroAssemblerARM64::subPtr):
        (JSC::MacroAssemblerARM64::urshift32):
        (JSC::MacroAssemblerARM64::xor32):
        (JSC::MacroAssemblerARM64::xor64):
        (JSC::MacroAssemblerARM64::loadPtr):
        (JSC::MacroAssemblerARM64::loadPtrWithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::loadPtrWithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32):
        (JSC::MacroAssemblerARM64::load32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32WithCompactAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::load32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM64::load16):
        (JSC::MacroAssemblerARM64::load16Unaligned):
        (JSC::MacroAssemblerARM64::load16Signed):
        (JSC::MacroAssemblerARM64::load8):
        (JSC::MacroAssemblerARM64::load8Signed):
        (JSC::MacroAssemblerARM64::storePtr):
        (JSC::MacroAssemblerARM64::storePtrWithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store32):
        (JSC::MacroAssemblerARM64::store32WithAddressOffsetPatch):
        (JSC::MacroAssemblerARM64::store16):
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::supportsFloatingPoint):
        (JSC::MacroAssemblerARM64::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARM64::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARM64::supportsFloatingPointAbs):
        (JSC::MacroAssemblerARM64::absDouble):
        (JSC::MacroAssemblerARM64::addDouble):
        (JSC::MacroAssemblerARM64::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARM64::branchDouble):
        (JSC::MacroAssemblerARM64::branchDoubleNonZero):
        (JSC::MacroAssemblerARM64::branchDoubleZeroOrNaN):
        (JSC::MacroAssemblerARM64::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerARM64::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerARM64::convertDoubleToFloat):
        (JSC::MacroAssemblerARM64::convertFloatToDouble):
        (JSC::MacroAssemblerARM64::convertInt32ToDouble):
        (JSC::MacroAssemblerARM64::divDouble):
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::loadFloat):
        (JSC::MacroAssemblerARM64::moveDouble):
        (JSC::MacroAssemblerARM64::moveDoubleToPtr):
        (JSC::MacroAssemblerARM64::movePtrToDouble):
        (JSC::MacroAssemblerARM64::mulDouble):
        (JSC::MacroAssemblerARM64::negateDouble):
        (JSC::MacroAssemblerARM64::sqrtDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        (JSC::MacroAssemblerARM64::storeFloat):
        (JSC::MacroAssemblerARM64::subDouble):
        (JSC::MacroAssemblerARM64::truncateDoubleToInt32):
        (JSC::MacroAssemblerARM64::truncateDoubleToUint32):
        (JSC::MacroAssemblerARM64::pop):
        (JSC::MacroAssemblerARM64::push):
        (JSC::MacroAssemblerARM64::move):
        (JSC::MacroAssemblerARM64::swap):
        (JSC::MacroAssemblerARM64::signExtend32ToPtr):
        (JSC::MacroAssemblerARM64::zeroExtend32ToPtr):
        (JSC::MacroAssemblerARM64::branch32):
        (JSC::MacroAssemblerARM64::branchPtr):
        (JSC::MacroAssemblerARM64::branch8):
        (JSC::MacroAssemblerARM64::branchTest32):
        (JSC::MacroAssemblerARM64::branchTestPtr):
        (JSC::MacroAssemblerARM64::branchTest8):
        (JSC::MacroAssemblerARM64::branch32WithUnalignedHalfWords):
        (JSC::MacroAssemblerARM64::branchAdd32):
        (JSC::MacroAssemblerARM64::branchAddPtr):
        (JSC::MacroAssemblerARM64::branchMul32):
        (JSC::MacroAssemblerARM64::branchSub32):
        (JSC::MacroAssemblerARM64::branchSubPtr):
        (JSC::MacroAssemblerARM64::call):
        (JSC::MacroAssemblerARM64::jump):
        (JSC::MacroAssemblerARM64::makeTailRecursiveCall):
        (JSC::MacroAssemblerARM64::nearCall):
        (JSC::MacroAssemblerARM64::ret):
        (JSC::MacroAssemblerARM64::tailRecursiveCall):
        (JSC::MacroAssemblerARM64::compare32):
        (JSC::MacroAssemblerARM64::comparePtr):
        (JSC::MacroAssemblerARM64::test32):
        (JSC::MacroAssemblerARM64::test8):
        (JSC::MacroAssemblerARM64::moveWithPatch):
        (JSC::MacroAssemblerARM64::branchPtrWithPatch):
        (JSC::MacroAssemblerARM64::storePtrWithPatch):
        (JSC::MacroAssemblerARM64::breakpoint):
        (JSC::MacroAssemblerARM64::nop):
        (JSC::MacroAssemblerARM64::invert):
        (JSC::MacroAssemblerARM64::makeBranch):
        (JSC::MacroAssemblerARM64::ARM64Condition):
        (JSC::MacroAssemblerARM64::moveWithFixedWidth):
        (JSC::MacroAssemblerARM64::linkCall):
        (JSC::MacroAssemblerARM64::repatchCall):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
            - Fix #ifdef typo, to enable ASSEMBLER but !JIT builds.
        * yarr/YarrJIT.cpp:
        (YarrGenerator):
            - Add ARM64 register assignment.
        * yarr/YarrJIT.h:
        (YarrCodeBlock):
            - As for X86-64, return match start/end in two registers.

2012-05-24  Gavin Barraclough  <barraclough@apple.com>

        Merged Open Source WebKit r118413.

    2012-05-24  Gavin Barraclough  <barraclough@apple.com>

            Move cacheFlush from ExecutableAllocator to Assembler classes
            https://bugs.webkit.org/show_bug.cgi?id=87420

            Reviewed by Oliver Hunt.

            Makes more sense there, & remove a pile of #ifdefs.

            * assembler/ARMAssembler.cpp:
            (JSC):
            (JSC::ARMAssembler::cacheFlush):
            * assembler/ARMAssembler.h:
            (ARMAssembler):
            (JSC::ARMAssembler::cacheFlush):
            * assembler/ARMv7Assembler.h:
            (JSC::ARMv7Assembler::relinkJump):
            (JSC::ARMv7Assembler::cacheFlush):
            (ARMv7Assembler):
            (JSC::ARMv7Assembler::setInt32):
            (JSC::ARMv7Assembler::setUInt7ForLoad):
            * assembler/AbstractMacroAssembler.h:
            (JSC::AbstractMacroAssembler::cacheFlush):
            * assembler/LinkBuffer.h:
            (JSC::LinkBuffer::performFinalization):
            * assembler/MIPSAssembler.h:
            (JSC::MIPSAssembler::relinkJump):
            (JSC::MIPSAssembler::relinkCall):
            (JSC::MIPSAssembler::repatchInt32):
            (JSC::MIPSAssembler::cacheFlush):
            (MIPSAssembler):
            * assembler/SH4Assembler.h:
            (JSC::SH4Assembler::repatchCompact):
            (JSC::SH4Assembler::cacheFlush):
            (SH4Assembler):
            * assembler/X86Assembler.h:
            (X86Assembler):
            (JSC::X86Assembler::cacheFlush):
            * jit/ExecutableAllocator.cpp:
            (JSC):
            * jit/ExecutableAllocator.h:
            (ExecutableAllocator):

2012-05-15  Sam Weinig  <sam@webkit.org>

        <rdar://problem/11401642> ENABLE_IFRAME_SEAMLESS should be turned off on the branch

        Reviewed by Andy Estes.

        * Configurations/FeatureDefines.xcconfig:
        Disable ENABLE_IFRAME_SEAMLESS.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116925

    2012-05-13  Filip Pizlo  <fpizlo@apple.com>

            DFG performs incorrect constant folding on double-to-uint32 conversion in
            Uint32Array PutByVal
            https://bugs.webkit.org/show_bug.cgi?id=86330

            Reviewed by Darin Adler.

            static_cast<int>(d) is wrong, since JS semantics require us to use toInt32(d).
            In particular, C++ casts on typical hardware (like x86 and similar) will
            return 0x80000000 for double values that are out of range of the int32 domain
            (i.e. less than -2^31 or greater than or equal to 2^31). But JS semantics call
            for wrap-around; for example the double value 4294967297 ought to become the
            int32 value 1, not 0x80000000.

            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116809

    2012-05-11  Geoffrey Garen  <ggaren@apple.com>

            Clarified JSGlobalData (JavaScript VM) lifetime
            https://bugs.webkit.org/show_bug.cgi?id=85142

            Reviewed by Alexey Proskuryakov.

            (Follow-up fix.)

            * API/JSContextRef.cpp:
            (JSGlobalContextCreate): Restored some code I removed because I misread an #ifdef.
            (We don't need to test BUILDING_ON_LEOPARD, but we still need the linked-on
            test, because apps might have been linked on older OS's.)

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116813

    2012-05-11  Filip Pizlo  <fpizlo@apple.com>

            JIT memory allocator is not returning memory to the OS on Darwin
            https://bugs.webkit.org/show_bug.cgi?id=86047

            Reviewed by Geoff Garen.

            * jit/ExecutableAllocatorFixedVMPool.cpp:
            (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116593

    2012-05-09  Filip Pizlo  <fpizlo@apple.com>

            JIT memory allocator is not returning memory to the OS on Darwin
            https://bugs.webkit.org/show_bug.cgi?id=86047
            <rdar://problem/11414948>

            Reviewed by Geoff Garen.

            Work around the problem by using a different madvise() flag, but only for the JIT memory
            allocator. Also put in ASSERTs that the call is actually working.

            * jit/ExecutableAllocatorFixedVMPool.cpp:
            (JSC::FixedVMPoolExecutableAllocator::notifyNeedPage):
            (JSC::FixedVMPoolExecutableAllocator::notifyPageIsFree):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116565

    2012-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

            CopiedSpace does not add pinned blocks back to the to-space filter
            https://bugs.webkit.org/show_bug.cgi?id=86011

            Reviewed by Geoffrey Garen.

            After a collection has finished, we go through the blocks in from-space
            and move any of them that are pinned into to-space. At the beginning of
            collection, we reset the to-space block filter that is used during
            conservative scanning and add back the blocks that are filled during the
            collection. However, we neglect to add back those blocks that are moved
            from from-space to to-space, which can cause the conservative scan to
            think that some pinned items are not actually in CopiedSpace.

            * heap/CopiedSpace.cpp:
            (JSC::CopiedSpace::doneCopying): Add the pinned blocks back to the
            to-space filter. Also added a comment and assert for future readers that
            indicates that it's okay that we don't also add the block to the
            to-space block set since it was never removed.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116484

    2012-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

            Heap should not continually allocate new pages in steady state
            https://bugs.webkit.org/show_bug.cgi?id=85936

            Reviewed by Geoff Garen.

            Currently, in steady state (i.e. a constant amount of live GC
            memory with a constant rate of allocation) assuming we've just
            finished a collection with X live blocks in CopiedSpace, we
            increase our working set by X blocks in CopiedSpace with each
            collection we perform. This is due to the fact that we allocate
            until we run out of free blocks to use in the Heap before we
            consider whether we should run a collection.

            In the longer term, this issue will be mostly resolved by
            implementing quick release for the CopiedSpace. In the shorter
            term, we should change our policy to check whether we should
            allocate before trying to use a free block from the Heap. We
            can change our policy to something more appropriate once we
            have implemented quick release.

            This change should also have the convenient side effect of
            reducing the variance in GC-heavy tests (e.g. v8-splay) due
            to fact that we are doing less VM allocation during copying
            collection. Overall, this patch is performance neutral across
            the benchmarks we track.

            * heap/CopiedSpace.cpp:
            (JSC::CopiedSpace::getFreshBlock): Shuffle the request from the BlockAllocator
            around so that we only do it if the block request must succeed
            i.e. after we've already checked whether we should do a collection.
            * heap/MarkedAllocator.cpp:
            (JSC::MarkedAllocator::allocateSlowCase): Ditto.
            (JSC::MarkedAllocator::allocateBlock): We no longer have a failure mode in this
            function because by the time we've called it, we've already checked whether we
            should run a collection so there's no point in returning null.
            * heap/MarkedAllocator.h: Removing old arguments from function declaration.
            (MarkedAllocator):

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116372

    2012-05-07  Oliver Hunt  <oliver@apple.com>

            Rolling out r110287

            RS=Filip Pizlo

            r110287 was meant to be refactoring only, but changed behavior
            enough to break some websites, including qq.com.

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116361

    2012-05-07  Oliver Hunt  <oliver@apple.com>

            LLInt doesn't check for Ropes when performing a character switch
            https://bugs.webkit.org/show_bug.cgi?id=85837

            Reviewed by Filip Pizlo.

            Make LLint check if the scrutinee of a char switch is a rope, and if
            so fall back to a slow case.

            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (LLInt):
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116367

    2012-05-07  Andy Estes  <aestes@apple.com>

            ENABLE_IFRAME_SEAMLESS should be part of FEATURE_DEFINES.

            * Configurations/FeatureDefines.xcconfig:

2012-05-15  Lucas Forschler  <lforschler@apple.com>

    Merge 116356

    2012-05-07  Eric Seidel  <eric@webkit.org>

            Add ENABLE_IFRAME_SEAMLESS so Apple can turn off SEAMLESS if needed
            https://bugs.webkit.org/show_bug.cgi?id=85822

            Reviewed by Adam Barth.

            * Configurations/FeatureDefines.xcconfig:

2012-05-14  Benjamin Poulain  <bpoulain@apple.com>

        <rdar://problem/11406944> iOS WebKit merge: stabilizing merge branch to ToT r116210 (starts Mon, May 14)

        Merge up to OpenSource WebKit r116210.

2012-05-08  Benjamin Poulain  <bpoulain@apple.com>

        Merge 115093 from Open Source for <rdar://problem/11339602>.

    2012-04-23  Filip Pizlo  <fpizlo@apple.com>

        DFG on ARMv7 should not OSR exit on every integer division
        https://bugs.webkit.org/show_bug.cgi?id=84661

        Reviewed by Oliver Hunt.

        On ARMv7, ArithDiv no longer has to know whether or not to speculate integer (since
        that was broken with the introduction of Int32ToDouble) nor does it have to know
        whether or not to convert its result to integer. This is now taken care of for free
        with the addition of the DoubleAsInt32 node, which represents a double-is-really-int
        speculation.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-05-03  Joseph Pecoraro  <pecoraro@apple.com>

       Merged Open Source WebKit r116054.

    2012-05-03  Oliver Hunt  <oliver@apple.com>

           Regression(r114702): Clobbering the caller frame register before we've stored it.
           https://bugs.webkit.org/show_bug.cgi?id=85564

           Reviewed by NOBODY (OOPS!).

           Don't use t0 as a temporary, when we're about to use the value in t0.

            * llint/LowLevelInterpreter32_64.asm:

2012-05-03  Joseph Pecoraro  <pecoraro@apple.com>

       Merged Open Source WebKit r116054.

    2012-05-03  Oliver Hunt  <oliver@apple.com>

           Regression(r114702): Clobbering the caller frame register before we've stored it.
           https://bugs.webkit.org/show_bug.cgi?id=85564

           Reviewed by NOBODY (OOPS!).

           Don't use t0 as a temporary, when we're about to use the value in t0.

            * llint/LowLevelInterpreter32_64.asm:

2012-05-07  Benjamin Poulain  <bpoulain@apple.com>

        Build fix for iOS Simulator after r115523

        Rubber-stamped by Gavin Barraclough.

        The header and code is only relevant for ARM thumb2.

        * jsc.cpp:
        (main):

2012-05-03  Joseph Pecoraro  <pecoraro@apple.com>

       Merged Open Source WebKit r116054.

    2012-05-03  Oliver Hunt  <oliver@apple.com>

           Regression(r114702): Clobbering the caller frame register before we've stored it.
           https://bugs.webkit.org/show_bug.cgi?id=85564

           Reviewed by NOBODY (OOPS!).

           Don't use t0 as a temporary, when we're about to use the value in t0.

            * llint/LowLevelInterpreter32_64.asm:

2012-05-07  Benjamin Poulain  <bpoulain@apple.com>

        Build fix for iOS Simulator after r115523

        Rubber-stamped by Gavin Barraclough.

        The header and code is only relevant for ARM thumb2.

        * jsc.cpp:
        (main):

2012-04-25  Pratik Solanki  <psolanki@apple.com>

        Merged Open Source WebKit r114845.

    2012-04-21  Darin Adler  <darin@apple.com>

        Change JavaScript lexer to use 0 instead of -1 for sentinel, eliminating the need to put characters into ints
        https://bugs.webkit.org/show_bug.cgi?id=84523

        Reviewed by Oliver Hunt.

        Profiles showed that checks against -1 were costly, and I saw they could be eliminated.
        Streamlined this code to use standard character types and 0 rather than -1. One benefit
        of this is that there's no widening and narrowing. Another is that there are many cases
        where we already have the correct behavior for 0, so can eliminate a branch that was
        used to test for -1 before. Also eliminates typecasts in the code.

        * parser/Lexer.cpp:
        (JSC::Lexer::invalidCharacterMessage): Updated use of String::format since m_current is now a
        character type, not an int.
        (JSC::Lexer::setCode): Use 0 rather than -1 when past the end.
        (JSC::Lexer::shift): Ditto. Also spruced up the comment a bit.
        (JSC::Lexer::atEnd): Added. New function that distinguishes an actual 0 character from the end
        of the code. This can be used places we used to cheeck for -1.
        (JSC::Lexer::peek): Updated to use -1 instead of 0. Removed meaningless comment.
        (JSC::Lexer::parseFourDigitUnicodeHex): Changed to use character types instead of int.
        (JSC::Lexer::shiftLineTerminator): Removed now-unneeded type casts. Changed local variable that
        had a data-member-style name.
        (JSC::Lexer::parseIdentifier): Removed now-unneeded explicit checks for -1, since the isIdentPart
        function already returns false for the 0 character. Updated types in a couple other places. Used
        the atEnd function where needed.
        (JSC::Lexer::parseIdentifierSlowCase): More of the same.
        (JSC::characterRequiresParseStringSlowCase): Added overloaded helper function for parseString.
        (JSC::Lexer::parseString): Ditto.
        (JSC::Lexer::parseStringSlowCase): Ditto.
        (JSC::Lexer::parseMultilineComment): Ditto.
        (JSC::Lexer::lex): More of the same. Also changed code to set the startOffset directly in
        the tokenInfo instead of putting it in a local variable first, saving some memory access.
        (JSC::Lexer::scanRegExp): Ditto.
        (JSC::Lexer::skipRegExp): Ditto.

        * parser/Lexer.h: Changed return type of the peek function and type of m_current from int to
        the character type. Added atEnd function.
        (JSC::Lexer::setOffset): Used 0 instead of -1 and removed an overzealous attempt to optimize. 
        (JSC::Lexer::lexExpectIdentifier): Used 0 instead of -1.

2012-04-25  Pratik Solanki  <psolanki@apple.com>

        Merged Open Source WebKit r114844.

    2012-04-21  Darin Adler  <darin@apple.com>

        Change JavaScript lexer to use 0 instead of -1 for sentinel, eliminating the need to put characters into ints
        https://bugs.webkit.org/show_bug.cgi?id=84523

        Reviewed by Oliver Hunt.

        Separate preparation step of copyright dates, renaming, and other small tweaks.

        * parser/Lexer.cpp:
        (JSC::Lexer::invalidCharacterMessage): Removed "get" from name to match WebKit naming conventions.
        (JSC::Lexer::peek): Removed meaningless comment.
        (JSC::Lexer::parseFourDigitUnicodeHex): Renamed from getUnicodeCharacter to be more precise about
        what this function does.
        (JSC::Lexer::shiftLineTerminator): Renamed local variable that had a data-member-style name.
        (JSC::Lexer::parseStringSlowCase): Updated for new name of parseFourDigitUnicodeHex.
        (JSC::Lexer::lex): Updated for new name of invalidCharacterMessage.

        * parser/Lexer.h: Removed an unneeded forward declaration of the RegExp class.
        Renamed getInvalidCharMessage to invalidCharacterMessage and made it const. Renamed
        getUnicodeCharacter to parseFourDigitUnicodeHex.

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Merge OpenSource WebKit r115290.

    2012-04-25  Benjamin Poulain  <benjamin@webkit.org>

        Add a version of StringImpl::find() without offset
        https://bugs.webkit.org/show_bug.cgi?id=83968

        Reviewed by Sam Weinig.

        Add support for the new StringImpl::find() to UString.

        Change stringProtoFuncIndexOf() to specifically take advatage of the feature.
        This gives a 12% gains on a distribution of strings between 30 and 100 characters.

        * runtime/StringPrototype.cpp:
        (JSC::substituteBackreferences):
        (JSC::stringProtoFuncIndexOf):
        * runtime/UString.h:
        (UString):
        (JSC::UString::find):

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Merge OpenSource WebKit r115132.

    2012-04-24  Benjamin Poulain  <bpoulain@apple.com>

        Generalize the single character optimization of r114072
        https://bugs.webkit.org/show_bug.cgi?id=83961

        Reviewed by Eric Seidel.

        Use the regular String::find(StringImpl*) in all cases now that it has been made faster.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingStringSearch):

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Merge OpenSource WebKit r114793.

    2012-04-20  Benjamin Poulain  <bpoulain@apple.com>

        Inline the JSArray constructor
        https://bugs.webkit.org/show_bug.cgi?id=84416

        Reviewed by Geoffrey Garen.

        The constructor is trivial, no reason to jump for it.

        This makes the creation of array ~5% faster (on non-trivial cases, no empty arrays).

        * runtime/JSArray.cpp:
        (JSC):
        * runtime/JSArray.h:
        (JSC::JSArray::JSArray):
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Merge OpenSource WebKit r114539.

    2012-04-18  Benjamin Poulain  <bpoulain@apple.com>

        Remove m_subclassData from JSArray, move the attribute to subclass as needed
        https://bugs.webkit.org/show_bug.cgi?id=84249

        Reviewed by Geoffrey Garen.

        JSArray's m_subclassData is only used by WebCore's RuntimeArray. This patch moves
        the attribute to RuntimeArray to avoid allocating memory for the pointer in the common
        case.

        This gives ~1% improvement in JSArray creation microbenchmark thanks to fewer allocations
        of CopiedSpace.

        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSArray):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        * runtime/JSArray.h:

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Merge OpenSource WebKit r114521.

    2012-04-18  Benjamin Poulain  <bpoulain@apple.com>

        replaceUsingStringSearch: delay the creation of the replace string until needed
        https://bugs.webkit.org/show_bug.cgi?id=83841

        Reviewed by Geoffrey Garen.

        We do not need to obtain the replaceValue until we have a match. By moving the intialization
        of replaceValue when needed, we save a few instructions when there is no match.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        (JSC::stringProtoFuncReplace):

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Merge OpenSource WebKit r114072.

    2012-04-12  Benjamin Poulain  <bpoulain@apple.com>

        Improve replaceUsingStringSearch() for case of a single character searchValue
        https://bugs.webkit.org/show_bug.cgi?id=83738

        Reviewed by Geoffrey Garen.

        This patch improves replaceUsingStringSearch() with the following:
        -Add a special case for single character search, taking advantage of the faster WTF::find().
        -Inline replaceUsingStringSearch().
        -Use StringImpl::create() instead of UString::substringSharingImpl() since we know we are in the bounds
         by definition.

        This gives less than 1% improvement for the multicharacter replace.
        The single character search show about 9% improvement.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingStringSearch):

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Merge OpenSource WebKit r113886.

    2012-04-11  Benjamin Poulain  <bpoulain@apple.com>

        Optimize String.split() for 1 character separator
        https://bugs.webkit.org/show_bug.cgi?id=83546

        Reviewed by Gavin Barraclough.

        This patch adds a serie of optimizations to make stringProtoFuncSplit() faster in the common case
        where the separator is a single character.

        The two main gains are:
        -Use of the find() function with a single character instead of doing a full string matching.
        -Use of WTF::find() instead of UString::find() to avoid branching on is8Bit() and have a simpler inline
         function.

        The code is also changed to avoid making unnecessary allocations by converting the 8bit string to 16bits.

        This makes String.split() faster by about 13% in that particular case.

        * runtime/StringPrototype.cpp:
        (JSC):
        (JSC::splitStringByOneCharacterImpl):
        (JSC::stringProtoFuncSplit):

2012-04-26  Benjamin Poulain  <bpoulain@apple.com>

        Merge OpenSource WebKit r113530.

    2012-04-06  Benjamin Poulain  <bpoulain@apple.com>

        Do not abuse ArrayStorage's m_length for testing array consistency
        https://bugs.webkit.org/show_bug.cgi?id=83403

        Reviewed by Geoffrey Garen.

        Array creation from a list of values is a 3 steps process:
        -JSArray::tryCreateUninitialized()
        -JSArray::initializeIndex() for each values
        -JSArray::completeInitialization()

        Previously, the attribute m_length was not set to the final size
        JSArray::tryCreateUninitialized() because it was used to test the array
        consistency JSArray::initializeIndex().

        This caused the initialization loop using JSArray::initializeIndex() maintain
        two counters:
        -index of the loop
        -storage->m_length++

        This patch fixes this by using the index of the initialization loop for the indinces of
        JSArray::initializeIndex(). For testing consistency, the variable m_initializationIndex
        is introduced if CHECK_ARRAY_CONSISTENCY is defined.

        The patch also fixes minor unrelated build issue when CHECK_ARRAY_CONSISTENCY is defined.

        This improves the performance of JSArray creation from literals by 8%.

        * runtime/JSArray.cpp:
        (JSC::JSArray::tryFinishCreationUninitialized):
        (JSC::JSArray::checkConsistency):
        * runtime/JSArray.h:
        (ArrayStorage):
        (JSC::JSArray::initializeIndex):
        (JSC::JSArray::completeInitialization):

2012-04-24  Yongjun Zhang  <yongjun_zhang@apple.com>

        <rdar://problem/11210742> iOS WebKit merge: stabilizing merge branch to ToT r113485

        Merge up to OpenSource WebKit r113485.

2012-04-18  Filip Pizlo  <fpizlo@apple.com>

        Merge r114434 from OpenSource WebKit.
        <rdar://problem/10767252>

    2012-04-17  Filip Pizlo  <fpizlo@apple.com>
    
            DFG and LLInt should not clobber the frame pointer on ARMv7
            https://bugs.webkit.org/show_bug.cgi?id=84185
            <rdar://problem/10767252>
    
            Reviewed by Gavin Barraclough.
            
            Changed LLInt to use a different register. Changed DFG to use one fewer
            registers. We should revisit this and switch the DFG to use a different
            register instead of r7, but we can do that in a subsequent step since
            the performance effect is tiny.
    
            * dfg/DFGGPRInfo.h:
            (GPRInfo):
            (JSC::DFG::GPRInfo::toRegister):
            (JSC::DFG::GPRInfo::toIndex):
            * offlineasm/armv7.rb:
    
2012-04-16  Filip Pizlo  <fpizlo@apple.com>

        <rdar://problem/11244632> REGRESSION(Sundance): Crash in JSC::JSCell::toPrimitive trying to pay bill on usbank.com
        Merge r111244 from OpenSource WebKit.

    2012-03-19  Filip Pizlo  <fpizlo@apple.com>
    
            LLInt get_by_pname slow path incorrectly assumes that the operands are not constants
            https://bugs.webkit.org/show_bug.cgi?id=81559
    
            Reviewed by Michael Saboff.
    
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
    
2012-04-13  Benjamin Poulain  <bpoulain@apple.com>

        <rdar://problem/10951750> GEOLOCATION_PERMISSION_CACHE is incorrect

        Reviewed by David Kilzer.

        Remove the flag GEOLOCATION_PERMISSION_CACHE.

        * wtf/Platform.h:

2012-04-13  Michael Saboff  <msaboff@apple.com>
        Merge r113253 from OpenSource WebKit.
        <rdar://problem/11179731>

    2012-04-04  Michael Saboff  <msaboff@apple.com>

            Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
            https://bugs.webkit.org/show_bug.cgi?id=83191

            Reviewed by Oliver Hunt.

            Make are that blinded constant pairs are similarly aligned to the
            original immediate values so that instructions that expect that
            alignment work correctly.  One example is ARMv7 add/sub imm to SP.

            * assembler/ARMv7Assembler.h:
            (JSC::ARMv7Assembler::add): Added ASSERT that immediate is word aligned.
            (JSC::ARMv7Assembler::sub): Added ASSERT that immediate is word aligned.
            (JSC::ARMv7Assembler::sub_S): Added ASSERT that immediate is word aligned.
            * assembler/MacroAssembler.h:
            (JSC::MacroAssembler::additionBlindedConstant):

2012-04-09  Filip Pizlo  <fpizlo@apple.com>

        Merge r113642 from OpenSource WebKit.
        <rdar://problem/11204572>
        
        Note that the OpenSource changeset included a fix in dfg/DFGOperations.cpp that
        had already been applied to iOS WebKit.

    2012-04-09  Filip Pizlo  <fpizlo@apple.com>
    
            Unreviewed, modernize and clean up uses of ARM assembly mnemonics in inline asm blocks.
    
            * offlineasm/armv7.rb:
    
2012-04-06  Benjamin Poulain  <bpoulain@apple.com>

        Merge r111433 from Open Source WebKit.

        Running some benchmarks without this patch is useless as it changes the profile
        radically.

    2012-03-20  Benjamin Poulain  <bpoulain@apple.com>

        Cache the type string of JavaScript object
        https://bugs.webkit.org/show_bug.cgi?id=81446

        Reviewed by Geoffrey Garen.

        Instead of creating the JSString every time, we create
        lazily the strings in JSGlobalData.

        This avoid the construction of the StringImpl and of the JSString,
        which gives some performance improvements.

        * runtime/CommonIdentifiers.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::toStringSlowCase):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::finalizeSmallStrings):
        (JSC::SmallStrings::initialize):
        (JSC):
        * runtime/SmallStrings.h:
        (SmallStrings):

2012-04-06  Benjamin Poulain  <bpoulain@apple.com>

        Merge r111306 from Open Source WebKit.

    2012-03-19  Benjamin Poulain  <bpoulain@apple.com>

        Simplify SmallStrings
        https://bugs.webkit.org/show_bug.cgi?id=81445

        Reviewed by Gavin Barraclough.

        SmallStrings had two methods that should not be public: count() and clear().

        The method clear() is effectively replaced by finalizeSmallStrings(). The body
        of the method was moved to the constructor since the code is obvious.

        The method count() is unused.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        * runtime/SmallStrings.h:
        (SmallStrings):

2012-04-06  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/9587937> Switch c++0x and switch from libstdc++ to libc++ when building with clang

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig: Set CLANG_CXX_LIBRARY based on
        REAL_PLATFORM_NAME.

2012-04-04  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/11184606> UIKit-806c85 failed to build in the Innsbruck autoBot for sim

        Reviewed by Matt Lilek.

        * Configurations/Base.xcconfig: Hard-code VALID_ARCHS for
        iphoneos and iphonesimulator.

2012-04-03  Pratik Solanki  <psolanki@apple.com>

        Merged Open Source WebKit r113113.

    2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend uses the wrong mnemonic for multiply
        https://bugs.webkit.org/show_bug.cgi?id=83098
        <rdar://problem/11168744>

        Reviewed by Gavin Barraclough.
        
        Use "mul" instead of "muls" since we're passing three operands, not two.

        * offlineasm/armv7.rb:

2012-04-03  Pratik Solanki  <psolanki@apple.com>

        Merged Open Source WebKit r113113.

    2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend uses the wrong mnemonic for multiply
        https://bugs.webkit.org/show_bug.cgi?id=83098
        <rdar://problem/11168744>

        Reviewed by Gavin Barraclough.
        
        Use "mul" instead of "muls" since we're passing three operands, not two.

        * offlineasm/armv7.rb:

2012-04-03  Pratik Solanki  <psolanki@apple.com>

        Merged Open Source WebKit r113113.

    2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend uses the wrong mnemonic for multiply
        https://bugs.webkit.org/show_bug.cgi?id=83098
        <rdar://problem/11168744>

        Reviewed by Gavin Barraclough.
        
        Use "mul" instead of "muls" since we're passing three operands, not two.

        * offlineasm/armv7.rb:

2012-04-03  Pratik Solanki  <psolanki@apple.com>

        Merged Open Source WebKit r113113.

    2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend uses the wrong mnemonic for multiply
        https://bugs.webkit.org/show_bug.cgi?id=83098
        <rdar://problem/11168744>

        Reviewed by Gavin Barraclough.
        
        Use "mul" instead of "muls" since we're passing three operands, not two.

        * offlineasm/armv7.rb:

2012-04-04  Pratik Solanki  <psolanki@apple.com>

        Merged Open Source WebKit r113113.

    2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend uses the wrong mnemonic for multiply
        https://bugs.webkit.org/show_bug.cgi?id=83098
        <rdar://problem/11168744>

        Reviewed by Gavin Barraclough.
        
        Use "mul" instead of "muls" since we're passing three operands, not two.

        * offlineasm/armv7.rb:

2012-04-04  Pratik Solanki  <psolanki@apple.com>

        Merge Open Source WebKit r112285.

    2012-03-27  Pratik Solanki  <psolanki@apple.com>

        Compiler warning when JIT is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=82352

        Reviewed by Filip Pizlo.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):

2012-04-04  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/11142625> iOS WebKit merge: stabilizing merge branch to ToT r111184

        Merge up to OpenSource WebKit r111184.

2012-04-01  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/10429650> Remove resources from JavaScriptCore.framework in carrier/customer images

        Reviewed by David Carson.

        This patch sets SKIP_INSTALL=YES for testRegExp to prevent its
        installation.  Previously, SKIP_INSTALL was set to NO in the
        Xcode project file, overriding the setting in
        ToolExecutable.xcconfig and causing testRegExp to be installed.

        The remaining changes are simply removing duplicate settings in
        the Xcode project file that are already in JSC.xcconfig or
        ToolExecutable.xcconfig.

        * Configurations/ToolExecutable.xcconfig: Added
        CODE_SIGN_ENTITLEMENTS for iphoneos platform.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        (testRegExp Production_Deployment): Remove INSTALL_PATH_* and
        SKIP_INSTALL macros.
        (testRegExp Production_Hardware): Remove CODE_SIGN_ENTITLEMENTS,
        INSTALL_PATH and SKIP_INSTALL macros.
        (minidom Production_Hardware): Remove CODE_SIGN_ENTITLEMENTS.
        (jsc Production_Hardware): Remove CODE_SIGN_ENTITLEMENTS,
        INSTALL_PATH and SKIP_INSTALL macros.
        (minidom Development_Hardware): Remove CODE_SIGN_ENTITLEMENTS.
        (testapi Development): Remove INSTALL_PATH_* macros.
        (jsc Development): Ditto.
        (minidom Deployment_Hardware): Remove CODE_SIGN_ENTITLEMENTS.
        (testapi Deployment): Ditto.
        (jsc Deployment): Ditto.
        (testapi Production_Deployment): Remove INSTALL_PATH_* and
        SKIP_INSTALL macros.
        (jsc Production_Deployment): Ditto.

2012-03-29  Yongjun Zhang  <yongjun_zhang@apple.com>

        Merge ToT WebKit r112595.
 
    2012-03-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-x86 platforms.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_mod):

2012-03-29  Yongjun Zhang  <yongjun_zhang@apple.com>

        Merge ToT WebKit r112595.
 
    2012-03-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-x86 platforms.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_mod):

2012-03-29  Yongjun Zhang  <yongjun_zhang@apple.com>

        Merge ToT WebKit r112595.
 
    2012-03-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-x86 platforms.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_mod):

2012-03-29  Yongjun Zhang  <yongjun_zhang@apple.com>

        Merge ToT WebKit r112595.
 
    2012-03-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-x86 platforms.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_mod):

2012-03-28  David Kilzer  <ddkilzer@apple.com>

        minidom configurations should be based on ToolExecutable.xcconfig
        <http://webkit.org/b/82513>

        Merged ToT WebKit r112496.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Base all iOS configurations for minidom on
          ToolExecutable.xcconfig.
        - Remove redundant variables in iOS configurations for minidom:
          INSTALL_PATH, INSTALL_PATH_ACTUAL, PRODUCT_NAME, SKIP_INSTALL.

    2012-03-28  David Kilzer  <ddkilzer@apple.com>

        minidom configurations should be based on ToolExecutable.xcconfig
        <http://webkit.org/b/82513>

        Reviewed by Mark Rowe.

        Note that this patch changes minidom from being installed in
        /usr/local/bin to JavaScriptCore.framework/Resources.

        * Configurations/ToolExecutable.xcconfig: Add semi-colon.
        * JavaScriptCore.xcodeproj/project.pbxproj: Base minidom
        configurations on ToolExecutable.xcconfig.  Remove redundant
        PRODUCT_NAME and SKIP_INSTALL variables.

2012-03-28  David Kilzer  <ddkilzer@apple.com>

        Make Debug/Release/Production configurations work with iOS JavaScriptCore

        Reviewed by Joseph Pecoraro.

        Part of: <rdar://problem/10568199> WebKit: Switch to Debug/Release/Production configurations for iphoneos and iphonesimulator builds

        This change makes Debug, Release and Production configurations
        work when building from Xcode and ~rc/bin/buildit and targeting
        an iOS SDK.  The Development, Deployment, Production_Deployment
        configurations and the Development_Hardware, Deployment_Hardware
        and Production_Hardware configurations still work, but will be
        removed once B&I switches over to Production targets and once
        build-webkit is updated to use Debug and Release for local iOS
        engineering builds.

        The only real change in B&I builds is that testRegExp is no
        longer installed when building for the iphoneos platform, which
        matches OS X builds.

        * Configurations/Base.xcconfig:
        - Include iOS.xcconfig.
        - Fix VALID_ARCHS for each platform.
        - Define INSTALL_PATH for OS X builds just like it's defined in
          AspenFamily.xcconfig.  This makes it possible to define the
          install path only once for both iOS and OS X, and makes the
          definition of INSTALL_PATH* variables much simpler in other
          xcconfig files.
        * Configurations/Indigo.xcconfig: Removed.  This isn't needed
          anymore since AspenFamily.xcconfig is included in
          Base.xcconfig via iOS.xcconfig.
        * Configurations/JSC.xcconfig: Rename INSTALL_PATH to
          INSTALL_PATH_ACTUAL.  Use .../Resources instead of
          .../Versions/A/Resources since the former works on both iOS
          and OS X.  ToolExecutable.xcconfig already does this.
        * Configurations/JavaScriptCore.xcconfig: Simplify the
          INSTALL_PATH mess.  (This is what can happen if INSTALL_PATH
          is not defined in Base.xcconfig.)
        * Configurations/ToolExecutable.xcconfig: Rename INSTALL_PATH to
          INSTALL_PATH_ACTUAL.
        * Configurations/iOS.xcconfig: Use this xcconfig file to obscure
          the path to and name of AspenFamily.xcconfig.  Normally it
          would have been removed just like Indigo.xcconfig, but we want
          to repurpose it.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Remove references to IndigoSDK.xcconfig and AspenSDK.xcconfig.
          These are AppleInternal files that are not part of the
          project.  They were originally added for convenience.
        - Remove Indigo.xcconfig since it was deleted.
        - Update the base xcconfig files for targets in the legacy iOS
          configurations.  The iOS configurations now match their Debug,
          Release, and Production counterparts.

2012-03-28  David Kilzer  <ddkilzer@apple.com>

        Let Xcode 4.5 update the JavaScriptCore project file

        Reviewed by Pratik Solanki.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Remove references to non-existent AllocationSpace.{h|cpp}
          files.
        - Re-sort Development configuration for JSCLLIntOffsetsExtractor
          by UUID.
        - Fix the configuration names in the "LLInt Offsets" target.

2012-03-27  David Kilzer  <ddkilzer@apple.com>

        Fix path setting for ios folder

        Rubber-stamped by Anders Carlsson.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-27  David Kilzer  <ddkilzer@apple.com>

        Remove duplicate copy of CommonSlowPaths.h

        Reviewed by Joseph Pecoraro.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-27  Matt Lilek  <mrl@apple.com>

        <rdar://problem/11124194> JavaScriptCore-1049 fails to build with clang-421.1.5 due to -fno-var-tracking flag
    
        Merge OpenSource r112313.

    2012-03-27  Matt Lilek  <mrl@apple.com>

        Stop compiling Interpreter.cpp with -fno-var-tracking
        https://bugs.webkit.org/show_bug.cgi?id=82299

        Reviewed by Anders Carlsson.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-23  Alexey Proskuryakov  <ap@apple.com>

    <rdar://problem/8268351> Enable BLOB

    Merge OpenSource r111931.

    2012-03-23  Alexey Proskuryakov  <ap@apple.com>
    
            [Mac] No need for platform-specific ENABLE_BLOB values
            https://bugs.webkit.org/show_bug.cgi?id=82102
    
            Reviewed by David Kilzer.
    
            * Configurations/FeatureDefines.xcconfig:

2012-03-21  Filip Pizlo  <fpizlo@apple.com>

        GC should not attempt to clear LLInt instruction inline caches for code blocks that are in
        the process of being generated
        https://bugs.webkit.org/show_bug.cgi?id=81565
        <rdar://problem/10987024>

        Reviewed by Oliver Hunt.
        
        Merge OpenSource r111264.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):

2012-03-20  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/11083923> Having LLINT enabled without JIT entitlements results in crashes

    Merge OpenSource r111431

    2012-03-20  Oliver Hunt  <oliver@apple.com>

            Allow LLINT to work even when executable allocation fails.
            https://bugs.webkit.org/show_bug.cgi?id=81693

            Reviewed by Gavin Barraclough.

            Don't crash if executable allocation fails if we can fall back on LLINT

            * jit/ExecutableAllocatorFixedVMPool.cpp:
            (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
            * wtf/OSAllocatorPosix.cpp:
            (WTF::OSAllocator::reserveAndCommit):

2012-03-19  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/11077141> iOS WebKit merge: stabilizing merge branch to ToT r110032

        Merge up to OpenSource WebKit r110032.

        Also needed to pull in ARMv7 fix from r110751 to ensure we have a working JIT.

2012-03-16  Matt Lilek  <mrl@apple.com>

        <rdar://problem/11013563> WeatherApp fails to build in xcodebuild due to warnings about ENABLE_INSPECTOR being redefined

        ENABLE_INSPECTOR is already defined above and since we don't need to worry about armv6 anymore, we can use the logic
        above to handle ENABLE_PURGEABLE_MEMORY.

        Reviewed by Paul Knight and Joseph Pecoraro.

        * wtf/Platform.h:

2012-03-16  Matt Lilek  <mrl@apple.com>

        <rdar://problem/11055309> JavaScriptCore-1044 fails to build with clang-421.1.4: pre-UAL syntax in inline assembly

        Reviewed by Geoff Garen.

        * dfg/DFGOperations.cpp:
        (JSC):

2012-03-08  Matt Lilek  <mrl@apple.com>

    <rdar://problem/10821239> ENABLE_VIDEO_TRACK should not be defined for iOS

    Merge OpenSource r110212.

    2012-03-08  Matt Lilek  <mrl@apple.com>

            Don't enable VIDEO_TRACK on all OS X platforms
            https://bugs.webkit.org/show_bug.cgi?id=80635

            Reviewed by Eric Carlson.

            * Configurations/FeatureDefines.xcconfig:

2012-03-04  David Kilzer  <ddkilzer@apple.com>

        Fix build when the classic interpreter is enabled

        Merged ToT WebKit r109678.

    2012-03-04  David Kilzer  <ddkilzer@apple.com>

        Fix build when the classic interpreter is enabled

        Reviewed by Gavin Barraclough.

        Fixes the following build error when running the "Generate
        Derived Sources" build phase script:

            offlineasm: Parsing JavaScriptCore/llint/LowLevelInterpreter.asm and ../../JSCLLIntOffsetsExtractor and creating assembly file LLIntAssembly.h.
            ./JavaScriptCore/offlineasm/offsets.rb:145:in `offsetsAndConfigurationIndex': unhandled exception
                    from JavaScriptCore/offlineasm/asm.rb:131
            Command /bin/sh failed with exit code 1

        Gavin's fix in r109674 avoided the #error statement in
        JITStubs.h when compiling LLIntOffsetsExtractor.cpp, but it
        caused the "Generate Derived Sources" build phase script to fail
        when JavaScriptCore/offlineasm/asm.rb was run.  The solution is
        to detect when the classic interpreter is being built and simply
        exit early from asm.rb in that case.

        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy): Return NULL pointer if the
        JIT is disabled.  Note that offsets.rb doesn't care about the
        return value here, but instead it cares about finding the magic
        values in the binary.  The magic values are no longer present
        when the JIT is disabled.
        * offlineasm/asm.rb: Catch MissingMagicValuesException and exit
        early with a status message.
        * offlineasm/offsets.rb:
        (MissingMagicValuesException): Add new exception class.
        (offsetsAndConfigurationIndex): Throw
        MissingMagicValuesException when no magic values are found.

2012-03-04  Gavin Barraclough  <barraclough@apple.com>

        Merge ToT r109674 - this fixes the Innsbruck build.

    2012-03-04  Gavin Barraclough  <barraclough@apple.com>

            Unreviewed build fix.

            * jit/JITStubs.h:
                - Move ENABLE(JIT) to head of file.

2012-03-02  Filip Pizlo  <fpizlo@apple.com>

        Cherry-pick merge of r109519 and r109522. <rdar://problem/10974632>

    2012-03-02  Filip Pizlo  <fpizlo@apple.com>
    
            Unreviewed build fix for platforms that have DFG_JIT disabled but PARALLEL_GC enabled.
    
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::visitAggregate):
    
    2012-03-01  Filip Pizlo  <fpizlo@apple.com>
    
            DFGCodeBlocks should not trace CodeBlocks that are also going to be traced by
            virtue of being in the transitive closure
            https://bugs.webkit.org/show_bug.cgi?id=80098
     
            Reviewed by Anders Carlsson.
            
            If DFGCodeBlocks traces a CodeBlock that might also be traced via its owner Executable,
            then you might have the visitAggregate() method called concurrently by multiple threads.
            This is benign on 64-bit -- visitAggregate() and everything it calls turns out to be
            racy and slightly imprecise but not unsound. But on 32-bit, visitAggregate() may crash
            due to word tearing in ValueProfile bucket updates inside of computeUpdatedPrediction().
            
            It would seem that the fix is just to have DFGCodeBlocks not trace CodeBlocks that are
            not jettisoned. But CodeBlocks may be jettisoned later during the GC, so it must trace
            any CodeBlock that it knows to be live by virtue of it being reachable from the stack.
            Hence the real fix is to make sure that concurrent calls into CodeBlock::visitAggregate()
            don't lead to two threads racing over each other as they clobber state. This patch
            achieves this with a simple CAS loop: whichever thread wins the CAS race (which is
            trivially linearizable) will get to trace the CodeBlock; all other threads give up and
            go home.
            
            Unfortunately there will be no new tests. It's possible to reproduce this maybe 1/10
            times by running V8-v6's raytrace repeatedly, using the V8 harness hacked to rerun it
            even when it's gotten sufficient counts. But that takes a while - sometimes up to a
            minute to get a crash. I have no other reliable repro case.
    
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::visitAggregate):
            * bytecode/CodeBlock.h:
            (DFGData):
            * heap/DFGCodeBlocks.cpp:
            (JSC::DFGCodeBlocks::clearMarks):
    
    2012-03-01  Filip Pizlo  <fpizlo@apple.com>

        Fix the build of universal binary with ARMv7s of JavaScriptCore

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:

2012-02-29  Benjamin Poulain  <bpoulain@apple.com>

        Stabilization: fix the debug/development build

        Reviewed by David Kilzer.

        On iOS, there is an extra assertion for pthread_main_np(). This was failing in
        Debug due to the function being undefined.

        * wtf/text/StringStatics.cpp:

2012-03-01  Benjamin Poulain  <bpoulain@apple.com>

        <rdar://problem/10922144> iOS WebKit merge: stabilizing merge branch to ToT r108448 or later (to pick up LLInt)

        Integrate the merge branch of Matt up to OpenSource WebKit r109201.

2012-02-28  Benjamin Poulain  <bpoulain@apple.com>

        <rdar://problem/8976264> MobileSafari should switch to client-based geolocation

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig: Enable Client Based Geolocation.

2012-02-28  Dean Jackson  <dino@apple.com>

        <rdar://problem/10042073> Make CSS filters work on iOS

        Reviewed by Joseph Pecoraro.

        Turn ENABLE_CSS_FILTERS on for iOS.

        * Configurations/FeatureDefines.xcconfig:

2012-02-27  Tim Horton  <timothy_horton@apple.com>

        <rdar://problem/6136646> iOS: Enable SVG filters

        Reviewed by Dean Jackson.

        Enable SVG filters.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2012-02-24  Chris Marrin  <cmarrin@apple.com>

        Make requestAnimationFrame work on iOS (change CVDisplayLink to CADisplayLink)
        <rdar://problem/10406593>

        Turn on requestAnimationFrame flags for iOS

        Reviewed by Dean Jackson.

        * wtf/Platform.h:

2012-02-23  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/10922577> Define WTF_USE_COREMEDIA on Sundance only

        Reviewed by Simon Fraser.

        This allows us to build and run ToT WebKit on Hoodoo. USE(COREMEDIA) code requires header
        files that are not present on Hoodoo.

        * wtf/Platform.h:

2012-02-23  Benjamin Poulain  <bpoulain@apple.com>

        Remove JavaScriptCore.exp

        Reviewed by Joseph Pecoraro.

        For some reason, the file was not deleted in the merge branch. It was supposed
        to disappear following https://bugs.webkit.org/show_bug.cgi?id=72854

        * JavaScriptCore.exp: Removed.

2012-02-22  Benjamin Poulain <bpoulain@apple.com>

        Merge Open Source WebKit r108432.

    2012-02-21  Oliver Hunt  <oliver@apple.com>

        Unbreak double-typed arrays on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=79177

        Reviewed by Gavin Barraclough.

        The existing code had completely broken address arithmetic.

        * JSCTypedArrayStubs.h:
        (JSC):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeDouble):
        (JSC::MacroAssemblerARMv7::storeFloat):

2012-02-15  Jer Noble  <jer.noble@apple.com>

        <rdar://problem/10326923> Support HTML5 media synchronization through AVFoundation

        Merged ToT revisions 106978, 106996

    2012-02-06 Jer Noble <jer.noble@apple.com>

        Use CMClock as a timing source for PlatformClock where available.

        https://bugs.webkit.org/show_bug.cgi?id=77885

        Reviewed by Eric Carlson.

        * wtf/Platform.h: Added WTF_USE_COREMEDIA.

2012-02-14  Michael Saboff  <msaboff@apple.com>

        Merged TOT revision 107400

    2012-02-10  Michael Saboff  <msaboff@apple.com>

            Yarr assert with regexp where alternative in *-quantified group matches empty
            https://bugs.webkit.org/show_bug.cgi?id=67752        

            Reviewed by Gavin Barraclough.

            Added backtracking for the prior alternative if it matched
            but didn't consume any input characters.

            * yarr/YarrJIT.cpp:
            (YarrOp): New jump.
            (JSC::Yarr::YarrGenerator::generate): Emit conditional jump
            when an alternative matches and no input was consumed.  Moved the
            zero length match check for a set of alternatives to the alternative
            code from the parentheses cases to the alternative end cases.
            Converted the existing zero length checks in the parentheses cases
            to runtime assertion checks.
            (JSC::Yarr::YarrGenerator::backtrack): Link new jump to backtrack
            to prior term.

2012-02-14  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/10861737> Unexpected syntax error

        Merge ToT r106297

    2012-01-30  Oliver Hunt  <oliver@apple.com>

        Unexpected syntax error
        https://bugs.webkit.org/show_bug.cgi?id=77340

        Reviewed by Gavin Barraclough.

        Function calls and new expressions have the same semantics for
        assignment, so should simply share their lhs handling.

        * parser/Parser.cpp:
        (JSC::::parseMemberExpression):

2012-02-14  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/10861648> Make DFG update topCallFrame

        Merge ToT r105905

    2012-01-24  Oliver Hunt  <oliver@apple.com>

        Make DFG update topCallFrame
        https://bugs.webkit.org/show_bug.cgi?id=76969

        Reviewed by Filip Pizlo.

        Add NativeCallFrameTracer to manage topCallFrame assignment
        in the DFG operations, and make use of it.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        ():
        * interpreter/Interpreter.h:
        (JSC):
        (NativeCallFrameTracer):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):

2012-02-14  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/10861562> GetByteArrayLength is incorrect

        Merged ToT r104324 

    2012-01-06  Oliver Hunt  <oliver@apple.com>

        GetByteArrayLength is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=75735

        Reviewed by Filip Pizlo.

        Load the byte array length from the correct location.
        This stops an existing test from hanging.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-02-13  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/10853544> Get ToT WebKit to compile on Hoodoo

        Reviewed by Scott Grant.

        * wtf/Platform.h:

2012-02-13  Gavin Barraclough  <barraclough@apple.com>

        Merged TOT revisions 106512, 106748, 106783, 106999

    2012-02-07  Gavin Barraclough  <barraclough@apple.com>
    
            Crash on http://www.rickshawbags.com/
            https://bugs.webkit.org/show_bug.cgi?id=78045
    
            Reviewed by Darin Adler.
    
            Problem URL is: http://www.rickshawbags.com/customize/custom-bag#!thl=rickshaw/bag()
            
            This is a bug introduced by https://bugs.webkit.org/show_bug.cgi?id=71933,
            isVariableObject() checks were excluding StaticScopeObjects, this patch
            inadvertently changed them to be included.
    
            * runtime/JSType.h:
                - sort JSType enum such that StaticScopeObjectType comes before VariableObjectType,
                  and thus is excluded from isVariableObject() checks.
    
    2012-02-05  Gavin Barraclough  <barraclough@apple.com>

            Remove JSObject defineGetter/defineSetter lookupGetter/lookupSetter
            https://bugs.webkit.org/show_bug.cgi?id=77451

            Reviewed by Sam Weinig.

            These can now all be implemented in terms of defineOwnProperty & getPropertyDescriptor.
            Also remove initializeGetterSetterProperty, since this is equivalent to putDirectAccessor.

            * JavaScriptCore.exp:
            * debugger/DebuggerActivation.cpp:
            (JSC::DebuggerActivation::defineOwnProperty):
            * debugger/DebuggerActivation.h:
            (DebuggerActivation):
            * runtime/ClassInfo.h:
            (MethodTable):
            (JSC):
            * runtime/JSBoundFunction.cpp:
            (JSC::JSBoundFunction::finishCreation):
            * runtime/JSCell.cpp:
            (JSC):
            * runtime/JSCell.h:
            (JSCell):
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::getOwnPropertySlot):
            (JSC::JSFunction::getOwnPropertyDescriptor):
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::defineOwnProperty):
            (JSC):
            * runtime/JSGlobalObject.h:
            (JSGlobalObject):
            * runtime/JSObject.cpp:
            (JSC):
            * runtime/JSObject.h:
            (JSObject):
            * runtime/ObjectPrototype.cpp:
            (JSC::objectProtoFuncDefineGetter):
            (JSC::objectProtoFuncDefineSetter):
            (JSC::objectProtoFuncLookupGetter):
            (JSC::objectProtoFuncLookupSetter):

    2012-02-04  Gavin Barraclough  <barraclough@apple.com>
    
            Rubber stamped by Sam Weinig.
    
            * yarr/YarrPattern.cpp:
            (JSC::Yarr::YarrPatternConstructor::quantifyAtom):
                - Fix comment.
    
    2012-02-01  Gavin Barraclough  <barraclough@apple.com>

            calling function on catch block scope containing an eval result in wrong this value being passed
            https://bugs.webkit.org/show_bug.cgi?id=77581

            Reviewed by Oliver Hunt.

            javascript:function F(){ return 'F' in this; }; try { throw F; } catch (e) { eval(""); alert(e()); }

            * bytecompiler/NodesCodegen.cpp:
            (JSC::TryNode::emitBytecode):
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::execute):
            * parser/ASTBuilder.h:
            (JSC::ASTBuilder::createTryStatement):
            * parser/NodeConstructors.h:
            (JSC::TryNode::TryNode):
            * parser/Nodes.h:
            (TryNode):
            * parser/Parser.cpp:
            (JSC::::parseTryStatement):
            * parser/SyntaxChecker.h:
            (JSC::SyntaxChecker::createTryStatement):
            * runtime/JSObject.h:
            (JSObject):
            (JSC::JSObject::isStaticScopeObject):
            (JSC):

2012-02-11  Filip Pizlo  <fpizlo@apple.com>

        Merged WebKit ToT r107492.

    2012-02-11  Filip Pizlo  <fpizlo@apple.com>
    
            [DFG] Misuse of WeakJSConstants in silentFillGPR code.
            https://bugs.webkit.org/show_bug.cgi?id=78423
            <rdar://problem/10849353> <rdar://problem/10804043>
    
            Reviewed by Sam Weinig.
            
            The code was using Node::isConstant(), when it was supposed to use Node::hasConstant().
            This patch is a surgical fix; the bigger problem is: why do we have isConstant() and
            hasConstant() when hasConstant() is correct and isConstant() is almost always wrong?
    
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::silentFillGPR):
    
2012-02-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merging WebKit ToT r106676 r106677

    2012-02-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor MarkedBlock::SizeClass into a separate class
        https://bugs.webkit.org/show_bug.cgi?id=77600

        Reviewed by Geoffrey Garen.

        We pulled SizeClass out into its own class, named MarkedAllocator, and gave it
        the responsibility of allocating objects from the collection of MarkedBlocks 
        that it manages. Also limited the amount of coupling to internal data fields 
        from other places, although it's mostly unavoidable in the JIT code.

        Eventually MarkedAllocator will implement various policies to do with object 
        management, e.g. whether or not to run destructors on objects that it manages.
        MarkedSpace will manage a collection of MarkedAllocators with varying policies,
        as it does now but to a larger extent. 

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        (JSC::Heap::resetAllocators):
        * heap/Heap.h:
        (JSC::Heap::allocatorForObject):
        (Heap):
        * heap/MarkedAllocator.cpp: Added.
        (JSC):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::allocateBlock):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        * heap/MarkedAllocator.h: Added.
        (JSC):
        (DFG):
        (MarkedAllocator):
        (JSC::MarkedAllocator::cellSize):
        (JSC::MarkedAllocator::heap):
        (JSC::MarkedAllocator::setHeap):
        (JSC::MarkedAllocator::setCellSize):
        (JSC::MarkedAllocator::setMarkedSpace):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::reset):
        (JSC::MarkedAllocator::zapFreeList):
        (JSC::MarkedAllocator::forEachBlock):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        (JSC::MarkedSpace::canonicalizeCellLivenessData):
        (JSC::TakeIfUnmarked::operator()):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC::MarkedSpace::allocatorFor):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::didAddBlock):
        (JSC::MarkedSpace::didConsumeFreeList):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):

    2012-02-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix

        Unreviewed build fix

        Forgot to add a couple files.

        * heap/MarkedAllocator.cpp: Added.
        (JSC):
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::tryAllocate):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::allocateBlock):
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        * heap/MarkedAllocator.h: Added.
        (JSC):
        (DFG):
        (MarkedAllocator):
        (JSC::MarkedAllocator::cellSize):
        (JSC::MarkedAllocator::heap):
        (JSC::MarkedAllocator::setHeap):
        (JSC::MarkedAllocator::setCellSize):
        (JSC::MarkedAllocator::setMarkedSpace):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::reset):
        (JSC::MarkedAllocator::zapFreeList):
        (JSC::MarkedAllocator::forEachBlock):


2012-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>

       Merged ToT WebKit r106078

    2012-01-26  Mark Hahnenberg  <mhahnenberg@apple.com>

       Merge AllocationSpace into MarkedSpace
       https://bugs.webkit.org/show_bug.cgi?id=77116

       Reviewed by NOBODY (OOPS!).

       Merging AllocationSpace and MarkedSpace in preparation for future refactoring/enhancement to 
       MarkedSpace allocation.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/AllocationSpace.cpp: Removed.
        * heap/AllocationSpace.h: Removed.
        * heap/BumpSpace.h:
        (BumpSpace):
        * heap/Heap.h:
        (JSC::Heap::objectSpace):
        (Heap):
        ():
        * heap/HeapBlock.h:
        ():
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::tryAllocateHelper):
        (JSC):
        (JSC::MarkedSpace::tryAllocate):
        (JSC::MarkedSpace::allocateSlowCase):
        (JSC::MarkedSpace::allocateBlock):
        (JSC::MarkedSpace::freeBlocks):
        (TakeIfUnmarked):
        (JSC::TakeIfUnmarked::TakeIfUnmarked):
        (JSC::TakeIfUnmarked::operator()):
        (JSC::TakeIfUnmarked::returnValue):
        (JSC::MarkedSpace::shrink):
        (GatherDirtyCells):
        (JSC::GatherDirtyCells::returnValue):
        (JSC::GatherDirtyCells::GatherDirtyCells):
        (JSC::GatherDirtyCells::operator()):
        (JSC::MarkedSpace::gatherDirtyCells):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC::MarkedSpace::blocks):
        (JSC::MarkedSpace::forEachCell):
        (JSC):
        (JSC::MarkedSpace::allocate):

2012-02-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merged ToT r105638

    2012-01-23  Mark Hahnenberg  <mhahnenberg@apple.com> 

        Remove StackBounds from JSGlobalData 
        https://bugs.webkit.org/show_bug.cgi?id=76310 

        Reviewed by Sam Weinig. 

        Removed StackBounds and the stack() function from JSGlobalData since it no  
        longer accessed any members of JSGlobalData. 

        * bytecompiler/BytecodeGenerator.cpp: 
        (JSC::BytecodeGenerator::BytecodeGenerator): 
        * heap/MachineStackMarker.cpp: 
        (JSC::MachineThreads::addCurrentThread): 
        (JSC::MachineThreads::gatherFromCurrentThread): 
        * parser/Parser.cpp: 
        (JSC::::Parser): 
        * runtime/JSGlobalData.cpp: 
        (JSC::JSGlobalData::JSGlobalData): 
        * runtime/JSGlobalData.h: 

2012-02-02  Michael Saboff  <msaboff@apple.com>

        Merged TOT revision 106521

    2012-02-01  Michael Saboff  <msaboff@apple.com>

            Yarr crash with regexp replace
            https://bugs.webkit.org/show_bug.cgi?id=67454

            Reviewed by Gavin Barraclough.

            Properly handle the case of a back reference to an unmatched
            subpattern by always matching without consuming any characters.

            * yarr/YarrInterpreter.cpp:
            (JSC::Yarr::Interpreter::matchBackReference):
            (JSC::Yarr::Interpreter::backtrackBackReference):

2012-02-01  Michael Saboff  <msaboff@apple.com>

        Merged TOT revision 106417

    2012-01-31  Michael Saboff  <msaboff@apple.com>

            StringProtoFuncToUpperCase should call StringImpl::upper similar to StringProtoToLowerCase
            https://bugs.webkit.org/show_bug.cgi?id=76647

            Reviewed by Darin Adler.

            Changed stringProtoFuncToUpperCase to call StringImpl::upper() in a manor similar
            to stringProtoFuncToLowerCase().  Fixed StringImpl::upper() to handle to special
            cases.  One case is s-sharp (0xdf) which converts to "SS".  The other case is 
            for characters which become 16 bit values when converted to upper case.  For
            those, we up convert the the source string and use the 16 bit path.

            * runtime/StringPrototype.cpp:
            (JSC::stringProtoFuncToUpperCase):
            * wtf/text/StringImpl.cpp:
            (WTF::StringImpl::upper):
            * wtf/unicode/CharacterNames.h:
            (smallLetterSharpS): New constant

2012-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merged ToT r106496.

    2012-02-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Replace JSArray destructor with finalizer
        https://bugs.webkit.org/show_bug.cgi?id=77488

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.exp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::finalize): Added finalizer.
        (JSC::JSArray::allocateSparseMap): Factored out code for allocating new sparse maps.
        (JSC):
        (JSC::JSArray::deallocateSparseMap): Factored out code for deallocating sparse maps.
        (JSC::JSArray::enterDictionaryMode): Renamed enterSparseMode to enterDictionaryMode 
        because the old name was confusing because we could have a sparse array that never 
        called enterSparseMode.
        (JSC::JSArray::defineOwnNumericProperty):
        (JSC::JSArray::setLengthWritable):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::sort):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSArray):

2012-01-30  Geoffrey Garen  <ggaren@apple.com>

        Merged TOT revision 106429.

    2012-01-30  Geoffrey Garen  <ggaren@apple.com>

            Stop using -fomit-frame-pointer
            https://bugs.webkit.org/show_bug.cgi?id=77403
            
            Reviewed by Filip Pizlo.
            
            JavaScriptCore is too fast. I'm just the man to fix it.

            * Configurations/JavaScriptCore.xcconfig:

2012-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>

            Merged ToT WebKit r105816

        2012-01-24  Mark Hahnenberg  <mhahnenberg@apple.com>

            Use copying collector for out-of-line JSObject property storage
            https://bugs.webkit.org/show_bug.cgi?id=76665

            Reviewed by Geoffrey Garen.

            * runtime/JSObject.cpp:
            (JSC::JSObject::visitChildren): Changed to use copyAndAppend whenever the property storage is out-of-line.
            Also added a temporary variable to avoid warnings from GCC.
            (JSC::JSObject::allocatePropertyStorage): Changed to use tryAllocateStorage/tryReallocateStorage as opposed to 
            operator new. Also added a temporary variable to avoid warnings from GCC.
            * runtime/JSObject.h:

2012-01-31  Michael Saboff  <msaboff@apple.com>

        Merged TOT revision 106370.

    2012-01-31  Michael Saboff  <msaboff@apple.com>

            ASSERT(m_jumpsToLink.isEmpty()) failing in ARMv7Assembler dtor
            https://bugs.webkit.org/show_bug.cgi?id=77443

            Reviewed by NOBODY (OOPS!).

            Removed failing ASSERT() and thus destructor.  The ASSERT isn't needed.
            We are hitting it in the YARR JIT case where we bail out and go to the
            interpreter with a partially JIT'ed function.  Since we haven't linked
            the JIT'ed code, there is likely to be some unresolved jumps in the vector
            when the ARMv7Assembler destructor is called.  For the case where we
            complete the JIT process, we clear the vector at the end of
            LinkBuffer::linkCode (LinkBuffer.h:292).

            * assembler/ARMv7Assembler.h:
            (ARMv7Assembler):

2012-01-31  Mark Hahnenberg  <mhahnenberg@apple.com>

            Merged ToT WebKit r105442

        2012-01-19  Mark Hahnenberg  <mhahnenberg@apple.com> 

            Implement a new allocator for backing stores 
            https://bugs.webkit.org/show_bug.cgi?id=75181 

            Reviewed by Filip Pizlo.

            We want to move away from using fastMalloc for the backing stores for 
            some of our objects (e.g. JSArray, JSObject, JSString, etc). These backing 
            stores have a nice property in that they only have a single owner (i.e. a 
            single pointer to them at any one time). One way that we can take advantage 
            of this property is to implement a simple bump allocator/copying collector, 
            which will run alongside our normal mark/sweep collector, that only needs to 
            update the single owner pointer rather than having to redirect an arbitrary 
            number of pointers in from-space to to-space.

            This plan can give us a number of benefits. We can beat fastMalloc in terms 
            of both performance and memory usage, we can track how much memory we're using 
            far more accurately than our rough estimation now through the use of 
            reportExtraMemoryCost, and we can allocate arbitrary size objects (as opposed 
            to being limited to size classes like we have been historically). This is also 
            another step toward moving away from lazy destruction, which will improve our memory footprint.
            We start by creating said allocator and moving the ArrayStorage for JSArray 
            to use it rather than fastMalloc.

            The design of the collector is as follows:
            Allocation:
            -The collector allocates 64KB chunks from the OS to use for object allocation.
            -Each chunk contains an offset, a flag indicating if the block has been pinned, 
            and a payload, along with next and prev pointers so that they can be put in DoublyLinkedLists.
            -Any allocation greater than 64KB gets its own separate oversize block, which 
            is managed separately from the rest.
            -If the allocator receives a request for more than the remaining amount in the 
            current block, it grabs a fresh block.
            -Grabbing a fresh block means grabbing one off of the global free list (which is now 
            shared between the mark/sweep allocator and the bump allocator) if there is one. 
            If there isn't a new one we do one of two things: allocate a new block from the OS 
            if we're not ready for a GC yet, or run a GC and then try again. If we still don't 
            have enough space after the GC, we allocate a new block from the OS.

            Garbage collection:
            -At the start of garbage collection during conservative stack scanning, if we encounter 
            what appears to be a pointer to a bump-allocated block of memory, we pin that block so 
            that it will not be copied for this round of collection.
            -We also pin any oversize blocks that we encounter, which effectively doubles as a 
            "mark bit" for that block. Any oversize blocks that aren't pinned at the end of copying 
            are given back to the OS.
            -Marking threads are now also responsible for copying bump-allocated objects to newSpace
            -Each marking thread has a private 64KB block into which it copies bump-allocated objects that it encounters.
            -When that block fills up, the marking thread gives it back to the allocator and requests a new one.
            -When all marking has concluded, each thread gives back its copy block, even if it isn't full.
            -At the conclusion of copying (which is done by the end of the marking phase), we un-pin 
            any pinned blocks and give any blocks left in from-space to the global free list.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateSlowCase):
        (JSC::AllocationSpace::allocateBlock):
        (JSC::AllocationSpace::freeBlocks):
        * heap/AllocationSpace.h:
        (JSC::AllocationSpace::waterMark):
        * heap/BumpBlock.h: Added.
        (JSC::BumpBlock::BumpBlock):
        * heap/BumpSpace.cpp: Added.
        (JSC::BumpSpace::tryAllocateSlowCase):
        * heap/BumpSpace.h: Added.
        (JSC::BumpSpace::isInCopyPhase):
        (JSC::BumpSpace::totalMemoryAllocated):
        (JSC::BumpSpace::totalMemoryUtilized):
        * heap/BumpSpaceInlineMethods.h: Added.
        (JSC::BumpSpace::BumpSpace):
        (JSC::BumpSpace::init):
        (JSC::BumpSpace::contains):
        (JSC::BumpSpace::pin):
        (JSC::BumpSpace::startedCopying):
        (JSC::BumpSpace::doneCopying):
        (JSC::BumpSpace::doneFillingBlock):
        (JSC::BumpSpace::recycleBlock):
        (JSC::BumpSpace::getFreshBlock):
        (JSC::BumpSpace::borrowBlock):
        (JSC::BumpSpace::addNewBlock):
        (JSC::BumpSpace::allocateNewBlock):
        (JSC::BumpSpace::fitsInBlock):
        (JSC::BumpSpace::fitsInCurrentBlock):
        (JSC::BumpSpace::tryAllocate):
        (JSC::BumpSpace::tryAllocateOversize):
        (JSC::BumpSpace::allocateFromBlock):
        (JSC::BumpSpace::tryReallocate):
        (JSC::BumpSpace::tryReallocateOversize):
        (JSC::BumpSpace::isOversize):
        (JSC::BumpSpace::isPinned):
        (JSC::BumpSpace::oversizeBlockFor):
        (JSC::BumpSpace::blockFor):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::blockFreeingThreadMain):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        (JSC::Heap::releaseFreeBlocks):
        * heap/Heap.h:
        (JSC::Heap::waterMark):
        (JSC::Heap::highWaterMark):
        (JSC::Heap::setHighWaterMark):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        * heap/HeapBlock.h: Added.
        (JSC::HeapBlock::HeapBlock):
        * heap/MarkStack.cpp:
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::startCopying):
        (JSC::SlotVisitor::allocateNewSpace):
        (JSC::SlotVisitor::copy):
        (JSC::SlotVisitor::copyAndAppend):
        (JSC::SlotVisitor::doneCopying):
        * heap/MarkStack.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::recycle):
        (JSC::MarkedBlock::MarkedBlock):
        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::SlotVisitor):
        * heap/TinyBloomFilter.h:
        (JSC::TinyBloomFilter::reset):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        (JSC::JSArray::finishCreation):
        (JSC::JSArray::tryFinishCreationUninitialized):
        (JSC::JSArray::~JSArray):
        (JSC::JSArray::enterSparseMode):
        (JSC::JSArray::defineOwnNumericProperty):
        (JSC::JSArray::setLengthWritable):
        (JSC::JSArray::getOwnPropertySlotByIndex):
        (JSC::JSArray::getOwnPropertyDescriptor):
        (JSC::JSArray::putByIndexBeyondVectorLength):
        (JSC::JSArray::deletePropertyByIndex):
        (JSC::JSArray::getOwnPropertyNames):
        (JSC::JSArray::increaseVectorLength):
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::unshiftCount):
        (JSC::JSArray::visitChildren):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sort):
        (JSC::JSArray::compactForSorting):
        (JSC::JSArray::subclassData):
        (JSC::JSArray::setSubclassData):
        (JSC::JSArray::checkConsistency):
        * runtime/JSArray.h:
        (JSC::JSArray::inSparseMode):
        (JSC::JSArray::isLengthWritable):
        * wtf/CheckedBoolean.h: Added.
        (CheckedBoolean::CheckedBoolean):
        (CheckedBoolean::~CheckedBoolean):
        (CheckedBoolean::operator bool):
        * wtf/DoublyLinkedList.h:
        (WTF::::push):
        * wtf/StdLibExtras.h:
        (WTF::isPointerAligned):

2012-01-31  Michael Saboff  <msaboff@apple.com>

        Merged TOT revisions: 106019, 106020, 106253, 106254, 106257 & 106260.

    2012-01-30  Michael Saboff  <msaboff@apple.com>

            CaseFoldingHash::hash() doesn't handle 8 bit strings directly
            https://bugs.webkit.org/show_bug.cgi?id=76652

            Reviewed by Andreas Kling.

            * wtf/text/StringHash.h:
            (WTF::CaseFoldingHash::hash): Added 8 bit string code path.

    2012-01-30  Michael Saboff  <msaboff@apple.com>

            stringProtoFuncReplace converts 8 bit strings to 16 bit during replacement
            https://bugs.webkit.org/show_bug.cgi?id=76651

            Reviewed by Geoffrey Garen.

            Made local function substituteBackreferencesSlow a template function
            based on character width.  Cleaned up getCharacters() in both UString
            and StringImpl.  Changed getCharacters<UChar> to up convert an 8 bit
            string to 16 bits if necessary.

            * runtime/StringPrototype.cpp:
            (JSC::substituteBackreferencesSlow):
            (JSC::substituteBackreferences):
            * runtime/UString.h:
            (JSC::LChar):
            (JSC::UChar):
            * wtf/text/StringImpl.h:
            (WTF::UChar):

    2012-01-30  Michael Saboff  <msaboff@apple.com>

            Dromaeo tests call parseSimpleLengthValue() on 8 bit strings
            https://bugs.webkit.org/show_bug.cgi?id=76649

            Reviewed by Geoffrey Garen.

            * JavaScriptCore.exp: Added export for charactersToDouble.

    2012-01-30  Michael Saboff  <msaboff@apple.com>

            WebCore decodeEscapeSequences unnecessarily converts 8 bit strings to 16 bit when decoding.
            https://bugs.webkit.org/show_bug.cgi?id=76648

            Reviewed by Geoffrey Garen.

            Added a new overloaded append member that takes a String& argument, an offest
            and a length to do direct sub string appending to a StringBuilder.

            * wtf/text/StringBuilder.h:
            (WTF::StringBuilder::append):

    2012-01-26  Michael Saboff  <msaboff@apple.com>

            String::latin1() should take advantage of 8 bit strings
            https://bugs.webkit.org/show_bug.cgi?id=76646

            Reviewed by Geoffrey Garen.

            * wtf/text/WTFString.cpp:
            (WTF::String::latin1): For 8 bit strings, use existing buffer
            without conversion.

    2012-01-26  Michael Saboff  <msaboff@apple.com>

            Dromaeo tests usage of StringImpl find routines cause 8->16 bit conversions
            https://bugs.webkit.org/show_bug.cgi?id=76645

            Reviewed by Geoffrey Garen.

            * wtf/text/StringImpl.cpp:
            (WTF::equalIgnoringCase): New LChar version.
            (WTF::findInner): New helper function.
            (WTF::StringImpl::find): Added 8 bit path.
            (WTF::reverseFindInner): New helper funciton.
            (WTF::StringImpl::reverseFind): Added 8 bit path.
            (WTF::StringImpl::reverseFindIgnoringCase): Added 8 bit path.
            * wtf/text/StringImpl.h:
            (WTF):

2012-01-30  Gavin Barraclough  <barraclough@apple.com>

        Failed to svn add some new files, merging ToT WebKit r106197.

        * tools: Added.
        * tools/CodeProfile.cpp: Added.
        (JSC::symbolName):
        (JSC::truncateTrace):
        (JSC::CodeProfile::sample):
        (JSC::CodeProfile::report):
        * tools/CodeProfile.h: Added.
        (JSC::CodeProfile::CodeProfile):
        (JSC::CodeProfile::parent):
        (JSC::CodeProfile::addChild):
        (JSC::CodeProfile::CodeRecord::CodeRecord):
        * tools/CodeProfiling.cpp: Added.
        (JSC::setProfileTimer):
        (JSC::profilingTimer):
        (JSC::CodeProfiling::sample):
        (JSC::CodeProfiling::notifyAllocator):
        (JSC::CodeProfiling::getOwnerUIDForPC):
        (JSC::CodeProfiling::begin):
        (JSC::CodeProfiling::end):
        * tools/CodeProfiling.h: Added.
        (JSC::CodeProfiling::CodeProfiling):
        (JSC::CodeProfiling::~CodeProfiling):
        (JSC::CodeProfiling::enabled):
        (JSC::CodeProfiling::beVerbose):
        (JSC::CodeProfiling::beVeryVerbose):
        * tools/ProfileTreeNode.h: Added.
        (JSC::ProfileTreeNode::ProfileTreeNode):
        (JSC::ProfileTreeNode::~ProfileTreeNode):
        (JSC::ProfileTreeNode::sampleChild):
        (JSC::ProfileTreeNode::dump):
        (JSC::ProfileTreeNode::count):
        (JSC::ProfileTreeNode::childCount):
        (JSC::ProfileTreeNode::dumpInternal):
        (JSC::ProfileTreeNode::compareEntries):
        * tools/TieredMMapArray.h: Added.
        (JSC::TieredMMapArray::TieredMMapArray):
        (JSC::TieredMMapArray::~TieredMMapArray):
        (JSC::TieredMMapArray::operator[]):
        (JSC::TieredMMapArray::append):
        (JSC::TieredMMapArray::size):

2012-01-27  Gavin Barraclough  <barraclough@apple.com>

        Merged ToT WebKit r104886, r104899, r105636, r105646, r105840, r106197, r106198, r106255, r106264, r106276, r106277, r106288.

    2012-01-30  Gavin Barraclough  <barraclough@apple.com>

            Speculative Windows build fix.

            * assembler/MacroAssemblerCodeRef.h:
            (FunctionPtr):

    2012-01-30  Gavin Barraclough  <barraclough@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=77163
            MacroAssemblerCodeRef.h uses OS(WIN) instead of OS(WINDOWS)

            Rubber stamped by Geoff Garen

            * assembler/MacroAssemblerCodeRef.h:

    2012-01-30  Gavin Barraclough  <barraclough@apple.com>

            Unreviewed build fix for interpreter builds.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            * bytecode/CodeBlock.h:
            (CodeBlock):
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::privateExecute):
            * tools/CodeProfile.cpp:
            (JSC::CodeProfile::sample):

    2012-01-30  Gavin Barraclough  <barraclough@apple.com>

            Unreviewed build fix following bug#76855

            * JavaScriptCore.exp:

    2012-01-30  Gavin Barraclough  <barraclough@apple.com>

            Clean up putDirect
            https://bugs.webkit.org/show_bug.cgi?id=76232

            Reviewed by Sam Weinig.

            Part 3 - merge op_put_getter & op_put_setter.

            Putting these separately is inefficient (and makes future optimiation,
            e.g. making GetterSetter immutable) harder. Change to emit a single
            op_put_getter_setter bytecode op. Ultimately we should probably be
            able to merge this with put direct, to create a common op to initialize
            object literal properties.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dump):
            * bytecode/Opcode.h:
            (JSC):
            ():
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitPutGetterSetter):
            * bytecompiler/BytecodeGenerator.h:
            (BytecodeGenerator):
            * bytecompiler/NodesCodegen.cpp:
            (JSC::PropertyListNode::emitBytecode):
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::privateExecute):
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            * jit/JIT.h:
            (JIT):
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_put_getter_setter):
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emit_op_put_getter_setter):
            * jit/JITStubs.cpp:
            (JSC::DEFINE_STUB_FUNCTION):
            * jit/JITStubs.h:
            ():
            * runtime/JSObject.cpp:
            (JSC::JSObject::putDirectVirtual):
            (JSC::JSObject::putDirectAccessor):
            (JSC):
            (JSC::putDescriptor):
            (JSC::JSObject::defineOwnProperty):
            * runtime/JSObject.h:
            ():
            (JSC::JSObject::putDirectInternal):
            (JSC::JSObject::putDirect):
            (JSC::JSObject::putDirectWithoutTransition):

    2012-01-28  Gavin Barraclough  <barraclough@apple.com>

            Reserve 'let'
            https://bugs.webkit.org/show_bug.cgi?id=77293

            Rubber stamped by Oliver Hunt.

            'let' may become a keyword in ES6.  We're going to try experimentally reserving it,
            to see if this breaks the web.

            * parser/Keywords.table:

    2012-01-27  Gavin Barraclough  <barraclough@apple.com>

            Implement a JIT-code aware sampling profiler for JSC
            https://bugs.webkit.org/show_bug.cgi?id=76855

            Reviewed by Oliver Hunt.

            To enable the profiler, set the JSC_CODE_PROFILING environment variable to
            1 (no tracing the C stack), 2 (trace one level of C code) or 3 (recursively
            trace all samples).

            The profiler requires -fomit-frame-pointer to be removed from the build flags.

            * JavaScriptCore.exp:
                - Removed an export.
            * JavaScriptCore.xcodeproj/project.pbxproj:
                - Added new files
            * bytecode/CodeBlock.cpp:
                - For baseline codeblocks, cache the result of canCompileWithDFG.
            * bytecode/CodeBlock.h:
                - For baseline codeblocks, cache the result of canCompileWithDFG.
            * jit/ExecutableAllocator.cpp:
            (JSC::ExecutableAllocator::initializeAllocator):
                - Notify the profiler when the allocator is created.
            (JSC::ExecutableAllocator::allocate):
                - Inform the allocated of the ownerUID.
            * jit/ExecutableAllocatorFixedVMPool.cpp:
            (JSC::ExecutableAllocator::initializeAllocator):
                - Notify the profiler when the allocator is created.
            (JSC::ExecutableAllocator::allocate):
                - Inform the allocated of the ownerUID.
            * jit/JITStubs.cpp:
                - If profiling, don't mask the return address in JIT code.
                  (We do so to provide nicer backtraces in debug builds).
            * runtime/Completion.cpp:
            (JSC::evaluate):
                - Notify the profiler of script evaluations.
            * tools: Added.
            * tools/CodeProfile.cpp: Added.
            (JSC::symbolName):
                - Helper function to get the name of a symbol in the framework.
            (JSC::truncateTrace):
                - Helper to truncate traces into methods know to have uninformatively deep stacks.
            (JSC::CodeProfile::sample):
                - Record a stack trace classifying samples.
            (JSC::CodeProfile::report):
                - {Print profiler output.
            * tools/CodeProfile.h: Added.
                - new class, captures a set of samples associated with an evaluated script,
                  and nested to record samples from subscripts.
            * tools/CodeProfiling.cpp: Added.
            (JSC::CodeProfiling::profilingTimer):
                - callback fired then a timer event occurs.
            (JSC::CodeProfiling::notifyAllocator):
                - called when the executable allocator is constructed.
            (JSC::CodeProfiling::getOwnerUIDForPC):
                - helper to lookup the codeblock from an address in JIT code
            (JSC::CodeProfiling::begin):
                - enter a profiling scope.
            (JSC::CodeProfiling::end):
                - exit a profiling scope.
            * tools/CodeProfiling.h: Added.
                - new class, instantialed from Completion to define a profiling scope.
            * tools/ProfileTreeNode.h: Added.
                - new class, used to construct a tree of samples.
            * tools/TieredMMapArray.h: Added.
                - new class, a malloc-free vector (can be used while the main thread is suspended,
                  possibly holding the malloc heap lock).
            * wtf/MetaAllocator.cpp:
            (WTF::MetaAllocatorHandle::MetaAllocatorHandle):
            (WTF::MetaAllocator::allocate):
                - Allow allocation handles to track information about their owner.
            * wtf/MetaAllocator.h:
            (MetaAllocator):
                - Allow allocation handles to track information about their owner.
            * wtf/MetaAllocatorHandle.h:
            (MetaAllocatorHandle):
            (WTF::MetaAllocatorHandle::ownerUID):
                - Allow allocation handles to track information about their owner.
            * wtf/OSAllocator.h:
            (WTF::OSAllocator::reallocateCommitted):
                - reallocate an existing, committed memory allocation.

    2012-01-24  Gavin Barraclough  <barraclough@apple.com>
    
            https://bugs.webkit.org/show_bug.cgi?id=76855
            Implement a JIT-code aware sampling profiler for JSC
    
            Reviewed by Oliver Hunt.
    
            Add support to MetaAllocator.cpp to track all live handles in a map,
            allowing lookup based on any address within the allocation.
    
            * wtf/MetaAllocator.cpp:
            (WTF::MetaAllocatorTracker::notify):
            (WTF::MetaAllocatorTracker::release):
                - Track live handle objects in a map.
            (WTF::MetaAllocator::release):
                - Removed support for handles with null m_allocator (no longer used).
                - Notify the tracker of handles being released.
            (WTF::MetaAllocatorHandle::~MetaAllocatorHandle):
                - Moved functionality out into MetaAllocator::release.
            (WTF::MetaAllocatorHandle::shrink):
                - Removed support for handles with null m_allocator (no longer used).
            (WTF::MetaAllocator::MetaAllocator):
                - Initialize m_tracker.
            (WTF::MetaAllocator::allocate):
                - Notify the tracker of new allocations.
            * wtf/MetaAllocator.h:
            (WTF::MetaAllocatorTracker::find):
                - Lookup a MetaAllocatorHandle based on an address inside the allocation.
            (WTF::MetaAllocator::trackAllocations):
                - Register a callback object to track allocation state.
            * wtf/MetaAllocatorHandle.h:
                - Remove unused createSelfManagedHandle/constructor.
            (WTF::MetaAllocatorHandle::key):
                - Added, for use in RedBlackTree.
    
    2012-01-23  Gavin Barraclough  <barraclough@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=76855
            Implement a JIT-code aware sampling profiler for JSC

            Reviewed by Geoff Garen.

            Step 2: generalize RedBlackTree. The profiler is going to want tio use
            a RedBlackTree, allow this class to work with subclasses of
            RedBlackTree::Node, Node should not need to know the names of the m_key
            and m_value fields (the subclass can provide a key() accessor), and
            RedBlackTree does not need to know anything about ValueType.

            * JavaScriptCore.exp:
            * wtf/MetaAllocator.cpp:
            (WTF::MetaAllocator::findAndRemoveFreeSpace):
            (WTF::MetaAllocator::debugFreeSpaceSize):
            (WTF::MetaAllocator::addFreeSpace):
            * wtf/MetaAllocator.h:
            (WTF::MetaAllocator::FreeSpaceNode::FreeSpaceNode):
            (WTF::MetaAllocator::FreeSpaceNode::key):
            * wtf/MetaAllocatorHandle.h:
            (WTF::MetaAllocatorHandle::key):
            * wtf/RedBlackTree.h:
            (WTF::RedBlackTree::Node::successor):
            (WTF::RedBlackTree::Node::predecessor):
            (WTF::RedBlackTree::Node::parent):
            (WTF::RedBlackTree::Node::setParent):
            (WTF::RedBlackTree::Node::left):
            (WTF::RedBlackTree::Node::setLeft):
            (WTF::RedBlackTree::Node::right):
            (WTF::RedBlackTree::Node::setRight):
            (WTF::RedBlackTree::insert):
            (WTF::RedBlackTree::remove):
            (WTF::RedBlackTree::findExact):
            (WTF::RedBlackTree::findLeastGreaterThanOrEqual):
            (WTF::RedBlackTree::findGreatestLessThanOrEqual):
            (WTF::RedBlackTree::first):
            (WTF::RedBlackTree::last):
            (WTF::RedBlackTree::size):
            (WTF::RedBlackTree::treeMinimum):
            (WTF::RedBlackTree::treeMaximum):
            (WTF::RedBlackTree::treeInsert):
            (WTF::RedBlackTree::leftRotate):
            (WTF::RedBlackTree::rightRotate):
            (WTF::RedBlackTree::removeFixup):

    2012-01-23  Gavin Barraclough  <barraclough@apple.com>

            Implement a JIT-code aware sampling profiler for JSC
            https://bugs.webkit.org/show_bug.cgi?id=76855

            Rubber stanmped by Geoff Garen.

            Mechanical change - pass CodeBlock through to the executable allocator,
            such that we will be able to map ranges of JIT code back to their owner.

            * assembler/ARMAssembler.cpp:
            (JSC::ARMAssembler::executableCopy):
            * assembler/ARMAssembler.h:
            * assembler/AssemblerBuffer.h:
            (JSC::AssemblerBuffer::executableCopy):
            * assembler/AssemblerBufferWithConstantPool.h:
            (JSC::AssemblerBufferWithConstantPool::executableCopy):
            * assembler/LinkBuffer.h:
            (JSC::LinkBuffer::LinkBuffer):
            (JSC::LinkBuffer::linkCode):
            * assembler/MIPSAssembler.h:
            (JSC::MIPSAssembler::executableCopy):
            * assembler/SH4Assembler.h:
            (JSC::SH4Assembler::executableCopy):
            * assembler/X86Assembler.h:
            (JSC::X86Assembler::executableCopy):
            (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::compile):
            (JSC::DFG::JITCompiler::compileFunction):
            * dfg/DFGOSRExitCompiler.cpp:
            * dfg/DFGRepatch.cpp:
            (JSC::DFG::generateProtoChainAccessStub):
            (JSC::DFG::tryCacheGetByID):
            (JSC::DFG::tryBuildGetByIDList):
            (JSC::DFG::tryCachePutByID):
            * dfg/DFGThunks.cpp:
            (JSC::DFG::osrExitGenerationThunkGenerator):
            * jit/ExecutableAllocator.cpp:
            (JSC::ExecutableAllocator::allocate):
            * jit/ExecutableAllocator.h:
            * jit/ExecutableAllocatorFixedVMPool.cpp:
            (JSC::ExecutableAllocator::allocate):
            * jit/JIT.cpp:
            (JSC::JIT::privateCompile):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::privateCompileCTIMachineTrampolines):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::privateCompileCTIMachineTrampolines):
            (JSC::JIT::privateCompileCTINativeCall):
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::stringGetByValStubGenerator):
            (JSC::JIT::privateCompilePutByIdTransition):
            (JSC::JIT::privateCompilePatchGetArrayLength):
            (JSC::JIT::privateCompileGetByIdProto):
            (JSC::JIT::privateCompileGetByIdSelfList):
            (JSC::JIT::privateCompileGetByIdProtoList):
            (JSC::JIT::privateCompileGetByIdChainList):
            (JSC::JIT::privateCompileGetByIdChain):
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::stringGetByValStubGenerator):
            (JSC::JIT::privateCompilePutByIdTransition):
            (JSC::JIT::privateCompilePatchGetArrayLength):
            (JSC::JIT::privateCompileGetByIdProto):
            (JSC::JIT::privateCompileGetByIdSelfList):
            (JSC::JIT::privateCompileGetByIdProtoList):
            (JSC::JIT::privateCompileGetByIdChainList):
            (JSC::JIT::privateCompileGetByIdChain):
            * jit/JITStubs.cpp:
            * jit/SpecializedThunkJIT.h:
            (JSC::SpecializedThunkJIT::finalize):
            * yarr/YarrJIT.cpp:
            (JSC::Yarr::YarrGenerator::compile):

    2012-01-12  Gavin Barraclough  <barraclough@apple.com>

            Clean up putDirect (part 2)
            https://bugs.webkit.org/show_bug.cgi?id=76232

            Reviewed by Sam Weinig.

            Rename putWithAttributes to putDirectVirtual, to identify that this
            has the same unchecked-DefineOwnProperty behaviour, change putDirectInternal
            to be templated on an enum indicating which behaviour it is supposed to be
            implementing, and change clients that are defining properties to call
            putDirectInternal correctly.

            * API/JSObjectRef.cpp:
            (JSObjectSetProperty):
            * JavaScriptCore.exp:
            * debugger/DebuggerActivation.cpp:
            (JSC::DebuggerActivation::putDirectVirtual):
            * debugger/DebuggerActivation.h:
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::execute):
            * runtime/ClassInfo.h:
            * runtime/Error.cpp:
            (JSC::addErrorInfo):
            * runtime/JSActivation.cpp:
            (JSC::JSActivation::putDirectVirtual):
            * runtime/JSActivation.h:
            * runtime/JSCell.cpp:
            (JSC::JSCell::putDirectVirtual):
            * runtime/JSCell.h:
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::putDirectVirtual):
            * runtime/JSGlobalObject.h:
            * runtime/JSObject.cpp:
            (JSC::JSObject::put):
            (JSC::JSObject::putDirectVirtual):
            (JSC::JSObject::defineGetter):
            (JSC::JSObject::initializeGetterSetterProperty):
            (JSC::JSObject::defineSetter):
            (JSC::putDescriptor):
            * runtime/JSObject.h:
            (JSC::JSObject::putDirectInternal):
            (JSC::JSObject::putOwnDataProperty):
            (JSC::JSObject::putDirect):
            * runtime/JSStaticScopeObject.cpp:
            (JSC::JSStaticScopeObject::putDirectVirtual):
            * runtime/JSStaticScopeObject.h:
            * runtime/JSVariableObject.cpp:
            (JSC::JSVariableObject::putDirectVirtual):
            * runtime/JSVariableObject.h:

    2012-01-12  Gavin Barraclough  <barraclough@apple.com>

            Clean up putDirect (part 1)
            https://bugs.webkit.org/show_bug.cgi?id=76232

            Reviewed by Sam Weinig.

            putDirect has ambiguous semantics, clean these up a bit.

            putDirect generally behaves a bit like a fast defineOwnProperty, but one that
            always creates the property, with no checking to validate the put it permitted.

            It also encompasses two slightly different behaviors.
            (1) a fast form of put for JSActivation, which doesn't have to handle searching
                the prototype chain, getter/setter properties, or the magic __proto__ value.
                Break this out as a new method, 'putOwnDataProperty'.
            (2) the version of putDirect on JSValue will also check for overwriting ReadOnly
                values, in strict mode. This is, however, not so smart on a few level, since
                it is only called from op_put_by_id with direct set, which is only used with
                an object as the base, and is only used to put new properties onto objects.

            * dfg/DFGOperations.cpp:
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::privateExecute):
            * jit/JITStubs.cpp:
            (JSC::DEFINE_STUB_FUNCTION):
            * runtime/JSActivation.cpp:
            (JSC::JSActivation::put):
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::getOwnPropertySlot):
            * runtime/JSObject.h:
            (JSC::JSObject::putOwnDataProperty):
            * runtime/JSValue.h:

2012-01-26  Geoffrey Garen  <ggaren@apple.com>

        Merged TOT revisions: 105698; 105702; 105703; 105713; 105811.

    2012-01-24  Geoffrey Garen  <ggaren@apple.com>

            JSValue::toString() should return a JSString* instead of a UString
            https://bugs.webkit.org/show_bug.cgi?id=76861

            Fixed two failing layout tests after my last patch.

            Reviewed by Gavin Barraclough.

            * runtime/ArrayPrototype.cpp:
            (JSC::arrayProtoFuncSort): Call value() after calling toString(), as
            in all other cases.
            
            I missed this case because the JSString* type has a valid operator<,
            so the compiler didn't complain.

    2012-01-24  Ilya Tikhonovsky  <loislo@chromium.org>

            Unreviewed build fix for Qt LinuxSH4 build after r105698.

            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::privateExecute):

    2012-01-23  Geoffrey Garen  <ggaren@apple.com>

            JSValue::toString() should return a JSString* instead of a UString
            https://bugs.webkit.org/show_bug.cgi?id=76861

            Reviewed by Gavin Barraclough.
            
            This makes the common case -- toString() on a string -- faster and
            inline-able. (Not a measureable speedup, but we can now remove a bunch
            of duplicate hand-rolled code for this optimization.)
            
            This also clarifies the boundary between "C++ strings" and "JS strings".
            
            In all cases other than true, false, null, undefined, and multi-digit
            numbers, the JS runtime was just retrieving a UString from a JSString,
            so returning a JSString* is strictly better. In the other cases, we can
            optimize to avoid creating a new JSString if we care to, but it doesn't
            seem to be a big deal.

            * JavaScriptCore.exp: Export!
            
            * jsc.cpp:
            (functionPrint):
            (functionDebug):
            (functionRun):
            (functionLoad):
            (functionCheckSyntax):
            (runWithScripts):
            (runInteractive):
            * API/JSValueRef.cpp:
            (JSValueToStringCopy):
            * bytecode/CodeBlock.cpp:
            (JSC::valueToSourceString): Call value() after calling toString(), to
            convert from "JS string" (JSString*) to "C++ string" (UString), since
            toString() no longer returns a "C++ string".

            * dfg/DFGOperations.cpp:
            (JSC::DFG::operationValueAddNotNumber):
            * jit/JITStubs.cpp:
            (op_add): Updated for removal of toPrimitiveString():
            all '+' operands can use toString(), except for object operands, which
            need to take a slow path to call toPrimitive().

            * runtime/ArrayPrototype.cpp:
            (JSC::arrayProtoFuncToString):
            (JSC::arrayProtoFuncToLocaleString):
            (JSC::arrayProtoFuncJoin):
            (JSC::arrayProtoFuncPush):
            * runtime/CommonSlowPaths.h:
            (JSC::CommonSlowPaths::opIn):
            * runtime/DateConstructor.cpp:
            (JSC::dateParse):
            * runtime/DatePrototype.cpp:
            (JSC::formatLocaleDate): Call value() after calling toString(), as above.

            * runtime/ErrorInstance.h:
            (JSC::ErrorInstance::create): Simplified down to one canonical create()
            function, to make string handling easier.

            * runtime/ErrorPrototype.cpp:
            (JSC::errorProtoFuncToString):
            * runtime/ExceptionHelpers.cpp:
            (JSC::createInvalidParamError):
            (JSC::createNotAConstructorError):
            (JSC::createNotAFunctionError):
            (JSC::createNotAnObjectError):
            * runtime/FunctionConstructor.cpp:
            (JSC::constructFunctionSkippingEvalEnabledCheck):
            * runtime/FunctionPrototype.cpp:
            (JSC::functionProtoFuncBind):
            * runtime/JSArray.cpp:
            (JSC::JSArray::sort): Call value() after calling toString(), as above.

            * runtime/JSCell.cpp:
            * runtime/JSCell.h: Removed JSCell::toString() because JSValue does this
            job now. Doing it in JSCell is slower (requires extra type checking), and
            creates the misimpression that language-defined toString() behavior is
            an implementation detail of JSCell.
            
            * runtime/JSGlobalObjectFunctions.cpp:
            (JSC::encode):
            (JSC::decode):
            (JSC::globalFuncEval):
            (JSC::globalFuncParseInt):
            (JSC::globalFuncParseFloat):
            (JSC::globalFuncEscape):
            (JSC::globalFuncUnescape): Call value() after calling toString(), as above.

            * runtime/JSONObject.cpp:
            (JSC::unwrapBoxedPrimitive):
            (JSC::Stringifier::Stringifier):
            (JSC::JSONProtoFuncParse): Removed some manual optimization that toString()
            takes care of.

            * runtime/JSObject.cpp:
            (JSC::JSObject::toString):
            * runtime/JSObject.h: Updated to return JSString*.

            * runtime/JSString.cpp:
            * runtime/JSString.h:
            (JSC::JSValue::toString): Removed, since I removed JSCell::toString().

            * runtime/JSValue.cpp:
            (JSC::JSValue::toStringSlowCase): Removed toPrimitiveString(), and re-
            spawned toStringSlowCase() from its zombie corpse, since toPrimitiveString()
            basically did what we want all the time. (Note that the toPrimitive()
            preference changes from NoPreference to PreferString, because that's
            how ToString is defined in the language. op_add does not want this behavior.)

            * runtime/NumberPrototype.cpp:
            (JSC::numberProtoFuncToString):
            (JSC::numberProtoFuncToLocaleString): A little simpler, now that toString()
            returns a JSString*.

            * runtime/ObjectConstructor.cpp:
            (JSC::objectConstructorGetOwnPropertyDescriptor):
            (JSC::objectConstructorDefineProperty):
            * runtime/ObjectPrototype.cpp:
            (JSC::objectProtoFuncHasOwnProperty):
            (JSC::objectProtoFuncDefineGetter):
            (JSC::objectProtoFuncDefineSetter):
            (JSC::objectProtoFuncLookupGetter):
            (JSC::objectProtoFuncLookupSetter):
            (JSC::objectProtoFuncPropertyIsEnumerable): More calls to value(), as above.

            * runtime/Operations.cpp:
            (JSC::jsAddSlowCase): Need to check for object before taking the toString()
            fast path becuase adding an object to a string requires calling toPrimitive()
            on the object, not toString(). (They differ in their preferred conversion
            type.)

            * runtime/Operations.h:
            (JSC::jsString):
            (JSC::jsStringFromArguments): This code gets simpler, now that toString()
            does the right thing.

            (JSC::jsAdd): Now checks for object, just like jsAddSlowCase().

            * runtime/RegExpConstructor.cpp:
            (JSC::setRegExpConstructorInput):
            (JSC::constructRegExp):
            * runtime/RegExpObject.cpp:
            (JSC::RegExpObject::match):
            * runtime/RegExpPrototype.cpp:
            (JSC::regExpProtoFuncCompile):
            (JSC::regExpProtoFuncToString): More calls to value(), as above.

            * runtime/StringConstructor.cpp:
            (JSC::constructWithStringConstructor):
            (JSC::callStringConstructor): This code gets simpler, now that toString()
            does the right thing.

            * runtime/StringPrototype.cpp:
            (JSC::replaceUsingRegExpSearch):
            (JSC::replaceUsingStringSearch):
            (JSC::stringProtoFuncReplace):
            (JSC::stringProtoFuncCharAt):
            (JSC::stringProtoFuncCharCodeAt):
            (JSC::stringProtoFuncConcat):
            (JSC::stringProtoFuncIndexOf):
            (JSC::stringProtoFuncLastIndexOf):
            (JSC::stringProtoFuncMatch):
            (JSC::stringProtoFuncSearch):
            (JSC::stringProtoFuncSlice):
            (JSC::stringProtoFuncSplit):
            (JSC::stringProtoFuncSubstr):
            (JSC::stringProtoFuncSubstring):
            (JSC::stringProtoFuncToLowerCase):
            (JSC::stringProtoFuncToUpperCase):
            (JSC::stringProtoFuncLocaleCompare):
            (JSC::stringProtoFuncBig):
            (JSC::stringProtoFuncSmall):
            (JSC::stringProtoFuncBlink):
            (JSC::stringProtoFuncBold):
            (JSC::stringProtoFuncFixed):
            (JSC::stringProtoFuncItalics):
            (JSC::stringProtoFuncStrike):
            (JSC::stringProtoFuncSub):
            (JSC::stringProtoFuncSup):
            (JSC::stringProtoFuncFontcolor):
            (JSC::stringProtoFuncFontsize):
            (JSC::stringProtoFuncAnchor):
            (JSC::stringProtoFuncLink):
            (JSC::trimString): Some of this code gets simpler, now that toString()
            does the right thing. More calls to value(), as above.

2012-01-24  Yongjun Zhang  <yongjun_zhang@apple.com>

        <rdar://problem/10092396> TLF: Safari should not jetsam across the top 1M sites (Memory pressure logging)

        Merged ToT r104125.

    2012-01-24  Mark Rowe  <mrowe@apple.com>

            <http://webkit.org/b/75606> [Mac] WTF logging functions should output to both stderr and ASL

            We should always log to both ASL and stderr on platforms where this won't result in launchd
            duplicating the messages.

            Reviewed by Dan Bernstein.

            * wtf/Assertions.cpp:
            (vprintf_stderr_common):

2012-01-19  Geoffrey Garen  <ggaren@apple.com>

        Merged TOT revision 105539.

    2012-01-19  Geoffrey Garen  <ggaren@apple.com>

            Removed some regexp entry boilerplate code
            https://bugs.webkit.org/show_bug.cgi?id=76687

            Reviewed by Darin Adler.
            
            1% - 2% speedup on regexp tests, no change overall.

            * runtime/RegExp.cpp:
            (JSC::RegExp::match):
                - ASSERT that our startIndex is non-negative, because anything less
                would be uncivilized.
                
                - ASSERT that our input is not the null string for the same reason.

                - No need to test for startOffset being past the end of the string,
                since the regular expression engine will do this test for us.

                - No need to initialize the output vector, since the regular expression
                engine will fill it in for us.

            * yarr/YarrInterpreter.cpp:
            (JSC::Yarr::Interpreter::interpret):
            * yarr/YarrJIT.cpp:
            (JSC::Yarr::YarrGenerator::compile):
            
                RegExp used to do these jobs for us, but now we do them for ourselves
                because it's a better separation of concerns, and the JIT can do them
                more efficiently than C++ code:

                - Test for "past the end" before doing any matching -- otherwise
                a* will match with zero length past the end of the string, which is wrong.

                - Initialize the output vector before doing any matching.

2012-01-19  Geoffrey Garen  <ggaren@apple.com>

        Merged TOT revision 105444.

    2012-01-19  Geoffrey Garen  <ggaren@apple.com>

            Implicit creation of a regular expression should eagerly check for syntax errors
            https://bugs.webkit.org/show_bug.cgi?id=76642

            Reviewed by Oliver Hunt.
            
            This is a correctness fix and a slight optimization.

            * runtime/StringPrototype.cpp:
            (JSC::stringProtoFuncMatch):
            (JSC::stringProtoFuncSearch): Check for syntax errors because that's the
            correct behavior.

            * runtime/RegExp.cpp:
            (JSC::RegExp::match): ASSERT that we aren't a syntax error. (One line
            of code change, many lines of indentation change.)

            Since we have no clients that try to match a RegExp that is a syntax error,
            let's optimize out the check.

2012-01-17  Geoffrey Garen  <ggaren@apple.com>

        Merged TOT revision 105223.

    2012-01-17  Geoffrey Garen  <ggaren@apple.com>

            Factored out some code into a helper function.
            
            I think this might help getting rid of omit-frame-pointer.

            Reviewed by Sam Weinig.
            
            No benchmark change.

            * runtime/StringPrototype.cpp:
            (JSC::removeUsingRegExpSearch): Moved to here...
            (JSC::replaceUsingRegExpSearch): ...from here.

2012-01-12  Gavin Barraclough  <barraclough@apple.com>

        Merged ToT revisions 104602, 104604, 104611, 104620, 104777, 104784, 104836, 104871.

    2012-01-12  Gavin Barraclough  <barraclough@apple.com>
    
            https://bugs.webkit.org/show_bug.cgi?id=76141
            defineSetter/defineGetter may fail to update Accessor attribute
    
            Reviewed by Oliver Hunt.
    
            * runtime/JSObject.cpp:
            (JSC::JSObject::defineGetter):
            (JSC::JSObject::initializeGetterSetterProperty):
            (JSC::JSObject::defineSetter):
            * runtime/Structure.cpp:
            (JSC::Structure::attributeChangeTransition):
            * runtime/Structure.h:
    
    2012-01-11  Gavin Barraclough  <barraclough@apple.com>
    
            Allow accessor get/set property to be set to undefined
            https://bugs.webkit.org/show_bug.cgi?id=76148
    
            Reviewed by Oliver Hunt.
    
            AccessorDescriptor properties may have their get & set properties defined to reference a function
            (Callable object) or be set to undefined. Valid PropertyDescriptors created by toPropertyDescriptor
            (defined from JS code via Object.defineProperty, etc) have get and set properties that are in one of
            three states (1) nonexistent, (2) set to undefined, or (3) a function (any Callable object).
    
            On the PropertyDescriptor object these three states are represneted by JSValue(), jsUndefined(), and
            any JSObject* (with a constraint that this must be callable).
    
            Logically the get/set property of an accessor descriptor on an object might be in any of the three
            states above, but in practice there is no way to distinguish between the first two states. As such
            we stor the get/set values in property storage in a JSObject* field, with 0 indicating absent or
            undefined. When unboxing to a PropertyDescriptor, map this back to a JS undefined value.
    
            * runtime/GetterSetter.h:
            (JSC::GetterSetter::setGetter):
            (JSC::GetterSetter::setSetter):
                - Allow the getter/setter to be cleared.
            * runtime/JSArray.cpp:
            (JSC::JSArray::putDescriptor):
                - Changed to call getterObject/setterObject.
            (JSC::JSArray::defineOwnNumericProperty):
                - Added ASSERT.
            * runtime/JSObject.cpp:
            (JSC::putDescriptor):
            (JSC::JSObject::defineOwnProperty):
                - Changed to call getterObject/setterObject.
            * runtime/ObjectConstructor.cpp:
            (JSC::objectConstructorGetOwnPropertyDescriptor):
                - getter/setter values read from properties on object are never missing, they will now be set as undefined by 'setDescriptor'.
            (JSC::toPropertyDescriptor):
                - Do not translate undefined->empty, this loses an important distinction between a get/set property being absent, or being explicitly set to undefined.
            * runtime/PropertyDescriptor.cpp:
            (JSC::PropertyDescriptor::getterObject):
            (JSC::PropertyDescriptor::setterObject):
                - Accessors to convert the get/set property to an object pointer, converting undefined to 0.
            (JSC::PropertyDescriptor::setDescriptor):
            (JSC::PropertyDescriptor::setAccessorDescriptor):
                - Translate a getter/setter internally represented at 0 to undefined, indicating that it is present.
            * runtime/PropertyDescriptor.h:
                - Declare getterObject/setterObject.
    
    2012-01-11  Gavin Barraclough  <barraclough@apple.com>
    
            Merge 'Getter'/'Setter' attributes into 'Accessor'
            https://bugs.webkit.org/show_bug.cgi?id=76141
    
            Reviewed by Filip Pizlo.
    
            These are currently ambiguous (and used inconsistently). It would logically appear
            that either being bit set implies that the corresponding type of accessor is present
            but (a) we don't correctly enforce this, and (b) this means the attributes would not
            be able to distinguish between a data descriptor and an accessor descriptor with
            neither a getter nor setter defined (which is a descriptor permissible under the spec).
            This ambiguity would lead to unsafe property caching behavior (though this does not
            represent an actual current bug, since we are currently unable to create descriptors
            that have neither a getter nor setter, it just prevents us from doing so).
    
            * runtime/Arguments.cpp:
            (JSC::Arguments::createStrictModeCallerIfNecessary):
            (JSC::Arguments::createStrictModeCalleeIfNecessary):
            * runtime/JSArray.cpp:
            (JSC::SparseArrayValueMap::put):
            (JSC::JSArray::putDescriptor):
            * runtime/JSBoundFunction.cpp:
            (JSC::JSBoundFunction::finishCreation):
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::getOwnPropertySlot):
            (JSC::JSFunction::getOwnPropertyDescriptor):
            * runtime/JSObject.cpp:
            (JSC::JSObject::defineGetter):
            (JSC::JSObject::initializeGetterSetterProperty):
            (JSC::JSObject::defineSetter):
            (JSC::putDescriptor):
            (JSC::JSObject::defineOwnProperty):
            * runtime/JSObject.h:
            * runtime/ObjectConstructor.cpp:
            (JSC::objectConstructorDefineProperty):
            * runtime/PropertyDescriptor.cpp:
            (JSC::PropertyDescriptor::setDescriptor):
            (JSC::PropertyDescriptor::setAccessorDescriptor):
            (JSC::PropertyDescriptor::setSetter):
            (JSC::PropertyDescriptor::setGetter):
            (JSC::PropertyDescriptor::attributesOverridingCurrent):
    
    2012-01-11  Gavin Barraclough  <barraclough@apple.com>
    
            Object.defineProperty([], 'length', {}) should not make length read-only
            https://bugs.webkit.org/show_bug.cgi?id=76097
    
            Reviewed by Oliver Hunt.
    
            * runtime/JSArray.cpp:
            (JSC::JSArray::defineOwnProperty):
                - We should be checking writablePresent().
    
    2012-01-10  Gavin Barraclough  <barraclough@apple.com>
    
            Windows build fix.
    
            * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
    
    2012-01-10  Gavin Barraclough  <barraclough@apple.com>
    
            Use SameValue to compare property descriptor values
            https://bugs.webkit.org/show_bug.cgi?id=75975
    
            Reviewed by Sam Weinig.
    
            Rather than strictEqual.
    
            * runtime/JSArray.cpp:
            (JSC::JSArray::defineOwnNumericProperty):
                - Missing configurablePresent() check.
            * runtime/JSObject.cpp:
            (JSC::JSObject::defineOwnProperty):
                - call sameValue.
            * runtime/PropertyDescriptor.cpp:
            (JSC::sameValue):
                - Moved from JSArray.cpp, fix NaN comparison.
            (JSC::PropertyDescriptor::equalTo):
                - call sameValue.
            * runtime/PropertyDescriptor.h:
                - Added declaration for sameValue.
    2011-12-26  Gavin Barraclough  <barraclough@apple.com>

            Build fix following https://bugs.webkit.org/show_bug.cgi?id=75935

            Fix 32-bit builds.

            * runtime/JSArray.cpp:
            (JSC::JSArray::getOwnPropertyNames):
            (JSC::JSArray::setLength):

    2012-01-10  Gavin Barraclough  <barraclough@apple.com>
  
            Do not allow Array length to be set if it is non-configurable
            https://bugs.webkit.org/show_bug.cgi?id=75935
    
            Reviewed by Sam Weinig.
    
            Do not allow Array length to be set if it is non-configurable, and if the new
            length is less than the old length then intervening properties should removed
            in reverse order. Removal of properties should cease if an intervening indexed
            property being removed is non-configurable.
    
            * JavaScriptCore.exp:
                - Removed export for setLength.
            * runtime/ArrayPrototype.cpp:
            (JSC::arrayProtoFuncConcat):
                - JSArray::setLength now takes an ExecState*
            (JSC::arrayProtoFuncSlice):
                - JSArray::setLength now takes an ExecState*
            * runtime/JSArray.cpp:
            (JSC::JSArray::defineOwnProperty):
                - JSArray::setLength now takes an ExecState*
            (JSC::JSArray::put):
                - JSArray::setLength now takes an ExecState*
            (JSC::compareKeysForQSort):
                - Keys extracted from the map can be stored as unsigneds.
            (JSC::JSArray::getOwnPropertyNames):
                - Keys extracted from the map can be stored as unsigneds.
            (JSC::JSArray::setLength):
                - Check lengthIsReadOnly(), rather than copying the entire map to iterate
                  over to determine which keys to remove, instead just copy the keys from
                  the map to a Vector. When inSparseMode sort the keys in the Vector so
                  that we can remove properties in reverse order.
            * runtime/JSArray.h:
                - JSArray::setLength now takes an ExecState*
    
2012-01-11  Geoffrey Garen  <ggaren@apple.com>

        Merged TOT revision 104770.

    2012-01-11  Geoffrey Garen  <ggaren@apple.com>

            Bytecode dumping is broken for call opcodes (due to two new operands)
            https://bugs.webkit.org/show_bug.cgi?id=75886

            Reviewed by Oliver Hunt.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::printCallOp): Made a helper function, so I wouldn't have
            to fix this more than once. The helper function skips the extra two operands
            at the end of the opcode, used for optimization.
            
            (JSC::CodeBlock::dump): Used the helper function.

2012-01-09  Geoffrey Garen  <ggaren@apple.com>

        Merged TOT revision 104762.

    2012-01-09  Geoffrey Garen  <ggaren@apple.com>

            REGRESSION: d3 Bullet Charts demo doesn't work (call with argument assignment is broken)
            https://bugs.webkit.org/show_bug.cgi?id=75911

            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::emitNodeForLeftHandSide): Cleanup: No need to
            explicitly cast to our return type in C++.

            * bytecompiler/NodesCodegen.cpp:
            (JSC::FunctionCallResolveNode::emitBytecode):
            (JSC::ApplyFunctionCallDotNode::emitBytecode): Make sure to copy our function
            into a temporary register before evaluating our arguments, since argument
            evaluation might include function calls or assignments that overwrite our callee by name.

2012-01-11  Michael Saboff  <msaboff@apple.com>

        Merged ToT revision 104751

    2012-01-11  Michael Saboff  <msaboff@apple.com>

            v8-regexp spends 35% of its time allocating and copying internal regexp results data
            https://bugs.webkit.org/show_bug.cgi?id=76079

            Reviewed by Geoffrey Garen.

            Added a new RegExpResults struct that has the input string, the number of
            subexpressions and the output vector.  Changed RegExpConstructor to
            include a RegExpConstructorPrivate instead of having a reference to one.
            Changed RegExpMatchesArray to include a RegExpResults instead of a
            reference to a RegExpConstructorPrivate.  Created an overloaded assignment
            operator to assign a RegExpConstructorPrivate to a RegExpResults.
            Collectively this change is worth 24% performance improvement to v8-regexp.

            * runtime/RegExpConstructor.cpp:
            (JSC::RegExpResult::operator=):
            (JSC::RegExpConstructor::RegExpConstructor):
            (JSC::RegExpMatchesArray::RegExpMatchesArray):
            (JSC::RegExpMatchesArray::finishCreation):
            (JSC::RegExpMatchesArray::~RegExpMatchesArray):
            (JSC::RegExpMatchesArray::fillArrayInstance):
            (JSC::RegExpConstructor::arrayOfMatches):
            (JSC::RegExpConstructor::getBackref):
            (JSC::RegExpConstructor::getLastParen):
            (JSC::RegExpConstructor::getLeftContext):
            (JSC::RegExpConstructor::getRightContext):
            (JSC::RegExpConstructor::setInput):
            (JSC::RegExpConstructor::input):
            (JSC::RegExpConstructor::setMultiline):
            (JSC::RegExpConstructor::multiline):
            * runtime/RegExpConstructor.h:
            (JSC::RegExpResult::RegExpResult):
            (JSC::RegExpConstructor::performMatch):
            * runtime/RegExpMatchesArray.h:
            (JSC::RegExpMatchesArray::create):
            (JSC::RegExpMatchesArray::getOwnPropertySlot):
            (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex):
            (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
            (JSC::RegExpMatchesArray::put):
            (JSC::RegExpMatchesArray::putByIndex):
            (JSC::RegExpMatchesArray::deleteProperty):
            (JSC::RegExpMatchesArray::deletePropertyByIndex):
            (JSC::RegExpMatchesArray::getOwnPropertyNames):

2012-01-10  Filip Pizlo  <fpizlo@apple.com>
        
        Merged ToT revision r103023.

    2011-12-15  Filip Pizlo  <fpizlo@apple.com>
    
            Value profiling should distinguished between NaN and non-NaN doubles
            https://bugs.webkit.org/show_bug.cgi?id=74682
    
            Reviewed by Gavin Barraclough.
            
            Added PredictDoubleReal and PredictDoubleNaN. PredictDouble is now the union
            of the two.
    
            * bytecode/PredictedType.cpp:
            (JSC::predictionToString):
            (JSC::predictionFromValue):
            * bytecode/PredictedType.h:
            (JSC::isDoubleRealPrediction):
            (JSC::isDoublePrediction):
    
2012-01-10  Filip Pizlo  <fpizlo@apple.com>
        
        Merged ToT revision r104630.

    2012-01-10  Filip Pizlo  <fpizlo@apple.com>
    
            CodeBlock::m_numParameters should be encapsulated
            https://bugs.webkit.org/show_bug.cgi?id=75985
            <rdar://problem/10671020>
    
            Reviewed by Oliver Hunt.
            
            Encapsulated CodeBlock::m_numParameters and hooked argument profile creation
            into it.  This appears to be performance neutral.
    
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::setNumParameters):
            (JSC::CodeBlock::addParameter):
            * bytecode/CodeBlock.h:
            (JSC::CodeBlock::numParameters):
            (JSC::CodeBlock::addressOfNumParameters):
            (JSC::CodeBlock::offsetOfNumParameters):
            (JSC::CodeBlock::numberOfArgumentValueProfiles):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            (JSC::BytecodeGenerator::addParameter):
            (JSC::BytecodeGenerator::emitReturn):
            * dfg/DFGAbstractState.cpp:
            (JSC::DFG::AbstractState::AbstractState):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::ByteCodeParser):
            (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::predictArgumentTypes):
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::compileFunction):
            * dfg/DFGOperations.cpp:
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::slideRegisterWindowForCall):
            (JSC::Interpreter::dumpRegisters):
            (JSC::Interpreter::execute):
            (JSC::Interpreter::prepareForRepeatCall):
            * jit/JIT.cpp:
            (JSC::JIT::privateCompile):
            * jit/JITStubs.cpp:
            (JSC::arityCheckFor):
            (JSC::lazyLinkFor):
            * runtime/Executable.cpp:
            (JSC::FunctionExecutable::compileForCallInternal):
            (JSC::FunctionExecutable::compileForConstructInternal):
    
2012-01-9   Michael Saboff  <msaboff@apple.com>

        Merged ToT WebKit r104429

    2012-01-08  Ryosuke Niwa  <rniwa@webkit.org>

            WinCE build fix after r104415.

            * jit/JITExceptions.cpp:
            * jit/JITExceptions.h:

2012-01-08  Filip Pizlo  <fpizlo@apple.com>

        Merged ToT WebKit r104415.

    2012-01-08  Filip Pizlo  <fpizlo@apple.com>
    
            The JIT's protocol for exception handling should be available to other parts of the system
            https://bugs.webkit.org/show_bug.cgi?id=75808
            <rdar://problem/10661025>
    
            Reviewed by Oliver Hunt.
    
            * CMakeLists.txt:
            * GNUmakefile.list.am:
            * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * Target.pri:
            * jit/JITExceptions.cpp: Added.
            (JSC::genericThrow):
            (JSC::jitThrow):
            * jit/JITExceptions.h: Added.
            * jit/JITStubs.cpp:
            * runtime/JSGlobalData.h:

2012-01-08  Filip Pizlo  <fpizlo@apple.com>

        Merged ToT WebKit r104349.

    2012-01-06  Filip Pizlo  <fpizlo@apple.com>
    
            JIT stub slow paths that would be identical to that of an interpreter should be factored out
            https://bugs.webkit.org/show_bug.cgi?id=75743
            <rdar://problem/10657024>
    
            Reviewed by Geoff Garen.
    
            * GNUmakefile.list.am:
            * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * jit/JITStubs.cpp:
            (JSC::DEFINE_STUB_FUNCTION):
            * runtime/CommonSlowPaths.h: Added.
            (JSC::CommonSlowPaths::opInstanceOfSlow):
            (JSC::CommonSlowPaths::opIn):
            (JSC::CommonSlowPaths::opResolve):
            (JSC::CommonSlowPaths::opResolveSkip):
            (JSC::CommonSlowPaths::opResolveWithBase):
            (JSC::CommonSlowPaths::opResolveWithThis):
    
2012-01-06  Filip Pizlo  <fpizlo@apple.com>

        Fixing jsc so that it will run without crashing on device.
        
        Reviewed by Gavin Barraclough.

        * jsc.cpp:
        (main):

2012-01-05  Michael Saboff  <msaboff@apple.com>

        Merged ToT WebKit JavaScriptCore Changes up to r104219

        This change includes merges from OpenSource from the following JavaScriptCore
        changes sets and corresponding changes in other parts of WebCore where needed.
        It also includes the proposed fix for bugzilla bug 75595.
        r100006 r100030 r100031 r100037 r100039 r100080 r100081 r100082 r100095 r100165
        r100166 r100167 r100168 r100171 r100175 r100195 r100197 r100200 r100202 r100205
        r100205 r100208 r100219 r100221 r100223 r100224 r100227 r100242 r100244 r100260
        r100310 r100314 r100315 r100320 r100363 r100375 r100385 r100391 r100405 r100412
        r100417 r100418 r100462 r100469 r100493 r100510 r100514 r100516 r100518 r100521
        r100523 r100527 r100537 r100540 r100544 r100556 r100672 r100729 r100810 r100820
        r100822 r100829 r100876 r100878 r100879 r100880 r100881 r100883 r100888 r100972
        r100975 r101042 r101054 r101147 r101148 r101151 r101152 r101186 r101187 r101217
        r101278 r101283 r101291 r101295 r101298 r101304 r101305 r101324 r101332 r101334
        r101426 r101443 r101447 r101448 r101450 r101457 r101473 r101521 r101528 r101539
        r101582 r101598 r101604 r101615 r101639 r101693 r101713 r101729 r101747 r101806
        r101886 r101910 r101942 r101945 r101946 r101964 r102011 r102017 r102028 r102038
        r102042 r102057 r102059 r102061 r102065 r102082 r102084 r102146 r102167 r102169
        r102179 r102182 r102194 r102200 r102220 r102261 r102293 r102295 r102298 r102302
        r102380 r102442 r102459 r102475 r102485 r102489 r102508 r102509 r102522 r102534
        r102545 r102546 r102547 r102549 r102550 r102623 r102629 r102631 r102692 r102694
        r102707 r102709 r102723 r102728 r102743 r102811 r102831 r102869 r102917 r102931
        r103023 r103028 r103083 r103127 r103144 r103202 r103218 r103243 r103287 r103292
        r103294 r103299 r103306 r103356 r103364 r103380 r103384 r103390 r103392 r103482
        r103522 r103587 r103594 r103598 r103599 r103604 r103626 r103636 r103637 r103641
        r103665 r103672 r103674 r103689 r103691 r103697 r103698 r103699 r103728 r103758
        r103792 r103818 r103823 r103887 r103921 r103922 r103924 r103926 r103958 r103960
        r103964 r103981 r104016 r104086 r104090 r104094 r104105 r104107 r104119 r104120
        r104184 r104212 r104219

2011-12-19  Gavin Barraclough  <barraclough@apple.com>

        <rdar://problem/10537229> MERGE2: Crash on http://alibaba.com/

        Merged ToT WebKit r102200, r102811, and r103294.

    2011-12-06  Filip Pizlo  <fpizlo@apple.com>

            DFG 32_64 call linking does not handle non-cell callees correctly
            https://bugs.webkit.org/show_bug.cgi?id=73965

            Reviewed by Sam Weinig.

            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::emitCall):

    2011-12-14  Gavin Barraclough  <barraclough@apple.com>

            DFG relies on returning a struct in registers
            https://bugs.webkit.org/show_bug.cgi?id=74527

            Reviewed by Geoff Garen.

            This will not work on all platforms. Returning a uint64_t will more reliably achieve
            what we want, on 32-bit platforms (on 64-bit, stick with the struct return).

            * dfg/DFGOperations.cpp:
            * dfg/DFGOperations.h:
            (JSC::DFG::DFGHandler::dfgHandlerEncoded):

    2011-12-19  Gavin Barraclough  <barraclough@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=74903
            Exceptions not thrown correctly from DFG JIT on 32bit

            Reviewed by Oliver Hunt.

            Arguments for lookupExceptionHandler are not setup correctly.
            In the case of ARMv7 we rely on lr being preserved over a call,
            this in invalid. On x86 we don't should be poking the arguments onto the stack!

            * bytecode/CodeBlock.h:
            (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
            * dfg/DFGAssemblyHelpers.h:
            (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
            * dfg/DFGGPRInfo.h:
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::compileBody):
            * dfg/DFGJITCompiler.h:
            (JSC::DFG::JITCompiler::addExceptionCheck):
            (JSC::DFG::JITCompiler::addFastExceptionCheck):
            * dfg/DFGOperations.cpp:
            * dfg/DFGOperations.h:

2011-12-18  Benjamin Poulain  <bpoulain@apple.com>

        De-virtualize iOS methods of for JSObjects

        Reviewed by NOBODY (OOPS!).

        The patches r98203 and r99997 remove the virtual functions from JSObjects.

        After r103083, the iOS virtual functions break the build because the virtual
        destructors are removed.

        This patch implement shouldInterruptScriptBeforeTimeout() in a non-virtual way,
        similarly to what was done in r99997.

        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout):
        * runtime/TimeoutChecker.cpp:
        (JSC::TimeoutChecker::didTimeOut):

2011-12-09  Joseph Pecoraro  <pecoraro@apple.com>

        <rdar://problem/9878650> Remove WebInspectorServer*HTTP code

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig: Remove ENABLE_HTTP_INSPECTOR_SERVER

2011-12-09  Joseph Pecoraro  <pecoraro@apple.com>

        Merged ToT WebKit r102011.

    2011-12-06  Filip Pizlo  <fpizlo@apple.com>

            Zapping a block that is Marked leads to dead objects being mistaken for live ones
            https://bugs.webkit.org/show_bug.cgi?id=73982

            Reviewed by Geoff Garen.

            Changed the zapping code to ignore blocks that are Marked or Zapped. Additionally,
            the code asserts that:

            - If we zap a Marked or Zapped block then the free list is empty, because this
              can only happen if the block was never free-listed.

            - Zapping can only happen for Marked, Zapped, or FreeListed blocks, since Allocated
              blocks are those that cannot be referred to by SizeClass::currentBlock (since
              SizeClass::currentBlock only refers to blocks that are candidates for allocation,
              and Allocated blocks are those who have been exhausted by allocation and will not
              be allocated from again), and New blocks cannot be referred to by anything except
              during a brief window inside the allocation slow-path.

            * heap/MarkedBlock.cpp:
            (JSC::MarkedBlock::zapFreeList):

2011-11-29  Jer Noble  <jer.noble@apple.com>

        iOS: Enable the Web Audio API
        <rdar://problem/10388394>

        Reviewed by NOBODY (OOPS!).

        Define the ENABLE_WEB_AUDIO macro in PLATFORM(IOS).

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-12-06  Joseph Pecoraro  <pecoraro@apple.com>

        Merged ToT WebKit r102011.

    2011-12-01  Gavin Barraclough  <barraclough@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=73624
            JIT + INTERPRETER builds are broken

            Reviewed by Geoff Garen, Sam Weinig.

            These don't fallback to the interpreter correctly.
            Thunk creation assumes that is the JIT is compiled in, then it is enabled.

            * jit/JITStubs.cpp:
            (JSC::JITThunks::JITThunks):
            * runtime/Executable.h:
            (JSC::NativeExecutable::create):
            (JSC::NativeExecutable::finishCreation):
            * runtime/JSGlobalData.cpp:
            (JSC::JSGlobalData::getHostFunction):

2011-12-06  Joseph Pecoraro  <pecoraro@apple.com>

        Merged ToT WebKit r102011.

    2011-12-01  Gavin Barraclough  <barraclough@apple.com>

            https://bugs.webkit.org/show_bug.cgi?id=73624
            JIT + INTERPRETER builds are broken

            Reviewed by Geoff Garen, Sam Weinig.

            These don't fallback to the interpreter correctly.
            Thunk creation assumes that is the JIT is compiled in, then it is enabled.

            * jit/JITStubs.cpp:
            (JSC::JITThunks::JITThunks):
            * runtime/Executable.h:
            (JSC::NativeExecutable::create):
            (JSC::NativeExecutable::finishCreation):
            * runtime/JSGlobalData.cpp:
            (JSC::JSGlobalData::getHostFunction):

2011-12-05  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/10525873> Homebrew: JavaScriptCore-1009 failed to build ( #error Target architecture was not detected as supported by Double-Conversion. )

        Reviewed by Ian Henderson and Cameron "Nobody would design an FPU like Intel did these days" Zwarich.

        * wtf/dtoa/utils.h: Define
        DOUBLE_CONVERSION_CORRECT_DOUBLE_OPERATIONS for CPU(ARM64).

2011-12-03  Benjamin Poulain <bpoulain@apple.com>

        Merge WebKit ToT 100518.

    2011-11-16  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed. Build fix for !ENABLE(JIT) after r100363.

        * bytecode/CodeBlock.h:

2011-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Remove unused StringImpl::wordCount.

        Reviewed by Paul Knight.

        * wtf/text/StringImpl.cpp:
        * wtf/text/StringImpl.h:

2011-11-10  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/10423071> /System/Library/Frameworks/JavaScriptCore.framework should not exist, but does (72049)

        Merged ToT WebKit r99906.

    2011-11-10  David Kilzer  <ddkilzer@apple.com>

        <http://webkit.org/b/72049> Specify testapi.js install path using JAVASCRIPTCORE_FRAMEWORKS_DIR

        Reviewed by Joseph Pecoraro.

        * JavaScriptCore.xcodeproj/project.pbxproj: The testapi.js
        script should use JAVASCRIPTCORE_FRAMEWORKS_DIR in its dstPath
        for installation.  Also removed "Versions/A/" from the path
        since this is unneeded due the default symlinks present in the
        framework.

2011-11-04  Pratik Solanki  <psolanki@apple.com>

        Merged ToT WebKit r99333 to fix compiler warning in debug builds.

    2011-11-04  Pratik Solanki  <psolanki@apple.com>

        sqrtDouble and andnotDouble should be declared noreturn
        https://bugs.webkit.org/show_bug.cgi?id=71592

        Reviewed by Sam Weinig.

        * assembler/MacroAssemblerARMv7.h:

2011-10-16  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/10291619> Fix arm64 build of JavaScriptCore, WebCore, WebKit

        Reviewed by Cameron Zwarich.

        * Configurations/Base.xcconfig: Don't use -Wshorten-64-to-32
        when building arm64.  This matches Mac OS X 64-bit builds.
        * Configurations/JavaScriptCore.xcconfig: Set
        JSVALUE_MODEL_arm64 so the correct export file is found.
        * heap/MachineStackMarker.cpp: Update for arm64.
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):
        * wtf/Platform.h: Define CPU(ARM64) and WTF_ARM_ARCH_VERSION for
        arm64 architecture.  Disable the JIT on arm64 because it does
        not exist.  Set WTF_USE_JSVALUE64 for arm64.

2011-10-14  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/10255213> JavaScriptCore_Sim fails to build for x86_64

        Reviewed by Joseph Pecoraro.

        * Configurations/Base.xcconfig: Don't use -Wshorten-64-to-32
        when building the 64-bit simulator.  Matches Mac OS X 64-bit
        builds.
        * wtf/Platform.h: Removed IOS_4_3_OR_LATER macro.  Updated
        interpreter/JIT/YARR settings to separate iOS Simulator from
        current hardware, and removed old iOS and armv6 settings.  This
        fixes a bug where WTF_USE_JSVALUE32_64 was being set for the
        simulator regardless of architecture.

2011-09-30  Dan Bernstein  <mitz@apple.com>

        Reviewed by Dave Kilzer.

        Renamed iPhone.xcconfig to iOS.xcconfig

        * Configurations/iOS.xcconfig: Copied from Source/JavaScriptCore/Configurations/iPhone.xcconfig.
        * Configurations/iPhone.xcconfig: Removed.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-09-22  Dan Bernstein  <mitz@apple.com>

        Reviewed by Sam Weinig.

        Renamed directories and groups in the Xcode project from "iphone" to "ios".

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CrossThreadRefCounted.h:
        * wtf/MainThread.cpp:
        * wtf/ios: Copied from Source/JavaScriptCore/wtf/iphone.
        * wtf/iphone: Removed.
        * wtf/iphone/WebCoreThread.cpp: Removed.
        * wtf/iphone/WebCoreThread.h: Removed.

2011-09-01  David Kilzer  <ddkilzer@apple.com>

        Part 2 of 2: <rdar://problem/9139206> Build iOS WebKit with clang

        Reviewed by David Carson.

        * Configurations/CompilerVersion.xcconfig: Switch to using clang
        for both iphoneos and iphonesimulator platforms.

2011-08-24  Matt Lilek  <mlilek@apple.com>

        <rdar://problem/10018843> iOS: CVE-2011-2788: Buffer overrun in WebCore::InspectorBasicValue::writeJSON (52791)

        Merge OpenSource r88444.

    2011-06-08  Mikołaj Małecki  <m.malecki@samsung.com>

        Reviewed by Pavel Feldman.

        Web Inspector: Crash by buffer overrun crash when serializing inspector object tree.
        https://bugs.webkit.org/show_bug.cgi?id=52791

        No new tests. The problem can be reproduced by trying to create InspectorValue
        from 1.0e-100 and call ->toJSONString() on this.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        export 2 functions DecimalNumber::bufferLengthForStringExponential and
        DecimalNumber::toStringExponential.

2011-08-19  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/9987571> iOS: REGRESSION: crash in JSC::setUpStaticFunctionSlot, found on jsfunfuzz

        Merged ToT WebKit r93048.

    2011-08-15  Gavin Barraclough  <barraclough@apple.com>

        Crash accessing static property on sealed object
        https://bugs.webkit.org/show_bug.cgi?id=66242

        Reviewed by Sam Weinig.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
            - should only check isExtensible if checkReadOnly.

2011-08-16  Michael Saboff  <msaboff@apple.com>

        <rdar://problem/9931094> REGRESSION (9A294-9A296): Crash in Structure::visitChildren running iAd.js regression test suite under memory pressure
        https://bugs.webkit.org/show_bug.cgi?id=66351

        Merge OpenSource r93189.

    2011-08-16  Michael Saboff  <msaboff@apple.com>

        Crash in Structure::visitChildren running iAd.js regression test suite under memory pressure
        https://bugs.webkit.org/show_bug.cgi?id=66351

        JIT::privateCompilePutByIdTransition expects that regT0 and regT1
        have the basePayload and baseTag respectively.  In some cases,
        we may get to this generated code with one or both of these
        registers trash.  One know case is that regT0 on ARM may be
        trashed as regT0 (r0) is also arg0 and can be overrun with sp due
        to calls to JIT::restoreReturnAddress().  This patch uses the
        values on the stack.  A longer term solution is to work out all
        cases so that the register entry assumptions can assured.

        While fixing this, also determined that the additional stack offset
        of sizeof(void*) is not needed for ARM.

        Reviewed by Gavin Barraclough.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):

2011-07-31  Matt Lilek  <mlilek@apple.com>

        <rdar://problem/9778751> iOS: CSSPrimitiveValue::getIntValue() and getFloatValue() should clamp to avoid overflow (53449)

        Merge OpenSource r89705.

    2011-06-24  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Darin Adler.

        Match other clampTo* functions in style with clampToInteger(float)
        function.
        https://bugs.webkit.org/show_bug.cgi?id=53449

        * wtf/MathExtras.h:
        (clampToInteger):
        (clampToFloat):
        (clampToPositiveInteger):

2011-07-31  Matt Lilek  <mlilek@apple.com>

        <rdar://problem/9739105> iOS: Crash running regexp /(?:(?=g))|(?:m).{2147483648,}/ (61585)

        Merge OpenSource r89614.

    2011-06-23  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=61585
        Crash running regexp /(?:(?=g))|(?:m).{2147483648,}/

        This is due to use of int instead of unsigned, bad math around
        the 2^31 boundary.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):
            - Change some uses of int to unsigned, refactor compare logic to
              restrict to the range 0..2^32-1 (rather than -2^32-1..2^32-1).
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
            - Ditto.

2011-07-31  Matt Lilek  <mlilek@apple.com>

        <rdar://problem/9739059> iOS: CVE-2011-2354: REGRESSION (r82516): SecuritySaver: *exploitable* OOB read in WebCore::ImageBufferData::getData (61135)

        Merge OpenSource r87103.

    2011-05-23  Matthew Delaney  <mdelaney@apple.com>

        Reviewed by Simon Fraser.

        Remove safeFloatToInt() in FloatRect.cpp and replace with working version of clampToInteger()
        https://bugs.webkit.org/show_bug.cgi?id=58216

        * wtf/MathExtras.h:
        (clampToInteger):
        (clampToPositiveInteger):

2011-08-10  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/9913449> REGRESSION: stringByEvaluatingJavaScriptFromString returns parameter passed to function instead of return value

        Merge WebKit TOT r92785

    2011-08-10  Oliver Hunt  <oliver@apple.com>

        JSEvaluteScript does not return the correct object when given JSONP data
        https://bugs.webkit.org/show_bug.cgi?id=66003

        Reviewed by Gavin Barraclough.

        Make sure we propagate the result of the function call rather than the
        argument.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-08-08  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/9910251> Unable to free up JIT code due to guard pages

        Marge WebKit TOT r92635

    2011-08-08  Oliver Hunt  <oliver@apple.com>

        Using mprotect to create guard pages breaks our use of madvise to release executable memory
        https://bugs.webkit.org/show_bug.cgi?id=65870

        Reviewed by Gavin Barraclough.

        Use mmap rather than mprotect to clear guard page permissions.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2011-08-07  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/9884604> Should clean up JIT code when we get a memory warning

        Reviewed by Oliver Hunt.

        * JavaScriptCore.exp: Export JSGlobalData::recompileAllJSFunctions

2011-08-06  Dan Bernstein  <mitz@apple.com>

        Reviewed by Andy Estes.

        <rdar://problem/9909069> AtomicString::fromUTF8Internal() is not taking the AtomicString table lock

        * wtf/text/AtomicString.cpp:
        (WTF::AtomicString::fromUTF8Internal): Take the lock before calling addToStringTable().

2011-08-04  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by David Carson.

        <rdar://problem/9795993> Remote Inspector: breakpoint hit inside touchend event prevents Safari from refreshing

        * wtf/MainThread.cpp:
        (WTF::setMainThreadCallbacksPaused): This is called when pausing
        JavaScript and is fine to call as long as the WebThread is locked.

2011-07-28  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/9897283> Interpreter can potentially GC in the middle of initializing a structure chain (https://bugs.webkit.org/show_bug.cgi?id=65638)

        Merge WebKit TOT r92393

    2011-08-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Interpreter can potentially GC in the middle of initializing a structure chain
        https://bugs.webkit.org/show_bug.cgi?id=65638

        Reviewed by Oliver Hunt.

        Moved the allocation of a prototype StructureChain before the initialization of 
        the structure chain within the interpreter that was causing intermittent GC crashes.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCachePutByID):

2011-08-02  Dan Bernstein  <mitz@apple.com>

        Reviewed by Simon Fraser.

        <rdar://problem/9394430> WebKit can't show these emoji glyphs 1⃣2⃣3⃣4⃣5⃣6⃣7⃣ correctly unless proper font is being specified

        * wtf/unicode/CharacterNames.h: Added a constant for U+20E3 COMBINING ENCLOSING KEYCAP.

2011-07-29  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/9864012> Clean up compiler settings (ANGLE project doesn't specify compiler correctly)

        Reviewed by Joseph Pecoraro.

        * Configurations/CompilerVersion.xcconfig: Build Development
        and Development_Hardware configurations using clang.
        Deployment, Deployment_Hardware, Production_Deployment and
        Production_Hardware configurations still use llvm-gcc-4.2.

2011-07-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Joe Pecoraro.

        <rdar://problem/9859981> Remove accidentally committed ASSERT from interpreter

        Remove bogus assertion.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-07-27  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/9826969> CRASH after running out of executable memory @ washingtonpost.com

        Merge WebKit TOT r91871

    2011-07-27  Oliver Hunt  <oliver@apple.com>

        Handle callback oriented JSONP
        https://bugs.webkit.org/show_bug.cgi?id=65271

        Reviewed by Gavin Barraclough.

        Handle the callback oriented versions of JSONP.  The Literal parser
        now handles <Identifier> (. <Identifier>)* (jsonData).

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):
        (JSC::LiteralParser::Lexer::lex):
        * runtime/LiteralParser.h:

2011-07-26  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/9844317> preventExtensions on host functions crashes

        Merge WebKit TOT r90402 and r90404

    2011-07-05  Gavin Barraclough  <barraclough@apple.com>

        Build fix following last patch.

        * runtime/JSFunction.cpp:
        (JSC::createPrototypeProperty):

    2011-07-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63947
        ASSERT running Object.preventExtensions(Math.sin)

        Reviewed by Oliver Hunt.

        This is due to calling scope() on a hostFunction as a part of
        calling createPrototypeProperty to reify the prototype property.
        But host functions don't have a prototype property anyway!

        Prevent callling createPrototypeProperty on a host function.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createPrototypeProperty):
        (JSC::JSFunction::preventExtensions):


2011-07-25  Andy Estes  <aestes@apple.com>

        Reviewed by Darin Adler.

        <rdar://problem/9827302> Add a compile-time option to enable the HTTP inspector server on the device.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_HTTP_INSPECTOR_SERVER.

2011-07-25  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8727143> Investigate moving to the C CFNetwork APIs

        Reviewed by David Carson.

        Re-enable USE(CFNETWORK) on iOS. The issues with gmail are not as severe as I had initially
        thought.

        * wtf/Platform.h:

2011-07-25  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/9837878> export JSContextCreateBacktrace as SPI in JSContextRefPrivate.h

        Merge WebKit TOT r91627

    2011-07-22  Sommer Panage  <panage@apple.com>

        Reviewed by Oliver Hunt.

        export JSContextCreateBacktrace as SPI in JSContextRefPrivate.h
        https://bugs.webkit.org/show_bug.cgi?id=64981

        UIAutomation for iOS would like to support a Javascript backtrace in our error logs.
        Currently, the C API does not provide the tools to do this. However, the private API
        does expose the necessary functionality to get a backtrace
        (via Interpreter::retrieveLastCaller). We recognize this information may result in
        failure in the cases of programs run by 'eval', stack frames beneath host function
        call frames, and in programs run from other programs. Thus, we propose exporting our
        JSContextCreateBacktrace in JSContextRefPrivate.h. This will provide us with the tools
        we need while not advertising an API that isn't really ready for full use.

        * API/JSContextRef.cpp:
        * API/JSContextRefPrivate.h:
        * JavaScriptCore.exp:

2011-07-25  Jon Lee  <jonlee@apple.com>

        Assertion called in ExecutableBase::generatedJITCodeForCall() when JIT is not available
        https://bugs.webkit.org/show_bug.cgi?id=65132
        <rdar://problem/9836297>

        Merge WebKit TOT r91706
        
    2011-07-25  Jon Lee  <jonlee@apple.com>
        
        Reviewed by Oliver Hunt.
        
        Make sure the JIT is available to use before running the following calls:

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls): Added check, return early if JIT is not available.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addMethodCallLinkInfos): Added assertion.

2011-07-22  Pratik Solanki  <psolanki@apple.com>

        Unreviewed. Disable USE(CFNETWORK) until we can fix issues with gmail <rdar://9826491>.

        * wtf/Platform.h:

2011-07-22  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8727143> Investigate moving to the C CFNetwork APIs

        Reviewed by David Carson.

        Enable USE(CFNETWORK) on iOS. Instead of using the Foundation based network loader in
        WebCore, we now use the CF based loader. This gives us around 3% perf win on the PLT power
        pages. While this is a big change, I have been living on versions of this change for over a
        week now. I have also run the stress test and not seen any issues related to this change.

        * wtf/Platform.h:

2011-07-19  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/9804094> API GC throws away compiled code; can cause pathological compilation churn
        
        Merge WebKit TOT r91401

    2011-07-20  Oliver Hunt  <oliver@apple.com>

        Don't throw away code when JSGarbageCollect API is called
        https://bugs.webkit.org/show_bug.cgi?id=64894

        Reviewed by Sam Weinig.

        Just call collectAllGarbage.  That will clean up all unneeded
        code without causing any pathological recompilation problems.

        * API/JSBase.cpp:
        (JSGarbageCollect):

2011-07-19  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/9734627> MarketDash crashed in JSC::slowValidateCell

        Merge WebKit TOT r91394

    2011-07-20  Oliver Hunt  <oliver@apple.com>

        Codeblock doesn't visit cached structures in global resolve instructions
        https://bugs.webkit.org/show_bug.cgi?id=64889

        Reviewed by Sam Weinig.

        Visit the global resolve instructions.  This fixes a couple
        of random crashes seen in the jquery tests when using the
        interpreter.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):

2011-07-19  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/9652614> Turn GC Validation off again

        Reviewed by Gavin Barraclough.

        Return GC validation to its normal debug only mode.

        * wtf/Platform.h:

2011-07-14  Michael Saboff  <msaboff@apple.com>

    <rdar://problem/9776826> Optimise performance of .*string.* regexps in browser mark

    Merge WebKit TOT r90962

    2011-07-13  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64202
        Enh: Improve handling of RegExp in the form of /.*blah.*/

        Reviewed by Gavin Barraclough.

        Added code to both the Yarr interpreter and JIT to handle
        these expressions a little differently.  First off, the terms
        in between the leading and trailing .*'s cannot capture and
        also this enhancement is limited to single alternative expressions.
        If an expression is of the right form with the aforementioned
        restrictions, we process the inner terms and then look for the
        beginning of the string and end of the string.  There is handling 
        for multiline expressions to allow the beginning and end to be 
        right after and right before newlines.

        This enhancement speeds up expressions of this type 12x on
        a MacBookPro.

        Cleaned up 'case' statement indentation.

        A new set of tests was added as LayoutTests/fast/regex/dotstar.html

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::InputStream::end):
        (JSC::Yarr::Interpreter::matchDotStarEnclosure):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::ByteCompiler::assertionDotStarEnclosure):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::DotStarEnclosure):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::backtrackDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
        (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        (JSC::Yarr::YarrPattern::compile):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternTerm::PatternTerm):

2011-07-12  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9760209> ASSERT_GC_OBJECT_INHERITS failure loading sportscheck.com

    Marge TOT WebKit r90875

    2011-07-12  Oliver Hunt  <oliver@apple.com>

        Overzealous type validation in method_check
        https://bugs.webkit.org/show_bug.cgi?id=64415

        Reviewed by Gavin Barraclough.

        method_check is essentially just a value look up
        optimisation, but it internally stores the value
        as a JSFunction, even though it never relies on
        this fact.  Under GC validation however we end up
        trying to enforce that assumption.  The fix is
        simply to store the value as a correct supertype.

        * bytecode/CodeBlock.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):
        (JSC::DFG::tryCacheGetMethod):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-07-08  Dan Bernstein  <mitz@apple.com>

        Some preparation for <rdar://problem/9394430> WebKit can't show these emoji glyphs correctly unless proper font is being specified

        Merged TOT WebKit r88477.

    2011-06-09  Dan Bernstein  <mitz@apple.com>

        Reviewed by Anders Carlsson.

        Add Vector::reverse()
        https://bugs.webkit.org/show_bug.cgi?id=62393

        * wtf/Vector.h:
        (WTF::Vector::reverse): Added

2011-07-07  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9147974> 12% of nytimes.com uncached page load spent beneath JIT::privateCompile

    Merge WebKit TOT r90586

    2011-07-07  Oliver Hunt  <oliver@apple.com>

        Encode jump and link sizes into the appropriate enums
        https://bugs.webkit.org/show_bug.cgi?id=64123

        Reviewed by Sam Weinig.

        Finally kill off the out of line jump and link size arrays, 
        so we can avoid icky loads and constant fold the linking arithmetic.

        * assembler/ARMv7Assembler.cpp:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::jumpSizeDelta):
        (JSC::ARMv7Assembler::computeJumpType):

2011-07-06  Oliver Hunt  <oliver@apple.com>

        Reviewed by Pratik Solanki.

        <rdar://problem/9723249> core.caseware.com does not run correctly in telluride.

        The 32bit path for call code generation was not correctly setting
        the call type flag on its call info.  This then caused us to link
        the wrong linking thunk when we unlinked a call site.  This broke
        core.caseware.com due to memory pressure triggering our unlinking
        logic.  After the fix for rdar://problem/9722210 we ended up
        using this unlinking logic much more often, so breaking a variety
        of other sites.

        This isn't a ToT WebKit merge as ToT WebKit has some substantial
        refactoring to the call logic so a straight merge would be pointless.

        Equivalent ToT WebKit change was part of
        https://bugs.webkit.org/show_bug.cgi?id=63980
        http://trac.webkit.org/changeset/90443

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2011-07-05  David Kilzer  <ddkilzer@apple.com>

        Switch to using llvm-gcc-4.2 when compiling for the iOS Simulator

        Reviewed by Paul Knight.

        Fixes: <rdar://problem/9723537> SWB: JavaScriptCore_Sim hardcodes use of (soon-to-be-obsolete) gcc-4.2

        * Configurations/CompilerVersion.xcconfig:
        (TARGET_GCC_VERSION_iphonesimulator): Switched to LLVM_GCC_42.

2011-07-05  Oliver Hunt  <oliver@apple.com>

        <rdar://problem/9147974> 12% of nytimes.com uncached page load spent beneath JIT::privateCompile

        Merge WebKit TOT r90426

    2011-07-05  Oliver Hunt  <oliver@apple.com>

        Force inlining of simple functions that show up as not being inlined
        https://bugs.webkit.org/show_bug.cgi?id=63964

        Reviewed by Gavin Barraclough.

        Looking at profile data indicates the gcc is failing to inline a
        number of trivial functions.  This patch hits the ones that show
        up in profiles with the ALWAYS_INLINE hammer.

        We also replace the memcpy() call in linking with a manual loop.
        Apparently memcpy() is almost never faster than an inlined loop.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::add):
        (JSC::ARMv7Assembler::add_S):
        (JSC::ARMv7Assembler::ARM_and):
        (JSC::ARMv7Assembler::asr):
        (JSC::ARMv7Assembler::b):
        (JSC::ARMv7Assembler::blx):
        (JSC::ARMv7Assembler::bx):
        (JSC::ARMv7Assembler::clz):
        (JSC::ARMv7Assembler::cmn):
        (JSC::ARMv7Assembler::cmp):
        (JSC::ARMv7Assembler::eor):
        (JSC::ARMv7Assembler::it):
        (JSC::ARMv7Assembler::ldr):
        (JSC::ARMv7Assembler::ldrCompact):
        (JSC::ARMv7Assembler::ldrh):
        (JSC::ARMv7Assembler::ldrb):
        (JSC::ARMv7Assembler::lsl):
        (JSC::ARMv7Assembler::lsr):
        (JSC::ARMv7Assembler::movT3):
        (JSC::ARMv7Assembler::mov):
        (JSC::ARMv7Assembler::movt):
        (JSC::ARMv7Assembler::mvn):
        (JSC::ARMv7Assembler::neg):
        (JSC::ARMv7Assembler::orr):
        (JSC::ARMv7Assembler::orr_S):
        (JSC::ARMv7Assembler::ror):
        (JSC::ARMv7Assembler::smull):
        (JSC::ARMv7Assembler::str):
        (JSC::ARMv7Assembler::sub):
        (JSC::ARMv7Assembler::sub_S):
        (JSC::ARMv7Assembler::tst):
        (JSC::ARMv7Assembler::linkRecordSourceComparator):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Reg3Imm8):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Imm5Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Reg3Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8Imm8):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8RegReg143):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp9Imm7):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp10Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4FourFours):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16FourFours):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16Op16):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp5i6Imm4Reg4EncodedImm):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4Reg4Imm12):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpOp):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpMemOp):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::linkCode):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::ret):
        (JSC::MacroAssemblerARMv7::moveWithPatch):
        (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::storePtrWithPatch):
        (JSC::MacroAssemblerARMv7::tailRecursiveCall):
        (JSC::MacroAssemblerARMv7::makeTailRecursiveCall):
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::makeBranch):

2011-07-05  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9722210> Don't recompile repeatedly during page loading

    Merge WebKit TOT r90415

    2011-07-05  Oliver Hunt  <oliver@apple.com>

        Don't throw out compiled code repeatedly
        https://bugs.webkit.org/show_bug.cgi?id=63960

        Reviewed by Gavin Barraclough.

        Stop throwing away all compiled code every time
        we're told to do a full GC.  Instead unlink all
        callsites during such GC passes to maximise the
        number of collectable functions, but otherwise
        leave compiled functions alone.

        * API/JSBase.cpp:
        (JSGarbageCollect):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/MarkStack.h:
        (JSC::MarkStack::shouldUnlinkCalls):
        (JSC::MarkStack::setShouldUnlinkCalls):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::invalidateCode):
        * runtime/RegExp.h:

2011-07-01  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9706758> IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren() (63732)

    Merge WebKit ToT r90282

    2011-07-01  Oliver Hunt  <oliver@apple.com>

        IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
        https://bugs.webkit.org/show_bug.cgi?id=63732

        Reviewed by Gavin Barraclough.

        Initialise the memory at the head of the new storage so that
        GC is safe if triggered by reportExtraMemoryCost.

        * runtime/JSArray.cpp:
        (JSC::JSArray::increaseVectorPrefixLength):

2011-07-01  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9655973> GC allocation sequencing can be incorrect

    Merge WebKit ToT r90273

    2011-07-01  Oliver Hunt  <oliver@apple.com>

        GC sweep can occur before an object is completely initialised
        https://bugs.webkit.org/show_bug.cgi?id=63836

        Reviewed by Gavin Barraclough.

        In rare cases it's possible for a GC sweep to occur while a
        live, but not completely initialised object is on the stack.
        In such a case we may incorrectly choose to mark it, even
        though it has no children that need marking.

        We resolve this by always zeroing out the structure of any
        value returned from JSCell::operator new(), and making the
        markstack tolerant of a null structure. 

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::~JSCell):
        (JSC::JSCell::JSCell::operator new):
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):

2011-07-01  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/9674091> JavaScriptCore should build for armv7f and armv7s

        Reviewed by David Carson.

        Original patch by Denis Palmans <dpalmans@apple.com>.

        * Configurations/Base.xcconfig: Don't override VALID_ARCHS when
        building for iphoneos or iphonesimulator SDKs.  This keeps the
        original value of VALID_ARCHS and only adds platform-specific
        values for macosx.
        * Configurations/JavaScriptCore.xcconfig: Added support for
        armv7f and armv7s when setting JSVALUE_MODEL.
        * wtf/Platform.h: Make sure WTF_ARM_ARCH_VERSION and
        WTF_THUMB_ARCH_VERSION are set for armv7f and armv7s.

2011-07-01  Oliver Hunt  <oliver@apple.com>

        Debug build fix.  Apparently I didn't do a debug build
        following one of yesterdays merges.

        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):

2011-07-01  David Kilzer  <ddkilzer@apple.com>

        Fix clang build error in JITOpcodes32_64.cpp

        Merge ToT WebKit r90232.

    2011-07-01  David Kilzer  <ddkilzer@apple.com>

        <http://webkit.org/b/63814> Fix clang build error in JITOpcodes32_64.cpp

        Fixes the following build error in clang:

            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:9-741:35}: error: operator '?:' has lower precedence than '+'; '+' will be evaluated first [-Werror,-Wparentheses,3]
                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                     ~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36: note: place parentheses around the '+' expression to silence this warning [3]
                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                                                ^
                     (                         )
            fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:9-741:9}:"("
            fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:35-741:35}:")"
            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:28-741:94}: note: place parentheses around the '?:' expression to evaluate it first [3]
                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                                        ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            1 error generated.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_global): Add parenthesis to make the
        tertiary expression evaluate first.

2011-06-30  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9665160> ASSERT in JSC::JITCode::size() when running non-JIT enabled scripter

    Merge WebKit ToT r89964

    2011-06-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        ASSERT when launching debug builds with interpreter and jit enabled
        https://bugs.webkit.org/show_bug.cgi?id=63566

        Add appropriate guards to the various Executable's memory reporting
        logic.

        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-06-30  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/8961198> Crashes seen after running out of executable memory

    Merge WebKit ToT r89630, r89885, r89887

    2011-06-27  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r89885.

        * JavaScriptCore.exp:
        * jsc.cpp:

    2011-06-27  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Support throwing away non-running code even while other code is running
        https://bugs.webkit.org/show_bug.cgi?id=63485

        Add a function to CodeBlock to support unlinking direct linked callsites,
        and then with that in place add logic to discard code from any function
        that is not currently on the stack.

        The unlinking completely reverts any optimized call sites, such that they
        may be relinked again in future.

        * JavaScriptCore.exp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::clearEvalCache):
        * bytecode/CodeBlock.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::unlink):
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::clear):
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        * heap/Heap.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::clear):
        * jsc.cpp:
        (GlobalObject::GlobalObject):
        (functionReleaseExecutableMemory):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::unlinkCalls):
        (JSC::ProgramExecutable::unlinkCalls):
        (JSC::FunctionExecutable::discardCode):
        (JSC::FunctionExecutable::unlinkCalls):
        * runtime/Executable.h:
        * runtime/JSGlobalData.cpp:
        (JSC::SafeRecompiler::returnValue):
        (JSC::SafeRecompiler::operator()):
        (JSC::JSGlobalData::releaseExecutableMemory):

    2011-06-23  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Add the ability to dynamically modify linked call sites
        https://bugs.webkit.org/show_bug.cgi?id=63291

        Add JITWriteBarrier as a writebarrier class that allows
        reading and writing directly into the code stream.

        This required adding logic to all the assemblers to allow
        us to read values back out of the instruction stream.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readPointer):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::readPointer):
        (JSC::ARMv7Assembler::readInt32):
        (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmFirst):
        (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmSecond):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::readPointer):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::readInt32):
        (JSC::MIPSAssembler::readPointer):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::operator!):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::readPCrelativeAddress):
        (JSC::SH4Assembler::readPointer):
        (JSC::SH4Assembler::readInt32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::readPointer):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::MethodCallLinkInfo::seenOnce):
        (JSC::MethodCallLinkInfo::setSeen):
        * heap/MarkStack.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkCall):
        (JSC::JIT::linkConstruct):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITWriteBarrier.h: Added.
        (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*):
        (JSC::JITWriteBarrierBase::operator!):
        (JSC::JITWriteBarrierBase::setFlagOnBarrier):
        (JSC::JITWriteBarrierBase::isFlagged):
        (JSC::JITWriteBarrierBase::setLocation):
        (JSC::JITWriteBarrierBase::location):
        (JSC::JITWriteBarrierBase::JITWriteBarrierBase):
        (JSC::JITWriteBarrierBase::set):
        (JSC::JITWriteBarrierBase::get):
        (JSC::JITWriteBarrier::JITWriteBarrier):
        (JSC::JITWriteBarrier::set):
        (JSC::JITWriteBarrier::get):
        (JSC::MarkStack::append):

2011-06-30  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/8913432> Crash after running out of executable memory @ syntensity.com python simulator (requires 33.7MB for large array literals)

    Merge WebKit ToT r89954, r89959

    2011-06-28  Oliver Hunt  <oliver@apple.com>

        Fix interpreter build.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

    2011-06-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make constant array optimisation less strict about what constitutes a constant
        https://bugs.webkit.org/show_bug.cgi?id=63554

        Now allow string constants in array literals to actually be considered constant,
        and so avoid codegen in array literals with strings in them.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantBuffer):
        (JSC::CodeBlock::constantBuffer):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addConstantBuffer):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-06-30  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/8940085> Stress Test Crash: JavaScriptCore: JSC::RegExp::match(JSC::UString const&, int, WTF::Vector<int, 32ul>*) (RefPtr.h:60)

    Merge WebKit TOT r89729

    2011-06-24  Michael Saboff  <msaboff@apple.com>

        Reviewed by Gavin Barraclough.

        Arm Assembler, Immediate stack offset values truncated to 8 bits for add & sub
        https://bugs.webkit.org/show_bug.cgi?id=63345

        The methods ARMThumbImmediate::getUInt9 and ARMThumbImmediate::getUInt10
        return 9 and 10 bit quantities, therefore changed their return type from
        uint8_t to uint16_t.  Also casted the places where they are used as they
        are currently shifted and used as 7 or 8 bit values.

        These methods are currently used for literals for stack offsets, 
        including creating and destroying stack frames.  The prior truncation of
        the upper bits caused stack frames to be too small, thus allowing a
        JIT'ed function to access and overwrite stack space outside of the
        incorrectly sized stack frame.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMThumbImmediate::getUInt9):
        (JSC::ARMThumbImmediate::getUInt10):
        (JSC::ARMv7Assembler::add):
        (JSC::ARMv7Assembler::ldr):
        (JSC::ARMv7Assembler::str):
        (JSC::ARMv7Assembler::sub):
        (JSC::ARMv7Assembler::sub_S):

2011-06-21  Oliver Hunt  <oliver@apple.com>

        Reviewed by Dave Carson and Geoff Garen.

        <rdar://problem/9473586> Crash in JSC::Structure::visitChildren running AdSheet tests

        Enabling GC validation for all builds to once again try 
        to track down some of GC crashers.
        
        Turning validation off again is tracked by:
        <rdar://problem/9652614> Turn GC Validation off again

        * wtf/Platform.h:

2011-06-20  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/8938997> Crash after running out of executable memory @ apidock.com (requires 13.1MB for JSONP)

    Merge WebKit TOT r89219, r89226, r89228

    2011-06-19  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        Correct logic for putting errors on the correct line when handling JSONP
        https://bugs.webkit.org/show_bug.cgi?id=62962

        Minor fix for the minor fix.  *sigh*

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

    2011-06-19  Oliver Hunt  <oliver@apple.com>

        Minor fix to correct layout test results.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

    2011-06-17  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        JSONP is unnecessarily slow
        https://bugs.webkit.org/show_bug.cgi?id=62920

        JSONP has unfortunately become a fairly common idiom online, yet
        it triggers very poor performance in JSC as we end up doing codegen
        for a large number of property accesses that will
           * only be run once, so the vast amount of logic we dump to handle
             caching of accesses is unnecessary.
           * We are doing codegen that is directly proportional to just
             creating the object in the first place.

        This patch extends the use of the literal parser to JSONP-like structures
        in global code, handling a number of different forms I have seen online.
        In an extreme case this improves performance of JSONP by more than 2x
        due to removal of code generation and execution time, and a few optimisations
        that I made to the parser itself.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * parser/Lexer.cpp:
        (JSC::Lexer::isKeyword):
        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):
        (JSC::LiteralParser::makeIdentifier):
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::next):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):

2011-06-17  Simon Fraser  <simon.fraser@apple.com>

    <rdar://problem/9632485> ASSERT(m_codeEnd - m_code >= maxTokenLength) loading nytimes.com
    
    Merge WebKit ToT r88082.

    2011-06-03  Oliver Hunt  <oliver@apple.com>
    
            Whoops, fix last minute bug.
    
            * parser/Lexer.cpp:
            (JSC::Lexer::parseIdentifier):
    
2011-06-16  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9626197> JS API is too aggressive about throwing exceptions for NULL get or set operations (61678)

    Merged TOT WebKit r87588

    2011-05-27  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        JS API is too aggressive about throwing exceptions for NULL get or set operations
        https://bugs.webkit.org/show_bug.cgi?id=61678

        * API/JSCallbackObject.h: Changed our staticValueGetter to a regular
        function that returns a JSValue, so it can fail and still forward to
        normal property lookup.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot): Don't throw an exception when failing to
        access a static property -- just forward the access. This allows objects
        to observe get/set operations but still let the JS object manage lifetime.

        (JSC::::put): Ditto.

        (JSC::::getStaticValue): Same as JSCallbackObject.h.

        * API/tests/testapi.c:
        (MyObject_set_nullGetForwardSet):
        * API/tests/testapi.js: Updated tests to reflect slightly less strict
        behavior, which matches headerdoc claims.

2011-06-16  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9626170> Property caching is too aggressive for API objects (61677)

    Merged TOT WebKit r87586

    2011-05-27  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Property caching is too aggressive for API objects
        https://bugs.webkit.org/show_bug.cgi?id=61677

        * API/JSCallbackObject.h: Opt in to ProhibitsPropertyCaching, since our
        callback APIs allow the client to change its mind about our propertis at
        any time.

        * API/tests/testapi.c:
        (PropertyCatchalls_getProperty):
        (PropertyCatchalls_setProperty):
        (PropertyCatchalls_getPropertyNames):
        (PropertyCatchalls_class):
        (main):
        * API/tests/testapi.js: Some tests for dynamic API objects.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCachePutByID):
        (JSC::Interpreter::tryCacheGetByID):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCachePutByID):
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION): Opt out of property caching if the client
        requires it.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::isFinal):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        (JSC::TypeInfo::flags): Added a flag to track opting out of property
        caching. Fixed an "&&" vs "&" typo that was previously harmless, but
        is now harmful since m_flags2 can have more than one bit set.

2011-06-16  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/8913432> Crash after running out of executable memory @ syntensity.com python simulator (requires 33.7MB for large array literals)

    Merged TOT WebKit r88873, r88962, r89058

    2011-06-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Reduce memory usage of resolve_global
        https://bugs.webkit.org/show_bug.cgi?id=62765

        If we have a large number of resolve_globals in a single
        block start planting plain resolve instructions instead 
        whenever we aren't in a loop.  This allows us to reduce
        the code size for extremely large functions without
        losing the performance benefits of op_resolve_global.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::globalResolveInfoCount):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::shouldAvoidResolveGlobal):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveWithBase):
        * bytecompiler/BytecodeGenerator.h:

    2011-06-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        Reduce the size of global_resolve
        https://bugs.webkit.org/show_bug.cgi?id=62738

        Reduce the code size of global_resolve in the JIT by replacing
        multiple pointer loads with a single pointer move + two offset
        loads.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve_global):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_global):

    2011-06-14  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Constant array literals result in unnecessarily large amounts of code
        https://bugs.webkit.org/show_bug.cgi?id=62658

        Add a new version of op_new_array that simply copies values from a buffer
        we hang off of the CodeBlock, rather than generating code to place each
        entry into the registerfile, and then copying it from the registerfile into
        the array.  This is a slight improvement on some sunspider tests, but no
        measurable overall change.  That's okay though as our goal was to reduce
        code size without hurting performance.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addImmediateBuffer):
        (JSC::CodeBlock::immediateBuffer):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addImmediateBuffer):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:

2011-06-16  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9306516> First-time JavaScript parse in app store can take ~130ms (was 160ms)

    Merging r87177, r87838, r88076, r88082, r88083, r88084, r88094, r88394, r88668, r88719, r88974

    2011-06-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Darin Adler.

        REGRESSION (r88719): 5by5.tv schedule is not visible
        https://bugs.webkit.org/show_bug.cgi?id=62720

        Problem here is that the lexer wasn't considering '$' to be
        a valid character in an identifier.

        * parser/Lexer.h:
        (JSC::Lexer::lexExpectIdentifier):

    2011-06-13  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Fix llocp and lvalp names in the lexer to something more meaningful
        https://bugs.webkit.org/show_bug.cgi?id=62605

        A simple rename

        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
        (JSC::Lexer::parseString):
        (JSC::Lexer::lex):
        * parser/Lexer.h:
        (JSC::Lexer::lexExpectIdentifier):

    2011-06-13  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make it possible to inline the common case of identifier lexing
        https://bugs.webkit.org/show_bug.cgi?id=62600

        Add a lexing function that expects to lex an "normal" alpha numeric
        identifier (that ignores keywords) so it's possible to inline the
        common parsing cases.  This comes out as a reasonable parsing speed
        boost.

        * parser/JSParser.cpp:
        (JSC::JSParser::nextExpectIdentifier):
        (JSC::JSParser::parseProperty):
        (JSC::JSParser::parseMemberExpression):
        * parser/Lexer.cpp:
        * parser/Lexer.h:
        (JSC::Lexer::makeIdentifier):
        (JSC::Lexer::lexExpectIdentifier):

    2011-06-13  Oliver Hunt  <oliver@apple.com>

        Reviewed by Simon Fraser.

        Make it possible to inline Identifier::equal
        https://bugs.webkit.org/show_bug.cgi?id=62584

        Move Identifier::equal to the Identifier header file.

        * runtime/Identifier.cpp:
        * runtime/Identifier.h:
        (JSC::Identifier::equal):

    2011-06-03  Oliver Hunt  <oliver@apple.com>

        Reviewed by Maciej Stachowiak.

        Lexer needs to provide Identifier for reserved words
        https://bugs.webkit.org/show_bug.cgi?id=62086

        Alas it is necessary to provide an Identifier reference for keywords
        so that we can do the right thing when they're used in object literals.
        We now keep Identifiers for all reserved words in the CommonIdentifiers
        structure so that we can access them without a hash lookup.

        * KeywordLookupGenerator.py:
        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
        * parser/Lexer.h:
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:

    2011-06-03  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Force inlining of some hot lexer functions
        https://bugs.webkit.org/show_bug.cgi?id=62079

        Fix more GCC stupidity

        * parser/Lexer.h:
        (JSC::Lexer::isWhiteSpace):
        (JSC::Lexer::isLineTerminator):

    2011-06-03  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        GCC not inlining some functions that it really should be
        https://bugs.webkit.org/show_bug.cgi?id=62075

        Add ALWAYS_INLINE to a number of parsing and lexing functions
        that should always be inlined.  This gets us ~1.4% on my ad hoc
        parser test.

        * KeywordLookupGenerator.py:
        * parser/JSParser.cpp:
        (JSC::JSParser::next):
        (JSC::JSParser::nextTokenIsColon):
        (JSC::JSParser::consume):
        (JSC::JSParser::match):
        (JSC::JSParser::tokenStart):
        (JSC::JSParser::tokenLine):
        (JSC::JSParser::tokenEnd):
        * parser/Lexer.cpp:
        (JSC::isIdentPart):

2011-06-05  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/9495270> Merge iOS WebKit to Safari Jazz FCS

        Merged ToT WebKit r86871-r88061 on safari-534-branch branch.

    2011-06-02  Lucas Forschler  <lforschler@apple.com>

    Merged 87826.

    2011-05-31  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Freezing a function and its prototype causes browser to crash.
        https://bugs.webkit.org/show_bug.cgi?id=61758

        Make JSObject::preventExtensions virtual so that we can override it
        and instantiate all lazy

        * JavaScriptCore.exp:
        * runtime/JSFunction.cpp:
        (JSC::createPrototypeProperty):
        (JSC::JSFunction::preventExtensions):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::seal):
        (JSC::JSObject::seal):

    2011-05-27  Mark Rowe  <mrowe@apple.com>

        Merge r87580.

    2011-05-27  Stephanie Lewis  <slewis@apple.com>

        Unreviewed.

        Fix a typo in the order_file flag.

        * Configurations/Base.xcconfig:

    2011-05-27  Mark Rowe  <mrowe@apple.com>

        Merge r87520.

    2011-05-27  Stephanie Lewis  <slewis@apple.com>

        Rubber Stamped by Adam Roben.

        Update Order Files.  Use -order_file flag since it can order more of the binary.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.order:

    2011-05-26  Lucas Forschler  <lforschler@apple.com>

    Merged r87157.

    2011-05-23  Michael Saboff  <msaboff@apple.com>

        Reviewed by Mark Rowe.

        Safari often freezes when clicking "Return free memory" in Caches dialog
        https://bugs.webkit.org/show_bug.cgi?id=61325

        There are two fixes and improvement in instrumentation code used to find 
        one of the problems.
        Changed ReleaseFreeList() to set the "decommitted" bit when releasing
        pages to the system and moving Spans from the normal list to the returned 
        list.
        Added a "not making forward progress" check to TCMalloc_PageHeap::scavenge
        to eliminate an infinite loop if we can't meet the pagesToRelease target.
        Added a check for the decommitted bit being set properly in 
        TCMalloc_PageHeap::CheckList.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::scavenge):
        (WTF::TCMalloc_PageHeap::Check):
        (WTF::TCMalloc_PageHeap::CheckList):
        (WTF::ReleaseFreeList):

    2011-05-23  Gavin Barraclough  <barraclough@apple.com>

    Merged r87109.

    2011-05-23  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=61306

        The begin characters optimization currently has issues (#61129),
        and does not appear to still be a performance win. The prudent
        next step seems to be to disable while we ascertain whether this
        is still a useful performance optimization.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::Interpreter::interpret):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):

    2011-05-24  Steve Falkenburg  <sfalken@apple.com>

        Reviewed by Adam Roben.

        Disable features on safari-534-branch.
        <rdar://problem/9261347> 

        * Configurations/FeatureDefines.xcconfig:

    2011-05-22  Lucas Forschler  <lforschler@apple.com>

    Merge r86972.
    
    2011-05-20  Brady Eidson  <beidson@apple.com>

        Reviewed by Sam Weinig.

        <rdar://problem/9472883> and https://bugs.webkit.org/show_bug.cgi?id=61203
        Horrendous bug in callOnMainThreadAndWait

        * wtf/MainThread.cpp:
        (WTF::dispatchFunctionsFromMainThread): Before signaling the background thread with the
          syncFlag condition, reacquire the mutex first.

    2011-05-22  Lucas Forschler  <lforschler@apple.com>

    Merge r86779.
    
    2011-05-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Adam Roben.

        Disable gc validation in release builds
        https://bugs.webkit.org/show_bug.cgi?id=60680

        Add back the NDEBUG check

        * wtf/Platform.h:

    2011-05-19  Lucas Forschler  <lforschler@apple.com

    Merged r86850.
    
    2011-05-19  Adam Roben  <aroben@apple.com>

        Remove a redundant and broken data export

        Data can't be exported from JavaScriptCore.dll by listing it in the .def file. The
        JS_EXPORTDATA macro must be used instead. (In this case it was already being used, leading
        to a linker warning about multiple definitions.)

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Removed JSGlobalData::s_info.

    2011-05-19  Lucas Forschler  <lforschler@apple.com

    Merged r86809.
    
    2011-05-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Some tests crashing in JSC::MarkStack::validateValue beneath ScriptController::clearWindowShell on SnowLeopard Intel Release (WebKit2 Tests)
        https://bugs.webkit.org/show_bug.cgi?id=61064

        Switch NonFinalObject to using WriteBarrier<> rather than WriteBarrierBase<>
        for its inline storage.  This resolves the problem of GC occurring before
        a subclass has initialised its anonymous storage.

        * runtime/JSObject.h:

    2011-05-19  Lucas Forschler  <lforschler@apple.com

    Merged r86785.
    
    2011-05-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
        https://bugs.webkit.org/show_bug.cgi?id=61090

        Remove the Structure-free JSGlobalObject constructor and instead always
        pass the structure into the JSGlobalObject constructor.
        Stop DebuggerActivation creating a new structure every time, and simply
        use a single shared structure held by the GlobalData.

        * API/JSContextRef.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        * jsc.cpp:
        (GlobalObject::GlobalObject):
        (functionRun):
        (jscmain):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::clearBuiltinStructures):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:

    2011-05-19  Lucas Forschler  <lforschler@apple.com>

    Merge r86727.

    2011-05-16  Geoffrey Garen  <ggaren@apple.com>

        Rolling back in r86653 with build fixed.

        Reviewed by Gavin Barraclough and Oliver Hunt.

        Global object initialization is expensive
        https://bugs.webkit.org/show_bug.cgi?id=60933
        
        Changed a bunch of globals to allocate their properties lazily, and changed
        the global object to allocate a bunch of its globals lazily.
        
        This reduces the footprint of a global object from 287 objects with 58
        functions for 24K to 173 objects with 20 functions for 15K.

        Large patch, but it's all mechanical.

        * DerivedSources.make:
        * JavaScriptCore.exp: Build!

        * create_hash_table: Added a special case for fromCharCode, since it uses
        a custom "thunk generator".

        * heap/Heap.cpp:
        (JSC::TypeCounter::operator()): Fixed a bug where the type counter would
        overcount objects that were owned through more than one mechanism because
        it was getting in the way of counting the results for this patch.

        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectPrototypeTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable): Added new tables.

        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::getOwnPropertySlot):
        (JSC::ArrayConstructor::getOwnPropertyDescriptor):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        (JSC::ArrayPrototype::getOwnPropertyDescriptor):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        (JSC::BooleanPrototype::getOwnPropertySlot):
        (JSC::BooleanPrototype::getOwnPropertyDescriptor):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::getOwnPropertySlot):
        (JSC::DateConstructor::getOwnPropertyDescriptor):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::getOwnPropertySlot):
        (JSC::ErrorPrototype::getOwnPropertyDescriptor):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure): Standardized these objects
        to use static tables for function properties.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h: Added new tables.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::addStaticGlobals):
        (JSC::JSGlobalObject::getOwnPropertySlot):
        (JSC::JSGlobalObject::getOwnPropertyDescriptor):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSGlobalObjectFunctions.h: Changed JSGlobalObject to use a
        static table for its global functions. This required uninlining some
        things to avoid a circular header dependency. However, those things
        probably shouldn't have been inlined in the first place.
        
        Even more global object properties can be made lazy, but that requires
        more in-depth changes.

        * runtime/MathObject.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        (JSC::NumberConstructor::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::getOwnPropertySlot):
        (JSC::NumberPrototype::getOwnPropertyDescriptor):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        (JSC::ObjectPrototype::put):
        (JSC::ObjectPrototype::getOwnPropertySlot):
        (JSC::ObjectPrototype::getOwnPropertyDescriptor):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        (JSC::RegExpPrototype::getOwnPropertySlot):
        (JSC::RegExpPrototype::getOwnPropertyDescriptor):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::getOwnPropertySlot):
        (JSC::StringConstructor::getOwnPropertyDescriptor):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure): Standardized these objects
        to use static tables for function properties.

2011-06-05  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/9556885> iOS: Disable C++ exceptions when building with clang

        Reviewed by Anders Carlsson.

        Set GCC_ENABLE_CPP_EXCEPTIONS_LLVM_COMPILER to NO.

        * Configurations/Base.xcconfig:

2011-05-27  Oliver Hunt  <oliver@apple.com>

        Further build fix.

        * runtime/JSGlobalData.cpp:

2011-05-27  Oliver Hunt  <oliver@apple.com>

    Build fix

    Merge r87550

    2011-05-27  Patrick Gansterer  <paroga@webkit.org>

            Unreviewed. Build fix for !ENABLE(ASSEMBLER) after r87527.

            * runtime/JSGlobalData.cpp:
            (JSGlobalData::JSGlobalData):

2011-05-27  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/8943166> Crash after running out of executable memory @ palmbrasil.com.br (requires 22.2MB)

    Merging r87327, r87436, r87445, and r87527

    2011-05-27  Oliver Hunt  <oliver@apple.com>

            Reviewed by Geoffrey Garen.

            Try to release unused executable memory when the FixedVMPool allocator is under pressure
            https://bugs.webkit.org/show_bug.cgi?id=61651

            Rather than crashing when full the FixedVMPool allocator now returns a null
            allocation.  We replace the code that used to CRASH() on null allocations
            with logic that asks the provided globalData to release any executable memory
            that it can.  Currently this just means throwing away all regexp code, but
            in future we'll try to be more aggressive.

            * assembler/ARMAssembler.cpp:
            (JSC::ARMAssembler::executableCopy):
            * assembler/ARMAssembler.h:
            * assembler/AssemblerBuffer.h:
            (JSC::AssemblerBuffer::executableCopy):
            * assembler/AssemblerBufferWithConstantPool.h:
            * assembler/LinkBuffer.h:
            (JSC::LinkBuffer::LinkBuffer):
            (JSC::LinkBuffer::linkCode):
            * assembler/MIPSAssembler.h:
            (JSC::MIPSAssembler::executableCopy):
            * assembler/SH4Assembler.h:
            (JSC::SH4Assembler::executableCopy):
            * assembler/X86Assembler.h:
            (JSC::X86Assembler::executableCopy):
            (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
            * dfg/DFGJITCompiler.cpp:
            (JSC::DFG::JITCompiler::compileFunction):
            * jit/ExecutableAllocator.h:
            (JSC::ExecutablePool::create):
            (JSC::ExecutablePool::alloc):
            (JSC::ExecutableAllocator::ExecutableAllocator):
            (JSC::ExecutableAllocator::poolForSize):
            (JSC::ExecutablePool::ExecutablePool):
            (JSC::ExecutablePool::poolAllocate):
            * jit/ExecutableAllocatorFixedVMPool.cpp:
            (JSC::FixedVMPoolAllocator::alloc):
            * jit/JIT.cpp:
            (JSC::JIT::privateCompile):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::privateCompileCTIMachineTrampolines):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::privateCompileCTIMachineTrampolines):
            (JSC::JIT::privateCompileCTINativeCall):
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::stringGetByValStubGenerator):
            (JSC::JIT::privateCompilePutByIdTransition):
            (JSC::JIT::privateCompilePatchGetArrayLength):
            (JSC::JIT::privateCompileGetByIdProto):
            (JSC::JIT::privateCompileGetByIdSelfList):
            (JSC::JIT::privateCompileGetByIdProtoList):
            (JSC::JIT::privateCompileGetByIdChainList):
            (JSC::JIT::privateCompileGetByIdChain):
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::stringGetByValStubGenerator):
            (JSC::JIT::privateCompilePutByIdTransition):
            (JSC::JIT::privateCompilePatchGetArrayLength):
            (JSC::JIT::privateCompileGetByIdProto):
            (JSC::JIT::privateCompileGetByIdSelfList):
            (JSC::JIT::privateCompileGetByIdProtoList):
            (JSC::JIT::privateCompileGetByIdChainList):
            (JSC::JIT::privateCompileGetByIdChain):
            * jit/SpecializedThunkJIT.h:
            (JSC::SpecializedThunkJIT::finalize):
            * jit/ThunkGenerators.cpp:
            (JSC::charCodeAtThunkGenerator):
            (JSC::charAtThunkGenerator):
            (JSC::fromCharCodeThunkGenerator):
            (JSC::sqrtThunkGenerator):
            (JSC::powThunkGenerator):
            * runtime/JSGlobalData.cpp:
            (JSC::JSGlobalData::JSGlobalData):
            (JSC::JSGlobalData::releaseExecutableMemory):
            (JSC::releaseExecutableMemory):
            * runtime/JSGlobalData.h:
            * runtime/RegExpCache.cpp:
            (JSC::RegExpCache::invalidateCode):
            * runtime/RegExpCache.h:
            * yarr/YarrJIT.cpp:
            (JSC::Yarr::YarrGenerator::compile):

    2011-05-26  Oliver Hunt  <oliver@apple.com>

            Reviewed by Geoffrey Garen.

            Make RegExpCache a weak map
            https://bugs.webkit.org/show_bug.cgi?id=61554

            Switch to a weak map for the regexp cache, and hide that
            behaviour behind RegExp::create.

            When a RegExp is compiled it attempts to add itself to
            the "strong" cache.  This cache is a simple round-robin
            buffer as was the old strong cache.  Happily this can
            be smaller than the old strong cache as RegExps are only
            added when they're compiled so it is under less pressure
            to evict.

            * bytecompiler/NodesCodegen.cpp:
            (JSC::RegExpNode::emitBytecode):
            * runtime/RegExp.cpp:
            (JSC::RegExp::RegExp):
            (JSC::RegExp::create):
            (JSC::RegExp::match):
            * runtime/RegExp.h:
            (JSC::RegExp::gcShouldInvalidateCode):
            (JSC::RegExp::hasCode):
            (JSC::RegExp::key):
            * runtime/RegExpCache.cpp:
            (JSC::RegExpCache::lookupOrCreate):
            (JSC::RegExpCache::RegExpCache):
            (JSC::RegExpCache::isReachableFromOpaqueRoots):
            (JSC::RegExpCache::finalize):
            * runtime/RegExpCache.h:
            * runtime/RegExpConstructor.cpp:
            (JSC::constructRegExp):
            * runtime/RegExpPrototype.cpp:
            (JSC::regExpProtoFuncCompile):
            * runtime/StringPrototype.cpp:
            (JSC::stringProtoFuncMatch):
            (JSC::stringProtoFuncSearch):

    2011-05-25  Oliver Hunt  <oliver@apple.com>

            Reviewed by Geoffrey Garen.

            Make RegExp GC allocated
            https://bugs.webkit.org/show_bug.cgi?id=61490

            Make RegExp GC allocated.  Basically mechanical change to replace
            most use of [Pass]RefPtr<RegExp> with RegExp* or WriteBarrier<RegExp>
            where actual ownership happens.

            Made the RegExpCache use Strong<> references currently to avoid any
            changes in behaviour.

            * JavaScriptCore.exp:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::visitAggregate):
            * bytecode/CodeBlock.h:
            (JSC::CodeBlock::addRegExp):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::addRegExp):
            (JSC::BytecodeGenerator::emitNewRegExp):
            * bytecompiler/BytecodeGenerator.h:
            * runtime/JSCell.h:
            * runtime/JSGlobalData.cpp:
            (JSC::JSGlobalData::JSGlobalData):
            (JSC::JSGlobalData::clearBuiltinStructures):
            (JSC::JSGlobalData::addRegExpToTrace):
            * runtime/JSGlobalData.h:
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::reset):
            * runtime/RegExp.cpp:
            (JSC::RegExp::RegExp):
            (JSC::RegExp::create):
            (JSC::RegExp::invalidateCode):
            * runtime/RegExp.h:
            (JSC::RegExp::createStructure):
            * runtime/RegExpCache.cpp:
            (JSC::RegExpCache::lookupOrCreate):
            (JSC::RegExpCache::create):
            * runtime/RegExpCache.h:
            * runtime/RegExpConstructor.cpp:
            (JSC::constructRegExp):
            * runtime/RegExpObject.cpp:
            (JSC::RegExpObject::RegExpObject):
            (JSC::RegExpObject::visitChildren):
            * runtime/RegExpObject.h:
            (JSC::RegExpObject::setRegExp):
            (JSC::RegExpObject::RegExpObjectData::RegExpObjectData):
            * runtime/RegExpPrototype.cpp:
            (JSC::RegExpPrototype::RegExpPrototype):
            (JSC::regExpProtoFuncCompile):
            * runtime/RegExpPrototype.h:
            * runtime/StringPrototype.cpp:
            (JSC::stringProtoFuncMatch):
            (JSC::stringProtoFuncSearch):

    2011-05-25  Oliver Hunt  <oliver@apple.com>

            Reviewed by Geoffrey Garen.

            Generate regexp code lazily
            https://bugs.webkit.org/show_bug.cgi?id=61476

            RegExp construction now simply validates the RegExp, it does
            not perform actual codegen.

            * runtime/RegExp.cpp:
            (JSC::RegExp::RegExp):
            (JSC::RegExp::recompile):
            (JSC::RegExp::compile):
            (JSC::RegExp::match):
            * runtime/RegExp.h:
            (JSC::RegExp::recompileIfNecessary):
            * runtime/RegExpConstructor.h:
            (JSC::RegExpConstructor::performMatch):
            * runtime/RegExpObject.cpp:
            (JSC::RegExpObject::match):
            * runtime/StringPrototype.cpp:
            (JSC::stringProtoFuncReplace):
            (JSC::stringProtoFuncMatch):
            (JSC::stringProtoFuncSearch):
            (JSC::stringProtoFuncSplit):

2011-05-25  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9501227> REGRESSION(r1024836): Crash in JSC::JIT::privateCompileCTIMachineTrampolines in many apps on resume

    Merge ToT WebKit r87308

    2011-05-25  Oliver Hunt  <oliver@apple.com>

            Reviewed by Geoffrey Garen.

            Make allocations with guard pages ensure that the allocation succeeded
            https://bugs.webkit.org/show_bug.cgi?id=61453

            Add null checks, and make PageBlock's operator bool() use
            the realbase, rather than the start of usable memory.

            * wtf/OSAllocatorPosix.cpp:
            (WTF::OSAllocator::reserveAndCommit):
            * wtf/PageBlock.h:
            (WTF::PageBlock::operator bool):
            (WTF::PageBlock::PageBlock):

2011-05-24  Oliver Hunt  <oliver@apple.com>

    Remove accidental change to Source/JavaScriptCore/ChangeLog

    * ChangeLog: revert accidentally committed change

2011-05-24  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9231233> exception handler being called incorrectly in Interpreter

    Merged ToT WebKit r86960

    2011-05-20  Oliver Hunt  <oliver@apple.com>

            Reviewed by Sam Weinig.

            Interpreter uses wrong bytecode offset for determining exception handler
            https://bugs.webkit.org/show_bug.cgi?id=61191

            The bytecode offset given for the returnPC from the JIT is
            actually the offset for the start of the instruction triggering
            the call, whereas in the interpreter it is the actual return
            VPC.  This means if the next instruction following a call was
            in an exception region we would incorrectly redirect to its
            handler.  Long term we want to completely redo how exceptions
            are handled anyway so the simplest and lowest risk fix here is
            to simply subtract one from the return vPC so that we have an
            offset in the triggering instruction.

            It turns out this is caught by a couple of tests already.

            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::unwindCallFrame):

2011-05-24  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/8887771> Add a guard page on each side of the JIT executable region

    Merged ToT WebKit r86906

    2011-05-19  Oliver Hunt  <oliver@apple.com>

            Reviewed by Gavin Barraclough.

            Add guard pages to each end of the memory region used by the fixedvm allocator
            https://bugs.webkit.org/show_bug.cgi?id=61150

            Add mechanism to notify the OSAllocator that pages at either end of an
            allocation should be considered guard pages.  Update PageReservation,
            PageAllocation, etc to handle this.

            * JavaScriptCore.exp:
            * jit/ExecutableAllocatorFixedVMPool.cpp:
            (JSC::FixedVMPoolAllocator::FixedVMPoolAllocator):
            * wtf/OSAllocator.h:
            * wtf/OSAllocatorPosix.cpp:
            (WTF::OSAllocator::reserveUncommitted):
            (WTF::OSAllocator::reserveAndCommit):
            * wtf/PageAllocation.h:
            (WTF::PageAllocation::PageAllocation):
            * wtf/PageAllocationAligned.h:
            (WTF::PageAllocationAligned::PageAllocationAligned):
            * wtf/PageBlock.h:
            (WTF::PageBlock::PageBlock):
            * wtf/PageReservation.h:
            (WTF::PageReservation::reserve):
            (WTF::PageReservation::reserveWithGuardPages):
                Add a new function to make a reservation that will add guard
                pages to the ends of an allocation.
            (WTF::PageReservation::PageReservation):

2011-05-24  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9470482> GC allocated executables are destroyed lazily, so release executable memory slowly
    
    Merged ToT WebKit r86883
    
    2011-05-19  Oliver Hunt  <oliver@apple.com>

            Reviewed by Geoffrey Garen.

            Make Executables release their JIT code as soon as they become dead
            https://bugs.webkit.org/show_bug.cgi?id=61134

            Add an ability to clear an Executable's jit code without requiring
            it to be destroyed, and then call that from a finalizer.

            * heap/Weak.h:
            (JSC::Weak::Weak):
            (JSC::Weak::leak):
            * jit/JITCode.h:
            (JSC::JITCode::clear):
            * runtime/Executable.cpp:
            (JSC::ExecutableFinalizer::finalize):
            (JSC::ExecutableBase::executableFinalizer):
            * runtime/Executable.h:
            (JSC::ExecutableBase::ExecutableBase):
            (JSC::ExecutableBase::clearExecutableCode):

2011-05-24  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/9240218> Consider removing branchConvertDoubleToInt32

    Merged ToT WebKit r86968

    2011-05-20  Oliver Hunt  <oliver@apple.com>

            Reviewed by Sam Weinig.

            Remove unnecessary double->int conversion at the end of op_div
            https://bugs.webkit.org/show_bug.cgi?id=61198

            We don't attempt this conversion on 64bit, removing it actually speeds
            up sunspider and v8 slightly, and it reduces code size.

            * jit/JITArithmetic32_64.cpp:
            (JSC::JIT::emit_op_div):

2011-05-24  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/8881410> Investigation: Harden against JIT spraying attacks

    Merged ToT WebKit r86919

    2011-05-19  Oliver Hunt  <oliver@apple.com>

            Reviewed by Gavin Barraclough.

            Randomise code starting location a little
            https://bugs.webkit.org/show_bug.cgi?id=61161

            Add a nop() function to the Assemblers so that we
            can randomise code offsets slightly at no real cost.

            * assembler/ARMAssembler.h:
            (JSC::ARMAssembler::nop):
            * assembler/ARMv7Assembler.h:
            (JSC::ARMv7Assembler::nop):
            * assembler/MacroAssemblerARM.h:
            (JSC::MacroAssemblerARM::nop):
            * assembler/MacroAssemblerARMv7.h:
            (JSC::MacroAssemblerARMv7::nop):
            * assembler/MacroAssemblerMIPS.h:
            (JSC::MacroAssemblerMIPS::nop):
            * assembler/MacroAssemblerSH4.h:
            (JSC::MacroAssemblerSH4::nop):
            * assembler/MacroAssemblerX86Common.h:
            (JSC::MacroAssemblerX86Common::nop):
            * assembler/X86Assembler.h:
            (JSC::X86Assembler::nop):
            * jit/JIT.cpp:
            (JSC::JIT::JIT):
            (JSC::JIT::privateCompile):
            * jit/JIT.h:
            * runtime/WeakRandom.h:
            (JSC::WeakRandom::getUint32):

2011-05-24  Oliver Hunt  <oliver@apple.com>

    <rdar://problem/8247576> JSC should limit inline PIC offsets to fit in single instruction loads on ARMv7

    Merged ToT WebKit r86999

    2011-05-20  Oliver Hunt  <oliver@apple.com>

            Reviewed by Gavin Barraclough.

            Reduce size of inline cache path of get_by_id on ARMv7
            https://bugs.webkit.org/show_bug.cgi?id=61221

            This reduces the code size of get_by_id by 20 bytes

            * assembler/ARMv7Assembler.h:
            (JSC::ARMv7Assembler::ldrCompact):
            (JSC::ARMv7Assembler::repatchCompact):
            (JSC::ARMv7Assembler::setUInt7ForLoad):
            * assembler/MacroAssemblerARMv7.h:
            (JSC::MacroAssemblerARMv7::load32WithCompactAddressOffsetPatch):
            * jit/JIT.h:

2011-05-24  Oliver Hunt  <oliver@apple.com>

     <rdar://problem/9493374> scripter crashing in JavaScriptCore: JSC::slowValidateCell
     
     Merged ToT WebKit r87190

     2011-05-24  Oliver Hunt  <oliver@apple.com>

            Reviewed by Gavin Barraclough.

            Interpreter crashes with gc validation enabled due to failure to mark initial cache structure
            https://bugs.webkit.org/show_bug.cgi?id=61385

            The interpreter uses the structure slot of get_by_id and put_by_id to hold
            the initial structure it encountered so that it can identify whether a
            given access is stable.

            When marking though we only visit the slot when we've decided to cache, and
            so this value could die.  This was "safe" as the value was only used for a
            pointer compare, but it was incorrect.  We now just mark the slot like we
            should have been doing already.

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::visitStructures):

2011-05-16  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/9449255> No need to explicitly cleanup JIT code when handling memory warning

        Reviewed by Geoffrey Garen.

        Revert changes made for <rdar://problem/9392975> since we now clean up JIT code on
        JavaScript garbage collection. This behavior was added in the merge of opensource r86510.

        * JavaScriptCore.exp:

2011-05-16  Pratik Solanki  <psolanki@apple.com>

        Part of <rdar://problem/9449162> REGRESSION: SunSpider ~7% slower in browser than on command line (was 17%)

        Merged ToT WebKit r86510.

    2011-05-15  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Maciej Stachowiak.

        Partial fix for <rdar://problem/9417875> REGRESSION: SunSpider ~17% slower
        in browser than on command line
        
        This patch fixes a few issues in generated code that could unreasonably
        prolong object lifetimes.

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage): Throw away all function code before doing
        a major collection. We want to clear polymorphic caches, since they can
        keep alive large object graphs that have gone "stale". For the same reason,
        but to a lesser extent, we also want to clear linked functions and other
        one-off caches.

        This has the side-benefit of reducing memory footprint from run-once
        functions, and of allowing predictions and caches that have failed to
        re-specialize.

        Eventually, if compilation costs rise far enough, we may want a more
        limited strategy for de-specializing code without throwing it away
        completely, but this works for now, and it's the simplest solution.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * runtime/JSFunction.cpp: Made the host function stub cache weak --
        otherwise it's effectively a memory leak that can seriously fragment the
        GC and JIT heaps.

        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::visitChildren): Cleared up some comments that confused
        me when working with this code.

2011-05-16  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/9446250> Exceptions not disabled in ARM builds

        Merged ToT WebKit r86598.

    2011-05-16  David Kilzer  <ddkilzer@apple.com>

        <http://webkit.org/b/60913> C++ exceptions should not be enabled when building with llvm-gcc-4.2
        <rdar://problem/9446430>

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Fixed typo.

2011-05-05  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by Simon Fraser.

        Remove ENABLE(RANGETYPE_AS_TEXT).

        * wtf/Platform.h:

2011-05-09  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/9392975> Should clean up JIT code when we get a memory warning

        Reviewed by Oliver Hunt and David Kilzer.

        * JavaScriptCore.exp: Export JSGlobalData::recompileAllJSFunctions

2011-05-02  Oliver Hunt  <oliver@apple.com>

        Rubber stamped by Gavin Barraclough.

        <rdar://problem/9344858> Crash in Scripter beneath Structure::materializePropertyMap running URL stress test

        Merge <http://trac.webkit.org/changeset/85523>.

        2011-05-02  Oliver Hunt  <oliver@apple.com>

                Reviewed by Gavin Barraclough.

                Correct marking of interpreter data in mixed mode builds
                https://bugs.webkit.org/show_bug.cgi?id=59962

                We had a few places in mixed mode builds where we would not
                track data used by the interpreter for marking.  This patch
                corrects the problem and adds a number of assertions to catch
                live Structures being collected.

                * JavaScriptCore.exp:
                * assembler/ARMv7Assembler.h:
                (JSC::ARMv7Assembler::ARMInstructionFormatter::debugOffset):
                * bytecode/CodeBlock.cpp:
                (JSC::CodeBlock::dump):
                * bytecode/CodeBlock.h:
                (JSC::CodeBlock::addPropertyAccessInstruction):
                (JSC::CodeBlock::addGlobalResolveInstruction):
                (JSC::CodeBlock::addStructureStubInfo):
                (JSC::CodeBlock::addGlobalResolveInfo):
                * bytecompiler/BytecodeGenerator.cpp:
                (JSC::BytecodeGenerator::emitResolve):
                (JSC::BytecodeGenerator::emitResolveWithBase):
                (JSC::BytecodeGenerator::emitGetById):
                (JSC::BytecodeGenerator::emitPutById):
                (JSC::BytecodeGenerator::emitDirectPutById):
                * runtime/Structure.cpp:
                (JSC::Structure::materializePropertyMap):
                * runtime/Structure.h:
                (JSC::Structure::typeInfo):
                (JSC::Structure::previousID):
                (JSC::Structure::propertyStorageCapacity):
                (JSC::Structure::propertyStorageSize):
                (JSC::Structure::get):
                (JSC::Structure::materializePropertyMapIfNecessary):

2011-04-29  Andy Estes  <aestes@apple.com>

        Rubber-stamped by Simon Fraser.

        Merge <http://trac.webkit.org/changeset/85361>.
        
        2011-04-29  Gavin Barraclough  <barraclough@apple.com> 

         	    Reviewed by Oliver Hunt & Geoff Garen. 

         	    https://bugs.webkit.org/show_bug.cgi?id=59221 
         	    [RegexFuzz] Regression blocking testing 

         	    Okay, so the bug here is that when, in the case of a TypeParentheticalAssertion 
         	    node, emitDisjunction recursively calls to itself to emit the nested disjunction 
         	    the value of parenthesesInputCountAlreadyChecked is bogus (doesn't take into 
         	    account the uncheck that has just taken place). 

         	    Also, the special handling given to countToCheck in the case of parenthetical 
         	    assertions is nonsense, delete it, along with the isParentheticalAssertion argument. 

         	    * yarr/YarrInterpreter.cpp: 
         	    (JSC::Yarr::ByteCompiler::emitDisjunction):

2011-04-27  Yongjun Zhang  <yongjun_zhang@apple.com>

        Reviewed by NOBODY (OOPS!).

        <rdar://problem/9349760> Merge Stabilization: Merge iOS WebKit up to ToT WebKit r84942

        Filed open source bug https://bugs.webkit.org/show_bug.cgi?id=59770, will remove this change if open source
        change gets landed.

        ToT WebKit r81135 added WTF_EXPORT_PRIVATE to wtf/Assertions.  The macro is defined in JavaScriptCore's or
        WebCore's config.h which is included as the first header file for each source file. However, for projects like
        UIKit or MobileSafari, config.h doesn't exist and compiler complains the undefined WTF_EXPORT_PRIVATE. Since
        WTF_EXPORT_PRIVATE only makes sense when compiling JavaScriptCore, we can always turn it to empty macro if
        it is not defined.

        * wtf/Assertions.h:

2011-04-15  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by NOBODY (OOPS!).

        <rdar://problem/6591720> Support Web Inspector on iPhone Simulator using MobileSafari/Web.app

        * Configurations/FeatureDefines.xcconfig: Add REMOTE_INSPECTOR Feature.

2011-03-28  Joseph Pecoraro  <joepeck@webkit.org>

        <rdar://problem/9197849> Leaked JSC::PropertyTable seen in AppStore

        Merged ToT WebKit r81420.

    2011-03-17  Geoffrey Garen  <ggaren@apple.com>

            Reviewed by Mark Rowe.

            Fixed some string leaks seen on the buildbot
            https://bugs.webkit.org/show_bug.cgi?id=56619

            * runtime/PropertyMapHashTable.h:
            (JSC::PropertyTable::~PropertyTable): DEref!

2011-03-24  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        <rdar://problem/9083011> REGRESSION (Telluride): CRASH beneath JSC::call @ yahoo.com, redfin.com, and others
        
        Merged ToT WebKit r81904.

2011-03-23  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoff Garen.

        <rdar://problem/9123439> Crash in JSC::JSParser::Scope::declareParameter loading google.com

        Export function for registering a thread from JSC so that it can be used from WebCore.

        * JavaScriptCore.exp:

2011-03-23  Geoffrey Garen  <ggaren@apple.com>

        Rubber-stamped by David Kilzer.

        Fixed one case of <rdar://problem/9083011> REGRESSION (Telluride): CRASH
        beneath JSC::call when tapping on links or activating Reader @ yahoo.com

        Merged OpenSource trunk r81751.

        * debugger/Debugger.cpp:
        * runtime/JSGlobalData.cpp:
        (WTF::Recompiler::operator()):

2011-03-22  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8772865> Webkit should use no-copy-cache CFNetwork SPI

        Reviewed by David Kilzer.

        * wtf/Platform.h: Enable HAVE_CFNETWORK_DATA_ARRAY_CALLBACK on iOS.

2011-02-25  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by Yongjun Zhang.

        WebKit Merge Stabilization.

        We were reaching the MaxLargeThreadReentryDepth on the WebThread
        when running fast/xmlhttprequest/xmlhttprequest-recursive-sync-event.html.
        The WebThread's stack size, defined in WebCore/wak/WebCoreThread.mm,
        is 800kb. Rather than increase that size, we will slightly decrease
        the maximum recursion depth to 93. For this test case, 94 works,
        but 95 doesn't. Setting it a little lower allows for some leeway
        for future changes.

        * interpreter/Interpreter.h: decrease MaxLargeThreadReentryDepth from 100 to 93.

2011-02-23  Yongjun Zhang  <yongjun_zhang@apple.com>

        Reviewed by Joseph Pecoraro.

        WebKit Merge Stabilization.

        Revert back to old behavior which used to return 0 instead of
        CRASHing when checking if we can allocate executable memory.
        This is because on iOS isValid() mmap will only return successfully
        when the JIT is enabled and allowed for an application, but
        fail when the JIT is not allowed for an application; yet, all
        applications will take this path and check isValid before
        we know if we are allowed to use the JIT or not.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit): return 0 instead of crashing
        when checking if the allocating executable memory works.

2011-02-23  Yongjun Zhang  <yongjun_zhang@apple.com>

        Reviewed by Joseph Pecoraro.

        WebKit Merge Stabilization.

        Instead of using StackBounds cached in JSGlobalData, we need to retrieve the current StackBounds from
        thread local storage, because in iOS WebKit both main thread and web thread could access the same JSGlobalData.
        We also need to skip consistency check in StackBounds if the current thread is not the thread that initially
        created this stack.

        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::stack): use StackBounds cached in thread local storage.
        * wtf/StackBounds.cpp:
        (WTF::StackBounds::checkConsistency): don't check consistency if the current thread is not the thread created this stack.
        * wtf/StackBounds.h:
        * wtf/WTFThreadData.cpp: initialize StackBounds for the current thread in iOS.
        (WTF::WTFThreadData::WTFThreadData):

2011-02-24  David Kilzer  <ddkilzer@apple.com>

        Part 3 of 3: <rdar://problem/9000689> Symlink JavaScriptCore.framework/Resources/jsc to /usr/local/bin/jsc

        Reviewed by David Carson.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (Copy Into Framework): For Production builds, create a relative
        symlink from JavaScriptCore.framework/Resources/jsc to
        /usr/local/bin/jsc.

2011-02-24  David Kilzer  <ddkilzer@apple.com>

        Part 2 of 3: <rdar://problem/9000689> Symlink JavaScriptCore.framework/Resources/jsc to /usr/local/bin/jsc

        Merged ToT WebKit r79131.

        * JavaScriptCore.xcodeproj/project.pbxproj: Set the INSTALL_PATH
        for the Production_Hardware configuration of jsc target and
        INSTALL_PATH_ACTUAL for the Production_Deployment confifguration.

    2011-02-19  David Kilzer  <ddkilzer@apple.com>

        <http://webkit.org/b/54808> Change jsc target to build directly into JavaScriptCore.framework/Resources/jsc

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig: Added
        JAVASCRIPTCORE_FRAMEWORKS_DIR variable.
        * Configurations/JavaScriptCore.xcconfig: Used
        JAVASCRIPTCORE_FRAMEWORKS_DIR to define INSTALL_PATH.
        * JavaScriptCore.xcodeproj/project.pbxproj: Set the INSTALL_PATH
        for Production configuration of jsc target.
        (Copy Into Framework): Removed old build phase.
        (Fix Framework Reference): Renamed build phase to "Copy Into
        Framework".  Added "set -x" call to make the script print the
        commands it is running.  Added code to exit early for Production
        builds since this was never intended for them.  Added code to
        copy jsc into the JavaScriptCore.framework/Resources directory.

2011-02-24  David Kilzer  <ddkilzer@apple.com>

        Part 1 of 3: <rdar://problem/9000689> Symlink JavaScriptCore.framework/Resources/jsc to /usr/local/bin/jsc

        Revert iOS WebKit r999313.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (Codesign jsc in Framework Bundle): Remove build phase script.

2011-02-17  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8969982> Enable 3D_CANVAS once ANGLE is in the builds

        Reviewed by Joseph Pecoraro.

        Backed out puzzlebox svn r998105 plus fixes.

        * wtf/Platform.h: Re-enable 3D_CANVAS for iOS (but not armv6).

2011-02-15  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/9005073> INSTALL_PATH set incorrectly for Development_Hardware and other configurations

        Reviewed by David Kilzer.

        Do not set INSTALL_PATH to $(BUILT_PRODUCTS_DIR) - it sets the wrong install_name on
        frameworks and breaks loading.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-02-14  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/9000068> Define INSTALL_PATH_ACTUAL for all iOS Simulator targets

        Reviewed by Joseph Pecoraro.

        INSTALL_PATH_ACTUAL must be defined for all iOS Simulator
        targets since it's used in more than just INSTALL_PATH.

        * Configurations/JavaScriptCore.xcconfig: Changed
        INSTALL_PATH_iphonesimulator to be defined as it is in
        IndigoSDK.xcconfig. Added INSTALL_PATH_ACTUAL and
        INSTALL_PATH_ACTUAL_iphonesimulator definitions to cover
        Development, Deployment and Production_Deployment configurations
        of the JavaScriptCore target.
        * JavaScriptCore.xcodeproj/project.pbxproj: Removed
        INSTALL_PATH_ACTUAL for the Production_Deployment configuration
        of the JavaScriptCore target.  Added/updated INSTALL_PATH and
        INSTALL_PATH_ACTUAL definitions for Development, Deployment and
        Production_Deployment configurations of jsc, minidom and testapi
        targets.

2011-02-14  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8995444> Project file changes for Xcode 4

        Rubber-stamped by David Kilzer.

        Add SUPPORTED_PLATFORMS to indicate the platforms supported for each
        configuration. Also set the Base SDK to internal iPhoneOS for all iOS
        targets.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-02-12  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8977538> /System/Library/PrivateFrameworks/JavaScriptCore.framework/Resources/jsc is missing JIT entitlement

        Rubber-stamped by David Carson.

        * JavaScriptCore.xcodeproj/project.pbxproj: Add a
        "Codesign jsc in Framework Bundle" build phase script.

2011-02-11  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by David Kilzer.

        <rdar://problem/8992976> r999053 causes WebCore to have the wrong install_name

        Restore INSTALL_PATH_ACTUAL to prevent breaking
        LD_DYLIB_INSTALL_NAME_mh_dylib for Production_Deployment
        simulator builds.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-02-11  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8984033> Clean up INSTALL_PATH and INSTALL_PATH_ACUTAL in JavaScriptCore/WebCore/WebKit

        Reviewed by Joseph Pecoraro.

        There are two main fixes here:

        1. Define INSTALL_PATH in ProjectName.xcconfig for all
        platforms (iphoneos, iphonesimulator, macosx).

        2. Clean up the Xcode project file to define INSTALL_PATH only
        when the Mac OS X configurations (Debug, Release, Production)
        define it, or when a target doesn't use ProjectName.xcconfig to
        define INSTALL_PATH.

        In all cases we eschew INSTALL_PATH_ACTUAL in favor of using
        INDIGO_INSTALL_PATH_PREFIX for iOS Simulator configurations. The
        only exceptions are Development and Deployment configurations
        which always build into BUILT_PRODUCTS_DIR.

        * Configurations/JavaScriptCore.xcconfig: Define INSTALL_PATH
        for all platforms.
        * JavaScriptCore.xcodeproj/project.pbxproj: Clean up use of
        INSTALL_PATH and INSTALL_PATH_ACTUAL to match Mac OS X
        configurations.

2011-02-11  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by Pratik Solanki.

        <rdar://problem/8967636> Re-enable JIT support for Telluride

        Re-enable the JIT. Patch by Gavin Barraclough.
        mmap won't normally allow RWX memory on iOS, if you request
        RWX it'll actually just give you RW. By passing MAP_JIT we
        can get RWX.

        * wtf/PageAllocation.h:
        (WTF::PageAllocation::systemAllocateAt): pass MAP_JIT when we want executable memory.
        * wtf/Platform.h:

2011-02-10  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by Geoffrey Garen.

        <rdar://problem/8978376> REGRESSION(9A126): Crash in JSC::DefaultGCActivityCallback::DefaultGCActivityCallback running jsc and scripter

        Normal DefaultGCActivity should happen on the runloop of the thread that creates
        the Heap. That way when timer based Garbage Collection needs to happen, it can
        safely happen on the runloop of the single thread that has access to that Heap.

        In r998045 I attempted to schedule all DefaultGCActivityCallback timers on a
        WebThreadRunLoop. This was incorrect because it did not correctly handle
        Workers that create separate Heaps on Worker threads, and also direct users
        of JavaScriptCore who don't even have WebThreads! That change is reverted here.

        This solution leaves the general case alone and more directly schedules Garbage
        Collection of WebCore's shared JSGlobalData (commonJSGlobalData) Heap on the
        WebThread's runloop. It does this by implementing a custom WebSafeGCActivityCallback,
        and sets that as the activity callback when the commonJSGlobalData is created.
        This custom callback is scheduled on the WebThread's run loop.

        I've tested this with scripter on a device (main thread using JSC without WebCore),
        and verified that this does not regress the Worker thread case which had an
        attempted fixed in r998436.

        Many of the changes here landed in ToT WebKit r78291 and r78292.

        * JavaScriptCore.exp: export the protected GCActivityCallback pieces.
        * JavaScriptCore.xcodeproj/project.pbxproj: export GCActivityCallback.h so WebCore can access it.
        * runtime/GCActivityCallback.h:
        * runtime/GCActivityCallbackCF.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback): added a constructor that can specify the CFRunLoop.
        (JSC::DefaultGCActivityCallback::commonConstructor): common initialization with a heap and run loop.
        (JSC::DefaultGCActivityCallback::operator()):
        * wtf/iphone/WebCoreThread.cpp: no longer need access to WebThreadRunLoop.
        * wtf/iphone/WebCoreThread.h: no longer need access to WebThreadRunLoop.

2011-02-08  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8972084> LayoutTest: DRT crash on fast/workers/worker-cloneport.html

        Reviewed by David Carson.

        GC triggered on Worker threads needs to occur on that thread. The code would try schedule
        all GCs on the web thread which caused assertions to be triggered when worker threads were
        used. Updated the code so that GC from main thread gets scheduled on the web thread but in
        all other cases GC runs on the same thread.

        * runtime/GCActivityCallbackCF.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):

2011-02-07  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by David Carson.

        <rdar://problem/8969648> Disable 3D_CANVAS until ANGLE is in the builds

        * wtf/Platform.h: temporarily disable 3D_CANVAS.

2011-02-07  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by Yongjun Zhang.

        WebKit Merge Stabilization

        Temporarily disable the JIT on Telluride.

        * wtf/Platform.h:

2011-02-04  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by Yongjun Zhang.

        WebKit Merge Stabilization

        Garbage collection happens on a CFRunLoop. We want to ensure
        that it happens on the WebThread's run loop, because otherwise
        there could be conflicts if the WebThread was doing work
        with the objects being collected.

        * JavaScriptCore.exp: export the function to be filled.
        * runtime/GCActivityCallbackCF.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback): use the WebThreadRunLoop for Garbage Collection events.
        * wtf/iphone/WebCoreThread.cpp: expose a function to be filled by WebCore to get the WebThreadRunLoop.
        * wtf/iphone/WebCoreThread.h: expose a function to be filled by WebCore to get the WebThreadRunLoop.

2011-02-04  Joseph Pecoraro  <joepeck@webkit.org>

        Merge ToT WebKit r69096.

    2010-10-05  Oliver Hunt  <oliver@apple.com>

            Reviewed by Darin Adler.

            REGRESSION(r68338): JavaScript error on PowerPC only (crashes on Interpreter built for x86_64)
            https://bugs.webkit.org/show_bug.cgi?id=46690

            Use the correct register value when initialising the arguments
            object in the interpreter.  This is covered by existing tests.

            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::privateExecute):

2011-01-29  Cameron Zwarich  <zwarich@apple.com>

        Remove a comment that suggests removing a call to strncpy(). strncpy() is the safe one!

        Reviewed by David Kilzer.

        * runtime/NumberPrototype.cpp:
        (JSC::integerPartNoExp):

2011-01-29  Cameron Zwarich  <zwarich@apple.com>

        Not reviewed.

        Merge ToT WebKit r77065.

    2011-01-29  Cameron Zwarich  <zwarich@apple.com>

        Reviewed by Oliver Hunt.

        JavaScriptCoreUseJIT environment variable broken
        https://bugs.webkit.org/show_bug.cgi?id=53372

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): Check the actual value in the string returned
        by getenv() rather than just doing a NULL check on the return value.

2011-01-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        <rdar://problem/8902297> REGRESSION: After loading ~100 websites,
        Safari often crashes due to executable memory limit (8F162)

        The crashes here seem to come from external fragmentation in the
        FixedVMPoolAllocator. Switch from best fit to first fit.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::AllocationTableSizeClass::AllocationTableSizeClass):
        (JSC::AllocationTableSizeClass::blockSize):
        (JSC::AllocationTableSizeClass::blockCount):
        (JSC::AllocationTableSizeClass::blockAlignment):
        (JSC::AllocationTableSizeClass::size):
        (JSC::AllocationTableLeaf::AllocationTableLeaf):
        (JSC::AllocationTableLeaf::~AllocationTableLeaf):
        (JSC::AllocationTableLeaf::allocate):
        (JSC::AllocationTableLeaf::free):
        (JSC::AllocationTableLeaf::isEmpty):
        (JSC::AllocationTableLeaf::isFull):
        (JSC::AllocationTableLeaf::size):
        (JSC::AllocationTableLeaf::classForSize):
        (JSC::AllocationTableLeaf::dump):
        (JSC::LazyAllocationTable::LazyAllocationTable):
        (JSC::LazyAllocationTable::~LazyAllocationTable):
        (JSC::LazyAllocationTable::allocate):
        (JSC::LazyAllocationTable::free):
        (JSC::LazyAllocationTable::isEmpty):
        (JSC::LazyAllocationTable::isFull):
        (JSC::LazyAllocationTable::size):
        (JSC::LazyAllocationTable::dump):
        (JSC::LazyAllocationTable::classForSize):
        (JSC::AllocationTableDirectory::AllocationTableDirectory):
        (JSC::AllocationTableDirectory::~AllocationTableDirectory):
        (JSC::AllocationTableDirectory::allocate):
        (JSC::AllocationTableDirectory::free):
        (JSC::AllocationTableDirectory::isEmpty):
        (JSC::AllocationTableDirectory::isFull):
        (JSC::AllocationTableDirectory::size):
        (JSC::AllocationTableDirectory::classForSize):
        (JSC::AllocationTableDirectory::dump):
        (JSC::FixedVMPoolAllocator::FixedVMPoolAllocator):
        (JSC::FixedVMPoolAllocator::alloc):
        (JSC::FixedVMPoolAllocator::free):
        (JSC::FixedVMPoolAllocator::isValid):
        (JSC::FixedVMPoolAllocator::release):
        (JSC::FixedVMPoolAllocator::reuse):
        (JSC::FixedVMPoolAllocator::classForSize):
        (JSC::FixedVMPoolAllocator::offsetToPointer):
        (JSC::FixedVMPoolAllocator::pointerToOffset):
        (JSC::ExecutableAllocator::isValid):
        (JSC::ExecutablePool::systemAlloc):
        (JSC::ExecutablePool::underMemoryPressure):

2011-01-21  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8098953> Use PLATFORM(IOS) instead of PLATFORM(IPHONE) in WebKit

        Reviewed by Joseph Pecoraro.

        The following macros have been renamed:

        ENABLE(IPHONE_PPT) => ENABLE(IOS_PPT)
        OS(IPHONE_OS) => OS(IOS)
        PLATFORM(IPHONE) => PLATFORM(IOS)
        PLATFORM(IPHONE_SIMULATOR) => PLATFORM(IOS_SIMULATOR)

        The following Xcode variable (in FeatureDefines.xcconfig and
        elsewhere) has been renamed:

        ENABLE_IOS_PPT => ENABLE_IOS_PPT
        WTF_PLATFORM_IPHONE => WTF_PLATFORM_IOS

        [File list elided.]

2011-01-05  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Darin Adler.

        <rdar://problem/8810722>
        MobileSafari: chews up all memory when loading maps.google.com due to ARM codegen bug

        The bug here is that zeroDouble was working inforrectly,
        leading to op_loop_if_true failing - specifically in the
        case where the value being checked is 0.0 encoded as a
        double (rather than an integer immediate).

        This was resulting in an infinite loop pushing to an array
        on maps.google.com, and ultimately memory exhaustion.

        Additionally this patch removes a redundant duplicate compare
        in some (many) case.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::vcmp_F64):
        (JSC::ARMv7Assembler::vcmpz_F64):
            Added support for VCMPZ.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchDoubleNotEqual):
            Changing the interface to benefit ARMv7.
        (JSC::MacroAssemblerARM::branchDoubleEqualOrUnordered):
            Changing the interface to benefit ARMv7.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchDoubleNotEqual):
            Combine these operations, to make use of VMCPZ.
        (JSC::MacroAssemblerARMv7::branchDoubleEqualOrUnordered):
            Combine these operations, to make use of VMCPZ.
        (JSC::MacroAssemblerARMv7::compare32):
            remove redundant duplicate compare.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchDoubleNotEqual):
            Changing the interface to benefit ARMv7.
        (JSC::MacroAssemblerX86Common::branchDoubleEqualOrUnordered):
            Changing the interface to benefit ARMv7.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jfalse):
            Switch to use branchDoubleEqualOrUnordered.
        (JSC::JIT::emit_op_jtrue):
            Switch to use branchDoubleNotEqual.

2010-12-17  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        <rdar://problem/8781129>
        Deeply nested JS expressions can exhaust the stack
        (jsc-tests js1_5/Regress/regress-96526-002.js)

        The stack recursion limit is too high for iOS.
        For now, fix this bug by adjusting the limits and accelerating
        the rate we increment in certain functions which require large
        frames. In the longer term we should actually check stack usage.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::IncreaseEmitNodeDepth::IncreaseEmitNodeDepth):
        (JSC::IncreaseEmitNodeDepth::~IncreaseEmitNodeDepth):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BinaryOpNode::emitStrcat):
        (JSC::ForInNode::emitBytecode):
        (JSC::TryNode::emitBytecode):

2010-12-16  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8737284> Investigate time spent in sys_icache_invalidate and sys_dcache_flush

        Merged ToT WebKit r74210.

    2010-12-16  Pratik Solanki  <psolanki@apple.com>

        Reviewed by Geoffrey Garen.

        https://bugs.webkit.org/show_bug.cgi?id=51166
        ExecutableAllocator::cacheFlush should call sys_cache_control

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush): Use the more correct and forward looking API -
        sys_cache_control(kCacheFunctionPrepareForExecution,...).

2010-12-15  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Pratik Solanki.

        Fixed incorrect #ifdef in Gavin's last patch.

        * runtime/RegExpCache.h: Use PLATFORM(IPHONE), since PLATFORM(IOS) doesn't
        exist on the Durango branch.

2010-12-14  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8771026> Merge r68764 - Remove unnecessary cacheFlush calls from thumb-2

        Merged ToT WebKit r68764.

    2010-09-30  Gabor Loki  <loki@webkit.org>

        Reviewed by Csaba Osztrogonác.

        Remove unnecessary cacheFlush calls from Thumb-2
        https://bugs.webkit.org/show_bug.cgi?id=46702

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::relinkCall):
        (JSC::ARMv7Assembler::repatchInt32):
        (JSC::ARMv7Assembler::repatchPointer):

2010-12-14  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        <rdar://problem/8765333> CRASH running out of executable memory, loading io9.com

        The problem here is that each page uses a reasonable amount of memory, (~4Mb),
        and that when miultiple pages are open we keep all JIT code for all functions
        in all pages alive.

        Add a check to detect high memory pressure situations in the executable allocator
        (>50% of available memory allocated), and upon a top level entry into JSC (no code
        running on the stack) in this situation throw away all JIT code.

        * JavaScriptCore.exp:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions): stop passing exec to recompile.
        * jit/ExecutableAllocator.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutablePool::systemAlloc): Count allocations.
        (JSC::ExecutablePool::systemRelease): Count deallocations.
        (JSC::ExecutablePool::underMemoryPressure): Check memory pressure.
        * jit/ExecutableAllocatorPosix.cpp:
        (JSC::ExecutablePool::underMemoryPressure): Stub out; only meaningful with FixedVMPool.
        * jit/ExecutableAllocatorWin.cpp:
        (JSC::ExecutablePool::underMemoryPressure): Stub out; only meaningful with FixedVMPool.
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::recompile): Remove ExecState argument to recompile.
        * runtime/Executable.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions): throws away all JIT code.
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): add check / call to throw away.

2010-12-14  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        <rdar://problem/8241425> JIT executable memory excessive usage due to regex caching

        Reduce the amount of memory the RegExpCache can hold on to.
        Currently the RegExpCache can hold 256 RegExp objects. If each falls into a separate
        ExecutablePool, with a common size of 16Kb, this means we end up holding onto 4Mb of
        memory. Firstly, we can reduce this by simply reducing the size of the cache to 32
        entries. Secondly, we can use a separate set of ExecutablePools for JIT code generated
        from RegExp objects. This helps in two ways (1) it increases the probability that
        RegExps in the cache share the same pool, and (2) it means that a RegExp can't end
        up holding on to a large ExecutablePool containing a translation of JS code.
        (A RegExp could end up keeping a larger RegExp alive that happened to be sharing the
        same pool, but large RegExp patterns are less common).

        * runtime/JSGlobalData.h:
        * runtime/RegExpCache.h:
        * yarr/RegexJIT.cpp:
        (JSC::Yarr::RegexGenerator::compile):

2010-12-14  Cameron Zwarich  <zwarich@apple.com>

      <rdar://problem/8762579> JavaScriptCore should build successfully with Clang

      Not reviewed.

        Merge Clang build fix r74029 from Open Source.

          2010-12-13  Cameron Zwarich  <zwarich@apple.com>

                  Reviewed by Eric Seidel.

                  Clang fails to build the JSC interpreter
                  https://bugs.webkit.org/show_bug.cgi?id=51016

                  Clang does not allow indirect gotos out of scopes with cleanup. GCC 4.2 allows
                  them, but it does not correctly generate the cleanup, causing a leak if the
                  cleanup decrements a reference count.

                  * interpreter/Interpreter.cpp:
                  (JSC::Interpreter::privateExecute): Put an Identifier into its own scope.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2010-12-13  Cameron Zwarich  <zwarich@apple.com>

        <rdar://problem/8762579> JavaScriptCore should build successfully with Clang

        Not reviewed.

        Merge Clang build fix r73981 from Open Source.

          2010-12-13  Cameron Zwarich  <zwarich@apple.com>

                  Reviewed by Gavin Barraclough.

                  JavaScriptCore should not use "asm volatile" outside of a function
                  https://bugs.webkit.org/show_bug.cgi?id=50991

                  * jit/JITStubs.cpp: Remove the volatile keyword from asm statements.

        * jit/JITStubs.cpp:

2010-12-13  Cameron Zwarich  <zwarich@apple.com>

        <rdar://problem/8762579> JavaScriptCore should build successfully with Clang

        Not reviewed.

        Merge Clang build fix r61203 from Open source.

          2010-06-15  Anders Carlsson  <andersca@apple.com>

                  Reviewed by Sam Weinig.

                  Make JavaScriptCore build with clang++.

                  * jit/JITInlineMethods.h:
                  (JSC::JIT::emitPutVirtualRegister):
                  Explicitly cast to an int.

                  * yarr/RegexCompiler.cpp:
                  (JSC::Yarr::compileRegex):
                  Return 0 instead of false.

        * jit/JITInlineMethods.h:
        (JSC::JIT::emitPutVirtualRegister):
        * yarr/RegexCompiler.cpp:
        (JSC::Yarr::compileRegex):

2010-12-13  Cameron Zwarich  <zwarich@apple.com>

        <rdar://problem/8762579> JavaScriptCore should build successfully with Clang

        Not reviewed.

        Merge Clang build fixes r63578, r73465, and r73467 from Open Source.

          2010-07-16  Anders Carlsson  <andersca@apple.com>

                  Reviewed by Sam Weinig.

                  clang++ build fixes for JavaScriptCore and WebCore
                  https://bugs.webkit.org/show_bug.cgi?id=42478

                  * runtime/RegExpKey.h:
                  (JSC::operator==):
                  Move the RegExpKey equals operator into the JSC namespace so it can be found by ADL.

          2010-12-07  Anders Carlsson  <andersca@apple.com>

                  Reviewed by Darin Adler.

                  Fix clang++ build
                  https://bugs.webkit.org/show_bug.cgi?id=50645

                  Explicitly cast offset to int.

                  * pcre/pcre_ucp_searchfuncs.cpp:
                  (jsc_pcre_ucp_othercase):

          2010-12-07  Anders Carlsson  <andersca@apple.com>

                  Build fix follow up build fix.

                  * pcre/pcre_ucp_searchfuncs.cpp:
                  (jsc_pcre_ucp_othercase):

        * pcre/pcre_ucp_searchfuncs.cpp:
        (jsc_pcre_ucp_othercase):
        * runtime/RegExpKey.h:
        (JSC::operator==):

2010-12-05  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8185630> jsc, minidom and testapi should be built with the entitlement that allows the JIT

        Reviewed by Cameron Zwarich.

        * JavaScriptCore.xcodeproj/project.pbxproj: Added entitlement to
        jsc, minidom and testapi targets for the Development_Hardware,
        Deployment_Hardware and Production_Hardware configurations.
        * entitlements.plist: Added.

2010-11-17  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/6264399> Connect WebKit to memory notifications for all apps

        Reviewed by David Kilzer.

        * JavaScriptCore.exp: Add JSGlobalData::sharedInstanceExists to export list.

2010-11-12  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8655073> Default to armv7 for JavaScriptCore, WebCore, WebKitSystemInterface, WebKit hardware builds

        Reviewed by David Carson.

        * Configurations/DebugRelease.xcconfig: Make armv7 the default
        for hardware builds.

2010-10-28  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by Pratik Solanki, David Kilzer, Ian Henderson, and Yongjun Zhang.

        <rdar://problem/5900435> Image limiting in WebKit is too aggressive

        Add a new ENABLE flag for a DISK_IMAGE_CACHE feature. This feature
        will allow us to memory map images that are taking up a large
        amount of memory on the page and in the Cache. It is disabled by
        default and enabled for iOS.

        * wtf/Platform.h:

2010-11-02  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8620879> contenteditable support should only be enabled for Telluride or later

        Reviewed by Ian Henderson.

        Renamed ENABLE_CONTENTEDITABLE to ENABLE_IOS_CONTENTEDITABLE
        since this macro is only used on iOS WebKit.

        * wtf/Platform.h: Added IOS_5_0_OR_LATER macro.  Changed
        ENABLE_IOS_CONTENTEDITABLE to only be enabled for iOS 5.0 or
        later.

2010-10-19  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/6592830> Enable HTML5 Worker threads

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig: Enable WORKERS, SHARED_WORKERS and
        CHANNEL_MESSAGING.
        * JavaScriptCore.exp:
        * wtf/ThreadSpecific.h:
        (WTF::::replace): Added. Allows caller to replace the thread-specific data with
        the one passed.

2010-10-10  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8502487> Seed: Safari consistently crashes when using .pac file for proxy

        Reviewed by Geoff Garen and Alexey Proskuryakov.

        We need a per-thread WTFThreadData so that JavaScript executing on a
        different thread does not use the IdentifierTable for the main thread.
        Otherwise pac file processing on the CFNetwork thread can result in a
        crash when JavaScript is running on the WebThread.

        But we have to take care that JavaScript running on the main thread and
        the web thread access a shared IdentifierTable. Similarly for
        AtomicStringTable - we have a shared AtomicStringTable between the two
        threads.

        * wtf/MainThread.h:
        * wtf/WTFThreadData.cpp:
        (WTF::WTFThreadData::WTFThreadData):
        * wtf/WTFThreadData.h:
        * wtf/mac/MainThreadMac.mm:
        (WTF::isWebThread):
        * wtf/text/AtomicString.cpp:
        (WebCore::AtomicStringTable::create):

2010-10-08  David Kilzer  <ddkilzer@apple.com>

        Move *.order files into the SDKROOT for iOS

        Reviewed by David Carson.

        Fixes: <rdar://problem/8454660> JavaScriptCore: Move order files to AppleInternal/OrderFiles

        * Configurations/Base.xcconfig: Updated SECTORDER_FLAGS_iphoneos
        to point to JavaScriptCore.order in the SDKROOT.  Removed
        SECTORDER_FLAGS_iphonesimulator since the *.order files are only
        installed in the iPhoneOS.Internal SDK and we don't care about
        Simluator performace.
        * JavaScriptCore.iPhone.order: Removed.

2010-10-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8507290> iOS: [INTERPRETER] Two tests fail with SputnikError: #1.1: if argArray is neither an array nor an arguments object (see 10.1.8), a TypeError exception is thrown (44245)

        Merged ToT WebKit r68076.

    2010-09-22  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        [INTERPRETER] Two tests fail with SputnikError: #1.1: if argArray is neither an array nor an arguments object (see 10.1.8), a TypeError exception is thrown
        https://bugs.webkit.org/show_bug.cgi?id=44245

        Remove incorrect code from op_load_varargs in the interpreter.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2010-10-01  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7826910> iOS: Integer overflows in WebCore: StringBuffer.h

        Merged ToT WebKit r68812.

    2010-09-29  Sam Weinig  <sam@webkit.org>

        Reviewed by Darin Adler.

        Add additional checks to StringBuffer.
        <rdar://problem/7756381>

        * wtf/text/StringBuffer.h:
        (WTF::StringBuffer::StringBuffer):
        (WTF::StringBuffer::resize):

2010-10-01  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8498709> ALWAYS_INLINE should be specified on the function declaration

        Merge in r68899.

    2010-10-01  Pratik Solanki  <psolanki@apple.com>

        Reviewed by Geoffrey Garen.
        Specify ALWAYS_INLINE at function declaration not function definition
        https://bugs.webkit.org/show_bug.cgi?id=46960

        For functions defined with ALWAYS_INLINE, add the attribute to the declaration as well.

        * bytecompiler/BytecodeGenerator.h:
        * wtf/FastMalloc.cpp:

2010-09-27  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Darin Adler.

        <rdar://problem/8362752> REGRESSION: ~6.4% sunspider regression in interpreter on iphone due to 54925
        Random fluctuations in interpreter performance due to function inlining. :-(
        Stop inlining some functions to make the interpreter build happier.

        This change tracked in opensource by https://bugs.webkit.org/show_bug.cgi?id=46680 (landed in r68455).

        * interpreter/Interpreter.cpp:
        (JSC::concatenateStrings):
        (JSC::Interpreter::privateExecute):

2010-09-24  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8362956> REGRESSION: ~9.6% sunspider regression in interpreter on iphone due to 55564

        Merged ToT WebKit r68212.

        This merges the changes made to open source WebKit back to iOS
        WebKit.  There is no change in functionality.

    2010-09-23  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8460731> ~9.9% speedup when compiling interpreter with llvm-gcc-4.2
        https://bugs.webkit.org/show_bug.cgi?id=46423

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute): Disable the gcc computed
        goto hacks added in r55564 when compiling with llvm-gcc-4.2.

2010-09-22  Pratik Solanki  <psolanki@apple.com>

        Reviewed by Cameron Zwarich.

        <rdar://problem/8338046> Use _pthread_getspecific_direct in FastMalloc for 1.3% JS iBench speed boost.

        * wtf/Platform.h: Enable pthread_getspecific for all iOS versions now
        that the blocking radar is fixed.

2010-09-21  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8459236> iOS: REGRESSION: ~1.4% sunspider regression in interpreter on iphone due to 54724 and 54596

        Merged ToT WebKit r67972.

    2010-09-21  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        <rdar://problem/8363003> REGRESSION: ~1.4% sunspider regression in
        interpreter due to 54724 and 54596
        
        Fixed a typo (using "UNLIKELY" instead of "LIKELY").
        
        * wtf/PassRefPtr.h:
        (WTF::refIfNotNull):
        (WTF::derefIfNotNull): It is likely that m_ptr != 0 because most RefPtrs
        hold real data. Also, in cases where they do not hold real data, the
        compiler usually sees a call to release() right before the call to the
        destructor, so it can probably optimize out the test completely.

2010-09-15  David Kilzer  <ddkilzer@apple.com>

        Remove unnecessary HEADER_SEARCH_PATHS variables from Xcode project

        Reviewed by Paul Knight.

        * JavaScriptCore.xcodeproj/project.pbxproj: Removed
        HEADER_SEARCH_PATHS variables that overrode the value in
        Configurations/Base.xcconfig.

2010-09-10  Dean Jackson  <dino@apple.com>

        Reviewed by David Carson.

        <rdar://problem/8414203> Turn WebGL on in compile, but only enable via private API

        Add ENABLE_CANVAS_3D to FeatureDefines for iOS.
        Also, turned on compilation for armv7 but off for armv6 in Platform.h. This
        will stop hardware that doesn't support GLES 2.0 from compiling the code in.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2010-09-02  Yongjun Zhang  <yongjun_zhang@apple.com>

        <rdar://problem/8347745> iOS: REGRESSION (r62896): Interpreter incorrectly excludes prototype chain when validating put_by_id_transition (44240)

        Merged ToT WebKit r65847.

    2010-08-23  Oliver Hunt  <oliver@apple.com>

            Reviewed by Darin Adler.

            [REGRESSION] Interpreter incorrectly excludes prototype chain when validating put_by_id_transition
            https://bugs.webkit.org/show_bug.cgi?id=44240
            <rdar://problem/8328995>

            Fix an error I introduced when cleaning up the interpreter side of the logic
            to prevent setters being called in object initialisers.

            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::privateExecute):

2010-09-02  Yongjun Zhang  <yongjun_zhang@apple.com>

        <rdar://problem/6068284> iOS: Improve Safari protection against JavaScript hijacking Object literal notation

        Merged ToT WebKit r62896.

        * interpreter/Interpreter.cpp: Changed codeBlock to callFrame->codeBlock() since local variable codeBlock is added in an earlier patch.

    2010-07-08  Oliver Hunt  <oliver@apple.com>

            Reviewed by Sam Weinig.

            Property declarations in an object literal should not consider the prototype chain when being added to the new object
            https://bugs.webkit.org/show_bug.cgi?id=41929

            To fix this all we need to do is ensure that all new properties are
            added with putDirect rather than a fully generic call to put.  This
            is safe as an object literal is by definition going to produce a
            completely normal object.

            Rather than duplicating all the put_by_id logic we add an additional
            flag to op_put_by_id to indicate it should be using putDirect.  In
            the interpreter this adds a runtime branch, but in the jit this is
            essentially free as the branch is taken at compile time.  This does
            actually improve object literal creation time even in the interpreter
            as we no longer need to walk the prototype chain to verify that the
            cached put is safe.

            We still emit normal put_by_id code when emitting __proto__ as we want
            to get the correct handling for changing the prototype.

            Sunspider claims this is a 0.7% speedup which is conceivably real due
            to the performance improvement in object literals, but I suspect its
            really just the result of code motion.

            * bytecode/Opcode.h:
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitPutById):
            (JSC::BytecodeGenerator::emitDirectPutById):
            * bytecompiler/BytecodeGenerator.h:
            * bytecompiler/NodesCodegen.cpp:
            (JSC::PropertyListNode::emitBytecode):
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::privateExecute):
            * jit/JIT.h:
            (JSC::JIT::compilePutByIdTransition):
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_put_by_id):
            (JSC::JIT::emitSlow_op_put_by_id):
            (JSC::JIT::privateCompilePutByIdTransition):
            (JSC::JIT::patchPutByIdReplace):
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emitSlow_op_put_by_id):
            (JSC::JIT::privateCompilePutByIdTransition):
            (JSC::JIT::patchPutByIdReplace):
            * jit/JITStubs.cpp:
            (JSC::JITThunks::tryCachePutByID):
            (JSC::DEFINE_STUB_FUNCTION):
            * jit/JITStubs.h:
            (JSC::):
            * runtime/JSGlobalData.cpp:
            (JSC::JSGlobalData::JSGlobalData):
            * runtime/JSObject.h:
            (JSC::JSObject::putDirect):
            (JSC::JSValue::putDirect):
            * runtime/JSValue.h:

2010-08-31  Dean Jackson  <dino@apple.com>

        Reviewed by Chris Marrin
        
        <rdar://problem/7557398> iOS: Implement WebGL

        * Configurations/FeatureDefines.xcconfig:
            - ENABLE_3D_CANVAS defines

2010-08-30  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8348440> Disable purgeable memory for N82 and N72

        Reviewed by David Carson.

        * wtf/Platform.h:

2010-08-28  Pratik Solanki  <psolanki@apple.com>

        Part of <rdar://problem/8348440> Disable purgeable memory for N82 and N72

        Merged ToT WebKit r66301.

    2010-08-28  Pratik Solanki  <psolanki@apple.com>

        Reviewed by Dan Bernstein.

        Add an ENABLE define for purgeable memory support
        https://bugs.webkit.org/show_bug.cgi?id=44777

        * wtf/Platform.h:

2010-08-27  Oliver Hunt  <oliver@apple.com>

        Reviewed by Joe Pecoraro.

        REGRESSION: ~9.6% sunspider regression in interpreter on iphone due to 55564
        <rdar://problem/8362956>

        llvm-gcc has its own version of pathological badness in Interpreter::privateExecute
        that is caused by the computed goto jumps we do to appease gcc.  This patch disables
        the gcc hacks when compiling with llvm-gcc and gives us back 8.7% -- completely removing
        r55564 and related patches only gets us 8.5% so i assume that the 8.7% win here
        is completely getting rid of this regression.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2010-08-26  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8208495> iOS: Multiplication overflow in JavaScriptCore StringImpl::replace() (42502)

        Merged ToT WebKit r66119.

    2010-08-25  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Improve overflow handling in StringImpl::Replace
        https://bugs.webkit.org/show_bug.cgi?id=42502
        <rdar://problem/8203794>

        Harden StringImpl::replace against overflow -- I can't see how this
        could be abused, but it's better to be safe than sorry.

        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::replace):

2010-08-25  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by David Kilzer.

        <rdar://problem/8327102> Disable Compile Time INSPECTOR Flag for N82

        * wtf/Platform.h: Disable ENABLE_INSPECTOR flag for ARMv6 devices like N82.

2010-08-25  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8171034> iOS: [JSC] Math.random is predictable which may lead to cross-domain information leakage and temporary user tracking attacks (41868)

        Merged ToT WebKit r65947.

        * wtf/RandomNumber.h: Merged part of ToT WebKit r58941.

    2010-08-24  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoff Garen.

        Don't seed the JS random number generator from time()
        https://bugs.webkit.org/show_bug.cgi?id=41868
        <rdar://problem/8171025>

        Switch to using the secure random number generator to
        seed the fast random generator, and make the generator
        be per global object.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObjectData::JSGlobalObjectData):
        (JSC::JSGlobalObject::weakRandomNumber):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncRandom):

2010-08-24  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8344233> iOS: JSON.stringify is much slower than Firefox on particular pathological input

        Merged ToT WebKit r65834.

    2010-08-23  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        JSON.stringify is much slower than Firefox on particular pathological input
        https://bugs.webkit.org/show_bug.cgi?id=44456

        Make StringBuilder::reserveCapacity reserve additional space so we don't end up
        repeatedly copying the entire result string.

        * runtime/StringBuilder.h:
        (JSC::StringBuilder::append):
        (JSC::StringBuilder::reserveCapacity):

2010-08-23  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Dave Carson.

        <rdar://problem/8283061> Enable JIT support for Durango
        Tested on 8F61.

        * wtf/Platform.h:

2010-08-20  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/8025275> iOS: Use _pthread_getspecific_direct or __thread in FastMalloc for 1.3% JS iBench speed boost.

        Reviewed by David Carson.

        Use the SPI pthread_getspecific_direct() a small perf win. Sunspider
        scores improves by about 0.5% overall, string subsection improves by
        2%.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_ThreadCache::InitTSD):
        * wtf/Platform.h:

2010-08-19  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by David Kilzer.

        <rdar://problem/8327102> Disable Compile Time INSPECTOR Flag for N82

        * wtf/Platform.h: Disable ENABLE_INSPECTOR flag for ARMv6 devices like N82.

2010-08-17  Enrica Casucci  <enrica@apple.com>

        Reviewed by David Kilzer.

         <rdar://problem/5245015>
         Support WYSIWYG DHTML contentEditable editing areas (Google docs are not editable on P2)

        * wtf/Platform.h: Added ENABLE_CONTENTEDITABLE for iOS 4.3 or later.

2010-08-17  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by David Kilzer.

        <rdar://problem/8283060> Disable JIT support for Jasper

        * wtf/Platform.h:
            Change the ENABLE_JIT define so the JIT is compiled out. This change disables the
            JIT on all PLATFORM(IPHONE) builds, but leaves the settings in place (guarded by
            a '&& 0') to be able to quickly reenable when the blocking bug to enabling the
            JIT for Durango is fixed.

2010-08-17  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8319473> Replace build train names with iOS version numbers in Platform.h

        Reviewed by David Carson.

        * wtf/Platform.h: Removed build train names in favor of version
        numbers.  Also moved "_OR_LATER" macros so that they're only
        defined on iOS WebKit builds.

2010-08-14  Dean Jackson  <dino@apple.com>

        Reviewed by David Kilzer.

        <rdar://problem/8071468> TLF: Add Gyro DOM events
        <rdar://problem/5440938> TLF: Add Accelerometer DOM events

        Enable DEVICE_ORIENTATION in Features.

        * Configurations/FeatureDefines.xcconfig:

2010-08-13  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8210340> SWB: ld64-116.2 of JavaScriptCore: cannot export symbol

        Reviewed by David Carson.

        The problem is that the iOS-specific configurations for the jsc,
        minidom and testapi targets were using Indigo.xcconfig for
        Simulator configurations and iPhone.xcconfig for hardware
        configurations.  Both pulled in JavaScriptCore.xcconfig, which
        set EXPORTED_SYMBOLS_FILE to JavaScriptCore.exp, which caused
        the build failure.

        The fix is to use IndigoSDK.xcconfig in place of Indigo.xcconfig
        and AspenSDK.xcconfig in place of iPhone.xcconfig for the iOS
        configurations of jsc, minidom and testapi.

        * JavaScriptCore.xcodeproj/project.pbxproj: Updated jsc, minidom
        and testapi targets to be based on xcconfig files that do not
        pull in JavaScriptCore.xcconfig.

2010-08-12  David Kilzer  <ddkilzer@apple.com>

        Relanding: <rdar://problem/7854586> iOS: Enable Ruby support

        Reviewed by David Carson.

        * Configurations/FeatureDefines.xcconfig: Enable Ruby support
        for all SDKs except iOS SDK 4.2.

2010-08-12  Andy Estes  <aestes@apple.com>

        <rdar://problem/8295061> Merge open source r64390, which added support
        for compiling open source WebKit against iOS SDKs.

        Relanded with fix:  <rdar://problem/8300652> Jasper8C73: WebKit_Sim-591 installhdrs failed

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig:
        * Configurations/FeatureDefines.xcconfig:

2010-08-11  Yongjun Zhang  <yongjun_zhang@apple.com>

        <rdar://problem/8272261> iOS: parseFloat can be used to load arbitrary JSValues into JS, leading to badness (43461)

        Merged ToT WebKit r64706.

    2010-08-04  Geoffrey Garen  <ggaren@apple.com>

            Reviewed by Oliver Hunt and Beth Dakin.

            https://bugs.webkit.org/show_bug.cgi?id=43461
            Invalid NaN parsing

            * wtf/dtoa.cpp: Turn off the dtoa feature that allows you to specify a
            non-standard NaN representation, since our NaN encoding assumes that all
            true NaNs have the standard bit pattern.

            * API/JSValueRef.cpp:
            (JSValueMakeNumber): Don't allow an API client to accidentally specify
            a non-standard NaN either.

2010-08-10  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8210895> Change MACOSX_DEPLOYMENT_TARGET from 10.5 to 10.6

        Reviewed by David Carson.

        * Configurations/DebugRelease.xcconfig: Changed
        MACOSX_DEPLOYMENT_TARGET from "10.5" and "10.6" for iphoneos and
        iphonesimulator platforms.

2010-08-09  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7902157> Enable web sockets once the spec has stabilized

        Reviewed by David Carson.

        * Configurations/FeatureDefines.xcconfig: Updated to enable
        web sockets for iOS WebKit.

2010-08-07  Dan Bernstein  <mitz@apple.com>

    <rdar://problem/8285101> Merge Open Source changes needed for color bitmap font support

    Merged TOT WebKit r64915.

    2010-08-07  Dan Bernstein  <mitz@apple.com>

        Reviewed by Anders Carlsson.

        Created a separate SimpleFontData constructor exclusively for SVG fonts and moved the CTFontRef
        from SimpleFontData to FontPlatformData.
        https://bugs.webkit.org/show_bug.cgi?id=43674

        * wtf/Platform.h: Moved definitions of WTF_USE_CORE_TEXT and WTF_USE_ATSUI here from WebCore/config.h.

2010-08-07  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8279408> Move some member variables around to reduce class sizes. (38961)

        Merged ToT WebKit r59197-r59198.

    2010-05-11  Anders Carlsson  <andersca@apple.com>

        Reviewed by Sam Weinig.

        Add a compile time assert that sizeof(String) == sizeof(AtomicString).

        * wtf/text/AtomicString.cpp:

    2010-05-11  Anders Carlsson  <andersca@apple.com>

        Reviewed by Mark Rowe.

        https://bugs.webkit.org/show_bug.cgi?id=38961
        Move some member variables around to reduce class sizes.
        
        Make AtomicString no longer inherit from FastAllocBase.

        Since AtomicString's first (and only) member variable, a RefPtr, also inherits from FastAllocBase this
        was causing the size of AtomicString to contain sizeof(void*) bytes of padding.

        * wtf/text/AtomicString.h:

2010-08-07  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8282609> Enable sandboxed iframes

        Reviewed by David Carson.

        * Configurations/FeatureDefines.xcconfig: Updated to enable
        sandboxed iframes for iOS WebKit.

2010-08-05  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8275644> REGRESSION (Havoc merge I): Assertion failure in JSC::Heap::registerThread() when running regression tests

        Reviewed by Pratik Solanki.

        * runtime/Collector.cpp:
        (JSC::Heap::registerThread): Removed ASSERT() hack added during
        <rdar://problem/7781582> in r242248.

2010-08-05  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6645438> Merge Soil.xcconfig into Base.xcconfig

        Reviewed by David Carson.

        The BUILD_TYPE definitions don't need to be in a separate
        xcconfig file, so move them into Base.xcconfig.

        * Configurations/Base.xcconfig: Added BUILD_TYPE definitions
        from Soil.xcconfig.
        * Configurations/Soil.xcconfig: Removed.
        * JavaScriptCore.xcodeproj/project.pbxproj: Removed references
        to Soil.xcconfig.

2010-08-04  David Kilzer  <ddkilzer@apple.com>

        Part 2 of 2: <rdar://problem/7781582> Merge WebKit with Safari Havoc Final/Safari Gemini

        Merged ToT WebKit r58930-r63936 from Safari Havoc and Gemini
        branches to iOS WebKit.

        870 files changed, 65193 insertions(+), 36489 deletions(-)

2010-08-02  David Kilzer  <ddkilzer@apple.com>

        Part 1 of 2: <rdar://problem/7781582> Merge WebKit with Safari Havoc Final/Safari Gemini

        Merged ToT WebKit r54085-r58928 to iOS WebKit.

        The second part will merge commits on the Havoc and Gemini branches.

        45864 files changed, 1788569 insertions(+), 269116 deletions(-)

2010-07-30  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by Yongjun Zhang.

        <rdar://problem/8256224> Web Inspector: Turn on ENABLE_INSPECTOR by Default

        * wtf/Platform.h: enable ENABLE_INSPECTOR for PLATFORM(IPHONE)

2010-07-29  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by NOBODY (OOPS!).

        Patch originally by David Goodwin.

        This change is functionally the same as:
        https://bugs.webkit.org/show_bug.cgi?id=43162
        (but very different, since code has moved around since then).

        Add support for MADV_FREE to ExecutableAllocatorFixedVMPool, so that
        unused memory pages in the JIT buffers can be returned to the system.

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolAllocator::release):
        (JSC::FixedVMPoolAllocator::reuse):

2010-07-26  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7937509> JavaScriptCore-564 fails to build in Damnation

        Reviewed by David Carson.

        The iPhone Simulator in Durango and Telluride now apparently
        uses Barolo headers, so it needs to initialize the additional
        fields in the malloc_introspection_t struct.

        This rolls out iOS WebKit r235486.

        * wtf/FastMalloc.cpp:
        (jscore_fastmalloc_introspection): Include additional fields
        when compiling for the iPhone Simulator on Durango and newer.

2010-07-23  Greg Bolsinga  <bolsinga@apple.com>

        Reviewed by David Kilzer.

        <rdar://problem/6845619> Reset CoreLocation Warnings will not reset Geolocation warnings

        * wtf/Platform.h: Turn on ENABLE_GEOLOCATION_PERMISSION_CACHE.

2010-07-21  Gavin Barraclough  <barraclough@apple.com>

        Enable the JIT for Jasper.
        
        *** This change will not work on Jasper pre-8C55 - please update! ***

        Roll in patches r55834, r56000, r57608, r59037, r62306, r62419, r62437,
        r62612, r62799, r63023, r63056, r63336, r63341, and r63404 from open source.

        Change mmap in FixedVMPoolAllocator to pass MAP_JIT, and check the result for MAP_FAILED (fixes a bug in ToT).

        Makes the following changes to Platform.h:
          * Enable JIT for Jasper on ARMv7 (interpret only on future build trains until they pick up kernel changes,
            & on ARMv6).
          * Enable ENABLE_EXECUTABLE_ALLOCATOR_FIXED (the JIT uses a signle allocation).
          * Disable ENABLE_ASSEMBLER_WX_EXCLUSIVE (the JIt now uses RWX memory).

        Once future kernel changes have been made, if mmap with MAP_JIT returns MAP_FAILED (where the
        appropriate entitlement is not available) then JSC should gracefully fallback to the interpreter.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMRegisters::):
        (JSC::ARMRegisters::asSingle):
        (JSC::ARMRegisters::asDouble):
        (JSC::VFPImmediate::VFPImmediate):
        (JSC::VFPImmediate::isValid):
        (JSC::VFPImmediate::value):
        (JSC::ARMv7Assembler::singleRegisterMask):
        (JSC::ARMv7Assembler::doubleRegisterMask):
        (JSC::ARMv7Assembler::):
        (JSC::ARMv7Assembler::add_S):
        (JSC::ARMv7Assembler::ldrb):
        (JSC::ARMv7Assembler::neg):
        (JSC::ARMv7Assembler::orr_S):
        (JSC::ARMv7Assembler::sub):
        (JSC::ARMv7Assembler::sub_S):
        (JSC::ARMv7Assembler::vadd_F64):
        (JSC::ARMv7Assembler::vcmp_F64):
        (JSC::ARMv7Assembler::vcvt_F64_S32):
        (JSC::ARMv7Assembler::vcvtr_S32_F64):
        (JSC::ARMv7Assembler::vdiv_F64):
        (JSC::ARMv7Assembler::vldr):
        (JSC::ARMv7Assembler::vmov_F64_0):
        (JSC::ARMv7Assembler::vmov):
        (JSC::ARMv7Assembler::vmrs):
        (JSC::ARMv7Assembler::vmul_F64):
        (JSC::ARMv7Assembler::vstr):
        (JSC::ARMv7Assembler::vsub_F64):
        (JSC::ARMv7Assembler::repatchLoadPtrToLEA):
        (JSC::ARMv7Assembler::VFPOperand::VFPOperand):
        (JSC::ARMv7Assembler::VFPOperand::bits1):
        (JSC::ARMv7Assembler::VFPOperand::bits4):
        (JSC::ARMv7Assembler::vcvtOp):
        (JSC::ARMv7Assembler::linkJumpAbsolute):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpOp):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpMemOp):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::ImmPtr::ImmPtr):
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::fpTempRegisterAsSingle):
        (JSC::MacroAssemblerARMv7::neg32):
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::divDouble):
        (JSC::MacroAssemblerARMv7::convertInt32ToDouble):
        (JSC::MacroAssemblerARMv7::branchDouble):
        (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
        (JSC::MacroAssemblerARMv7::zeroDouble):
        (JSC::MacroAssemblerARMv7::branch8):
        (JSC::MacroAssemblerARMv7::branchTest8):
        (JSC::MacroAssemblerARMv7::branchOr32):
        (JSC::MacroAssemblerARMv7::set32):
        (JSC::MacroAssemblerARMv7::set8):
        (JSC::MacroAssemblerARMv7::setTest8):
        * assembler/MacroAssemblerX86Common.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::bytecodeOffset):
        * bytecode/Instruction.h:
        (JSC::Instruction::Instruction):
        * bytecode/Opcode.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::returnPC):
        (JSC::ExecState::returnVPC):
        * interpreter/Interpreter.cpp:
        (JSC::bytecodeOffsetForPC):
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::isOpcode):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::privateExecute):
        (JSC::Interpreter::retrieveLastCaller):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::reprotectRegion):
        (JSC::ExecutableAllocator::cacheFlush):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::poolForSize):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolAllocator::FixedVMPoolAllocator):
        (JSC::FixedVMPoolAllocator::alloc):
        (JSC::FixedVMPoolAllocator::free):
        (JSC::FixedVMPoolAllocator::isValid):
        (JSC::ExecutableAllocator::isValid):
        (JSC::ExecutablePool::systemAlloc):
        (JSC::ExecutablePool::systemRelease):
        * jit/ExecutableAllocatorPosix.cpp:
        (JSC::ExecutableAllocator::isValid):
        * jit/ExecutableAllocatorSymbian.cpp:
        * jit/ExecutableAllocatorWin.cpp:
        (JSC::ExecutableAllocator::isValid):
        * jit/JIT.cpp:
        (JSC::JIT::linkCall):
        * jit/JIT.h:
        (JSC::JIT::compileCTIMachineTrampolines):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOpcodes.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        (JSC::JITThunks::tryCacheGetByID):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::generateJITCode):
        (JSC::ProgramExecutable::generateJITCode):
        (JSC::FunctionExecutable::generateJITCode):
        (JSC::FunctionExecutable::reparseExceptionInfo):
        (JSC::EvalExecutable::reparseExceptionInfo):
        * runtime/Executable.h:
        (JSC::NativeExecutable::NativeExecutable):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::canUseJIT):
        * wtf/Platform.h:
        * yarr/RegexCompiler.cpp:
        (JSC::Yarr::RegexPatternConstructor::atomBackReference):
        (JSC::Yarr::RegexPatternConstructor::quantifyAtom):
        * yarr/RegexJIT.cpp:
        (JSC::Yarr::RegexGenerator::generateTerm):
        (JSC::Yarr::RegexGenerator::RegexGenerator):
        (JSC::Yarr::jitCompileRegex):
        * yarr/RegexJIT.h:
        (JSC::Yarr::RegexCodeBlock::operator!):
        * yarr/RegexPattern.h:
        (JSC::Yarr::RegexPattern::RegexPattern):
        (JSC::Yarr::RegexPattern::reset):

2010-07-14  David Kilzer  <ddkilzer@apple.com>

        Remove duplicate #include statement from ProfilerSerer.mm

        Rubber-stamped by Greg Bolsinga.

        * profiler/ProfilerServer.mm: Removed duplicate include.

2010-07-14  Greg Bolsinga  <bolsinga@apple.com>

        Let Xcode 3.2.4 update the project file.

        Reviewed by Paul Knight.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2010-07-05  David Kilzer  <ddkilzer@apple.com>

        Part 2: <rdar://problem/8144692> iOS: Overflow in JSArray::copyToRegisters (41351)

        Merged ToT WebKit r62456, r62464.

    2010-07-04  Mark Rowe  <mrowe@apple.com>

        Build fix after r62456.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute): Be slightly more consistent in using uint32_t to prevent
        warnings about comparisons between signed and unsigned types, and attempts to call an overload
        of std::min that doesn't exist.

    2010-07-03  Yong Li  <yoli@rim.com>

        Reviewed by Darin Adler.

        Make Arguments::MaxArguments clamping work for numbers >= 0x80000000 in
        the interpreter as well as the JIT.

        https://bugs.webkit.org/show_bug.cgi?id=41351
        rdar://problem/8142141

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute): Fix signed integer overflow problem
        in op_load_varargs handling. 0xFFFFFFFF was read as -1.

2010-07-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8144692> iOS: Overflow in JSArray::copyToRegisters (41351)

        Merged ToT WebKit r62432.

    2010-07-02  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Clamp the number of arguments supported by function.apply
        https://bugs.webkit.org/show_bug.cgi?id=41351
        <rdar://problem/8142141>

        Add clamping logic to function.apply similar to that
        enforced by firefox.  We have a smaller clamp than
        firefox as our calling convention means that stack
        usage is proportional to argument count -- the firefox
        limit is larger than you could actually call.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Arguments.h:
        (JSC::Arguments::):

2010-07-02  David Kilzer  <ddkilzer@apple.com>

        Use snprintf instead of sprintf everywhere in JavaScriptCore

        Merged ToT WebKit r62414.

    2010-07-02  Sam Weinig  <sam@webkit.org>

        Reviewed by Geoffrey Garen.

        Patch for https://bugs.webkit.org/show_bug.cgi?id=41548
        Use snprintf instead of sprintf everywhere in JavaScriptCore

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::globalFuncEscape):
        * runtime/UString.cpp:
        (JSC::UString::from):

2010-07-01  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by David Carson.

		Switch ASSERTs to ASSERT_UNUSEDs to, to allow JIT to build Deployment on iPhone.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchMul32):

2010-07-01  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8058479> Damnation8Z5059: JavaScriptCore_Sim-579 fails to build

        Reviewed by Cameron Zwarich.

        The iPhone Simulator in Durango and Telluride still uses
        pre-Barolo headers, so it doesn't need to initialize the
        additional fields in the malloc_introspection_t struct.

        * wtf/FastMalloc.cpp:
        (jscore_fastmalloc_introspection): Don't include the additional
        fields when compiling for the iPhone Simulator on Durango and
        newer.

2010-06-29  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8122363> iPhone: Safari 5 crashes due to incorrect handling of BOMs in JSC

        Merged ToT WebKit r61450.

    2010-06-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Incorrect handling of multiple BOMs scattered through a file.
        https://bugs.webkit.org/show_bug.cgi?id=40865

        When determining the offset of open and close braces in a source
        with BOMs we were finishing our count early as we failed to account
        for BOMs prior to the open/close brace positions effecting those
        positions.

        * parser/Lexer.cpp:
        (JSC::Lexer::sourceCode):

2010-05-20  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/8010351> Enable JavaScriptCore dtrace probes for iPhone Simulator

        Reviewed by Greg Bolsinga.

        * Configurations/Base.xcconfig: Enable dtrace probes for the
        iPhone Simulator.

2010-05-17  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7937509> JavaScriptCore-564 fails to build in Damnation

        Merged ToT WebKit r57457.

    2010-04-11  Mark Rowe  <mrowe@apple.com>

        Reviewed by Sam Weinig.

        <rdar://problem/7851332> Fix the build.

        * wtf/FastMalloc.cpp:
        (WTF::TCMallocStats::): Initialize extra members of malloc_introspection_t to zero.

2010-05-13  Yongjun Zhang  <yongjun_zhang@apple.com>

    <rdar://problem/7977658> MobileSafari has 2 MB of VM_TAG_FOR_COLLECTOR_MEMORY resident in the background
    
    Merge ToT WebKit r54428, r54574, r54696, r54701

        2010-02-09  Geoffrey Garen  <ggaren@apple.com>

            Reviewed by Oliver Hunt.

            Small refactoring to the small strings cache to allow it to be cleared
            dynamically.

            * runtime/SmallStrings.cpp:
            (JSC::SmallStrings::SmallStrings):
            (JSC::SmallStrings::clear):
            * runtime/SmallStrings.h: Moved initialization code into a shared function,
            and changed the constructor to call it.

        2010-02-11  Geoffrey Garen  <ggaren@apple.com>

            Reviewed by Oliver Hunt and Darin Adler.

            The rest of the fix for
            https://bugs.webkit.org/show_bug.cgi?id=34864 | <rdar://problem/7594198>
            Many objects left uncollected after visiting mail.google.com and closing
            window
        
            Don't unconditionally hang onto small strings. Instead, hang onto all
            small strings as long as any small string is still referenced.
        
            SunSpider reports no change.

            * runtime/Collector.cpp:
            (JSC::Heap::markRoots): Mark the small strings cache last, so it can
            check if anything else has kept any strings alive.

            * runtime/SmallStrings.cpp:
            (JSC::isMarked):
            (JSC::SmallStrings::markChildren): Only keep our strings alive if some
            other reference to at least one of them exists, too.

        2010-02-04  Geoffrey Garen  <ggaren@apple.com>

            Reviewed by Gavin Barraclough.

            Some progress toward fixing
            Reviewed by Oliver Hunt.

            Clearing a WeakGCPtr is weird
            https://bugs.webkit.org/show_bug.cgi?id=34627

            Added a WeakGCPtr::clear interface.
        
            As discussed in https://bugs.webkit.org/show_bug.cgi?id=33383, the old
            interface made it pretty weird for a client to conditionally clear a
            WeakGCPtr, which is exactly what clients want to do when objects are
            finalized.

            * API/JSClassRef.cpp:
            (clearReferenceToPrototype): Use the new WeakGCPtr::clear() interface. 

            * runtime/WeakGCPtr.h:
            (JSC::WeakGCPtr::clear): Added an interface for clearing a WeakGCPtr,
            iff its current value is the value passed in. It's cumbersome for the
            client to do this test, since WeakGCPtr sometimes pretends to be null.

        2010-02-11  Geoffrey Garen  <ggaren@apple.com>
    
            Reviewed by Gavin Barraclough. 
    
            https://bugs.webkit.org/show_bug.cgi?id=34864 | <rdar://problem/7594198>
            Many objects left uncollected after visiting mail.google.com and closing
            window
        
            SunSpider reports no change.
        
            Keep weak references, rather than protected references, to cached for-in
            property name enumerators.
        
            One problem with protected references is that a chain like 
                [ gc object 1 ] => [ non-gc object ] => [ gc object 2 ]
            takes two GC passes to break, since the first pass collects [ gc object 1 ],
            releasing [ non-gc object ] and unprotecting [ gc object 2 ], and only
            then can a second pass collect [ gc object 2 ].
        
            Another problem with protected references is that they can keep a bunch
            of strings alive long after they're useful. In SunSpider and a few popular
            websites, the size-speed tradeoff seems to favor weak references.

            * runtime/JSPropertyNameIterator.cpp:
            (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Moved this constructor
            into the .cpp file, since it's not used elsewhere.

            (JSC::JSPropertyNameIterator::~JSPropertyNameIterator): Added a destructor
            to support our weak reference.

            * runtime/JSPropertyNameIterator.h:
            (JSC::Structure::setEnumerationCache):
            (JSC::Structure::clearEnumerationCache):
            (JSC::Structure::enumerationCache): Added a function for clearing a
            Structure's enumeration cache, used by our new destructor. Also fixed
            indentation to match the rest of the file.

            * runtime/Structure.h: Changed from protected pointer to weak pointer.

2010-05-04  Yongjun Zhang  <yongjun_zhang@apple.com>

        <rdar://problem/7928746> WebKit crashes at DebuggerCallFrame::functionName() if m_callFrame is the top global callframe.

        Merged ToT WebKit r58779

    2010-05-04  Yongjun Zhang  <yongjun_zhang@apple.com>

        Reviewed by Darin Adler.

        WebKit crashes at DebuggerCallFrame::functionName() if m_callFrame is the top global callframe.
        https://bugs.webkit.org/show_bug.cgi?id=38535

        Don't call asFunction if callee is not a FunctionType to prevent assertion failure
        in JSCell::isObject().

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        (JSC::DebuggerCallFrame::calculatedFunctionName):

2010-04-24  Greg Bolsinga  <bolsinga@apple.com>

        Reviewed by Paul Knight.

        <rdar://problem/7542676> iPhone WebKit should not have ENABLE(DATALIST) defined

        * Configurations/FeatureDefines.xcconfig: Turn off DATALIST for iPhone.

2010-04-23  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7901486> Disable WebSockets since the standard is still in flux

        Reviewed by Paul Knight.

        * Configurations/FeatureDefines.xcconfig: Disabled web sockets
        for iPhone OS and iPhone Simulator builds.

2010-04-18  Dan Bernstein  <mitz@apple.com>

        Reviewed by Dave Kilzer.

        JavaScriptCore part of <rdar://problem/7877559> Use Developer directory-relative #inlcudes in .xcconfig files
        Changed absolute #include paths to <DEVELOPER_DIR>-relative paths.

        * Configurations/Indigo.xcconfig:
        * Configurations/iPhone.xcconfig:

2010-04-18  David Kilzer  <ddkilzer@apple.com>

        Remove workarounds for iPhone OS 3.2 and earlier

        Reviewed by Greg Bolsinga.

        * wtf/FastMalloc.cpp:
        (WTF::TCMallocStats::): Removed workaround for iPhone OS 3.2.
        * wtf/Platform.h: Ditto.

2010-04-17  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7876459> iPhone: REGRESSION: Crash beneath JSGlobalContextRelease when typing in Google search field with GuardMalloc/full page heap enabled

        Merged ToT WebKit r54785.

    2010-02-15  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Fixed <rdar://problem/7628524> Crash beneath JSGlobalContextRelease when
        typing in Google search field with GuardMalloc/full page heap enabled

        * API/JSContextRef.cpp: Don't use APIEntryShim, since that requires
        a JSGlobalData, which this function destroys. Do use setCurrentIdentifierTable
        and JSLock instead, since those are the two features of APIEntryShim we
        require.

2010-04-17  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7548905> Change build version of WebKit from 10.5 (Leopard) to 10.6 (Snow Leopard)

        Reviewed by Joseph Pecoraro.

        This changes the WebKit version from 5532.9 to 6532.9 to signify
        that iPhone OS 4.0 is closer to SnowLeopard's version of WebKit
        than Leopard's version of WebKit.

        * Configurations/Version.xcconfig: Changed
        SYSTEM_VERSION_PREFIX_iphoneos from 5 to 6.

2010-04-16  Mike Knippers  <knippers@apple.com>

        Reviewed by David Kilzer.

        Updated JavaScriptCore order file for Apex.

        <rdar://problem/7869012> Update JavascriptCore order file for Apex

        * JavaScriptCore.iPhone.order:

2010-04-08  Greg Bolsinga  <bolsinga@apple.com>

        Reviewed by David Carson.

        <rdar://problem/7674554> Safari hangs when user replies to Hotmail email (flat frame code needs lots of help)
        
        Remove ENABLE(FRAME_FLATTENING_DEPRECATED) code so that OpenSource code can be merged in for this feature.

        * wtf/Platform.h:

2010-04-07  Enrica Casucci  <enrica@apple.com>

    <rdar://problem/7702452> N90/Apex8A211: Text gets "white-out" by the insertion cursor
    
    Merged ToT WebKit r57218.

    2010-04-07  Enrica Casucci  <enrica@apple.com>

            Reviewed by Darin Adler.

            https://bugs.webkit.org/show_bug.cgi?id=37219
            
            This change disables text caret for the iPhone platflorm.
            
            * wtf/Platform.h: Disabled text caret for iPhone.
    
2010-04-07  Greg Bolsinga  <bolsinga@apple.com>

        <rdar://problem/7822422> Event Targets are lost in a non-deterministic fashion

        Merged ToT WebKit r54402.

    2010-02-04  Geoffrey Garen  <ggaren@apple.com>

        Build fix: export a header.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2010-04-06  Greg Bolsinga  <bolsinga@apple.com>

        Reviewed by David Carson.

        <rdar://problem/6845619> Reset CoreLocation Warnings will not reset Geolocation warnings
        
        This is clean up in preparation to update to Open Source Geolocation. ENABLE_GEOLOCATION_PERMISSION_CACHE
        is an iPhone only concept that doesn't even work due to <rdar://problem/7835511>.

        * wtf/Platform.h: Add ENABLE_GEOLOCATION_PERMISSION_CACHE, which is always off.

2010-04-05  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/7830163> Enable pthread_setname_np

        Reviewed by Greg Bolsinga.

        We don't need to check for !IPHONE_SIMULATOR since the SDK requires
        Snow Leopard. Also, remove the check for 4.0.

        * wtf/Platform.h:

2010-03-31  David Kilzer  <ddkilzer@apple.com>

        Make iPhone WebKit source build Mac OS X WebKit

        Reviewed by Greg Bolsinga and David Carson.

        Needed to test <rdar://problem/7763309> after merging.

        * wtf/CrossThreadRefCounted.h: Added #if PLATFORM(IPHONE)/#endif
        macros around iPhone-only header.

2010-03-29  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by David Kilzer.

        <rdar://problem/7786502> ASSERT Crash when Using Local Storage

          Provide Function Pointers to be filled in by WebCore. These are the
          same name as WebCore's function, but prefixed with "WebCore". This
          introduces WebCoreWebThreadIsLockedOrDisabled.

        * wtf/iphone/WebCoreThread.cpp: Added. Function pointers to be filled.
        * wtf/iphone/WebCoreThread.h: Added. Function pointers to be filled.
        * wtf/CrossThreadRefCounted.h: Uses the improved function in the ASSERT
        (WTF::::ref): use the existing ASSERT
        (WTF::::deref): use the existing ASSERT
        (WTF::::crossThreadCopy): use the existing ASSERT

          Build System and other File Handling.

        * JavaScriptCore.exp: export the function pointers to be filled.
        * JavaScriptCore.xcodeproj/project.pbxproj: Added new Files.

2010-03-27  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7748481> iPhone: TCMalloc should tag its memory, so it shows up distinctly in vmmap

        Merged ToT WebKit r55483.

    2010-03-03  Mark Rowe  <mrowe@apple.com>

        Reviewed by Geoff Garen.

        Add virtual memory tags for TCMalloc and WebCore's purgeable buffers.

        * wtf/TCSystemAlloc.cpp:
        (TryMmap): Use the VM tag.
        * wtf/VMTags.h: Make use of VM_MEMORY_TCMALLOC and VM_MEMORY_WEBCORE_PURGEABLE_BUFFERS.

2010-03-25  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7796325> Baker (4.1) needs to use llvm-gcc-4.2 to compile JavaScriptCore, WebCore, WKSI, WebKit

        Reviewed by Joseph Pecoraro.

        * Configurations/Base.xcconfig: Switched to use
        $(REAL_PLATFORM_NAME) to determine which compiler to use.  For
        the iphoneos SDK, we always want llvm-gcc-4.2.  For the
        iphonesimulator SDK, we just want the default compiler: gcc-4.2.

2010-03-25  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7650521> iPhone: REGRESSION(r52116): WebCore::ImageEventSender::dispatchPendingEvents() crashes in certain conditions (34490)

        Merged ToT WebKit r54618, r54619.

    2010-02-10  Alexey Proskuryakov  <ap@apple.com>

        Addressing issues found by style bot.

        * wtf/ValueCheck.h: Renamed header guard to match final file name.

        * wtf/Vector.h: (WTF::::checkConsistency): Remove braces around a one-line clause.

    2010-02-09  Alexey Proskuryakov  <ap@apple.com>

        Reviewed by Geoffrey Garen.

        https://bugs.webkit.org/show_bug.cgi?id=34490
        WebCore::ImageEventSender::dispatchPendingEvents() crashes in certain conditions

        * GNUmakefile.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Added ValueCheck.h.

        * wtf/ValueCheck.h: Added. Moved code out of HashTraits, since it would be awkward to
        include that from Vector.h.
        (WTF::ValueCheck::checkConsistency): Allow null pointers, those are pretty consistent.

        * wtf/HashTraits.h: Moved value checking code out of here.

        * wtf/HashTable.h: (WTF::::checkTableConsistencyExceptSize): Updated for the above changes.

        * wtf/Vector.h:
        (WTF::::checkConsistency): Check all vector elements.
        (WTF::ValueCheck): Support checking a Vector as an element in other containers. Currently
        unused.

2010-03-25  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7597676> iPhone: JSC is failing to propagate anonymous slot count on some transitions

        Merged ToT WebKit r54100, r54129, r54141, r54265.

    2010-02-02  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Crash in CollectorBitmap::get at nbcolympics.com
        https://bugs.webkit.org/show_bug.cgi?id=34504

        This was caused by the use of m_offset to determine the offset of
        a new property into the property storage.  This patch corrects
        the effected cases by incorporating the anonymous slot count. It
        also removes the duplicate copy of anonymous slot count from the
        property table as keeping this up to date merely increased the
        chance of a mismatch.  Finally I've added a large number of
        assertions in an attempt to prevent such a bug from happening
        again.

        With the new assertions in place the existing anonymous slot tests
        all fail without the m_offset fixes.

        * runtime/PropertyMapHashTable.h:
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::get):
        (JSC::Structure::put):
        (JSC::Structure::remove):
        (JSC::Structure::insertIntoPropertyMapHashTable):
        (JSC::Structure::createPropertyMapHashTable):
        (JSC::Structure::rehashPropertyMapHashTable):
        (JSC::Structure::checkConsistency):

    2010-02-01  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Structure not accounting for anonymous slots when computing property storage size
        https://bugs.webkit.org/show_bug.cgi?id=34441

        Previously any Structure with anonymous storage would have a property map, so we
        were only including anonymous slot size if there was a property map.  Given this
        is no longer the case we should always include the anonymous slot count in the
        property storage size.

        * runtime/Structure.h:
        (JSC::Structure::propertyStorageSize):

    2010-01-31  Oliver Hunt  <oliver@apple.com>

        Reviewed by Maciej Stachowiak.

        JSC is failing to propagate anonymous slot count on some transitions
        https://bugs.webkit.org/show_bug.cgi?id=34321

        Remove secondary Structure constructor, and make Structure store a copy
        of the number of anonymous slots directly so saving an immediate allocation
        of a property map for all structures with anonymous storage, which also
        avoids the leaked property map on new property transition in the original
        version of this patch.

        We need to propagate the the anonymous slot count otherwise we can end up
        with a structure recording incorrect information about the available and
        needed space for property storage, or alternatively incorrectly reusing
        some slots.

        * JavaScriptCore.exp:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::getterSetterTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::put):
        (JSC::Structure::remove):
        (JSC::Structure::insertIntoPropertyMapHashTable):
        (JSC::Structure::createPropertyMapHashTable):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::hasAnonymousSlots):
        (JSC::Structure::anonymousSlotCount):

    2010-01-29  Mark Rowe  <mrowe@apple.com>

        Roll out r54073 as it introduced many thousands of leaks.

        * runtime/JSObject.h:
        (JSC::JSObject::setStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::getterSetterTransition):
        (JSC::Structure::toDictionaryTransition):
        * runtime/Structure.h:
        (JSC::Structure::create):

2010-03-23  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7771301> JavaScriptCore, WebCore, WebKit projects only built for armv7 (missing armv6)

        Reviewed by Greg Bolsinga.

        ARCHS_UNIVERSAL_IPHONE_OS isn't as universal as the name
        suggests, so switch to using ARCHS_STANDARD_32_BIT instead.

        * Configurations/Base.xcconfig: Break out VALID_ARCHS by
        REAL_PLATFORM_NAME.  Use ARCHS_STANDARD_32_BIT for iphoneos and
        iphonesimulator.
        * Configurations/DebugRelease.xcconfig: Switched from using
        ARCHS_UNIVERSAL_IPHONE_OS to using ARCHS_STANDARD_32_BIT.
        * JavaScriptCore.xcodeproj/project.pbxproj: Changed the base
        configuration for jsc, minidom and testapi targets to
        iPhone.xcconfig for Development_Hardware and Deployment_Hardware
        configurations, and to Indigo.xcconfig for Development and
        Deployment configurations.  Note that Production_Deployment and
        Production_Hardware configurations were already based on
        Indigo.xccconfig and iPhone.xcconfig, respectively.

2010-03-22  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7559240> Disable sandboxed iframe feature after Havoc merge

        Merged ToT WebKit r55043.

        * Configurations/FeatureDefines.xcconfig: Disable ENABLE_SANDBOX
        by default for iPhone WebKit.

    2010-02-19  Maciej Stachowiak  <mjs@apple.com>

        Reviewed by David Levin.

        Add an ENABLE flag for sandboxed iframes to make it possible to disable it in releases
        https://bugs.webkit.org/show_bug.cgi?id=35147

        * Configurations/FeatureDefines.xcconfig:

2010-03-21  Philippe Champeaux  <champeaux.p@apple.com>

        <rdar://problem/7616665> WebKit should switch from MobileQuickLook to QuickLook

        Reviewed by David Kilzer.

        * wtf/Platform.h: Changed "USE(MOBILE_QUICK_LOOK)" to
        "USE(QUICK_LOOK)".

2010-03-21  David Kilzer  <ddkilzer@apple.com>

        Part 2 of 2: <rdar://problem/7767168> Disable Ruby support for Apex

        Reviewed by David Carson.

        * Configurations/FeatureDefines.xcconfig: Disable Ruby support
        on iPhone OS and iPhone Simulator builds.

2010-03-21  David Kilzer  <ddkilzer@apple.com>

        Part 1 of 2: <rdar://problem/7767168> Disable Ruby support for Apex

        Merge ToT WebKit r54649.

    2010-02-08  Maciej Stachowiak  <mjs@apple.com>

        Reviewed by Cameron Zwarich.

        Restore ENABLE_RUBY flag so vendors can ship with Ruby disabled if they choose.
        https://bugs.webkit.org/show_bug.cgi?id=34698

        * Configurations/FeatureDefines.xcconfig:

2010-03-17  Joseph Pecoraro  <joepeck@webkit.org>

        Reviewed by David Carson.

        <rdar://problem/7756577> REGRESSION: LayoutTests/fast/css/pseudo-required-optional-005.html fails on background of input type="range"

        Add ENABLE(RANGETYPE_AS_TEXT), which makes an <input type=range> display
        as a textfield. This is the preferred fallback behavior if the range
        input is not supported. The range input will still correctly respond
        with the "range" type, and handle the "required" attribute correctly.

        * wtf/Platform.h:

2010-03-08  Greg Bolsinga  <bolsinga@apple.com>

        Reviewed by Simon Fraser.

        Add ENABLE(FRAME_FLATTENING_DEPRECATED), which wraps the code that explodes iframes within their parents.
        
        Investigation done for <rdar://problem/7674554>, Apex only.

        * wtf/Platform.h:

2010-03-13  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7751767> WebCore has a weak export of WebCore::jsString(JSC::ExecState*, WebCore::String const&)

        Merged ToT WebKit r54405.

    2010-02-04  Mark Rowe  <mrowe@apple.com>

        Reviewed by Timothy Hatcher.

        Build fix.  Remove a symbol corresponding to an inline function from the linker export
        file to prevent a weak external failure.

        * JavaScriptCore.xcodeproj/project.pbxproj: Accommodate rename of script.

2010-03-13  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7610586> Merge Safari Havoc changes from ToT WebKit (r53218-r54084)

        Merged ToT WebKit r53218-r54084 on trunk.

        2593 files changed, 102315 insertions(+), 46263 deletions(-)

2010-02-05  David Kilzer  <ddkilzer@apple.com>

        Fix definition of ENABLE_SHARED_WORKERS

        Rubber-stamped by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: Fixed
        ENABLE_SHARED_WORKERS definition to be a variable.

2010-02-05  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7618590> REGRESSION: JavaScriptCore is compiling with WTF_USE_JSVALUE32 instead of WTF_USE_JSVALUE32_64

        Reviewed by David Carson.

        * wtf/Platform.h: A "CPU(ARM)" test was added for USE(JSVALUE32)
        which caused iPhone OS builds to define that macro instead of
        USE(JSVALUE32_64).  The fix is to change that to
        "CPU(ARM) && !PLATFORM(IPHONE)" so that it evaluates to false.

2010-02-03  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX: Disable YARR and YARR_JIT features for PLATFORM(IPHONE)

        Reviewed by build-webkit --development --hardware ARCHS="armv7".

        Fixes the following build error:

            cc1plus: warnings being treated as errors
            In file included from JavaScriptCore/assembler/MacroAssembler.h:34,
                             from JavaScriptCore/bytecode/Instruction.h:32,
                             from JavaScriptCore/bytecode/CodeBlock.h:34,
                             from JavaScriptCore/runtime/JSActivation.h:32,
                             from JavaScriptCore/runtime/Arguments.h:27,
                             from JavaScriptCore/runtime/Arguments.cpp:26:
            JavaScriptCore/assembler/MacroAssemblerARMv7.h:874: warning: unused parameter 'cond'
            JavaScriptCore/assembler/MacroAssemblerARMv7.h:882: warning: unused parameter 'cond'

        * wtf/Platform.h: Explicitly disable the YARR an YARR_JIT
        features for PLATFORM(IPHONE).  Previously they were being
        enabled for armv7 builds, which caused the ASSEMBLER feature to
        be enabled, which caused the build error.

2010-02-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6973416> TLF: Merge with OS X WebKit (Safari Havoc)

        Merged ToT WebKit r45705-r53217 on trunk.

        12615 files changed, 743109 insertions(+), 175794 deletions(-)

2010-01-28  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7588478> WebKit fails to build with http pipelining enabled in Apex

        Reviewed by Aaron Golden.

        The iPhone availibility macros are defined in Availability.h not
        AvailabilityMacros.h.  Because Availability.h was not included,
        the net effect was that anything that tested for _IPHONE_4_0 was
        effectively disabled.  By including Availability.h in Platform.h
        we ensure that these macros are defined properly everywhere.

        * wtf/FastMalloc.cpp: Removed unneeded #include <Availability.h>.
        * wtf/Platform.h: Added #include <Availability.h>.

2010-01-19  Pratik Solanki  <psolanki@apple.com>

        <rdar://problem/7534560> REGRESSION: Embedded Google Map does not show all information

        Merge in r53341 from WebKit open source. Also merge in part of r49734
        which refactors countPrototypeChainEntriesAndCheckForProxies to
        normalizePrototypeChain.

        Reviewed by David Kilzer.

        (JSC::Interpreter::tryCacheGetByID):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChain):

    2010-01-14  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        REGRESISON: Google maps buttons not working properly
        https://bugs.webkit.org/show_bug.cgi?id=31871

        REGRESSION(r52948): JavaScript exceptions thrown on Google Maps when
        getting directions for a second time
        https://bugs.webkit.org/show_bug.cgi?id=33446
        
        SunSpider and v8 report no change.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCacheGetByID): Update our cached offset in case
        flattening the dictionary changed any of its offsets.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChain): ditto

2010-01-19  Pratik Solanki  <psolanki@apple.com>

        Rename countPrototypeChainEntriesAndCheckForProxies to normalizePrototypeChain.
        This is part of the change from r49734 in open source WebKit.

        This is needed to merge in the fix for <rdar://7534560>

        Reviewed by David Kilzer.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCacheGetByID): Updated for rename to
        "normalizePrototypeChain"
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID): Updated for rename to
        "normalizePrototypeChain"
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChain): Renamed countPrototypeChainEntriesAndCheckForProxies
        to normalizePrototypeChain, since it changes dictionary prototypes to
        non-dictionary objects.

2010-01-12  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7387208> Enable http pipelining in WebKit

        Reviewed by David Carson.

        * wtf/Platform.h: Added ENABLE(HTTP_PIPELINING) macro and
        enabled it for PLATFORM(IPHONE) on Apex and later.

2010-01-08  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7519233> Assertion failure in Interpreter.cpp:1047 !baseObject->structure()->isUncacheableDictionary()

        Merged ToT WebKit r50704.

        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure): Since the
        anonymousSlotCount changes haven't been merged, just set the
        value to 0.  Change suggested by Geoff Garen.

    2009-11-09  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Can cache prototype lookups on uncacheable dictionaries.
        https://bugs.webkit.org/show_bug.cgi?id=31198

        Replace fromDictionaryTransition with flattenDictionaryObject and
        flattenDictionaryStructure.  This change is necessary as we need to
        guarantee that our attempt to convert away from a dictionary structure
        will definitely succeed, and in some cases this requires mutating the
        object storage itself.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::tryCacheGetByID):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
        * runtime/JSObject.h:
        (JSC::JSObject::flattenDictionaryObject):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChain):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::comparePropertyMapEntryIndices):
        * runtime/Structure.h:

2009-12-25  Cameron Zwarich  <zwarich@apple.com>

        <rdar://problem/7498357> Enable WTF_USE_JSVALUE32_64 for armv6 with llvm-gcc-4.2

        Reviewed by David Kilzer.

        * wtf/Platform.h: Now that WebKit is being compiled with LLVM to match JavaScriptCore
        and WebCore, reenable JSVALUE32_64 on armv6 with llvm-gcc-4.2.

2009-12-24  Cameron Zwarich  <zwarich@apple.com>

        <rdar://problem/7493635> Crashes in JavaScriptCore::Heap::unprotect() in apps using UIWebView

        Reviewed by David Kilzer.

        * wtf/Platform.h: Roll out r125950, the fix for <rdar://problem/7488182> Enable
        WTF_USE_JSVALUE32_64 for armv6 with llvm-gcc-4.2. It appears to be hitting a bug
        in the compiler.

2009-12-20  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7488182> Enable WTF_USE_JSVALUE32_64 for armv6 with llvm-gcc-4.2

        Reviewed by Cameron Zwarich.

        * wtf/Platform.h: Updated to enable USE(JSVALUE32_64) when
        compiling with llvm-gcc-4.2 and targeting armv6 since it doesn't
        have this compiler bug (<rdar://problem/7478149>).

2009-12-19  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7486926> Change Register constructors to assignment operators to work around gcc-4.2 bug

        Merge ToT WebKit r52343.

    2009-12-18  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Cameron Zwarich and Gavin Barraclough.

        Changed Register constructors to assignment operators, to streamline
        moving values into registers. (In theory, there's no difference between
        the two, since the constructor should just inline away, but there seems
        to be a big difference in the addled mind of the GCC optimizer.)

        In the interpreter, this is a 3.5% SunSpider speedup and a 1K-2K
        reduction in stack usage per privateExecute stack frame.

        * interpreter/CallFrame.h:
        (JSC::ExecState::setCalleeArguments):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setScopeChain):
        (JSC::ExecState::init):
        (JSC::ExecState::setArgumentCount):
        (JSC::ExecState::setCallee):
        (JSC::ExecState::setCodeBlock): Added a little bit of casting so these
        functions could use the new Register assignment operators.

        * interpreter/Register.h:
        (JSC::Register::withInt):
        (JSC::Register::Register):
        (JSC::Register::operator=): Swapped in assignment operators for constructors.

2009-12-17  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7451823> Investigate using WTF_USE_JSVALUE32_64 on ARM

        Reviewed by Cameron Zwarich.

        Merged ToT WebKit r52231 to fix the recursion crash after
        enabling USE(JSVALUE32_64).  Also worked around a gcc-4.2 bug
        on armv6 (<rdar://problem/7478149>) by using USE(JSVALUE32) when
        compiling armv6.

        This also addresses:
        <rdar://problem/7469369> SunSpider times regressed from Wildcat7B279 to Wildcat 7B280a

        * wtf/Platform.h: Enable USE(JSVALUE32_64) for armv7.  Continue
        using USE(JSVALUE32) for armv6 until <rdar://problem/7478149> is
        fixed.

    2009-12-16  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Fixed <rdar://problem/7355025> Interpreter::privateExecute macro generates
        bloated code

        This patch cuts Interpreter stack use by about a third.

        * bytecode/Opcode.h: Changed Opcode to const void* to work with the
        const static initiliazation we want to do in Interpreter::privateExecute.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter): Moved hashtable initialization here to
        avoid polluting Interpreter::privateExecute's stack, and changed it from a
        series of add() calls to one add() call in a loop, to cut down on code size.

        (JSC::Interpreter::privateExecute): Changed a series of label computations
        to a copy of a compile-time constant array to cut down on code size.

2009-12-17  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7002948> Backout workaround for bogus -Wmissing-prototypes warnings on SnowLeopard

        Reviewed by Greg Bolsinga.

        * Configurations/Base.xcconfig: Re-enable -Wmissing-prototypes
        for hardware builds.

2009-12-10  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7266331> Merge WebKit engine changes from Safari Bronco

        Merged ToT WebKit r46833-r50479 on the safari-4-branch to iPhone WebKit.
        
2009-12-10  David Kilzer  <ddkilzer@apple.com>

        Don't enable the fast malloc scavenge thread on iPhone OS

        * wtf/FastMalloc.cpp: Until we can measure the performance
        impact and/or benefits, don't enable the scavenge thread on
        iPhone OS.

2009-12-10  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7450578> CrashTracer: [USER] 3 crashes in DumpRenderTree at JavaScriptCore: JSC::stringProtoFuncReplace + 12

        * wtf/Platform.h: Continue using WTF_USE_JSVALUE32 for
        PLATFORM(IPHONE) since WTF_USE_JSVALUE32_64 causes crashes.

2009-12-04  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7437124> Build JavaScriptCore with LLVM for Apex

        Reviewed by Greg Bolsinga.

        * Configurations/Base.xcconfig: Don't build JavaScriptCore with
        llvm-gcc-4.2 for the iPhone Simulator just yet.

2009-12-04  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX: Make sure malloc_introspection_t is NULL-terminated for Wildcat hardware builds

        * wtf/FastMalloc.cpp:
        (jscore_fastmalloc_introspection): When defining this struct,
        the NULL terminator is required on Wildcat hardware, Apex
        hardware and Apex simulator builds, but not Wildcat simulator
        builds.  Thus, we have to restore the __IPHONE_3_2 check that
        was removed in r123040 and keep the __IPHONE_4_0 check.  (The
        Apex simulator build will continue to fail until the next Apex
        SDK is released with Snow Leopard's CF/Foundation integrated.)

2009-12-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7437124> Build JavaScriptCore with LLVM for Apex

        Reviewed by Cameron Zwarich.

        * Configurations/Base.xcconfig: Use llvm-gcc-4.2 when building
        for the iPhone OS 4.0 Internal SDK and iPhone Simulator 4.0 SDK.

2009-11-10  David Kilzer  <ddkilzer@apple.com>

        Introduce ENABLE(TEXT_AUTOSIZING)

        Reviewed by Greg Bolsinga.

        * wtf/Platform.h: Defined ENABLE_TEXT_AUTOSIZING to 1 for
        PLATFORM(IPHONE) and 0 for all other platforms.

2009-11-08  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7311412> iPhone: REGRESSION (r48687): Pages on ucas.com appear blank (30424)

        Reverted iPhone WebKit r112546, which originally fixed:
        <rdar://problem/7239662> iPhone: CrashTracer: [USER] 1 crash in Safari at com.apple.WebCore • WebCore::ThreadTimers::fireTimers + 135 • abort() called

        The eventual fix will be picked up with the merge for Safari
        Bronco.

        * wtf/Forward.h:

2009-09-30  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7239662> iPhone: CrashTracer: [USER] 1 crash in Safari at com.apple.WebCore • WebCore::ThreadTimers::fireTimers + 135 • abort() called

        Merged ToT WebKit r48650.

    2009-09-22  Darin Adler  <darin@apple.com>

        Reviewed by Sam Weinig.

        * wtf/Forward.h: Added PassOwnPtr.

2009-09-28  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7257975> LayoutTests/fast/js/postfix-syntax.html fails on interpreter

        Merged ToT WebKit r45904 from <http://webkit.org/b/27294>.

    2009-07-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Simon Hausmann.

        REGRESSION: fast/js/postfix-syntax.html fails with interpreter
        https://bugs.webkit.org/show_bug.cgi?id=27294

        When postfix operators operating on locals assign to the same local
        the order of operations has to be to store the incremented value, then
        store the unmodified number.  Rather than implementing this subtle
        semantic in the interpreter I've just made the logic explicit in the
        bytecode generator, so x=x++ effectively becomes x=ToNumber(x) (for a
        local var x).

        * parser/Nodes.cpp:
        (JSC::emitPostIncOrDec):

2009-09-28  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7258042> LayoutTests/fast/js/kde/arguments-scope.html fails on interpreter

        Merged ToT WebKit r45903 from <http://webkit.org/b/27259>.

    2009-07-15  Oliver Hunt  <oliver@apple.com>

        Reviewed by Simon Hausmann.

        REGRESSION(43559): fast/js/kde/arguments-scope.html fails with interpreter
        https://bugs.webkit.org/show_bug.cgi?id=27259

        The interpreter was incorrectly basing its need to create the arguments object
        based on the presence of the callframe's argument reference rather than the local
        arguments reference.  Based on this it then overrode the local variable reference.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2009-09-23  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7241653> Changes to export files not always picked up

        Merged ToT WebKit r48685 from <http://webkit.org/b/29660>.

    2009-09-23  David Kilzer  <ddkilzer@apple.com>

        Move definition of USE(PLUGIN_HOST_PROCESS) from WebKitPrefix.h to Platform.h

        Reviewed by Mark Rowe.

        * wtf/Platform.h: Define WTF_USE_PLUGIN_HOST_PROCESS to 1 when
        building on 64-bit SnowLeopard.  Define to 0 elsewhere.

2009-09-22  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7241653> Changes to export files not always picked up

        Reviewed by Paul Knight.

        * JavaScriptCore.xcodeproj/project.pbxproj: Fixed order of build
        phase scripts to match ToT WebKit.

2009-09-21  Greg Bolsinga  <bolsinga@apple.com>

        Merged TOT WebKit r48609.

        Thsi brings over the Open Source change for 
        ENABLE(ORIENTATION_EVENTS), and removes the previous
        portions that do not apply and fixes bugs.

        * wtf/Platform.h:

2009-09-16  Greg Bolsinga  <bolsinga@apple.com>

        Merged TOT WebKit r48430.

        This basically brings over the Open Source change for
        ENABLE_INSPECTOR, and removes the previous portions
        that do not apply (FeatureDefines.xcconfig, build-webkit,
        and EXCLUDED_SOURCE_FILE_NAMES changes).

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2009-09-16  Greg Bolsinga  <bolsinga@apple.com>

        Merged TOT WebKit r48429.

        This basically brings over the Open Source change for
        ENABLE_CONTEXT_MENUS, and removes the previous portions
        that do not apply (FeatureDefines.xcconfig, build-webkit,
        and EXCLUDED_SOURCE_FILE_NAMES changes).

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2009-09-16  Greg Bolsinga  <bolsinga@apple.com>

        Fix a bad merge in the previous commit.
        
        * wtf/Platform.h:

2009-09-16  Greg Bolsinga  <bolsinga@apple.com>

        Merged TOT WebKit r46437.
        
        This basically brings over the Open Source change for 
        ENABLE_DRAG_SUPPORT, and removes the previous portions
        that do not apply (FeatureDefines.xcconfig, build-webkit, 
        and EXCLUDED_SOURCE_FILE_NAMES changes).

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2009-09-11  Greg Bolsinga  <bolsinga@apple.com>

        Reviewed by David Carson.

        <rdar://problem/6732593> Add ENABLE(CONTEXT_MENU)

        Set up defaults for ENABLE_CONTEXT_MENU (off for iPhone, on for Mac OS X)

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2009-09-11  Greg Bolsinga  <bolsinga@apple.com>

        Reviewed by David Carson.

        <rdar://problem/6732599> Add ENABLE(DRAG_SUPPORT)

        Set up defaults for ENABLE_DRAG_SUPPORT (off for iPhone, on for Mac OS X)

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2009-09-10  Greg Bolsinga  <bolsinga@apple.com>

        Reviewed by Cameron Zwarich.

        <rdar://problem/6732605> Add ENABLE(INSPECTOR)
        
        Set up defaults for ENABLE_INSPECTOR (off for iPhone, on for Mac OS X)

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2009-08-21  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7154895> Annotate WTF assertion methods to prevent false-positives from clang static analyzer

        Reviewed by David Carson.

        * wtf/Assertions.h: Added CLANG_ANALYZER_NORETURN macro
        definition. Added #include <stdbool.h> for definition of false
        in C source.
        (WTFReportAssertionFailure): Added CLANG_ANALYZER_NORETURN
        annotation to fix false-positives in ASSERT() macro.
        (WTFReportAssertionFailureWithMessage): Ditto for
        ASSERT_WITH_MESSAGE() macro.
        (WTFReportArgumentAssertionFailure): Ditto for ASSERT_ARG()
        macro.
        (WTFReportFatalError): Ditto for FATAL() macro.

2009-08-16  David Kilzer  <ddkilzer@apple.com>

        Move #define _DONT_USE_CTYPE_INLINE_ to <wtf/DisallowCType.h>

        Reviewed by Greg Bolsinga.

        All source files fail to build for the iPhone OS SDK and the
        iPhone Simulator SDK unless _DONT_USE_CTYPE_INLINE_ is defined
        before including <ctype.h>.  Instead of defining it in
        WebCorePrefix.h and WebKitPrefix.h, move the definition to
        DisallowCType.h since that header is already included in
        WebCore/config.h and WebKit/WebKitPrefix.h.

        * wtf/DisallowCType.h: Added #define _DONT_USE_CTYPE_INLINE_ for
        PLATFORM(IPHONE).

2009-08-11  David Carson  <dacarson@apple.com>

        <rdar://problem/7125030> Reproducible assertion failure in JavaScriptCore with google maps

        Reviewed by Greg Bolsinga

        Comment out ASSERTs as MobileSafari allocs on main thread and frees on Web thread.

        * wtf/CrossThreadRefCounted.h:
        (WTF::::ref):
        (WTF::::deref):

2009-08-07  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7128246> Soft link MobileQuickLook only once

        Reviewed by Cameron Zwarich.

        * wtf/Platform.h: Added USE(MOBILE_QUICK_LOOK) macro.

2009-08-02  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6907691> TLF: Merge Safari 4.0.3 SnowLeopard GM2 release (Rocket)

        Merged ToT WebKit r45764-r46452 on safari-4-branch (Safari Rocket branch).

        276 files changed, 4992 insertions(+), 3928 deletions(-)

2009-08-02  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6907691> TLF: Merge Safari 4.0.3 SnowLeopard GM2 release (Rocket)

        Merged ToT WebKit r43832-r45704 on trunk (up to the Rocket branch point).

        3104 files changed, 429041 insertions(+), 273643 deletions(-)

2009-07-23  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/7082861> Eclair content isn't working after Jetstream merge

        Reviewed by Cameron Zwarich.

        * wtf/Platform.h: Define WTF_USE_ACCELERATED_COMPOSITING for
        PLATFORM(IPHONE).  It's also currently defined in
        WebCore/config.h, but not in such a way as to enable it for
        iPhone WebKit, and the config.h definition will be removed in a
        later merge.

2009-06-24  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6930369> Simulator should build with MACOSX_DEPLOYMENT_TARGET=10.5 on SnowLeopard

        Reviewed by Cameron Zwarich.

        * Configurations/DebugRelease.xcconfig: Set
        MACOSX_DEPLOYMENT_TARGET=10.5 when building for iphoneos and
        iphonesimulator platforms.

2009-06-24  David Kilzer  <ddkilzer@apple.com>

        Disable -Wmissing-prototypes when compiling for iphoneos

        Reviewed by Cameron Zwarich.

        This is a workaround for: <rdar://problem/6930844> SnowLeopard+Kirkwood: cc1plus: warning: command line option "-Wmissing-prototypes" is valid for C/ObjC but not for C++

        * Configurations/Base.xcconfig: Disable -Wmissing-prototypes
        when compiling for iphoneos.

2009-06-18  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6954277> JavaScriptCore-525 fails to build in Wildcat

        Reviewed by David Carson.

        * wtf/FastMalloc.cpp:
        (WTF::TCMallocStats::): The CoreOS changes to
        malloc_introspection_t have been merged into Northstar+1, so
        change the macro test accordingly.

2009-06-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6830711> JavascriptCore fails to verify when built armv5

        Patch by Anthony O'Blennis Yvanovich.  Reviewed by David Kilzer.

        * Configurations/Base.xcconfig: Added
        GCC_GENERATE_DEBUGGING_SYMBOLS_armv5.
        * Configurations/JavaScriptCore.xcconfig: Added
        EXPORTED_SYMBOLS_FILE_armv5.

2009-06-01  Cameron Zwarich  <zwarich@apple.com>

        Reviewed by David Kilzer.

        <rdar://problem/6888365> CrashTracer: [USER] 1 crash in MobileSafari at WebCore • WebCore::JSEventTargetNode::getOwnPropertySlot + 9

        When using WebKit in threaded mode on iPhone, JavaScriptCore runs in the
        web thread, which is a secondary thread and thus has 512 kb of stack space
        by default. The relatively low amount of stack space was causing stack
        overflows when approaching the JavaScriptCore reentrancy limit. The solution
        is to simultaneously decrease the reentrancy limit while increasing the
        amount of stack space available for the web thread.

        * interpreter/Interpreter.h: decrease the reentrancy limit from 128 to
        100. I have never seen an actual web page that requires a limit higher
        than 65, but the Celtic Kane benchmark requires a limit of 94, at least
        with our current implementation of certain runtime methods. While this
        benchmark is completely stupid, it is still important that we are able
        to run it.

2009-05-23  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6917404> JavaScriptCore_Sim fails to build in Apex

        Since the iPhone Simulator is currently built on Leopard (not
        SnowLeopard), we must exclude the malloc_introspection_t fix
        when building JavaScriptCore_Sim for Apex.

        * wtf/FastMalloc.cpp:
        (WTF::jscore_fastmalloc_introspection): Added check for
        !PLATFORM(IPHONE_SIMULATOR) when building on Apex or newer.

2009-05-21  Cameron Zwarich  <zwarich@apple.com>

        Reviewed by David Kilzer.

        I wanted to merge our change to tag TCMalloc memory, but Mark Rowe
        informed me that this is pointless, because TCMalloc has its own
        MallocZone and vmmap only needs tags to distinguish between
        allocations if they are not associated with a zone.

        *  wtf/TCSystemAlloc.cpp: remove mmapFileDescriptor.
        (TryMMap): pass -1 to mmap instead of mmapFileDescriptor, matching
        desktop WebKit.
        (TCMalloc_SystemRelease): ditto.

2009-05-21  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6912575> iPhone: REGRESSION: cached DOM global object property access fails in browser (25921)

        Merged ToT WebKit r44016.

    2009-05-21  Oliver Hunt  <oliver@apple.com>

        Reviewed by Maciej Stachowiak.

        <rdar://problem/6910264> REGRESSION: Cached DOM global object property access fails in browser (25921)
        <https://bugs.webkit.org/show_bug.cgi?id=25921>

        When caching properties on the global object we need to ensure that we're
        not attempting to cache through a shell object.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::resolveGlobal):
        * jit/JITStubs.cpp:
        (JSC::JITStubs::cti_op_resolve_global):

2009-05-21  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6886808> JavaScriptCore fails to build in RacerFive

        Merged ToT WebKit r41023.

    2009-02-16  Mark Rowe  <mrowe@apple.com>

        Build fix.

        * wtf/FastMalloc.cpp:
        (WTF::TCMallocStats::):
        (WTF::TCMallocStats::FastMallocZone::FastMallocZone):

2009-05-03  Antti Koivisto  <antti@apple.com>

        Reviewed by David Carson.

        <rdar://problem/6850915> REGRESSION (SUTimberline): Reduce the size of the FastMalloc thread cache (from 6410061)

        Merge back r73166 from SUTimberline.

        --- Submission Information ---
        - Risk level: Low
        - Risk details: Changes constant back to SUTimberline value.
        - Code reviewed by: David Carson.
        - Testing details: Tested that a rerun of a short session
          (google->nytimes->wsj->google) produces 1MB difference in
          FastMalloc dirty pages.  Verified basic browsing was
          unaffected.

        * wtf/FastMalloc.cpp: Changed thread cache size from 2MB to 0.5MB.

2009-04-30  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6842050> MERGE: Javascript, ParseInt and Negative value

        Merged ToT WebKit r42607.

        --- Submission Information ---
        - Risk level: Low
        - Risk details: Fixed parsing of negative integer values.
        - Code reviewed by: Oliver Hunt.
        - Testing details: Ran javascriptcore and layout tests.
          Verified basic browsing was unaffected.

    2009-04-08  Mihnea Ovidenie  <mihnea@adobe.com>

        Reviewed by Oliver Hunt.

        Bug 25027: JavaScript parseInt wrong on negative numbers
        <https://bugs.webkit.org/show_bug.cgi?id=25027>

        When dealing with negative numbers, parseInt should use ceil instead of floor.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncParseInt):

2009-04-29  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6015733> iPhone: UString::expandCapacity called with addition as parameter, that could overflow

        Merged ToT WebKit r42988.

        --- Submission Information ---
        - Risk level: Low
        - Risk details: Updated integer overflow check.
        - Code reviewed by: Maciej Stachowiak.
        - Testing details: Ran javascriptcore and layout tests.
          Verified basic browsing was unaffected.

    2009-04-28  David Kilzer  <ddkilzer@apple.com>

        A little more hardening for UString

        Reviewed by Maciej Stachowiak.

        Revised fix for <rdar://problem/5861045> in r42644.

        * runtime/UString.cpp:
        (JSC::newCapacityWithOverflowCheck): Added.
        (JSC::concatenate): Used newCapacityWithOverflowCheck().
        (JSC::UString::append): Ditto.

2009-04-29  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6836543> Build system issues with ENABLE_RESPECT_EXIF_ORIENTATION

        Reviewed by Greg Bolsinga.

        --- Submission Information ---
        - Risk level: Low
        - Risk details: Removed unneeded FEATURE_DEFINES from *.xcconfig
          files and build-webkit.  Does not affect B&I builds.
        - Code reviewed by: Greg Bolsinga.
        - Testing details: Built Development and Deployment_Hardware
          configurations using build-webkit.

        * Configurations/JavaScriptCore.xcconfig: Removed unneeded
        ENABLE_RESPECT_EXIF_ORIENTATION from FEATURE_DEFINES.

2009-04-28  Greg Bolsinga  <bolsinga@apple.com>

        <rdar://problem/6832549> REGR: Canvas is busted
        --- Submission Information ---
        - Risk level: Medium
        - Risk details: Images could still be screwed up somehow in a way not yet found.
        - Code reviewed by: David Kilzer
        - Testing details: The canvas example in the bug and photos copied from Photos to Mail to verify the bug that broke canvas still works.

        * Configurations/JavaScriptCore.xcconfig:
        * wtf/Platform.h:
        Add ENABLE_RESPECT_EXIF_ORIENTATION where needed.

2009-04-20  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6015744> iPhone: Integer overflow in JSStringCreateWithCFString

        Merged ToT WebKit r42659, r42662.

        --- Submission Information ---
        - Risk level: Low
        - Risk details: Added sanity check to prevent integer overflow.
        - Code reviewed by: Dan Bernstein and Darin Adler.  Patch by Sam Weinig.
        - Testing details: Ran layout tests.  Verified basic browsing
          was unaffected.

    2009-04-19  Sam Weinig  <sam@webkit.org>

        Reviewed by Darin Adler.

        Better fix for JSStringCreateWithCFString hardening.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):

    2009-04-19  Sam Weinig  <sam@webkit.org>

        Reviewed by Dan Bernstein.

        Fix for <rdar://problem/5860954>
        Harden JSStringCreateWithCFString against malformed CFStringRefs.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):

2009-04-18  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6015733> iPhone: UString::expandCapacity called with addition as parameter, that could overflow

        Merged ToT WebKit r42644.

        --- Submission Information ---
        - Risk level: Low
        - Risk details: Added sanity checks to prevent integer overflow exploits.
        - Code reviewed by: Mark Rowe.  Patch by Sam Weinig.
        - Testing details: Ran layout tests.  Verified basic browsing
          was unaffected.

    2009-04-18  Sam Weinig  <sam@webkit.org>

        Reviewed by Mark Rowe.

        Fix for <rdar://problem/5861045>
        A little bit of hardening for UString.

        * runtime/UString.cpp:
        (JSC::concatenate):
        (JSC::UString::append):

2009-04-18  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6015721> iPhone: Integer overflow (m_size + dataSize) in wtf::Vector::append

        Merged ToT WebKit r42643.

        --- Submission Information ---
        - Risk level: Low
        - Risk details: Added sanity check to prevent integer overflow exploits.
        - Code reviewed by: Mark Rowe and Dan Bernstein.  Patch by Sam Weinig.
        - Testing details: Ran layout tests.  Verified basic browsing
          was unaffected.

    2009-04-18  Sam Weinig  <sam@webkit.org>

        Reviewed by Mark Rowe and Dan Bernstein.

        Fix for <rdar://problem/5861188>
        A little bit of hardening for Vector.

        * wtf/Vector.h:
        (WTF::Vector<T, inlineCapacity>::append):
        (WTF::Vector<T, inlineCapacity>::insert):

2009-04-17  David Carson  <dacarson@apple.com>

        Reviewed by David Kilzer, Richard Williamson

        <rdar://problem/6674885> Pasted image from Camera album is rotated

        Read the orientation from the image data and make it available to
        the drawing code. When drawing the image, orientate the image
        according to the EXIF orientation code.
        This patch is a copy of the patch attached to WebKit bug:
        https://bugs.webkit.org/show_bug.cgi?id=19688

        --- Submission Information ---
        - Risk level: Med
        - Risk details: Web sites could have mis-matched orientation
          data. Though, I could not find any such site.
        - Code reviewed by: David Kilzer, Richard Williamson
        - Testing details: Tested pasting images into mail that
          were taken with the iPhone camera. Tested photo sites
          flickr.com, picasaweb.google.com and MobileMe.

        * wtf/Platform.h:
          Turn on ENABLE_RESPECT_EXIF_ORIENTATION

2009-04-17  Drew Wilson  <amw@apple.com>

        Reviewed by Dan Bernstein, Debbie Goldsmith, Brad Moore.

        * ChangeLog-PEP:
        * wtf/unicode/icu/UnicodeIcu.h:
        (WTF::Unicode::hasLineBreakingPropertyComplexContextOrIdeographic):

2009-04-08  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6718589> Turn off SVG DOM Objective-C bindings in WebCore and WebKit

        Merged ToT WebKit r42345.

        --- Submission Information ---
        - Risk level: Medium
        - Risk details: Disabling a feature that has been present since
          BigBear (iPhone OS 2.0).
        - Code reviewed by: Darin Adler and Maciej Stachowiak.
        - Testing details: Built Development, Deployment,
          Development_Hardware and Deployment_Hardware configurations of
          JavaScriptCore, WebCore and WebKit.  Verified basic browsing
          was unaffected.

    2009-04-08  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6718589> Option to turn off SVG DOM Objective-C bindings

        Reviewed by Darin Adler and Maciej Stachowiak.

        Introduce the ENABLE_SVG_DOM_OBJC_BINDINGS feature define so
        that SVG DOM Objective-C bindings may be optionally disabled.

        * Configurations/JavaScriptCore.xcconfig: Added
        ENABLE_SVG_DOM_OBJC_BINDINGS variable and use it in
        FEATURE_DEFINES.

2009-04-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6511168> MERGE: iPhone: Thai text selection in Safari is incorrect

        Merged ToT WebKit r41607.

    2009-03-11  Dan Bernstein  <mitz@apple.com>

        Reviewed by Darin Adler.

        - WTF support for fixing <rdar://problem/3919124> Thai text selection
          in Safari is incorrect

        * wtf/unicode/icu/UnicodeIcu.h:
        (WTF::Unicode::hasLineBreakingPropertyComplexContext): Added. Returns
        whether the character has Unicode line breaking property value SA
        ("Complex Context").
        * wtf/unicode/qt4/UnicodeQt4.h:
        (WTF::Unicode::hasLineBreakingPropertyComplexContext): Added an
        implementation that always returns false.

2009-04-02  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6746155> WebCore and WebKit Development_Hardware ARCHS seems wrong.

        Reviewed by Simon Fraser.

        This change only affects local Development[_Hardware] and
        Deployment[_Hardware] builds using Xcode, whose configurations
        are based on DebugRelease.xcconfig.

        * Configurations/DebugRelease.xcconfig: Simplified ARCHS value
        and used $(ARCHS_STANDARD_32_BIT) for iphoneos platform instead
        of hard-coding "armv6".

2009-04-01  Greg Bolsinga  <bolsinga@apple.com>

        Reviewed by David Kilzer.

        <rdar://problem/6746296> Update order file for JavaScriptCore

        * Configurations/Base.xcconfig:
        * JavaScriptCore.iPhone.order: Added.

2009-04-01  Greg Bolsinga  <bolsinga@apple.com>

        Bring over https://bugs.webkit.org/show_bug.cgi?id=24990
        
        Reviewed by David Kilzer
    
    2009-04-01  Greg Bolsinga  <bolsinga@apple.com>

            Reviewed by Mark Rowe.
            
            https://bugs.webkit.org/show_bug.cgi?id=24990
            Put SECTORDER_FLAGS into xcconfig files.

            * Configurations/Base.xcconfig:
            * Configurations/DebugRelease.xcconfig:

2009-03-29  David Kilzer  <ddkilzer@apple.com>

        Bug 23676: Speed up uses of reserveCapacity on new vectors by adding a new reserveInitialCapacity

        <https://bugs.webkit.org/show_bug.cgi?id=23676>

        Merged ToT WebKit r40501.  Needed to fix <rdar://problem/6733652>.

    2009-02-02  Darin Adler  <darin@apple.com>

        Reviewed by Dave Hyatt.

        Bug 23676: Speed up uses of reserveCapacity on new vectors by adding a new reserveInitialCapacity
        https://bugs.webkit.org/show_bug.cgi?id=23676

        * API/JSObjectRef.cpp:
        (JSObjectCopyPropertyNames): Use reserveInitialCapacity.
        * parser/Lexer.cpp:
        (JSC::Lexer::Lexer): Ditto.
        (JSC::Lexer::clear): Ditto.

        * wtf/Vector.h: Added reserveInitialCapacity, a more efficient version of
        reserveCapacity for use when the vector is brand new (still size 0 with no
        capacity other than the inline capacity).

2009-03-23  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6712454> Fix JavaScript function compatability issues

        Merged ToT WebKit r41851 and r41895.

        Note that the testapi.c changes were not merged with r41895.

    2009-03-21  Oliver Hunt  <oliver@apple.com>

        Reviewed by Cameron Zwarich.

        Ensure that JSObjectMakeFunction doesn't produce incorrect line numbers.

        Also make test api correctly propagate failures.

        * API/tests/testapi.c:
        (main):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):

    2009-03-19  Cameron Zwarich  <cwzwarich@uwaterloo.ca>

        Reviewed by Oliver Hunt.

        Bug 24350: REGRESSION: Safari 4 breaks SPAW wysiwyg editor multiple instances
        <https://bugs.webkit.org/show_bug.cgi?id=24350>
        <rdar://problem/6674182>

        The SPAW editor's JavaScript assumes that toString() on a function
        constructed with the Function constructor produces a function with
        a newline after the opening brace.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction): Add a newline after the opening brace of the
        function's source code.

2009-03-23  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6464366> REGRESSION: Fix Debug Console message printed for slow script (10 second) timeout

        Merged ToT WebKit r41912.

    2009-03-23  David Kilzer  <ddkilzer@apple.com>

        Provide JavaScript exception information after slow script timeout

        Reviewed by Oliver Hunt.

        * runtime/Completion.cpp:
        (JSC::evaluate): Set the exception object as the Completion
        object's value for slow script timeouts.  This is used in
        WebCore when reporting the exception.
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::toString): Added.  Provides a
        description message for the exception when it is reported.

2009-03-21  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6708484> iPhone: REGRESSION (Safari 4): regular expression pattern size limit lower than Safari 3.2, other browsers, breaks SAP (14873)

        Merged ToT WebKit r41842.

    2009-03-19  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Sam Weinig.

        Fixed <rdar://problem/6603562> REGRESSION (Safari 4): regular expression
        pattern size limit lower than Safari 3.2, other browsers, breaks SAP (14873)

        Bumped the pattern size limit to 1MB, and standardized it between PCRE
        and WREC. (Empirical testing says that we can easily compile a 1MB regular
        expression without risking a hang. Other browsers support bigger regular
        expressions, but also hang.)

        SunSpider reports no change.

        I started with a patch posted to Bugzilla by Erik Corry (erikcorry@google.com).

        * pcre/pcre_internal.h:
        (put3ByteValue):
        (get3ByteValue):
        (put3ByteValueAndAdvance):
        (putLinkValueAllowZero):
        (getLinkValueAllowZero): Made PCRE's "LINK_SIZE" (the number of bytes
        used to record jumps between bytecodes) 3, to accomodate larger potential
        jumps. Bumped PCRE's "MAX_PATTERN_SIZE" to 1MB. (Technically, at this
        LINK_SIZE, we can support even larger patterns, but we risk a hang during
        compilation, and it's not clear that such large patterns are important
        on the web.)

        * wrec/WREC.cpp:
        (JSC::WREC::Generator::compileRegExp): Match PCRE's maximum pattern size,
        to avoid quirks between platforms.

2009-03-20  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6696219> iPhone: REGRESSION (Safari 4): Incorrect function return value when using IE "try ... finally" memory leak work-around (24654)

        Merged ToT WebKit r41806.

    2009-03-17  Oliver Hunt  <oliver@apple.com>

        Reviewed by Cameron Zwarich.

        <rdar://problem/6692138> REGRESSION (Safari 4): Incorrect function return value when using IE "try ... finally" memory leak work-around (24654)
        <https://bugs.webkit.org/show_bug.cgi?id=24654>

        If the return value for a function is in a local register we need
        to copy it before executing any finalisers, otherwise it is possible
        for the finaliser to clobber the result.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::hasFinaliser):
        * parser/Nodes.cpp:
        (JSC::ReturnNode::emitBytecode):

2009-03-20  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6033956> iPhone: integer overflow and lack of null check in KJS::Collector::heapAllocate

        Merged ToT WebKit r41854.

    2009-03-19  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Fixed <rdar://problem/6033712> -- a little bit of hardening in the Collector.

        SunSpider reports no change. I also verified in the disassembly that
        we end up with a single compare to constant.

        * runtime/Collector.cpp:
        (JSC::Heap::heapAllocate):

2009-03-15  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6666796> iPhone: REGRESSION (r38635): Single line JavaScript comment prevents HTML button click handler execution (24291)

        Merged ToT WebKit r41565.

    2009-03-10  Cameron Zwarich  <cwzwarich@uwaterloo.ca>

        Reviewed by Geoff Garen.

        Bug 24291: REGRESSION (r38635): Single line JavaScript comment prevents HTML button click handler execution
        <https://bugs.webkit.org/show_bug.cgi?id=24291>
        <rdar://problem/6663472>

        Add an extra newline to the end of the body of the program text constructed
        by the Function constructor for parsing. This allows single line comments to
        be handled correctly by the parser.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):

2009-03-15  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6586232> Merge commits on Safari Hurricane branch

        Merged ToT Safari Hurricane branch (webkit/branches/Safari-6528)
        through r41575 on the branch.

        278 files changed, 26981 insertions(+), 16358 deletions(-)

2009-03-05  Antti Koivisto  <antti@apple.com>

        Reviewed by Dave Hyatt.
        
        <rdar://problem/6591072> REGRESSION: Bring back repaint throttling during page loading

        Intergrate r41431 from the open source TOT.
        
        Enable it for the phone.

        * wtf/Platform.h:

2009-03-05  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6645446> JavaScriptCore and WebCore should compile with -Wshorten-64-to-32

        Reviewed by David Carson.

        * Configurations/Base.xcconfig: Added -Wshorten-64-to-32 to
        iphoneos and iphonesimulator builds.  No other code changes
        required.

2009-03-04  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6571915> WebKit-333 doesn't install complete headers during installhdrs

        Merged ToT WebKit r41417.

        * Configurations/Base.xcconfig: Switched from PLATFORM_NAME to
        REAL_PLATFORM_NAME in iPhone-only variables.
        * Configurations/DebugRelease.xcconfig: Ditto.
        * Configurations/JavaScriptCore.xcconfig: Ditto.

    2009-03-03  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6581203> WebCore and WebKit should install the same set of headers during installhdrs phase as build phase

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Defined REAL_PLATFORM_NAME based
        on PLATFORM_NAME to work around the missing definition on Tiger.
        Updated HAVE_DTRACE to use REAL_PLATFORM_NAME.

2009-03-01  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6580941> webkit can enable dtrace probes

        Merged ToT WebKit r41350.

        * Configurations/Base.xcconfig: Added line for iphoneos to
        enable dtrace probes.  Added line for iphonesimulator to
        disable dtrace probes based on Leopard issue.

    2009-03-01  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6635688> Move HAVE_DTRACE check to Base.xcconfig

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig: Set HAVE_DTRACE Xcode variable
        based on PLATFORM_NAME and MAC_OS_X_VERSION_MAJOR.  Also define
        it as a preprocessor macro by modifying
        GCC_PREPROCESSOR_DEFINITIONS.
        * JavaScriptCore.xcodeproj/project.pbxproj: Changed "Generate
        DTrace header" script phase to check for HAVE_DTRACE instead of
        MACOSX_DEPLOYMENT_TARGET.
        * wtf/Platform.h: Removed definition of HAVE_DTRACE macro since
        it's defined in Base.xcconfig now.

2009-03-01  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6548277> Project setting default to Xcode 2.4; need to change to Xcode 3.1

        Reviewed by Andre Boule.

        * JavaScriptCore.xcodeproj/project.pbxproj: Switched
        compatibilityVersion from "Xcode 2.4" to "Xcode 3.1".

2009-03-01  David Kilzer  <ddkilzer@apple.com>

        <rdar://problem/6217293> WebKit projects get warning when building with BlackOpal

        Reviewed by Scott Goodson.

        * JavaScriptCore.xcodeproj/project.pbxproj: Changed productType
        back to the non-shallow version.