ChangeLog-2013-10-13   [plain text]


2013-10-13  Anders Carlsson  <andersca@apple.com>

        Try to fix the Lion build.

        * Configurations/JavaScriptCore.xcconfig:

2013-10-12  Alexey Proskuryakov  <ap@apple.com>

        Add a feature define for SubtleCrypto
        https://bugs.webkit.org/show_bug.cgi?id=122683

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2013-10-12  Julien Brianceau  <jbriance@cisco.com>

        Fix potential register trampling in JIT since r157313.
        https://bugs.webkit.org/show_bug.cgi?id=122691

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2013-10-12  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing spaces in JITStubsSH4.h
        https://bugs.webkit.org/show_bug.cgi?id=122690

        Reviewed by Andreas Kling.

        * jit/JITStubsSH4.h: Space between string concatenation is mandatory with C++11

2013-10-12  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing test32 implementation in macro assembler.
        https://bugs.webkit.org/show_bug.cgi?id=122689

        Reviewed by Andreas Kling.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::test32):

2013-10-11  Darin Adler  <darin@apple.com>

        Change most call sites to call ICU directly instead of through WTF::Unicode
        https://bugs.webkit.org/show_bug.cgi?id=122635

        Reviewed by Alexey Proskuryakov.

        * parser/Lexer.cpp:
        (JSC::isNonLatin1IdentStart): Take a UChar since that's what the only caller wants to pass.
        Use U_GET_GC_MASK instead of WTF::Unicode::category.
        (JSC::isNonLatin1IdentPart): Ditto.

        * parser/Lexer.h:
        (JSC::Lexer::isWhiteSpace): Use u_charType instead of WTF::Unicode::isSeparatorSpace.

        * runtime/JSFunction.cpp: Removed "using namespace" for WTF::Unicode, this will no longer
        compile since this doesn't include anything that defines that namespace.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::isStrWhiteSpace): Use u_charType instead of WTF::Unicode::isSeparatorSpace.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::atomPatternCharacter): Use u_tolower and u_toupper instead of
        Unicode::toLower and Unicode::toUpper. Also added some assertions since this code assumes
        it can convert any UChar to lowercase or uppercase in another UChar, with no risk of needing
        a UChar32 for the result. I guess that's probably true, but it would be good to know in a
        debug build if not.

2013-10-11  Nadav Rotem  <nrotem@apple.com>

        DFG: Add JIT support for  LogicalNot(String/StringIdent)
        https://bugs.webkit.org/show_bug.cgi?id=122627

        Reviewed by Filip Pizlo.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):

2013-10-11  Filip Pizlo  <fpizlo@apple.com>

        sunspider-1.0/math-spectral-norm.js.dfg-eager occasionally fails with Trap 5 (i.e int $3)
        https://bugs.webkit.org/show_bug.cgi?id=122462

        Reviewed by Mark Hahnenberg.
        
        This fixes two bugs, both of which led to GetByVal on Int32 trapping because the
        array no longer had Int32 shape but the check wasn't executed:
        
        1) We weren't snapshotting the structures of mustHandleValues. This led to an awesome
           race where if a mustHandleValue JSValue's structure changed on the main thread
           between runs of the AI, the AI would contradict each other and things would just
           get corrupted in funny ways.
        
        2) The constant folder has a long standing bug! It will fold a node to a constant if
           the AI proved it to be a constant. But it's possible that the original node also
           proved things about the constant's structure. In that case "folding" to a
           JSConstant actually loses information since JSConstant doesn't guarantee anything
           about a constant's structure. There are various things we could do here to ensure
           that a folded constant's structure doesn't change, and that if it does, we
           deoptimize the code. But for now we can just make this sound by disabling folding
           in this pathological case.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):

2013-10-11  Filip Pizlo  <fpizlo@apple.com>

        Fix handling of indirect stackmap locations in FTL OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=122666

        Reviewed by Mark Hahnenberg.
        
        With this change, the llvm.webkit.stackmap-based OSR exit only fails one test, down from
        five tests previously.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::gpr): It's OK to call this method when kind() == Indirect, so asserting that isGPR() is wrong; change to assert that involvesGPR().
        (JSC::FTL::Location::restoreInto): Stack-related registers aren't saved to the scratch buffer, so use them directly.
        * ftl/FTLLocation.h: Add comment about requirements for stack layout.
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStubWithOSRExitStackmap): Make enough room on the stack so that saveAllRegisters() has a scratchpad to save things to. Without this, saveAllRegisters() may clobber a spilled value.

2013-10-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157307.
        http://trac.webkit.org/changeset/157307
        https://bugs.webkit.org/show_bug.cgi?id=122671

        Many assertion failures (Requested by ap on #webkit).

        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::createIteratorResult):
        (JSC::arrayIteratorPrototypeNext):
        * runtime/Intrinsic.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::finishCreation):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):

2013-10-11  Mark Lam  <mark.lam@apple.com>

        Transition op_new_* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122460.

        Reviewed by Michael Saboff.

        Also:
        - Removed the redundant operationNewFunctionExpression().  It is identical to
          operationNewFunctionNoCheck().
        - Sorted JIT operation signature keys in the comment in JITOperations.h.
        - Removed the unused returnValue2Register definition for X86_64.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_new_func):
        (JSC::JIT::emit_op_new_func_exp):
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emit_op_new_array_with_size):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_new_object):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:

2013-10-11  Oliver Hunt  <oliver@apple.com>

        Separate out array iteration intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=122656

        Reviewed by Michael Saboff.

        Separate out the intrinsics for key and values iteration
        of arrays.

        This requires moving moving array iteration into the iterator
        instance, rather than the prototype, but this is essentially
        unobservable so we'll live with it for now.

        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator):
        (JSC::arrayIteratorNextKeyThunkGenerator):
        (JSC::arrayIteratorNextValueThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/Intrinsic.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::finishCreation):
        (JSC::createIteratorResult):
        (JSC::arrayIteratorNext):
        (JSC::arrayIteratorNextKey):
        (JSC::arrayIteratorNextValue):
        (JSC::arrayIteratorNextGeneric):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):

2013-10-11  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to JSGenericTypedArrayViewPrototype.
        <https://webkit.org/b/122632>

        Reviewed by Sam Weinig.

        This code was only using the ExecState to find the VM.

2013-10-11  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix build after r157209.
        https://bugs.webkit.org/show_bug.cgi?id=122643

        Reviewed by Ryosuke Niwa.

        * assembler/MacroAssemblerSH4.h: Add framePointerRegister declaration.
        * assembler/SH4Assembler.h: Add firstRegister() declaration.
        (JSC::SH4Assembler::firstRegister):

2013-10-10  Filip Pizlo  <fpizlo@apple.com>

        FTL shouldn't pass i1's into llvm.webkit.stackmap's
        https://bugs.webkit.org/show_bug.cgi?id=122629
        <rdar://problem/15203037>

        Reviewed by Sam Weinig and Nadav Rotem.
        
        LLVM's stackmap support requires that we only pass operands with legal types (i.e. types
        that are hardware-representable). i1, which the FTL previously used for Booleans, is not
        legal.
        
        We have two options: either add support in LLVM to legalize stackmap operands, or add
        support to the FTL to legalize stackmap operands. It's easier to fix this in FTL, and
        that's what this patch does.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

2013-10-09  Oliver Hunt  <oliver@apple.com>

        Further improve ArrayIterator performance
        https://bugs.webkit.org/show_bug.cgi?id=122575

        Reviewed by Mark Hahnenberg.

        Add an assembly thunk for ArrayIterator.@@next so that we
        can avoid marshalling costs when iterating arrays.

        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::loadSpecificClassArgument):
        * jit/ThunkGenerators.cpp:
        (JSC::arrayIteratorNextThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        * runtime/Intrinsic.h:
        * runtime/JSArrayIterator.h:
        (JSC::JSArrayIterator::offsetOfIterationKind):
        (JSC::JSArrayIterator::offsetOfIteratedObject):
        (JSC::JSArrayIterator::offsetOfNextIndex):
        * runtime/JSCJSValue.h:
        (JSC::JSValue::offsetOfPayload):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::iteratorResultStructureOffset):
        * runtime/VM.cpp:
        (JSC::thunkGeneratorForIntrinsic):

2013-10-10  Michael Saboff  <msaboff@apple.com>

        transition cti_op_* methods returning int to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122563

        Reviewed by Oliver Hunt.

        Moved serveral operationCompare* functions from DFGOperations to JITOperations as well as changing
        dfgConvertJSValueToBoolean to operationConvertJSValueToBoolean so that they can be shared with the baseline JIT.
        Added JITOperation operationHasProperty().  Added needed callOperation helpers and transitioned baseline JIT code
        to use the new operations.
        
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_jless):
        (JSC::JIT::emitSlow_op_jlesseq):
        (JSC::JIT::emitSlow_op_jgreater):
        (JSC::JIT::emitSlow_op_jgreatereq):
        (JSC::JIT::emitSlow_op_jnless):
        (JSC::JIT::emitSlow_op_jnlesseq):
        (JSC::JIT::emitSlow_op_jngreater):
        (JSC::JIT::emitSlow_op_jngreatereq):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emit_op_next_pname):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-10  Filip Pizlo  <fpizlo@apple.com>

        OSR exit using llvm.webkit.stackmap should pass more tests
        https://bugs.webkit.org/show_bug.cgi?id=122518

        Reviewed by Mark Hahnenberg.
        
        - Make the X86Assembler capable of dealing with all XMM registers.
        
        - Make the StackMaps code on WebKit's side capable of dealing with XMM registers.
        
        - Factor out most of the smarts of StackMaps::Location into a self-contained object.
          Previously you needed both StackMaps::Location and a StackMaps reference to do most
          things since the Location might have referred to a constant. Now you can just get a
          self-contained Location object.
        
        - Fix a bug where OSR exit generation thunk generator was assuming that the call frame
          register is already in argumentGPR0. In the future, the call frame will just be the
          machine FP and we won't have to do anything special. But for now the "call frame" is
          just a normal value in LLVM IR and may end up in any register. Make the OSR exit
          generation thunk generator polymorphic over the call frame argument's Location.
        
        - Move the stuff that depends on the polymorphic OSR exit generation thunk generator
          into the finalizer, since generating and linking one of those thunks requires a cache
          flush and we need to do that on the main thread.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::firstRegister):
        (JSC::ARMv7Assembler::lastRegister):
        (JSC::ARMv7Assembler::firstFPRegister):
        (JSC::ARMv7Assembler::lastFPRegister):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::firstFPRegister):
        (JSC::AbstractMacroAssembler::lastFPRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextFPRegister):
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerX86Common.h:
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::firstFPRegister):
        (JSC::X86Assembler::lastFPRegister):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        (JSC::FTL::ExitThunkGenerator::emitThunks):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLocation.cpp: Added.
        (JSC::FTL::Location::forStackmaps):
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::involvesGPR):
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        (JSC::FTL::Location::restoreInto):
        (WTF::printInternal):
        * ftl/FTLLocation.h: Added.
        (JSC::FTL::Location::Location):
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::forIndirect):
        (JSC::FTL::Location::forConstant):
        (JSC::FTL::Location::kind):
        (JSC::FTL::Location::hasDwarfRegNum):
        (JSC::FTL::Location::dwarfRegNum):
        (JSC::FTL::Location::hasOffset):
        (JSC::FTL::Location::offset):
        (JSC::FTL::Location::hasConstant):
        (JSC::FTL::Location::constant):
        (JSC::FTL::Location::operator!):
        (JSC::FTL::Location::isHashTableDeletedValue):
        (JSC::FTL::Location::operator==):
        (JSC::FTL::Location::hash):
        (JSC::FTL::LocationHash::hash):
        (JSC::FTL::LocationHash::equal):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::bytesForFPRs):
        (JSC::FTL::requiredScratchMemorySizeInBytes):
        (JSC::FTL::offsetOfFPR):
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSaveRestore.h:
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::restoreInto):
        * ftl/FTLStackMaps.h:
        * ftl/FTLState.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithoutStackMapThunkGenerator):
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::generateIfNecessary):
        (JSC::FTL::Thunks::getOSRExitGenerationThunk):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-10-09  Filip Pizlo  <fpizlo@apple.com>

        FTL: Soft-link LLVM as a workaround for LLVM's static initializers and exit-time destructors
        https://bugs.webkit.org/show_bug.cgi?id=122566

        Reviewed by Mark Rowe.
        
        The JSC project now builds a libllvmForJSC.dylib. If FTL is enabled, this
        gets copied into JavaScriptCore.framework/Versions/A/Libraries. JSC will
        load the dylib by finding it using NSBundle APIs and then doing dlopen().
        That will only happen lazily, when something happens that requires LLVM.
        
        This mostly takes care of LLVM static initialization overhead by deferring
        it until it's really needed.
        
        This takes care of LLVM's exit-time destructors because inside
        libllvmForJSC.dylib, we override __cxa_atexit.
        
        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/LLVMForJSC.xcconfig: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * disassembler/LLVMDisassembler.cpp:
        (JSC::tryToDisassembleWithLLVM):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::voidType):
        (JSC::FTL::int1Type):
        (JSC::FTL::int8Type):
        (JSC::FTL::int16Type):
        (JSC::FTL::int32Type):
        (JSC::FTL::int64Type):
        (JSC::FTL::intPtrType):
        (JSC::FTL::floatType):
        (JSC::FTL::doubleType):
        (JSC::FTL::pointerType):
        (JSC::FTL::structType):
        (JSC::FTL::functionType):
        (JSC::FTL::typeOf):
        (JSC::FTL::mdKindID):
        (JSC::FTL::mdString):
        (JSC::FTL::mdNode):
        (JSC::FTL::setMetadata):
        (JSC::FTL::addFunction):
        (JSC::FTL::setLinkage):
        (JSC::FTL::setFunctionCallingConv):
        (JSC::FTL::getParam):
        (JSC::FTL::constInt):
        (JSC::FTL::constReal):
        (JSC::FTL::constIntToPtr):
        (JSC::FTL::constBitCast):
        (JSC::FTL::appendBasicBlock):
        (JSC::FTL::insertBasicBlock):
        (JSC::FTL::buildPhi):
        (JSC::FTL::addIncoming):
        (JSC::FTL::buildAlloca):
        (JSC::FTL::buildAdd):
        (JSC::FTL::buildSub):
        (JSC::FTL::buildMul):
        (JSC::FTL::buildDiv):
        (JSC::FTL::buildRem):
        (JSC::FTL::buildNeg):
        (JSC::FTL::buildFAdd):
        (JSC::FTL::buildFSub):
        (JSC::FTL::buildFMul):
        (JSC::FTL::buildFDiv):
        (JSC::FTL::buildFRem):
        (JSC::FTL::buildFNeg):
        (JSC::FTL::buildAnd):
        (JSC::FTL::buildOr):
        (JSC::FTL::buildXor):
        (JSC::FTL::buildShl):
        (JSC::FTL::buildAShr):
        (JSC::FTL::buildLShr):
        (JSC::FTL::buildNot):
        (JSC::FTL::buildLoad):
        (JSC::FTL::buildStore):
        (JSC::FTL::buildSExt):
        (JSC::FTL::buildZExt):
        (JSC::FTL::buildFPToSI):
        (JSC::FTL::buildFPToUI):
        (JSC::FTL::buildSIToFP):
        (JSC::FTL::buildUIToFP):
        (JSC::FTL::buildIntCast):
        (JSC::FTL::buildFPCast):
        (JSC::FTL::buildIntToPtr):
        (JSC::FTL::buildPtrToInt):
        (JSC::FTL::buildBitCast):
        (JSC::FTL::buildICmp):
        (JSC::FTL::buildFCmp):
        (JSC::FTL::buildCall):
        (JSC::FTL::setTailCall):
        (JSC::FTL::buildExtractValue):
        (JSC::FTL::buildSelect):
        (JSC::FTL::buildBr):
        (JSC::FTL::buildCondBr):
        (JSC::FTL::buildSwitch):
        (JSC::FTL::addCase):
        (JSC::FTL::buildRet):
        (JSC::FTL::buildUnreachable):
        (JSC::FTL::dumpModule):
        (JSC::FTL::verifyModule):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLJITCode.h:
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.cpp:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::Output):
        (JSC::FTL::Output::~Output):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::appendTo):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        (JSC::FTL::State::~State):
        * ftl/WebKitLLVMLibraryAnchor.cpp: Removed.
        * jsc.cpp:
        (jscmain):
        * llvm: Added.
        * llvm/InitializeLLVM.cpp: Added.
        (JSC::initializeLLVM):
        * llvm/InitializeLLVM.h: Added.
        * llvm/InitializeLLVMMac.mm: Added.
        (JSC::initializeLLVMImpl):
        * llvm/InitializeLLVMPOSIX.cpp: Added.
        (JSC::initializeLLVMPOSIX):
        * llvm/InitializeLLVMPOSIX.h: Added.
        * llvm/LLVMAPI.cpp: Added.
        * llvm/LLVMAPI.h: Added.
        * llvm/LLVMAPIFunctions.h: Added.
        * llvm/LLVMHeaders.h: Added.
        * llvm/library: Added.
        * llvm/library/LLVMAnchor.cpp: Added.
        * llvm/library/LLVMExports.cpp: Added.
        (initializeAndGetJSCLLVMAPI):
        * llvm/library/LLVMOverrides.cpp: Added.
        (__cxa_atexit):
        * llvm/library/config_llvm.h: Added.
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/Options.h:

2013-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        currentThis and currentArguments crash if called from outside a callback
        https://bugs.webkit.org/show_bug.cgi?id=122620

        Reviewed by Filip Pizlo.

        The documentation for these methods claims that they will return nil if called 
        from somewhere other than an API callback, but currently they both crash.

        * API/JSContext.mm:
        (+[JSContext currentThis]):
        (+[JSContext currentArguments]):
        * API/tests/testapi.mm:

2013-10-10  Filip Pizlo  <fpizlo@apple.com>

        Minor clean-ups in the JSC Xcode project.

        Rubber stamped by Mark Rowe.
        
        - When we copy the jsc binary into the framework,
          $(BUILT_PRODUCTS_DIR)/JavaScriptCore.framework/Resources/jsc is the *output* file not
          the input file. The input file is $(BUILT_PRODUCTS_DIR)/jsc.
        
        - Correct capitalization of "JavaScriptcore.framework" in a comment in a shell script in
          the project.
        
        Roll back in after confirming that Mark's fixes make this work right.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        CallbackData unnecessarily caches the JSValue for currentThis
        https://bugs.webkit.org/show_bug.cgi?id=122616

        Reviewed by Oliver Hunt.

        CallbackData implements its own version of caching the JSValue* for the JSValueRef it stores. 
        +[JSValue valueWithJSValueRef:inContext:] already does caching, thus obviating the need for 
        CallbackData to do its own caching.

        * API/JSContext.mm:
        (+[JSContext currentThis]):
        (-[JSContext beginCallbackWithData:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
        * API/JSContextInternal.h:

2013-10-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out r157193. It broke some builds.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-10-10  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/13341666> WebKit should always build against an SDK.

        Have all projects default to building against the OS X Internal SDK for the Production
        configuration. For the Debug and Release configurations, look for UseInternalSDK.xcconfig
        to determine whether the OS X Internal SDK should be used. If not, use the normal OS X SDK.

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:

2013-10-10  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/13871507> JavaScriptCore fails to build with C++ 98 conformance changes

        Reviewed by Andreas Kling.

        * heap/VTableSpectrum.cpp:
        (JSC::VTableSpectrum::dump): strrchr returns a const char* when passed one.
        Update the type of the local variable to accommodate that.

2013-10-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: blocks aren't callable via 'new'
        https://bugs.webkit.org/show_bug.cgi?id=122561

        Reviewed by Oliver Hunt.

        Currently the only way for clients to vend new native objects to JavaScript code 
        is via factory methods in the form of exported class methods or blocks. Blocks can 
        be called like normal functions from JavaScript code, but they cannot be invoked 
        with 'new'. This would give a simple way for clients to expose constructor-like 
        behavior to their JavaScript code.

        This patch adds the ability for blocks to be invoked as if they were a constructor.
        Blocks invoked as constructors are required to return an object. If the block doesn't
        return an object then an error is thrown. The 'this' object is not provided to the 
        block and must be created within the block itself. 

        This patch also unifies the native 'construct' callback used in both the C and Obj-C
        APIs under the APICallbackFunction struct, similar to how we unified the 'call' callback
        between ObjCCallbackFunction and JSCallbackFunction before.

        This patch also adds tests to make sure that different blocks generate objects that
        correctly behave when queried with instanceof. It also makes sure that the correct 
        JS exception is thrown when a block fails to return an object.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::getConstructData):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::constructCallback):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::functionCallback):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::functionCallback):
        (JSC::ObjCCallbackFunction::constructCallback):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsConstructor):
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::create):
        (JSC::ObjCCallbackFunction::getConstructData):
        * API/tests/testapi.mm:

2013-10-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to do simple OSR exits using llvm.webkit.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=122538

        Reviewed by Oliver Hunt.
        
        This gives the FTL the ability to OSR exit using the llvm.webkit.stackmap intrinsic.
        
        - The FTL compiles all OSR exit calls as calls to llvm.webkit.stackmap with a unique
          ID, passing a requested size that is big enough for own jump replacement.
        
        - After LLVM compilation, we parse the new LLVM stackmap section.
        
        - For all llvm.webkit.stackmaps that we used for OSR exits, we do a jumpReplacement,
          which targets exit thunks that we generate.
        
        - If an exit thunk fires, it causes JSC to compile an exit off-ramp that uses a
          combination of the JSC-internal OSR exit accounting (FTL::ExitValue and friends) and
          LLVM stackmap's accounting of where data actually ended up (register, indirect,
          constant) to reconstruct bytecode state.
        
        This still has shortcomings; for example it cannot handle XMM or YMM registers. Handling
        YMM registers will require adding some basic YMM support to our assemblers - really we
        just need the ability to move a YMM's value into a GPR.
        
        This patch preserves all of the old, intrinsic-less, FTL OSR exit support. Hence it
        manages to pass all existing FTL tests even despite its incompleteness. I think that's
        the right way to go since this is already a big patch, and anyway it would be great to
        keep the intrinsic-less FTL OSR exit support so long as the LLVM side of this hasn't
        landed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::firstRegister):
        (JSC::AbstractMacroAssembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isStackRelated):
        (JSC::MacroAssembler::firstRealRegister):
        (JSC::MacroAssembler::nextRegister):
        (JSC::MacroAssembler::secondRealRegister):
        * assembler/MacroAssemblerX86Common.h:
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::firstRegister):
        (JSC::X86Assembler::lastRegister):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLCArgumentGetter.cpp:
        (JSC::FTL::CArgumentGetter::loadNextAndBox):
        * ftl/FTLCArgumentGetter.h:
        (JSC::FTL::CArgumentGetter::loadNextDoubleIntoGPR):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):
        (JSC::FTL::dumpDataSection):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        (JSC::FTL::ExitThunkGenerator::emitThunks):
        * ftl/FTLExitThunkGenerator.h:
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::isInJSStackSomehow):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJITCode.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::generateExitThunks):
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStubWithOSRExitStackmap):
        (JSC::FTL::compileStubWithoutOSRExitStackmap):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLSaveRestore.cpp: Added.
        (JSC::FTL::bytesForGPRs):
        (JSC::FTL::requiredScratchMemorySizeInBytes):
        (JSC::FTL::offsetOfGPR):
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSaveRestore.h: Added.
        * ftl/FTLStackMaps.cpp: Added.
        (JSC::FTL::readObject):
        (JSC::FTL::StackMaps::Constant::parse):
        (JSC::FTL::StackMaps::Constant::dump):
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        (JSC::FTL::StackMaps::Location::involvesGPR):
        (JSC::FTL::StackMaps::Location::isGPR):
        (JSC::FTL::StackMaps::Location::gpr):
        (JSC::FTL::StackMaps::Location::restoreInto):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::Record::dump):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        (JSC::FTL::StackMaps::getRecordMap):
        (WTF::printInternal):
        * ftl/FTLStackMaps.h: Added.
        * ftl/FTLState.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        * ftl/FTLValueFormat.h:
        * runtime/DataView.cpp:
        (JSC::DataView::create):
        * runtime/DataView.h:
        (JSC::DataView::read):
        * runtime/Options.h:

2013-10-09  Filip Pizlo  <fpizlo@apple.com>

        Minor clean-ups in the JSC Xcode project.

        Rubber stamped by Mark Rowe.
        
        - When we copy the jsc binary into the framework,
          $(BUILT_PRODUCTS_DIR)/JavaScriptCore.framework/Resources/jsc is the *output* file not
          the input file. The input file is $(BUILT_PRODUCTS_DIR)/jsc.
        
        - Correct capitalization of "JavaScriptcore.framework" in a comment in a shell script in
          the project.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-10-09  Julien Brianceau  <jbriance@cisco.com>

        [arm] Inverted src and dest FP registers in DFG speculative JIT when using hardfp.
        https://bugs.webkit.org/show_bug.cgi?id=122555

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):

2013-10-08  Michael Saboff  <msaboff@apple.com>

        Transition call and construct JITStubs to CCallHelper functions
        https://bugs.webkit.org/show_bug.cgi?id=122453

        Reviewed by Geoffrey Garen.

        Transitioned cti_op_call_eval to operationCallEval.  Migrated baseline JIT to use the same 
        call thunks as the DFG.  Eliminated all of the "oldStyle" thunks and related functions.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        (JSC::JIT::linkSlowCall):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITInlines.h:
        (JSC::JIT::callOperationWithCallFrameRollbackOnException):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/ThunkGenerators.cpp:
        * jit/ThunkGenerators.h:

2013-10-09  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix lots of unused parameter warnings.
        https://bugs.webkit.org/show_bug.cgi?id=122545

        Reviewed by Csaba Osztrogonác.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::andlImm8r):
        (JSC::SH4Assembler::orlImm8r):
        (JSC::SH4Assembler::xorlImm8r):
        (JSC::SH4Assembler::cmpEqImmR0):
        (JSC::SH4Assembler::testlImm8r):
        (JSC::SH4Assembler::movwPCReg):
        (JSC::SH4Assembler::movwMemReg):
        (JSC::SH4Assembler::movbMemReg):
        (JSC::SH4Assembler::printInstr):
        (JSC::SH4Assembler::printBlockInstr):

2013-10-09  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add sh4 support when building with CMake.
        https://bugs.webkit.org/show_bug.cgi?id=122542

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2013-10-08  Oliver Hunt  <oliver@apple.com>

        Convert for-of iteration to in-band signalling so we can trivially avoid unnecessary object allocation
        https://bugs.webkit.org/show_bug.cgi?id=122532

        Reviewed by Michael Saboff.

        Switch for-of enumeration to use in band signalling to determine the end
        of iteration.  This allows us to trivially remove an otherwise unnecessary
        object allocation, and paves the way for optimised thunks in future.

        We can re-add explicit .next() functions in future that would marshall
        the true iteration functions, but for now we'll ignore them.

        This results in a huge improvement in the performance of for-of (in the order
        of 2x) but there's still a long way to go in order to get the performance to
        a satisfactory level.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForOfNode::emitBytecode):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::createIteratorResult):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Identifier.cpp:
        (JSC::Identifier::addSlowCase):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::create):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-10-08  Alex Christensen  <achristensen@webkit.org>

        Fixed compile errors while compiling without the JIT enabled.
        https://bugs.webkit.org/show_bug.cgi?id=122530

        Reviewed by Brent Fulgham.

        * jit/JITOperations.cpp:
        Protected with #if ENABLE(JIT) like the rest of the JIT source.

2013-10-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSManagedValue should be able to store non-object JSValues
        https://bugs.webkit.org/show_bug.cgi?id=122351

        Reviewed by Oliver Hunt.

        We decided not to support this because we thought it didn't make sense to have a 
        "weak" JSValue that wasn't an object.

        Our general thought process was if you have a JSObject-ObjC object pair (i.e. an 
        Obj-C object that you exported to JavaScript-land), it makes more sense to store 
        a non-object JSValue on the JavaScript-land version of the object rather than as 
        an ivar in the Objective-C object.

        In retrospect, this may not have been a good decision at least w.r.t. consistency 
        in client code. If you're storing a bag of JSValues off an Obj-C object, you'd 
        like to store all of them either in ObjC-land or JavaScript-land, but doing some 
        in one and some in the other doesn't sound too good. Also, what if the object you 
        want to hang these values off of doesn't have a corresponding object in JavaScript-
        land in which to store them?

        The solution is to fix JSManagedValue to be able to reference non-object JSValues. 
        Right now, all JSManagedValues contain a Weak<JSObject>. We'll change this so that
        they can contain either a non-cell JSValue or a JSObject*, along with a weak 
        reference to the JSGlobalObject for reconstructing a JSValue later on.

        * API/JSManagedValue.mm:
        (PrimitiveOrObject::PrimitiveOrObject):
        (PrimitiveOrObject::~PrimitiveOrObject):
        (PrimitiveOrObject::clear):
        (PrimitiveOrObject::isClear):
        (PrimitiveOrObject::isSet):
        (PrimitiveOrObject::isPrimitive):
        (PrimitiveOrObject::isObject):
        (PrimitiveOrObject::setPrimitive):
        (PrimitiveOrObject::setObject):
        (PrimitiveOrObject::object):
        (PrimitiveOrObject::primitive):
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue value]):
        (-[JSManagedValue disconnectValue]):

2013-10-08  Robert Plociennik  <r.plociennik@samsung.com>

        JavaScriptCore fails to build
        https://bugs.webkit.org/show_bug.cgi?id=122440

        Reviewed by Darin Adler.

        Compilation fails in debug due to 'comparison of unsigned expression >= 0 is
        always true'.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::positionForCallFrame): Removed the offending ASSERTS.

2013-10-07  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to JSNotAnObject constructor.
        <https://webkit.org/b/122474>

        Reviewed by Sam Weinig.

        JSNotAnObject was only using the ExecState to find the VM.

2013-10-07  Filip Pizlo  <fpizlo@apple.com>

        FTL memory allocator should be able to allocate data sections in non-executable memory
        https://bugs.webkit.org/show_bug.cgi?id=116189

        Reviewed by Sam Weinig.
        
        Use a RefCountedArray<int64_t> for data sections. This works out great because
        RefCountedArray<> knows its own size and because the reference counting makes passing
        it around very easy (you don't have to stress out about ownership).

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        (JSC::FTL::compile):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::addDataSection):
        * ftl/FTLJITCode.h:
        (JSC::FTL::JITCode::dataSections):

2013-10-07  Roger Fong  <roger_fong@apple.com>

        Modify JavascriptCore makefile for x64 build.
        https://bugs.webkit.org/show_bug.cgi?id=122467.
        <rdar://problem/15169174>.

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-10-07  Nadav Rotem  <nrotem@apple.com>

        FTL: Optimize IsString(@2<String>) -> JSConst(true) + Phantom()
        https://bugs.webkit.org/show_bug.cgi?id=122363

        Reviewed by Filip Pizlo.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-10-04  Michael Saboff  <msaboff@apple.com>

        Transition stack check JITStubs to CCallHelper functions
        https://bugs.webkit.org/show_bug.cgi?id=122289

        Reviewed by Filip Pizlo.

        Replaced jit stubs cti_stack_check, cti_op_call_arityCheck and cti_op_construct_arityCheck with
        jit operations operationStackCheck, operationCallArityCheck & operationConstructArityCheck.
        Added new callOperationWithCallFrameRollbackOnException() in baseline and DFG JITs to call
        these new functions.  Added code to unwind one frame in JIT::privateCompileExceptionHandlers() 
        and JITCompiler::compileExceptionHandlers() for these cases that need to throw exceptions in
        their caller frame when the stack is exhausted.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::andPtr): Added to handle masking a pointer with a literal.
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::and64): Added to handle masking a pointer with a literal.
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::linkFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::hostCallFrameFlag):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsNull):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::jitAssertIsNull):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        (JSC::JIT::exceptionCheckWithCallFrameRollback):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithCallFrameRollbackOnException):
        (JSC::JIT::callOperationWithCallFrameRollbackOnException):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-07  Filip Pizlo  <fpizlo@apple.com>

        ASSERTION FAILED: isUInt32() in jsc-layout-tests.yaml/js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js.layout-dfg-eager-no-cjit
        https://bugs.webkit.org/show_bug.cgi?id=122419

        Reviewed by Oliver Hunt.
        
        AI was using JSValue::asUInt32() incorrectly. That method presumes that the input is
        both a int32 and a uint32 (it's in the range [0, 2^31)). The UInt32ToNumber node is
        instead dealing with an input that is always represented as a int32 but that has the
        meaning of a uint32 - so AI should use JSValue::asInt32() and then do the cast.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-10-07  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Jump over maxJumpReplacementSize in revertJumpToMove.
        https://bugs.webkit.org/show_bug.cgi?id=120007

        Reviewed by Oliver Hunt.

        Jump over maxJumpReplacementSize in revertJumpToMove, even if there is no constant
        value within the area. This patch fixes debug ASSERTs failures for sh4 architecture.

        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::revertJumpToMove):

2013-10-06  Anders Carlsson  <andersca@apple.com>

        Add OVERRIDE and virtual where appropriate
        https://bugs.webkit.org/show_bug.cgi?id=122439

        Reviewed by Antti Koivisto.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::~JSCallbackObjectData):
        * API/JSManagedValue.mm:
        * API/JSScriptRef.cpp:
        (OpaqueJSScript::~OpaqueJSScript):
        * bytecode/CodeBlock.h:
        * bytecode/StructureStubClearingWatchpoint.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        * heap/Heap.h:
        * heap/IncrementalSweeper.h:
        * heap/SuperRegion.h:
        * jit/ClosureCallStubRoutine.h:
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        * jit/GCAwareJITStubRoutine.h:
        * jit/JITCode.h:
        * jit/JITStubs.cpp:
        * jit/JITToDFGDeferredCompilationCallback.h:
        * jit/JumpReplacementWatchpoint.h:
        * parser/Nodes.h:
        * runtime/DataView.h:
        * runtime/GCActivityCallback.h:
        * runtime/GenericTypedArrayView.h:
        * runtime/RegExpCache.h:
        * runtime/SimpleTypedArrayController.h:
        * runtime/WeakMapData.h:

2013-10-07  Filip Pizlo  <fpizlo@apple.com>

        Trap 5 (most likely int $3) in jsc-layout-tests.yaml/js/script-tests/integer-division-neg2tothe32-by-neg1.js.layout-dfg-eager-no-cjit
        https://bugs.webkit.org/show_bug.cgi?id=122420

        Reviewed by Michael Saboff.
        
        For the (-2^31/-1)|0 case, we were returning the left operand (i.e. -2^31) but we were
        failing to account for the possibility that this operand has high-bit garbage and
        int32Result() requires that the high bits are zero.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):

2013-10-06  Filip Pizlo  <fpizlo@apple.com>

        ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit
        https://bugs.webkit.org/show_bug.cgi?id=122418

        Reviewed by Oliver Hunt.

        This is pretty awesome. With stack compression, Arguments created in the DFG will point
        their m_registers pointers into a different slab of stack than they would have in byte
        code.

        Hence OSR exit must repoint any Arguments objects' m_registers pointers. It previously
        neglected to do so. This patch fixes that.
        
        Fixing this unveiled another bug: the stack reversal broke the reification of inlined
        phantom arguments.
        
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Arguments.h:
        (JSC::Arguments::offsetOfNumArguments):
        (JSC::Arguments::offsetOfRegisters):
        (JSC::Arguments::offsetOfSlowArgumentData):
        (JSC::Arguments::offsetOfOverrodeLength):

2013-10-06  Filip Pizlo  <fpizlo@apple.com>

        Unified test infrastructure via the jsc shell
        https://bugs.webkit.org/show_bug.cgi?id=120696

        Reviewed by Oliver Hunt.
        
        Add a mozilla-tests.yaml list. This is autogenerated by create-mozilla-js-test-list.
        I think it's better to leave this checked in; we may even just edit it directly in
        the future. Also generating it is not cheap.
        
        Fix some low-hanging fruit bugs that I caught by introducing more test coverage.
        
        - We were not emitting labels for CFA-unreachable blocks, which caused link errors.
          It's possible for a CFA-unreachable block to be jumped to, if the thing that causes
          it to be unreachable is a speculation in a Branch or peephole compare.
        
        - The register allocation assertions didn't handle peephole branches correctly. Since
          the peephole branch handling returns early from compile(), the clearBlahbittyBlah()
          method wasn't being called.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * tests/mozilla/mozilla-tests.yaml: Added.

2013-10-05  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to StringObject constructor.
        <https://webkit.org/b/122395>

        Reviewed by Sam Weinig.

        StringObject() only uses the ExecState to find the VM.

2013-10-05  Filip Pizlo  <fpizlo@apple.com>

        Compress DFG stack layout
        https://bugs.webkit.org/show_bug.cgi?id=122024

        Reviewed by Oliver Hunt.
        
        The DFG needs to be able to store things at a known offset from frame pointer so that
        the runtime can read those things. Prior to this patch, the DFG would use the exact
        offsets that the bytecode asked for, even in the case of inlining, where it would use
        the callsite stack offset to shift all of the inlined function's variables over just as
        they would have been if a bytecode interpreter had really made the call.
        
        But this won't work once WebKit-LLVM integration is complete. LLVM has no notion of
        storing things at a fixed offset from the frame pointer. We could try to hack LLVM to do
        that, but it would seriously complicate LLVM's stack layout. But what we might be able
        to do is have LLVM tell us (via an addressof intrinsic and a side-channel) where some
        alloca landed relative to the frame pointer. Hence if the DFG can put all of its flushed
        variables in a contiguous range that can be expressed to LLVM as a struct that we
        alloca, then all of this can still work just fine.
        
        Previously the flushed variables didn't fit in a contiguous range, but this patch makes
        them contiguous by allowing the stack layout to be compressed.
        
        What this really means is that there is now a distinction between where the DFG saw a
        variable stored in bytecode and where it will actually store it in the resulting machine
        code. Henceforth when the DFG says "local" or "virtual register" it means the variable
        according to bytecode (with the stack offsetting for inlined code as before), but when
        it says "machine local" or "machine virtual register" it means the actual place where it
        will store things in the resulting machine code. All of the OSR exit, inlined arguments,
        captured variables, and various stack unwinding machine now knows about all of this.
        
        Note that the DFG's abstract interpretation still uses bytecode variables rather than
        machine variables. Same for CSE and abstract heaps. This makes sense since it means that
        we don't have to decide on machine variable allocation just to do those optimizations.
        
        The decision of what a local's machine location becomes is deferred to very late in
        compilation. We only need to assign machine locations to variables that must be stored
        to the stack. It's now mandatory to run some kind of "stack layout phase" that makes the
        decision and updates all data structures.
        
        So far the way that this is being used is just to compress the DFG stack layout, which
        is something that we should have done anyway, a long time ago. And the compression isn't
        even that good - the current StackLayoutPhase just identifies local indices that are
        unused in machine code and slides all other variables towards zero. This doesn't achieve
        particularly good compression but it is better than nothing. Note that this phase makes
        it seem like the bytecode-machine mapping is based on bytecode local indices; for
        example if bytecode local 4 is mapped to machine local 3 then it always will be. That's
        true for the current StackLayoutPhase but it _will not_ be true for all possible stack
        layout phases and it would be incorrect to assume that it should be true. This is why
        the current data structures have each VariableAccessData hold its own copy of the
        machine virtual register, and also have each InlineCallFrame report their own machine
        virtual registers for the various things. The DFG backend is likely to always use the
        dumb StackLayoutPhase since it is very cheap to run, but the FTL backend is likely to
        eventually get a better one, where we do some kind of constraint-based coloring: we
        institute constraints where some VariableAccessData's must have the same indices as some
        other ones, and also must be right next to some other ones; then we process all
        VariableAccessData's and attempt to assign them machine locals while preserving those
        constraints. This could lead to two VariableAccessDatas for the same bytecode local
        ending up with different machine locals.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::isCaptured):
        (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters):
        (JSC::CodeBlock::machineSlowArguments):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasSlowArguments):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::dump):
        (JSC::InlineCallFrame::calleeForCallFrame):
        (JSC::InlineCallFrame::dumpInContext):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::InlineCallFrame):
        (JSC::InlineCallFrame::calleeConstant):
        * bytecode/Operands.h:
        (JSC::Operands::indexForOperand):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::SSAData::SSAData):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::trigger):
        * dfg/DFGDesiredWriteBarriers.h:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        (JSC::DFG::FlushLivenessAnalysisPhase::run):
        (JSC::DFG::FlushLivenessAnalysisPhase::process):
        (JSC::DFG::FlushLivenessAnalysisPhase::reportError):
        * dfg/DFGFlushedAt.cpp: Added.
        (JSC::DFG::FlushedAt::dump):
        (JSC::DFG::FlushedAt::dumpInContext):
        * dfg/DFGFlushedAt.h: Added.
        (JSC::DFG::FlushedAt::FlushedAt):
        (JSC::DFG::FlushedAt::operator!):
        (JSC::DFG::FlushedAt::format):
        (JSC::DFG::FlushedAt::virtualRegister):
        (JSC::DFG::FlushedAt::operator==):
        (JSC::DFG::FlushedAt::operator!=):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::bytecodeRegisterForArgument):
        (JSC::DFG::Graph::argumentsRegisterFor):
        (JSC::DFG::Graph::machineArgumentsRegisterFor):
        (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
        (JSC::DFG::Graph::activationRegister):
        (JSC::DFG::Graph::uncheckedActivationRegister):
        (JSC::DFG::Graph::machineActivationRegister):
        (JSC::DFG::Graph::uncheckedMachineActivationRegister):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetLocalUnlinked):
        (JSC::DFG::Node::convertToGetLocal):
        (JSC::DFG::Node::machineLocal):
        (JSC::DFG::Node::hasUnlinkedMachineLocal):
        (JSC::DFG::Node::setUnlinkedMachineLocal):
        (JSC::DFG::Node::unlinkedMachineLocal):
        (JSC::DFG::Node::hasInlineStartData):
        (JSC::DFG::Node::inlineStartData):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        (JSC::DFG::OSREntryReshuffling::OSREntryReshuffling):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::ScoreBoard):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
        (JSC::DFG::SpeculativeJIT::callFrameSlot):
        (JSC::DFG::SpeculativeJIT::argumentSlot):
        (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::argumentTagSlot):
        (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
        (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters):
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::recordSetLocal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp: Added.
        (JSC::DFG::StackLayoutPhase::StackLayoutPhase):
        (JSC::DFG::StackLayoutPhase::run):
        (JSC::DFG::performStackLayout):
        * dfg/DFGStackLayoutPhase.h: Added.
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::machineLocal):
        (JSC::DFG::VariableAccessData::flushedAt):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::inJSStack):
        (JSC::FTL::ExitValue::inJSStackAsInt32):
        (JSC::FTL::ExitValue::inJSStackAsInt52):
        (JSC::FTL::ExitValue::inJSStackAsDouble):
        (JSC::FTL::ExitValue::virtualRegister):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLValueSource.cpp:
        (JSC::FTL::ValueSource::dump):
        * ftl/FTLValueSource.h:
        (JSC::FTL::ValueSource::ValueSource):
        (JSC::FTL::ValueSource::kind):
        (JSC::FTL::ValueSource::operator!):
        (JSC::FTL::ValueSource::node):
        (JSC::FTL::ValueSource::virtualRegister):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readInlinedFrame):
        (JSC::StackVisitor::Frame::createArguments):
        (JSC::StackVisitor::Frame::existingArguments):
        * interpreter/StackVisitor.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::addressFor):
        (JSC::AssemblyHelpers::tagFor):
        (JSC::AssemblyHelpers::payloadFor):
        (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:
        (JSC::Arguments::allocateSlowArguments):
        (JSC::Arguments::tryDeleteArgument):
        (JSC::Arguments::isDeletedArgument):
        (JSC::Arguments::isArgument):
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        (JSC::JSActivation::JSActivation):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::operator()):

2013-10-05  Anders Carlsson  <andersca@apple.com>

        Remove createOwned
        https://bugs.webkit.org/show_bug.cgi?id=122388

        Reviewed by Darin Adler.

        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::save):

2013-10-05  Darin Adler  <darin@apple.com>

        Cut down on use of String::number
        https://bugs.webkit.org/show_bug.cgi?id=122382

        Reviewed by Anders Carlsson.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject::putByIndex): Use Identifier::from instead of calling
        String::number and creating an identifier from that. Can save creating and then
        destroying a string if an identifier already exists.
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex): Ditto.
        (JSC::Arguments::getOwnPropertyNames): Ditto.
        (JSC::Arguments::putByIndex): Ditto.
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::getOwnPropertyNames): Ditto.
        * runtime/StringObject.cpp:
        (JSC::StringObject::getOwnPropertyNames): Ditto.

2013-10-04  Mark Lam  <mark.lam@apple.com>

        Change ScriptDebugServer to use DebuggerCallFrame instead of JavaScriptCallFrame.
        https://bugs.webkit.org/show_bug.cgi?id=121969.

        Reviewed by Geoffrey Garen.

        1. Make JavaScriptCallFrame a thin shell around the DebuggerCallFrame.
           DebuggerCallFrame now tracks whether it is valid instead of needing
           JavaScriptCallFrame do it.
        2. ScriptDebugServer now only instantiates an DebuggerCallFrame when needed
           just before it pauses and calls back to its client, and then invalidates
           it immediately when the callback returns. Every subsequent callback to
           the client will use a new instance of the DebuggerCallFrame.
        3. Similarly, ScriptDebugServer now only creates a JavaScriptCallFrame when
           it "pauses".
        4. DebuggerCallFrame only creates its caller DebuggerCallFrame when
           it is needed i.e. when the client calls callerFrame(). Similarly,
           JavaScriptCallFrame only creates its caller when it's requested.
        5. DebuggerCallFrame's line() and column() now returns a base-zero int.
        6. WebScriptDebugDelegate now only caches the functionName of the frame
           instead of the entire DebuggerCallFrame because that is all that is
           needed.
        7. Also removed evaluateInGlobalCallFrame() which is not used anywhere.

        * debugger/Debugger.cpp:
        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::callerFrame):
        (JSC::DebuggerCallFrame::dynamicGlobalObject):
        (JSC::DebuggerCallFrame::sourceId):
        (JSC::DebuggerCallFrame::functionName):
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::type):
        (JSC::DebuggerCallFrame::thisValue):
        (JSC::DebuggerCallFrame::evaluate):
        (JSC::DebuggerCallFrame::evaluateWithCallFrame):
        (JSC::DebuggerCallFrame::invalidate):
        (JSC::DebuggerCallFrame::positionForCallFrame):
        (JSC::DebuggerCallFrame::sourceIdForCallFrame):
        (JSC::DebuggerCallFrame::thisValueForCallFrame):
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::create):
        (JSC::DebuggerCallFrame::exec):
        (JSC::DebuggerCallFrame::line):
        (JSC::DebuggerCallFrame::column):
        (JSC::DebuggerCallFrame::position):
        (JSC::DebuggerCallFrame::isValid):
        * interpreter/StackVisitor.cpp:

2013-10-04  Brent Fulgham  <bfulgham@apple.com>

        Silence compiler warning when building 64-bit (on Windows)

        Reviewed by Geoffrey Garen.

        * jit/JSInterfaceJIT.h: Add a static cast for assignment.

2013-10-04  Nadav Rotem  <nrotem@apple.com>

        FTL: Add support for ValueToInt32(bool(x))
        https://bugs.webkit.org/show_bug.cgi?id=122346

        Reviewed by Geoffrey Garen.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):

2013-10-04  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * runtime/JSArrayIterator.cpp:

2013-10-04  Oliver Hunt  <oliver@apple.com>

        Support for-of syntax
        https://bugs.webkit.org/show_bug.cgi?id=122339

        Reviewed by Geoffrey Garen.

        Add support for for-of syntax to JSC.  As part of doing this I had to make
        us support unique empty strings as identifiers.  In a follow on patch i'm
        going to remove the distinction entirely as it's purely a complicating
        separation.

        Otherwise the logic here is fairly self-explanatory.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addConstant):
        (JSC::BytecodeGenerator::emitCall):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::ForOfNode::emitBytecode):
        * jit/JITOperations.cpp:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createForOfLoop):
        * parser/NodeConstructors.h:
        (JSC::EnumerationNode::EnumerationNode):
        (JSC::ForInNode::ForInNode):
        (JSC::ForOfNode::ForOfNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseVarDeclarationList):
        (JSC::::parseForStatement):
        * parser/Parser.h:
        (JSC::Parser::isofToken):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createForOfLoop):
        * runtime/ArrayIteratorPrototype.cpp:
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::arrayIteratorPrototypeIterate):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::create):
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::CommonIdentifiers):
        * runtime/CommonIdentifiers.h:
        * runtime/Identifier.h:
        (JSC::Identifier::from):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNativeFunction):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):

2013-10-04  Michael Saboff  <msaboff@apple.com>

        FTL::OSRExit::convertToForward() shouldn't misuse Operands<>::operator[]
        https://bugs.webkit.org/show_bug.cgi?id=122336

        Reviewed by Geoffrey Garen.

        Changed code in change set r156900 to use the operand() accessor instead of operator[].

        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::convertToForward):

2013-10-04  Michael Saboff  <msaboff@apple.com>

        FTL: Crash in OSRExit::convertToForward() using VirtualRegister.offset() as array index
        https://bugs.webkit.org/show_bug.cgi?id=122332

        Reviewed by Oliver Hunt.

        Changed the uses of .offset(), which returns a negative number for locals, to be
        toLocal() which returns a local's ordinal number.

        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::convertToForward):

2013-10-04  Michael Saboff  <msaboff@apple.com>

        Add callOperation to Baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=122306

        Reviewed by Geoffrey Garen.

        Created baseline JIT compatible versions for a few flavors of callOperation().
        Migrated cti_op_new_regexp() and its caller to callOperation(operationNewRegexp()).

        * dfg/DFGOperations.cpp: Moved operationNewRegexp() to JITOperations
        * dfg/DFGOperations.h:
        * jit/JIT.h:
        (JSC::JIT::appendCall):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheck):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_regexp):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:

2013-10-03  Mark Rowe  <mrowe@apple.com>

        REGRESSION (r156811): WebCore rebuilds from scratch when doing an incremental build

        The change in r156811 resulted in several public headers in the JavaScriptCore framework having their modification
        date touched on every build, even if their contents had not changed. This resulted in a large portion of WebCore
        needing to rebuilt after an incremental build of JavaScriptCore.

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj: Have unifdef generate its output to a temporary file. If its exit status
        indicates that the content did not change, remove the temporary file. If the content changed, moved the temporary file
        over the destination.

2013-10-03  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Clean up the
        paths for various files added outside of Visual Studio. They are all
        displayed in the root of the project, rather than the proper sub-folder.

2013-10-03  Brent Fulgham  <bfulgham@apple.com>

        [Win] Update solutions and projects to support 64-bit builds.
        https://bugs.webkit.org/show_bug.cgi?id=122225

        Reviewed by Anders Carlsson.

        Revise ordering of CPU(X86) and CPU(X86_64) tests, because MSVC always defines
        both when targeting a 64-bit build.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Add an x64 target
        for 64-bit builds.

2013-10-03  Michael Saboff  <msaboff@apple.com>

        Eliminate unused JITStub function declarations
        https://bugs.webkit.org/show_bug.cgi?id=122288

        Reviewed by Geoffrey Garen.

        Removed unused JITStub declarations.

        * jit/JITStubs.h:

2013-10-03  Sergio Correia  <sergio.correia@openbossa.org>

        [EFL] [DEBUG] JavaScriptCore fails to build
        https://bugs.webkit.org/show_bug.cgi?id=122267

        Reviewed by Michael Saboff.

        Build fails due to an expression containing comparison between signed
        and unsigned integer.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Add cast to avoid signed vs.
        unsigned comparison warning.

2013-10-03  Nadav Rotem  <nrotem@apple.com>

        DFG: ConstProp the pattern ValueToInt32(Bool(x)) -> Int32(x)
        https://bugs.webkit.org/show_bug.cgi?id=122263

        Reviewed by Geoffrey Garen.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-10-02  Dan Bernstein  <mitz@apple.com>

        REGRESSION (r156811): Objective-C JavaScriptCore API test failing on Mountain Lion bots
        https://bugs.webkit.org/show_bug.cgi?id=122260

        Reviewed by Mark Rowe.

        For the API to work, the tests need to be compiled with a newer version of the LLVM
        compiler. Until the bots are updated to that version, disable the tests on 10.8.

        * API/tests/testapi.mm:

2013-10-02  Mark Lam  <mark.lam@apple.com>

        Make LLINT exception stack unwinding consistent with the JIT.
        https://bugs.webkit.org/show_bug.cgi?id=122255.

        Reviewed by Filip Pizlo.

        Previously, the CommonSlowPaths code is expected to behave in an
        inconsistent way in terms of whether to unwind the stack when handling
        exceptions or not. For the LLINT, the slow path should unwind the stack
        before returning. For the JIT, the slow path should not unwind the stack.
        This can result in the stack being unwound twice when the exception
        being handled is a TerminationException.

        This patch fixes the LLINT's expectation so that it expects the same
        slow path behavior as the JIT does.

        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):

2013-10-02  Filip Pizlo  <fpizlo@apple.com>

        The DFG should use always DFG::Graph methods for determining where special registers are
        https://bugs.webkit.org/show_bug.cgi?id=122248

        Reviewed by Michael Saboff.
        
        This makes it possible to have the DFG use different registers than the other engines
        for things like activation and arguments.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::activationRegister):
        (JSC::DFG::Graph::uncheckedActivationRegister):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::baselineArgumentsRegisterFor):

2013-10-02  Dan Bernstein  <mitz@apple.com>

        The Objective-C API should be available in 10.8 builds
        https://bugs.webkit.org/show_bug.cgi?id=122245

        Reviewed by Mark Rowe.

        Enabled the Objective-C API when building on OS X 10.8 with the modern Objective-C runtime,
        but kept the availability attributes in API headers for 10.9 and later as they were.

        * API/JSBase.h: When JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 is defined, made
        JSC_OBJC_API_ENABLED true on 10.8 and above.
        * API/JSContext.h: When JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 is defined, marked the class
        as available on all OS X versions.
        * API/JSManagedValue.h: Ditto.
        * API/JSValue.h: Ditto.
        * API/JSVirtualMachine.h: Ditto.
        * Configurations/Base.xcconfig: Added JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 to
        GCC_PREPROCESSOR_DEFINITIONS.
        * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase to unifdef the
        above header files with JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 either defined or not based on
        the OS X version we are targeting.

2013-10-02  Michael Saboff  <msaboff@apple.com>

        Make Baseline JIT exception handling work like the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=122244

        Reviewed by Filip Pizlo.

        Added a jump list (m_exceptionChecks) to JIT as a common place for exception processing within
        generated code.  Added exceptionCheck() helpers that check for an exception which add a branch
        to the list.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        (JSC::JIT::exceptionCheck):

2013-10-02  Oliver Hunt  <oliver@apple.com>

        Fix MSVC build

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-02  Geoffrey Garen  <ggaren@apple.com>

        Optimized VM access from C++ code
        https://bugs.webkit.org/show_bug.cgi?id=122241

        Reviewed by Filip Pizlo.

        * runtime/JSScope.h:
        (JSC::JSScope::vm): Use MarkedBlock instead of Heap, since both have a
        pointer to the VM, and Heap is one extra load.

2013-10-02  Michael Saboff  <msaboff@apple.com>

        The LLInt should not use JITStackFrame
        https://bugs.webkit.org/show_bug.cgi?id=122231

        Reviewed by Filip Pizlo.

        Replaced uses of JITStackFrame::vm with code to either access the vm via the CodeBlock from
        known JavaScript call frames or via the JSScope* for host call frames.  This eliminates
        all uses of JITStackFrame from the LLInt.

        * heap/MarkedBlock.h: Made LLIntOffsetsExtractor a friend to access member offsets.
        * heap/WeakSet.h: Made LLIntOffsetsExtractor a friend to access member offsets.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Added an ASSERT for the newly added MarkedBlockMask
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-10-01  Oliver Hunt  <oliver@apple.com>

        Implement Array key, value and entries iterators
        https://bugs.webkit.org/show_bug.cgi?id=122195

        Reviewed by Filip Pizlo.

        Add implementation of ES6 Array iterators for keys(), values() and entries()

        Fairly self explanatory as we just need a simple implementation so that we can
        implement and test other features.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ArrayIteratorConstructor.cpp: Added.
        (JSC::ArrayIteratorConstructor::finishCreation):
        * runtime/ArrayIteratorConstructor.h: Added.
        (JSC::ArrayIteratorConstructor::create):
        (JSC::ArrayIteratorConstructor::createStructure):
        (JSC::ArrayIteratorConstructor::ArrayIteratorConstructor):
        * runtime/ArrayIteratorPrototype.cpp: Added.
        (JSC::ArrayIteratorPrototype::finishCreation):
        (JSC::createIteratorResult):
        (JSC::arrayIteratorPrototypeNext):
        * runtime/ArrayIteratorPrototype.h: Added.
        (JSC::ArrayIteratorPrototype::create):
        (JSC::ArrayIteratorPrototype::createStructure):
        (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncValues):
        (JSC::arrayProtoFuncEntries):
        (JSC::arrayProtoFuncKeys):
        * runtime/CommonIdentifiers.h:
        * runtime/Identifier.h:
        (JSC::Identifier::createEmptyUnique):
        * runtime/JSArrayIterator.cpp: Added.
        (JSC::JSArrayIterator::finishCreation):
        * runtime/JSArrayIterator.h: Added.
        (JSC::JSArrayIterator::createStructure):
        (JSC::JSArrayIterator::create):
        (JSC::JSArrayIterator::iterationKind):
        (JSC::JSArrayIterator::iteratedObject):
        (JSC::JSArrayIterator::nextIndex):
        (JSC::JSArrayIterator::setNextIndex):
        (JSC::JSArrayIterator::finish):
        (JSC::JSArrayIterator::JSArrayIterator):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::iteratorResultStructure):

2013-10-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        get_callee and to_this aren't properly cleared during finalizeUnconditionally
        https://bugs.webkit.org/show_bug.cgi?id=122224

        Reviewed by Geoffrey Garen.

        Even though there is code to clear unmarked inline cache objects in finalizeUnconditionally,
        it will never run because get_callee and to_this weren't added to the proper Vector in the 
        UnlinkedCodeBlock that is iterated during finalizeUnconditionally.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCreateThis):

2013-09-25  Oliver Hunt  <oliver@apple.com>

        Implement prefixed-destructuring assignment
        https://bugs.webkit.org/show_bug.cgi?id=121930

        Reviewed by Mark Hahnenberg.

        Relanding with fix after rollout - it helps to not completely destroy
        optimisations for no reason.

2013-10-02  Nadav Rotem  <nrotem@apple.com>

        FTL: Refactor compileArithDiv and compileArithMod into one function.
        https://bugs.webkit.org/show_bug.cgi?id=122205

        Reviewed by Filip Pizlo.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileAddSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithDivMod):

2013-10-02  Anders Carlsson  <andersca@apple.com>

        Get rid of Qt code from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=122223

        Reviewed by Oliver Hunt.

        * API/JSStringRefQt.cpp: Removed.
        * API/JSStringRefQt.h: Removed.
        * API/OpaqueJSString.h:
        * DerivedSources.pri: Removed.
        * JavaScriptCore.pri: Removed.
        * JavaScriptCore.pro: Removed.
        * LLIntOffsetsExtractor.pro: Removed.
        * Target.pri: Removed.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::urshift32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::shouldBlindForSpecificArch):
        * assembler/MacroAssemblerX86Common.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerEvent):
        * heap/HeapTimer.h:
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::scheduleTimer):
        * heap/IncrementalSweeper.h:
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSub32Constant):
        * jsc.cpp:
        (main):
        * jsc.pro: Removed.
        * runtime/DateConstructor.cpp:
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
        (JSC::DefaultGCActivityCallback::cancelTimer):
        * runtime/GCActivityCallback.h:
        * testRegExp.cpp:
        (main):
        * yarr/yarr.pri: Removed.

2013-10-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use the new version of LLVM MCJIT memory manager APIs that take a SectionName
        https://bugs.webkit.org/show_bug.cgi?id=122193

        Reviewed by Geoffrey Garen.
        
        Update our usage of the LLVM C API since the API is about to change.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (JSC::FTL::mmAllocateDataSection):

2013-10-01  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(156464): 50% regression on SunSpider/string-fasta
        https://bugs.webkit.org/show_bug.cgi?id=122202

        Unreviewed, roll out r156464.
        
        This is a progression on string-fasta, since it fixes the regression.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::paramString):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::FuncExprNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::addVar):
        * parser/NodeConstructors.h:
        (JSC::CommaNode::CommaNode):
        (JSC::ParameterNode::ParameterNode):
        (JSC::ForInNode::ForInNode):
        * parser/Nodes.cpp:
        (JSC::FunctionParameters::create):
        (JSC::FunctionParameters::FunctionParameters):
        (JSC::FunctionParameters::~FunctionParameters):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isDotAccessorNode):
        (JSC::CommaNode::append):
        (JSC::ParameterNode::ident):
        (JSC::FunctionParameters::at):
        (JSC::FunctionParameters::identifiers):
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseVarDeclaration):
        (JSC::::parseVarDeclarationList):
        (JSC::::parseForStatement):
        (JSC::::parseFormalParameters):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::declareParameter):
        (JSC::Parser::declareParameter):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:

2013-10-01  Filip Pizlo  <fpizlo@apple.com>

        Variable event stream (for DFG OSR exit) should be explicit about where on the stack a SetLocal put a value
        https://bugs.webkit.org/show_bug.cgi?id=122178

        Reviewed by Geoffrey Garen.
        
        Now if the DFG stores the value of a variable into the stack explicitly via a SetLocal,
        it will record where on the stack it stored the value in addition to recording where on
        the stack the bytecode would have done the SetLocal. Previously it just recorded the
        format and the bytecode variable. Recording just the bytecode variable is currently fine
        since the DFG always executes SetLocal's to the same stack location that the bytecode
        would have used. But that prevents stack compression (webkit.org/b/122024) so this patch
        allows the SetLocal to say both the bytecode variable that we're speaking of and the
        actual stack location to which the SetLocal stored the value.
        
        This had to touch a lot of code, so I took the opportunity to also resolve
        webkit.org/b/108019.

        * bytecode/Operands.h:
        (JSC::Operands::hasOperand):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::dataFormatFor):
        * dfg/DFGMinifiedID.h:
        (JSC::DFG::MinifiedID::bits):
        (JSC::DFG::MinifiedID::invalidID):
        (JSC::DFG::MinifiedID::otherInvalidID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::recordSetLocal):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::forDataFormat):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::kind):
        (JSC::DFG::ValueSource::valueRecovery):
        (JSC::DFG::ValueSource::id):
        (JSC::DFG::ValueSource::virtualRegister):
        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        (JSC::DFG::VariableEvent::dumpSpillInfo):
        * dfg/DFGVariableEvent.h:
        (JSC::DFG::VariableEvent::fillGPR):
        (JSC::DFG::VariableEvent::fillPair):
        (JSC::DFG::VariableEvent::fillFPR):
        (JSC::DFG::VariableEvent::spill):
        (JSC::DFG::VariableEvent::death):
        (JSC::DFG::VariableEvent::setLocal):
        (JSC::DFG::VariableEvent::movHint):
        (JSC::DFG::VariableEvent::id):
        (JSC::DFG::VariableEvent::gpr):
        (JSC::DFG::VariableEvent::tagGPR):
        (JSC::DFG::VariableEvent::payloadGPR):
        (JSC::DFG::VariableEvent::fpr):
        (JSC::DFG::VariableEvent::spillRegister):
        (JSC::DFG::VariableEvent::bytecodeRegister):
        (JSC::DFG::VariableEvent::machineRegister):
        (JSC::DFG::VariableEvent::variableRepresentation):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):

2013-10-01  Nadav Rotem  <nrotem@apple.com>

        FTL: split overflow checks into non-overflow arithmetic and an additional call to the overflow intrinsic check.
        https://bugs.webkit.org/show_bug.cgi?id=122170

        Reviewed by Filip Pizlo.

        Overflow intrinsics are preventing SCEV and other LLVM analysis passes from analyzing loops. This patch changes the FTL-IR gen by splitting arithmetic calculations into two parts:
        1. Generate the arithmetic calculation (that may overflow)
        2. Generate the overflow check (that is only used by the OSR-exit logic).

        We trust LLVM (SelectionDAG) to merge these calculations into a single opcode.

        This JS function:

        function foo() {
            for (i=0; i < 10000000; i++) { }
        }

        Is now compiled into this LLVM-IR: 

        "OSR exit continuation for @24<Int32>":           ; preds = %"Block #0", %"OSR exit continuation for @24<Int32>2"
          %4 = phi i64 [ %10, %"OSR exit continuation for @24<Int32>2" ], [ -281474976710656, %"Block #0" ]
          %5 = trunc i64 %4 to i32
          %6 = add i32 %5, 1
          %7 = tail call { i32, i1 } @llvm.sadd.with.overflow.i32(i32 %5, i32 1)
          %8 = extractvalue { i32, i1 } %7, 1
          br i1 %8, label %"OSR exit failCase for @24<Int32>1", label %"OSR exit continuation for @24<Int32>2"

         And into this assembly:

        LBB0_1:                                 ## %OSR exit continuation for @24<Int32>
                                        ## =>This Inner Loop Header: Depth=1
            movl  %ecx, %esi
            incl  %esi
            jo  LBB0_4

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileAddSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):

2013-10-01  Nadav Rotem  <nrotem@apple.com>

        Consolidate multiple OSRExit calls into one.
        https://bugs.webkit.org/show_bug.cgi?id=122168

        Reviewed by Filip Pizlo.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):

2013-09-30  Filip Pizlo  <fpizlo@apple.com>

        SpeculativeJIT::m_arguments/m_variables are vestiges of a time long gone
        https://bugs.webkit.org/show_bug.cgi?id=122140

        Reviewed by Darin Adler.
        
        Just killing code.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::recordSetLocal):

2013-10-01  Daniel Bates  <dabates@apple.com>

        [iOS] JavaScriptCore fails to build with newer versions of clang
        https://bugs.webkit.org/show_bug.cgi?id=122162

        Reviewed by Darin Adler.

        * runtime/GCActivityCallback.cpp: Add !PLATFORM(IOS)-guard around constant pagingTimeOut
        as we don't compile the code that uses it on iOS.

2013-09-30  Sam Weinig  <sam@webkit.org>

        Remove support for DOMFileSystem
        https://bugs.webkit.org/show_bug.cgi?id=122137

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2013-09-30  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/15114974> Assertion failure under -[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:] if no classes conform to JSExport
        https://bugs.webkit.org/show_bug.cgi?id=122124

        Reviewed by Darin Adler.

        * API/JSWrapperMap.mm: Defined an empty class that conforms to the JSExport protocol, to
        ensure that the protocol is always registered with the runtime by the time
        getJSExportProtocol() is called.

2013-09-30  Benjamin Poulain  <benjamin@webkit.org>

        Remove the code guarded by STYLE_SCOPED
        https://bugs.webkit.org/show_bug.cgi?id=122123

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2013-09-30  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to ObjectPrototype constructor.
        <https://webkit.org/b/122116>

        Reviewed by Geoffrey Garen.

        The ObjectPrototype constructor was only using the ExecState to get
        to the VM.

2013-09-30  Andreas Kling  <akling@apple.com>

        Pass VM instead of JSGlobalObject to MathObject constructor.
        <https://webkit.org/b/122119>

        Reviewed by Geoffrey Garen.

        The MathObject constructor was only using the global object to get
        to the VM. finishCreation() still uses it to set up functions.

2013-09-30  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the AlreadyInJSStack recoveries since they are totally redundant with the DisplacedInJSStack recoveries
        https://bugs.webkit.org/show_bug.cgi?id=122065

        Reviewed by Mark Hahnenberg.
        
        This mostly just kills a bunch of code.
        
        But incidentaly while killing that code, I uncovered a bug in our FTL OSR entrypoint
        creation phase. The phase inserts a sequence of SetLocal(ExtractOSREntryLocal) nodes.
        If we hoist some type check into the local, then we might inject a conversion node
        between the ExtractOSREntryLocal and the SetLocal - for example we might put in a
        Int32ToDouble node. But currently the FixupPhase will make all conversion nodes placed
        on an edge of a SetLocal use forward exit. This then confuses the OSR exit machinery.
        When OSR exit sees a forward exit, it tries to "roll forward" execution from the exiting
        node to the first node that has a different CodeOrigin. This only works if the nodes
        after the forward exit are MovHints or other tnings that the OSR exit compiler can
        forward-execute. But here, it will see a bunch of SetLocal and ExtractOSREntryLocal
        nodes for the same bytecode index. Two possible solutions exist. We could teach the
        forward-execution logic how to deal with multiple SetLocals and ExtractOSREntryLocals.
        This would be a lot of complexity; right now it just needs to deal with exactly one
        SetLocal-like operation. The alternative is to make sure that the conversion node that
        we inject ends up exiting *backward* rather than forward.
        
        But making the conversion nodes exit backward is somewhat tricky. Before this patch,
        conversion nodes always exit forward for SetLocals and backwards otherwise. It turns out
        that the solution is to rationalize how we choose the speculation direciton for a
        conversion node. The conversion node's speculation direction should be the same as the
        speculation direction of the node for which it is doing a conversion. Since SetLocal's
        already exit forward by default, this policy preserves our previous behavior. But it
        also allows the OSR entrypoint creation phase to make its SetLocals exit backward
        instead.
        
        Of course, if the SetLocal(ExtractOSREntryLocal) sequences exit backward, then we need
        to make sure that the OSR exit machine knows that the local variables are indeed live.
        Consider that if we have:
        
            a: ExtractOSREntryLocal(loc1)
            b: SetLocal(@a, loc1)
            c: ExtractOSRentryLocal(loc2)
            d: SetLocal(@c, loc2)
        
        Without additional magic, the exit at @b will think that loc2 is dead and the OSR exit
        compiler will clobber loc2 with Undefined. So we need to make sure that we actually
        emit code like:
        
            a: ExtractOSREntryLocal(loc1)
            b: ExtractOSREntryLocal(loc2)
            c: SetLocal(@a, loc1)
            d: SetLocal(@b, loc2)
            e: SetLocal(@a, loc1)
            f: SetLocal(@b, loc2)

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeOrigin.h:
        * bytecode/ValueRecovery.cpp: Added.
        (JSC::ValueRecovery::recover):
        (JSC::ValueRecovery::dumpInContext):
        (JSC::ValueRecovery::dump):
        * bytecode/ValueRecovery.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixEdge):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::speculationDirection):
        (JSC::DFG::Node::setSpeculationDirection):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
        * interpreter/Register.h:
        (JSC::Register::unboxedStrictInt52):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:

2013-09-30  Alex Christensen  <alex.christensen@flexsim.com>

        Win64 compile fix after r1256490.
        https://bugs.webkit.org/show_bug.cgi?id=122117

        Reviewed by Michael Saboff.

        * jit/JITStubsMSVC64.asm:
        Implemented getHostCallReturnValue for Windows x86_64 processors.

2013-09-30  Andreas Kling  <akling@apple.com>

        Pass VM instead of JSGlobalObject to RegExp constructor.
        <https://webkit.org/b/122113>

        Reviewed by Darin Adler.

        RegExps don't need anything from the global object during their
        construction and only use it to get to the VM. Reduce loads by
        simply passing the VM around instead.

        JSC release binary size -= 120 bytes(!)

2013-09-30  Patrick Gansterer  <paroga@webkit.org>

        Fix compilation for COMPILER(MSVC) && !CPU(X86) after r156490.
        https://bugs.webkit.org/show_bug.cgi?id=122102

        Reviewed by Geoffrey Garen.

        _AddressOfReturnAddress() is supported for all platforms of
        ths Microsoft compiler, so we can use it for !CPU(X86) too.

        * jit/JITOperationWrappers.h:

2013-09-30  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed. Build fix for DEBUG_VERBOSE mode after r156511.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):

2013-09-30  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed. Speculative build fix on ARMv7 Thumb2 after r156490.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::fmodAsDFGOperation):

2013-09-29  Nadav Rotem  <nrotem@apple.com>

        FTL: refactor compileAdd and compileArithSub into one function.
        https://bugs.webkit.org/show_bug.cgi?id=122081

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileAddSub):

2013-09-29  Andreas Kling  <akling@apple.com>

        Pass VM instead of JSGlobalObject to function constructors.
        <https://webkit.org/b/122082>

        Reviewed by Darin Adler.

        Functions don't need anything from the global object during their
        construction and only use it to get to the VM. Reduce loads by
        simply passing the VM around instead.

        This patch is mostly mechanical, I just changed the signature of
        InternalFunction and worked my way from there until it built.

        JSC release binary size -= 4840 bytes.

2013-09-29  Andreas Kling  <akling@apple.com>

        Pass VM instead of JSGlobalObject to ArrayPrototype constructor.
        <https://webkit.org/b/122079>

        Reviewed by Geoffrey Garen.

        ArrayPrototype doesn't need the global object for anything during
        construction, so reduce the amount of loads by just passing the VM.

2013-09-29  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to simple builtin constructors.
        <https://webkit.org/b/122077>

        Reviewed by Sam Weinig.

        None of the simple builtins need the ExecState for anything during
        their construction, so reduce the amount of loads by just passing
        the VM around instead.

2013-09-29  Nadav Rotem  <nrotem@apple.com>

        Refactor code for finding x86 scratch register.
        https://bugs.webkit.org/show_bug.cgi?id=122072

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::getUnusedRegister):
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::store16):

2013-09-28  Mark Rowe  <mrowe@apple.com>

        Take Xcode's advice and enable some extra warnings.

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-09-28  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to JSFunction constructors.
        <https://webkit.org/b/122014>

        Reviewed by Geoffrey Garen.

        JSFunction doesn't need the ExecState for anything during its
        construction, so reduce the amount of loads by just passing the
        VM around instead.

        Factored out putDirectNonIndexAccessor() from the existing
        putDirectAccessor() to avoid snowballing the patch (and because
        it's kinda neat to avoid the extra branch.)

        JSC release binary size -= 9680 bytes.

2013-09-28  Mark Rowe  <mrowe@apple.com>

        JavaScriptCore fails to build with newer versions of clang.

        Reviewed by Sam Weinig.

        * interpreter/Interpreter.cpp: Remove an unused function.
        * parser/SourceProvider.cpp: Ditto.
        * runtime/GCActivityCallback.cpp: #if a constant that's only used on non-CF platforms.
        * runtime/JSCJSValue.cpp: Remove an unused constant.
        * runtime/JSString.cpp: Ditto.

2013-09-27  Filip Pizlo  <fpizlo@apple.com>

        Get rid of SetMyScope/SetCallee; use normal variables for the scope and callee of inlined call frames of closures
        https://bugs.webkit.org/show_bug.cgi?id=122047

        Reviewed by Oliver Hunt.
        
        Currently we have the DFG reserve space for inline call frames at exactly the same stack
        offsets that you would have gotten if the baseline interpreter/JIT had made the calls.
        We need to get rid of that. One of the weirder parts of this is that we have special DFG
        operations for accessing these inlined call frame headers. It's really hard for any
        analysis of DFG IR to see what the liveness of any of those frame header "variables" is;
        the liveness behaves like flushed arguments (it's all live until end of the inlinee) but
        we don't have anything like a Flush node for those special variables.
        
        This patch gets rid of the special operations for accessing inline call frame headers.
        GetMyScope and GetCallee still remain, and are only for accessing the machine call
        frame's scope/callee entries. The inline call frame's scope/callee now behave like
        normal variables, and have Flush behavior just like inline arguments.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::getScope):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-09-27  Filip Pizlo  <fpizlo@apple.com>

        Deoptimize 32-bit deoptimization
        https://bugs.webkit.org/show_bug.cgi?id=122025

        Reviewed by Oliver Hunt.
        
        Just simplifying a bunch of code. I don't want the old, super-complicated,
        deoptimization code to get in the way of changes I'll be making to DFG stack layout.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::inGPR):
        (JSC::ValueRecovery::isInRegisters):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2013-09-27  Alex Christensen  <alex.christensen@flexsim.com>

        Fixed Win64 build after r156184.
        https://bugs.webkit.org/show_bug.cgi?id=121994

        Reviewed by Oliver Hunt.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupTwoStubArgsGPR):
        (JSC::CCallHelpers::setupTwoStubArgsFPR):
        Renamed from setupTwoStubArgs.
        Visual Studio x64 compiler fails to see that this is an overloaded template function.
        (JSC::CCallHelpers::setupStubArguments):
        (JSC::CCallHelpers::setupArguments):
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        Use setupTwoStubArgsGPR or setupTwoStubArgsFPR instead of setupTwoStubArgs.

2013-09-27  Gabor Rapcsanyi  <rgabor@webkit.org>

        LLInt alignment problem on ARM in debug mode
        https://bugs.webkit.org/show_bug.cgi?id=122012

        Reviewed by Michael Saboff.

        Force GCC to put the LLInt code to .text section.

        * llint/LowLevelInterpreter.cpp:

2013-09-06  Jer Noble  <jer.noble@apple.com>

        [Mac] Implement the media controls in JavaScript.
        https://bugs.webkit.org/show_bug.cgi?id=120895

        Reviewed by Dean Jackson.

        Define and turn on ENABLE_MEDIA_CONTROLS_SCRIPT.

        * Configurations/FeatureDefines.xcconfig:

2013-09-27  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to JSDateMath functions.
        <https://webkit.org/b/121997>

        Reviewed by Geoffrey Garen.

        The JSC date math functions only need the VM, so pass that from
        callers instead of the whole ExecState.

2013-09-26  Andreas Kling  <akling@apple.com>

        GetterSetter construction should take a VM instead of ExecState.
        <https://webkit.org/b/121993>

        Reviewed by Sam Weinig.

        Pass VM& instead of ExecState* to GetterSetter. Updated surrounding
        code at touched sites to cache VM in a local for fewer loads.

        JSC release binary size -= 4120 bytes.

2013-09-26  Oliver Hunt  <oliver@apple.com>

        Make GCC happy

        * parser/Parser.h:

2013-09-25  Oliver Hunt  <oliver@apple.com>

        Implement prefixed-destructuring assignment
        https://bugs.webkit.org/show_bug.cgi?id=121930

        Reviewed by Mark Hahnenberg.

        Relanding with fix after rollout

2013-09-26  Michael Saboff  <msaboff@apple.com>

        VirtualRegister should be a class
        https://bugs.webkit.org/show_bug.cgi?id=121732

        Reviewed by Geoffrey Garen.

        This is a refactoring change.  Changed VirtualRegister from an enum to a class.
        Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
        and the similar functions for locals to VirtualRegister class.

        This is in preparation for changing the offset for the first local register from
        0 to -1.  This is needed since most native calling conventions have the architected
        frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
        pointer.  Local values start below that address.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/Instruction.h:
        * bytecode/LazyOperandValueProfile.h:
        * bytecode/MethodOfGettingAValueProfile.cpp:
        * bytecode/Operands.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/ValueRecovery.h:
        * bytecode/VirtualRegister.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/RegisterID.h:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        * dfg/DFGArgumentPosition.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGRegisterBank.h:
        * dfg/DFGScoreBoard.h:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGValueRecoveryOverride.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * ftl/FTLExitArgumentForOperand.h:
        * ftl/FTLLink.cpp:
        * ftl/FTLLowerDFGToLLVM.cpp:
        * ftl/FTLOSREntry.cpp:
        * ftl/FTLOSRExit.cpp:
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * jit/AssemblyHelpers.h:
        * jit/JIT.h:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITInlines.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITStubs.cpp:
        * llint/LLIntSlowPaths.cpp:
        * profiler/ProfilerBytecodeSequence.cpp:
        * runtime/CommonSlowPaths.cpp:
        * runtime/JSActivation.cpp:

2013-09-26  Anders Carlsson  <andersca@apple.com>

        Work around another MSVC bug.

        * runtime/PrototypeMap.cpp:
        (JSC::PrototypeMap::emptyObjectStructureForPrototype):

2013-09-26  Anders Carlsson  <andersca@apple.com>

        Attempt to fix the FTL build.

        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::atSlow):

2013-09-26  Andreas Kling  <akling@apple.com>

        Pass VM instead of ExecState to many finishCreation() functions.
        <https://webkit.org/b/121975>

        Reviewed by Sam Weinig.

        Reduce unnecessary loads by passing the VM to object creation
        functions that don't need the ExecState.

        There are tons of opportunities in this area, I'm just scratching
        the surface.

2013-09-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r156464 and r156480.
        http://trac.webkit.org/changeset/156464
        http://trac.webkit.org/changeset/156480
        https://bugs.webkit.org/show_bug.cgi?id=121981

        Leaking too much and killing buildbot. (Requested by xenon on
        #webkit).

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::paramString):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::FuncExprNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::addVar):
        * parser/NodeConstructors.h:
        (JSC::CommaNode::CommaNode):
        (JSC::ParameterNode::ParameterNode):
        (JSC::ForInNode::ForInNode):
        * parser/Nodes.cpp:
        (JSC::FunctionParameters::create):
        (JSC::FunctionParameters::FunctionParameters):
        (JSC::FunctionParameters::~FunctionParameters):
        * parser/Nodes.h:
        (JSC::CommaNode::append):
        (JSC::ParameterNode::ident):
        (JSC::FunctionParameters::at):
        (JSC::FunctionParameters::identifiers):
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseVarDeclaration):
        (JSC::::parseVarDeclarationList):
        (JSC::::parseForStatement):
        (JSC::::parseFormalParameters):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::declareParameter):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:

2013-09-26  Anders Carlsson  <andersca@apple.com>

        Try to fix the Windows build.

        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:

2013-09-26  Anders Carlsson  <andersca@apple.com>

        Change a couple of HashMap value types from OwnPtr to std::unique_ptr
        https://bugs.webkit.org/show_bug.cgi?id=121973

        Reviewed by Andreas Kling.

        * API/JSClassRef.cpp:
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::contextData):
        * API/JSClassRef.h:
        * bytecode/SamplingTool.h:
        * ftl/FTLAbstractHeap.h:
        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        * parser/SourceProviderCache.cpp:
        (JSC::SourceProviderCache::add):
        * parser/SourceProviderCache.h:
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::create):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::executionCounterFor):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        * runtime/JSGlobalObject.h:

2013-09-26  Mark Lam  <mark.lam@apple.com>

        Move DFG inline caching logic into jit/.
        https://bugs.webkit.org/show_bug.cgi?id=121749.

        Reviewed by Geoffrey Garen.

        Relanding http://trac.webkit.org/changeset/156235 after rebasing to latest
        revision and fixing build breakages on Windows.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
        * dfg/DFGRegisterSet.h: Removed.
        * dfg/DFGRepatch.cpp: Removed.
        * dfg/DFGRepatch.h: Removed.
        * dfg/DFGScratchRegisterAllocator.h: Removed.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        * dfg/DFGThunks.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        * ftl/FTLOSRExitCompiler.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::writeBarrier):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        (JSC::JIT::linkSlowCall):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITOperationWrappers.h: Copied from Source/JavaScriptCore/jit/JITOperationWrappers.h.
        * jit/JITOperations.cpp: Copied from Source/JavaScriptCore/jit/JITOperations.cpp.
        (JSC::getHostCallReturnValueWithExecState):
        * jit/JITOperations.h: Copied from Source/JavaScriptCore/jit/JITOperations.h.
        * jit/RegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
        * jit/Repatch.cpp: Copied from Source/JavaScriptCore/jit/Repatch.cpp.
        (JSC::tryBuildGetByIDList):
        * jit/Repatch.h: Copied from Source/JavaScriptCore/jit/Repatch.h.
        * jit/ScratchRegisterAllocator.h: Copied from Source/JavaScriptCore/jit/ScratchRegisterAllocator.h.
        * jit/ThunkGenerators.cpp:
        (JSC::oldStyleGenerateSlowCaseFor):
        (JSC::oldStyleLinkForGenerator):
        (JSC::oldStyleLinkCallGenerator):
        (JSC::oldStyleLinkConstructGenerator):
        (JSC::oldStyleLinkClosureCallGenerator):
        (JSC::oldStyleVirtualForGenerator):
        (JSC::oldStyleVirtualCallGenerator):
        (JSC::oldStyleVirtualConstructGenerator):
        (JSC::emitPointerValidation):
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkForThunkGenerator):
        (JSC::linkCallThunkGenerator):
        (JSC::linkConstructThunkGenerator):
        (JSC::linkClosureCallThunkGenerator):
        (JSC::virtualForThunkGenerator):
        (JSC::virtualCallThunkGenerator):
        (JSC::virtualConstructThunkGenerator):
        * jit/ThunkGenerators.h:

2013-09-26  Anders Carlsson  <andersca@apple.com>

        Remove PassWeak.h
        https://bugs.webkit.org/show_bug.cgi?id=121971

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/PassWeak.h: Removed.
        * heap/WeakInlines.h:

2013-09-26  Anders Carlsson  <andersca@apple.com>

        Stop using PassWeak
        https://bugs.webkit.org/show_bug.cgi?id=121968

        Reviewed by Sam Weinig.

        * heap/Weak.h:
        Remove all knowledge of PassWeak.

        (JSC::Weak::Weak):
        These constructors don't need to be explicit.

        * heap/WeakInlines.h:
        (JSC::weakAdd):
        Change Value to be an rvalue reference and use std::forward.

        * jit/JITThunks.cpp:
        (JSC::JITThunks::hostFunctionStub):
        Remove PassWeak.

        * runtime/RegExpCache.cpp:
        (JSC::RegExpCache::lookupOrCreate):
        Use Weak instead of PassWeak.

        * runtime/SimpleTypedArrayController.cpp:
        Change add and set to take Weak by value and std::move into place.

        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::get):
        (JSC::WeakGCMap::set):
        (JSC::WeakGCMap::add):

2013-09-26  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r156474.
        http://trac.webkit.org/changeset/156474
        https://bugs.webkit.org/show_bug.cgi?id=121966

        Broke the builds. (Requested by xenon on #webkit).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::registerName):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::createActivation):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/CodeBlock.h:
        (JSC::unmodifiedArgumentsRegister):
        (JSC::CodeBlock::isKnownNotImmediate):
        (JSC::CodeBlock::setThisRegister):
        (JSC::CodeBlock::thisRegister):
        (JSC::CodeBlock::setArgumentsRegister):
        (JSC::CodeBlock::argumentsRegister):
        (JSC::CodeBlock::uncheckedArgumentsRegister):
        (JSC::CodeBlock::setActivationRegister):
        (JSC::CodeBlock::activationRegister):
        (JSC::CodeBlock::uncheckedActivationRegister):
        (JSC::CodeBlock::usesArguments):
        (JSC::CodeBlock::isCaptured):
        * bytecode/Instruction.h:
        * bytecode/LazyOperandValueProfile.h:
        (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
        (JSC::LazyOperandValueProfileKey::operator!):
        (JSC::LazyOperandValueProfileKey::hash):
        (JSC::LazyOperandValueProfileKey::operand):
        (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
        (JSC::LazyOperandValueProfile::LazyOperandValueProfile):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
        (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
        * bytecode/Operands.h:
        (JSC::localToOperand):
        (JSC::operandIsLocal):
        (JSC::operandToLocal):
        (JSC::operandIsArgument):
        (JSC::operandToArgument):
        (JSC::argumentToOperand):
        (JSC::Operands::operand):
        (JSC::Operands::hasOperand):
        (JSC::Operands::setOperand):
        (JSC::Operands::operandForIndex):
        (JSC::Operands::setOperandFirstTime):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::setThisRegister):
        (JSC::UnlinkedCodeBlock::setActivationRegister):
        (JSC::UnlinkedCodeBlock::setArgumentsRegister):
        (JSC::UnlinkedCodeBlock::usesArguments):
        (JSC::UnlinkedCodeBlock::argumentsRegister):
        (JSC::UnlinkedCodeBlock::usesGlobalObject):
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
        (JSC::UnlinkedCodeBlock::globalObjectRegister):
        (JSC::UnlinkedCodeBlock::thisRegister):
        (JSC::UnlinkedCodeBlock::activationRegister):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::displacedInJSStack):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dumpInContext):
        * bytecode/VirtualRegister.h:
        (WTF::printInternal):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
        (JSC::BytecodeGenerator::newRegister):
        (JSC::BytecodeGenerator::emitLoadGlobalObject):
        (JSC::BytecodeGenerator::emitGetArgumentsLength):
        (JSC::BytecodeGenerator::emitGetArgumentByVal):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::registerFor):
        * bytecompiler/RegisterID.h:
        (JSC::RegisterID::RegisterID):
        (JSC::RegisterID::setIndex):
        (JSC::RegisterID::index):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::thisObject):
        * dfg/DFGAbstractHeap.h:
        (JSC::DFG::AbstractHeap::Payload::Payload):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        (JSC::DFG::::clobberCapturedVars):
        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::dump):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
        (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::newVariableAccessData):
        (JSC::DFG::ByteCodeParser::getDirect):
        (JSC::DFG::ByteCodeParser::get):
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::findArgumentPosition):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::flushDirect):
        (JSC::DFG::ByteCodeParser::getToInt32):
        (JSC::DFG::ByteCodeParser::getThis):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::argumentsRegisterFor):
        (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
        (JSC::DFG::Graph::uncheckedActivationRegisterFor):
        (JSC::DFG::Graph::valueProfileFor):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::convertToGetLocalUnlinked):
        (JSC::DFG::Node::hasVirtualRegister):
        (JSC::DFG::Node::virtualRegister):
        (JSC::DFG::Node::setVirtualRegister):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::tryAllocate):
        (JSC::DFG::RegisterBank::allocateSpecific):
        (JSC::DFG::RegisterBank::retain):
        (JSC::DFG::RegisterBank::isInUse):
        (JSC::DFG::RegisterBank::dump):
        (JSC::DFG::RegisterBank::releaseAtIndex):
        (JSC::DFG::RegisterBank::allocateInternal):
        (JSC::DFG::RegisterBank::MapEntry::MapEntry):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::allocate):
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::checkConsistency):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::allocate):
        (JSC::DFG::SpeculativeJIT::fprAllocate):
        (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
        (JSC::DFG::SpeculativeJIT::flushRegisters):
        (JSC::DFG::SpeculativeJIT::isFlushed):
        (JSC::DFG::SpeculativeJIT::argumentSlot):
        (JSC::DFG::SpeculativeJIT::argumentTagSlot):
        (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
        (JSC::DFG::SpeculativeJIT::valueSourceForOperand):
        (JSC::DFG::SpeculativeJIT::setNodeForOperand):
        (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
        (JSC::DFG::SpeculativeJIT::recordSetLocal):
        (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::validateCPS):
        (JSC::DFG::Validate::checkOperand):
        (JSC::DFG::Validate::reportValidationContext):
        * dfg/DFGValueRecoveryOverride.h:
        (JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::operand):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::flushFormat):
        * dfg/DFGVariableEvent.h:
        (JSC::DFG::VariableEvent::spill):
        (JSC::DFG::VariableEvent::setLocal):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * ftl/FTLExitArgumentForOperand.h:
        (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
        (JSC::FTL::ExitArgumentForOperand::operand):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
        (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::observeMovHint):
        (JSC::FTL::LowerDFGToLLVM::addressFor):
        (JSC::FTL::LowerDFGToLLVM::payloadFor):
        (JSC::FTL::LowerDFGToLLVM::tagFor):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::convertToForward):
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::addressFor):
        (JSC::AssemblyHelpers::tagFor):
        (JSC::AssemblyHelpers::payloadFor):
        (JSC::AssemblyHelpers::argumentsRegisterFor):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::emitGetVirtualRegister):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_tear_off_arguments):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_enter):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_enter):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::argumentsGetter):

2013-09-26  Oliver Hunt  <oliver@apple.com>

        Attempt to fix MSVC build

        * parser/Parser.cpp:
        (JSC::::createBindingPattern):
        (JSC::::parseDeconstructionPattern):
        * parser/Parser.h:

2013-09-26  Julien Brianceau  <jbriance@cisco.com>

        [sh4] JSValue* exception is unused since r70703 in JITStackFrame.
        https://bugs.webkit.org/show_bug.cgi?id=121962

        This is a cosmetic change, but it could avoid people reading sh4 part to
        waste time to understand why there is a JSValue* here.

        Reviewed by Darin Adler.

        * jit/JITStubs.h:

2013-09-26  Anders Carlsson  <andersca@apple.com>

        WeakGCMap should not inherit from HashMap
        https://bugs.webkit.org/show_bug.cgi?id=121964

        Reviewed by Geoffrey Garen.

        Add the HashMap as a member variable instead and implement the missing member functions.

        * runtime/WeakGCMap.h:

2013-09-25  Michael Saboff  <msaboff@apple.com>

        VirtualRegister should be a class
        https://bugs.webkit.org/show_bug.cgi?id=121732

        Reviewed by Geoffrey Garen.

        This is a refactoring change.  Changed VirtualRegister from an enum to a class.
        Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
        and the similar functions for locals to VirtualRegister class.

        This is in preparation for changing the offset for the first local register from
        0 to -1.  This is needed since most native calling conventions have the architected
        frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
        pointer.  Local values start below that address.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/Instruction.h:
        * bytecode/LazyOperandValueProfile.h:
        * bytecode/MethodOfGettingAValueProfile.cpp:
        * bytecode/Operands.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/ValueRecovery.h:
        * bytecode/VirtualRegister.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/RegisterID.h:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        * dfg/DFGArgumentPosition.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGJITCode.cpp:
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGRegisterBank.h:
        * dfg/DFGScoreBoard.h:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGValueRecoveryOverride.h:
        * dfg/DFGVariableAccessData.h:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * ftl/FTLExitArgumentForOperand.h:
        * ftl/FTLLink.cpp:
        * ftl/FTLLowerDFGToLLVM.cpp:
        * ftl/FTLOSREntry.cpp:
        * ftl/FTLOSRExit.cpp:
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * jit/AssemblyHelpers.h:
        * jit/JIT.h:
        * jit/JITCall.cpp:
        * jit/JITInlines.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        * llint/LLIntSlowPaths.cpp:
        * profiler/ProfilerBytecodeSequence.cpp:
        * runtime/CommonSlowPaths.cpp:
        * runtime/JSActivation.cpp:

2013-09-26  Anders Carlsson  <andersca@apple.com>

        Weak should have a move constructor and move assignment operator
        https://bugs.webkit.org/show_bug.cgi?id=121963

        Reviewed by Oliver Hunt.

        This is the first step towards getting rid of PassWeak.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * heap/Weak.h:
        * heap/WeakInlines.h:
        (JSC::::Weak):
        (JSC::::leakImpl):
        * runtime/SimpleTypedArrayController.cpp:
        (JSC::SimpleTypedArrayController::toJS):

2013-09-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        op_to_this shouldn't use value profiling
        https://bugs.webkit.org/show_bug.cgi?id=121920

        Reviewed by Geoffrey Garen.

        Currently it's the only opcode that uses m_singletonValue, which is unnecessary. Our current plan is 
        to remove m_singletonValue so that GenGC can have a simpler story for handling CodeBlocks/FunctionExecutables 
        during nursery collections.

        This patch adds an inline cache for the Structure of to_this so it no longer depends on the ValueProfile's
        m_singletonValue. Since nobody uses m_singletonValue now, this patch also removes m_singletonValue from
        ValueProfile.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::updateAllPredictions):
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::updateAllPredictions):
        * bytecode/LazyOperandValueProfile.cpp:
        (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
        * bytecode/LazyOperandValueProfile.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::ValueProfileBase):
        (JSC::ValueProfileBase::briefDescription):
        (JSC::ValueProfileBase::dump):
        (JSC::ValueProfileBase::computeUpdatedPrediction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):

2013-09-25  Oliver Hunt  <oliver@apple.com>

        Implement prefixed-destructuring assignment
        https://bugs.webkit.org/show_bug.cgi?id=121930

        Reviewed by Mark Hahnenberg.

        This is mostly simple - the semantics of deconstruction are already
        present in the language, so most of the complexity (if you call it
        that) is addition of new AST nodes, and parsing the syntax.

        In order to get correct semantics for the parameter lists, FunctionParameters
        now needs to store refcounted references to the parameter patterns.
        There's also a little work to ensure that variable creation and assignment
        occurs in the correct order while the BytecodeGenerator is being constructed. 

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::paramString):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::DeconstructingAssignmentNode::emitBytecode):
        (JSC::DeconstructionPatternNode::~DeconstructionPatternNode):
        (JSC::ArrayPatternNode::emitBytecode):
        (JSC::ArrayPatternNode::emitDirectBinding):
        (JSC::ArrayPatternNode::toString):
        (JSC::ArrayPatternNode::collectBoundIdentifiers):
        (JSC::ObjectPatternNode::toString):
        (JSC::ObjectPatternNode::emitBytecode):
        (JSC::ObjectPatternNode::collectBoundIdentifiers):
        (JSC::BindingNode::emitBytecode):
        (JSC::BindingNode::toString):
        (JSC::BindingNode::collectBoundIdentifiers):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFormalParameterList):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::addVar):
        (JSC::ASTBuilder::createDeconstructingAssignment):
        (JSC::ASTBuilder::createArrayPattern):
        (JSC::ASTBuilder::appendArrayPatternSkipEntry):
        (JSC::ASTBuilder::appendArrayPatternEntry):
        (JSC::ASTBuilder::createObjectPattern):
        (JSC::ASTBuilder::appendObjectPatternEntry):
        (JSC::ASTBuilder::createBindingLocation):
        * parser/NodeConstructors.h:
        (JSC::CommaNode::CommaNode):
        (JSC::ParameterNode::ParameterNode):
        (JSC::ForInNode::ForInNode):
        (JSC::DeconstructionPatternNode::DeconstructionPatternNode):
        (JSC::ArrayPatternNode::ArrayPatternNode):
        (JSC::ArrayPatternNode::create):
        (JSC::ObjectPatternNode::ObjectPatternNode):
        (JSC::ObjectPatternNode::create):
        (JSC::BindingNode::create):
        (JSC::BindingNode::BindingNode):
        (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode):
        * parser/Nodes.cpp:
        (JSC::FunctionParameters::create):
        (JSC::FunctionParameters::FunctionParameters):
        (JSC::FunctionParameters::~FunctionParameters):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isDeconstructionNode):
        (JSC::ArrayNode::elements):
        (JSC::CommaNode::append):
        (JSC::ParameterNode::pattern):
        (JSC::FunctionParameters::at):
        (JSC::FunctionParameters::patterns):
        (JSC::DeconstructionPatternNode::isBindingNode):
        (JSC::DeconstructionPatternNode::emitDirectBinding):
        (JSC::ArrayPatternNode::appendIndex):
        (JSC::ObjectPatternNode::appendEntry):
        (JSC::ObjectPatternNode::Entry::Entry):
        (JSC::BindingNode::boundProperty):
        (JSC::BindingNode::isBindingNode):
        (JSC::DeconstructingAssignmentNode::bindings):
        (JSC::DeconstructingAssignmentNode::isLocation):
        (JSC::DeconstructingAssignmentNode::isDeconstructionNode):
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseVarDeclaration):
        (JSC::::parseVarDeclarationList):
        (JSC::::createBindingPattern):
        (JSC::::parseDeconstructionPattern):
        (JSC::::parseForStatement):
        (JSC::::parseFormalParameters):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Scope::declareBoundParameter):
        (JSC::Parser::declareBoundParameter):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::addVar):
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/JSONObject.cpp:
        (JSC::escapeStringToBuilder):
        * runtime/JSONObject.h:

2013-09-25  Brady Eidson  <beidson@apple.com>

        Enable the IndexedDB build on Mac, but leave the feature non-functional
        https://bugs.webkit.org/show_bug.cgi?id=121918

        Reviewed by Alexey Proskuryakov.

        * Configurations/FeatureDefines.xcconfig:

2013-09-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r156432.
        http://trac.webkit.org/changeset/156432
        https://bugs.webkit.org/show_bug.cgi?id=121932

        some integer conversion things that need brady to fix
        (Requested by thorton on #webkit).

        * Configurations/FeatureDefines.xcconfig:

2013-09-25  Anders Carlsson  <andersca@apple.com>

        Move KeyValuePairTraits inside HashMap
        https://bugs.webkit.org/show_bug.cgi?id=121931

        Reviewed by Sam Weinig.

        * tools/ProfileTreeNode.h:

2013-09-25  Brady Eidson  <beidson@apple.com>

        Enable the IndexedDB build on Mac, but leave the feature non-functional
        https://bugs.webkit.org/show_bug.cgi?id=121918

        Reviewed by Alexey Proskuryakov.

        * Configurations/FeatureDefines.xcconfig:

2013-09-25  Brady Eidson  <beidson@apple.com>

        FeatureDefine.xcconfig cleanup (They should all be identical).
        https://bugs.webkit.org/show_bug.cgi?id=121921

        Reviewed by Mark Rowe.

        * Configurations/FeatureDefines.xcconfig:

2013-09-25  Patrick Gansterer  <paroga@webkit.org>

        Build fix for WinCE after r155098.

        Windows CE does not support getenv().

        * jsc.cpp:
        (main):

2013-09-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        op_get_callee shouldn't use value profiling
        https://bugs.webkit.org/show_bug.cgi?id=121821

        Reviewed by Filip Pizlo.

        Currently it's one of the two opcodes that uses m_singletonValue, which is unnecessary. 
        Our current plan is to remove m_singletonValue so that GenGC can have a simpler story 
        for handling CodeBlocks/FunctionExecutables during nursery collections.

        Instead of using a ValueProfile op_get_callee now has a simple inline cache of the most 
        recent JSFunction that we saw.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCreateThis):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_get_callee):
        (JSC::JIT::emitSlow_op_get_callee):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_callee):
        (JSC::JIT::emitSlow_op_get_callee):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2013-09-24  Mark Lam  <mark.lam@apple.com>

        Change JSC debug hooks to pass a CallFrame* instead of a DebuggerCallFrame.
        https://bugs.webkit.org/show_bug.cgi?id=121867.

        Reviewed by Geoffrey Garen.

        1. Removed the need for passing the line and column info to the debug hook
           callbacks. We now get the line and column info from the CallFrame.

        2. Simplify BytecodeGenerator::emitDebugHook() to only take 1 line number
           argument. The caller can determine whether to pass in the first or last
           line number of the block of source code as appropriate.
           Note: we still need to pass in the line and column info to emitDebugHook()
           because it uses this info to emit expression info which is later used by
           the StackVisitor to determine the line and column info for its "pc".

        3. Pass the exceptionValue explicitly to the exception() debug hook
           callback. It should not be embedded in the CallFrame / DebuggerCallFrame.

        4. Change the op_debug opcode size to 2 (from 5) since we've removing 3 arg
           values. Update the LLINT and JIT code to handle this.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ConstStatementNode::emitBytecode):
        (JSC::EmptyStatementNode::emitBytecode):
        (JSC::DebuggerStatementNode::emitBytecode):
        (JSC::ExprStatementNode::emitBytecode):
        (JSC::VarStatementNode::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::LabelNode::emitBytecode):
        (JSC::ThrowNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        (JSC::ProgramNode::emitBytecode):
        (JSC::EvalNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::LineAndColumnFunctor::operator()):
        (JSC::LineAndColumnFunctor::line):
        (JSC::LineAndColumnFunctor::column):
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::clear):
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::line):
        (JSC::DebuggerCallFrame::column):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        * interpreter/Interpreter.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:

2013-09-24  Filip Pizlo  <fpizlo@apple.com>

        Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com
        https://bugs.webkit.org/show_bug.cgi?id=121844

        Reviewed by Mark Hahnenberg.
        
        Fix some int52 bugs that caused this.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dumpInContext): There's no such thing as int53.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::spill): Actually spill int52's, instead of hitting an assert and crashing.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): Use the right format (from before when we clobber it).

2013-09-24  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/14971518> WebKit should build against the Xcode default toolchain when targeting OS X 10.8

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2013-09-23  Patrick Gansterer  <paroga@webkit.org>

        use NOMINMAX instead of #define min min
        https://bugs.webkit.org/show_bug.cgi?id=73563

        Reviewed by Brent Fulgham.

        Use NOMINMAX instead of #define min/max as a cleaner
        way of ensuring that Windows system header files don't
        define min/max as macro in the first place.

        * config.h:

2013-09-23  Filip Pizlo  <fpizlo@apple.com>

        Never use ReturnPC for exception handling and quit using exception check indices as a lame replica of the CodeOrigin index
        https://bugs.webkit.org/show_bug.cgi?id=121734

        Reviewed by Mark Hahnenberg.
        
        Exception handling can deduce where the exception was thrown from by looking at the
        code origin that was stored into the call frame header. There is no need to pass any
        additional meta-data into the exception throwing logic. But the DFG was still doing it
        anyway.
        
        This removes all of the logic to pass extra meta-data into lookupExceptionHandler()
        and friends. It simplifies a lot of code.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::codeOrigins):
        (JSC::CodeBlock::hasCodeOrigins):
        (JSC::CodeBlock::canGetCodeOrigin):
        (JSC::CodeBlock::codeOrigin):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::InlineCallFrame):
        * bytecode/InlineCallFrameSet.cpp: Added.
        (JSC::InlineCallFrameSet::InlineCallFrameSet):
        (JSC::InlineCallFrameSet::~InlineCallFrameSet):
        (JSC::InlineCallFrameSet::add):
        (JSC::InlineCallFrameSet::shrinkToFit):
        * bytecode/InlineCallFrameSet.h: Added.
        (JSC::InlineCallFrameSet::isEmpty):
        (JSC::InlineCallFrameSet::size):
        (JSC::InlineCallFrameSet::at):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::addCodeOrigin):
        (JSC::DFG::CommonData::shrinkToFit):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
        (JSC::DFG::JITCompiler::exceptionCheck):
        (JSC::DFG::JITCompiler::fastExceptionCheck):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        (JSC::DFG::SpeculativeJIT::appendCall):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callPreflight):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitExceptionCheck):

2013-09-23  Oliver Hunt  <oliver@apple.com>

        CodeLoad performance regression

        Reviewed by Filip Pizlo.

        Temporarily remove the ExpressionInfo compression until we can
        work out how to make it not clobber performance.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addExpressionInfo):
        * bytecode/UnlinkedCodeBlock.h:

2013-09-23  Patrick Gansterer  <paroga@webkit.org>

        Cleanup CMake files in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=121762

        Reviewed by Gyuyoung Kim.

        Sort files and unify style.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:
        * shell/PlatformBlackBerry.cmake:
        * shell/PlatformEfl.cmake:

2013-09-22  Filip Pizlo  <fpizlo@apple.com>

        Get rid of CodeBlock::RareData::callReturnIndexVector and most of the evil that it introduced
        https://bugs.webkit.org/show_bug.cgi?id=121766

        Reviewed by Andreas Kling.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        (JSC::DFG::JITCompiler::link):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2013-09-21  Filip Pizlo  <fpizlo@apple.com>

        Interpreter::unwind() has no need for the bytecodeOffset
        https://bugs.webkit.org/show_bug.cgi?id=121755

        Reviewed by Oliver Hunt.
        
        It was only using the bytecodeOffset for some debugger stuff, but the debugger could
        just get the bytecodeOffset the same way the rest of the machinery does: by using the
        CallFrame's location.
        
        It turns out that a lot of really ugly code was in place just to supply this
        bytecodeOffset. This patch kills most of that code, and allows us to kill even more
        code in a future patch - though most likely that killage will involve further
        refactorings as well, see https://bugs.webkit.org/show_bug.cgi?id=121734.

        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::bytecodeOffset):
        (JSC::CallFrame::codeOrigin):
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::cti_vm_handle_exception):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntExceptions.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h:

2013-09-21  Darin Adler  <darin@apple.com>

        Add ExecState::uncheckedArgument and use where possible to shrink a bit
        https://bugs.webkit.org/show_bug.cgi?id=121750

        Reviewed by Andreas Kling.

        * interpreter/CallFrame.h:
        (JSC::ExecState::uncheckedArgument): Added. Like argument, but with an
        assertion rather than a runtime check.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call): Use uncheckedArgument because we are
        already in a loop over arguments, so don't need a range check.
        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback): Ditto.
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject::construct): Ditto.
        (JSC::JSCallbackObject::call): Ditto.
        * jsc.cpp:
        (functionPrint): Ditto.
        (functionRun): Ditto.
        (functionSetSamplingFlags): Ditto.
        (functionClearSamplingFlags): Ditto.
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncConcat): Ditto.
        (JSC::arrayProtoFuncPush): Use uncheckedArgument because there is already
        code that explicitly checks argumentCount.
        (JSC::arrayProtoFuncSplice): Ditto.
        (JSC::arrayProtoFuncUnShift): Ditto.
        (JSC::arrayProtoFuncReduce): Ditto.
        (JSC::arrayProtoFuncReduceRight): Ditto.
        (JSC::arrayProtoFuncLastIndexOf): Ditto.
        * runtime/DatePrototype.cpp:
        (JSC::fillStructuresUsingTimeArgs): Ditto.
        (JSC::fillStructuresUsingDateArgs): Ditto.
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer): Ditto.
        * runtime/JSArrayBufferPrototype.cpp:
        (JSC::arrayBufferProtoFuncSlice): Ditto.
        * runtime/JSBoundFunction.cpp:
        (JSC::boundFunctionCall): Ditto.
        (JSC::boundFunctionConstruct): Ditto.
        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData): Ditto.
        (JSC::setData): Ditto.
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView): Ditto.
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
        (JSC::genericTypedArrayViewProtoFuncSet): Ditto.
        (JSC::genericTypedArrayViewProtoFuncSubarray): Ditto.
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse): Ditto.
        (JSC::JSONProtoFuncStringify): Ditto.
        * runtime/JSPromiseConstructor.cpp:
        (JSC::constructPromise): Ditto.
        (JSC::JSPromiseConstructorFuncFulfill): Ditto.
        (JSC::JSPromiseConstructorFuncResolve): Ditto.
        (JSC::JSPromiseConstructorFuncReject): Ditto.
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax): Ditto.
        (JSC::mathProtoFuncMin): Ditto.

        * runtime/NameConstructor.cpp:
        (JSC::constructPrivateName): Removed unneeded check of argumentCout
        that simply repeats what argument already does.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor): Ditto.
        (JSC::Interpreter::callNativeErrorConstructor): Ditto.

        * runtime/NumberConstructor.cpp:
        (JSC::constructWithNumberConstructor): Use uncheckedArgument since
        there is already code that explicitly checks argument count.
        (JSC::callNumberConstructor): Ditto.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorCreate): Small refactoring to not call argument(0)
        three times.

        * runtime/SetConstructor.cpp:
        (JSC::constructSet): Use uncheckedArgument since we are already in a loop
        over arguments.

        * runtime/StringConstructor.cpp:
        (JSC::stringFromCharCodeSlowCase): In a loop.
        (JSC::stringFromCharCode): Already checked count.
        (JSC::constructWithStringConstructor): Ditto.
        (JSC::callStringConstructor): Ditto.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncConcat): Already checked count.
        * runtime/TestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles): Ditto.
        (JSC::setNeverInline): Ditto.

2013-09-21  Filip Pizlo  <fpizlo@apple.com>

        Remove the notion that a CallFrame can have a pointer to an InlineCallFrame, since that doesn't happen anymore
        https://bugs.webkit.org/show_bug.cgi?id=121753

        Reviewed by Darin Adler.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex):
        * interpreter/CallFrame.h:
        * interpreter/Register.h:

2013-09-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix the revert.

        * dfg/DFGRepatch.cpp:

2013-09-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert http://trac.webkit.org/changeset/156235. It won't work on Windows.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
        * dfg/DFGRegisterSet.h: Added.
        (JSC::DFG::RegisterSet::RegisterSet):
        (JSC::DFG::RegisterSet::asPOD):
        (JSC::DFG::RegisterSet::copyInfo):
        (JSC::DFG::RegisterSet::set):
        (JSC::DFG::RegisterSet::setGPRByIndex):
        (JSC::DFG::RegisterSet::clear):
        (JSC::DFG::RegisterSet::get):
        (JSC::DFG::RegisterSet::getGPRByIndex):
        (JSC::DFG::RegisterSet::getFreeGPR):
        (JSC::DFG::RegisterSet::setFPRByIndex):
        (JSC::DFG::RegisterSet::getFPRByIndex):
        (JSC::DFG::RegisterSet::setByIndex):
        (JSC::DFG::RegisterSet::getByIndex):
        (JSC::DFG::RegisterSet::numberOfSetGPRs):
        (JSC::DFG::RegisterSet::numberOfSetFPRs):
        (JSC::DFG::RegisterSet::numberOfSetRegisters):
        (JSC::DFG::RegisterSet::setBit):
        (JSC::DFG::RegisterSet::clearBit):
        (JSC::DFG::RegisterSet::getBit):
        * dfg/DFGRepatch.cpp: Added.
        (JSC::DFG::repatchCall):
        (JSC::DFG::repatchByIdSelfAccess):
        (JSC::DFG::addStructureTransitionCheck):
        (JSC::DFG::replaceWithJump):
        (JSC::DFG::emitRestoreScratch):
        (JSC::DFG::linkRestoreScratch):
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::repatchGetByID):
        (JSC::DFG::getPolymorphicStructureList):
        (JSC::DFG::patchJumpToGetByIdStub):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::buildGetByIDList):
        (JSC::DFG::appropriateGenericPutByIdFunction):
        (JSC::DFG::appropriateListBuildingPutByIdFunction):
        (JSC::DFG::emitPutReplaceStub):
        (JSC::DFG::emitPutTransitionStub):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::repatchPutByID):
        (JSC::DFG::tryBuildPutByIdList):
        (JSC::DFG::buildPutByIdList):
        (JSC::DFG::tryRepatchIn):
        (JSC::DFG::repatchIn):
        (JSC::DFG::linkSlowFor):
        (JSC::DFG::linkFor):
        (JSC::DFG::linkClosureCall):
        (JSC::DFG::resetGetByID):
        (JSC::DFG::resetPutByID):
        (JSC::DFG::resetIn):
        * dfg/DFGRepatch.h: Added.
        (JSC::DFG::resetGetByID):
        (JSC::DFG::resetPutByID):
        (JSC::DFG::resetIn):
        * dfg/DFGScratchRegisterAllocator.h: Added.
        (JSC::DFG::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::DFG::ScratchRegisterAllocator::lock):
        (JSC::DFG::ScratchRegisterAllocator::allocateScratch):
        (JSC::DFG::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::DFG::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::DFG::ScratchRegisterAllocator::didReuseRegisters):
        (JSC::DFG::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::DFG::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::DFG::ScratchRegisterAllocator::desiredScratchBufferSize):
        (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::emitPointerValidation):
        (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
        (JSC::DFG::slowPathFor):
        (JSC::DFG::linkForThunkGenerator):
        (JSC::DFG::linkCallThunkGenerator):
        (JSC::DFG::linkConstructThunkGenerator):
        (JSC::DFG::linkClosureCallThunkGenerator):
        (JSC::DFG::virtualForThunkGenerator):
        (JSC::DFG::virtualCallThunkGenerator):
        (JSC::DFG::virtualConstructThunkGenerator):
        * dfg/DFGThunks.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        * ftl/FTLOSRExitCompiler.h:
        * jit/AssemblyHelpers.h:
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        (JSC::JIT::linkSlowCall):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITOperationWrappers.h: Removed.
        * jit/JITOperations.cpp: Removed.
        * jit/JITOperations.h: Removed.
        * jit/RegisterSet.h: Removed.
        * jit/Repatch.cpp: Removed.
        * jit/Repatch.h: Removed.
        * jit/ScratchRegisterAllocator.h: Removed.
        * jit/ThunkGenerators.cpp:
        (JSC::generateSlowCaseFor):
        (JSC::linkForGenerator):
        (JSC::linkCallGenerator):
        (JSC::linkConstructGenerator):
        (JSC::linkClosureCallGenerator):
        (JSC::virtualForGenerator):
        (JSC::virtualCallGenerator):
        (JSC::virtualConstructGenerator):
        * jit/ThunkGenerators.h:

2013-09-21  Filip Pizlo  <fpizlo@apple.com>

        Move DFG inline caching logic into jit/
        https://bugs.webkit.org/show_bug.cgi?id=121749

        Rubber stamped by Sam Weinig.
        
        We want to get rid of the baseline JIT's inline caching machinery and have it use the
        DFG's instead. But before we do that we need to move the DFG's inline caching machine
        out from behind its ENABLE(DFG_JIT) guards and make it available to the whole system.
        This patch does that:
        
        - dfg/DFGRepatch becomes jit/Repatch.
        
        - The thunks used by the DFG IC go into jit/ThunkGenerators, instead of dfg/DFGThunks.
        
        - The operations used by the DFG IC go into jit/JITOperations, instead of
          dfg/DFGOperations.
        
        - The old JIT's thunk generators for calls are renamed to reduce confusion. Previously
          it was easy to know which generators belong to which JIT because the old JIT used
          JSC::virtualCallBlah and the DFG used JSC::DFG::virtualCallBlah, but that's not the
          case anymore. Note that the old JIT's thunk generators will die in a future patch.
        
        No functional changes beyond those moves.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
        (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
        * dfg/DFGRegisterSet.h: Removed.
        * dfg/DFGRepatch.cpp: Removed.
        * dfg/DFGRepatch.h: Removed.
        * dfg/DFGScratchRegisterAllocator.h: Removed.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        * dfg/DFGThunks.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::writeBarrier):
        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        (JSC::JIT::linkSlowCall):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITOperationWrappers.h: Added.
        * jit/JITOperations.cpp: Added.
        * jit/JITOperations.h: Added.
        * jit/RegisterSet.h: Added.
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::asPOD):
        (JSC::RegisterSet::copyInfo):
        (JSC::RegisterSet::set):
        (JSC::RegisterSet::setGPRByIndex):
        (JSC::RegisterSet::clear):
        (JSC::RegisterSet::get):
        (JSC::RegisterSet::getGPRByIndex):
        (JSC::RegisterSet::getFreeGPR):
        (JSC::RegisterSet::setFPRByIndex):
        (JSC::RegisterSet::getFPRByIndex):
        (JSC::RegisterSet::setByIndex):
        (JSC::RegisterSet::getByIndex):
        (JSC::RegisterSet::numberOfSetGPRs):
        (JSC::RegisterSet::numberOfSetFPRs):
        (JSC::RegisterSet::numberOfSetRegisters):
        (JSC::RegisterSet::setBit):
        (JSC::RegisterSet::clearBit):
        (JSC::RegisterSet::getBit):
        * jit/Repatch.cpp: Added.
        (JSC::repatchCall):
        (JSC::repatchByIdSelfAccess):
        (JSC::addStructureTransitionCheck):
        (JSC::replaceWithJump):
        (JSC::emitRestoreScratch):
        (JSC::linkRestoreScratch):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::getPolymorphicStructureList):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::buildGetByIDList):
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::buildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::repatchIn):
        (JSC::linkSlowFor):
        (JSC::linkFor):
        (JSC::linkClosureCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::resetIn):
        * jit/Repatch.h: Added.
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::resetIn):
        * jit/ScratchRegisterAllocator.h: Added.
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::lock):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::didReuseRegisters):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * jit/ThunkGenerators.cpp:
        (JSC::oldStyleGenerateSlowCaseFor):
        (JSC::oldStyleLinkForGenerator):
        (JSC::oldStyleLinkCallGenerator):
        (JSC::oldStyleLinkConstructGenerator):
        (JSC::oldStyleLinkClosureCallGenerator):
        (JSC::oldStyleVirtualForGenerator):
        (JSC::oldStyleVirtualCallGenerator):
        (JSC::oldStyleVirtualConstructGenerator):
        (JSC::emitPointerValidation):
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::linkForThunkGenerator):
        (JSC::linkCallThunkGenerator):
        (JSC::linkConstructThunkGenerator):
        (JSC::linkClosureCallThunkGenerator):
        (JSC::virtualForThunkGenerator):
        (JSC::virtualCallThunkGenerator):
        (JSC::virtualConstructThunkGenerator):
        * jit/ThunkGenerators.h:

2013-09-21  Anders Carlsson  <andersca@apple.com>

        Fix the non-DFG build.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::r):

2013-09-21  Filip Pizlo  <fpizlo@apple.com>

        Get rid of IsInlinedCodeTag and its associated methods since it's unused
        https://bugs.webkit.org/show_bug.cgi?id=121737

        Reviewed by Sam Weinig.
        
        This was meant to be easy, but I kept wondering if it was safe to remove the
        inline call frame check in Arguments::tearOff(). The check was clearly dead
        since the bit wasn't being set anywhere.
        
        It turns out that the unwindCallFrame() function was relying on tearOff()
        doing the right thing for inlined code, but it wasn't even passing it an
        inline call frame. I fixed this by having unwindCallFrame() inlining check,
        while also making sure that the code uses the right operand index for the
        arguments register.

        * interpreter/CallFrame.h:
        * interpreter/CallFrameInlines.h:
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::r):
        * interpreter/StackVisitor.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):

2013-09-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        (un)shiftCountWithAnyIndexingType will start over in the middle of copying if it sees a hole
        https://bugs.webkit.org/show_bug.cgi?id=121717

        Reviewed by Oliver Hunt.

        This bug caused the array to become corrupted. We now check for holes before we start moving things, 
        and start moving things only once we've determined that there are none.

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):

2013-09-20  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r156047): WebCore hangs inside JSC::toInt32(double)
        https://bugs.webkit.org/show_bug.cgi?id=121648

        Reviewed by Mark Hahnenberg.
        
        The Int52<->StrictInt52 conversion did the opposite fill() than what it was
        supposed to. For example when converting a Int52 to a StrictInt52 it would fill
        as Int52, and vice-versa.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):

2013-09-20  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r153215): New iCloud site crashes
        https://bugs.webkit.org/show_bug.cgi?id=121710

        Reviewed by Filip Pizlo.

        Don't claim to be able to rely on the arguments structure, use the Arguments
        speculation type

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-09-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clobberize phase forgets to indicate that it writes GCState for several node types
        https://bugs.webkit.org/show_bug.cgi?id=121702

        Reviewed by Oliver Hunt.

        Added read and write for GCState to the nodes that could end up allocating (and thereby
        cause a garbage collection).

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2013-09-19  Filip Pizlo  <fpizlo@apple.com>

        Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them
        https://bugs.webkit.org/show_bug.cgi?id=121637

        Rubber stamped by Michael Saboff.
        
        Also moved GPRInfo/FPRInfo into jit/. Rolling back in after fixing JIT-only build
        and tests.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGAssemblyHelpers.cpp: Removed.
        * dfg/DFGAssemblyHelpers.h: Removed.
        * dfg/DFGBinarySwitch.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCCallHelpers.h: Removed.
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGFPRInfo.h: Removed.
        * dfg/DFGGPRInfo.h: Removed.
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGRegisterBank.h:
        * dfg/DFGRegisterSet.h:
        * dfg/DFGRepatch.cpp:
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGThunks.cpp:
        * dfg/DFGVariableEvent.cpp:
        * ftl/FTLCArgumentGetter.h:
        (JSC::FTL::CArgumentGetter::CArgumentGetter):
        (JSC::FTL::CArgumentGetter::loadNext8):
        (JSC::FTL::CArgumentGetter::loadNext32):
        (JSC::FTL::CArgumentGetter::loadNext64):
        (JSC::FTL::CArgumentGetter::loadNextPtr):
        (JSC::FTL::CArgumentGetter::loadNextDouble):
        * ftl/FTLCompile.cpp:
        * ftl/FTLExitThunkGenerator.h:
        * ftl/FTLLink.cpp:
        * ftl/FTLThunks.cpp:
        * jit/AssemblyHelpers.cpp: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp.
        * jit/AssemblyHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h.
        (JSC::AssemblyHelpers::AssemblyHelpers):
        (JSC::AssemblyHelpers::debugCall):
        * jit/CCallHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGCCallHelpers.h.
        * jit/FPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGFPRInfo.h.
        (WTF::printInternal):
        * jit/GPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGGPRInfo.h.
        (WTF::printInternal):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::JSInterfaceJIT):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::linkForGenerator):
        (JSC::virtualForGenerator):
        (JSC::stringLengthTrampolineGenerator):
        (JSC::nativeForGenerator):
        (JSC::arityFixup):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        (JSC::imulThunkGenerator):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * runtime/JSCJSValue.h:

2013-09-20  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        Inline method exported
        https://bugs.webkit.org/show_bug.cgi?id=121664

        Reviewed by Darin Adler.

        WatchDog::didFire() is marked as an exported symbol eventhough it is
        defined inline. This breaks the build on MinGW since it results in dllimport
        being declared on a definition.

        * runtime/Watchdog.h:
        (JSC::Watchdog::didFire):

2013-09-20  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Use COMPILE_DEFINITIONS target property for setting BUILDING_* defines
        https://bugs.webkit.org/show_bug.cgi?id=121672

        Reviewed by Gyuyoung Kim.

        Since the scope of add_definitions() is always a whole file, we need to use
        target properties instead to set definitions only for specific targets.

        * CMakeLists.txt:

2013-09-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r156120.
        http://trac.webkit.org/changeset/156120
        https://bugs.webkit.org/show_bug.cgi?id=121651

        Broke windows runtime and all tests (Requested by bfulgham on
        #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGAssemblyHelpers.cpp: Renamed from Source/JavaScriptCore/jit/AssemblyHelpers.cpp.
        (JSC::DFG::AssemblyHelpers::executableFor):
        (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
        (JSC::DFG::AssemblyHelpers::setSamplingFlag):
        (JSC::DFG::AssemblyHelpers::clearSamplingFlag):
        (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
        (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
        * dfg/DFGAssemblyHelpers.h: Renamed from Source/JavaScriptCore/jit/AssemblyHelpers.h.
        (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
        (JSC::DFG::AssemblyHelpers::codeBlock):
        (JSC::DFG::AssemblyHelpers::vm):
        (JSC::DFG::AssemblyHelpers::assembler):
        (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::DFG::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
        (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
        (JSC::DFG::AssemblyHelpers::emitPutImmediateToCallFrameHeader):
        (JSC::DFG::AssemblyHelpers::branchIfNotCell):
        (JSC::DFG::AssemblyHelpers::addressFor):
        (JSC::DFG::AssemblyHelpers::tagFor):
        (JSC::DFG::AssemblyHelpers::payloadFor):
        (JSC::DFG::AssemblyHelpers::branchIfNotObject):
        (JSC::DFG::AssemblyHelpers::selectScratchGPR):
        (JSC::DFG::AssemblyHelpers::debugCall):
        (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
        (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::DFG::AssemblyHelpers::boxDouble):
        (JSC::DFG::AssemblyHelpers::unboxDouble):
        (JSC::DFG::AssemblyHelpers::boxInt52):
        (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
        (JSC::DFG::AssemblyHelpers::emitCount):
        (JSC::DFG::AssemblyHelpers::globalObjectFor):
        (JSC::DFG::AssemblyHelpers::strictModeFor):
        (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
        (JSC::DFG::AssemblyHelpers::baselineCodeBlock):
        (JSC::DFG::AssemblyHelpers::argumentsRegisterFor):
        (JSC::DFG::AssemblyHelpers::symbolTableFor):
        (JSC::DFG::AssemblyHelpers::offsetOfLocals):
        (JSC::DFG::AssemblyHelpers::offsetOfArgumentsIncludingThis):
        * dfg/DFGBinarySwitch.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCCallHelpers.h: Renamed from Source/JavaScriptCore/jit/CCallHelpers.h.
        (JSC::DFG::CCallHelpers::CCallHelpers):
        (JSC::DFG::CCallHelpers::resetCallArguments):
        (JSC::DFG::CCallHelpers::addCallArgument):
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsExecState):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        (JSC::DFG::CCallHelpers::setupTwoStubArgs):
        (JSC::DFG::CCallHelpers::setupStubArguments):
        (JSC::DFG::CCallHelpers::setupResults):
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGFPRInfo.h: Renamed from Source/JavaScriptCore/jit/FPRInfo.h.
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::toArgumentRegister):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h: Renamed from Source/JavaScriptCore/jit/GPRInfo.h.
        (JSC::DFG::JSValueRegs::JSValueRegs):
        (JSC::DFG::JSValueRegs::payloadOnly):
        (JSC::DFG::JSValueRegs::operator!):
        (JSC::DFG::JSValueRegs::gpr):
        (JSC::DFG::JSValueRegs::payloadGPR):
        (JSC::DFG::JSValueSource::JSValueSource):
        (JSC::DFG::JSValueSource::unboxedCell):
        (JSC::DFG::JSValueSource::operator!):
        (JSC::DFG::JSValueSource::isAddress):
        (JSC::DFG::JSValueSource::offset):
        (JSC::DFG::JSValueSource::base):
        (JSC::DFG::JSValueSource::gpr):
        (JSC::DFG::JSValueSource::asAddress):
        (JSC::DFG::JSValueSource::notAddress):
        (JSC::DFG::JSValueRegs::tagGPR):
        (JSC::DFG::JSValueSource::tagGPR):
        (JSC::DFG::JSValueSource::payloadGPR):
        (JSC::DFG::JSValueSource::hasKnownTag):
        (JSC::DFG::JSValueSource::tag):
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        (JSC::DFG::GPRInfo::toArgumentRegister):
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGRegisterBank.h:
        * dfg/DFGRegisterSet.h:
        * dfg/DFGRepatch.cpp:
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGThunks.cpp:
        * dfg/DFGVariableEvent.cpp:
        * ftl/FTLCArgumentGetter.h:
        (JSC::FTL::CArgumentGetter::CArgumentGetter):
        (JSC::FTL::CArgumentGetter::loadNext8):
        (JSC::FTL::CArgumentGetter::loadNext32):
        (JSC::FTL::CArgumentGetter::loadNext64):
        (JSC::FTL::CArgumentGetter::loadNextPtr):
        (JSC::FTL::CArgumentGetter::loadNextDouble):
        * ftl/FTLCompile.cpp:
        * ftl/FTLExitThunkGenerator.h:
        * ftl/FTLLink.cpp:
        * ftl/FTLThunks.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::preserveReturnAddressAfterCall):
        (JSC::JSInterfaceJIT::restoreReturnAddressBeforeReturn):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::linkForGenerator):
        (JSC::virtualForGenerator):
        (JSC::stringLengthTrampolineGenerator):
        (JSC::nativeForGenerator):
        (JSC::arityFixup):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        (JSC::imulThunkGenerator):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * runtime/JSCJSValue.h:

2013-09-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows build part 2. m_jitCodeMap should always be there.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitCodeMap):

2013-09-19  Filip Pizlo  <fpizlo@apple.com>

        Remove some of the tautologies in DFGRepatch function naming.

        Rubber stamped by Mark Hahnenberg.
        
        For example change DFG::dfgLinkFor() to be DFG::linkFor().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        * dfg/DFGOperations.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::repatchCall):
        (JSC::DFG::repatchByIdSelfAccess):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::repatchGetByID):
        (JSC::DFG::buildGetByIDList):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::repatchPutByID):
        (JSC::DFG::buildPutByIdList):
        (JSC::DFG::repatchIn):
        (JSC::DFG::linkFor):
        (JSC::DFG::linkSlowFor):
        (JSC::DFG::linkClosureCall):
        (JSC::DFG::resetGetByID):
        (JSC::DFG::resetPutByID):
        (JSC::DFG::resetIn):
        * dfg/DFGRepatch.h:
        (JSC::DFG::resetGetByID):
        (JSC::DFG::resetPutByID):
        (JSC::DFG::resetIn):

2013-09-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows build. ScratchBuffer should always be available regardless of
        ENABLE_DFG_JIT.

        * runtime/VM.h:

2013-09-19  Daniel Bates  <dabates@apple.com>

        [iOS] Add more iOS logic to the JavaScriptCore build configuration files
        https://bugs.webkit.org/show_bug.cgi?id=121635

        Reviewed by Geoffrey Garen.

        Towards building JavaScriptCore for both OS X and iOS using the same
        set of configuration files, add more iOS logic.

        * Configurations/Base.xcconfig:
        * Configurations/JSC.xcconfig:
        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig:

2013-09-19  Filip Pizlo  <fpizlo@apple.com>

        Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them
        https://bugs.webkit.org/show_bug.cgi?id=121637

        Rubber stamped by Michael Saboff.
        
        Also moved GPRInfo/FPRInfo into jit/.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGAssemblyHelpers.cpp: Removed.
        * dfg/DFGAssemblyHelpers.h: Removed.
        * dfg/DFGBinarySwitch.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCCallHelpers.h: Removed.
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGFPRInfo.h: Removed.
        * dfg/DFGGPRInfo.h: Removed.
        * dfg/DFGGraph.cpp:
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExit.cpp:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitCompilerCommon.h:
        * dfg/DFGRegisterBank.h:
        * dfg/DFGRegisterSet.h:
        * dfg/DFGRepatch.cpp:
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGThunks.cpp:
        * dfg/DFGVariableEvent.cpp:
        * ftl/FTLCArgumentGetter.h:
        (JSC::FTL::CArgumentGetter::CArgumentGetter):
        (JSC::FTL::CArgumentGetter::loadNext8):
        (JSC::FTL::CArgumentGetter::loadNext32):
        (JSC::FTL::CArgumentGetter::loadNext64):
        (JSC::FTL::CArgumentGetter::loadNextPtr):
        (JSC::FTL::CArgumentGetter::loadNextDouble):
        * ftl/FTLCompile.cpp:
        * ftl/FTLExitThunkGenerator.h:
        * ftl/FTLLink.cpp:
        * ftl/FTLThunks.cpp:
        * jit/AssemblyHelpers.cpp: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp.
        * jit/AssemblyHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h.
        (JSC::AssemblyHelpers::AssemblyHelpers):
        (JSC::AssemblyHelpers::debugCall):
        * jit/CCallHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGCCallHelpers.h.
        * jit/FPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGFPRInfo.h.
        (WTF::printInternal):
        * jit/GPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGGPRInfo.h.
        (WTF::printInternal):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::JSInterfaceJIT):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::linkForGenerator):
        (JSC::virtualForGenerator):
        (JSC::stringLengthTrampolineGenerator):
        (JSC::nativeForGenerator):
        (JSC::arityFixup):
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        (JSC::imulThunkGenerator):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::generateThunkWithJumpTo):
        * runtime/JSCJSValue.h:

2013-09-19  Daniel Bates  <dabates@apple.com>

        [iOS] Substitute UNREACHABLE_FOR_PLATFORM() for RELEASE_ASSERT_NOT_REACHED()

        Rubber-stamped by Joseph Pecoraro.

        Use UNREACHABLE_FOR_PLATFORM() instead of RELEASE_ASSERT_NOT_REACHED() in
        the non-x86/x86-64 variant of JIT::emitSlow_op_mod() so as to avoid a missing
        noreturn warning in Clang while simultaneously asserting unreachable code.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_mod):

2013-09-19  Michael Saboff  <msaboff@apple.com>

        JSC: X86 disassembler shows 16, 32 and 64 bit displacements as unsigned
        https://bugs.webkit.org/show_bug.cgi?id=121625

        Rubber-stamped by Filip Pizlo.

        Chenged 16, 32 and 64 bit offsets to be signed.  Kept the original tab indented
        spacing to match the rest of the file.

        * disassembler/udis86/udis86_syn-att.c:
        (gen_operand):

2013-09-19  Daniel Bates  <dabates@apple.com>

        Remove names of unused arguments from the non-x86/x86-64 function prototype
        for JIT::emitSlow_op_mod()

        Rubber-stamped by Ryosuke Niwa.

        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_mod):

2013-09-18  Sam Weinig  <sam@webkit.org>

        Replace use of OwnArrayPtr<Foo> with std::unique_ptr<Foo[]> in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=121583

        Reviewed by Anders Carlsson.

        * API/JSStringRefCF.cpp:
        (JSStringCreateWithCFString):
        * API/JSStringRefQt.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpDisassembly):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:
        (JSC::Arguments::isTornOff):
        (JSC::Arguments::allocateSlowArguments):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSVariableObject.h:
        * runtime/PropertyNameArray.h:
        * runtime/RegExp.cpp:
        * runtime/StructureChain.h:
        (JSC::StructureChain::finishCreation):
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::setSlowArguments):

2013-09-18  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix after r156064.

        * jsc.cpp:
        (jscmain): Need a temporary to perform '&' in VS2010.

2013-09-18  Filip Pizlo  <fpizlo@apple.com>

        Give 'jsc' commandline an option to disable deleting the VM.

        Reviewed by Mark Hahnenberg.

        * jsc.cpp:
        (jscmain):
        * runtime/Options.h:

2013-09-18  Anders Carlsson  <andersca@apple.com>

        RefPtrHashMap should work with move only types
        https://bugs.webkit.org/show_bug.cgi?id=121564

        Reviewed by Andreas Kling.

        * runtime/VM.cpp:
        (JSC::VM::addSourceProviderCache):

2013-09-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename OperationInProgress to HeapOperation and move it out of Heap.h into its own header
        https://bugs.webkit.org/show_bug.cgi?id=121534

        Reviewed by Geoffrey Garen.

        OperationInProgress is a silly name. 

        Many parts of the Heap would like to know what HeapOperation is currently underway, but 
        since they are included in Heap.h they can't directly reference HeapOperation if it also 
        lives in Heap.h. The simplest thing to do is to give HeapOperation its own header. While 
        a bit overkill, it simplifies including it wherever its needed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::updateAllPredictions):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::updateAllValueProfilePredictions):
        (JSC::CodeBlock::updateAllPredictions):
        * bytecode/LazyOperandValueProfile.cpp:
        (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
        * bytecode/LazyOperandValueProfile.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::computeUpdatedPrediction):
        * heap/Heap.h:
        * heap/HeapOperation.h: Added.

2013-09-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should support Int52 for local variables
        https://bugs.webkit.org/show_bug.cgi?id=121064

        Reviewed by Oliver Hunt.
        
        This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
        programs that have local int32 overflows but where a larger int representation can
        prevent us from having to convert all the way up to double.
        
        It's a small speed-up for now. But we're just supporting Int52 for a handful of
        operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
        the groundwork for adding Int52 to JSValue, which will probably be a bigger
        speed-up.
        
        The basic approach is:
        
        - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
          or HeapTop - i.e. it doesn't arise from JSValues.
        
        - DFG treats Int52 as being part of its FullTop and will treat it as being a
          subtype of double unless instructed otherwise.
        
        - Prediction propagator creates Int52s whenever we have a node going doubly but due
          to large values rather than fractional values, and that node is known to be able
          to produce Int52 natively in the DFG backend.
        
        - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
          to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
          input.
        
        - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
          are left-shifted by 16 (great for overflow checks) and ones that are
          sign-extended. Both backends know how to convert between Int52s and the other
          representations.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::rshift64):
        (JSC::MacroAssemblerX86_64::mul64):
        (JSC::MacroAssemblerX86_64::branchMul64):
        (JSC::MacroAssemblerX86_64::branchNeg64):
        (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::imulq_rr):
        (JSC::X86Assembler::cvtsi2sdq_rr):
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/OperandsInlines.h:
        (JSC::::dumpInContext):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromValue):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt52Speculation):
        (JSC::isMachineIntSpeculationForArithmetic):
        (JSC::isInt52AsDoubleSpeculation):
        (JSC::isBytecodeRealNumberSpeculation):
        (JSC::isFullRealNumberSpeculation):
        (JSC::isBytecodeNumberSpeculation):
        (JSC::isFullNumberSpeculation):
        (JSC::isBytecodeNumberSpeculationExpectingDefined):
        (JSC::isFullNumberSpeculationExpectingDefined):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
        (JSC::ValueRecovery::inGPR):
        (JSC::ValueRecovery::displacedInJSStack):
        (JSC::ValueRecovery::isAlreadyInJSStack):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::needsTypeCheck):
        (JSC::DFG::AbstractInterpreter::filterByType):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::checkConsistency):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::couldBeType):
        (JSC::DFG::AbstractValue::isType):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::validateType):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::boxInt52):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        (JSC::DFG::enableInt52):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initInt52):
        (JSC::DFG::GenerationInfo::initStrictInt52):
        (JSC::DFG::GenerationInfo::isFormat):
        (JSC::DFG::GenerationInfo::isInt52):
        (JSC::DFG::GenerationInfo::isStrictInt52):
        (JSC::DFG::GenerationInfo::fillInt52):
        (JSC::DFG::GenerationInfo::fillStrictInt52):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateMachineInt):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasChild):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
        (JSC::DFG::Node::canSpeculateInt52):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeCanSpeculateInt52):
        * dfg/DFGNodeType.h:
        (JSC::DFG::permitsOSRBackwardRewiring):
        (JSC::DFG::forwardRewiringSelectionScore):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMachineInt):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateRealNumber):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::isFilled):
        (JSC::DFG::SpeculativeJIT::isFilledDouble):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::int52Result):
        (JSC::DFG::SpeculativeJIT::strictInt52Result):
        (JSC::DFG::SpeculativeJIT::initConstantInfo):
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
        (JSC::DFG::SpeculativeJIT::generationInfo):
        (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
        (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
        (JSC::DFG::SpeculateInt52Operand::edge):
        (JSC::DFG::SpeculateInt52Operand::node):
        (JSC::DFG::SpeculateInt52Operand::gpr):
        (JSC::DFG::SpeculateInt52Operand::use):
        (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
        (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
        (JSC::DFG::SpeculateStrictInt52Operand::edge):
        (JSC::DFG::SpeculateStrictInt52Operand::node):
        (JSC::DFG::SpeculateStrictInt52Operand::gpr):
        (JSC::DFG::SpeculateStrictInt52Operand::use):
        (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
        (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
        (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
        (JSC::DFG::SpeculateWhicheverInt52Operand::node):
        (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
        (JSC::DFG::SpeculateWhicheverInt52Operand::use):
        (JSC::DFG::SpeculateWhicheverInt52Operand::format):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::boxInt52):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileInt52Compare):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLCArgumentGetter.cpp:
        (JSC::FTL::CArgumentGetter::loadNextAndBox):
        * ftl/FTLCArgumentGetter.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::inJSStackAsInt52):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileAdd):
        (JSC::FTL::LowerDFGToLLVM::compileArithSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
        (JSC::FTL::LowerDFGToLLVM::lowInt32):
        (JSC::FTL::LowerDFGToLLVM::lowInt52):
        (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
        (JSC::FTL::LowerDFGToLLVM::opposite):
        (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::lowBoolean):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
        (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
        (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        (JSC::FTL::LowerDFGToLLVM::setInt52):
        (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::addWithOverflow64):
        (JSC::FTL::Output::subWithOverflow64):
        (JSC::FTL::Output::mulWithOverflow64):
        * ftl/FTLValueFormat.cpp:
        (WTF::printInternal):
        * ftl/FTLValueFormat.h:
        * ftl/FTLValueSource.cpp:
        (JSC::FTL::ValueSource::dump):
        * ftl/FTLValueSource.h:
        * interpreter/Register.h:
        (JSC::Register::unboxedInt52):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOffForInlineCallFrame):
        * runtime/IndexingType.cpp:
        (JSC::leastUpperBoundOfIndexingTypeAndType):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isMachineInt):
        (JSC::JSValue::asMachineInt):

2013-09-17  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r155771): js/stack-overflow-arrity-catch.html is crashing on non-Mac platforms
        https://bugs.webkit.org/show_bug.cgi?id=121376

        Reviewed by Oliver Hunt.

        Fix stack grow() call for stack growing down.  This should catch running out of stack space before
        we try to move the frame down due to arity mismatch.

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):

2013-09-18  Andreas Kling  <akling@apple.com>

        YARR: Put UCS2 canonicalization tables in read-only memory.
        <https://webkit.org/b/121547>

        Reviewed by Sam Weinig.

        These tables never mutate so mark them const.

2013-09-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r156019 and r156020.
        http://trac.webkit.org/changeset/156019
        http://trac.webkit.org/changeset/156020
        https://bugs.webkit.org/show_bug.cgi?id=121540

        Broke tests (Requested by ap on #webkit).

        * assembler/MacroAssemblerX86_64.h:
        * assembler/X86Assembler.h:
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/OperandsInlines.h:
        (JSC::::dumpInContext):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromValue):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt48Speculation):
        (JSC::isMachineIntSpeculationForArithmetic):
        (JSC::isInt48AsDoubleSpeculation):
        (JSC::isRealNumberSpeculation):
        (JSC::isNumberSpeculation):
        (JSC::isNumberSpeculationExpectingDefined):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::inGPR):
        (JSC::ValueRecovery::displacedInJSStack):
        (JSC::ValueRecovery::isAlreadyInJSStack):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::needsTypeCheck):
        (JSC::DFG::AbstractInterpreter::filterByType):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::checkConsistency):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::validateType):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::unboxDouble):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initInt32):
        (JSC::DFG::GenerationInfo::fillInt32):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateMachineInt):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasChild):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
        (JSC::DFG::Node::canSpeculateInt48):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeCanSpeculateInt48):
        * dfg/DFGNodeType.h:
        (JSC::DFG::forwardRewiringSelectionScore):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::shortOperandsDump):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateRealNumber):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::isFilled):
        (JSC::DFG::SpeculativeJIT::isFilledDouble):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::boxDouble):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::int32Result):
        (JSC::DFG::SpeculativeJIT::initConstantInfo):
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLCArgumentGetter.cpp:
        (JSC::FTL::CArgumentGetter::loadNextAndBox):
        * ftl/FTLCArgumentGetter.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileAdd):
        (JSC::FTL::LowerDFGToLLVM::compileArithSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
        (JSC::FTL::LowerDFGToLLVM::lowInt32):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::lowBoolean):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        (JSC::FTL::LowerDFGToLLVM::setInt32):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::mulWithOverflow32):
        * ftl/FTLValueFormat.cpp:
        (WTF::printInternal):
        * ftl/FTLValueFormat.h:
        * ftl/FTLValueSource.cpp:
        (JSC::FTL::ValueSource::dump):
        * ftl/FTLValueSource.h:
        * interpreter/Register.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOffForInlineCallFrame):
        * runtime/IndexingType.cpp:
        (JSC::leastUpperBoundOfIndexingTypeAndType):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:

2013-09-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * runtime/JSCJSValue.h:

2013-09-16  Filip Pizlo  <fpizlo@apple.com>

        DFG should support Int52 for local variables
        https://bugs.webkit.org/show_bug.cgi?id=121064

        Reviewed by Oliver Hunt.
        
        This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
        programs that have local int32 overflows but where a larger int representation can
        prevent us from having to convert all the way up to double.
        
        It's a small speed-up for now. But we're just supporting Int52 for a handful of
        operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
        the groundwork for adding Int52 to JSValue, which will probably be a bigger
        speed-up.
        
        The basic approach is:
        
        - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
          or HeapTop - i.e. it doesn't arise from JSValues.
        
        - DFG treats Int52 as being part of its FullTop and will treat it as being a
          subtype of double unless instructed otherwise.
        
        - Prediction propagator creates Int52s whenever we have a node going doubly but due
          to large values rather than fractional values, and that node is known to be able
          to produce Int52 natively in the DFG backend.
        
        - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
          to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
          input.
        
        - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
          are left-shifted by 16 (great for overflow checks) and ones that are
          sign-extended. Both backends know how to convert between Int52s and the other
          representations.

        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::rshift64):
        (JSC::MacroAssemblerX86_64::mul64):
        (JSC::MacroAssemblerX86_64::branchMul64):
        (JSC::MacroAssemblerX86_64::branchNeg64):
        (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::imulq_rr):
        (JSC::X86Assembler::cvtsi2sdq_rr):
        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        * bytecode/OperandsInlines.h:
        (JSC::::dumpInContext):
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromValue):
        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isMachineIntSpeculationForArithmetic):
        (JSC::isBytecodeRealNumberSpeculation):
        (JSC::isFullRealNumberSpeculation):
        (JSC::isBytecodeNumberSpeculation):
        (JSC::isFullNumberSpeculation):
        (JSC::isBytecodeNumberSpeculationExpectingDefined):
        (JSC::isFullNumberSpeculationExpectingDefined):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
        (JSC::ValueRecovery::inGPR):
        (JSC::ValueRecovery::displacedInJSStack):
        (JSC::ValueRecovery::isAlreadyInJSStack):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::virtualRegister):
        (JSC::ValueRecovery::dumpInContext):
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::needsTypeCheck):
        (JSC::DFG::AbstractInterpreter::filterByType):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::checkConsistency):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::couldBeType):
        (JSC::DFG::AbstractValue::isType):
        (JSC::DFG::AbstractValue::checkConsistency):
        (JSC::DFG::AbstractValue::validateType):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::boxInt52):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        (JSC::DFG::enableInt52):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initInt52):
        (JSC::DFG::GenerationInfo::initStrictInt52):
        (JSC::DFG::GenerationInfo::isFormat):
        (JSC::DFG::GenerationInfo::isInt52):
        (JSC::DFG::GenerationInfo::isStrictInt52):
        (JSC::DFG::GenerationInfo::fillInt52):
        (JSC::DFG::GenerationInfo::fillStrictInt52):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateMachineInt):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasChild):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        (JSC::DFG::forwardRewiringSelectionScore):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSilentRegisterSavePlan.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMachineInt):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateRealNumber):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::isFilled):
        (JSC::DFG::SpeculativeJIT::isFilledDouble):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::isKnownInteger):
        (JSC::DFG::SpeculativeJIT::isKnownCell):
        (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
        (JSC::DFG::SpeculativeJIT::int52Result):
        (JSC::DFG::SpeculativeJIT::strictInt52Result):
        (JSC::DFG::SpeculativeJIT::initConstantInfo):
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
        (JSC::DFG::SpeculativeJIT::generationInfo):
        (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
        (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
        (JSC::DFG::SpeculateInt52Operand::edge):
        (JSC::DFG::SpeculateInt52Operand::node):
        (JSC::DFG::SpeculateInt52Operand::gpr):
        (JSC::DFG::SpeculateInt52Operand::use):
        (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
        (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
        (JSC::DFG::SpeculateStrictInt52Operand::edge):
        (JSC::DFG::SpeculateStrictInt52Operand::node):
        (JSC::DFG::SpeculateStrictInt52Operand::gpr):
        (JSC::DFG::SpeculateStrictInt52Operand::use):
        (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
        (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
        (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
        (JSC::DFG::SpeculateWhicheverInt52Operand::node):
        (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
        (JSC::DFG::SpeculateWhicheverInt52Operand::use):
        (JSC::DFG::SpeculateWhicheverInt52Operand::format):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::boxInt52):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileInt52Compare):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isNumerical):
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dump):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):
        (JSC::DFG::ValueSource::forFlushFormat):
        (JSC::DFG::ValueSource::valueRecovery):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::flushFormat):
        * ftl/FTLCArgumentGetter.cpp:
        (JSC::FTL::CArgumentGetter::loadNextAndBox):
        * ftl/FTLCArgumentGetter.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::inJSStackAsInt52):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileAdd):
        (JSC::FTL::LowerDFGToLLVM::compileArithSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
        (JSC::FTL::LowerDFGToLLVM::lowInt32):
        (JSC::FTL::LowerDFGToLLVM::lowInt52):
        (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
        (JSC::FTL::LowerDFGToLLVM::opposite):
        (JSC::FTL::LowerDFGToLLVM::Int52s::operator[]):
        (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
        (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s):
        (JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::lowBoolean):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
        (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
        (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        (JSC::FTL::LowerDFGToLLVM::setInt52):
        (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::addWithOverflow64):
        (JSC::FTL::Output::subWithOverflow64):
        (JSC::FTL::Output::mulWithOverflow64):
        * ftl/FTLValueFormat.cpp:
        (WTF::printInternal):
        * ftl/FTLValueFormat.h:
        * ftl/FTLValueSource.cpp:
        (JSC::FTL::ValueSource::dump):
        * ftl/FTLValueSource.h:
        * interpreter/Register.h:
        (JSC::Register::unboxedInt52):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOffForInlineCallFrame):
        * runtime/IndexingType.cpp:
        (JSC::leastUpperBoundOfIndexingTypeAndType):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isMachineInt):
        (JSC::JSValue::asMachineInt):

2013-09-17  Filip Pizlo  <fpizlo@apple.com>

        Use CheckStructure for checking the types of typed arrays whenever possible
        https://bugs.webkit.org/show_bug.cgi?id=121514

        Reviewed by Oliver Hunt.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        (JSC::DFG::ArrayMode::refine):
        (JSC::DFG::ArrayMode::originalArrayStructure):
        (JSC::DFG::arrayClassToString):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::ArrayMode):
        (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::isOriginalTypedArrayStructure):

2013-09-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should use the (x & 0x7fffffff) trick for doing overflow and neg-zero checks on negation in one go
        https://bugs.webkit.org/show_bug.cgi?id=121520

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):

2013-09-17  Andreas Kling  <akling@apple.com>

        Pack create_hash_table tables better.
        <https://webkit.org/b/121517>

        Reviewed by Sam Weinig.

        Reduces JavaScriptCore binary size by 4648 bytes.

        * create_hash_table:
        * runtime/Lookup.h:

            Reorder HashTableValue members to avoid unnecessary padding.

2013-09-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFG doesn't properly keep scope alive for op_put_to_scope
        https://bugs.webkit.org/show_bug.cgi?id=121519

        Reviewed by Michael Saboff.

        This was a latent bug that can't actually occur in ToT. It was uncovered by causing slow 
        path calls in the baseline JIT for op_put_to_scope in places where we couldn't before (but 
        which were necessary for gen GC).

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-09-17  Filip Pizlo  <fpizlo@apple.com>

        Don't GC while OSR compiling
        https://bugs.webkit.org/show_bug.cgi?id=121513

        Reviewed by Mark Hahnenberg.
        
        Fixes some rare crashes that I see in ConservativeRoots, while in a GC from OSR exit
        compilation.

        * dfg/DFGOSRExitCompiler.cpp:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):

2013-09-17  Alberto Garcia  <berto@igalia.com>

        Unreviewed make distcheck fix.

        * GNUmakefile.list.am:

2013-09-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkedBlocks shouldn't be put in Allocated state if they didn't produce a FreeList
        https://bugs.webkit.org/show_bug.cgi?id=121236

        Reviewed by Geoffrey Garen.

        Right now, after a collection all MarkedBlocks are in the Marked block state. When lazy sweeping 
        happens, if a block returns an empty free list after being swept, we call didConsumeFreeList(), 
        which moves the block into the Allocated block state. This happens to both the block that was 
        just being allocated out of (i.e. m_currentBlock) as well as any blocks who are completely full. 
        We should distinguish between these two cases: m_currentBlock should transition to 
        Allocated (because we were just allocating out of it) and any subsequent block that returns an 
        empty free list should transition back to the Marked state. This will make the block state more 
        consistent with the actual state the block is in, and it will also allow us to speed up moving 
        all blocks the the Marked state during generational collection.

        Added new RAII-style HeapIterationScope class that notifies the Heap when it is about to be 
        iterated and when iteration has finished. Any clients that need accurate liveness data when 
        iterating over the Heap now need to use a HeapIterationScope so that the state of Heap can 
        be properly restored after they are done iterating. No new GC-allocated objects can be created 
        until this object goes out of scope.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp: 
        (JSC::Debugger::recompileAllJSFunctions): Added HeapIterationScope for the Recompiler iteration.
        * heap/Heap.cpp:
        (JSC::Heap::willStartIterating): Callback used by HeapIterationScope to indicate that iteration of 
        the Heap is about to begin. This will cause cell liveness data to be canonicalized by calling stopAllocating.
        (JSC::Heap::didFinishIterating): Same, but indicates that iteration has finished.
        (JSC::Heap::globalObjectCount): Used HeapIterationScope.
        (JSC::Heap::objectTypeCounts): Ditto.
        (JSC::Heap::markDeadObjects): Ditto.
        (JSC::Heap::zombifyDeadObjects): Ditto.
        * heap/Heap.h:
        * heap/HeapIterationScope.h: Added. New RAII-style object for indicating to the Heap that it's about
        to be iterated or that iteration has finished.
        (JSC::HeapIterationScope::HeapIterationScope):
        (JSC::HeapIterationScope::~HeapIterationScope):
        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::showObjectStatistics): Used new HeapIterationScope.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper): We now treat the case where we have just finished 
        allocating out of the current block differently from the case where we sweep a block and it 
        returns an empty free list. This was the primary point of this patch.
        (JSC::MarkedAllocator::allocateSlowCase): ASSERT that nobody is currently iterating the Heap 
        when allocating.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::reset): All allocators are reset after every collection. We need to make 
        sure that the m_lastActiveBlock gets cleared, which it might not always because we don't call 
        takeCanonicalizedBlock on blocks in the large allocators.
        (JSC::MarkedAllocator::stopAllocating): We shouldn't already have a last active block,
        so ASSERT as much.
        (JSC::MarkedAllocator::resumeAllocating): Do the opposite of what stopAllocating
        does. So, if we don't have a m_lastActiveBlock then we don't have to worry about undoing anything
        done by stopAllocating. If we do, then we call resumeAllocating on the block, which returns the FreeList
        as it was prior to stopping allocation. We then set the current block to the last active block and 
        clear the last active block. 
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::resumeAllocating): Any block resuming allocation should be in 
        the Marked state, so ASSERT as much. We always allocate a m_newlyAllocated Bitmap if we're
        FreeListed, so if we didn't allocate one then we know we were Marked when allocation was stopped,
        so just return early with an empty FreeList. If we do have a non-null m_newlyAllocated Bitmap
        then we need to be swept in order to rebuild our FreeList.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::didConsumeEmptyFreeList): This is called if we ever sweep a block and get back
        an empty free list. Instead of transitioning to the Allocated state, we now go straight back to the 
        Marked state. This makes sense because we weren't actually allocated out of, so we shouldn't be in 
        the allocated state. Also added some ASSERTs to make sure that we're in the state that we expect: all of
        our mark bits should be set and we should not have a m_newlyAllocated Bitmap.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::forEachAllocator): Added a new functor-style iteration method so that we can 
        easily iterate over each allocator for, e.g., stopping and resuming allocators without
        duplicating code. 
        (JSC::StopAllocatingFunctor::operator()): New functors for use with forEachAllocator.
        (JSC::MarkedSpace::stopAllocating): Ditto.
        (JSC::ResumeAllocatingFunctor::operator()): Ditto.
        (JSC::MarkedSpace::resumeAllocating): Ditto.
        (JSC::MarkedSpace::willStartIterating): Callback that notifies MarkedSpace that it is being iterated.
        Does some ASSERTs, sets a flag, canonicalizes cell liveness data by calling stopAllocating.
        (JSC::MarkedSpace::didFinishIterating): Ditto, but to signal that iteration has completed.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::iterationInProgress): Returns true if a HeapIterationScope is currently active.
        (JSC::MarkedSpace::forEachLiveCell): Accepts a HeapIterationScope to enforce the rule that you have to 
        create one prior to iterating over the Heap.
        (JSC::MarkedSpace::forEachDeadCell): Ditto.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::haveABadTime): Changed to use new HeapIterationScope.
        * runtime/VM.cpp:
        (JSC::VM::releaseExecutableMemory): Ditto.

2013-09-16  Filip Pizlo  <fpizlo@apple.com>

        Inlining should work in debug mode (i.e. Executable::newCodeBlock() should call recordParse())
        https://bugs.webkit.org/show_bug.cgi?id=121444

        Reviewed by Mark Hahnenberg.

        * dfg/DFGArgumentPosition.h: Fix a bug discovered by reenabling inlining. ArgumentPosition may point to the non-canonical VariableAccessData but users of someVariable() want the canonical one.
        (JSC::DFG::ArgumentPosition::someVariable):
        * runtime/Executable.cpp: Call recordParse() so that the Executable knows things about itself (like if it has captured variables). Otherwise those fields are uninitialized.
        (JSC::ScriptExecutable::newCodeBlockFor):

2013-09-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        Aligned argument signatures of setupArgumentsWithExecState are missing on MIPS.
        https://bugs.webkit.org/show_bug.cgi?id=121439

        Reviewed by Geoffrey Garen.

        Missing implementations of setupArgumentsWithExecState added.

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2013-09-16  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix typo in subp implementation in LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=121438

        Reviewed by Andreas Kling.

        * offlineasm/sh4.rb:

2013-09-16  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Handle subp opcode with 3 operands and bpbeq opcode in LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=121412

        Reviewed by Andreas Kling.

        * offlineasm/sh4.rb:

2013-09-15  Gustavo Noronha Silva  <gns@gnome.org>

        Unreviewed make distcheck fix.

        * GNUmakefile.list.am:

2013-09-15  Filip Pizlo  <fpizlo@apple.com>

        Deoptimize deoptimization: make DFGOSRExitCompiler64.cpp more hackable
        https://bugs.webkit.org/show_bug.cgi?id=121374

        Reviewed by Geoffrey Garen.
        
        This reduces the size of DFGOSRExitCompiler64.cpp by almost 50%, and makes it
        super easy to add new recovery kinds. For recoveries that involve reboxing, it
        allows you to keep most of the code common between the on-stack and in-reg
        cases: they all get funneled through the "load from scratch buffer, convert,
        and then store to stack" logic.
        
        This opens up a bunch of possibilities. It'll make adding Int48 much easier,
        and it probably will come in handy as we do various DFG stack layout changes in
        support of the FTL.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::dumpInContext):
        (JSC::ValueRecovery::dump):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::shortOperandsDump):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2013-09-14  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to add new nodes that do OSR forward rewiring in both DFG and FTL
        https://bugs.webkit.org/show_bug.cgi?id=121371

        Reviewed by Sam Weinig.
        
        Forward rewiring is a tricky part of OSR that handles the following:
        
            a: Something(...)
               SetLocal(@a, locX)
            b: Int32ToDouble(@a)
            c: SomethingThatExits(@b)
               <no further uses of @a or @b>

        Note that at @c, OSR will think that locX->@a, but @a will be dead. So it must be
        smart enough to find @b, which contains an equivalent value. It must do this for
        any identity functions we support. Currently we support four such functions.
        
        Currently the code for doing this is basically duplicated between the DFG and the
        FTL. Also both versions of the code have some really weirdly written logic for
        picking the "best" identity function to use.
        
        We should fix this by simply having a way to ask "is this node an identity
        function, and if so, then how good is it?"  Then both the DFG and FTL could use
        this and have no hard-wired knowledge of those identity functions.
        
        While we're at it, this also changes some terminology because I found the use of
        the word "needs" confusing. Note that this retains the somewhat confusing behavior
        that we don't search all possible forward/backward uses. We only search one step
        in each direction. This is because we only need to handle cases that FixupPhase
        and the parser insert. All other code that tries to insert intermediate conversion
        nodes should ensure to Phantom the original node. For example, the following
        transformation is illegal:
        
        Before:
            x: SomethingThatExits(@a)
        
        After:
            w: Conversion(@a)
            x: SomethingThatExits(@w)
        
        The correct form of that transformation is one of these:
        
        Correct #1:
        
            v: DoAllChecks(@a) // exit here
            w: Conversion(@a)
            x: Something(@w) // no exit
        
        Correct #2:
        
            w: Conversion(@a)
            x: SomethingThatExits(@w)
            y: Phantom(@a)
        
        Correct #3:
        
            w: Conversion(@a)
            x: SomethingThatExits(@w, @a)
        
        Note that we use #3 for some heap accesses, but of course it requires that the
        node you're using has an extra slot for a "dummy" use child.
        
        Broadly speaking though, such transformations should be relegated to something
        below DFG IR, like LLVM IR.

        * dfg/DFGNodeType.h:
        (JSC::DFG::forwardRewiringSelectionScore):
        (JSC::DFG::needsOSRForwardRewiring):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

2013-09-14  Filip Pizlo  <fpizlo@apple.com>

        Rename IntegerBranch/IntegerCompare to Int32Branch/Int32Compare.

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32Compare):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32Compare):

2013-09-13  Filip Pizlo  <fpizlo@apple.com>

        Rename SpeculativeJIT::integerResult() to int32Result().

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithIMul):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::int32Result):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-09-13  Michael Saboff  <msaboff@apple.com>

        FTL JIT broke after r155711
        https://bugs.webkit.org/show_bug.cgi?id=121332

        Reviewed by Geoffrey Garen.

        Fixed OSR entry to use the local variable's index instead of its VirtualRegister.
        Initialized ExitArgumentForOperand::m_operand to InvalidVirtualRegister instead of -1.
        Fixed compileCallOrConstruct() to update locals on callframe going down.
        Fixed prepareOSREntry() to grow stack down if needed.

        * ftl/FTLExitArgumentForOperand.h:
        (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):

2013-09-13  Anders Carlsson  <andersca@apple.com>

        Avoid a couple of zero-sized fastMalloc calls
        https://bugs.webkit.org/show_bug.cgi?id=121333

        Reviewed by Geoffrey Garen.

        * API/JSStringRefCF.cpp:
        (JSStringCopyCFString):
        Return an empty constant CFStringRef if the JSStringRef is empty.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
        Don't allocate an empty m_jsStrings array if m_jsStringsSize is 0.

2013-09-13  Filip Pizlo  <fpizlo@apple.com>

        DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
        https://bugs.webkit.org/show_bug.cgi?id=121330

        Reviewed by Mark Hahnenberg and Oliver Hunt.
        
        Also print whether a function is strict mode in debug dumps.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dumpInContext):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-09-13  Anders Carlsson  <andersca@apple.com>

        Use nullptr instead of 0 in calls to HashMap::add
        https://bugs.webkit.org/show_bug.cgi?id=121322

        Reviewed by Sam Weinig.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
        (JSC::BytecodeGenerator::addStringConstant):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):

2013-09-13  Oliver Hunt  <oliver@apple.com>

        Try to kill initialiser expression in for-in statements
        https://bugs.webkit.org/show_bug.cgi?id=121311

        Reviewed by Gavin Barraclough.

        We'd like to get rid of this pointless initialiser expression
        in for-in statements.  Unfortunately we have to keep the no_in
        variant of expression parsing to avoid ambiguity in the grammar.
        There's a possibility that this will need to be rolled out, but
        we'll need to live on it to see.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createForInLoop):
        * parser/NodeConstructors.h:
        (JSC::ForInNode::ForInNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseForStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createForInLoop):

2013-09-12  Michael Saboff  <msaboff@apple.com>

        fourthTier: Change JSStack to grow from high to low addresses
        https://bugs.webkit.org/show_bug.cgi?id=118758

        Reviewed by Oliver Hunt.

        Changed the JSC stack to grow down.  Effectively the JSC stack frame is flipped from
        what it was.  See JSStack.h for the new offsets.  Changed JSStack begin() and end()
        to be getBaseOfStack() and getLimitOfStack().  Most of the changes are address or offset
        calculation changes.  Decoupled a local register ordinal (loop variable or array index)
        from the offset into the callFrame using localToOperand() and the inverse operandToLocal().

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::trustedImm32ForShift):
        (JSC::MacroAssembler::lshiftPtr): Added to create scaled addresses with a negative index
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::lshift64): Added to create scaled addresses with a negative index
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::shlq_i8r): Added to create scaled addresses with a negative index
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (JSC::unmodifiedArgumentsRegister):
        (JSC::CodeBlock::isCaptured):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::stackOffset):
        * bytecode/Operands.h:
        (JSC::localToOperand):
        (JSC::operandIsLocal):
        (JSC::operandToLocal):
        (JSC::operandIsArgument):
        (JSC::operandToArgument):
        (JSC::argumentToOperand):
        * bytecode/VirtualRegister.h: Made InvalidVirtualRegister a positive value that fits in
        31 bits since it can be placed into the 31 bit field "stackOffset" in struct InlineCallFrame.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
        (JSC::BytecodeGenerator::newRegister):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::allocate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callFrameSlot):
        (JSC::DFG::SpeculativeJIT::argumentSlot):
        (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::argumentTagSlot):
        (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::reportValidationContext):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddSpan):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::frameExtentInternal):
        * interpreter/CallFrame.h:
        (JSC::ExecState::init):
        (JSC::ExecState::argumentOffset):
        (JSC::ExecState::argumentOffsetIncludingThis):
        (JSC::ExecState::argIndexForRegister):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        (JSC::Interpreter::dumpRegisters):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::~JSStack):
        (JSC::JSStack::growSlowCase):
        (JSC::JSStack::gatherConservativeRoots):
        (JSC::JSStack::releaseExcessCapacity):
        (JSC::JSStack::disableErrorStackReserve):
        * interpreter/JSStack.h:
        (JSC::JSStack::getBaseOfStack):
        (JSC::JSStack::getLimitOfStack):
        (JSC::JSStack::size):
        (JSC::JSStack::end):
        (JSC::JSStack::containsAddress):
        (JSC::JSStack::lowAddress):
        (JSC::JSStack::highAddress):
        (JSC::JSStack::reservationEnd):
        (JSC::JSStack::shrink):
        (JSC::JSStack::grow):
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::getTopOfFrame):
        (JSC::JSStack::pushFrame):
        (JSC::JSStack::popFrame):
        (JSC::JSStack::installTrapsAfterFrame):
        * interpreter/StackVisitor.cpp:
        (JSC::inlinedFrameOffset):
        (JSC::StackVisitor::readInlinedFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileOpCall):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::genericCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArgList.cpp:
        (JSC::ArgList::getSlice):
        (JSC::MarkedArgumentBuffer::slowAppend):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::slotFor):
        (JSC::MarkedArgumentBuffer::mallocBase):
        (JSC::ArgList::at):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSActivation.h:
        (JSC::JSActivation::registersOffset):
        (JSC::JSActivation::tearOff):
        (JSC::JSActivation::isValidIndex):
        * runtime/JSArray.h:
        (JSC::constructArrayNegativeIndexed): New method to create an array from registers that grow down.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::globalExec):
        * runtime/JSGlobalObject.h:
        (JSC::constructArrayNegativeIndexed):
        * runtime/JSString.h:
        * runtime/Operations.h:
        (JSC::jsStringFromRegisterArray):
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::captureCount):

2013-09-13  Csaba Osztrogonác  <ossy@webkit.org>

        ARM EABI hardfp buildfix after r155675
        https://bugs.webkit.org/show_bug.cgi?id=121287

        Reviewed by Geoffrey Garen.

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):

2013-09-13  Youngho Yoo  <youngho33.yoo@lge.com>

        Fixed crash in V8 benchmark suite in ARM,softp,EABI environment. 
        https://bugs.webkit.org/show_bug.cgi?id=117281

        Reviewed by Michael Saboff.

        Fix the missing EABI_32BIT_DUMMY_ARG in FPRReg using callOperation function.

        Test 1 : fast/js/array-with-double-assign.html
        Test 2 : fast/js/array-with-double-push.html

        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-09-12  Filip Pizlo  <fpizlo@apple.com>

        DFG::Int32Operand and fillInt32() should go away and all uses should be replaced with SpeculateInt32Operand
        https://bugs.webkit.org/show_bug.cgi?id=121268

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):

2013-09-12  Geoffrey Garen  <ggaren@apple.com>

        Web Inspector shouldn't artificially allocate the arguments object in functions that don't use it
        https://bugs.webkit.org/show_bug.cgi?id=121206
        <rdar://problem/6911886>

        Reviewed by Joseph Pecoraro.

        This is a step toward better tools, and a 23% speedup in a simple
        JavaScript benchmark run with the Web Inspector open.

        We want the Web Inspector to be fast, and we want it to produce reliable
        CPU and memory profiles. We can't do that if just opening the Web Inspector
        incurs huge CPU/memory penalties like the arguments object.

        Also, since use of the 'arguments' identifier is an API for allocating
        an object, I think it's good for the UI to let developers know when
        they've invoked that API and when they haven't.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator): No need to allocate the
        arguments object artificially for the debugger's sake. The activation
        object no longer assumes that the stack frame is laid out for one.

        (Long-term, this code will move out of the activation object, into a
        special object for interfacing with the debugger.)

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        (JSC::JSActivation::getOwnPropertySlot): Don't advertise or provide an
        arguments object if the user function didn't include one. The bytecode
        generator will not have laid out the stack frame to support one.

        (Eventually, we do want the Web Inspector to see an arguments
        object in scope in the console. That's a one-line change in JSActivation,
        but it's blocked by https://bugs.webkit.org/show_bug.cgi?id=121208.)

        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h: Removed this obsolete performance
        work-around. C++ property access to an activation object is no longer
        hot.

2013-09-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rolling out r155632

        Broke some tests.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        * heap/MarkedBlock.h:

2013-09-12  Ryosuke Niwa  <rniwa@webkit.org>

        Qt build fix. Add a return to make the compiler happy.

        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueRegs::gpr):

2013-09-12  Filip Pizlo  <fpizlo@apple.com>

        DFG::GenerationInfo init/fill methods shouldn't duplicate a bunch of logic
        https://bugs.webkit.org/show_bug.cgi?id=121253

        Reviewed by Oliver Hunt.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initGPR):
        (JSC::DFG::GenerationInfo::initInt32):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::fillGPR):
        (JSC::DFG::GenerationInfo::fillJSValue):
        (JSC::DFG::GenerationInfo::fillCell):
        (JSC::DFG::GenerationInfo::fillInt32):
        (JSC::DFG::GenerationInfo::fillBoolean):
        (JSC::DFG::GenerationInfo::fillStorage):

2013-09-12  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix mispelling (Specualte -> Speculate) that I introduced in an
        earlier patch.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateInt32Operand::gpr):
        (JSC::DFG::SpeculateStrictInt32Operand::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):

2013-09-12  Filip Pizlo  <fpizlo@apple.com>

        GPRTemporary's reuse constructor should be templatized to reduce code duplication, and the bool to denote tag or payload should be replaced with an enum
        https://bugs.webkit.org/show_bug.cgi?id=121250

        Reviewed by Oliver Hunt.

        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueRegs::gpr):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::JSValueOperand::gpr):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSCJSValue.h:

2013-09-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkedBlocks shouldn't be put in Allocated state if they didn't produce a FreeList
        https://bugs.webkit.org/show_bug.cgi?id=121236

        Reviewed by Geoffrey Garen.

        Right now, after a collection all MarkedBlocks are in the Marked block state. When lazy sweeping 
        happens, if a block returns an empty free list after being swept, we call didConsumeFreeList(), 
        which moves the block into the Allocated block state. This happens to both the block that was 
        just being allocated out of (i.e. m_currentBlock) as well as any blocks who are completely full. 
        We should distinguish between these two cases: m_currentBlock should transition to 
        Allocated (because we were just allocating out of it) and any subsequent block that returns an 
        empty free list should transition back to the Marked state. This will make the block state more 
        consistent with the actual state the block is in, and it will also allow us to speed up moving 
        all blocks to the Marked state during generational collection.

        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::didConsumeEmptyFreeList):

2013-09-12  Mark Lam  <mark.lam@apple.com>

        Change debug hooks to pass sourceID and position info via the DebuggerCallFrame.
        https://bugs.webkit.org/show_bug.cgi?id=121214.

        Reviewed by Geoffrey Garen.

        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::sourceId):
        (JSC::DebuggerCallFrame::clear):
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::line):
        (JSC::DebuggerCallFrame::column):
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):

2013-09-12  Csaba Osztrogonác  <ossy@webkit.org>

        Add back c++11 features removed by buildfixes after all ports did the switch
        https://bugs.webkit.org/show_bug.cgi?id=119266

        Reviewed by Anders Carlsson.

        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::codeType):
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::sourceURL):
        (JSC::StackVisitor::Frame::print):

2013-09-12  Mikhail Pozdnyakov  <mikhail.pozdnyakov@intel.com>

        Remove home-brewed nullptr
        https://bugs.webkit.org/show_bug.cgi?id=119624

        Reviewed by Anders Carlsson.

        The standard C++11 nullptr and std::nullptr_t type should be used now.

        * heap/PassWeak.h:
        * heap/Weak.h:

2013-09-11  Filip Pizlo  <fpizlo@apple.com>

        Rename initInteger() to initInt32()

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initInt32):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::integerResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-09-11  Filip Pizlo  <fpizlo@apple.com>

        Rename IntegerOperand to Int32Operand and fillInteger() to fillInt32().

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::fillInt32):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::Int32Operand::Int32Operand):
        (JSC::DFG::Int32Operand::~Int32Operand):
        (JSC::DFG::Int32Operand::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInt32):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2013-09-11  Filip Pizlo  <fpizlo@apple.com>

        FixupPhase should always call fixEdge() exactly once for every edge
        https://bugs.webkit.org/show_bug.cgi?id=121211

        Reviewed by Geoffrey Garen.
        
        Previously we only call fixEdge() on edges that we want to make typed. UntypedUse
        edges don't get fixEdge() called. This makes it difficult to add functionality in
        fixEdge() that runs for UntypedUses. It's difficult to remember to call fixEdge()
        for every edge that we don't want to turn into a typed edge; in an alternative
        universe where we did this, it would mean that every case in FixupPhase would
        have to make a fixEdge() call for *every* edge even ones that it doesn't want to
        modify.
        
        This patch takes a different path. fixEdge() must never be called explicitly with
        UntypedUse. fixEdge() should be used to set the UseKind of edges. Consequently,
        all that FixupPhase has to do is call fixEdge<UntypedUse>(edge) for every edge
        that was still UntypedUse after we are done processing a node.
        
        This is cheap and easy to implement and ought to be easy to maintain. We won't
        have a need to call fixEdge<UntypedUse>(edge) explicitly, so depending on that is
        only natural.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::observeUntypedEdge):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):

2013-09-11  Filip Pizlo  <fpizlo@apple.com>

        FixupPhase's setUseKindAndUnboxBlahbittyblah and fixDoubleEdge methods should be merged and given intuitive names
        https://bugs.webkit.org/show_bug.cgi?id=121202

        Reviewed by Geoffrey Garen.
        
        Got rid of a method whose name was so descriptive that I couldn't ever remember
        it. And despite the descriptive name, I always had to look at its implementation
        to remind myself what it did, anyway.
        
        Now that method is called fixEdge(). This is a good name because we're in a phase
        called FixupPhase, and we call this fixEdge() method on pretty much every edge.
        For the Int48 work, it makes more sense for this method to be a kind of hook into
        which we can place various things: it's just a way of observing edges that need
        attention.
        
        As part of this refactoring, I also fold fixDoubleEdge into fixEdge. This makes
        sense because previously it was never correct to call fixDoubleEdge with non-
        double use kinds; and conversely it was never correct to call fixEdge with double
        use kinds.
        
        Also I found that isDouble() in DFGUseKind.h would return true for KnownInt32Use.
        That's almost certainly wrong, and removing that behavior doesn't fail any tests.
        I'm assuming that was just a bug.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToPrimitive):
        (JSC::DFG::FixupPhase::fixupToString):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGUseKind.h:
        (JSC::DFG::isDouble):

2013-09-11  Mark Lam  <mark.lam@apple.com>

        Fixed indentation in JSC Debugger header files.
        https://bugs.webkit.org/show_bug.cgi?id=121203.

        Reviewed by Ryosuke Niwa.

        * debugger/Debugger.h:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerCallFrame.h:
        (JSC::DebuggerCallFrame::DebuggerCallFrame):
        (JSC::DebuggerCallFrame::callFrame):
        (JSC::DebuggerCallFrame::dynamicGlobalObject):
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::exception):

2013-09-11  Filip Pizlo  <fpizlo@apple.com>

        Remove needsDataFormatConversion because it is unused.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/DataFormat.h:

2013-09-11  Filip Pizlo  <fpizlo@apple.com>

        Rename fillSpeculateInt to fillSpeculateInt32.

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateInt32Operand::gpr):
        (JSC::DFG::SpeculateStrictInt32Operand::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Strict):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32):
        (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Strict):

2013-09-11  Filip Pizlo  <fpizlo@apple.com>

        Rename DataFormatInteger to DataFormatInt32.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/DataFormat.h:
        (JSC::dataFormatToString):
        (JSC::needDataFormatConversion):
        (JSC::isJSInt32):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::inGPR):
        (JSC::ValueRecovery::displacedInJSStack):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::isJSInt32):
        (JSC::DFG::GenerationInfo::fillInteger):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::checkConsistency):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::integerResult):
        (JSC::DFG::SpeculativeJIT::jsValueResult):
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::IntegerOperand::format):
        (JSC::DFG::SpeculateInt32Operand::format):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.h:
        (JSC::DFG::dataFormatToValueSourceKind):
        (JSC::DFG::valueSourceKindToDataFormat):

2013-09-11  Filip Pizlo  <fpizlo@apple.com>

        Int32ToDouble should be predicted SpecInt48 and predictions should have nothing to do with constant folding
        https://bugs.webkit.org/show_bug.cgi?id=121141

        Reviewed by Oliver Hunt.
        
        Just changing Int32ToDouble to be predicted SpecInt48 breaks constant folding on that
        node because of soooper old code that prevented constant folding on mismatched
        predictions. Kill that code.

        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::setConstant):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):

2013-09-10  Filip Pizlo  <fpizlo@apple.com>

        VariableAccessData::flushFormat() should be the universal way of deciding how to speculate on stores to locals and how locals are formatted
        https://bugs.webkit.org/show_bug.cgi?id=121142

        Reviewed by Geoffrey Garen.
        
        Make everyone rely on VariableAccessData::flushFormat() instead of trying to
        compute that information from scratch. The FTL already used flushFormat(), now
        the DFG does, too.

        * dfg/DFGArgumentPosition.h:
        (JSC::DFG::ArgumentPosition::someVariable):
        (JSC::DFG::ArgumentPosition::flushFormat):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::forFlushFormat):
        * dfg/DFGVariableAccessDataDump.cpp:
        (JSC::DFG::VariableAccessDataDump::dump):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):

2013-09-11  Oliver Hunt  <oliver@apple.com>

        Partial Information Leakage in Hash Table implementations (PrivateName)
        https://bugs.webkit.org/show_bug.cgi?id=120663

        Reviewed by Michael Saboff.

        Undo change to the PropertyTable in my last patch, instead lets just
        use a random value as the initial hash for unique strings.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::findWithString):
        (JSC::PropertyTable::rehash):

2013-09-11  Oliver Hunt  <oliver@apple.com>

        Partial Information Leakage in Hash Table implementations (PrivateName)
        https://bugs.webkit.org/show_bug.cgi?id=120663

        Reviewed by Michael Saboff.

        These hashtables mix keys that are hashed on pointers or user controlled
        data.  To prevent any potential information leak we mask the keys with
        a per table entropy value.

        * runtime/MapData.cpp:
        (JSC::MapData::MapData):
        (JSC::MapData::find):
        (JSC::MapData::add):
        (JSC::MapData::remove):
        * runtime/MapData.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::findWithString):
        (JSC::PropertyTable::rehash):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):

2013-09-11  Sam Weinig  <sam@webkit.org>

        MapData and WeakMapData don't need to be objects
        https://bugs.webkit.org/show_bug.cgi?id=121167

        Reviewed by Geoffrey Garen.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::mapStructure):
        Remove MapData and WeakMapData structures (they moved to VM with other non-object Structures).

        * runtime/JSMap.cpp:
        (JSC::JSMap::finishCreation):
        * runtime/JSMap.h:
        (JSC::JSMap::create):
        * runtime/JSSet.cpp:
        (JSC::JSSet::finishCreation):
        * runtime/JSSet.h:
        (JSC::JSSet::create):
        * runtime/JSWeakMap.cpp:
        (JSC::JSWeakMap::finishCreation):
        * runtime/JSWeakMap.h:
        (JSC::JSWeakMap::create):
        Update to not pass a global object to the MapData or WeakMapData Structure.

        * runtime/MapData.cpp:
        (JSC::MapData::MapData):
        * runtime/MapData.h:
        (JSC::MapData::create):
        (JSC::MapData::createStructure):
        * runtime/WeakMapData.cpp:
        (JSC::WeakMapData::WeakMapData):
        (JSC::WeakMapData::set): Change to take a VM rather than a CallFrame, as that it all it needs.
        * runtime/WeakMapData.h:
        (JSC::WeakMapData::create):
        (JSC::WeakMapData::createStructure):
        Instead of inheriting from JSDestructibleObject, inherit from JSCell and mark self as needing destruction
        and having an immortal structure.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        Add MapData and WeakMapData Structures.

        * runtime/WeakMapPrototype.cpp:
        (JSC::protoFuncWeakMapSet):
        Pass a VM rather than an ExecState.

2013-09-10  Filip Pizlo  <fpizlo@apple.com>

        Propagate the Int48 stuff into the prediction propagator.
        https://bugs.webkit.org/show_bug.cgi?id=121132

        Reviewed by Mark Hahnenberg.
        
        This still has no effect on codegen since Int48 still looks like a Double right now.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromValue):
        * bytecode/SpeculatedType.h:
        (JSC::isMachineIntSpeculation):
        (JSC::isMachineIntSpeculationExpectingDefined):
        (JSC::isMachineIntSpeculationForArithmetic):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateMachineInt):
        (JSC::DFG::Graph::mulShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        (JSC::DFG::Graph::hasExitSite):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMachineInt):
        (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic):
        (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined):
        (JSC::DFG::Node::canSpeculateInt48):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeCanSpeculateInt48):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2013-09-10  Filip Pizlo  <fpizlo@apple.com>

        Be explicit about backwards propagation properties that care about escaping to bytecode, as opposed to just escaping within DFG code.

        Rubber stamped by Mark Hahnenberg.
        
        We need to care about escaping to bytecode if we're doing a lossy optimization,
        i.e. the optimization means we produce less information and so we can't rescue
        ourselves during OSR exit.
        
        We only need to care about escaping within the DFG code (and can ignore what
        might happen in bytecode) if we're doing an optimization that is lossless, i.e.
        we can always still reconstruct the values that bytecode wants.
        
        Example #1:
        
            Large int32 + int32 which overflows. We want to optimize away the overflow
            check and just do a 32-bit add.
            
            This is lossy; the result should have one extra bit but we simply throw
            that bit away by doing a check-less 32-bit add. Hence we need to know that 
            even the bytecode wouldn't have cared about that bit. This is true in cases
            like (a + b) | 0.
        
        Example #2:
        
            Larbe int32 + int32 which overflows. We want to optimize away the overflow
            check by doing a 64-bit add.
            
            This is lossless. We can always convert the resulting 64-bit int back to a
            double if that's what bytecode wants. Hence we only need to know that the
            DFG code won't want to do something to this value that would make 64-bit
            ints either unprofitable or unsound.
        
        The backwards propagator's notions of flags (NodeUsedAsValue, etc) are for lossy
        optimizations and so should be named in a way that reflects this. This patch
        calls then NodeBytecodeUsesAsValue, etc.
        
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::bytecodeUsesAsNumber):
        (JSC::DFG::bytecodeCanTruncateInteger):
        (JSC::DFG::bytecodeCanIgnoreNegativeZero):
        (JSC::DFG::nodeMayNegZero):
        (JSC::DFG::nodeCanSpeculateInt32):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileAdd):
        (JSC::FTL::LowerDFGToLLVM::compileArithSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):

2013-09-10  Chris Curtis  <chris_curtis@apple.com>

        WebKit crashes when trying to send a msg via 'today's birthdays' dialogue box on Facebook
        https://bugs.webkit.org/show_bug.cgi?id=120612#add_comment
        Reviewed by Geoffrey Garen.

        The codeBlock was assumed to exist when appendSourceToMessage was set.
        This was an invalid assumption. I added a check to ensure that there is a
        valid codeBlock before accessing it.

        * API/tests/testapi.c:
        (valueToObjectExceptionCallAsFunction):
        (valueToObjectExceptionTest):
        (main):
        * runtime/VM.cpp:
        (JSC::VM::throwException):

2013-09-10  Mark Lam  <mark.lam@apple.com>

        Fix some indentation in Interpreter.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=121136.

        Reviewed by Darin Adler.

        * interpreter/Interpreter.cpp:
        (JSC::UnwindFunctor::operator()):

2013-09-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        MapData has some issues
        https://bugs.webkit.org/show_bug.cgi?id=121118

        Reviewed by Geoffrey Garen.

        * heap/CopiedBlock.h: Added some debug-only consistency checking logic. We now make sure that 
        m_liveBytes is consistent with another field, m_liveObjects. m_liveObjects is the number of 
        "objects" that currently reside in the CopiedBlock. If we have zero live bytes then we should have
        zero live objects. The converse and the inverse should also be true.
        (JSC::CopiedBlock::CopiedBlock):
        (JSC::CopiedBlock::didSurviveGC):
        (JSC::CopiedBlock::didEvacuateBytes):
        (JSC::CopiedBlock::canBeRecycled):
        (JSC::CopiedBlock::shouldEvacuate):
        (JSC::CopiedBlock::liveBytes):
        (JSC::CopiedBlock::checkConsistency):
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::didCopy):
        * runtime/MapData.cpp:
        (JSC::MapData::replaceAndPackBackingStore): Renamed parameter to be consistent with its meaning.
        (JSC::MapData::replaceBackingStore): Ditto. Also removed an unnecessary local variable.
        (JSC::MapData::visitChildren): Before we passed the size of the MapData to copyLater(), which 
        was wrong. Now we pass capacity * sizeof(Entry).
        (JSC::MapData::copyBackingStore): Before when we reassigned the newly copied backing store, we 
        set the capacity (in elements) to the size (in bytes) of the backing store. This made us think 
        we're way bigger than we actually are. Now we just pass the old capacity in.
        * runtime/MapData.h:
        (JSC::MapData::capacityInBytes): Helper function to calculate the size of the backing store.

2013-09-10  Filip Pizlo  <fpizlo@apple.com>

        We should say Int32 when we mean Int32. Saying Integer is just weird.

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToPrimitive):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::truncateConstantsIfNecessary):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateInt32):
        (JSC::DFG::Graph::negateShouldSpeculateInt32):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt32):
        (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined):
        (JSC::DFG::Node::canSpeculateInt32):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeCanSpeculateInt32):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithIMul):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::speculateInt32):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateInt32Operand::SpeculateInt32Operand):
        (JSC::DFG::SpeculateInt32Operand::~SpeculateInt32Operand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):

2013-09-10  Filip Pizlo  <fpizlo@apple.com>

        Introduce a SpecInt48 type and be more careful about what we mean by "Top"
        https://bugs.webkit.org/show_bug.cgi?id=121116

        Reviewed by Oliver Hunt.
        
        SpecInt48 will mean that we have something that would be a double if it was a JSValue,
        but it's profitable to represent it as something other than a double.
        
        SpecInt48AsDouble means that it has a value that could have been represented like
        SpecInt48, but we're making a heuristic decision not to do it.

        * bytecode/SpeculatedType.h:
        (JSC::isInt48Speculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        (JSC::DFG::::clobberCapturedVars):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filter):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::makeHeapTop):
        (JSC::DFG::AbstractValue::makeBytecodeTop):
        (JSC::DFG::AbstractValue::isHeapTop):
        (JSC::DFG::AbstractValue::heapTop):
        (JSC::DFG::AbstractValue::validateType):
        (JSC::DFG::AbstractValue::validate):
        (JSC::DFG::AbstractValue::makeTop):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):

2013-09-09  Oliver Hunt  <oliver@apple.com>

        Support WeakMap
        https://bugs.webkit.org/show_bug.cgi?id=120912

        Reviewed by Geoffrey Garen.

        Add support for ES6 WeakMap.  Add the cluster of boilerplate
        classes around the core WeakMapData class.

        WeakMapData is a simple object->value hash table that uses a
        combo of WeakReferenceHarvester to conditionally keep the weak
        value reference live, and UnconditionalFinalizer to clean the
        dead keys from the table post-GC.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::weakMapDataStructure):
        * runtime/JSWeakMap.cpp: Added.
        (JSC::JSWeakMap::finishCreation):
        (JSC::JSWeakMap::visitChildren):
        * runtime/JSWeakMap.h: Added.
        (JSC::JSWeakMap::createStructure):
        (JSC::JSWeakMap::create):
        (JSC::JSWeakMap::weakMapData):
        (JSC::JSWeakMap::JSWeakMap):
        * runtime/WeakMapConstructor.cpp: Added.
        (JSC::WeakMapConstructor::finishCreation):
        (JSC::constructWeakMap):
        (JSC::WeakMapConstructor::getConstructData):
        (JSC::WeakMapConstructor::getCallData):
        * runtime/WeakMapConstructor.h: Added.
        (JSC::WeakMapConstructor::create):
        (JSC::WeakMapConstructor::createStructure):
        (JSC::WeakMapConstructor::WeakMapConstructor):
        * runtime/WeakMapData.cpp: Added.
        (JSC::WeakMapData::WeakMapData):
        (JSC::WeakMapData::finishCreation):
        (JSC::WeakMapData::destroy):
        (JSC::WeakMapData::visitChildren):
        (JSC::WeakMapData::set):
        (JSC::WeakMapData::get):
        (JSC::WeakMapData::remove):
        (JSC::WeakMapData::contains):
        (JSC::WeakMapData::clear):
        (JSC::WeakMapData::DeadKeyCleaner::visitWeakReferences):
        (JSC::WeakMapData::DeadKeyCleaner::finalizeUnconditionally):
        * runtime/WeakMapData.h: Added.
        (JSC::WeakMapData::create):
        (JSC::WeakMapData::createStructure):
        (JSC::WeakMapData::DeadKeyCleaner::DeadKeyCleaner):
        * runtime/WeakMapPrototype.cpp: Added.
        (JSC::WeakMapPrototype::finishCreation):
        (JSC::getWeakMapData):
        (JSC::protoFuncWeakMapClear):
        (JSC::protoFuncWeakMapDelete):
        (JSC::protoFuncWeakMapGet):
        (JSC::protoFuncWeakMapHas):
        (JSC::protoFuncWeakMapSet):
        * runtime/WeakMapPrototype.h: Added.
        (JSC::WeakMapPrototype::create):
        (JSC::WeakMapPrototype::createStructure):
        (JSC::WeakMapPrototype::WeakMapPrototype):

2013-09-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: [JSC] Caught exception is treated as uncaught
        https://bugs.webkit.org/show_bug.cgi?id=93607

        Reviewed by Geoff Garen.

        Check up the entire call stack to see if there is an exception handler.

        * interpreter/Interpreter.cpp:
        (JSC::GetExceptionHandlerFunctor::GetExceptionHandlerFunctor):
        (JSC::GetExceptionHandlerFunctor::handler):
        (JSC::GetExceptionHandlerFunctor::operator()):

2013-09-10  Filip Pizlo  <fpizlo@apple.com>

        SpecType should have SpecInt48AsDouble
        https://bugs.webkit.org/show_bug.cgi?id=121065

        Reviewed by Oliver Hunt.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromValue):
        * bytecode/SpeculatedType.h:
        (JSC::isInt48AsDoubleSpeculation):
        (JSC::isIntegerSpeculation):
        (JSC::isDoubleRealSpeculation):

2013-09-10  Filip Pizlo  <fpizlo@apple.com>

        Don't GC while in the OSR-triggered jettison code
        https://bugs.webkit.org/show_bug.cgi?id=121106

        Reviewed by Mark Hahnenberg.

        * dfg/DFGOperations.cpp:

2013-09-10  Filip Pizlo  <fpizlo@apple.com>

        jsc commandline's run() function should take extra arguments
        https://bugs.webkit.org/show_bug.cgi?id=121098

        Reviewed by Michael Saboff.

        * jsc.cpp:
        (functionRun):

2013-09-09  Michael Saboff  <msaboff@apple.com>

        There should be one "invalid" virtual register constant
        https://bugs.webkit.org/show_bug.cgi?id=121057

        Reviewed by Filip Pizlo.

        Unify all references to an invalid virtual register to be the enum InvalidVirtualRegister.
        Changed the value of InvalidVirtualRegister to be maximum integer value.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setArgumentsRegister):
        (JSC::CodeBlock::usesArguments):
        * bytecode/LazyOperandValueProfile.h:
        (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
        (JSC::LazyOperandValueProfileKey::operator!):
        (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
        (JSC::LazyOperandValueProfile::LazyOperandValueProfile):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::usesArguments):
        (JSC::UnlinkedCodeBlock::usesGlobalObject):
        * bytecode/VirtualRegister.h:

2013-09-09  Michael Saboff  <msaboff@apple.com>

        Change virtual register function arguments from unsigned to int
        https://bugs.webkit.org/show_bug.cgi?id=121055

        Reviewed by Filip Pizlo.

        This is a largely mechanical change.  This changes function paramaters and local variables used to
        represent bytecode operands from being unsigned to be int.

        * bytecode/CodeOrigin.h:
        * dfg/DFGByteCodeParser.cpp:
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITInlines.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITStubCall.h:

2013-09-09  Michael Saboff  <msaboff@apple.com>

        Add local to/from operand helpers similar to argument to/from operand2
        https://bugs.webkit.org/show_bug.cgi?id=121056

        Reviewed by Geoffrey Garen.

        Added localToOperand(), operandToLocal() and operandIsLocal() to Operands.h, very similar to
        argumentToOperand(), et al.  Used the new helpers everywhere where an index into a data
        structure is intended instead of the actual virtual register offset.  When the stack is
        changed to grow down, local register offsets can be negative.  Also added the helper
        DFG::SpeculativeJIT::generationInfoFromVirtualRegister() for the common case accessing 
        m_generationInfo[operandToLocal(val)].

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/Operands.h:
        (JSC::localToOperand):
        (JSC::operandIsLocal):
        (JSC::operandToLocal):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        * dfg/DFGOSREntry.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        * dfg/DFGScoreBoard.h:
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGValidate.cpp:
        * dfg/DFGVariableEventStream.cpp:
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        * jit/JITInlines.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:

2013-09-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, disable GC logging.

        * heap/Heap.cpp:

2013-09-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        CopiedSpace::startedCopying should not call MarkedSpace::capacity
        https://bugs.webkit.org/show_bug.cgi?id=121045

        Reviewed by Geoffrey Garen.

        MarkedSpace::capacity() iterates every block in MarkedSpace. Instead we should just 
        keep track of our total capacity in MarkedSpace as we add and remove MarkedBlocks.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::freeBlock):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::didAddBlock):
        (JSC::MarkedSpace::capacity):

2013-09-09  Michael Saboff  <msaboff@apple.com>

        Wrong for SlowPathCall to load callFrame reg from vm.topCallFrame after call
        https://bugs.webkit.org/show_bug.cgi?id=120537

        Reviewed by Geoffrey Garen.

        Changed JITSlowPathCall::call() to update vm.topCallFrame from the callFrameRegister instead of the
        other way around.

        * jit/JIT.h:
        * jit/JITInlines.h:
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):

2013-08-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArray::shiftCountWithArrayStorage doesn't change indexBias when shifting the last element in m_vector
        https://bugs.webkit.org/show_bug.cgi?id=120389

        Reviewed by Michael Saboff.

        Went through and cleaned up shiftCountWithArrayStorage. Gave meaningful variable names
        and commented the confusing parts. This led to realizing how to fix this bug, which has
        been done. The issue was that we were modifying the vector length unconditionally, even
        when we weren't logically changing the length of the vector. Instead, we should only modify
        the vector length when we modify the index bias.

        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):

2013-09-08  Anders Carlsson  <andersca@apple.com>

        Begin moving off of TypeTraits.h
        https://bugs.webkit.org/show_bug.cgi?id=121006

        Reviewed by Darin Adler.

        Convert uses of WTF type traits to STL type traits.

        * heap/PassWeak.h:
        * runtime/JSCell.h:
        (JSC::jsCast):
        (JSC::jsDynamicCast):
        * runtime/WriteBarrier.h:
        (JSC::validateCell):

2013-09-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Calculating the size of the Heap should not require walking over it
        https://bugs.webkit.org/show_bug.cgi?id=120910

        Reviewed by Geoffrey Garen.

        Currently Heap::size() is O(sizeof(Heap)). This is too expensive to 
        call during a collection. We should keep a count of visited and copied 
        bytes as each collection progresses so as to avoid re-walking the Heap 
        at the end of collection.

        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::childBytesVisited):
        (JSC::GCThreadSharedData::childBytesCopied):
        * heap/GCThreadSharedData.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC::Heap::sizeAfterCollect):
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):
        (JSC::SlotVisitor::reset):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::bytesVisited):
        (JSC::SlotVisitor::bytesCopied):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        (JSC::SlotVisitor::copyLater):

2013-09-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clearing MarkedBlock::m_newlyAllocated should be separate from MarkedBlock::clearMarks
        https://bugs.webkit.org/show_bug.cgi?id=121007

        Reviewed by Oliver Hunt.

        We call clearMarks on every MarkedBlock in the Heap, whereas we only need to clear 
        m_newlyAllocated for the m_currentBlock at the time of the last canonicalizeCellLiveness() 
        for each MarkedAllocator. We also need to call it on every block in the largeAllocators 
        because each one of their blocks is canonicalized as it is used.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::getAndClearCanonicalizedBlock):
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::canonicalizeCellLivenessData):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::lastChanceToFinalize):
        (JSC::MarkedBlock::clearMarks):
        (JSC::MarkedBlock::clearNewlyAllocated):
        * heap/MarkedSpace.cpp:
        (JSC::clearNewlyAllocatedInBlock):
        (JSC::ClearNewlyAllocated::operator()):
        (JSC::MarkedSpace::clearNewlyAllocated):
        * heap/MarkedSpace.h:

2013-09-07  Filip Pizlo  <fpizlo@apple.com>

        FTL should support typed array PutByVal
        https://bugs.webkit.org/show_bug.cgi?id=120972

        Reviewed by Oliver Hunt.

        Due to increased FTL coverage, this revealed a bug in LICM where we were trying to
        have AI execute the tail of a block that !cfaDidFinish. We don't need to execute AI
        for such blocks since LICM will bail for them anyway, and AI asserts that cfaDidFinish
        is true.

        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::attemptHoist):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildFPToUI):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
        (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::fpToUInt):
        (JSC::FTL::Output::fpToUInt32):
        (JSC::FTL::Output::store8):
        (JSC::FTL::Output::store16):
        (JSC::FTL::Output::storeFloat):

2013-09-07  Filip Pizlo  <fpizlo@apple.com>

        FTL should support basic closure operations
        https://bugs.webkit.org/show_bug.cgi?id=120987

        Reviewed by Oliver Hunt.

        * ftl/FTLAbstractHeapRepository.cpp:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
        (JSC::FTL::LowerDFGToLLVM::compileSkipScope):
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
        (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
        (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):

2013-09-07  Filip Pizlo  <fpizlo@apple.com>

        Only run FTL tests if we have the FTL
        https://bugs.webkit.org/show_bug.cgi?id=120974

        Reviewed by Geoffrey Garen.
        
        The test infrastructure is now smart enough to not pass --useExperimentalFTL=true
        unless it knows that we have the FTL.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):

2013-09-07  Anders Carlsson  <andersca@apple.com>

        Get rid of PassOwnArrayPtr
        https://bugs.webkit.org/show_bug.cgi?id=120964

        Reviewed by Andreas Kling.

        Use OwnArrayPtr instead of PassOwnArrayPtr.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::setSlowArguments):

2013-09-07  Filip Pizlo  <fpizlo@apple.com>

        FTL should support typed array GetByVal and related ops
        https://bugs.webkit.org/show_bug.cgi?id=120965

        Reviewed by Oliver Hunt.
        
        This adds support for typed array instantiations of the following DFG IR ops:
        
        - GetByVal
        
        - GetIndexedPropertyStorage
        
        - CheckArray
        
        - GetArrayLength
        
        This also adds CheckArray for Int32/Double/Contiguous arrays.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toIndexingShape):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::shapeMask):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::floatType):
        (JSC::FTL::buildSExt):
        (JSC::FTL::buildFPCast):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        * ftl/FTLCommonValues.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileCheckArray):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::constIntPtr):
        (JSC::FTL::Output::signExt):
        (JSC::FTL::Output::fpCast):
        (JSC::FTL::Output::loadFloat):

2013-09-07  Anders Carlsson  <andersca@apple.com>

        VectorMover should use std::move
        https://bugs.webkit.org/show_bug.cgi?id=120959

        Reviewed by Geoffrey Garen.

        Work around a bug in GCC by changing the type of the callType bitfield 
        in CallLinkInfo to be unsigned instead of CallType.

        * bytecode/CallLinkInfo.h:

2013-09-07  Anders Carlsson  <andersca@apple.com>

        Get rid of FastAllocBase.h
        https://bugs.webkit.org/show_bug.cgi?id=120952

        Reviewed by Antti Koivisto.

        Include FastMalloc.h instead of FastAllocBase.h.

        * assembler/LinkBuffer.h:
        * bytecode/CodeBlock.h:
        * bytecode/StructureStubClearingWatchpoint.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGLongLivedState.h:
        * dfg/DFGSlowPathGenerator.h:
        * ftl/FTLAbstractHeap.h:
        * heap/JITStubRoutineSet.h:
        * jit/CompactJITCodeMap.h:
        * profiler/ProfilerDatabase.h:
        * profiler/ProfilerExecutionCounter.h:

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        FTL should support Call/Construct in the worst way possible
        https://bugs.webkit.org/show_bug.cgi?id=120916

        Reviewed by Oliver Hunt.
        
        This adds support for Call/Construct by just calling out to C code that uses
        the JSC::call/JSC::construct runtime functions for making calls. This is slow
        and terrible, but it dramatically extends FTL coverage.
        
        Supporting calls in a meaningful way meant also supporting
        GlobalVarWatchpoint.
        
        The extension of coverage helped to find a bunch of bugs:
        
        - ObjectOrOtherUse was claimed to be supported in the FTL but speculate()
          didn't support it. That means that any node with an ObjectOrOtherUse edge
          that got DCE'd would cause the FTL to ICE.
        
        - There was a bad fall-through compileCompareStrictEq() that led to ICE.
        
        - The OSR exit reconstruction code was assuming it could do fast checks on
          node->child1() before even determining the type of node; that crashes if
          the node is HasVarArgs. Fixed by checking HasVarArgs first.
        
        - The OSR exit compiler was using the wrong peekOffset for CArgumentGetter.
          The default is 1, which assumes that you didn't push anything onto the
          stack after getting called. The OSR exit thunks push FP, so the offset
          should be 2.
        
        This passes stress tests and is probably huge performance regression if you
        --useExperimentalFTL=true. The regression will be fixed in
        https://bugs.webkit.org/show_bug.cgi?id=113621.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        jsc shell should destroy VM as a workaround for LLVM's exit-time destructors
        https://bugs.webkit.org/show_bug.cgi?id=120921

        Reviewed by Oliver Hunt.
        
        LLVM's exit-time destructors will fire when we exit. If there is an on-going
        FTL compile at exit, which will happen if the VM that triggered the compile
        isn't shut down, then we will crash.
        
        We should get rid of LLVM's exit-time destructors. But before we do that, we
        should just do a clean VM shutdown to suppress spurious crashes. This will
        help in expanding LLVM coverage for now.

        * jsc.cpp:
        (jscmain):

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        FTL ArithMod Int32Use doesn't check for negative zero correctly
        https://bugs.webkit.org/show_bug.cgi?id=120905

        Reviewed by Mark Hahnenberg.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        FTL ArithNeg Int32Use doesn't check negative zero
        https://bugs.webkit.org/show_bug.cgi?id=120900

        Reviewed by Mark Hahnenberg.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):

2013-09-06  Anders Carlsson  <andersca@apple.com>

        Stop using fastNew/fastDelete in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=120898

        Reviewed by Oliver Hunt.

        Change all the hash table members in ExecState to be OwnPtrs and use
        adoptPtr instead. Also, since none of the hash tables can be null, change their getters
        to return references and propagate the reference types wherever we know that a HashTable can't be null.

        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable):
        (JSC::ExecState::arrayPrototypeTable):
        (JSC::ExecState::booleanPrototypeTable):
        (JSC::ExecState::dataViewTable):
        (JSC::ExecState::dateTable):
        (JSC::ExecState::dateConstructorTable):
        (JSC::ExecState::errorPrototypeTable):
        (JSC::ExecState::globalObjectTable):
        (JSC::ExecState::jsonTable):
        (JSC::ExecState::numberConstructorTable):
        (JSC::ExecState::numberPrototypeTable):
        (JSC::ExecState::objectConstructorTable):
        (JSC::ExecState::privateNamePrototypeTable):
        (JSC::ExecState::regExpTable):
        (JSC::ExecState::regExpConstructorTable):
        (JSC::ExecState::regExpPrototypeTable):
        (JSC::ExecState::stringConstructorTable):
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        (JSC::ExecState::promiseResolverPrototypeTable):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::propHashTable):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::lookupPut):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        Concurrent FTL causes !hasOptimizedReplacement() asserts in cti_optimize
        https://bugs.webkit.org/show_bug.cgi?id=120890

        Reviewed by Mark Hahnenberg.
        
        Don't install an FTL code block if the DFG code block has already been jettisoned.

        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):

2013-09-06  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=120781

        Reviewed by Mark Hahnenberg.
        
        Roll this back in with a build fix.
        
        - Use some method table hacks to detect if the CheckStructure optimization is
          valid for to_this.
        
        - Introduce a FinalObjectUse and use it for ToThis->Identity conversion.
        
        This looks like it might be perf-neutral on the major benchmarks, but it
        introduces some horrible performance cliffs. For example if you add methods to
        the Array prototype, you'll get horrible performance cliffs. As in virtual calls
        to C++ every time you call a JS function even if it's inlined.
        LongSpider/3d-cube appears to hit this.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitPutTransitionStub):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):

2013-09-05  Filip Pizlo  <fpizlo@apple.com>

        Introduce a way to run benchmarks and JSRegress as stress tests with different jsc command-line options
        https://bugs.webkit.org/show_bug.cgi?id=120808

        Reviewed by Mark Hahnenberg and rubber stamped by Geoffrey Garen.
        
        Allow --useExperimentalFTL=true even if FTL isn't built since this simplifies
        testing.

        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):

2013-09-06  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed build fix for the GTK port when building with FTL JIT enabled.

        * GNUmakefile.list.am: Add the missing files to the build.

2013-09-05  Oliver Hunt  <oliver@apple.com>

        Make it simpler to introduce new data types to the global object
        https://bugs.webkit.org/show_bug.cgi?id=120801

        Reviewed by Gavin Barraclough.

        Add an iterator macro that lists all the "simple" ES types (e.g. type
        consists of instance, constructor, and prototype classes).  So that
        we don't need to have every new type litter JSGlobalObject.{cpp,h} with
        members, accessors, and manual GC visiting.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:

2013-09-05  Mark Rowe  <mrowe@apple.com>
        
        Roll out r155149 since it broke the build.

2013-09-05  Michael Saboff  <msaboff@apple.com>

        Cleanup formatting of byte code debug output
        Source/JavaScriptCore/ChangeLog

        Rubber stamped by Filip Pizlo.

        Put the formatting of the byte code offset and operation into one common function to
        simplify and unify formatting.  Changed CodeBlock::registerName() to return
        "thist" for argument register 0, "argN" for other argument registers and "locN" for
        local registers.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::registerName):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::printLocationAndOp):
        (JSC::CodeBlock::printLocationOpAndRegisterOperand):

2013-09-05  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=120781

        Reviewed by Mark Hahnenberg.
        
        - Use some method table hacks to detect if the CheckStructure optimization is
          valid for to_this.
        
        - Introduce a FinalObjectUse and use it for ToThis->Identity conversion.
        
        This looks like it might be perf-neutral on the major benchmarks, but it
        introduces some horrible performance cliffs. For example if you add methods to
        the Array prototype, you'll get horrible performance cliffs. As in virtual calls
        to C++ every time you call a JS function even if it's inlined.
        LongSpider/3d-cube appears to hit this.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):

2013-09-05  Anders Carlsson  <andersca@apple.com>

        GCAssertions.h should use STL type traits and static_assert
        https://bugs.webkit.org/show_bug.cgi?id=120785

        Reviewed by Andreas Kling.

        There's no need to rely on compiler specific support to figure out if a class is trivially destructable,
        we can just use type traits from STL. Do this, fix the assert macro to use static_assert directly and
        rename it from ASSERT_HAS_TRIVIAL_DESTRUCTOR to STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE to clarify that
        it's a static assert and to match the STL nomenclature.
        
        * API/JSCallbackFunction.cpp:
        * debugger/DebuggerActivation.cpp:
        * heap/GCAssertions.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromiseResolverConstructor.cpp:
        * runtime/JSPromiseResolverPrototype.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSScope.cpp:
        * runtime/JSWrapperObject.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:

2013-09-05  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix for DebugSuffix target.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Don't build 64-bit assembly in 32-bit build.
        Also correct 'filters' file so that files appear in categories that match their on-disk locations.

2013-09-04  Filip Pizlo  <fpizlo@apple.com>

        jsc tests should have timeouts
        https://bugs.webkit.org/show_bug.cgi?id=120725

        Reviewed by Geoffrey Garen.
        
        Add the timeout logic directly to 'jsc' because that's easier to do than
        writing shell/perl code for it.

        * jsc.cpp:
        (timeoutThreadMain):
        (main):

2013-09-04  Filip Pizlo  <fpizlo@apple.com>

        fast/js/dfg-* tests should wait for the concurrent JIT
        https://bugs.webkit.org/show_bug.cgi?id=120723

        Reviewed by Geoffrey Garen.
        
        * runtime/TestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles): This should also handle constructors.

2013-09-04  Filip Pizlo  <fpizlo@apple.com>

        run-fast-jsc should work with new-school fast/js tests that loop until the DFG tiers up
        https://bugs.webkit.org/show_bug.cgi?id=120697

        Reviewed by Mark Hahnenberg.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionNeverInlineFunction):
        (functionNumberOfDFGCompiles):
        * runtime/TestRunnerUtils.cpp: Added.
        (JSC::getExecutable):
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):
        * runtime/TestRunnerUtils.h: Added.

2013-09-04  Mark Lam  <mark.lam@apple.com>

        Renamed StackIterator to StackVisitor.
        https://bugs.webkit.org/show_bug.cgi?id=120706.

        Reviewed by Geoffrey Garen.

        Also did some minor refactoring:
        - Renamed StackIterator::iterate() to StackVisitor::visit().
        - Make StackVisitor::visit() a static method.
        - Move the instantiation of the StackVisitor instance into StackVisitor::visit()
          from CallFrame::iterate().
        - Removed StackIterator::resetIterator() and inline its body into the
          StackVisitor constructor since this is the only remaining caller of it.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::operator()):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/Interpreter.cpp:
        (JSC::DumpRegisterFunctor::operator()):
        (JSC::unwindCallFrame):
        (JSC::getStackFrameCodeType):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::UnwindFunctor::operator()):
        * interpreter/Interpreter.h:
        * interpreter/StackIterator.cpp: Removed.
        * interpreter/StackIterator.h: Removed.
        * interpreter/StackVisitor.cpp: Copied from Source/JavaScriptCore/interpreter/StackIterator.cpp.
        (JSC::StackVisitor::StackVisitor):
        (JSC::StackVisitor::gotoNextFrame):
        (JSC::StackVisitor::readFrame):
        (JSC::StackVisitor::readNonInlinedFrame):
        (JSC::StackVisitor::readInlinedFrame):
        (JSC::StackVisitor::Frame::codeType):
        (JSC::StackVisitor::Frame::functionName):
        (JSC::StackVisitor::Frame::sourceURL):
        (JSC::StackVisitor::Frame::toString):
        (JSC::StackVisitor::Frame::arguments):
        (JSC::StackVisitor::Frame::computeLineAndColumn):
        (JSC::StackVisitor::Frame::retrieveExpressionInfo):
        (JSC::StackVisitor::Frame::setToEnd):
        (JSC::StackVisitor::Frame::print):
        (DebugPrintFrameFunctor::operator()):
        * interpreter/StackVisitor.h: Copied from Source/JavaScriptCore/interpreter/StackIterator.h.
        (JSC::StackVisitor::visit):
        * jsc.cpp:
        (FunctionJSCStackFunctor::operator()):
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::operator()):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::GlobalFuncProtoGetterFunctor::operator()):
        (JSC::GlobalFuncProtoSetterFunctor::operator()):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):

2013-09-04  Roger Fong  <roger_fong@apple.com>

        Unreviewed Build fix for Windows DebugSuffix configuration.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-09-04  Mark Lam  <mark.lam@apple.com>

        Refining the StackIterator callback interface.
        https://bugs.webkit.org/show_bug.cgi?id=120695.

        Reviewed by Geoffrey Garen.

        Introduce CallFrame::iterate() which instantiates a StackIterator and
        invoke its iterate() method with the passed in functor. The only place
        where the client code gets access to the StackIterator now is as an
        argument to the client's functor.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * interpreter/CallFrame.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::iterate):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::unwind):
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::StackIterator):
        (DebugPrintFrameFunctor::DebugPrintFrameFunctor):
        (DebugPrintFrameFunctor::operator()):
        (debugPrintCallFrame):
        (debugPrintStack):
        * interpreter/StackIterator.h:
        (JSC::StackIterator::iterate):
        * jsc.cpp:
        (functionJSCStack):
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * runtime/JSFunction.cpp:
        (JSC::retrieveArguments):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):

2013-09-04  Benjamin Poulain  <benjamin@webkit.org>

        JSGenericTypedArrayViewConstructor.h is referenced twice in the XCode project build section, causing warnings
        https://bugs.webkit.org/show_bug.cgi?id=120698

        Reviewed by Darin Adler.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-09-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        ASSERT in MarkedAllocator::allocateSlowCase is wrong
        https://bugs.webkit.org/show_bug.cgi?id=120639

        Reviewed by Oliver Hunt.

        ASSERT(!m_heap->shouldCollect()) is no longer true due to our use of the GC 
        deferral mechanism. We could technically be beyond our byte allocation limit, 
        but still not try to collect due to deferral. This patch amends shouldCollect() 
        to return false if GC is currently deferred.

        * heap/Heap.h:
        (JSC::Heap::shouldCollect):

2013-09-03  Filip Pizlo  <fpizlo@apple.com>

        The DFG should be able to tier-up and OSR enter into the FTL
        https://bugs.webkit.org/show_bug.cgi?id=112838

        Reviewed by Mark Hahnenberg.
        
        This adds the ability for the DFG to tier-up into the FTL. This works in both
        of the expected tier-up modes:
        
        Replacement: frequently called functions eventually have their entrypoint
        replaced with one that goes into FTL-compiled code. Note, this will be a
        slow-down for now since we don't yet have LLVM calling convention integration.
        
        OSR entry: code stuck in hot loops gets OSR'd into the FTL from the DFG.
        
        This means that if the DFG detects that a function is an FTL candidate, it
        inserts execution counting code similar to the kind that the baseline JIT
        would use. If you trip on a loop count in a loop header that is an OSR
        candidate (it's not an inlined loop), we do OSR; otherwise we do replacement.
        OSR almost always also implies future replacement.
        
        OSR entry into the FTL is really cool. It uses a specialized FTL compile of
        the code, where early in the DFG pipeline we replace the original root block
        with an OSR entrypoint block that jumps to the pre-header of the hot loop.
        The OSR entrypoint loads all live state at the loop pre-header using loads
        from a scratch buffer, which gets populated by the runtime's OSR entry
        preparation code (FTL::prepareOSREntry()). This approach appears to work well
        with all of our subsequent optimizations, including prediction propagation,
        CFA, and LICM. LLVM seems happy with it, too. Best of all, it works naturally
        with concurrent compilation: when we hit the tier-up trigger we spawn a
        compilation plan at the bytecode index from which we triggered; once the
        compilation finishes the next trigger will try to enter, at that bytecode
        index. If it can't - for example because the code has moved on to another
        loop - then we just try again. Loops that get hot enough for OSR entry (about
        25,000 iterations) will probably still be running when a concurrent compile
        finishes, so this doesn't appear to be a big problem.
        
        This immediately gives us a 70% speed-up on imaging-gaussian-blur. We could
        get a bigger speed-up by adding some more intelligence and tweaking LLVM to
        compile code faster. Those things will happen eventually but this is a good
        start. Probably this code will see more tuning as we get more coverage in the
        FTL JIT, but I'll worry about that in future patches.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * bytecode/CodeBlock.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::killBlockAndItsContents):
        (JSC::DFG::Graph::killUnreachableBlocks):
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::reconstruct):
        (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
        (JSC::DFG::JITCode::optimizeNextInvocation):
        (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
        (JSC::DFG::JITCode::optimizeAfterWarmUp):
        (JSC::DFG::JITCode::optimizeSoon):
        (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
        (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGLoopPreHeaderCreationPhase.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::unlinkedLocal):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntrypointCreationPhase.cpp: Added.
        (JSC::DFG::OSREntrypointCreationPhase::OSREntrypointCreationPhase):
        (JSC::DFG::OSREntrypointCreationPhase::run):
        (JSC::DFG::performOSREntrypointCreation):
        * dfg/DFGOSREntrypointCreationPhase.h: Added.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTierUpCheckInjectionPhase.cpp: Added.
        (JSC::DFG::TierUpCheckInjectionPhase::TierUpCheckInjectionPhase):
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::performTierUpCheckInjection):
        * dfg/DFGTierUpCheckInjectionPhase.h: Added.
        * dfg/DFGToFTLDeferredCompilationCallback.cpp: Added.
        (JSC::DFG::ToFTLDeferredCompilationCallback::ToFTLDeferredCompilationCallback):
        (JSC::DFG::ToFTLDeferredCompilationCallback::~ToFTLDeferredCompilationCallback):
        (JSC::DFG::ToFTLDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLDeferredCompilationCallback.h: Added.
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: Added.
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::~ToFTLForOSREntryDeferredCompilationCallback):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: Added.
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * dfg/DFGWorklist.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCapabilities.h:
        * ftl/FTLForOSREntryJITCode.cpp: Added.
        (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode):
        (JSC::FTL::ForOSREntryJITCode::~ForOSREntryJITCode):
        (JSC::FTL::ForOSREntryJITCode::ftlForOSREntry):
        (JSC::FTL::ForOSREntryJITCode::initializeEntryBuffer):
        * ftl/FTLForOSREntryJITCode.h: Added.
        (JSC::FTL::ForOSREntryJITCode::entryBuffer):
        (JSC::FTL::ForOSREntryJITCode::setBytecodeIndex):
        (JSC::FTL::ForOSREntryJITCode::bytecodeIndex):
        (JSC::FTL::ForOSREntryJITCode::countEntryFailure):
        (JSC::FTL::ForOSREntryJITCode::entryFailureCount):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::addWeakReference):
        * ftl/FTLOSREntry.cpp: Added.
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLOSREntry.h: Added.
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::crashNonTerminal):
        (JSC::FTL::Output::crash):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * interpreter/Register.h:
        (JSC::Register::unboxedDouble):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        * jit/JITCode.cpp:
        (JSC::JITCode::ftlForOSREntry):
        * jit/JITCode.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        * runtime/Options.h:
        * runtime/VM.cpp:
        (JSC::VM::ensureWorklist):
        * runtime/VM.h:

2013-09-03  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock memory cost reporting should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120615

        Reviewed by Darin Adler.
        
        Report the size of the instruction stream, and then remind the GC that we're
        using memory when we trace.
        
        This is a slight slow-down on some JSBench tests because it makes us GC a
        bit more frequently. But I think it's well worth it; if we really want those
        tests to GC less frequently then we can achieve that through other kinds of
        tuning. It's better that the GC knows that CodeBlocks do in fact use memory;
        what it does with that information is a somewhat orthogonal question.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::visitAggregate):

2013-09-03  Mark Lam  <mark.lam@apple.com>

        Converting StackIterator to a callback interface.
        https://bugs.webkit.org/show_bug.cgi?id=120564.

        Reviewed by Filip Pizlo.

        * API/JSContextRef.cpp:
        (BacktraceFunctor::BacktraceFunctor):
        (BacktraceFunctor::operator()):
        (JSContextCreateBacktrace):
        * interpreter/CallFrame.cpp:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
        (JSC::DumpRegisterFunctor::operator()):
        (JSC::Interpreter::dumpRegisters):
        (JSC::unwindCallFrame):
        (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
        (JSC::GetStackTraceFunctor::operator()):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::stackTraceAsString):
        (JSC::UnwindFunctor::UnwindFunctor):
        (JSC::UnwindFunctor::operator()):
        (JSC::Interpreter::unwind):
        * interpreter/Interpreter.h:
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrameWithFilter):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (DebugPrintStackFunctor::operator()):
        (debugPrintStack): Added for debugging convenience.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::index):
        (JSC::StackIterator::iterate):
        * jsc.cpp:
        (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
        (FunctionJSCStackFunctor::operator()):
        (functionJSCStack):
        * profiler/ProfileGenerator.cpp:
        (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
        (JSC::AddParentForConsoleStartFunctor::foundParent):
        (JSC::AddParentForConsoleStartFunctor::operator()):
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor):
        (JSC::RetrieveArgumentsFunctor::result):
        (JSC::RetrieveArgumentsFunctor::operator()):
        (JSC::retrieveArguments):
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::result):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
        (JSC::GlobalFuncProtoGetterFunctor::result):
        (JSC::GlobalFuncProtoGetterFunctor::operator()):
        (JSC::globalFuncProtoGetter):
        (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
        (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
        (JSC::GlobalFuncProtoSetterFunctor::operator()):
        (JSC::globalFuncProtoSetter):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
        (JSC::objectConstructorGetPrototypeOf):

2013-09-03  Oliver Hunt  <oliver@apple.com>

        Support structured clone of Map and Set
        https://bugs.webkit.org/show_bug.cgi?id=120654

        Reviewed by Simon Fraser.

        Make xcode copy the required headers, and add appropriate export attributes

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSMap.h:
        * runtime/JSSet.h:
        * runtime/MapData.h:

2013-09-02  Ryosuke Niwa  <rniwa@webkit.org>

        Support the "json" responseType and JSON response entity in XHR
        https://bugs.webkit.org/show_bug.cgi?id=73648

        Reviewed by Oliver Hunt.

        Based on the patch written by Jarred Nicholls.

        Add JSC::JSONParse. This function will be used in XMLHttpRequest.response of type 'json'.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSONObject.cpp:
        (JSC::JSONParse):
        * runtime/JSONObject.h:

2013-09-02  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::jettison() should be implicit
        https://bugs.webkit.org/show_bug.cgi?id=120567

        Reviewed by Oliver Hunt.
        
        This is a risky change from a performance standpoint, but I believe it's
        necessary. This makes all CodeBlocks get swept by GC. Nobody but the GC
        can delete CodeBlocks because the GC always holds a reference to them.
        Once a CodeBlock reaches just one reference (i.e. the one from the GC)
        then the GC will free it only if it's not on the stack.
        
        This allows me to get rid of the jettisoning logic. We need this for FTL
        tier-up. Well; we don't need it, but it will help prevent a lot of bugs.
        Previously, if you wanted to to replace one code block with another, you
        had to remember to tell the GC that the previous code block is
        "jettisoned". We would need to do this when tiering up from DFG to FTL
        and when dealing with DFG-to-FTL OSR entry code blocks. There are a lot
        of permutations here - tiering up to the FTL, OSR entering into the FTL,
        deciding that an OSR entry code block is not relevant anymore - just to
        name a few. In each of these cases we'd have to jettison the previous
        code block. It smells like a huge source of future bugs.
        
        So I made jettisoning implicit by making the GC always watch out for a
        CodeBlock being owned solely by the GC.
        
        This change is performance neutral.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setJITCode):
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        (JSC::CodeBlockSet::mark):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * heap/CodeBlockSet.cpp: Added.
        (JSC::CodeBlockSet::CodeBlockSet):
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::clearMarks):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::traceMarked):
        * heap/CodeBlockSet.h: Added.
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        * heap/DFGCodeBlocks.cpp: Removed.
        * heap/DFGCodeBlocks.h: Removed.
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        * heap/Heap.h:
        * interpreter/JSStack.cpp:
        (JSC::JSStack::gatherConservativeRoots):
        * interpreter/JSStack.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/Executable.h:
        * runtime/VM.h:

2013-09-02  Darin Adler  <darin@apple.com>

        [Mac] No need for HardAutorelease, which is same as CFBridgingRelease
        https://bugs.webkit.org/show_bug.cgi?id=120569

        Reviewed by Andy Estes.

        * API/JSValue.mm:
        (valueToString): Use CFBridgingRelease.

2013-08-30  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock refactoring broke profile dumping
        https://bugs.webkit.org/show_bug.cgi?id=120551

        Reviewed by Michael Saboff.
        
        Fix the bug, and did a big clean-up of how Executable returns CodeBlocks. A lot
        of the problems we have with code like CodeBlock::baselineVersion() is that we
        were trying *way too hard* to side-step the fact that Executable can't return a
        CodeBlock*. Previously it could only return CodeBlock&, so if it didn't have a
        CodeBlock yet, you were screwed. And if you didn't know, or weren't sure, if it
        did have a CodeBlock, you were really going to have a bad time. Also it really
        bugs me that the methods were called generatedBytecode(). In all other contexts
        if you ask for a CodeBlock, then method to call is codeBlock(). So I made all
        of those changes.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineVersion):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::CodeBlock::globalObjectFor):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hash):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITCode.h:
        (JSC::JITCode::isExecutableScript):
        (JSC::JITCode::isLowerTier):
        * jit/JITStubs.cpp:
        (JSC::lazyLinkFor):
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/Executable.h:
        (JSC::EvalExecutable::codeBlock):
        (JSC::ProgramExecutable::codeBlock):
        (JSC::FunctionExecutable::eitherCodeBlock):
        (JSC::FunctionExecutable::codeBlockForCall):
        (JSC::FunctionExecutable::codeBlockForConstruct):
        (JSC::FunctionExecutable::codeBlockFor):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):

2013-08-30  Oliver Hunt  <oliver@apple.com>

        Implement ES6 Set class
        https://bugs.webkit.org/show_bug.cgi?id=120549

        Reviewed by Filip Pizlo.

        We simply reuse the MapData type from JSMap making the
        it much simpler.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setStructure):
        * runtime/JSSet.cpp: Added.
        (JSC::JSSet::visitChildren):
        (JSC::JSSet::finishCreation):
        * runtime/JSSet.h: Added.
        (JSC::JSSet::createStructure):
        (JSC::JSSet::create):
        (JSC::JSSet::mapData):
        (JSC::JSSet::JSSet):
        * runtime/SetConstructor.cpp: Added.
        (JSC::SetConstructor::finishCreation):
        (JSC::callSet):
        (JSC::constructSet):
        (JSC::SetConstructor::getConstructData):
        (JSC::SetConstructor::getCallData):
        * runtime/SetConstructor.h: Added.
        (JSC::SetConstructor::create):
        (JSC::SetConstructor::createStructure):
        (JSC::SetConstructor::SetConstructor):
        * runtime/SetPrototype.cpp: Added.
        (JSC::SetPrototype::finishCreation):
        (JSC::getMapData):
        (JSC::setProtoFuncAdd):
        (JSC::setProtoFuncClear):
        (JSC::setProtoFuncDelete):
        (JSC::setProtoFuncForEach):
        (JSC::setProtoFuncHas):
        (JSC::setProtoFuncSize):
        * runtime/SetPrototype.h: Added.
        (JSC::SetPrototype::create):
        (JSC::SetPrototype::createStructure):
        (JSC::SetPrototype::SetPrototype):

2013-08-30  Oliver Hunt  <oliver@apple.com>

        Make JSValue bool conversion less dangerous
        https://bugs.webkit.org/show_bug.cgi?id=120505

        Reviewed by Darin Adler.

        Replaces JSValue::operator bool() with a operator UnspecifiedBoolType* as
        we do elsewhere.  Then fix the places where terrible type coercion was
        happening.  All of the changes made had no fundamental behavioural impact
        as they were coercion results that were ignored (returning undefined 
        after an exception).  

        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::hadException):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::operator UnspecifiedBoolType*):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/PropertyDescriptor.cpp:
        (JSC::PropertyDescriptor::equalTo)

2013-08-30  Chris Curtis  <chris_curtis@apple.com>

        Cleaning errorDescriptionForValue after r154839
        https://bugs.webkit.org/show_bug.cgi?id=120531
        
        Reviewed by Darin Adler.
        
        Changed the assert to ASSERT_NOT_REACHED, now that r154839 has landed. errorDescriptionForValue 
        can assert again that the parameterized JSValue is !isEmpty().
        
        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):

2013-08-30  Antti Koivisto  <antti@apple.com>

        Remove code behind ENABLE(DIALOG_ELEMENT)
        https://bugs.webkit.org/show_bug.cgi?id=120467

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2013-08-29  Andreas Kling  <akling@apple.com>

        De-bork Qt build.

        * Target.pri:

2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt for Windows.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Renamed JSMapConstructor and JSMapPrototype.

2013-08-29  Ryuan Choi  <ryuan.choi@samsung.com>

        Fix build break after r154861
        https://bugs.webkit.org/show_bug.cgi?id=120503

        Reviewed by Geoffrey Garen.

        Unreviewed build fix attempt for GTK, Qt Windows and CMake based ports.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * Target.pri:
        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Andreas Kling  <akling@apple.com>

        CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation.
        <https://webkit.org/b/120487>

        Reviewed by Oliver Hunt.

        CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector
        instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the
        exact amount of space needed.

        * bytecode/CodeBlock.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):

2013-08-29  Oliver Hunt  <oliver@apple.com>

        Fix issues found by MSVC (which also happily fixes an unintentional pessimisation)

        * runtime/MapData.h:
        (JSC::MapData::KeyType::KeyType):

2013-08-29  Oliver Hunt  <oliver@apple.com>


        Implement ES6 Map object
        https://bugs.webkit.org/show_bug.cgi?id=120333

        Reviewed by Geoffrey Garen.

        Implement support for the ES6 Map type and related classes.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopyToken.h: Add a new token to track copying the backing store
        * runtime/CommonIdentifiers.h: Add new identifiers
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
            Add new structures and prototypes

        * runtime/JSMap.cpp: Added.
        * runtime/JSMap.h: Added.
            New JSMap class to represent a Map instance

        * runtime/MapConstructor.cpp: Added.
        * runtime/MapConstructor.h: Added.
            The Map constructor

        * runtime/MapData.cpp: Added.
        * runtime/MapData.h: Added.
            The most interesting data structure.  The roughly corresponds
            to the ES6 notion of MapData.  It provides the core JSValue->JSValue
            map implementation.  We implement it using 2 hashtables and a flat
            table.  Due to the different semantics of string comparisons vs.
            all others we need have one map keyed by String and the other by
            generic JSValue.  The actual table is represented more or less
            exactly as described in the ES6 draft - a single contiguous list of
            key/value pairs.  The entire map could be achieved with just this
            table, however we need the HashMaps in order to maintain O(1) lookup.

            Deleted values are simply cleared as the draft says, however the
            implementation compacts the storage on copy as long as the are no
            active iterators.

        * runtime/MapPrototype.cpp: Added.
        * runtime/MapPrototype.h: Added.
            Implement Map prototype functions

        * runtime/VM.cpp:
            Add new structures.

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations
        https://bugs.webkit.org/show_bug.cgi?id=120489

        Reviewed by Geoffrey Garen.
        
        If the baseline JIT hits an OSR entry trigger into the DFG and we already have a
        DFG compilation but we've also started one or more FTL compilations, then we
        shouldn't get confused. Previously we would have gotten confused because we would
        see an in-process deferred compile (the FTL compile) and also an optimized
        replacement (the DFG code).
        
        If the baseline JIT hits an OSR entry trigger into the DFG and we previously
        did two things in this order: triggered a tier-up compilation from the DFG into
        the FTL, and then jettisoned the DFG code because it exited a bunch, then we
        shouldn't be confused by the presence of an in-process deferred compile (the FTL
        compile). Previously we would have waited for that compile to finish; but the more
        sensible thing to do is to let it complete and then invalidate it, while at the
        same time enqueueing a DFG compile to create a new, more valid, DFG code block.
        
        If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already
        triggered an FTL compile for replacement, then it should fire off a second compile
        instead of thinking that it can wait for that one to finish. Or vice-versa. We
        need to allow for two FTL compiles to be enqueued at the same time (one for
        replacement and one for OSR entry in a loop).
        
        Then there's also the problem that DFG::compile() is almost certainly going to be
        the hook for triggering both DFG compiles and the two kinds of FTL compiles, but
        right now there is no way to tell it which one you want.
        
        This fixes these problems and removes a bunch of potential confusion by making the
        key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode,
        FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile().
        
        Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so
        DFG::compile() is always passed DFGMode and then it might do an FTL compile if
        possible. Fixing that is a bigger issue for a later changeset.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        * dfg/DFGCompilationKey.cpp: Added.
        (JSC::DFG::CompilationKey::dump):
        * dfg/DFGCompilationKey.h: Added.
        (JSC::DFG::CompilationKey::CompilationKey):
        (JSC::DFG::CompilationKey::operator!):
        (JSC::DFG::CompilationKey::isHashTableDeletedValue):
        (JSC::DFG::CompilationKey::profiledBlock):
        (JSC::DFG::CompilationKey::mode):
        (JSC::DFG::CompilationKey::operator==):
        (JSC::DFG::CompilationKey::hash):
        (JSC::DFG::CompilationKeyHash::hash):
        (JSC::DFG::CompilationKeyHash::equal):
        * dfg/DFGCompilationMode.cpp: Added.
        (WTF::printInternal):
        * dfg/DFGCompilationMode.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::key):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * dfg/DFGWorklist.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-29  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix after r154847.
        If you are going to exclude promises, actually exclude the build components.

        * interpreter/CallFrame.h: Exclude promise declarations
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset): Exclude promise code.
        (JSC::JSGlobalObject::visitChildren): Ditto.
        * runtime/VM.cpp: Ditto.
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-08-29  Sam Weinig  <sam@webkit.org>

        Add ENABLE guards for Promises
        https://bugs.webkit.org/show_bug.cgi?id=120488

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromise.h:
        * runtime/JSPromiseCallback.cpp:
        * runtime/JSPromiseCallback.h:
        * runtime/JSPromiseConstructor.cpp:
        * runtime/JSPromiseConstructor.h:
        * runtime/JSPromisePrototype.cpp:
        * runtime/JSPromisePrototype.h:
        * runtime/JSPromiseResolver.cpp:
        * runtime/JSPromiseResolver.h:
        * runtime/JSPromiseResolverConstructor.cpp:
        * runtime/JSPromiseResolverConstructor.h:
        * runtime/JSPromiseResolverPrototype.cpp:
        * runtime/JSPromiseResolverPrototype.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callCheck):

2013-08-29  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark.
        https://bugs.webkit.org/show_bug.cgi?id=120080

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function.

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        Kill code that became dead after http://trac.webkit.org/changeset/154833

        Rubber stamped by Oliver Hunt.

        * dfg/DFGDriver.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock's magic for scaling tier-up thresholds should be more reusable
        https://bugs.webkit.org/show_bug.cgi?id=120486

        Reviewed by Oliver Hunt.
        
        Removed the counterValueForBlah() methods and exposed the reusable scaling logic
        as a adjustedCounterValue() method.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::adjustedCounterValue):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        * bytecode/CodeBlock.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::prepareForExecution() is silly
        https://bugs.webkit.org/show_bug.cgi?id=120453

        Reviewed by Oliver Hunt.
        
        Instead of saying:
        
            codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff)
        
        we should just say:
        
            JIT::compile(stuff, codeBlock, more stuff);
        
        And similarly for the LLInt and DFG.
        
        This kills a bunch of code, since CodeBlock::prepareForExecution() is just a
        wrapper that uses the JITType argument to call into the appropriate execution
        engine, which is what the user wanted to do in the first place.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        (JSC::DFG::compile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::globalWorklist):
        * dfg/DFGWorklist.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp.
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        (JSC::LLInt::setEntrypoint):
        * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h.
        * llint/LLIntEntrypoints.cpp: Removed.
        * llint/LLIntEntrypoints.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Gardening: fixed broken non-DFG build.
        https://bugs.webkit.org/show_bug.cgi?id=120481.

        Not reviewed.

        * interpreter/StackIterator.h:

2013-08-29  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.
        
        Rolling r154804 back in after fixing no-LLInt build.
        
        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).
        
        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.
        
        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.
        
        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.
        
        This patch solves these problems by reducing all of that complexity into just
        three primitives:
        
        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.
        
        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.
        
        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.
        
        This functionality is then wrapped around three convenience methods:
        
        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).
        
        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.
        
        - CodeBlock::install(). Asks the Executable to install this code block.
        
        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.
        
        It also allows me to work on FTL OSR entry and tier-up:
        
        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.
        
        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::prepareForExecutionImpl):
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::prepareForExecutionAsynchronously):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::notifyReady):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

2013-08-29  Mark Lam  <mark.lam@apple.com>

        Change StackIterator to not require writes to the JS stack.
        https://bugs.webkit.org/show_bug.cgi?id=119657.

        Reviewed by Geoffrey Garen.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/CallFrame.h:
        - Removed references to StackIteratorPrivate.h.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::numberOfFrames):
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        (JSC::StackIterator::find):
        (JSC::StackIterator::readFrame):
        (JSC::StackIterator::readNonInlinedFrame):
        - Reads in the current CallFrame's data for non-inlined frames.
        (JSC::inlinedFrameOffset):
        - Convenience function to compute the inlined frame offset based on the
          CodeOrigin. If the offset is 0, then we're looking at the physical frame.
          Otherwise, it's an inlined frame.
        (JSC::StackIterator::readInlinedFrame):
        - Determines the inlined frame's caller frame. Will read in the caller
          frame if it is also an inlined frame i.e. we haven't reached the
          outer most frame yet. Otherwise, will call readNonInlinedFrame() to
          read on the outer most frame.
          This is based on the old StackIterator::Frame::logicalFrame().
        (JSC::StackIterator::updateFrame):
        - Reads the data of the caller frame of the current one. This function
          is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
          but is now simplified because it delegates to the readInlinedFrame()
          to get the caller for inlined frames.
        (JSC::StackIterator::Frame::arguments):
        - Fixed to use the inlined frame versions of Arguments::create() and
          Arguments::tearOff() when the frame is an inlined frame.
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        (debugPrintStack):
        - Because sometimes, we want to see the whole stack while debugging.
        * interpreter/StackIterator.h:
        (JSC::StackIterator::Frame::argumentCount):
        (JSC::StackIterator::Frame::callerFrame):
        (JSC::StackIterator::Frame::callee):
        (JSC::StackIterator::Frame::scope):
        (JSC::StackIterator::Frame::codeBlock):
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::inlinedFrameInfo):
        (JSC::StackIterator::Frame::isJSFrame):
        (JSC::StackIterator::Frame::isInlinedFrame):
        (JSC::StackIterator::Frame::callFrame):
        (JSC::StackIterator::Frame::Frame):
        (JSC::StackIterator::Frame::~Frame):
        - StackIterator::Frame now caches commonly used accessed values from
          the CallFrame. It still delegates argument queries to the CallFrame.
        (JSC::StackIterator::operator*):
        (JSC::StackIterator::operator->):
        (JSC::StackIterator::operator!=):
        (JSC::StackIterator::operator++):
        (JSC::StackIterator::end):
        (JSC::StackIterator::operator==):
        * interpreter/StackIteratorPrivate.h: Removed.

2013-08-29  Chris Curtis  <chris_curtis@apple.com>

        VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
        https://bugs.webkit.org/show_bug.cgi?id=120472

        Reviewed by Filip Pizlo.
        
        With the JIT disabled, interpreterThrowInCaller was attempting to throw an error, 
        but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller
        throwException can be called when topCallFrame is set.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h:

        Renamed genericThrow -> genericUnwind, because this function no longer has the ability
        to throw errors. It unwinds the stack in order to report them. 
        * dfg/DFGOperations.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        (JSC::jitThrowNew):
        (JSC::jitThrow):
        * jit/JITExceptions.h:
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):
    
2013-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154804.
        http://trac.webkit.org/changeset/154804
        https://bugs.webkit.org/show_bug.cgi?id=120477

        Broke Windows build (assumes LLInt features not enabled on
        this build) (Requested by bfulgham on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::reoptimize):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::FunctionCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType):
        (JSC::CodeBlock::jitCompile):
        * bytecode/DeferredCompilationCallback.cpp: Removed.
        * bytecode/DeferredCompilationCallback.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::runThread):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Added.
        (JSC::jitCompileIfAppropriateImpl):
        (JSC::jitCompileFunctionIfAppropriateImpl):
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
        * jit/JITToDFGDeferredCompilationCallback.h: Removed.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::getFunctionEntrypoint):
        (JSC::LLInt::getEvalEntrypoint):
        (JSC::LLInt::getProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        (JSC::LLInt::getEntrypoint):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::jitCompile):
        (JSC::EvalExecutable::compileInternal):
        (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
        (JSC::FunctionExecutable::compileForConstructInternal):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
        * runtime/Executable.h:
        (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::offsetOfNumParametersFor):
        (JSC::ExecutableBase::catchRoutineFor):
        (JSC::EvalExecutable::compile):
        (JSC::ProgramExecutable::compile):
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h: Added.
        (JSC::prepareForExecutionImpl):
        (JSC::prepareFunctionForExecutionImpl):
        (JSC::installOptimizedCode):
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        (JSC::replaceWithDeferredOptimizedCode):

2013-08-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock compilation and installation should be simplified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=120326

        Reviewed by Oliver Hunt.
        
        Previously Executable owned the code for generating JIT code; you always had
        to go through Executable. But often you also had to go through CodeBlock,
        because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
        So you'd ask CodeBlock to do something, which would dispatch through a
        virtual method that would select the appropriate Executable subtype's method.
        This all meant that the same code would often be duplicated, because most of
        the work needed to compile something was identical regardless of code type.
        But then we tried to fix this, by having templatized helpers in
        ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
        out what happened when you asked for something to be compiled, you'd go on a
        wild ride that started with CodeBlock, touched upon Executable, and then
        ricocheted into either ExecutionHarness or JITDriver (likely both).
        
        Another awkwardness was that for concurrent compiles, the DFG::Worklist had
        super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
        done once the compilation finished.
        
        Also, most of the DFG JIT drivers assumed that they couldn't install the
        JITCode into the CodeBlock directly - instead they would return it via a
        reference, which happened to be a reference to the JITCode pointer in
        Executable. This was super weird.
        
        Finally, there was no notion of compiling code into a special CodeBlock that
        wasn't used for handling calls into an Executable. I'd like this for FTL OSR
        entry.
        
        This patch solves these problems by reducing all of that complexity into just
        three primitives:
        
        - Executable::newCodeBlock(). This gives you a new code block, either for call
          or for construct, and either to serve as the baseline code or the optimized
          code. The new code block is then owned by the caller; Executable doesn't
          register it anywhere. The new code block has no JITCode and isn't callable,
          but it has all of the bytecode.
        
        - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
          produces a JITCode, and then installs the JITCode into the CodeBlock. This
          method takes a JITType, and always compiles with that JIT. If you ask for
          JITCode::InterpreterThunk then you'll get JITCode that just points to the
          LLInt entrypoints. Once this returns, it is possible to call into the
          CodeBlock if you do so manually - but the Executable still won't know about
          it so JS calls to that Executable will still be routed to whatever CodeBlock
          is associated with the Executable.
        
        - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
          entry for that Executable. This involves unlinking the Executable's last
          CodeBlock, if there was one. This also tells the GC about any effect on
          memory usage and does a bunch of weird data structure rewiring, since
          Executable caches some of CodeBlock's fields for the benefit of virtual call
          fast paths.
        
        This functionality is then wrapped around three convenience methods:
        
        - Executable::prepareForExecution(). If there is no code block for that
          Executable, then one is created (newCodeBlock()), compiled
          (CodeBlock::prepareForExecution()) and installed (installCode()).
        
        - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
          can serve as an optimized replacement of the current one.
        
        - CodeBlock::install(). Asks the Executable to install this code block.
        
        This patch allows me to kill *a lot* of code and to remove a lot of
        specializations for functions vs. not-functions, and a lot of places where we
        pass around JITCode references and such. ExecutionHarness and JITDriver are
        both gone. Overall this patch has more red than green.
        
        It also allows me to work on FTL OSR entry and tier-up:
        
        - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
          to do some compilation, but it will require the DFG::Worklist to do
          something different than what JITStubs.cpp would want, once the compilation
          finishes. This patch introduces a callback mechanism for that purpose.
        
        - FTL OSR entry: this will involve creating a special auto-jettisoned
          CodeBlock that is used only for FTL OSR entry. The new set of primitives
          allows for this: Executable can vend you a fresh new CodeBlock, and you can
          ask that CodeBlock to compile itself with any JIT of your choosing. Or you
          can take that CodeBlock and compile it yourself. Previously the act of
          producing a CodeBlock-for-optimization and the act of compiling code for it
          were tightly coupled; now you can separate them and you can create such
          auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::prepareForExecution):
        (JSC::CodeBlock::install):
        (JSC::CodeBlock::newReplacement):
        (JSC::FunctionCodeBlock::jettisonImpl):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasBaselineJITProfiling):
        * bytecode/DeferredCompilationCallback.cpp: Added.
        (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
        (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
        * bytecode/DeferredCompilationCallback.h: Added.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::tryCompile):
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        * dfg/DFGFailedFinalizer.cpp:
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        (JSC::DFG::Plan::finalizeAndNotifyCallback):
        * dfg/DFGPlan.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * heap/Heap.h:
        (JSC::Heap::isDeferred):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JITDriver.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
        (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
        (JSC::JITToDFGDeferredCompilationCallback::create):
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        * jit/JITToDFGDeferredCompilationCallback.h: Added.
        * llint/LLIntEntrypoints.cpp:
        (JSC::LLInt::setFunctionEntrypoint):
        (JSC::LLInt::setEvalEntrypoint):
        (JSC::LLInt::setProgramEntrypoint):
        * llint/LLIntEntrypoints.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::setUpCall):
        * runtime/ArrayPrototype.cpp:
        (JSC::isNumericCompareFunction):
        * runtime/CommonSlowPaths.cpp:
        * runtime/CompilationResult.cpp:
        (WTF::printInternal):
        * runtime/CompilationResult.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode):
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::ScriptExecutable::newReplacementCodeBlockFor):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::prepareForExecution):
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * runtime/ExecutionHarness.h: Removed.

2013-08-28  Chris Curtis  <chris_curtis@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119548
        Refactoring Exception throws.
        
        Reviewed by Geoffrey Garen.
        
        Gardening of exception throws. The act of throwing an exception was being handled in 
        different ways depending on whether the code was running in the LLint, Baseline JIT, 
        or the DFG Jit. This made development in the vm exception and error objects difficult.
        
         * runtime/VM.cpp:
        (JSC::appendSourceToError): 
        This function moved from the interpreter into the VM. It views the developers code
        (if there is a codeBlock) to extract what was trying to be evaluated when the error
        occurred.
        
        (JSC::VM::throwException):
        This function takes in the error object and sets the following:
            1: The VM's exception stack
            2: The VM's exception 
            3: Appends extra information on the error message(via appendSourceToError)
            4: The error object's line number
            5: The error object's column number
            6: The error object's sourceURL
            7: The error object's stack trace (unless it already exists because the developer 
                created the error object). 

        (JSC::VM::getExceptionInfo):
        (JSC::VM::setExceptionInfo):
        (JSC::VM::clearException):
        (JSC::clearExceptionStack):
        * runtime/VM.h:
        (JSC::VM::exceptionOffset):
        (JSC::VM::exception):
        (JSC::VM::addressOfException):
        (JSC::VM::exceptionStack):
        VM exception and exceptionStack are now private data members.

        * interpreter/Interpreter.h:
        (JSC::ClearExceptionScope::ClearExceptionScope):
        Created this structure to temporarily clear the exception within the VM. This 
        needed to see if addition errors occur when setting the debugger as we are 
        unwinding the stack.

         * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind): 
        Removed the code that would try to add error information if it did not exist. 
        All of this functionality has moved into the VM and all error information is set 
        at the time the error occurs. 

        The rest of these functions reference the new calling convention to throw an error.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::defaultValue):
        (JSC::::put):
        (JSC::::putByIndex):
        (JSC::::deleteProperty):
        (JSC::::construct):
        (JSC::::customHasInstance):
        (JSC::::call):
        (JSC::::getStaticValue):
        (JSC::::staticFunctionGetter):
        (JSC::::callbackGetter):
        * debugger/Debugger.cpp:
        (JSC::evaluateInGlobalCallFrame):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluate):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * interpreter/CallFrame.h:
        (JSC::ExecState::clearException):
        (JSC::ExecState::exception):
        (JSC::ExecState::hadException):
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::loadVarargs):
        (JSC::stackTraceAsString):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * interpreter/Interpreter.h:
        (JSC::ClearExceptionScope::ClearExceptionScope):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITExceptions.cpp:
        (JSC::genericThrow):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_catch):
        * jit/JITStubs.cpp:
        (JSC::returnToThrowTrampoline):
        (JSC::throwExceptionFromOpCall):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        (JSC::putByVal):
        (JSC::cti_vm_handle_exception):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * jsc.cpp:
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::doThrow):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayConstructor.cpp:
        (JSC::constructArrayWithSizeQuirk):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::opIn):
        * runtime/CommonSlowPathsExceptions.cpp:
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/Completion.cpp:
        (JSC::evaluate):
        * runtime/Error.cpp:
        (JSC::addErrorInfo):
        (JSC::throwTypeError):
        (JSC::throwSyntaxError):
        * runtime/Error.h:
        (JSC::throwVMError):
        * runtime/ExceptionHelpers.cpp:
        (JSC::throwOutOfMemoryError):
        (JSC::throwStackOverflowError):
        (JSC::throwTerminatedExecutionException):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::create):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunction):
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        (JSC::JSArray::put):
        (JSC::JSArray::push):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toObjectSlowCase):
        (JSC::JSValue::synthesizePrototype):
        (JSC::JSValue::putToPrimitive):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::validateRange):
        (JSC::::setWithSpecificType):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):
        (JSC::decode):
        (JSC::globalFuncProtoSetter):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::put):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::defaultValue):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::defaultHasInstance):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::throwTypeError):
        * runtime/ObjectConstructor.cpp:
        (JSC::toPropertyDescriptor):
        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringRecursionChecker.cpp:
        (JSC::StringRecursionChecker::throwStackOverflowError):

2013-08-28  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Add support for building JSC with FTL JIT enabled
        https://bugs.webkit.org/show_bug.cgi?id=120270

        Reviewed by Filip Pizlo.

        * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
        compiler flags for the JSC library.
        * GNUmakefile.list.am: Add the missing build targets.
        * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
        failures when using the Clang compiler with the libstdc++ standard library.
        (JSC::FTL::mdKindID):
        (JSC::FTL::mdString):

2013-08-23  Andy Estes  <aestes@apple.com>

        Fix issues found by the Clang Static Analyzer
        https://bugs.webkit.org/show_bug.cgi?id=120230

        Reviewed by Darin Adler.

        * API/JSValue.mm:
        (valueToString): Don't leak every CFStringRef when in Objective-C GC.
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
        release m_invocation's target since NSInvocation will do it for us on
        -dealloc.
        (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
        and -release our reference to the copied block.
        * API/tests/minidom.c:
        (createStringWithContentsOfFile): Free buffer before returning.
        * API/tests/testapi.c:
        (createStringWithContentsOfFile): Ditto.

2013-08-26  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix after r154629.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-08-26  Ryosuke Niwa  <rniwa@webkit.org>

        Windows build fix attempt after r154629.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-08-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
        https://bugs.webkit.org/show_bug.cgi?id=120278

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

2013-08-26  Filip Pizlo  <fpizlo@apple.com>

        Fix indention of Executable.h.

        Rubber stamped by Mark Hahnenberg.

        * runtime/Executable.h:

2013-08-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
        https://bugs.webkit.org/show_bug.cgi?id=120314

        Reviewed by Darin Adler.

        Currently with the way that defineProperty works, we leave a stray low bit set in 
        PropertyDescriptor::m_attributes in the following code:

        var o = {};
        Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
        
        This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1 
        instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF, 
        but only the top three bits mean anything. Even in the case above, the top three bits are set 
        to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.

        Since some of these attributes and their corresponding values are exposed in the JavaScriptCore 
        framework's public C API, it's safer to just change how we calculate the default value, which is
        where the weirdness was originating from in the first place.

        * runtime/PropertyDescriptor.cpp:

2013-08-24  Sam Weinig  <sam@webkit.org>

        Add support for Promises
        https://bugs.webkit.org/show_bug.cgi?id=120260

        Reviewed by Darin Adler.

        Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
        - Despite Promises being defined in the DOM, the implementation is being put in JSC
          in preparation for the Promises eventually being defined in ECMAScript.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        Add new files.

        * jsc.cpp:
        Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This mean's
        you can't quite use Promises with with the command line tool yet.
    
        * interpreter/CallFrame.h:
        (JSC::ExecState::promisePrototypeTable):
        (JSC::ExecState::promiseConstructorTable):
        (JSC::ExecState::promiseResolverPrototypeTable):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        Add supporting code for the new static lookup tables.

        * runtime/CommonIdentifiers.h:
        Add 3 new identifiers, "Promise", "PromiseResolver", and "then".

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        Add supporting code Promise and PromiseResolver's constructors and structures.

        * runtime/JSGlobalObject.h:
        (JSC::TaskContext::~TaskContext):
        Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.

        (JSC::JSGlobalObject::promisePrototype):
        (JSC::JSGlobalObject::promiseResolverPrototype):
        (JSC::JSGlobalObject::promiseStructure):
        (JSC::JSGlobalObject::promiseResolverStructure):
        (JSC::JSGlobalObject::promiseCallbackStructure):
        (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
        Add supporting code Promise and PromiseResolver's constructors and structures.

        * runtime/JSPromise.cpp: Added.
        * runtime/JSPromise.h: Added.
        * runtime/JSPromiseCallback.cpp: Added.
        * runtime/JSPromiseCallback.h: Added.
        * runtime/JSPromiseConstructor.cpp: Added.
        * runtime/JSPromiseConstructor.h: Added.
        * runtime/JSPromisePrototype.cpp: Added.
        * runtime/JSPromisePrototype.h: Added.
        * runtime/JSPromiseResolver.cpp: Added.
        * runtime/JSPromiseResolver.h: Added.
        * runtime/JSPromiseResolverConstructor.cpp: Added.
        * runtime/JSPromiseResolverConstructor.h: Added.
        * runtime/JSPromiseResolverPrototype.cpp: Added.
        * runtime/JSPromiseResolverPrototype.h: Added.
        Add Promise implementation.

2013-08-26  Zan Dobersek  <zdobersek@igalia.com>

        Plenty of -Wcast-align warnings in KeywordLookup.h
        https://bugs.webkit.org/show_bug.cgi?id=120316

        Reviewed by Darin Adler.

        * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
        the character pointers to types of larger size. This avoids spewing lots of warnings
        in the KeywordLookup.h header when compiling with the -Wcast-align option.

2013-08-26  Gavin Barraclough  <barraclough@apple.com>

        RegExpMatchesArray should not call [[put]]
        https://bugs.webkit.org/show_bug.cgi?id=120317

        Reviewed by Oliver Hunt.

        This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
        property called index or input to either of these prototypes will result in broken behavior.

        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
            - put -> putDirect

2013-08-24  Filip Pizlo  <fpizlo@apple.com>

        FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
        https://bugs.webkit.org/show_bug.cgi?id=120228

        Reviewed by Oliver Hunt.
        
        It turns out that there were three problems:
        
        - Using jsNumber() meant that we were converting doubles to integers and then
          possibly back again whenever doing a set() between floating point arrays.
        
        - Slow-path accesses to double typed arrays were slower than necessary because
          of the to-int conversion attempt.
        
        - The use of JSValue as an intermediate for converting between differen types
          in typedArray.set() resulted in worse code than I had previously expected.
        
        This patch solves the problem by using template double-dispatch to ensure that
        that C++ compiler sees the simplest possible combination of casts between any
        combination of typed array types, while still preserving JS and typed array
        conversion semantics. Conversions are done as follows:
        
            SourceAdaptor::convertTo<TargetAdaptor>(value)
        
        Internally, convertTo() calls one of three possible methods on TargetAdaptor,
        with one method for each of int32_t, uint32_t, and double. This means that the
        C++ compiler will at worst see a widening cast to one of those types followed
        by a narrowing conversion (not necessarily a cast - may have clamping or the
        JS toInt32() function).
        
        This change doesn't just affect typedArray.set(); it also affects slow-path
        accesses to typed arrays as well. This patch also adds a bunch of new test
        coverage.
        
        This change is a ~50% speed-up on typedArray.set() involving floating point
        types.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::set):
        * runtime/JSDataViewPrototype.cpp:
        (JSC::setData):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
        (JSC::JSGenericTypedArrayView::setIndexQuickly):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::setWithSpecificType):
        (JSC::::set):
        * runtime/ToNativeFromValue.h: Added.
        (JSC::toNativeFromValue):
        * runtime/TypedArrayAdaptors.h:
        (JSC::IntegralTypedArrayAdaptor::toJSValue):
        (JSC::IntegralTypedArrayAdaptor::toDouble):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
        (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
        (JSC::IntegralTypedArrayAdaptor::convertTo):
        (JSC::FloatTypedArrayAdaptor::toJSValue):
        (JSC::FloatTypedArrayAdaptor::toDouble):
        (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
        (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
        (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
        (JSC::FloatTypedArrayAdaptor::convertTo):
        (JSC::Uint8ClampedAdaptor::toJSValue):
        (JSC::Uint8ClampedAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
        (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
        (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
        (JSC::Uint8ClampedAdaptor::convertTo):

2013-08-24  Dan Bernstein  <mitz@apple.com>

        [mac] link against libz in a more civilized manner
        https://bugs.webkit.org/show_bug.cgi?id=120258

        Reviewed by Darin Adler.

        * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
        * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
        Link Binary With Libraries build phase.

2013-08-23  Laszlo Papp  <lpapp@kde.org>

        Failure building with python3
        https://bugs.webkit.org/show_bug.cgi?id=106645

        Reviewed by Benjamin Poulain.

        Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
        Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.

        * disassembler/udis86/itab.py:
        (UdItabGenerator.genInsnTable):
        * disassembler/udis86/ud_opcode.py:
        (UdOpcodeTables.print_table):
        * disassembler/udis86/ud_optable.py:
        (UdOptableXmlParser.parseDef):
        (UdOptableXmlParser.parse):
        (printFn):

2013-08-23  Filip Pizlo  <fpizlo@apple.com>

        Incorrect TypedArray#set behavior
        https://bugs.webkit.org/show_bug.cgi?id=83818

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
        not smart enough to figure out optimal versions for *all* of the cases. But I
        did come up with optimal implementations for most of the cases, and I wrote
        spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
        enough to write optimal code for.

        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::hasArrayBuffer):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::existingBufferInButterfly):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::setWithSpecificType):
        (JSC::::set):
        (JSC::::existingBuffer):

2013-08-23  Alex Christensen  <achristensen@apple.com>

        Re-separating Win32 and Win64 builds.
        https://bugs.webkit.org/show_bug.cgi?id=120178

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        Pass PlatformArchitecture as a command line parameter to bash scripts.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).

2013-08-22  Filip Pizlo  <fpizlo@apple.com>

        build-jsc --ftl-jit should work
        https://bugs.webkit.org/show_bug.cgi?id=120194

        Reviewed by Oliver Hunt.

        * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
        * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
        * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
        * ftl/FTLLowerDFGToLLVM.cpp: Build fix
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):

2013-08-23  Oliver Hunt  <oliver@apple.com>

        Re-sort xcode project file

        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-08-23  Oliver Hunt  <oliver@apple.com>

        Support in memory compression of rarely used data
        https://bugs.webkit.org/show_bug.cgi?id=120143

        Reviewed by Gavin Barraclough.

        Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.

        * Configurations/JavaScriptCore.xcconfig:
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
        (JSC::UnlinkedCodeBlock::addExpressionInfo):
        * bytecode/UnlinkedCodeBlock.h:

2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject and JSArray code shouldn't have to tiptoe around garbage collection
        https://bugs.webkit.org/show_bug.cgi?id=120179

        Reviewed by Geoffrey Garen.

        There are many places in the code for JSObject and JSArray where they are manipulating their 
        Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
        these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
        like it will make this dance even more intricate. To make everybody's lives easier we should use 
        the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
        code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
        should not incur any additional overhead.

        * heap/Heap.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):

2013-08-22  Filip Pizlo  <fpizlo@apple.com>

        Update LLVM binary drops and scripts to the latest version from SVN
        https://bugs.webkit.org/show_bug.cgi?id=120184

        Reviewed by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-08-22  Gavin Barraclough  <barraclough@apple.com>

        Don't leak registers for redeclared variables
        https://bugs.webkit.org/show_bug.cgi?id=120174

        Reviewed by Geoff Garen.

        We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
        Only allocate new registers when necessary.

        No performance impact.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
            - Don't allocate the register here.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
            - Allocate the register here instead.

2013-08-22  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120128
        Remove putDirectVirtual

        Unreviewed, checked in commented out code. :-(

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
            - delete commented out code

2013-08-22  Gavin Barraclough  <barraclough@apple.com>

        Error.stack should not be enumerable
        https://bugs.webkit.org/show_bug.cgi?id=120171

        Reviewed by Oliver Hunt.

        Breaks ECMA tests.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
            - None -> DontEnum

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120128
        Remove putDirectVirtual

        Reviewed by Sam Weinig.

        This could most generously be described as 'vestigial'.
        No performance impact.

        * API/JSObjectRef.cpp:
        (JSObjectSetProperty):
            - changed to use defineOwnProperty
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
            - remove putDirectVirtual
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
            - changed to use defineOwnProperty
        * runtime/ClassInfo.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        * runtime/JSProxy.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSSymbolTableObject.h:
            - remove putDirectVirtual
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::PropertyDescriptor):
            - added constructor for convenience

2013-08-22  Chris Curtis  <chris_curtis@apple.com>

        errorDescriptionForValue() should not assume error value is an Object
        https://bugs.webkit.org/show_bug.cgi?id=119812

        Reviewed by Geoffrey Garen.

        Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
        has no type, the function now returns the empty string. 
        * runtime/ExceptionHelpers.cpp:
        (JSC::errorDescriptionForValue):

2013-08-22  Julien Brianceau  <jbrianceau@nds.com>

        Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=120107

        Reviewed by Yong Li.

        EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-08-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r154416.
        http://trac.webkit.org/changeset/154416
        https://bugs.webkit.org/show_bug.cgi?id=120147

        Broke Windows builds (Requested by rniwa on #webkit).

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        Clarify var/const/function declaration
        https://bugs.webkit.org/show_bug.cgi?id=120144

        Reviewed by Sam Weinig.

        Add methods to JSGlobalObject to declare vars, consts, and functions.

        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::initializeGlobalProperties):
        * runtime/Executable.h:
            - Moved declaration code to JSGlobalObject
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
            - internal implementation of addVar, addConst, addFunction
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addVar):
        (JSC::JSGlobalObject::addConst):
        (JSC::JSGlobalObject::addFunction):
            - Added methods to declare vars, consts, and functions

2013-08-21  Yi Shen  <max.hong.shen@gmail.com>

        https://bugs.webkit.org/show_bug.cgi?id=119900
        Exception in global setter doesn't unwind correctly

        Reviewed by Geoffrey Garen.

        Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename/refactor setButterfly/setStructure
        https://bugs.webkit.org/show_bug.cgi?id=120138

        Reviewed by Geoffrey Garen.

        setButterfly becomes setStructureAndButterfly.

        Also removed the Butterfly* argument from setStructure and just implicitly
        used m_butterfly internally since that's what every single client of setStructure
        was doing already.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setStructureAndButterfly):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Unreviewed typo fix

        * runtime/JSObject.h:
            - fix typo

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120139
        PropertyDescriptor argument to define methods should be const

        Rubber stamped by Sam Weinig.

        This should never be modified, and this way we can use rvalues.

        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::defineOwnProperty):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/Arguments.h:
        * runtime/ClassInfo.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::defineOwnProperty):
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::defineOwnProperty):
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::defineOwnProperty):
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        (JSC::JSObject::defineOwnProperty):
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::defineOwnProperty):
        * runtime/JSProxy.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::defineOwnProperty):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::defineOwnProperty):
        * runtime/RegExpObject.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::defineOwnProperty):
        * runtime/StringObject.h:
            - make PropertyDescriptor const

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Crash under JITCompiler::link while loading Gmail
        https://bugs.webkit.org/show_bug.cgi?id=119872

        Reviewed by Mark Hahnenberg.
        
        Apparently, unsigned + signed = unsigned. Work around it with a cast.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-08-21  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120137> Separating Win32 and Win64 builds.

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        Pass PlatformArchitecture as a command line parameter to bash scripts.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.vcxproj/build-generated-files.sh:
        Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).

2013-08-21  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
        https://bugs.webkit.org/show_bug.cgi?id=120099

        Reviewed by Mark Hahnenberg.
        
        JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
        JSDataView may have ordinary JS indexed properties.

        * runtime/ClassInfo.h:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finishCreation):
        * runtime/JSArrayBufferView.h:
        (JSC::hasArrayBuffer):
        * runtime/JSArrayBufferViewInlines.h:
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::slowDownAndWasteMemory):
        * runtime/JSDataView.h:
        (JSC::JSDataView::buffer):
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::visitChildren):
        (JSC::::slowDownAndWasteMemory):

2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove incorrect ASSERT from CopyVisitor::visitItem

        Rubber stamped by Filip Pizlo.

        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitItem):

2013-08-21  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120127
        Remove JSObject::propertyIsEnumerable

        Reviewed by Sam Weinig.

        This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove propertyIsEnumerable
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncPropertyIsEnumerable):
            - Move implementation here using getOwnPropertyDescriptor directly.

2013-08-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline new typedArray()
        https://bugs.webkit.org/show_bug.cgi?id=120022

        Reviewed by Oliver Hunt.
        
        Adds inlining of typed array allocations in the DFG. Any operation of the
        form:
        
            new foo(blah)
        
        or:
        
            foo(blah)
        
        where 'foo' is a typed array constructor and 'blah' is exactly one argument,
        is turned into the NewTypedArray intrinsic. Later, of child1 (i.e. 'blah')
        is predicted integer, we generate inline code for an allocation. Otherwise
        it turns into a call to an operation that behaves like the constructor would
        if it was passed one argument (i.e. it may wrap a buffer or it may create a
        copy or another array, or it may allocate an array of that length).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromTypedArrayType):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasTypedArrayType):
        (JSC::DFG::Node::typedArrayType):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::newTypedArrayWithSize):
        (JSC::DFG::newTypedArrayWithOneArgument):
        * dfg/DFGOperations.h:
        (JSC::DFG::operationNewTypedArrayWithSizeForType):
        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/JSArray.h:
        (JSC::JSArray::allocationSize):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::allocationSize):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayView):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::allocationSize):
        * runtime/TypedArrayType.cpp:
        (JSC::constructorClassInfoForType):
        * runtime/TypedArrayType.h:
        (JSC::indexToTypedArrayType):

2013-08-21  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.

        Reviewed by Geoffrey Garen.

        * dfg/DFGOperations.h:

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120093
        Remove getOwnPropertyDescriptor trap

        Reviewed by Geoff Garen.

        All implementations of this method are now called via the method table, and equivalent in behaviour.
        Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.

        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.cpp:
        * runtime/Arguments.h:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        * runtime/ArrayPrototype.h:
        * runtime/BooleanPrototype.cpp:
        * runtime/BooleanPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ClassInfo.h:
            - remove getOwnPropertyDescriptor from MethodTable
        * runtime/DateConstructor.cpp:
        * runtime/DateConstructor.h:
        * runtime/DatePrototype.cpp:
        * runtime/DatePrototype.h:
        * runtime/ErrorPrototype.cpp:
        * runtime/ErrorPrototype.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        * runtime/JSArray.h:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBuffer.h:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayBufferView.h:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp:
        * runtime/JSDataView.h:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSDataViewPrototype.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayView.h:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSONObject.cpp:
        * runtime/JSONObject.h:
            - remove getOwnPropertyDescriptor
        * runtime/JSObject.cpp:
        (JSC::JSObject::propertyIsEnumerable):
            - switch to call new getOwnPropertyDescriptor member function
        (JSC::JSObject::getOwnPropertyDescriptor):
            - new, based on imlementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        (JSC::JSObject::defineOwnNonIndexProperty):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/JSObject.h:
        * runtime/JSProxy.cpp:
        * runtime/JSProxy.h:
        * runtime/NamePrototype.cpp:
        * runtime/NamePrototype.h:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberConstructor.h:
        * runtime/NumberPrototype.cpp:
        * runtime/NumberPrototype.h:
            - remove getOwnPropertyDescriptor
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyDescriptor):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
            - switch to call new getOwnPropertyDescriptor member function
        * runtime/ObjectConstructor.h:
            - remove getOwnPropertyDescriptor
        * runtime/PropertyDescriptor.h:
            - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpObject.h:
        * runtime/RegExpPrototype.cpp:
        * runtime/RegExpPrototype.h:
        * runtime/StringConstructor.cpp:
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        * runtime/StringObject.h:
            - remove getOwnPropertyDescriptor

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption

        Reviewed by Oliver Hunt.

        When we flatten an object in dictionary mode, we compact its properties. If the object 
        had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
        compaction its properties fit inline, the object's Structure "forgets" that the object 
        has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
        with bytes = 0, which causes all sorts of badness in CopiedSpace.

        Instead, after we flatten a dictionary, if properties fit inline we should clear the 
        Butterfly pointer so that the GC doesn't get confused later.

        This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
        JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
        agrees with the whether or not the object has a Butterfly. Also added an ASSERT to check
        that the number of bytes reported to SlotVisitor::copyLater is non-zero.

        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/JSObject.cpp:
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::putDirectAccessor):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructure):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 after r154156.

        Rubber stamped by Oliver Hunt.

        * jit/JITStubsMSVC64.asm:
        Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
        cti_vm_throw_slowpath to cti_vm_handle_exception.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        <https://webkit.org/b/120076> More work towards a Win64 build

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
        Use PlatformArchitecture macro instead of bin32, lib32, and obj32.

2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Geoffrey Garen.

        More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
        initializeLazyWriteBarrierFor* wrapper functions more sane. 

        Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
        and index when triggering the WriteBarrier at the end of compilation. 

        The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
        in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
        little extra work that really shouldn't have been its responsibility.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-20  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120075
        REGRESSION (r128400): BBC4 website not displaying pictures

        Reviewed by Oliver Hunt.

        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
        so that the match results will be reified before any other modification to the results array.

2013-08-19  Filip Pizlo  <fpizlo@apple.com>

        Incorrect behavior on emscripten-compiled cube2hash
        https://bugs.webkit.org/show_bug.cgi?id=120033

        Reviewed by Mark Hahnenberg.
        
        If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
        then we should bail attempts to CSE.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120073
        Remove use of GOPD from JSFunction::defineProperty

        Reviewed by Oliver Hunt.

        Call getOwnPropertySlot to check for existing properties instead.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
            - getOwnPropertyDescriptor -> getOwnPropertySlot

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120067
        Remove getPropertyDescriptor

        Reviewed by Oliver Hunt.

        This is used by lookupGetter/lookupSetter - this can easily bee replaced by getPropertySlot.
        Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().

        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
            - remove getPropertyDescriptor
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
            - replace call to getPropertyDescriptor with getPropertySlot
        * runtime/PropertyDescriptor.h:
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isAccessor):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::getterSetter):
            - rename isGetter() to isAccessor()

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120054
        Remove some dead code following getOwnPropertyDescriptor cleanup

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::getStaticFunctionSlot):
            - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.

2013-08-20  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120052
        Remove custom getOwnPropertyDescriptor for JSProxy

        Reviewed by Geoff Garen.

        GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
        Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
        object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
        assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
        the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.

        * runtime/JSProxy.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/PropertyDescriptor.h:
            - Modify own property access check to perform toThis conversion.

2013-08-20  Alex Christensen  <achristensen@apple.com>

        Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=119512

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
        Replaced obj32, bin32, and lib32 with macros for 64-bit build.

2013-08-20  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.

        Reviewed by Allan Sandfeld Jensen.

        branchPtrWithPatch() of baseline JIT must ensure that space is available for its
        instructions and two constants now DFG is enabled for sh4 architecture.
        These missing ensureSpace calls lead to random crashes.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchPtrWithPatch):

2013-08-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120034
        Remove custom getOwnPropertyDescriptor for global objects

        Reviewed by Geoff Garen.

        Fix attributes of JSC SynbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.

        * runtime/JSGlobalObject.cpp:
            - Remove custom getOwnPropertyDescriptor implementation.
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
            - The symbol table does not store the DontDelete attribute, we should be adding it back in.
        * runtime/PropertyDescriptor.h:
            - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setUndefined):
            - This is used by WebCore when blocking access to properties on cross-frame access.
              Mark blocked properties as read-only, non-configurable to prevent defineProperty.

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline typedArray.byteOffset
        https://bugs.webkit.org/show_bug.cgi?id=119962

        Reviewed by Oliver Hunt.
        
        This adds a new node, GetTypedArrayByteOffset, which inlines
        typedArray.byteOffset.
        
        Also, I improved a bunch of the clobbering logic related to typed arrays
        and clobbering in general. For example, PutByOffset/PutStructure are not
        clobber-world so they can be handled by most default cases in CSE. Also,
        It's better to use the 'Class_field' notation for typed arrays now that
        they no longer involve magical descriptor thingies.

        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::neverNeedsStorage):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::offsetOfData):
        * runtime/Butterfly.h:
        (JSC::Butterfly::offsetOfArrayBuffer):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::offsetOfArrayBuffer):

2013-08-18  Filip Pizlo  <fpizlo@apple.com>

        <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119995
        Start removing custom implementations of getOwnPropertyDescriptor

        Reviewed by Oliver Hunt.

        This can now typically implemented in terms of getOwnPropertySlot.
        Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
        Switch over most classes in JSC & the WebCore bindings generator to use this.

        * API/JSCallbackObjectFunctions.h:
        * debugger/DebuggerActivation.cpp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSCell.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGenericTypedArrayViewInlines.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/NamePrototype.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
        * runtime/PropertyDescriptor.h:
            - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isValue):
        (JSC::PropertySlot::isGetter):
        (JSC::PropertySlot::isCustom):
        (JSC::PropertySlot::isCacheableValue):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::attributes):
        (JSC::PropertySlot::getterSetter):
            - Add accessors necessary to convert PropertySlot to descriptor.
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com

        Reviewed by Sam Weinig.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
        DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
        all versions of fillSpeculateBoolean().

2013-08-19  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests

        Reviewed by Benjamin Poulain.

        Change branshTest32 to only use the byte for 8 bit test on the lower 4 registers.
        Registers 4 through 7 as byte regisers are ah, ch, dh and bh instead of sp, bp, si and di.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):

2013-08-16  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119860> Crash during exception unwinding

        Reviewed by Filip Pizlo.

        Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
        to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.

        We need this so that Throw and ThrowReferenceError no longer need to be treated as
        terminals and the subsequent flush keeps the activation (and other registers) live.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>

        <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken

        Reviewed by Oliver Hunt.

        Guard the compilation of these files only if DFG_JIT is enabled.

        * dfg/DFGDesiredTransitions.cpp:
        * dfg/DFGDesiredTransitions.h:
        * dfg/DFGDesiredWeakReferences.cpp:
        * dfg/DFGDesiredWeakReferences.h:
        * dfg/DFGDesiredWriteBarriers.cpp:
        * dfg/DFGDesiredWriteBarriers.h:

2013-08-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
        https://bugs.webkit.org/show_bug.cgi?id=119961

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-18  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119972
        Add attributes field to PropertySlot

        Reviewed by Geoff Garen.

        For all JSC types, this makes getOwnPropertyDescriptor redundant.
        There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
        (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).

        No performance impact.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
            - These mathods now all require 'attributes'.
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::inlineGetOwnPropertySlot):
            - Added variants of getDirect, getDirectOffset that return the attributes.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSArrayBuffer.cpp:
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertySlotByIndex):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::fillGetterPropertySlot):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::getStaticPropertySlot):
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticValueSlot):
        (JSC::getStaticValueDescriptor):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass attributes to PropertySlot::set* methods.

2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

        Reviewed by Filip Pizlo.

        Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
        Vector of WriteBarriers rather than the specific address. The fact that we were 
        arbitrarily storing into a Vector's backing store for constants at the end of 
        compilation after the Vector could have resized was causing crashes.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addConstant):
        * dfg/DFGDesiredWriteBarriers.cpp:
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::initializeLazyWriteBarrierForConstant):
        * dfg/DFGDesiredWriteBarriers.h:
        (JSC::DFG::DesiredWriteBarriers::add):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize typedArray.byteLength
        https://bugs.webkit.org/show_bug.cgi?id=119909

        Reviewed by Oliver Hunt.
        
        This adds typedArray.byteLength inlining to the DFG, and does so without changing
        the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
        legal since the byteLength of a typed array cannot exceed
        numeric_limits<int32_t>::max().

        * bytecode/SpeculatedType.cpp:
        (JSC::typedArrayTypeFromSpeculation):
        * bytecode/SpeculatedType.h:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toArrayType):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
        (JSC::DFG::FixupPhase::convertToGetArrayLength):
        (JSC::DFG::FixupPhase::prependGetArrayLength):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::constantRegisterForConstant):
        (JSC::DFG::Graph::convertToConstant):
        * runtime/TypedArrayType.h:
        (JSC::logElementSize):
        (JSC::elementSize):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        DFG optimizes out strict mode arguments tear off
        https://bugs.webkit.org/show_bug.cgi?id=119504

        Reviewed by Mark Hahnenberg and Oliver Hunt.
        
        Don't do the optimization for strict mode.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):

2013-08-16  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: improve code generation for xxxTest32
        https://bugs.webkit.org/show_bug.cgi?id=119876

        Reviewed by Geoffrey Garen.

        Try to use testb whenever possible when testing for an immediate value.

        When the input is an address and an offset, we can tweak the mask
        and offset to be able to generate testb for any byte of the mask.

        When the input is a register, we can use testb if we are only interested
        in testing the low bits.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::branchTest32):
        (JSC::MacroAssemblerX86Common::test32):
        (JSC::MacroAssemblerX86Common::generateTest32):

2013-08-16  Mark Lam  <mark.lam@apple.com>

        <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
        error message that an object is not a constructor though it expects a function

        Reviewed by Michael Saboff.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-08-16  Filip Pizlo  <fpizlo@apple.com>

        Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=119897

        Reviewed by Oliver Hunt.
        
        6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
        on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
        to turn objects into dictionaries when you're storing using bracket syntax or using
        eval is still in place.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::putByIdContext):
        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::PutPropertySlot):
        (JSC::PutPropertySlot::context):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:

2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>

        <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException

        Reviewed by Allan Sandfeld Jensen.

        ctiVMHandleException must jump/return using register ra (r31).

        * jit/JITStubsMIPS.h:

2013-08-16  Julien Brianceau  <jbrianceau@nds.com>

        <https://webkit.org/b/119879> Fix sh4 build after r154156.

        Reviewed by Allan Sandfeld Jensen.

        Fix typo in JITStubsSH4.h file.

        * jit/JITStubsSH4.h:

2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers

        Reviewed by Oliver Hunt.

        The concurrent compilation thread should interact minimally with the Heap, including not 
        triggering WriteBarriers. This is a prerequisite for generational GC.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::addOrFindConstant):
        (JSC::CodeBlock::findConstant):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantLazily):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::constantUndefined):
        (JSC::DFG::ByteCodeParser::constantNull):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::constantNaN):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredTransitions.cpp: Added.
        (JSC::DFG::DesiredTransition::DesiredTransition):
        (JSC::DFG::DesiredTransition::reallyAdd):
        (JSC::DFG::DesiredTransitions::DesiredTransitions):
        (JSC::DFG::DesiredTransitions::~DesiredTransitions):
        (JSC::DFG::DesiredTransitions::addLazily):
        (JSC::DFG::DesiredTransitions::reallyAdd):
        * dfg/DFGDesiredTransitions.h: Added.
        * dfg/DFGDesiredWeakReferences.cpp: Added.
        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
        (JSC::DFG::DesiredWeakReferences::addLazily):
        (JSC::DFG::DesiredWeakReferences::reallyAdd):
        * dfg/DFGDesiredWeakReferences.h: Added.
        * dfg/DFGDesiredWriteBarriers.cpp: Added.
        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
        (JSC::DFG::DesiredWriteBarrier::trigger):
        (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
        (JSC::DFG::DesiredWriteBarriers::addImpl):
        (JSC::DFG::DesiredWriteBarriers::trigger):
        * dfg/DFGDesiredWriteBarriers.h: Added.
        (JSC::DFG::DesiredWriteBarriers::add):
        (JSC::DFG::initializeLazyWriteBarrier):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addWeakReference):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPlan.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::set):
        (JSC::WriteBarrier::WriteBarrier):

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        Fix x86 32bits build after r154158

        * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.

2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r154156.

        * jit/JITStubs.cpp:
        (JSC::cti_vm_handle_exception): encode!

2013-08-15  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] x86: Use inc and dec when possible
        https://bugs.webkit.org/show_bug.cgi?id=119831

        Reviewed by Geoffrey Garen.

        When incrementing or decrementing by an immediate of 1, use the insctructions
        inc and dec instead of add and sub.
        The instructions have good timing and their encoding is smaller.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86_64::add32):
        (JSC::MacroAssemblerX86_64::sub32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::add64):
        (JSC::MacroAssemblerX86_64::sub64):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::dec_r):
        (JSC::X86Assembler::decq_r):
        (JSC::X86Assembler::inc_r):
        (JSC::X86Assembler::incq_r):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
        https://bugs.webkit.org/show_bug.cgi?id=119874

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
        sometimes for typed array length accesses, and the FixupPhase assuming that a
        ForceExit ArrayMode means that it should continue using a generic GetById.

        This fixes the confusion.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-08-15  Mark Lam  <mark.lam@apple.com>

        Fix crash when performing activation tearoff.
        https://bugs.webkit.org/show_bug.cgi?id=119848

        Reviewed by Oliver Hunt.

        The activation tearoff crash was due to a bug in the baseline JIT.
        If we have a scenario where the a baseline JIT frame calls a LLINT
        frame, an exception may be thrown while in the LLINT.

        Interpreter::throwException() which handles the exception will unwind
        all frames until it finds a catcher or sees a host frame. When we
        return from the LLINT to the baseline JIT code, the baseline JIT code
        errorneously sets topCallFrame to the value in its call frame register,
        and starts unwinding the stack frames that have already been unwound.

        The fix is:
        1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
           This is a more accurate description of what this runtime function
           is supposed to do i.e. it handles the exception which include doing
           nothing (if there are no more frames to unwind).
        2. Fix up topCallFrame values so that the HostCallFrameFlag is never
           set on it.
        3. Reloading the call frame register from topCallFrame when we're
           returning from a callee and detect exception handling in progress.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwindCallFrame):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::Interpreter::getStackTrace):
        * interpreter/Interpreter.h:
        (JSC::TopCallFrameSetter::TopCallFrameSetter):
        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::uncaughtExceptionHandler):
        - Convenience function to get the handler for uncaught exceptions.
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::reloadCallFrameFromTopCallFrame):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/JITStubs.cpp:
        (JSC::throwExceptionFromOpCall):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
        (JSC::cti_vm_handle_exception):
        - Check for the case when there are no more frames to unwind.
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        - reload cfr from topcallFrame when handling an exception.
        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - reload cfr from topcallFrame when handling an exception.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        - Ensure that topCallFrame is not set with the HostCallFrameFlag.

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Remove some code duplication.
        
        Rubber stamped by Mark Hahnenberg.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Julien Brianceau  <jbrianceau@nds.com>

        [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
        https://bugs.webkit.org/show_bug.cgi?id=119794

        Reviewed by Filip Pizlo.

        This patch fixes ASSERTs failures in debug builds for sh4 and mips architecture.

        * dfg/DFGUseKind.h:
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.

        Rubber stamped by Oliver Hunt.
        
        This was causing some test crashes for me.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Clear up improper export declaration.

        * runtime/ArrayBufferView.h:

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove some unnecessary periods from exceptions.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):

2013-08-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-14  Filip Pizlo  <fpizlo@apple.com>

        Typed arrays should be rewritten
        https://bugs.webkit.org/show_bug.cgi?id=119064

        Reviewed by Oliver Hunt.
        
        Typed arrays were previously deficient in several major ways:
        
        - They were defined separately in WebCore and in the jsc shell. The two
          implementations were different, and the jsc shell one was basically wrong.
          The WebCore one was quite awful, also.
        
        - Typed arrays were not visible to the JIT except through some weird hooks.
          For example, the JIT could not ask "what is the Structure that this typed
          array would have if I just allocated it from this global object". Also,
          it was difficult to wire any of the typed array intrinsics, because most
          of the functionality wasn't visible anywhere in JSC.
        
        - Typed array allocation was brain-dead. Allocating a typed array involved
          two JS objects, two GC weak handles, and three malloc allocations.
        
        - Neutering. It involved keeping tabs on all native views but not the view
          wrappers, even though the native views can autoneuter just by asking the
          buffer if it was neutered anytime you touch them; while the JS view
          wrappers are the ones that you really want to reach out to.
        
        - Common case-ing. Most typed arrays have one buffer and one view, and
          usually nobody touches the buffer. Yet we created all of that stuff
          anyway, using data structures optimized for the case where you had a lot
          of views.
        
        - Semantic goofs. Typed arrays should, in the future, behave like ES
          features rather than DOM features, for example when it comes to exceptions.
          Firefox already does this and I agree with them.
        
        This patch cleanses our codebase of these sins:
        
        - Typed arrays are almost entirely defined in JSC. Only the lifecycle
          management of native references to buffers is left to WebCore.
        
        - Allocating a typed array requires either two GC allocations (a cell and a
          copied storage vector) or one GC allocation, a malloc allocation, and a
          weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
          latter). The latter is only used for oversize arrays. Remember that before
          it was 7 allocations no matter what.
        
        - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
          mode/length, void* vector. Before it was a lot more than that - remember,
          there were five additional objects that did absolutely nothing for anybody.
        
        - Native views aren't tracked by the buffer, or by the wrappers. They are
          transient. In the future we'll probably switch to not even having them be
          malloc'd.
        
        - Native array buffers have an efficient way of tracking all of their JS view
          wrappers, both for neutering, and for lifecycle management. The GC
          special-cases native array buffers. This saves a bunch of grief; for example
          it means that a JS view wrapper can refer to its buffer via the butterfly,
          which would be dead by the time we went to finalize.
        
        - Typed array semantics now match Firefox, which also happens to be where the
          standards are going. The discussion on webkit-dev seemed to confirm that
          Chrome is also heading in this direction. This includes making
          Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
          ArrayBufferView as a JS-visible construct.
        
        This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
        It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
        further typed array optimizations in the JSC JITs, including inlining typed
        array allocation, inlining more of the accessors, reducing the cost of type
        checks, etc.
        
        An additional property of this patch is that typed arrays are mostly
        implemented using templates. This deduplicates a bunch of code, but does mean
        that we need some hacks for exporting s_info's of template classes. See
        JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
        low-impact compared to code duplication.
        
        Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.

        * CMakeLists.txt:
        * DerivedSources.make:
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h: Removed.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/ByValInfo.h:
        (JSC::hasOptimizableIndexingForClassInfo):
        (JSC::jitArrayModeForClassInfo):
        (JSC::typedArrayTypeForJITArrayMode):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::toTypedArrayType):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::typedArrayType):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CopyToken.h:
        * heap/DeferGC.h:
        (JSC::DeferGCForAWhile::DeferGCForAWhile):
        (JSC::DeferGCForAWhile::~DeferGCForAWhile):
        * heap/GCIncomingRefCounted.h: Added.
        (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
        (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
        (JSC::GCIncomingRefCounted::incomingReferenceAt):
        (JSC::GCIncomingRefCounted::singletonFlag):
        (JSC::GCIncomingRefCounted::hasVectorOfCells):
        (JSC::GCIncomingRefCounted::hasAnyIncoming):
        (JSC::GCIncomingRefCounted::hasSingleton):
        (JSC::GCIncomingRefCounted::singleton):
        (JSC::GCIncomingRefCounted::vectorOfCells):
        * heap/GCIncomingRefCountedInlines.h: Added.
        (JSC::::addIncomingReference):
        (JSC::::filterIncomingReferences):
        * heap/GCIncomingRefCountedSet.h: Added.
        (JSC::GCIncomingRefCountedSet::size):
        * heap/GCIncomingRefCountedSetInlines.h: Added.
        (JSC::::GCIncomingRefCountedSet):
        (JSC::::~GCIncomingRefCountedSet):
        (JSC::::addReference):
        (JSC::::sweep):
        (JSC::::removeAll):
        (JSC::::removeDead):
        * heap/Heap.cpp:
        (JSC::Heap::addReference):
        (JSC::Heap::extraSize):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::collect):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        * heap/Heap.h:
        * interpreter/CallFrame.h:
        (JSC::ExecState::dataViewTable):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByVal):
        (JSC::JIT::privateCompilePutByVal):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::transfer):
        * runtime/ArrayBuffer.h:
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::ArrayBuffer):
        (JSC::ArrayBuffer::gcSizeEstimateInBytes):
        (JSC::ArrayBuffer::pin):
        (JSC::ArrayBuffer::unpin):
        (JSC::ArrayBufferContents::tryAllocate):
        * runtime/ArrayBufferView.cpp:
        (JSC::ArrayBufferView::ArrayBufferView):
        (JSC::ArrayBufferView::~ArrayBufferView):
        (JSC::ArrayBufferView::setNeuterable):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::isNeutered):
        (JSC::ArrayBufferView::buffer):
        (JSC::ArrayBufferView::baseAddress):
        (JSC::ArrayBufferView::byteOffset):
        (JSC::ArrayBufferView::verifySubRange):
        (JSC::ArrayBufferView::clampOffsetAndNumElements):
        (JSC::ArrayBufferView::calculateOffsetAndLength):
        * runtime/ClassInfo.h:
        * runtime/CommonIdentifiers.h:
        * runtime/DataView.cpp: Added.
        (JSC::DataView::DataView):
        (JSC::DataView::create):
        (JSC::DataView::wrap):
        * runtime/DataView.h: Added.
        (JSC::DataView::byteLength):
        (JSC::DataView::getType):
        (JSC::DataView::get):
        (JSC::DataView::set):
        * runtime/Float32Array.h:
        * runtime/Float64Array.h:
        * runtime/GenericTypedArrayView.h: Added.
        (JSC::GenericTypedArrayView::data):
        (JSC::GenericTypedArrayView::set):
        (JSC::GenericTypedArrayView::setRange):
        (JSC::GenericTypedArrayView::zeroRange):
        (JSC::GenericTypedArrayView::zeroFill):
        (JSC::GenericTypedArrayView::length):
        (JSC::GenericTypedArrayView::byteLength):
        (JSC::GenericTypedArrayView::item):
        (JSC::GenericTypedArrayView::checkInboundData):
        (JSC::GenericTypedArrayView::getType):
        * runtime/GenericTypedArrayViewInlines.h: Added.
        (JSC::::GenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::subarray):
        (JSC::::wrap):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::arrayBuffer):
        (JSC::IndexingHeader::setArrayBuffer):
        * runtime/Int16Array.h:
        * runtime/Int32Array.h:
        * runtime/Int8Array.h:
        * runtime/JSArrayBuffer.cpp: Added.
        (JSC::JSArrayBuffer::JSArrayBuffer):
        (JSC::JSArrayBuffer::finishCreation):
        (JSC::JSArrayBuffer::create):
        (JSC::JSArrayBuffer::createStructure):
        (JSC::JSArrayBuffer::getOwnPropertySlot):
        (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
        (JSC::JSArrayBuffer::put):
        (JSC::JSArrayBuffer::defineOwnProperty):
        (JSC::JSArrayBuffer::deleteProperty):
        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
        * runtime/JSArrayBuffer.h: Added.
        (JSC::JSArrayBuffer::impl):
        (JSC::toArrayBuffer):
        * runtime/JSArrayBufferConstructor.cpp: Added.
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
        (JSC::JSArrayBufferConstructor::finishCreation):
        (JSC::JSArrayBufferConstructor::create):
        (JSC::JSArrayBufferConstructor::createStructure):
        (JSC::constructArrayBuffer):
        (JSC::JSArrayBufferConstructor::getConstructData):
        (JSC::JSArrayBufferConstructor::getCallData):
        * runtime/JSArrayBufferConstructor.h: Added.
        * runtime/JSArrayBufferPrototype.cpp: Added.
        (JSC::arrayBufferProtoFuncSlice):
        (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
        (JSC::JSArrayBufferPrototype::finishCreation):
        (JSC::JSArrayBufferPrototype::create):
        (JSC::JSArrayBufferPrototype::createStructure):
        * runtime/JSArrayBufferPrototype.h: Added.
        * runtime/JSArrayBufferView.cpp: Added.
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::JSArrayBufferView):
        (JSC::JSArrayBufferView::finishCreation):
        (JSC::JSArrayBufferView::getOwnPropertySlot):
        (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
        (JSC::JSArrayBufferView::put):
        (JSC::JSArrayBufferView::defineOwnProperty):
        (JSC::JSArrayBufferView::deleteProperty):
        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSArrayBufferView.h: Added.
        (JSC::JSArrayBufferView::sizeOf):
        (JSC::JSArrayBufferView::ConstructionContext::operator!):
        (JSC::JSArrayBufferView::ConstructionContext::structure):
        (JSC::JSArrayBufferView::ConstructionContext::vector):
        (JSC::JSArrayBufferView::ConstructionContext::length):
        (JSC::JSArrayBufferView::ConstructionContext::mode):
        (JSC::JSArrayBufferView::ConstructionContext::butterfly):
        (JSC::JSArrayBufferView::mode):
        (JSC::JSArrayBufferView::vector):
        (JSC::JSArrayBufferView::length):
        (JSC::JSArrayBufferView::offsetOfVector):
        (JSC::JSArrayBufferView::offsetOfLength):
        (JSC::JSArrayBufferView::offsetOfMode):
        * runtime/JSArrayBufferViewInlines.h: Added.
        (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
        (JSC::JSArrayBufferView::buffer):
        (JSC::JSArrayBufferView::impl):
        (JSC::JSArrayBufferView::neuter):
        (JSC::JSArrayBufferView::byteOffset):
        * runtime/JSCell.cpp:
        (JSC::JSCell::slowDownAndWasteMemory):
        (JSC::JSCell::getTypedArrayImpl):
        * runtime/JSCell.h:
        * runtime/JSDataView.cpp: Added.
        (JSC::JSDataView::JSDataView):
        (JSC::JSDataView::create):
        (JSC::JSDataView::createUninitialized):
        (JSC::JSDataView::set):
        (JSC::JSDataView::typedImpl):
        (JSC::JSDataView::getOwnPropertySlot):
        (JSC::JSDataView::getOwnPropertyDescriptor):
        (JSC::JSDataView::slowDownAndWasteMemory):
        (JSC::JSDataView::getTypedArrayImpl):
        (JSC::JSDataView::createStructure):
        * runtime/JSDataView.h: Added.
        * runtime/JSDataViewPrototype.cpp: Added.
        (JSC::JSDataViewPrototype::JSDataViewPrototype):
        (JSC::JSDataViewPrototype::create):
        (JSC::JSDataViewPrototype::createStructure):
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
        (JSC::getData):
        (JSC::setData):
        (JSC::dataViewProtoFuncGetInt8):
        (JSC::dataViewProtoFuncGetInt16):
        (JSC::dataViewProtoFuncGetInt32):
        (JSC::dataViewProtoFuncGetUint8):
        (JSC::dataViewProtoFuncGetUint16):
        (JSC::dataViewProtoFuncGetUint32):
        (JSC::dataViewProtoFuncGetFloat32):
        (JSC::dataViewProtoFuncGetFloat64):
        (JSC::dataViewProtoFuncSetInt8):
        (JSC::dataViewProtoFuncSetInt16):
        (JSC::dataViewProtoFuncSetInt32):
        (JSC::dataViewProtoFuncSetUint8):
        (JSC::dataViewProtoFuncSetUint16):
        (JSC::dataViewProtoFuncSetUint32):
        (JSC::dataViewProtoFuncSetFloat32):
        (JSC::dataViewProtoFuncSetFloat64):
        * runtime/JSDataViewPrototype.h: Added.
        * runtime/JSFloat32Array.h: Added.
        * runtime/JSFloat64Array.h: Added.
        * runtime/JSGenericTypedArrayView.h: Added.
        (JSC::JSGenericTypedArrayView::byteLength):
        (JSC::JSGenericTypedArrayView::byteSize):
        (JSC::JSGenericTypedArrayView::typedVector):
        (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
        (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
        (JSC::JSGenericTypedArrayView::getIndexQuickly):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
        (JSC::JSGenericTypedArrayView::setIndexQuickly):
        (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
        (JSC::JSGenericTypedArrayView::typedImpl):
        (JSC::JSGenericTypedArrayView::createStructure):
        (JSC::JSGenericTypedArrayView::info):
        (JSC::toNativeTypedView):
        * runtime/JSGenericTypedArrayViewConstructor.h: Added.
        * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
        (JSC::::JSGenericTypedArrayViewConstructor):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        (JSC::constructGenericTypedArrayView):
        (JSC::::getConstructData):
        (JSC::::getCallData):
        * runtime/JSGenericTypedArrayViewInlines.h: Added.
        (JSC::::JSGenericTypedArrayView):
        (JSC::::create):
        (JSC::::createUninitialized):
        (JSC::::validateRange):
        (JSC::::setWithSpecificType):
        (JSC::::set):
        (JSC::::getOwnPropertySlot):
        (JSC::::getOwnPropertyDescriptor):
        (JSC::::put):
        (JSC::::defineOwnProperty):
        (JSC::::deleteProperty):
        (JSC::::getOwnPropertySlotByIndex):
        (JSC::::putByIndex):
        (JSC::::deletePropertyByIndex):
        (JSC::::getOwnNonIndexPropertyNames):
        (JSC::::getOwnPropertyNames):
        (JSC::::visitChildren):
        (JSC::::copyBackingStore):
        (JSC::::slowDownAndWasteMemory):
        (JSC::::getTypedArrayImpl):
        * runtime/JSGenericTypedArrayViewPrototype.h: Added.
        * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
        (JSC::genericTypedArrayViewProtoFuncSet):
        (JSC::genericTypedArrayViewProtoFuncSubarray):
        (JSC::::JSGenericTypedArrayViewPrototype):
        (JSC::::finishCreation):
        (JSC::::create):
        (JSC::::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrayBufferPrototype):
        (JSC::JSGlobalObject::arrayBufferStructure):
        (JSC::JSGlobalObject::typedArrayStructure):
        * runtime/JSInt16Array.h: Added.
        * runtime/JSInt32Array.h: Added.
        * runtime/JSInt8Array.h: Added.
        * runtime/JSTypedArrayConstructors.cpp: Added.
        * runtime/JSTypedArrayConstructors.h: Added.
        * runtime/JSTypedArrayPrototypes.cpp: Added.
        * runtime/JSTypedArrayPrototypes.h: Added.
        * runtime/JSTypedArrays.cpp: Added.
        * runtime/JSTypedArrays.h: Added.
        * runtime/JSUint16Array.h: Added.
        * runtime/JSUint32Array.h: Added.
        * runtime/JSUint8Array.h: Added.
        * runtime/JSUint8ClampedArray.h: Added.
        * runtime/Operations.h:
        * runtime/Options.h:
        * runtime/SimpleTypedArrayController.cpp: Added.
        (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
        (JSC::SimpleTypedArrayController::toJS):
        * runtime/SimpleTypedArrayController.h: Added.
        * runtime/Structure.h:
        (JSC::Structure::couldHaveIndexingHeader):
        * runtime/StructureInlines.h:
        (JSC::Structure::hasIndexingHeader):
        * runtime/TypedArrayAdaptors.h: Added.
        (JSC::IntegralTypedArrayAdaptor::toNative):
        (JSC::IntegralTypedArrayAdaptor::toJSValue):
        (JSC::IntegralTypedArrayAdaptor::toDouble):
        (JSC::FloatTypedArrayAdaptor::toNative):
        (JSC::FloatTypedArrayAdaptor::toJSValue):
        (JSC::FloatTypedArrayAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::toNative):
        (JSC::Uint8ClampedAdaptor::toJSValue):
        (JSC::Uint8ClampedAdaptor::toDouble):
        (JSC::Uint8ClampedAdaptor::clamp):
        * runtime/TypedArrayController.cpp: Added.
        (JSC::TypedArrayController::TypedArrayController):
        (JSC::TypedArrayController::~TypedArrayController):
        * runtime/TypedArrayController.h: Added.
        * runtime/TypedArrayDescriptor.h: Removed.
        * runtime/TypedArrayInlines.h: Added.
        * runtime/TypedArrayType.cpp: Added.
        (JSC::classInfoForType):
        (WTF::printInternal):
        * runtime/TypedArrayType.h: Added.
        (JSC::toIndex):
        (JSC::isTypedView):
        (JSC::elementSize):
        (JSC::isInt):
        (JSC::isFloat):
        (JSC::isSigned):
        (JSC::isClamped):
        * runtime/TypedArrays.h: Added.
        * runtime/Uint16Array.h:
        * runtime/Uint32Array.h:
        * runtime/Uint8Array.h:
        * runtime/Uint8ClampedArray.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:

2013-08-15  Oliver Hunt  <oliver@apple.com>

        <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure

        Reviewed by Filip Pizlo.

        Make sure dfgCapabilities doesn't report a Dynamic put as
        being compilable when we don't actually support it.  

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):

2013-08-15  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
        https://bugs.webkit.org/show_bug.cgi?id=119847

        Reviewed by Oliver Hunt.

        * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
        * runtime/ArrayBufferView.h: Ditto.

2013-08-15  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=119843
        PropertySlot::setValue is ambiguous

        Reviewed by Geoff Garen.

        There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
        The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
        Unify on always providing the object, and remove the version that just takes a value.
        This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
        Provide a version of setValue that takes a JSString as the owner of the property.
        We won't store this, but it makes it clear that this interface should only be used from JSString.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::getOwnPropertySlot):
        * JSCTypedArrayStubs.h:
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTableGet):
        (JSC::JSActivation::getOwnPropertySlot):
        * runtime/JSArray.cpp:
        (JSC::JSArray::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        * runtime/JSString.h:
        (JSC::JSString::getStringPropertySlot):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass object containing property to PropertySlot::setValue
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setValue):
            - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
        (JSC::PropertySlot::setUndefined):
            - removed setValue(JSValue), added setValue(JSString*, JSValue)

2013-08-15  Oliver Hunt  <oliver@apple.com>

        Remove bogus assertion.

        RS=Filip Pizlo

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-08-15  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        REGRESSION(r148790) Made 7 tests fail on x86 32bit
        https://bugs.webkit.org/show_bug.cgi?id=114913

        Reviewed by Filip Pizlo.

        The X87 register was not freed before some calls. Instead
        of inserting resetX87Registers to the last call sites,
        the two X87 registers are now freed in every call.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2013-08-14  Michael Saboff  <msaboff@apple.com>

        Fixed jit on Win64.
        https://bugs.webkit.org/show_bug.cgi?id=119601

        Reviewed by Oliver Hunt.

        * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
        * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.

2013-08-14  Alex Christensen  <achristensen@apple.com>

        Compile fix for Win64 with jit disabled.
        https://bugs.webkit.org/show_bug.cgi?id=119804

        Reviewed by Michael Saboff.

        * offlineasm/cloop.rb: Added std:: before isnan.

2013-08-14  Julien Brianceau  <jbrianceau@nds.com>

        DFG_JIT implementation for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=119737

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::invert):
        (JSC::MacroAssemblerSH4::add32):
        (JSC::MacroAssemblerSH4::and32):
        (JSC::MacroAssemblerSH4::lshift32):
        (JSC::MacroAssemblerSH4::mul32):
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::rshift32):
        (JSC::MacroAssemblerSH4::sub32):
        (JSC::MacroAssemblerSH4::xor32):
        (JSC::MacroAssemblerSH4::store32):
        (JSC::MacroAssemblerSH4::swapDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        (JSC::MacroAssemblerSH4::subDouble):
        (JSC::MacroAssemblerSH4::mulDouble):
        (JSC::MacroAssemblerSH4::divDouble):
        (JSC::MacroAssemblerSH4::negateDouble):
        (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
        (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
        (JSC::MacroAssemblerSH4::swap):
        (JSC::MacroAssemblerSH4::jump):
        (JSC::MacroAssemblerSH4::branchNeg32):
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchMul32):
        (JSC::MacroAssemblerSH4::urshift32):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::SH4Assembler):
        (JSC::SH4Assembler::labelForWatchpoint):
        (JSC::SH4Assembler::label):
        (JSC::SH4Assembler::debugOffset):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        (JSC::DFG::AssemblyHelpers::debugCall):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupArguments):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::toRegister):
        (JSC::DFG::FPRInfo::toIndex):
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITStubs.h:
        * jit/JITStubsSH4.h:

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * API/JSValue.mm:
        (isDate):
        (isArray):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (tryUnwrapBlock):

2013-08-13  Filip Pizlo  <fpizlo@apple.com>

        Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
        https://bugs.webkit.org/show_bug.cgi?id=119770

        Reviewed by Mark Hahnenberg.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.cpp:
        (JSC::::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * JSCTypedArrayStubs.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::CallLinkStatus):
        (JSC::CallLinkStatus::function):
        (JSC::CallLinkStatus::internalFunction):
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromClassInfo):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::createStructure):
        (JSC::UnlinkedProgramCodeBlock::createStructure):
        (JSC::UnlinkedEvalCodeBlock::createStructure):
        (JSC::UnlinkedFunctionCodeBlock::createStructure):
        * debugger/Debugger.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isInternalFunctionConstant):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::virtualForThunkGenerator):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * jsc.cpp:
        (GlobalObject::createStructure):
        * profiler/LegacyProfiler.cpp:
        (JSC::LegacyProfiler::createCallIdentifier):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        (JSC::asArguments):
        (JSC::Arguments::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::arrayConstructorIsArray):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        (JSC::arrayProtoFuncConcat):
        (JSC::attemptFastSort):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        (JSC::asBooleanObject):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::finishCreation):
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        (JSC::asDateInstance):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::DatePrototype::finishCreation):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::createStructure):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.cpp:
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        (JSC::ExecutableBase::hashFor):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncApply):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        (JSC::asInternalFunction):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        (JSC::JSActivation::argumentsGetter):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        (JSC::asActivation):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        (JSC::asArray):
        (JSC::isJSArray):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isFunction):
        * runtime/JSCell.h:
        (JSC::jsCast):
        (JSC::jsDynamicCast):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::visitChildren):
        (JSC::skipOverBoundFunctions):
        (JSC::JSFunction::callerGetter):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        (JSC::slowValidateCell):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        (JSC::JSNameScope::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::finishCreation):
        (JSC::unwrapBoxedPrimitive):
        (JSC::Stringifier::Stringifier):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Stringifier::Holder::Holder):
        (JSC::Walker::walk):
        (JSC::JSONProtoFuncStringify):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::getCallableObjectSlow):
        (JSC::JSObject::visitChildren):
        (JSC::JSObject::copyBackingStore):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        (JSC::isJSFinalObject):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSString.h:
        (JSC::JSString::createStructure):
        (JSC::isJSString):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSVariableObject.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        (JSC::JSWithScope::createStructure):
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NameConstructor.h:
        (JSC::NameConstructor::createStructure):
        * runtime/NameInstance.h:
        (JSC::NameInstance::createStructure):
        (JSC::NameInstance::finishCreation):
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::finishCreation):
        (JSC::privateNameProtoFuncToString):
        * runtime/NamePrototype.h:
        (JSC::NamePrototype::createStructure):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::finishCreation):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpConstructor::visitChildren):
        (JSC::constructRegExp):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        (JSC::asRegExpConstructor):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::createStructure):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::finishCreation):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        (JSC::asRegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayValueMap::createStructure):
        * runtime/SparseArrayValueMap.h:
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.cpp:
        (JSC::StringObject::finishCreation):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        (JSC::asStringObject):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSplit):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::get):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::typeInfo):
        (JSC::Structure::previousID):
        (JSC::Structure::outOfLineSize):
        (JSC::Structure::totalStorageCapacity):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::createStructure):
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::createStructure):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::StackPreservingRecompiler::operator()):
        (JSC::VM::releaseExecutableMemory):
        * runtime/WriteBarrier.h:
        (JSC::validateCell):
        * testRegExp.cpp:
        (GlobalObject::createStructure):

2013-08-13  Arunprasad Rajkumar  <arurajku@cisco.com>

        [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
        https://bugs.webkit.org/show_bug.cgi?id=119762

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::markRoots):
        (JSC::Heap::collect):
        * jsc.cpp:
        (StopWatch::start):
        (StopWatch::stop):
        * testRegExp.cpp:
        (StopWatch::start):
        (StopWatch::stop):

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare LLINT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119755

        Reviewed by Oliver Hunt.

        * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
        * offlineasm/sh4.rb:
            - Handle storeb opcode.
            - Make relative jumps when possible using braf opcode.
            - Update bmulio implementation to be consistent with baseline JIT.
            - Remove useless code from leap opcode.
            - Fix incorrect comment.

2013-08-13  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Prepare baseline JIT for DFG_JIT implementation.
        https://bugs.webkit.org/show_bug.cgi?id=119758

        Reviewed by Oliver Hunt.

        * assembler/MacroAssemblerSH4.h:
            - Introduce a loadEffectiveAddress function to avoid code duplication.
            - Add ASSERTs and clean code.
        * assembler/SH4Assembler.h:
            - Prepare DFG_JIT implementation.
            - Add ASSERTs.
        * jit/JITStubs.cpp:
            - Add SH4 specific call for assertions.
        * jit/JITStubs.h:
            - Cosmetic change.
        * jit/JITStubsSH4.h:
            - Use constants to be more flexible with sh4 JIT stack frame.
        * jit/JSInterfaceJIT.h:
            - Cosmetic change.

2013-08-13  Oliver Hunt  <oliver@apple.com>

        Harden executeConstruct against incorrect return types from host functions
        https://bugs.webkit.org/show_bug.cgi?id=119757

        Reviewed by Mark Hahnenberg.

        Add logic to guard against bogus return types.  There doesn't seem to be any
        class in webkit that does this wrong, but the typed array stubs in debug JSC
        do exhibit this bad behaviour.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeConstruct):

2013-08-13  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Fix C++11 build with gcc 4.4 and 4.5
        https://bugs.webkit.org/show_bug.cgi?id=119736

        Reviewed by Anders Carlsson.

        Don't force C++11 mode off anymore.

        * Target.pri:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Remove CodeBlock's notion of adding identifiers entirely
        https://bugs.webkit.org/show_bug.cgi?id=119708

        Reviewed by Geoffrey Garen.

        Remove addAdditionalIdentifier entirely, including the bogus assertion.
        Move the addition of identifiers to DFGPlan::reallyAdd

        * bytecode/CodeBlock.h:
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Build fix

        * runtime/JSCell.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
        https://bugs.webkit.org/show_bug.cgi?id=119705

        Reviewed by Geoffrey Garen.

        Relatively trivial refactoring

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        (JSC::CodeBlock::numberOfIdentifiers):
        * dfg/DFGCommonData.h:

2013-08-12  Oliver Hunt  <oliver@apple.com>

        Stop making unnecessary copy of CodeBlock Identifier Vector
        https://bugs.webkit.org/show_bug.cgi?id=119702

        Reviewed by Michael Saboff.

        Make CodeBlock simply use a separate Vector for additional Identifiers
        and use the UnlinkedCodeBlock for the initial set of identifiers.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::dumpChain):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfIdentifiers):
        (JSC::CodeBlock::numberOfAdditionalIdentifiers):
        (JSC::CodeBlock::addAdditionalIdentifier):
        (JSC::CodeBlock::identifier):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::compileGetByIdSlowCase):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::compileGetByIdSlowCase):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2013-08-08  Mark Lam  <mark.lam@apple.com>

        Restoring use of StackIterator instead of Interpreter::getStacktrace().
        https://bugs.webkit.org/show_bug.cgi?id=119575.

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.h:
        - Made getStackTrace() private.
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::StackIterator):
        (JSC::StackIterator::numberOfFrames):
        - Computes the number of frames by iterating through the whole stack
          from the starting frame. The iterator will save its current frame
          position before counting the frames, and then restoring it after
          the counting.
        (JSC::StackIterator::gotoFrameAtIndex):
        (JSC::StackIterator::gotoNextFrame):
        (JSC::StackIterator::resetIterator):
        - Points the iterator to the starting frame.
        * interpreter/StackIteratorPrivate.h:

2013-08-08  Mark Lam  <mark.lam@apple.com>

        Moved ErrorConstructor and NativeErrorConstructor helper functions into
        the Interpreter class.
        https://bugs.webkit.org/show_bug.cgi?id=119576.

        Reviewed by Oliver Hunt.

        This change is needed to prepare for making Interpreter::getStackTrace()
        private. It does not change the behavior of the code, only the lexical
        scoping.

        * interpreter/Interpreter.h:
        - Added helper functions for ErrorConstructor and NativeErrorConstructor.
        * runtime/ErrorConstructor.cpp:
        (JSC::Interpreter::constructWithErrorConstructor):
        (JSC::ErrorConstructor::getConstructData):
        (JSC::Interpreter::callErrorConstructor):
        (JSC::ErrorConstructor::getCallData):
        - Don't want ErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
          class.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::Interpreter::constructWithNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getConstructData):
        (JSC::Interpreter::callNativeErrorConstructor):
        (JSC::NativeErrorConstructor::getCallData):
        - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
          directly. So, we moved the helper functions into the Interpreter
          class.

2013-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
        https://bugs.webkit.org/show_bug.cgi?id=119555

        Reviewed by Geoffrey Garen.

        It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
        This was causing crashes on maps.google.com in 32-bit debug builds.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-08-06  Michael Saboff  <msaboff@apple.com>

        REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=119405

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
        ourselves to save a register and then load from it.

2013-08-06  Filip Pizlo  <fpizlo@apple.com>

        DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
        https://bugs.webkit.org/show_bug.cgi?id=119528

        Reviewed by Geoffrey Garen.

        Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
        uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
        the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
        format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
        from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.

        This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * runtime/JSObject.h:
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):

2013-08-08  Stephanie Lewis  <slewis@apple.com>

        <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file

        Unreviewed.

        Ensure llint symbols are in source order.

        * JavaScriptCore.order:

2013-08-06  Mark Lam  <mark.lam@apple.com>

        Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
        https://bugs.webkit.org/show_bug.cgi?id=119532.

        Reviewed by Oliver Hunt.

        * parser/Parser.cpp:
        (JSC::::Parser):
        - Just need to initialize the Parser's JSTokenLocation's initial line and
          startOffset as well during Parser construction.

2013-08-06  Stephanie Lewis  <slewis@apple.com>

        Update Order Files for Safari
        <rdar://problem/14517392>

        Unreviewed.

        * JavaScriptCore.order:

2013-08-04  Sam Weinig  <sam@webkit.org>

        Remove support for HTML5 MicroData
        https://bugs.webkit.org/show_bug.cgi?id=119480

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2013-08-05  Oliver Hunt  <oliver@apple.com>

        Delay Arguments creation in strict mode
        https://bugs.webkit.org/show_bug.cgi?id=119505

        Reviewed by Geoffrey Garen.

        Make use of the write tracking performed by the parser to
        allow us to know if we're modifying the parameters to a function.
        Then use that information to make strict mode function opt out
        of eager arguments creation.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::createArgumentsIfNecessary):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
        * parser/Nodes.h:
        (JSC::ScopeNode::modifiesParameter):
        * parser/Parser.cpp:
        (JSC::::parseInner):
        * parser/Parser.h:
        (JSC::Scope::declareParameter):
        (JSC::Scope::getCapturedVariables):
        (JSC::Parser::declareWrite):
        * parser/ParserModes.h:

2013-08-06  Patrick Gansterer  <paroga@webkit.org>

        Remove useless code from COMPILER(RVCT) JITStubs
        https://bugs.webkit.org/show_bug.cgi?id=119521

        Reviewed by Geoffrey Garen.

        * jit/JITStubsARMv7.h:
        (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
        (JSC::ctiOpThrowNotCaught): Ditto.

2013-07-23  David Farler  <dfarler@apple.com>

        Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
        https://bugs.webkit.org/show_bug.cgi?id=117762

        Reviewed by Mark Rowe.

        * Configurations/DebugRelease.xcconfig:
        Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
        * Configurations/JavaScriptCore.xcconfig:
        Add ASAN_OTHER_LDFLAGS.
        * Configurations/ToolExecutable.xcconfig:
        Don't use ASAN for build tools.

2013-08-06  Patrick Gansterer  <paroga@webkit.org>

        Build fix for ARM MSVC after r153222 and r153648.

        * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.

2013-08-06  Patrick Gansterer  <paroga@webkit.org>

        Build fix for ARM MSVC after r150109.

        Read the stub template from a header files instead of the JITStubs.cpp.

        * CMakeLists.txt:
        * DerivedSources.pri:
        * create_jit_stubs:

2013-08-05  Oliver Hunt  <oliver@apple.com>

        Move TypedArray implementation into JSC
        https://bugs.webkit.org/show_bug.cgi?id=119489

        Reviewed by Filip Pizlo.

        Move TypedArray implementation into JSC in advance of re-implementation

        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
        (JSC::ArrayBuffer::transfer):
        (JSC::ArrayBuffer::addView):
        (JSC::ArrayBuffer::removeView):
        * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
        (JSC::ArrayBufferContents::ArrayBufferContents):
        (JSC::ArrayBufferContents::data):
        (JSC::ArrayBufferContents::sizeInBytes):
        (JSC::ArrayBufferContents::transfer):
        (JSC::ArrayBufferContents::copyTo):
        (JSC::ArrayBuffer::isNeutered):
        (JSC::ArrayBuffer::~ArrayBuffer):
        (JSC::ArrayBuffer::clampValue):
        (JSC::ArrayBuffer::create):
        (JSC::ArrayBuffer::createUninitialized):
        (JSC::ArrayBuffer::ArrayBuffer):
        (JSC::ArrayBuffer::data):
        (JSC::ArrayBuffer::byteLength):
        (JSC::ArrayBuffer::slice):
        (JSC::ArrayBuffer::sliceImpl):
        (JSC::ArrayBuffer::clampIndex):
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBufferContents::~ArrayBufferContents):
        * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
        (JSC::ArrayBufferView::ArrayBufferView):
        (JSC::ArrayBufferView::~ArrayBufferView):
        (JSC::ArrayBufferView::neuter):
        * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
        (JSC::ArrayBufferView::buffer):
        (JSC::ArrayBufferView::baseAddress):
        (JSC::ArrayBufferView::byteOffset):
        (JSC::ArrayBufferView::setNeuterable):
        (JSC::ArrayBufferView::isNeuterable):
        (JSC::ArrayBufferView::verifySubRange):
        (JSC::ArrayBufferView::clampOffsetAndNumElements):
        (JSC::ArrayBufferView::setImpl):
        (JSC::ArrayBufferView::setRangeImpl):
        (JSC::ArrayBufferView::zeroRangeImpl):
        (JSC::ArrayBufferView::calculateOffsetAndLength):
        * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
        (JSC::Float32Array::set):
        (JSC::Float32Array::getType):
        (JSC::Float32Array::create):
        (JSC::Float32Array::createUninitialized):
        (JSC::Float32Array::Float32Array):
        (JSC::Float32Array::subarray):
        * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
        (JSC::Float64Array::set):
        (JSC::Float64Array::getType):
        (JSC::Float64Array::create):
        (JSC::Float64Array::createUninitialized):
        (JSC::Float64Array::Float64Array):
        (JSC::Float64Array::subarray):
        * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
        (JSC::Int16Array::getType):
        (JSC::Int16Array::create):
        (JSC::Int16Array::createUninitialized):
        (JSC::Int16Array::Int16Array):
        (JSC::Int16Array::subarray):
        * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
        (JSC::Int32Array::getType):
        (JSC::Int32Array::create):
        (JSC::Int32Array::createUninitialized):
        (JSC::Int32Array::Int32Array):
        (JSC::Int32Array::subarray):
        * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
        (JSC::Int8Array::getType):
        (JSC::Int8Array::create):
        (JSC::Int8Array::createUninitialized):
        (JSC::Int8Array::Int8Array):
        (JSC::Int8Array::subarray):
        * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
        (JSC::IntegralTypedArrayBase::set):
        (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
        * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
        (JSC::TypedArrayBase::data):
        (JSC::TypedArrayBase::set):
        (JSC::TypedArrayBase::setRange):
        (JSC::TypedArrayBase::zeroRange):
        (JSC::TypedArrayBase::length):
        (JSC::TypedArrayBase::byteLength):
        (JSC::TypedArrayBase::item):
        (JSC::TypedArrayBase::checkInboundData):
        (JSC::TypedArrayBase::TypedArrayBase):
        (JSC::TypedArrayBase::create):
        (JSC::TypedArrayBase::createUninitialized):
        (JSC::TypedArrayBase::subarrayImpl):
        (JSC::TypedArrayBase::neuter):
        * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
        (JSC::Uint16Array::getType):
        (JSC::Uint16Array::create):
        (JSC::Uint16Array::createUninitialized):
        (JSC::Uint16Array::Uint16Array):
        (JSC::Uint16Array::subarray):
        * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
        (JSC::Uint32Array::getType):
        (JSC::Uint32Array::create):
        (JSC::Uint32Array::createUninitialized):
        (JSC::Uint32Array::Uint32Array):
        (JSC::Uint32Array::subarray):
        * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
        (JSC::Uint8Array::getType):
        (JSC::Uint8Array::create):
        (JSC::Uint8Array::createUninitialized):
        (JSC::Uint8Array::Uint8Array):
        (JSC::Uint8Array::subarray):
        * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
        (JSC::Uint8ClampedArray::getType):
        (JSC::Uint8ClampedArray::create):
        (JSC::Uint8ClampedArray::createUninitialized):
        (JSC::Uint8ClampedArray::zeroFill):
        (JSC::Uint8ClampedArray::set):
        (JSC::Uint8ClampedArray::Uint8ClampedArray):
        (JSC::Uint8ClampedArray::subarray):
        * runtime/VM.h:

2013-08-03  Filip Pizlo  <fpizlo@apple.com>

        Copied space should be able to handle more than one copied backing store per JSCell
        https://bugs.webkit.org/show_bug.cgi?id=119471

        Reviewed by Mark Hahnenberg.
        
        This allows a cell to call copyLater() multiple times for multiple different
        backing stores, and then have copyBackingStore() called exactly once for each
        of those. A token tells it which backing store to copy. All backing stores
        must be named using the CopyToken, an enumeration which currently cannot
        exceed eight entries.
        
        When copyBackingStore() is called, it's up to the callee to (a) use the token
        to decide what to copy and (b) call its base class's copyBackingStore() in
        case the base class had something that needed copying. The only exception is
        that JSCell never asks anything to be copied, and so if your base is JSCell
        then you don't have to do anything.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/CopiedBlock.h:
        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::reportLiveBytes):
        * heap/CopyToken.h: Added.
        * heap/CopyVisitor.cpp:
        (JSC::CopyVisitor::copyFromShared):
        * heap/CopyVisitor.h:
        * heap/CopyVisitorInlines.h:
        (JSC::CopyVisitor::visitItem):
        * heap/CopyWorkList.h:
        (JSC::CopyWorklistItem::CopyWorklistItem):
        (JSC::CopyWorklistItem::cell):
        (JSC::CopyWorklistItem::token):
        (JSC::CopyWorkListSegment::get):
        (JSC::CopyWorkListSegment::append):
        (JSC::CopyWorkListSegment::data):
        (JSC::CopyWorkListIterator::get):
        (JSC::CopyWorkListIterator::operator*):
        (JSC::CopyWorkListIterator::operator->):
        (JSC::CopyWorkList::append):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::copyLater):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::copyBackingStore):
        * runtime/JSCell.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::copyBackingStore):
        * runtime/JSObject.h:

2013-08-05  Zan Dobersek  <zdobersek@igalia.com>

        [Automake] Define ENABLE_JIT through the Autoconf header
        https://bugs.webkit.org/show_bug.cgi?id=119445

        Reviewed by Martin Robinson.

        * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.

2013-08-03  Filip Pizlo  <fpizlo@apple.com>

        hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
        https://bugs.webkit.org/show_bug.cgi?id=119470

        Reviewed by Oliver Hunt.
        
        Structure can still tell you if the object "could" (in the conservative sense)
        have an indexing header; that's used by the compiler.
        
        Most of the time if you want to know if there's an indexing header, you ask the
        JSObject.
        
        In some cases, the JSObject wants to know if it would have an indexing header if
        it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::create):
        (JSC::Butterfly::growPropertyStorage):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        * runtime/JSObject.h:
        (JSC::JSObject::hasIndexingHeader):
        (JSC::JSObject::setButterfly):
        * runtime/Structure.h:
        (JSC::Structure::couldHaveIndexingHeader):
        (JSC::Structure::hasIndexingHeader):

2013-08-02  Chris Curtis  <chris_curtis@apple.com>

        Give the error object's stack property accessor attributes.
        https://bugs.webkit.org/show_bug.cgi?id=119404

        Reviewed by Geoffrey Garen.
        
        Changed the attributes of error object's stack property to allow developers to write
        and delete the stack property. This will match the functionality of Chrome. Firefox  
        allows developers to write the error's stack, but not delete it. 

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):

2013-08-02  Oliver Hunt  <oliver@apple.com>

        Incorrect type speculation reported by ToPrimitive
        https://bugs.webkit.org/show_bug.cgi?id=119458

        Reviewed by Mark Hahnenberg.

        Make sure that we report the correct type possibilities for the output
        from ToPrimitive

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):

2013-08-02  Gavin Barraclough  <barraclough@apple.com>

        Remove no-arguments constructor to PropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=119460

        Reviewed by Geoff Garen.

        This constructor was unsafe if getValue is subsequently called,
        and the property is a getter. Simplest to just remove it.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnPropertyDescriptor):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::defineOwnProperty):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::hasOwnPropertyForWrite):
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::put):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp:
        (JSC::JSObject::hasProperty):
        (JSC::JSObject::hasOwnProperty):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/Lookup.h:
        (JSC::getStaticPropertyDescriptor):
        (JSC::getStaticFunctionDescriptor):
        (JSC::getStaticValueDescriptor):
        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):
        * runtime/PropertySlot.h:

2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFG validation can cause assertion failures due to dumping
        https://bugs.webkit.org/show_bug.cgi?id=119456

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hasHash):
        (JSC::CodeBlock::isSafeToComputeHash):
        (JSC::CodeBlock::hash):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:

2013-08-02  Chris Curtis  <chris_curtis@apple.com>

        Have vm's exceptionStack match java's vm's exceptionStack.
        https://bugs.webkit.org/show_bug.cgi?id=119362

        Reviewed by Geoffrey Garen.
        
        The error object's stack is only updated if it does not exist yet. This matches 
        the functionality of other browsers, and Java VMs. 

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::addStackTraceIfNecessary):
        (JSC::Interpreter::throwException):
        * runtime/VM.cpp:
        (JSC::VM::clearExceptionStack):
        * runtime/VM.h:
        (JSC::VM::lastExceptionStack):

2013-08-02  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
        https://bugs.webkit.org/show_bug.cgi?id=119447

        Reviewed by Geoffrey Garen.

        Fix .cpload, update call frame and do not restore registers from JIT stack frame in
        mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
        r153583 (sh4) and r153648 (ARM).

        * jit/JITStubsMIPS.h:

2013-08-01  Filip Pizlo  <fpizlo@apple.com>

        hasIndexingHeader should be a property of the Structure, not just the IndexingType
        https://bugs.webkit.org/show_bug.cgi?id=119422

        Reviewed by Oliver Hunt.
        
        This simplifies some code and also allows Structure to claim that an object
        has an indexing header even if it doesn't have indexed properties.
        
        I also changed some calls to use hasIndexedProperties() since in some cases,
        that's what we actually meant. Currently the two are synonyms.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::tryBuildPutByIdList):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::create):
        (JSC::Butterfly::growPropertyStorage):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/IndexingType.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::setPrototype):
        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/Structure.h:
        (JSC::Structure::hasIndexingHeader):

2013-08-02  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION: ARM still crashes after change set r153612.
        https://bugs.webkit.org/show_bug.cgi?id=119433

        Reviewed by Michael Saboff.

        Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
        implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
        for sh4 architecture.

        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:

2013-08-02  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r153612): It made jsc and layout tests crash
        https://bugs.webkit.org/show_bug.cgi?id=119440

        Reviewed by Csaba Osztrogonác.

        Made the changes if changeset r153612 only apply to 32 bit builds.

        * jit/JITExceptions.cpp:
        * jit/JITExceptions.h:
        * jit/JITStubs.cpp:
        (JSC::cti_vm_throw_slowpath):
        * jit/JITStubs.h:

2013-08-02  Patrick Gansterer  <paroga@webkit.org>

        Add JSCTestRunnerUtils to the list of forwarding headers to fix build.

        * CMakeLists.txt:

2013-08-01  Ruth Fong  <ruth_fong@apple.com>

        [Forms: color] <input type='color'> popover color well implementation
        <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.

2013-08-01  Oliver Hunt  <oliver@apple.com>

        DFG is not enforcing correct ordering of ToString conversion in MakeRope
        https://bugs.webkit.org/show_bug.cgi?id=119408

        Reviewed by Filip Pizlo.

        Construct ToString and Phantom nodes in advance of MakeRope
        nodes to ensure that ordering is ensured, and correct values
        will be reified on OSR exit.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-08-01  Michael Saboff  <msaboff@apple.com>

        REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
        https://bugs.webkit.org/show_bug.cgi?id=119140

        Reviewed by Filip Pizlo.

        Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.

        * jit/JITExceptions.cpp:
        (JSC::encode):
        * jit/JITExceptions.h:
        * jit/JITStubs.cpp:
        (JSC::cti_vm_throw_slowpath):
        * jit/JITStubs.h:

2013-08-01  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
        https://bugs.webkit.org/show_bug.cgi?id=119391

        Reviewed by Csaba Osztrogonác.

        * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
            - Call frame is in r14 register.
            - Do not restore registers from JIT stack frame here.

2013-07-31  Gavin Barraclough  <barraclough@apple.com>

        More cleanup in PropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=119359

        Reviewed by Geoff Garen.

        m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property,
        This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
            - No need to ASSERT slotBase is an object.
        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
            - No need to ASSERT slotBase is an object.
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::fillGetterPropertySlot):
            - Pass an object through to setGetterSlot.
        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
            - Moved from PropertySlot (need to know anout JSObject).
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
            - update per member name changes
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
            - Argument to constructor set to 'thisValue'.
        (JSC::PropertySlot::slotBase):
            - This returns a JSObject*.
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
            - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
            - Pass an object through to setGetterSlot.
        * runtime/SparseArrayValueMap.h:
            - Pass an object through to setGetterSlot.

2013-07-31  Yi Shen  <max.hong.shen@gmail.com>

        Reduce JSC API static value setter/getter overhead.
        https://bugs.webkit.org/show_bug.cgi?id=119277

        Reviewed by Geoffrey Garen.

        Add property name to the static value entry, so that OpaqueJSString::create() doesn't
        need to get called every time when set or get the static value.

        * API/JSCallbackObjectFunctions.h:
        (JSC::::put):
        (JSC::::putByIndex):
        (JSC::::getStaticValue):
        * API/JSClassRef.cpp:
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        * API/JSClassRef.h:
        (StaticValueEntry::StaticValueEntry):

2013-07-31  Kwang Yul Seo  <skyul@company100.net>

        Use emptyString instead of String("")
        https://bugs.webkit.org/show_bug.cgi?id=119335

        Reviewed by Darin Adler.

        Use emptyString() instead of String("") because it is better style and
        faster. This is a followup to r116908, removing all occurrences of
        String("") from WebKit.

        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncCompile):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):

2013-07-31  Ruth Fong  <ruth_fong@apple.com>

        <input type=color> Mac UI behaviour
        <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276

        Reviewed by Brady Eidson.

        * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.

2013-07-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=119349

        Reviewed by Geoffrey Garen.

        Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for 
        SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
        on code it compiled with any switch statements to have been run in the baseline JIT first. 
        However, if the DFG chooses to inline a function that has never been compiled by the baseline 
        JIT then this resizing never happens and we crash at link time in the DFG.

        We can fix this by also doing the resize in the DFG to catch this case.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):

2013-07-31  Gavin Barraclough  <barraclough@apple.com>

        Speculative Windows build fix.

        Reviewed by NOBODY

        * runtime/JSString.cpp:
        (JSC::JSRopeString::getIndexSlowCase):
        * runtime/JSString.h:

2013-07-30  Gavin Barraclough  <barraclough@apple.com>

        Some cleanup in JSValue::get
        https://bugs.webkit.org/show_bug.cgi?id=119343

        Reviewed by Geoff Garen.

        JSValue::get is implemented to:
            1) Check if the value is a cell – if not, synthesize a prototype to search,
            2) call getOwnPropertySlot on the cell,
            3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
        By all rights this should crash when passed a string and accessing a property that does not exist, because
        the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
        To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
        prototype chain, and faking out a return value of undefined if no property is found.

        This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
        from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.

        The fix here is to move getOwnPropertySlot onto JSObjecte and end this madness - cells don't have property
        slots anyway.

        Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.

2013-07-31  Michael Saboff  <msaboff@apple.com>

        [Win] JavaScript crash.
        https://bugs.webkit.org/show_bug.cgi?id=119339

        Reviewed by Mark Hahnenberg.

        * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
        ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.

2013-07-30  Mark Hahnenberg  <mhahnenberg@apple.com>

        GetByVal on Arguments does the wrong size load when checking the Arguments object length
        https://bugs.webkit.org/show_bug.cgi?id=119281

        Reviewed by Geoffrey Garen.

        This leads to out of bounds accesses and subsequent crashes.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-07-30  Oliver Hunt  <oliver@apple.com>

        Add an assertion to SpeculateCellOperand
        https://bugs.webkit.org/show_bug.cgi?id=119276

        Reviewed by Michael Saboff.

        More assertions are better

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):

2013-07-30  Mark Lam  <mark.lam@apple.com>

        Fix problems with divot and lineStart mismatches.
        https://bugs.webkit.org/show_bug.cgi?id=118662.

        Reviewed by Oliver Hunt.

        r152494 added the recording of lineStart values for divot positions.
        This is needed for the computation of column numbers. Similarly, it also
        added the recording of line numbers for the divot positions. One problem
        with the approach taken was that the line and lineStart values were
        recorded independently, and hence were not always guaranteed to be
        sampled at the same place that the divot position is recorded. This
        resulted in potential mismatches that cause some assertions to fail.

        The solution is to introduce a JSTextPosition abstraction that records
        the divot position, line, and lineStart as a single quantity. Wherever
        we record the divot position as an unsigned int previously, we now record
        its JSTextPosition which captures all 3 values in one go. This ensures
        that the captured line and lineStart will always match the captured divot
        position.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallEval):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::emitDebugHook):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ThrowableExpressionData::emitThrowReferenceError):
        (JSC::ResolveNode::emitBytecode):
        (JSC::BracketAccessorNode::emitBytecode):
        (JSC::DotAccessorNode::emitBytecode):
        (JSC::NewExprNode::emitBytecode):
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::PostfixNode::emitBracket):
        (JSC::PostfixNode::emitDot):
        (JSC::DeleteResolveNode::emitBytecode):
        (JSC::DeleteBracketNode::emitBytecode):
        (JSC::DeleteDotNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::PrefixNode::emitBracket):
        (JSC::PrefixNode::emitDot):
        (JSC::UnaryOpNode::emitBytecode):
        (JSC::BinaryOpNode::emitStrcat):
        (JSC::BinaryOpNode::emitBytecode):
        (JSC::ThrowableBinaryOpNode::emitBytecode):
        (JSC::InstanceOfNode::emitBytecode):
        (JSC::emitReadModifyAssignment):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::AssignDotNode::emitBytecode):
        (JSC::ReadModifyDotNode::emitBytecode):
        (JSC::AssignBracketNode::emitBytecode):
        (JSC::ReadModifyBracketNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::ThrowNode::emitBytecode):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/ASTBuilder.h:
        - Replaced ASTBuilder::PositionInfo with JSTextPosition.
        (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
        (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
        (JSC::ASTBuilder::createResolve):
        (JSC::ASTBuilder::createBracketAccess):
        (JSC::ASTBuilder::createDotAccess):
        (JSC::ASTBuilder::createRegExp):
        (JSC::ASTBuilder::createNewExpr):
        (JSC::ASTBuilder::createAssignResolve):
        (JSC::ASTBuilder::createExprStatement):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createReturnStatement):
        (JSC::ASTBuilder::createBreakStatement):
        (JSC::ASTBuilder::createContinueStatement):
        (JSC::ASTBuilder::createLabelStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::createThrowStatement):
        (JSC::ASTBuilder::appendBinaryExpressionInfo):
        (JSC::ASTBuilder::appendUnaryToken):
        (JSC::ASTBuilder::unaryTokenStackLastStart):
        (JSC::ASTBuilder::assignmentStackAppend):
        (JSC::ASTBuilder::createAssignment):
        (JSC::ASTBuilder::setExceptionLocation):
        (JSC::ASTBuilder::makeDeleteNode):
        (JSC::ASTBuilder::makeFunctionCallNode):
        (JSC::ASTBuilder::makeBinaryNode):
        (JSC::ASTBuilder::makeAssignNode):
        (JSC::ASTBuilder::makePrefixNode):
        (JSC::ASTBuilder::makePostfixNode):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Lexer.cpp:
        (JSC::::lex):
        - Added support for capturing the appropriate JSTextPositions instead
          of just the character offset.
        * parser/Lexer.h:
        (JSC::Lexer::currentPosition):
        (JSC::::lexExpectIdentifier):
        - Added support for capturing the appropriate JSTextPositions instead
          of just the character offset.
        * parser/NodeConstructors.h:
        (JSC::Node::Node):
        (JSC::ResolveNode::ResolveNode):
        (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
        (JSC::FunctionCallValueNode::FunctionCallValueNode):
        (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
        (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
        (JSC::FunctionCallDotNode::FunctionCallDotNode):
        (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
        (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
        (JSC::PostfixNode::PostfixNode):
        (JSC::DeleteResolveNode::DeleteResolveNode):
        (JSC::DeleteBracketNode::DeleteBracketNode):
        (JSC::DeleteDotNode::DeleteDotNode):
        (JSC::PrefixNode::PrefixNode):
        (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
        (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
        (JSC::AssignBracketNode::AssignBracketNode):
        (JSC::AssignDotNode::AssignDotNode):
        (JSC::ReadModifyDotNode::ReadModifyDotNode):
        (JSC::AssignErrorNode::AssignErrorNode):
        (JSC::WithNode::WithNode):
        (JSC::ForInNode::ForInNode):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Nodes.cpp:
        (JSC::StatementNode::setLoc):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Nodes.h:
        (JSC::Node::lineNo):
        (JSC::Node::startOffset):
        (JSC::Node::lineStartOffset):
        (JSC::Node::position):
        (JSC::ThrowableExpressionData::ThrowableExpressionData):
        (JSC::ThrowableExpressionData::setExceptionSourceCode):
        (JSC::ThrowableExpressionData::divot):
        (JSC::ThrowableExpressionData::divotStart):
        (JSC::ThrowableExpressionData::divotEnd):
        (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
        (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
        (JSC::ThrowableSubExpressionData::subexpressionDivot):
        (JSC::ThrowableSubExpressionData::subexpressionStart):
        (JSC::ThrowableSubExpressionData::subexpressionEnd):
        (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
        (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
        (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
        (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
        (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseInner):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        (JSC::::didFinishParsing):
        - Remove setting of m_lastLine value. We always pass in the value from
          m_lastLine anyway. So, this assignment is effectively a nop.
        (JSC::::parseVarDeclaration):
        (JSC::::parseVarDeclarationList):
        (JSC::::parseForStatement):
        (JSC::::parseBreakStatement):
        (JSC::::parseContinueStatement):
        (JSC::::parseReturnStatement):
        (JSC::::parseThrowStatement):
        (JSC::::parseWithStatement):
        (JSC::::parseTryStatement):
        (JSC::::parseBlockStatement):
        (JSC::::parseFunctionDeclaration):
        (JSC::LabelInfo::LabelInfo):
        (JSC::::parseExpressionOrLabelStatement):
        (JSC::::parseExpressionStatement):
        (JSC::::parseAssignmentExpression):
        (JSC::::parseBinaryExpression):
        (JSC::::parseProperty):
        (JSC::::parsePrimaryExpression):
        (JSC::::parseMemberExpression):
        (JSC::::parseUnaryExpression):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/Parser.h:
        (JSC::Parser::next):
        (JSC::Parser::nextExpectIdentifier):
        (JSC::Parser::getToken):
        (JSC::Parser::tokenStartPosition):
        (JSC::Parser::tokenEndPosition):
        (JSC::Parser::lastTokenEndPosition):
        (JSC::::parse):
        - Use JSTextPosition instead of passing line and lineStart explicitly.
        * parser/ParserTokens.h:
        (JSC::JSTextPosition::JSTextPosition):
        (JSC::JSTextPosition::operator+):
        (JSC::JSTextPosition::operator-):
        (JSC::JSTextPosition::operator int):
        - Added JSTextPosition.
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::makeFunctionCallNode):
        (JSC::SyntaxChecker::makeAssignNode):
        (JSC::SyntaxChecker::makePrefixNode):
        (JSC::SyntaxChecker::makePostfixNode):
        (JSC::SyntaxChecker::makeDeleteNode):
        (JSC::SyntaxChecker::createResolve):
        (JSC::SyntaxChecker::createBracketAccess):
        (JSC::SyntaxChecker::createDotAccess):
        (JSC::SyntaxChecker::createRegExp):
        (JSC::SyntaxChecker::createNewExpr):
        (JSC::SyntaxChecker::createAssignResolve):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createWithStatement):
        (JSC::SyntaxChecker::createLabelStatement):
        (JSC::SyntaxChecker::createThrowStatement):
        (JSC::SyntaxChecker::appendBinaryExpressionInfo):
        (JSC::SyntaxChecker::operatorStackPop):
        - Use JSTextPosition instead of passing line and lineStart explicitly.

2013-07-29  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files to compilation.
        * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
        include FTL header files not included in the compilation.
        * dfg/DFGDriver.cpp: Ditto.
        * dfg/DFGPlan.cpp: Ditto.

2013-07-29  Chris Curtis  <chris_curtis@apple.com>

        Eager stack trace for error objects.
        https://bugs.webkit.org/show_bug.cgi?id=118918

        Reviewed by Geoffrey Garen.
        
        Chrome and Firefox give error objects the stack property and we wanted to match
        that functionality. This allows developers to see the stack without throwing an object.

        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::finishCreation):
         For error objects that are not thrown as an exception, we pass the stackTrace in 
         as a parameter. This allows the error object to have the stack property.
        
        * interpreter/Interpreter.cpp:
        (JSC::stackTraceAsString):
        Helper function used to eliminate duplicate code.

        (JSC::Interpreter::addStackTraceIfNecessary):
        When an error object is created by the user the vm->exceptionStack is not set.
        If the user throws this error object later the stack that is in the error object 
        may not be the correct stack for the throw, so when we set the vm->exception stack,
        the stack property on the error object is set as well.
        
        * runtime/ErrorConstructor.cpp:
        (JSC::constructWithErrorConstructor):
        (JSC::callErrorConstructor):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::constructWithNativeErrorConstructor):
        (JSC::callNativeErrorConstructor):
        These functions indicate that the user created an error object. For all error objects 
        that the user explicitly creates, the topCallFrame is at a new frame created to 
        handle the user's call. In this case though, the error object needs the caller's 
        frame to create the stack trace correctly.
        
        * interpreter/Interpreter.h:
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):

2013-07-29  Gavin Barraclough  <barraclough@apple.com>

        Some cleanup in PropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=119189

        Reviewed by Geoff Garen.

        PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
        The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
        is set to a special value to indicate the type (other than custom), and the type is also tracked by
        an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
        (this is invalidOffset if not cacheable).

            * Internally, always track the type of the property using an enum value, PropertyType.
            * Use m_offset to indicate cacheable.
            * Keep the external interface (CachedPropertyType) unchanged.
            * Better pack data into the m_data union.

        Performance neutral.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
            - cachedPropertyType() -> isCacheable*()
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
            - cachedPropertyType() -> isCacheable*()
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
            - cachedPropertyType() -> isCacheable*()
        * jit/JITStubs.cpp:
        (JSC::tryCacheGetByID):
            - cachedPropertyType() -> isCacheable*()
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            - cachedPropertyType() -> isCacheable*()
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
            - refactoring described above.
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::getValue):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::isCacheableValue):
        (JSC::PropertySlot::isCacheableGetter):
        (JSC::PropertySlot::isCacheableCustom):
        (JSC::PropertySlot::cachedOffset):
        (JSC::PropertySlot::customGetter):
        (JSC::PropertySlot::setValue):
        (JSC::PropertySlot::setCustom):
        (JSC::PropertySlot::setCacheableCustom):
        (JSC::PropertySlot::setCustomIndex):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
        (JSC::PropertySlot::setUndefined):
        (JSC::PropertySlot::slotBase):
        (JSC::PropertySlot::setBase):
            - refactoring described above.

2013-07-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION: Crash when opening Facebook.com
        https://bugs.webkit.org/show_bug.cgi?id=119155

        Reviewed by Andreas Kling.

        Scope nodes are always objects, so we should be using SpecObjectOther
        rather than SpecCellOther.  Marking Scopes as CellOther leads to a
        contradiction in the CFA, resulting in bogus codegen.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2013-07-26  Oliver Hunt  <oliver@apple.com>

        REGRESSION(FTL?): Crashes in plugin tests
        https://bugs.webkit.org/show_bug.cgi?id=119141

        Reviewed by Michael Saboff.

        Re-export getStackTrace

        * interpreter/Interpreter.h:

2013-07-26  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Crash when opening a message on Gmail
        https://bugs.webkit.org/show_bug.cgi?id=119105

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        - GetById patching in the DFG needs to be more disciplined about how it derives the
          slow path.
        
        - Fix some dumping code thread safety issues.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::dump):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::getPolymorphicStructureList):
        (JSC::DFG::tryBuildGetByIDList):

2013-07-26  Balazs Kilvady  <kilvadyb@homejinni.com>

        [mips] Fix LLINT build for mips backend
        https://bugs.webkit.org/show_bug.cgi?id=119152

        Reviewed by Oliver Hunt.

        * offlineasm/mips.rb:

2013-07-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Setting a large numeric property on an object causes it to allocate a huge backing store
        https://bugs.webkit.org/show_bug.cgi?id=118914

        Reviewed by Geoffrey Garen.

        There are two distinct actions that we're trying to optimize for:

        new Array(100000);

        and:

        a = [];
        a[100000] = 42;
        
        In the first case, the programmer has indicated that they expect this Array to be very big, 
        so they should get a contiguous array up until some threshold, above which we perform density 
        calculations to see if it is indeed dense enough to warrant being contiguous.
        
        In the second case, the programmer hasn't indicated anything about the size of the Array, so 
        we should be more conservative and assume it should be sparse until we've proven otherwise.
        
        Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish 
        between them for the purposes of not over-allocating large backing stores like we see on 
        http://www.peekanalytics.com/burgerjoints/
        
        The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and 
        introduce a new heuristic for the second case. If we are putting to an index above a certain 
        threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse 
        map instead. So for example, in the second case above the empty array has a blank indexing 
        type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.

        This fix is ~800x speedup on the accompanying regression test :-o

        * runtime/ArrayConventions.h:
        (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):

2013-07-26  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=119148

        Reviewed by Csaba Osztrogonác.

        * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
        * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
        in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
        code duplication.

2013-07-26  Julien Brianceau  <jbrianceau@nds.com>

        REGRESSION(FTL): Crash in sh4 baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=119138

        Reviewed by Csaba Osztrogonác.

        This crash is due to incomplete report of r150146 and r148474.

        * jit/JITStubsSH4.h:

2013-07-26  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed.

        * Target.pri: Adding missing DFG files to the Qt build.

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        GTK and Qt buildfix after the intrusive win buildfix r153360.

        * GNUmakefile.list.am:
        * Target.pri:

2013-07-25  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

        Unreviewed, fix build break after r153360.

        * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.

2013-07-25  Roger Fong  <roger_fong@apple.com>

        Unreviewed build fix, AppleWin port.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:

2013-07-25  Roger Fong  <roger_fong@apple.com>

        Unreviewed. Followup to r153360.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-07-25  Michael Saboff  <msaboff@apple.com>

        [Windows] Speculative build fix.

        Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
        that is always compiled.  Made LLInt::returnToThrow() conditional on LLINT being enabled.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPathsExceptions.cpp: Added.
        (JSC::CommonSlowPaths::interpreterThrowInCaller):
        * runtime/CommonSlowPathsExceptions.h: Added.

2013-07-25  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
        parser/SourceCode.h,.cpp.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-07-25  Anders Carlsson  <andersca@apple.com>

        ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
        https://bugs.webkit.org/show_bug.cgi?id=119108

        Reviewed by Mark Hahnenberg.

        Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateSlowCase):
        * heap/Heap.cpp:
        (JSC::Heap::protect):
        (JSC::Heap::unprotect):
        (JSC::Heap::collect):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/VM.h:
        (JSC::VM::currentThreadIsHoldingAPILock):

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        REGRESSION(FTL): Most layout tests crashes
        https://bugs.webkit.org/show_bug.cgi?id=119089

        Reviewed by Oliver Hunt.

        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
        code to create the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
        RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
        Currently it's created beforehand and therefor holds a null pointer before it's anchored as the JIT code in
        JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
        (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.

2013-07-25  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
        include path.

2013-07-25  Brent Fulgham  <bfulgham@apple.com>

        [Windows] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
        runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-07-25  Oliver Hunt  <oliver@apple.com>

        Make all jit & non-jit combos build cleanly
        https://bugs.webkit.org/show_bug.cgi?id=119102

        Reviewed by Anders Carlsson.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::counterValueForOptimizeSoon):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::numberOfDFGCompiles):

2013-07-25  Oliver Hunt  <oliver@apple.com>

        32 bit portion of load validation logic
        https://bugs.webkit.org/show_bug.cgi?id=118878

        Reviewed by NOBODY (Build fix).

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-07-25  Oliver Hunt  <oliver@apple.com>

        More 32bit build fixes

        - Apparnetly some compilers don't track the fastcall directive everywhere we expect

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        * bytecode/CodeBlock.cpp:
        * runtime/Structure.cpp:

2013-07-25  Yi Shen  <max.hong.shen@gmail.com>

        Optimize the thread locks for API Shims
        https://bugs.webkit.org/show_bug.cgi?id=118573

        Reviewed by Geoffrey Garen.

        Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM 
        only used by WebCore's main thread).

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::APICallbackShim):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-07-25  Christophe Dumez  <ch.dumez@sisa.samsung.com>

        Unreviewed build fix after r153218.

        Broke the EFL port build with gcc 4.7.

        * interpreter/StackIterator.cpp:
        (JSC::printif):

2013-07-25  Julien Brianceau  <jbrianceau@nds.com>

        Build fix: add missing #include.
        https://bugs.webkit.org/show_bug.cgi?id=119087

        Reviewed by Allan Sandfeld Jensen.

        * bytecode/ArrayProfile.cpp:

2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed, build fix on the EFL port.

        * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.

2013-07-25  Julien Brianceau  <jbrianceau@nds.com>

        [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=119083

        Reviewed by Allan Sandfeld Jensen.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::store8):

2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Fix test build after FTL upstream

        Unreviewed build fix.

        * Target.pri:

2013-07-25  Allan Sandfeld Jensen  <allan.jensen@digia.com>

        [Qt] Build fix after FTL.

        Un Reviewed build fix.

        * Target.pri:
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::Frame::print):

2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed build fix after FTL upstream.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::~Worklist):

2013-07-25  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed, build fix on the EFL port.

        * CMakeLists.txt:
        Added SourceCode.cpp and removed BlackBerry file.
        * jit/JITCode.h:
        (JSC::JITCode::nextTierJIT):
        Fixed to build break because of -Werror=return-type
        * parser/Lexer.cpp: Includes JSFunctionInlines.h
        * runtime/JSScope.h:
        (JSC::makeType):
        Fixed to build break because of -Werror=return-type

2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>

        Unreviewed build fixing after FTL upstream.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::produceCodeBlockFor):

2013-07-25  Julien Brianceau  <jbrianceau@nds.com>

        Add missing implementation of bxxxnz in sh4 LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=119079

        Reviewed by Allan Sandfeld Jensen.

        * offlineasm/sh4.rb:

2013-07-25  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed, build fix on the Qt port.

        * Target.pri: Add additional build files for the FTL.

2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>

        Unreviewed buildfix after FTL upstream..

        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::Frame::codeType):
        (JSC::StackIterator::Frame::functionName):
        (JSC::StackIterator::Frame::sourceURL):
        (JSC::StackIterator::Frame::logicalFrame):

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed.

        * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
        method is not left undefined, causing build failures on (at least) the GTK port.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed, further build fixing on the GTK port.

        * GNUmakefile.list.am: Add CompilationResult source files to the build.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed GTK build fixing.

        * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
        * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        Buildfix after this error:
        error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        One more buildfix after FTL upstream.

        Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.

        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::getValue):
        (JSC::DFG::LazyJSValue::strictEqual):

2013-07-25  Julien Brianceau  <jbrianceau@nds.com>

        Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=119076

        Reviewed by Allan Sandfeld Jensen.

        * offlineasm/mips.rb:
        * offlineasm/sh4.rb:

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed GTK build fix.

        * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
        for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.

        * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.

2013-07-25  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.

        * GNUmakefile.am:
        * GNUmakefile.list.am:

2013-07-25  Ádám Kallai  <kadam@inf.u-szeged.hu>

        Unreviewed buildfix after FTL upstream.

        * runtime/JSScope.h:
        (JSC::needsVarInjectionChecks):

2013-07-25  Csaba Osztrogonác  <ossy@webkit.org>

        One more fix after FTL upstream.

        * Target.pri:
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):

2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix after FTL upstream.

        Add ftl directory as include path.

        * CMakeLists.txt:
        * JavaScriptCore.pri:

2013-07-24  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed buildfix after FTL upstream for non C++11 builds.

        * interpreter/CallFrame.h:
        * interpreter/StackIteratorPrivate.h:
        (JSC::StackIterator::end):

2013-07-24  Oliver Hunt  <oliver@apple.com>

        Endeavour to fix CMakelist builds

        * CMakeLists.txt:

2013-07-24  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG IR dumps should be easier to read
        https://bugs.webkit.org/show_bug.cgi?id=119050

        Reviewed by Mark Hahnenberg.
        
        Added a DumpContext that includes support for printing an endnote
        that describes all structures in full, while the main flow of the
        dump just uses made-up names for the structures. This is helpful
        since Structure::dump() may print a lot. The stuff it prints is
        useful, but if it's all inline with the surrounding thing you're        
        dumping (often, a node in the DFG), then you get a ridiculously
        long print-out. All classes that dump structures (including
        Structure itself) now have dumpInContext() methods that use
        inContext() for dumping anything that might transitively print a
        structure. If Structure::dumpInContext() is called with a NULL
        context, it just uses dump() like before. Hence you don't have to
        know anything about DumpContext unless you want to.
        
        inContext(*structure, context) dumps something like %B4:Array,
        and the endnote will have something like:
        
            %B4:Array    = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
        
        where B4 is the inferred name that StringHashDumpContext came up
        with.
        
        Also shortened a bunch of other dumps, removing information that
        isn't so important.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ArrayProfile.cpp:
        (JSC::dumpArrayModes):
        * bytecode/CodeBlockHash.cpp:
        (JSC):
        (JSC::CodeBlockHash::CodeBlockHash):
        (JSC::CodeBlockHash::dump):
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::dumpInContext):
        (JSC):
        (JSC::InlineCallFrame::dumpInContext):
        (JSC::InlineCallFrame::dump):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (InlineCallFrame):
        * bytecode/Operands.h:
        (JSC::OperandValueTraits::isEmptyForDump):
        (Operands):
        (JSC::Operands::dump):
        (JSC):
        * bytecode/OperandsInlines.h: Added.
        (JSC):
        (JSC::::dumpInContext):
        * bytecode/StructureSet.h:
        (JSC::StructureSet::dumpInContext):
        (JSC::StructureSet::dump):
        (StructureSet):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::dump):
        (DFG):
        (JSC::DFG::AbstractValue::dumpInContext):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::operator!):
        (AbstractValue):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCommon.cpp:
        * dfg/DFGCommon.h:
        (JSC::DFG::NodePointerTraits::isEmptyForDump):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGDisassembler.h:
        (Disassembler):
        * dfg/DFGFlushFormat.h:
        (WTF::inContext):
        (WTF):
        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::dumpInContext):
        (JSC::DFG::LazyJSValue::dump):
        (DFG):
        * dfg/DFGLazyJSValue.h:
        (LazyJSValue):
        * dfg/DFGNode.h:
        (JSC::DFG::nodeMapDump):
        (WTF::inContext):
        (WTF):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dumpInContext):
        (JSC::DFG::StructureAbstractValue::dump):
        (StructureAbstractValue):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        (JSC::FTL::ExitValue::dump):
        (FTL):
        * ftl/FTLExitValue.h:
        (ExitValue):
        * ftl/FTLLowerDFGToLLVM.cpp:
        * ftl/FTLValueSource.cpp:
        (JSC::FTL::ValueSource::dumpInContext):
        (FTL):
        * ftl/FTLValueSource.h:
        (ValueSource):
        * runtime/DumpContext.cpp: Added.
        (JSC):
        (JSC::DumpContext::DumpContext):
        (JSC::DumpContext::~DumpContext):
        (JSC::DumpContext::isEmpty):
        (JSC::DumpContext::dump):
        * runtime/DumpContext.h: Added.
        (JSC):
        (DumpContext):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dump):
        (JSC):
        (JSC::JSValue::dumpInContext):
        * runtime/JSCJSValue.h:
        (JSC):
        (JSValue):
        * runtime/Structure.cpp:
        (JSC::Structure::dumpInContext):
        (JSC):
        (JSC::Structure::dumpBrief):
        (JSC::Structure::dumpContextHeader):
        * runtime/Structure.h:
        (JSC):
        (Structure):

2013-07-22  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should do a high-level LICM before going to FTL
        https://bugs.webkit.org/show_bug.cgi?id=118749

        Reviewed by Oliver Hunt.
        
        Implements LICM hoisting for nodes that never write anything and never read
        things that are clobbered by the loop. There are some other preconditions for
        hoisting, see DFGLICMPhase.cpp.

        Also did a few fixes:
        
        - ClobberSet::add was failing to switch Super entries to Direct entries in
          some cases.
        
        - DFGClobberize.cpp needed to #include "Operations.h".
        
        - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
        
        - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
          Knowing the indexInBlock is an optional optimization that all other clients
          of AI still opt into, but LICM doesn't.
        
        This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreter.h:
        (AbstractInterpreter):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        (JSC::DFG::::execute):
        (DFG):
        (JSC::DFG::::clobberWorld):
        (JSC::DFG::::clobberStructures):
        * dfg/DFGAtTailAbstractState.cpp: Added.
        (DFG):
        (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
        (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
        (JSC::DFG::AtTailAbstractState::createValueForNode):
        (JSC::DFG::AtTailAbstractState::forNode):
        * dfg/DFGAtTailAbstractState.h: Added.
        (DFG):
        (AtTailAbstractState):
        (JSC::DFG::AtTailAbstractState::initializeTo):
        (JSC::DFG::AtTailAbstractState::forNode):
        (JSC::DFG::AtTailAbstractState::variables):
        (JSC::DFG::AtTailAbstractState::block):
        (JSC::DFG::AtTailAbstractState::isValid):
        (JSC::DFG::AtTailAbstractState::setDidClobber):
        (JSC::DFG::AtTailAbstractState::setIsValid):
        (JSC::DFG::AtTailAbstractState::setBranchDirection):
        (JSC::DFG::AtTailAbstractState::setFoundConstants):
        (JSC::DFG::AtTailAbstractState::haveStructures):
        (JSC::DFG::AtTailAbstractState::setHaveStructures):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::insertBeforeLast):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGClobberSet.cpp:
        (JSC::DFG::ClobberSet::add):
        (JSC::DFG::ClobberSet::addAll):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::doesWrites):
        * dfg/DFGClobberize.h:
        (DFG):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::DCEPhase):
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::fixupBlock):
        (DCEPhase):
        * dfg/DFGEdgeDominates.h: Added.
        (DFG):
        (EdgeDominates):
        (JSC::DFG::EdgeDominates::EdgeDominates):
        (JSC::DFG::EdgeDominates::operator()):
        (JSC::DFG::EdgeDominates::result):
        (JSC::DFG::edgesDominate):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGLICMPhase.cpp: Added.
        (LICMPhase):
        (JSC::DFG::LICMPhase::LICMPhase):
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        (DFG):
        (JSC::DFG::performLICM):
        * dfg/DFGLICMPhase.h: Added.
        (DFG):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
        https://bugs.webkit.org/show_bug.cgi?id=118910

        Reviewed by Sam Weinig.
        
        Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
        the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
        engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
        be inexpensive to use (they just give you a TBAA node) but expensive to create (you
        create them all up front). FTL AbstractHeaps also don't actually give you the
        ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
        The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
        They also give you aliasing machinery. The DFG AbstractHeaps are represented
        internally by a int64_t. Many comparisons between them are just integer comaprisons.
        AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
        Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
        payload is the direct subtype of its corresponding TOP Kind).
        
        Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
        clobbered. It represents the set that results from unifying a bunch of
        AbstractHeaps, and is intended to quickly answer overlap questions: does the given
        AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
        AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
        its ancestors. An AbstractHeap is said to overlap a set if any direct or super
        member is equal to it, or if any of its ancestors are equal to a direct member.
        
        Example #1:
        
            - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
              is a subtype of Variables, which is a subtype of World.
            - You query Variables. I.e. Variables with a TOP payload, which is the
              supertype of Variables(X) for any X, and a subtype of World.
            
            The set will have Variables(5) as a direct member, and Variables and World as
            super members. The Variables query will immediately return true, because
            Variables is indeed a super member.
        
        Example #2:
        
            - I add Variables(5)
            - You query NamedProperties
            
            NamedProperties is not a member at all (neither direct or super). We next
            query World. World is a member, but it's a super member, so we return false.
        
        Example #3:
        
            - I add Variables
            - You query Variables(5)
            
            The set will have Variables as a direct member, and World as a super member.
            The Variables(5) query will not find Variables(5) in the set, but then it
            will query Variables. Variables is a direct member, so we return true.
        
        Example #4:
        
            - I add Variables
            - You query NamedProperties(5)
            
            Neither NamedProperties nor NamedProperties(5) are members. We next query
            World. World is a member, but it's a super member, so we return false.
        
        Overlap queries require that either the heap being queried is in the set (either
        direct or super), or that one of its ancestors is a direct member. Another way to
        think about how this works is that two heaps A and B are said to overlap if
        A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
        single-inheritance heirarchy. Consider that we wanted to implement a set that holds
        heaps and answers the question, "is any member in the set an ancestor (i.e.
        supertype) of some other heap". We would have the set contain the heaps themselves,
        and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
        chain of A, and repeatedly querying its membership in the set. This is what the
        "direct" members of our set do. Now consider the other part, where we want to ask if
        any member of the set is a descendent of a heap, or "A.isSupertypeOfAny(set)". We
        would implement this by implementing set.add(B) as adding not just B but also all of
        B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
        in the set. With two such sets - one that answers isSubtypeOfAny() and another that
        answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
        heap" question. ClobberSet does this, but combines the two sets into a single
        HashMap. The HashMap's value, "direct", means that the key is a member of both the
        supertype set and the subtype set; if it's false then it's only a member of one of
        them.
        
        Finally, this adds a functorized clobberize() method that adds the read and write
        clobbers of a DFG::Node to read and write functors. Common functors for adding to
        ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
        are also provided. This allows you to say things like:
        
            ClobberSet set;
            addWrites(graph, node1, set);
            if (readsOverlap(graph, node2, set))
                // We know that node1 may write to something that node2 may read from.
        
        Currently this facility is only used to improve graph dumping, but it will be
        instrumental in both LICM and GVN. In the future, I want to completely kill the
        NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
        of accomplishing almost exactly what AbstractHeap gives you.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractHeap.cpp: Added.
        (DFG):
        (JSC::DFG::AbstractHeap::Payload::dump):
        (JSC::DFG::AbstractHeap::dump):
        (WTF):
        (WTF::printInternal):
        * dfg/DFGAbstractHeap.h: Added.
        (DFG):
        (AbstractHeap):
        (Payload):
        (JSC::DFG::AbstractHeap::Payload::Payload):
        (JSC::DFG::AbstractHeap::Payload::top):
        (JSC::DFG::AbstractHeap::Payload::isTop):
        (JSC::DFG::AbstractHeap::Payload::value):
        (JSC::DFG::AbstractHeap::Payload::valueImpl):
        (JSC::DFG::AbstractHeap::Payload::operator==):
        (JSC::DFG::AbstractHeap::Payload::operator!=):
        (JSC::DFG::AbstractHeap::Payload::operator<):
        (JSC::DFG::AbstractHeap::Payload::isDisjoint):
        (JSC::DFG::AbstractHeap::Payload::overlaps):
        (JSC::DFG::AbstractHeap::AbstractHeap):
        (JSC::DFG::AbstractHeap::operator!):
        (JSC::DFG::AbstractHeap::kind):
        (JSC::DFG::AbstractHeap::payload):
        (JSC::DFG::AbstractHeap::isDisjoint):
        (JSC::DFG::AbstractHeap::overlaps):
        (JSC::DFG::AbstractHeap::supertype):
        (JSC::DFG::AbstractHeap::hash):
        (JSC::DFG::AbstractHeap::operator==):
        (JSC::DFG::AbstractHeap::operator!=):
        (JSC::DFG::AbstractHeap::operator<):
        (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
        (JSC::DFG::AbstractHeap::payloadImpl):
        (JSC::DFG::AbstractHeap::encode):
        (JSC::DFG::AbstractHeapHash::hash):
        (JSC::DFG::AbstractHeapHash::equal):
        (AbstractHeapHash):
        (WTF):
        * dfg/DFGClobberSet.cpp: Added.
        (DFG):
        (JSC::DFG::ClobberSet::ClobberSet):
        (JSC::DFG::ClobberSet::~ClobberSet):
        (JSC::DFG::ClobberSet::add):
        (JSC::DFG::ClobberSet::addAll):
        (JSC::DFG::ClobberSet::contains):
        (JSC::DFG::ClobberSet::overlaps):
        (JSC::DFG::ClobberSet::clear):
        (JSC::DFG::ClobberSet::direct):
        (JSC::DFG::ClobberSet::super):
        (JSC::DFG::ClobberSet::dump):
        (JSC::DFG::ClobberSet::setOf):
        (JSC::DFG::addReads):
        (JSC::DFG::addWrites):
        (JSC::DFG::addReadsAndWrites):
        (JSC::DFG::readsOverlap):
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberSet.h: Added.
        (DFG):
        (ClobberSet):
        (JSC::DFG::ClobberSet::isEmpty):
        (ClobberSetAdd):
        (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
        (JSC::DFG::ClobberSetAdd::operator()):
        (ClobberSetOverlaps):
        (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
        (JSC::DFG::ClobberSetOverlaps::operator()):
        (JSC::DFG::ClobberSetOverlaps::result):
        * dfg/DFGClobberize.cpp: Added.
        (DFG):
        (JSC::DFG::didWrites):
        * dfg/DFGClobberize.h: Added.
        (DFG):
        (JSC::DFG::clobberize):
        (NoOpClobberize):
        (JSC::DFG::NoOpClobberize::NoOpClobberize):
        (JSC::DFG::NoOpClobberize::operator()):
        (CheckClobberize):
        (JSC::DFG::CheckClobberize::CheckClobberize):
        (JSC::DFG::CheckClobberize::operator()):
        (JSC::DFG::CheckClobberize::result):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):

2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: It should be easy to figure out which blocks nodes belong to
        https://bugs.webkit.org/show_bug.cgi?id=118957

        Reviewed by Sam Weinig.

        * dfg/DFGGraph.cpp:
        (DFG):
        (JSC::DFG::Graph::initializeNodeOwners):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:

2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
        https://bugs.webkit.org/show_bug.cgi?id=118956

        Reviewed by Sam Weinig.
        
        We had two way of expressing that something exits forward: the NodeExitsForward
        flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
        makes it just be a flag.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasChild):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
        (JSC::DFG::Node::hasStructureSet):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::hasArrayMode):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        (DFG):
        (JSC::DFG::needsOSRForwardRewiring):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

2013-07-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
        https://bugs.webkit.org/show_bug.cgi?id=118946

        Reviewed by Geoffrey Garen.
        
        We want to decouple the exit target code origin of a node from the code origin
        for all other purposes. The purposes of code origins are:
        
        - Where the node will exit, if it exits. The exit target should be consistent with
          the surrounding nodes, in that if you just looked at the code origins of nodes in
          the graph, they would be consistent with the code origins in bytecode. This is
          necessary for live-at-bytecode analyses to work, and to preserve the original
          bytecode semantics when exiting.
        
        - What kind of code the node came from, for semantics thingies. For example, we
          might use the code origin to find the node's global object for doing an original
          array check. Or we might use it to determine if the code is in strict mode. Or
          other similar things. When we use the code origin in this way, we're basically
          using it as a way of describing the node's meta-data without putting it into the
          node directly, to save space. In the absurd extreme you could imagine nodes not
          even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
          what bytecode the node originated from. We won't do that, but you can think of
          this use of code origins as just a way of compressing meta-data.
        
        - What code origin we should supply profiling to, if we exit. This is closely
          related to the semantics thingies, in that the exit profiling is a persistent
          kind of semantic meta-data that survives between recompiles, and the only way to
          do that is to ascribe it to the original bytecode via the code origin.
        
        If we hoist a node, we need to change the exit target code origin, but we must not
        change the code origin for other purposes. The best way to do this is to decouple
        the two kinds of code origin.
        
        OSR exit data structures already do this, because they may edit the exit target
        code origin while keeping the code origin for profiling intact. This happens for
        forward exits. So, we just need to thread separation all the way back to DFG::Node.
        That's what this patch does.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (Node):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::OSRExitBase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (LowerDFGToLLVM):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::OSRExit):
        * ftl/FTLOSRExit.h:
        (OSRExit):

2013-07-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
        https://bugs.webkit.org/show_bug.cgi?id=118866

        Reviewed by Sam Weinig.
        
        Adds a safeToExecute() method that takes a node and an abstract state and tells you
        if the node will run without crashing under that state.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * dfg/DFGCFAPhase.cpp:
        (CFAPhase):
        (JSC::DFG::CFAPhase::CFAPhase):
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGSafeToExecute.h: Added.
        (DFG):
        (SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::SafeToExecuteEdge::result):
        (JSC::DFG::safeToExecute):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::isValidOffset):
        (StructureAbstractValue):
        * runtime/Options.h:
        (JSC):

2013-07-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=118948

        Reviewed by Sam Weinig.
        
        - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
          This allows doing "what if" experiments with IR generation, even if the generated IR
          can't yet execute.
        
        - Add an OSR exit path that just calls an intrinsic that combines the branch and the
          off-ramp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * ftl/FTLFail.cpp: Added.
        (FTL):
        (JSC::FTL::fail):
        * ftl/FTLFail.h: Added.
        (FTL):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * runtime/Options.h:
        (JSC):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: StringObjectUse uses structures, and CSE should know that
        https://bugs.webkit.org/show_bug.cgi?id=118940

        Reviewed by Geoffrey Garen.
        
        This is asymptomatic right now, but we should fix it.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGEdgeUsesStructure.h: Added.
        (DFG):
        (EdgeUsesStructure):
        (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
        (JSC::DFG::EdgeUsesStructure::operator()):
        (JSC::DFG::EdgeUsesStructure::result):
        (JSC::DFG::edgesUseStructure):
        * dfg/DFGUseKind.h:
        (DFG):
        (JSC::DFG::usesStructure):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: String GetByVal out-of-bounds handling is so wrong
        https://bugs.webkit.org/show_bug.cgi?id=118935

        Reviewed by Geoffrey Garen.
        
        Bunch of String GetByVal out-of-bounds fixes:
        
        - Even if the string proto chain is sane, we need to watch out for negative
          indices. They may get values or call getters in the prototypes, since proto
          sanity doesn't check for negative indexed properties, as they are not
          technically indexed properties.
        
        - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
          given this information.
        
        - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
          given this information.
        
        Also fixed some other things:
        
        - If the DFG is disabled, the testRunner should pretend that we've done a
          bunch of DFG compiles. That's necessary to prevent the tests from timing
          out.
        
        - Disassembler shouldn't try to dump source code since it's not safe in the
          concurrent JIT.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::dumpHeader):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::byValIsPure):
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
        (DFG):
        (SaneStringGetByValSlowPathGenerator):
        (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
        (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
        https://bugs.webkit.org/show_bug.cgi?id=118911

        Reviewed by Geoffrey Garen.
        
        We could also have a separate method like "willNotCrash(offset)", but that's not
        what isValidOffset() is intended to mean.

        * runtime/Structure.h:
        (JSC::Structure::isValidOffset):

2013-07-19  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
        https://bugs.webkit.org/show_bug.cgi?id=118878

        Reviewed by Oliver Hunt.
        
        - Change Structure::isValidOffset() to actually answer the question "If I attempted
          to load from an object of this structure, at this offset, would I commit suicide
          or would I get back some kind of value?"
        
        - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
          way from the start.
        
        - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
        
        - Make GetByOffset also reference the base object in addition to the butterfly.
        
        The future use of this power will be to answer questions like "If I hoisted this
        GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
        fine?"
        
        I don't currently plan to use this power to perform validation, since the CSE has
        the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
        remove - both in the case of StructureSets where size >= 2 and in the case of
        CheckStructures that match across PutStructures. At first I tried to write a
        validator that was aware of this, but the validation code got way too complicated
        and I started having nightmares of spurious assertion bugs being filed against me.
        
        This also changes some of the code for how we hash FunctionExecutable's for debug
        dumps, since that code still had some thread-safety issues. Basically, the
        concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
        that could transitively try to compute the hash from the source code. The source
        code is a string that may be lazily computed, and that involves all manner of thread
        unsafe things.

        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hash):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetByOffset):
        (JSC::DFG::ByteCodeParser::handlePutByOffset):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (StorageAccessData):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToGetByOffset):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::isValidOffset):

2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
        https://bugs.webkit.org/show_bug.cgi?id=118880

        Reviewed by Sam Weinig.
        
        It should be possible to have an AbstractState that is backed by a HashMap. But to
        do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
        the map, since otherwise the idiom of getting a reference to the AbstractValue
        returned by forNode() would cause really subtle memory corruption bugs.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGInPlaceAbstractState.h:
        (JSC::DFG::InPlaceAbstractState::createValueForNode):
        (InPlaceAbstractState):

2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
        https://bugs.webkit.org/show_bug.cgi?id=118835

        Reviewed by Oliver Hunt.
        
        This separates AbstractState into two things:
        
        - InPlaceAbstractState, which can tell you the abstract state of anything you
          might care about, and uses the old AbstractState's algorithms and data
          structures for doing so.
        
        - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
          respect to an AbstractStateType. Currently we always use
          AbstractStateType = InPlaceAbstractState. But we could drop in an other
          class that supports basic primitives like forNode() and variables().
        
        This is important because:
        
        - We want to hoist things out of loops.

        - We don't know what things rely on what type checks.

        - We only want to hoist type checks out of loops if they aren't clobbered.

        - We may want to still hoist things that depended on those type checks, if it's
          safe to do those things based on the CFA state at the tail of the loop
          pre-header.

        - We don't want things to rely on their type checks by way of a token, because
          that's just weird.

        So, we want to be able to have a special form of the CFA that can
        incrementally update a basic block's state-at-tail, and we want to be able to
        do this for multiple blocks simultaneously. This requires *not* storing the
        per-node state in the nodes themselves, but instead using the at-tail HashMap
        directly.

        Hence we need to have a way of making the abstract interpreter (i.e.
        AbstractState::execute) polymorphic with respect to state representation. Put
        another way, we need to separate the way that abstract state is represented
        from the way DFG IR is abstractly interpreted.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreter.h: Added.
        (DFG):
        (AbstractInterpreter):
        (JSC::DFG::AbstractInterpreter::forNode):
        (JSC::DFG::AbstractInterpreter::variables):
        (JSC::DFG::AbstractInterpreter::needsTypeCheck):
        (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
        (JSC::DFG::AbstractInterpreter::filter):
        (JSC::DFG::AbstractInterpreter::filterArrayModes):
        (JSC::DFG::AbstractInterpreter::filterByValue):
        (JSC::DFG::AbstractInterpreter::trySetConstant):
        (JSC::DFG::AbstractInterpreter::filterByType):
        * dfg/DFGAbstractInterpreterInlines.h: Added.
        (DFG):
        (JSC::DFG::::AbstractInterpreter):
        (JSC::DFG::::~AbstractInterpreter):
        (JSC::DFG::::booleanResult):
        (JSC::DFG::::startExecuting):
        (JSC::DFG::::executeEdges):
        (JSC::DFG::::verifyEdge):
        (JSC::DFG::::verifyEdges):
        (JSC::DFG::::executeEffects):
        (JSC::DFG::::execute):
        (JSC::DFG::::clobberWorld):
        (JSC::DFG::::clobberCapturedVars):
        (JSC::DFG::::clobberStructures):
        (JSC::DFG::::dump):
        (JSC::DFG::::filter):
        (JSC::DFG::::filterArrayModes):
        (JSC::DFG::::filterByValue):
        * dfg/DFGAbstractState.cpp: Removed.
        * dfg/DFGAbstractState.h: Removed.
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::CFAPhase):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (CFAPhase):
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (ConstantFoldingPhase):
        * dfg/DFGInPlaceAbstractState.cpp: Added.
        (DFG):
        (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
        (JSC::DFG::setLiveValues):
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::endBasicBlock):
        (JSC::DFG::InPlaceAbstractState::reset):
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        (JSC::DFG::InPlaceAbstractState::merge):
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGInPlaceAbstractState.h: Added.
        (DFG):
        (InPlaceAbstractState):
        (JSC::DFG::InPlaceAbstractState::forNode):
        (JSC::DFG::InPlaceAbstractState::variables):
        (JSC::DFG::InPlaceAbstractState::block):
        (JSC::DFG::InPlaceAbstractState::didClobber):
        (JSC::DFG::InPlaceAbstractState::isValid):
        (JSC::DFG::InPlaceAbstractState::setDidClobber):
        (JSC::DFG::InPlaceAbstractState::setIsValid):
        (JSC::DFG::InPlaceAbstractState::setBranchDirection):
        (JSC::DFG::InPlaceAbstractState::setFoundConstants):
        (JSC::DFG::InPlaceAbstractState::haveStructures):
        (JSC::DFG::InPlaceAbstractState::setHaveStructures):
        * dfg/DFGMergeMode.h: Added.
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (FTL):
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateNumber):
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
        (LowerDFGToLLVM):

2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
        https://bugs.webkit.org/show_bug.cgi?id=118867

        Reviewed by Mark Hahnenberg.
        
        This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
        ArrayProfile.

        It also makes it easier to ask any array-using node how to create its type check.
        
        Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
        an array profile, thinking that it was storing into a value profile. Reshuffling the
        fields in ArrayProfile revealed this.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (ArrayProfile):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::updateAllPredictions):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::updateAllArrayPredictions):
        * dfg/DFGArrayMode.h:
        (ArrayMode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        * llint/LowLevelInterpreter64.asm:

2013-07-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: CFA should consider live-at-head for clobbering and dumping
        https://bugs.webkit.org/show_bug.cgi?id=118857

        Reviewed by Mark Hahnenberg.
        
        - clobberStructures() was not considering nodes live-at-head when in SSA
          form. This means it would fail to clobber some structures.
        
        - dump() was not considering nodes live-at-head when in SSA form. This
          means it wouldn't dump everything that you might be interested in.
        
        - AbstractState::m_currentNode is a useless variable and we should get
          rid of it.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::reset):
        (JSC::DFG::AbstractState::startExecuting):
        (JSC::DFG::AbstractState::clobberStructures):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGAbstractState.h:
        (AbstractState):

2013-07-16  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Add a phase to create loop pre-headers
        https://bugs.webkit.org/show_bug.cgi?id=118778

        Reviewed by Oliver Hunt.
        
        Add a loop pre-header creation phase. Any loop that doesn't already have
        just one predecessor that isn't part of the loop has a pre-header
        prepended. All non-loop predecessors then jump to that pre-header.
        
        Also fix a handful of bugs:
        
        - DFG::Analysis should set m_valid before running the analysis, since that
          makes it easier to use ASSERT(m_valid) in the analysis' methods, which
          may be called by the analysis before the analysis completes. NaturalLoops
          does this with loopsOf().
        
        - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
          returning 0, since that'll happen if the block isn't in any loop.
        
        - Change BlockInsertionSet to dethread the graph, since anyone using it
          will want to do so.
        
        - Change dethreading to ignore SSA form graphs.
        
        This also adds NaturalLoops::belongsTo(), which I always used in the
        pre-header creation phase. I didn't end up using it but I'll probably use
        it in the near future.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAnalysis.h:
        (JSC::DFG::Analysis::computeIfNecessary):
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::execute):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dethread):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
        (DFG):
        (LoopPreHeaderCreationPhase):
        (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        (JSC::DFG::performLoopPreHeaderCreation):
        * dfg/DFGLoopPreHeaderCreationPhase.h: Added.
        (DFG):
        * dfg/DFGNaturalLoops.h:
        (NaturalLoop):
        (JSC::DFG::NaturalLoops::headerOf):
        (JSC::DFG::NaturalLoops::innerMostLoopOf):
        (JSC::DFG::NaturalLoops::innerMostOuterLoop):
        (JSC::DFG::NaturalLoops::belongsTo):
        (NaturalLoops):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-07-16  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Rationalize Node::replacement
        https://bugs.webkit.org/show_bug.cgi?id=118774

        Reviewed by Oliver Hunt.
        
        - Clearing of replacements is now done in Graph::clearReplacements().
        
        - New nodes now have replacement set to 0.
        
        - Node::replacement is now part of a 'misc' union. I'll be putting at least
          one other field into that union as part of LICM work (see
          https://bugs.webkit.org/show_bug.cgi?id=118749).

        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::performBlockCSE):
        * dfg/DFGGraph.cpp:
        (DFG):
        (JSC::DFG::Graph::clearReplacements):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::performSubstitutionForEdge):
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):

2013-07-16  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
        https://bugs.webkit.org/show_bug.cgi?id=118750

        Reviewed by Mark Hahnenberg.

        * dfg/DFGBasicBlock.h:
        (BasicBlock):
        * dfg/DFGNaturalLoops.cpp:
        (JSC::DFG::NaturalLoops::compute):
        (JSC::DFG::NaturalLoops::loopsOf):
        * dfg/DFGNaturalLoops.h:
        (DFG):
        (JSC::DFG::NaturalLoop::NaturalLoop):
        (NaturalLoop):
        (JSC::DFG::NaturalLoop::index):
        (JSC::DFG::NaturalLoop::isOuterMostLoop):
        (JSC::DFG::NaturalLoop::addBlock):
        (JSC::DFG::NaturalLoops::headerOf):
        (JSC::DFG::NaturalLoops::innerMostLoopOf):
        (NaturalLoops):
        (JSC::DFG::NaturalLoops::innerMostOuterLoop):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-07-16  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: don't GC when shutting down the VM
        https://bugs.webkit.org/show_bug.cgi?id=118751

        Reviewed by Mark Hahnenberg.

        * heap/Heap.h:
        (Heap):
        * runtime/VM.cpp:
        (JSC::VM::~VM):

2013-07-12  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should have an SSA form for use by FTL
        https://bugs.webkit.org/show_bug.cgi?id=118338

        Reviewed by Mark Hahnenberg.
        
        Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
        after breaking critical edges. The conversion algorithm follows Aycock and
        Horspool, and the SSA form itself follows something I've done before, where
        instead of having Phi functions specify input nodes corresponding to block
        predecessors, we instead have Upsilon functions in the predecessors that
        specify which value in that block goes into which subsequent Phi. Upsilons
        don't have to dominate Phis (usually they don't) and they correspond to a
        non-SSA "mov" into the Phi's "variable". This gives all of the good
        properties of SSA, while ensuring that a bunch of CFG transformations don't
        have to be SSA-aware.
        
        So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
        simplification is probably SSA-aware by default, though I haven't tried it.
        Constant folding probably needs a few tweaks, but is likely ready. Ditto
        for CSE, though it's not clear that we'd want to use block-local CSE when
        we could be doing GVN.
        
        Currently only the FTL can generate code from the SSA form, and there is no
        way to convert from SSA to ThreadedCPS or LoadStore. There probably will
        never be such a capability.
        
        In order to handle OSR exit state in the SSA, we place MovHints at Phi
        points. Other than that, you can reconstruct state-at-exit by forward
        propagating MovHints. Note that MovHint is the new SetLocal in SSA.
        SetLocal and GetLocal only survive into SSA if they are on captured
        variables, or in the case of flushes. A "live SetLocal" will be
        NodeMustGenerate and will always correspond to a flush. Computing the
        state-at-exit requires running SSA liveness analysis, OSR availability
        analysis, and flush liveness analysis. The FTL runs all of these prior to
        generating code. While OSR exit continues to be tricky, much of the logic
        is now factored into separate phases and the backend has to do less work
        to reason about what happened outside of the basic block that is being
        lowered.
        
        Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
        code in depth-first order, thus guaranteeing that a node will always be
        lowered (and hence have a LValue) before any of the blocks dominated by
        that node's block have code generated. For Upsilon/Phi, we just use
        alloca's. We could do something more clever there, but it's probably not
        worth it, at least not now.
        
        Finally, while the SSA form is currently only being converted to LLVM IR,
        there is nothing that prevents us from considering other backends in the
        future - with the caveat that this form is designed to be first lowered to
        a lower-level SSA before actual machine code generation commences. So we
        ought to either use LLVM (the intended path) or we will have to write our
        own SSA low-level backend.
        
        This runs all of the code that the FTL was known to run previously. No
        change in performance for now. But it does open some exciting
        possibilities!

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Operands.h:
        (JSC::OperandValueTraits::dump):
        (JSC::Operands::fill):
        (Operands):
        (JSC::Operands::clear):
        (JSC::Operands::operator==):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::setLiveValues):
        (DFG):
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::merge):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGAdjacencyList.h:
        (JSC::DFG::AdjacencyList::justOneChild):
        (AdjacencyList):
        * dfg/DFGBasicBlock.cpp: Added.
        (DFG):
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::BasicBlock::~BasicBlock):
        (JSC::DFG::BasicBlock::ensureLocals):
        (JSC::DFG::BasicBlock::isInPhis):
        (JSC::DFG::BasicBlock::isInBlock):
        (JSC::DFG::BasicBlock::removePredecessor):
        (JSC::DFG::BasicBlock::replacePredecessor):
        (JSC::DFG::BasicBlock::dump):
        (JSC::DFG::BasicBlock::SSAData::SSAData):
        (JSC::DFG::BasicBlock::SSAData::~SSAData):
        * dfg/DFGBasicBlock.h:
        (BasicBlock):
        (JSC::DFG::BasicBlock::operator[]):
        (JSC::DFG::BasicBlock::successor):
        (JSC::DFG::BasicBlock::successorForCondition):
        (SSAData):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGBlockInsertionSet.cpp: Added.
        (DFG):
        (JSC::DFG::BlockInsertionSet::BlockInsertionSet):
        (JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
        (JSC::DFG::BlockInsertionSet::insert):
        (JSC::DFG::BlockInsertionSet::insertBefore):
        (JSC::DFG::BlockInsertionSet::execute):
        * dfg/DFGBlockInsertionSet.h: Added.
        (DFG):
        (BlockInsertionSet):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        * dfg/DFGCFGSimplificationPhase.cpp:
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
        * dfg/DFGCommon.cpp:
        (WTF::printInternal):
        * dfg/DFGCommon.h:
        (JSC::DFG::doesKill):
        (DFG):
        (JSC::DFG::killStatusForDoesKill):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
        (DFG):
        (CriticalEdgeBreakingPhase):
        (JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
        (JSC::DFG::CriticalEdgeBreakingPhase::run):
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        (JSC::DFG::performCriticalEdgeBreaking):
        * dfg/DFGCriticalEdgeBreakingPhase.h: Added.
        (DFG):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::findTypeCheckRoot):
        (JSC::DFG::DCEPhase::countNode):
        (DCEPhase):
        (JSC::DFG::DCEPhase::countEdge):
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGEdge.cpp:
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::setNode):
        (JSC::DFG::Edge::useKindUnchecked):
        (JSC::DFG::Edge::setUseKind):
        (JSC::DFG::Edge::setProofStatus):
        (JSC::DFG::Edge::willNotHaveCheck):
        (JSC::DFG::Edge::willHaveCheck):
        (Edge):
        (JSC::DFG::Edge::killStatusUnchecked):
        (JSC::DFG::Edge::killStatus):
        (JSC::DFG::Edge::setKillStatus):
        (JSC::DFG::Edge::doesKill):
        (JSC::DFG::Edge::doesNotKill):
        (JSC::DFG::Edge::shift):
        (JSC::DFG::Edge::makeWord):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGFlushFormat.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h: Added.
        (DFG):
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (WTF):
        * dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
        (DFG):
        (FlushLivenessAnalysisPhase):
        (JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
        (JSC::DFG::FlushLivenessAnalysisPhase::run):
        (JSC::DFG::FlushLivenessAnalysisPhase::process):
        (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
        (JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
        (JSC::DFG::performFlushLivenessAnalysis):
        * dfg/DFGFlushLivenessAnalysisPhase.h: Added.
        (DFG):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (DFG):
        (JSC::DFG::Graph::addForDepthFirstSort):
        (JSC::DFG::Graph::getBlocksInDepthFirstOrder):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::convertToConstant):
        (JSC::DFG::Graph::valueProfileFor):
        (Graph):
        * dfg/DFGInsertionSet.h:
        (DFG):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGLivenessAnalysisPhase.cpp: Added.
        (DFG):
        (LivenessAnalysisPhase):
        (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
        (JSC::DFG::LivenessAnalysisPhase::run):
        (JSC::DFG::LivenessAnalysisPhase::process):
        (JSC::DFG::LivenessAnalysisPhase::addChildUse):
        (JSC::DFG::performLivenessAnalysis):
        * dfg/DFGLivenessAnalysisPhase.h: Added.
        (DFG):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::hasVariableAccessData):
        (DFG):
        * dfg/DFGNode.h:
        (DFG):
        (Node):
        (JSC::DFG::Node::hasLocal):
        (JSC::DFG::Node::variableAccessData):
        (JSC::DFG::Node::hasPhi):
        (JSC::DFG::Node::phi):
        (JSC::DFG::Node::takenBlock):
        (JSC::DFG::Node::notTakenBlock):
        (JSC::DFG::Node::successor):
        (JSC::DFG::Node::successorForCondition):
        (JSC::DFG::nodeComparator):
        (JSC::DFG::nodeListDump):
        (JSC::DFG::nodeMapDump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
        (DFG):
        (OSRAvailabilityAnalysisPhase):
        (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        (JSC::DFG::performOSRAvailabilityAnalysis):
        * dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
        (DFG):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSSAConversionPhase.cpp: Added.
        (DFG):
        (SSAConversionPhase):
        (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
        (JSC::DFG::SSAConversionPhase::run):
        (JSC::DFG::SSAConversionPhase::forwardPhiChildren):
        (JSC::DFG::SSAConversionPhase::forwardPhi):
        (JSC::DFG::SSAConversionPhase::forwardPhiEdge):
        (JSC::DFG::SSAConversionPhase::deduplicateChildren):
        (JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
        (JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
        (JSC::DFG::performSSAConversion):
        * dfg/DFGSSAConversionPhase.h: Added.
        (DFG):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (Validate):
        (JSC::DFG::Validate::validateCPS):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::flushFormat):
        (VariableAccessData):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
        (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
        (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileAdd):
        (JSC::FTL::LowerDFGToLLVM::compileArithSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
        (JSC::FTL::LowerDFGToLLVM::compileBitOr):
        (JSC::FTL::LowerDFGToLLVM::compileBitXor):
        (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
        (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
        (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
        (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
        (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
        (JSC::FTL::LowerDFGToLLVM::speculateBackward):
        (JSC::FTL::LowerDFGToLLVM::lowInt32):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::lowBoolean):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::lowStorage):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateBoolean):
        (JSC::FTL::LowerDFGToLLVM::isLive):
        (JSC::FTL::LowerDFGToLLVM::use):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
        (JSC::FTL::LowerDFGToLLVM::setInt32):
        (JSC::FTL::LowerDFGToLLVM::setJSValue):
        (JSC::FTL::LowerDFGToLLVM::setBoolean):
        (JSC::FTL::LowerDFGToLLVM::setStorage):
        (JSC::FTL::LowerDFGToLLVM::setDouble):
        (JSC::FTL::LowerDFGToLLVM::isValid):
        * ftl/FTLLoweredNodeValue.h: Added.
        (FTL):
        (LoweredNodeValue):
        (JSC::FTL::LoweredNodeValue::LoweredNodeValue):
        (JSC::FTL::LoweredNodeValue::isSet):
        (JSC::FTL::LoweredNodeValue::operator!):
        (JSC::FTL::LoweredNodeValue::value):
        (JSC::FTL::LoweredNodeValue::block):
        * ftl/FTLValueFromBlock.h:
        (JSC::FTL::ValueFromBlock::ValueFromBlock):
        (ValueFromBlock):
        * ftl/FTLValueSource.cpp:
        (JSC::FTL::ValueSource::dump):
        * ftl/FTLValueSource.h:

2013-07-11  Mark Lam  <mark.lam@apple.com>

        Resurrect the CLoop LLINT on the FTL branch.
        https://bugs.webkit.org/show_bug.cgi?id=118144.

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::jitType):
          - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
        * bytecode/JumpTable.h:
        (JSC::SimpleJumpTable::clear):
        * interpreter/StackIterator.cpp:
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::print):
        * jit/JITCode.cpp:
        (JSC):
        * jit/JITExceptions.cpp:
        (JSC::getExceptionLocation):
        * llint/LowLevelInterpreter.cpp:
        * offlineasm/cloop.rb:
        * runtime/Structure.cpp:

2013-07-08  Filip Pizlo  <fpizlo@apple.com>

        NaturalLoops + Profiler = Crash
        https://bugs.webkit.org/show_bug.cgi?id=118486

        Reviewed by Geoffrey Garen.
        
        I borked dominators in:
        http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGDominators.h
        
        This patch also adds some debug support, and fixes the loop that adds a block to
        an already-existing natural loop. Note that we currently don't take that path in
        most programs, but it will arise, for example if you use 'continue' - though you'd
        have to use it rather cleverly since the bytecode will not jump to the loop header
        in most uses of 'continue'.

        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::dump):
        (DFG):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::dominates):
        (Dominators):
        * dfg/DFGNaturalLoops.cpp:
        (JSC::DFG::NaturalLoops::compute):

2013-07-08  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes
        https://bugs.webkit.org/show_bug.cgi?id=118489

        Reviewed by Mark Hahnenberg.

        * bytecode/ArrayProfile.h:
        (JSC::arrayModesAreClearOrTop):
        (JSC):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::beginBasicBlock):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::hasClobberableState):
        (AbstractValue):

2013-07-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        CheckArray should call the right version of filterArrayModes
        https://bugs.webkit.org/show_bug.cgi?id=118488

        Reviewed by Filip Pizlo.

        Currently in the CFA CheckArray doesn't call the right filterArrayMode which can cause 
        the CFA to ignore when it sees a contradiction.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):

2013-07-07  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop
        https://bugs.webkit.org/show_bug.cgi?id=118452

        Reviewed by Sam Weinig.
        
        Noticed that ArgumentsSimplificationPhase was converting something to a Nop and then
        resetting its children using clearAndDerefChild(). Using Nop instead of Phantom is a
        holdover from back when we needed a no-MustGenerate no-op. We don't anymore. Using
        clearAndDerefChild() was necessary back when we did eager reference counting. We
        don't need to do that anymore, and in fact clearAndDerefChild() appeared to not do
        any reference counting, so it was badly named to begin with.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-07-04  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should better report its compile-times and it should be able to run in a mode where it doesn't spend time generating OSR exits
        https://bugs.webkit.org/show_bug.cgi?id=118401

        Reviewed by Sam Weinig.
        
        Add two new OSR exit modes, which are useful only for playing with compile times:
        
        - All OSR exits are llvm.trap().
        
        - OSR exits don't take arguments and have no exit value marshaling.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        (Plan):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::trap):
        * runtime/Options.h:
        (JSC):

2013-07-04  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex
        https://bugs.webkit.org/show_bug.cgi?id=118339

        Reviewed by Michael Saboff.
        
        This accomplishes two goals:

        1) Simplifies a bunch of code. You can now much more directly get to a successor
           or predecessor, since you just get the pointer directly. The backend(s) always
           hold onto a pointer to the block they're on, so you don't have to do work to
           get the block from the index.
        
        2) It allows for the possibility of inserting blocks into the program.
           Previously, if you did that, you'd have to edit all references to blocks since
           those references would have outdated indexing after an insertion. Now, if you
           change the indexing, you just have to invalidate some analyses and make sure
           that you change each block's BasicBlock::index accordingly.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::endBasicBlock):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::run):
        * dfg/DFGBasicBlock.h:
        (DFG):
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::BasicBlock::size):
        (JSC::DFG::BasicBlock::isEmpty):
        (JSC::DFG::BasicBlock::at):
        (JSC::DFG::BasicBlock::operator[]):
        (JSC::DFG::BasicBlock::last):
        (JSC::DFG::BasicBlock::resize):
        (JSC::DFG::BasicBlock::grow):
        (BasicBlock):
        (JSC::DFG::BasicBlock::append):
        (JSC::DFG::BasicBlock::numSuccessors):
        (JSC::DFG::BasicBlock::successor):
        (JSC::DFG::BasicBlock::successorForCondition):
        (JSC::DFG::BasicBlock::dump):
        (UnlinkedBlock):
        (JSC::DFG::UnlinkedBlock::UnlinkedBlock):
        (JSC::DFG::getBytecodeBeginForBlock):
        (JSC::DFG::blockForBytecodeOffset):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::linkBlocks):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::CFAPhase::performForwardCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::convertToJump):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
        (JSC::DFG::CPSRethreadingPhase::propagatePhis):
        (CPSRethreadingPhase):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::run):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::run):
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGDisassembler.h:
        (JSC::DFG::Disassembler::setForBlockIndex):
        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::compute):
        (JSC::DFG::Dominators::iterateForBlock):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::dominates):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::handleSuccessor):
        (JSC::DFG::Graph::determineReachability):
        (JSC::DFG::Graph::resetReachability):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::numBlocks):
        (JSC::DFG::Graph::block):
        (JSC::DFG::Graph::lastBlock):
        (Graph):
        (JSC::DFG::Graph::appendBlock):
        (JSC::DFG::Graph::killBlock):
        (DFG):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::setForBlockIndex):
        * dfg/DFGNaturalLoops.cpp:
        (JSC::DFG::NaturalLoop::dump):
        (JSC::DFG::NaturalLoops::compute):
        (JSC::DFG::NaturalLoops::loopsOf):
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoop::NaturalLoop):
        (JSC::DFG::NaturalLoop::addBlock):
        (JSC::DFG::NaturalLoop::header):
        (JSC::DFG::NaturalLoop::at):
        (JSC::DFG::NaturalLoop::operator[]):
        (JSC::DFG::NaturalLoop::contains):
        (NaturalLoop):
        (JSC::DFG::NaturalLoops::headerOf):
        (NaturalLoops):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::SwitchCase::SwitchCase):
        (JSC::DFG::SwitchCase::withBytecodeIndex):
        (SwitchCase):
        (JSC::DFG::SwitchCase::targetBytecodeIndex):
        (JSC::DFG::SwitchData::SwitchData):
        (JSC::DFG::SwitchData::setFallThroughBytecodeIndex):
        (JSC::DFG::SwitchData::fallThroughBytecodeIndex):
        (SwitchData):
        (JSC::DFG::Node::setTakenBlock):
        (JSC::DFG::Node::setNotTakenBlock):
        (JSC::DFG::Node::takenBlock):
        (JSC::DFG::Node::notTakenBlock):
        (JSC::DFG::Node::successor):
        (JSC::DFG::Node::successorForCondition):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagateForward):
        (JSC::DFG::PredictionPropagationPhase::propagateBackward):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (JSC::DFG::SpeculativeJIT::addBranch):
        (JSC::DFG::SpeculativeJIT::linkBranches):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::nextBlock):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::branchDouble):
        (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
        (JSC::DFG::SpeculativeJIT::branch32):
        (JSC::DFG::SpeculativeJIT::branchTest32):
        (JSC::DFG::SpeculativeJIT::branch64):
        (JSC::DFG::SpeculativeJIT::branch8):
        (JSC::DFG::SpeculativeJIT::branchPtr):
        (JSC::DFG::SpeculativeJIT::branchTestPtr):
        (JSC::DFG::SpeculativeJIT::branchTest8):
        (JSC::DFG::SpeculativeJIT::jump):
        (JSC::DFG::SpeculativeJIT::addBranch):
        (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
        (StringSwitchCase):
        (JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord):
        (BranchRecord):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        (JSC::DFG::Validate::checkOperand):
        (JSC::DFG::Validate::reportValidationContext):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileJump):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::lowBlock):

2013-07-04  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add a helpful comment for why DCE is needed in the FTL.

        I believe I've now twice down the experiment of disabling DCE in the FTL,
        only to realize that this can't work, and that DCE is needed. I'd kind of
        like to not make that mistake again.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-07-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t
        https://bugs.webkit.org/show_bug.cgi?id=118340

        Reviewed by Sam Weinig.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):

2013-07-02  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix 32-bit build.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::comparePtr):
        (MacroAssembler):
        * dfg/DFGBinarySwitch.cpp:
        (JSC::DFG::BinarySwitch::advance):
        * dfg/DFGBinarySwitch.h:
        (JSC::DFG::BinarySwitch::caseValue):

2013-07-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Have fewer Arrayify's
        https://bugs.webkit.org/show_bug.cgi?id=118335

        Reviewed by Mark Hahnenberg.
        
        A lot of Arrayify's arise because some program saw Int32 arrays early on in
        execution, but then they all got converted to Double arrays and the program
        will never see Int32 arrays ever again. Prior to this change you would always
        have an Arrayify in this case. But with this change, the first time that an
        ArrayProfile is about to go polymorphic in computeUpdatedPrediction(), it
        instead forcibly monomorphises itself to the latest-seen structure.
        Thereafter it will never again perform this monomorphisation. This is
        controlled by ArrayProfile::m_didPerformFirstRunPruning. This is a 5%
        speed-up on Kraken/imaging-gaussian-blur with the FTL enabled, and it
        unblocks a bunch of stuff we want to do in the future because it makes a
        bunch of loops effect-free.
        
        We will still want to implement Arrayify hoisting in the future, but this is
        great anyway because it's better to not have Arrayifications than it is to
        have hoisted Arrayifications.

        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescription):
        (JSC):
        (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (ArrayProfile):

2013-07-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: add option to disable OSR entry in loops
        https://bugs.webkit.org/show_bug.cgi?id=118329

        Reviewed by Mark Hahnenberg.
        
        This adds that option, and also makes the OSR exit reoptimization trigger rely less on
        OSR entry failing. Now even if we never attempt OSR entry but our execution counter gets
        high after a small number of OSR exits, we will recompile.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGOperations.cpp:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * runtime/Options.h:
        (JSC):

2013-07-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: since the FTL disassembly hacks cannot distinguish between code and data, the LLVM disassembler symbol table callback should be able to deal gracefully with arbitrary garbage
        https://bugs.webkit.org/show_bug.cgi?id=118313

        Reviewed by Mark Hahnenberg.
        
        Give it a mode where we can still crash on unrecognized reference types, so that we might
        implement them in the future, but by default just print some stuff and keep going.

        * disassembler/LLVMDisassembler.cpp:
        (JSC):
        (JSC::symbolLookupCallback):

2013-07-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should use the equivalent of llvm opt -O2 by default
        https://bugs.webkit.org/show_bug.cgi?id=118311

        Reviewed by Mark Hahnenberg.
        
        Use a PassManagerBuilder instead of rolling our own.
        
        This boosts our speed-up by another 5% or so.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:
        (JSC):

2013-07-01  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should run LICM after AA setup
        https://bugs.webkit.org/show_bug.cgi?id=118277

        Reviewed by Maciej Stachowiak.
        
        LICM queries alias analysis. Hence, just like GVN, it should run after
        we have set up the alias analysis.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2013-07-01  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should run AA passes before GVN
        https://bugs.webkit.org/show_bug.cgi?id=118276

        Rubber stamped by Geoffrey Garen.
        
        These enable load elimination in GVN.
        
        Immediately gives us a speed-up on a bunch of benchmarks I hacked to run
        properly in the FTL. One example is 20% on imaging-gaussian-blur. (Fair
        warning: the stock version of that benchmark won't see speed-ups -
        probably slow-downs instead - because the FTL can't do OSR entry yet.)
        Another example is the findGraphNode function, which now sees a 7%
        speed-up, and that's without even doing LICM or other good things.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2013-06-27  Filip Pizlo  <fpizlo@apple.com>

        Make Graph::substituteGetLocal() out-of-line

        Rubber stamped by Geoffrey Garen.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::substituteGetLocal):
        (DFG):
        * dfg/DFGGraph.h:
        (Graph):

2013-06-27  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should know how to find natural loops
        https://bugs.webkit.org/show_bug.cgi?id=118152

        Reviewed by Mark Hahnenberg.
        
        There are a bunch of things we can do when we know where the loops are.
        Previously we didn't. With this patch, we do.
        
        This patch adds the classic dominator based natural loop finder.
        
        The only client of this right now is the DFG::Disassembler. It prints out
        a summary of the analysis for each block.
        
        This will become more important when I do
        https://bugs.webkit.org/show_bug.cgi?id=118151, which definitely requires
        this kind of analysis, at least if we want to do the optimization over
        DFG IR (and I'm pretty sure we do).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAnalysis.h: Added.
        (DFG):
        (Analysis):
        (JSC::DFG::Analysis::Analysis):
        (JSC::DFG::Analysis::invalidate):
        (JSC::DFG::Analysis::computeIfNecessary):
        (JSC::DFG::Analysis::isValid):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::Dominators):
        (JSC::DFG::Dominators::compute):
        * dfg/DFGDominators.h:
        (Dominators):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::invalidateCFG):
        (DFG):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNaturalLoops.cpp: Added.
        (DFG):
        (JSC::DFG::NaturalLoop::dump):
        (JSC::DFG::NaturalLoops::NaturalLoops):
        (JSC::DFG::NaturalLoops::~NaturalLoops):
        (JSC::DFG::NaturalLoops::compute):
        (JSC::DFG::NaturalLoops::loopsOf):
        (JSC::DFG::NaturalLoops::dump):
        * dfg/DFGNaturalLoops.h: Added.
        (DFG):
        (NaturalLoop):
        (JSC::DFG::NaturalLoop::NaturalLoop):
        (JSC::DFG::NaturalLoop::addBlock):
        (JSC::DFG::NaturalLoop::header):
        (JSC::DFG::NaturalLoop::size):
        (JSC::DFG::NaturalLoop::at):
        (JSC::DFG::NaturalLoop::operator[]):
        (JSC::DFG::NaturalLoop::contains):
        (NaturalLoops):
        (JSC::DFG::NaturalLoops::numLoops):
        (JSC::DFG::NaturalLoops::loop):
        (JSC::DFG::NaturalLoops::headerOf):

2013-06-27  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: JSC's disassembly infrastructure should be able to disassemble the code that LLVM generates
        https://bugs.webkit.org/show_bug.cgi?id=118148

        Reviewed by Anders Carlsson.
        
        Oh boy. UDis86 cannot disassemble the AVX (or whatever it's called) stuff
        that LLVM generates for floating point. So the right decision is to
        switch to the LLVM disassembler, right? Wrong!! LLVM's disassembler
        cannot disassemble the load-from-absolute-address-into-%rax instructions
        that our JIT generates quite a lot of.
        
        So, this keeps the UDis86 disassembler, but adds the LLVM disassembler,
        and requires the caller of disassemble() to hint which one is likely to
        be less wrong for the given code.
        
        Maybe in the future LLVM will catch up to UDis86, but it's definitely not
        there right now.
        
        This now allows us to disassemble all of the code that LLVM generates.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * disassembler/Disassembler.cpp:
        (JSC::disassemble):
        * disassembler/Disassembler.h:
        (JSC::tryToDisassemble):
        (JSC):
        * disassembler/LLVMDisassembler.cpp: Added.
        (JSC):
        (JSC::symbolLookupCallback):
        (JSC::tryToDisassembleWithLLVM):
        * disassembler/LLVMDisassembler.h: Added.
        (JSC):
        (JSC::tryToDisassembleWithLLVM):
        * disassembler/UDis86Disassembler.cpp:
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/UDis86Disassembler.h: Added.
        (JSC):
        (JSC::tryToDisassembleWithUDis86):
        * disassembler/X86Disassembler.cpp: Added.
        (JSC):
        (JSC::tryToDisassemble):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLJITCode.h:
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLLVMHeaders.h: Removed.
        * ftl/FTLLink.cpp:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/Options.h:
        (JSC):

2013-06-27  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should be able to dump disassembly
        https://bugs.webkit.org/show_bug.cgi?id=118141

        Reviewed by Geoffrey Garen.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2013-06-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build for LLVM ToT.

        This doesn't affect those using the binary drops, but if you're building from
        LLVM ToT you'll get link errors. These arise because we expect there to be a
        libLLVMArchive, but that is no longer built by LLVM ToT. This casues the linker
        to fall back on the system's libLLVMArchive, which is incompatible with the
        other LLVM libs we pull in.
        
        Also, we didn't need that library anyway and shouldn't have been linking
        against it.

        * Configurations/JavaScriptCore.xcconfig:

2013-06-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support hole/OOB PutByVal's
        https://bugs.webkit.org/show_bug.cgi?id=118112

        Reviewed by Geoffrey Garen.
        
        Added a common code generator for the out-of-bounds case that is reused by
        all contiguous-like arrays (Int32, Double, Contiguous).
        
        This is relatively straight-forward, except that it's the first time that
        the FTL has to call DFG operations that take more than two arguments.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::functionType):
        (JSC::FTL::buildCall):
        * ftl/FTLAbstractHeapRepository.h:
        (FTL):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
        (JSC::FTL::LowerDFGToLLVM::vmCall):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::call):

2013-06-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL::canCompile(Graph&) should not consider nodes that won't be compiled
        https://bugs.webkit.org/show_bug.cgi?id=118097

        Reviewed by Mark Hahnenberg.
        
        This increases coverage to include programs that have unprofiled paths. Those paths will
        often have nodes that appear to do untyped speculations, and the FTL sometimes doesn't
        support those; except that it doesn't matter since the reason why they were untyped is
        that they were unprofiled and anyway we won't run them because we'll exit before them.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):

2013-06-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support ArrayifyToStructure
        https://bugs.webkit.org/show_bug.cgi?id=118095

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (LowerDFGToLLVM):

2013-06-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support ForwardCheckStructure/ForwardStructureTransitionWatchpoint and doing so shouldn't break V8/crypto
        https://bugs.webkit.org/show_bug.cgi?id=118091

        Reviewed by Mark Hahnenberg.
        
        I was going to just add ForwardCheckStructure/ForwardStructureTransitionWatchpoint support,
        which is trivial. But doing so increases coverage a lot, and revealed long-standing bugs in
        the FTL. I then fixed those bugs, also:
        
        - The FTL should not attempt to compile a block that is not reachable according to the CFA.
          This is analogous to terminating basic block compilation if the CFA becomes !isValid().
          Attempting to compile such a block means that you're running on broken CFA state, and the
          CFA will become inconsistent with the code you're generating, leading to some
          strangeness. For example, the FTL relies on the CFA to tell it that we gave up compiling
          a node and hence don't have LValue's for that node (by virtue of us giving up due to
          !isValid()). But the CFA's isValid() bit will not be set correctly for blocks that
          weren't visited by the CFA at all, and the CFA expects you to know this because it
          expects that you already checked BasicBlock::cfaHasVisited.
        
        - SetLocal needs to change the ValueSource of the operand to indicate that its value has
          been stashed in the local (i.e. the "reference" corresponding to the operand in FTL
          speak). This is because although OSR exit already knows that the value of the operand is
          stored in the Node, and it already knows what LValue corresponds to the node, OSR exit
          will also assume that if the Node dies then the value-at-exit for that operand should be
          Dead (i.e. jsUndefined). But the Node dying, and the local dying, are two distinct
          things; in particular the local always outlives the Node in the case of a SetLocal. So,
          we just need to have SetLocal have the ValueSource be BlahInLocal rather than HaveNode,
          to ensure that OSR exit knows that the darn thing is really live until the end of the
          basic block, as opposed to until whenever the Node dies (which could be at any time).
        
        - PutByOffset was erroneously storing to an offset from the base object, rather than an
          offset from the storage. Note that the storage will be the base object (exactly - i.e.
          same node, same value) for inline stores, but will be a distinct thing for out-of-line
          stores.
        
        - At-head set-up of OSR exit state was using ValueInLocals for variables forced double,
          when it should have been using DoubleInLocals.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):

2013-06-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support PutByVal
        https://bugs.webkit.org/show_bug.cgi?id=118075

        Reviewed by Mark Hahnenberg.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-06-25  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneChain optimization for double array GetByVals
        https://bugs.webkit.org/show_bug.cgi?id=118028

        Reviewed by Sam Weinig.
        
        The SaneChain optimization allows us to get rid of the NaN check on loading from
        a double array, if the result is used in an arithmetic op that wouldn't
        distinguish between NaN and undefined. Normally the NaN check would be needed
        because NaN is the hole marker.
        
        The SaneChain optimization definitely requires that you're an Original array,
        since we need to watchpoint the array prototype chain. And so it also needs to
        be a JSArray, and not an object that has indexed double properties. We also
        require an in-bounds access, since the backend is only capable of the
        optimization in the in-bounds case (though we could extend it to OOB in the
        future). But whether the array is being converted or is as-is isn't relevant.
        Either way, if it's a double original array in-bounds access by the time that
        the array check (or conversion!) completes, we can do the optimization.
        
        Ever-so-slight speed-up on Kraken/imaging-gaussian-blur.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-06-25  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should support switch_string
        https://bugs.webkit.org/show_bug.cgi?id=117967

        Reviewed by Sam Weinig.
        
        Add a reusable binary switch creator.
        
        Implement switch on string using three modes:
        
        - Binary switch on StringImpl* in the case of identifiers.
        
        - Trie of binary switches on characters in the case of a not-too-big
          switch over not-too-big 8-bit strings.
        
        - Hash lookup if all else fails.
        
        Anywhere from a 2x to 3x speed-up on microbenchmarks that stress
        string switches. 25-35% speed-up on HashMap tests. 4% speed-up on
        pdfjs.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/JumpTable.h:
        (StringJumpTable):
        (JSC::StringJumpTable::clear):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGBinarySwitch.cpp: Added.
        (DFG):
        (JSC::DFG::BinarySwitch::BinarySwitch):
        (JSC::DFG::BinarySwitch::advance):
        (JSC::DFG::BinarySwitch::build):
        * dfg/DFGBinarySwitch.h: Added.
        (DFG):
        (BinarySwitch):
        (JSC::DFG::BinarySwitch::caseIndex):
        (JSC::DFG::BinarySwitch::caseValue):
        (JSC::DFG::BinarySwitch::fallThrough):
        (JSC::DFG::BinarySwitch::Case::Case):
        (Case):
        (JSC::DFG::BinarySwitch::Case::operator<):
        (JSC::DFG::BinarySwitch::BranchCode::BranchCode):
        (BranchCode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGLazyJSValue.cpp:
        (JSC::DFG::LazyJSValue::getValue):
        (JSC::DFG::equalToStringImpl):
        (DFG):
        (JSC::DFG::LazyJSValue::strictEqual):
        (JSC::DFG::LazyJSValue::dump):
        * dfg/DFGLazyJSValue.h:
        (JSC::DFG::LazyJSValue::knownStringImpl):
        (LazyJSValue):
        (JSC::DFG::LazyJSValue::stringImpl):
        (JSC::DFG::LazyJSValue::switchLookupValue):
        * dfg/DFGNode.cpp:
        (WTF::printInternal):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<):
        (DFG):
        (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
        (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::emitSwitch):
        (JSC::DFG::SpeculativeJIT::addBranch):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::branch8):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
        (StringSwitchCase):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        * runtime/Options.h:
        (JSC):

2013-06-24  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Count external memory usage towards heap footprint
        https://bugs.webkit.org/show_bug.cgi?id=117948

        Reviewed by Geoffrey Garen.

        Currently just count strings. Strings get counted in such a way that we won't re-count strings
        that are aliased, by dividing by the reference count. This then ups the GC footprint and allows
        the collector to appropriately amortize itself.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::size):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryUsage):
        (JSC):
        * runtime/JSString.cpp:
        (JSC::JSString::visitChildren):

2013-06-23  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should optimize identifier string equality
        https://bugs.webkit.org/show_bug.cgi?id=117920

        Reviewed by Sam Weinig.
        
        This is a 20% speed-up for string equality comparisons when both strings are
        identifiers.
        
        This is important for two reasons:
        
        1) Using strings as enumerations is an idiom. A great example is typeof. It
           would be great if this performed better.
        
        2) When I implement switch_string in the DFG, it would be great to optimize
           the case where the switched-on value is an identifier. That would involve
           a simple binary switch rather than a more complicated trie-switch over
           characters.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromCell):
        * bytecode/SpeculatedType.h:
        (JSC):
        (JSC::isStringIdentSpeculation):
        (JSC::isStringSpeculation):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateStringIdent):
        (Node):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
        (DFG):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculateStringIdent):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::isCell):

2013-06-22  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds
        https://bugs.webkit.org/show_bug.cgi?id=117906

        Reviewed by Mark Hahnenberg.
        
        This does the obvious thing, but also makes sure that out-of-bounds accesses
        don't fall off into a C call, but try to do the fast thing if the prototype
        chain is sane. We ought to probably do this for other array accesses in the
        future, as well, since it's so darn easy.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::objectPrototypeIsSane):
        (JSC):
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):

2013-06-22  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: GC's put_by_id transition fixpoint should converge more quickly
        https://bugs.webkit.org/show_bug.cgi?id=117912

        Reviewed by Mark Hahnenberg.

        This was a rookie mistake. The GC does a classic forward data flow fixpoint. These work well so long as you
        iterate the program in program order, or at least something close to program order. Because I enjoy reverse
        loops ("while (n--) blah"), I ended up iterating in *reverse* of program order which ensured worst-case
        pathologies every single time. And unsurprisingly, this slowed down a program, namely pdfjs.

        Flipping the loops to iterate forward fixes a 90% regression in Octane/pdfjs and is otherwise neutral.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::propagateTransitions):

2013-06-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should CSE MakeRope
        https://bugs.webkit.org/show_bug.cgi?id=117905

        Reviewed by Geoffrey Garen.
        
        Adds MakeRope to the CSE phase and removes the comment that says that
        we could do it but aren't doing it.
        
        Also fixed SpeculatedType dumping so that if you have a Cell type then
        it just prints "Cell" and if you just have Object then it just prints
        "Object", instead of printing the long list of types.

        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):

2013-06-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should't exit just because it GetByVal'd a big character
        https://bugs.webkit.org/show_bug.cgi?id=117899

        Reviewed by Mark Hahnenberg.
        
        Add a slow path. Also clarify handling of GetByVal in PutStructure elimination.
        Previously it would fail due to canExit() but now we can also fail because
        GetByVal(String) can allocate. Just make it so GetByVal is totally poisoned, in
        a very explicit way.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):

2013-06-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Small strings shouldn't get GC'd
        https://bugs.webkit.org/show_bug.cgi?id=117897

        Reviewed by Mark Hahnenberg.
        
        Kill off the code needed to allocate them lazily and finalize them.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * runtime/JSString.h:
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring8):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        * runtime/NumberPrototype.cpp:
        (JSC::integerValueToString):
        * runtime/SmallStrings.cpp:
        (JSC):
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::visitStrongReferences):
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::singleCharacterString):
        (SmallStrings):

2013-06-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure should have a dump()
        https://bugs.webkit.org/show_bug.cgi?id=117859

        Reviewed by Geoffrey Garen.
        
        This is pretty cool. Anywhere we previously printed Structure pointers in dumps,
        we now print a bunch of other info as well. For example, for an object literal
        like "{f:42, g:64, h:24}", when we print the structure we'll now get:

            0x107a0af80:[Object, {f:0, g:1, h:2}, NonArray, Proto:0x107a8fff0]
        
        This also changes a bunch of places to use the dump method.

        * bytecode/StructureSet.h:
        (JSC::StructureSet::dump):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGStructureAbstractValue.h:
        (JSC::DFG::StructureAbstractValue::dump):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dump):
        * runtime/Structure.cpp:
        (JSC::Structure::dump):
        (JSC):
        * runtime/Structure.h:
        (Structure):

2013-06-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: There should only be one table of SimpleJumpTables
        https://bugs.webkit.org/show_bug.cgi?id=117856

        Reviewed by Geoffrey Garen.
        
        Having multiple tables of SimpleJumpTables just means we have to duplicate a
        ton of code. This patch deduplicates all of it.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfSwitchJumpTables):
        (JSC::CodeBlock::addSwitchJumpTable):
        (JSC::CodeBlock::switchJumpTable):
        (JSC::CodeBlock::clearSwitchJumpTables):
        (RareData):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC):
        (JSC::computePreciseJumpTargets):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables):
        (JSC::UnlinkedCodeBlock::addSwitchJumpTable):
        (JSC::UnlinkedCodeBlock::switchJumpTable):
        (RareData):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC):
        (JSC::prepareJumpTableForSwitch):
        (JSC::BytecodeGenerator::endSwitch):
        * dfg/DFGByteCodeParser.cpp:
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (DFG):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-06-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should clear character switch jump tables
        https://bugs.webkit.org/show_bug.cgi?id=117852

        Reviewed by Sam Weinig.
        
        The FTL just uses LLVM's switch, which results in LLVM allocating its own switch
        jump tables as needed.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearCharacterSwitchJumpTables):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):

2013-06-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support SwitchChar
        https://bugs.webkit.org/show_bug.cgi?id=117849

        Reviewed by Geoffrey Garen.
        
        This adds Switch(SwitchChar) to the FTL and also implicitly does some other things.
        SwitchChar requires calling a slow path to resolve ropes. Previously the FTL had no
        support for calling slow paths, and we avoided adding coverage that would require
        that. Well, this patch adds the ability to call slow paths and just uses that for
        resolving ropes for SwitchChar. Also SwitchChar required adding awareness of strings,
        so I did that, too.

        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::addCodeOrigin):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.cpp:
        (WTF):
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (WTF):
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::int16Type):
        (JSC::FTL::constInt):
        * ftl/FTLAbstractHeapRepository.h:
        (FTL):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        * ftl/FTLCommonValues.h:
        (CommonValues):
        * ftl/FTLIntrinsicRepository.cpp:
        (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
        (FTL):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        (IntrinsicRepository):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
        (JSC::FTL::LowerDFGToLLVM::compileJump):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (JSC::FTL::LowerDFGToLLVM::buildSwitch):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lowString):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isNotString):
        (JSC::FTL::LowerDFGToLLVM::isString):
        (JSC::FTL::LowerDFGToLLVM::isNotObject):
        (JSC::FTL::LowerDFGToLLVM::speculateObject):
        (JSC::FTL::LowerDFGToLLVM::speculateString):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        (JSC::FTL::LowerDFGToLLVM::vmCall):
        (JSC::FTL::LowerDFGToLLVM::callPreflight):
        (JSC::FTL::LowerDFGToLLVM::callCheck):
        (JSC::FTL::LowerDFGToLLVM::lowBlock):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::constBool):
        (JSC::FTL::Output::constInt8):
        (JSC::FTL::Output::constInt32):
        (JSC::FTL::Output::constIntPtr):
        (JSC::FTL::Output::constInt64):
        (JSC::FTL::Output::load16):
        (JSC::FTL::Output::isNull):
        (JSC::FTL::Output::notNull):
        (JSC::FTL::Output::testIsZero32):
        (JSC::FTL::Output::testNonZero32):
        (Output):
        (JSC::FTL::Output::operation):
        (JSC::FTL::Output::crash):

2013-06-18  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should have switch_char
        https://bugs.webkit.org/show_bug.cgi?id=117710

        Reviewed by Michael Saboff.
        
        Add op_switch_char. Most of this is fairly simple, except for the whole
        LazyJSValue thing.
        
        It's long been the case that anytime you wanted the DFG to speak of a string
        that didn't appear in the constant pool, you would have a hard time since
        the DFG isn't allowed to allocate in the GC heap. For example, if you know
        that you want to speak of a single character string, you might find that
        the one you wanted to speak of had been GC'd. Another example is if you
        wanted to add constant folding for string concatenation - something we don't
        have yet but will want eventually.
        
        I solve this by finally adding the notion of LazyJSValue. In the future I
        anticipate using this for a variety of string-related things. The idea here
        is that the DFG can either say that it already knows what the value is, or
        it can describe the value. For example, in this patch I needed to be able to
        describe single-character strings.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/JumpTable.h:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueRegs::payloadGPR):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jumpTable):
        (DFG):
        (JSC::DFG::JITCompiler::numberOfJumpTables):
        (JSC::DFG::JITCompiler::linkSwitches):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * dfg/DFGLazyJSValue.cpp: Added.
        (DFG):
        (JSC::DFG::LazyJSValue::getValue):
        (JSC::DFG::equalToSingleCharacter):
        (JSC::DFG::LazyJSValue::strictEqual):
        (JSC::DFG::LazyJSValue::dump):
        * dfg/DFGLazyJSValue.h: Added.
        (DFG):
        (LazyJSValue):
        (JSC::DFG::LazyJSValue::LazyJSValue):
        (JSC::DFG::LazyJSValue::singleCharacterString):
        (JSC::DFG::LazyJSValue::tryGetValue):
        (JSC::DFG::LazyJSValue::value):
        (JSC::DFG::LazyJSValue::character):
        (JSC::DFG::LazyJSValue::switchLookupValue):
        * dfg/DFGNode.h:
        (JSC::DFG::SwitchCase::SwitchCase):
        (SwitchCase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
        (DFG):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitch):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-06-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor ObjCCallbackFunction to inherit directly from InternalFunction
        https://bugs.webkit.org/show_bug.cgi?id=117595

        Reviewed by Geoffrey Garen.

        * API/APICallbackFunction.h: Added. New struct that allows JSCallbackFunction and 
        ObjCCallbackFunction to share their host call() implementation through the magic of 
        templates.
        (JSC::APICallbackFunction::call):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::getCallData): Changed to get the template-ized version of 
        the host function.
        * API/JSCallbackFunction.h:
        * API/ObjCCallbackFunction.h: Now inherits directly from InternalFunction.
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::getCallData): Ditto.
        * GNUmakefile.list.am: Build files!
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-06-19  Michael Saboff  <msaboff@apple.com>

        fourthTier: Arity fixup should be done while on same stack
        https://bugs.webkit.org/show_bug.cgi?id=117102

        Reviewed by Oliver Hunt.

        Removed the fixup part of op_call_arityCheck() and op_construct_arityCheck() and moved it to
        a thunk for the JITs and as assembly for the llint.  This patch provides the plumbing needed to
        move to the C stack for JS execution.  The fixup thunk and llint code would need to be change to
        work with a stack that grows down when we do move to the C stack.
        
        Due to an issue with the offline assembler, I moved the const at the top of LowLevelInterpreter64.asm
        and LowLevelInterpreter32_64.asm to LowLevelInterpreter.asm.  The problem is that a const defined in
        one file that are used in a macro doesn't resolve the const if the macro is used in another file.  This
        seemed like the quickest path.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::linkFunction):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * jit/ThunkGenerators.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):

2013-06-19  Michael Saboff  <msaboff@apple.com>

        FTL: arm build is broken in ToT
        https://bugs.webkit.org/show_bug.cgi?id=117800

        Unreviewed build fixes.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler): Merge of r147941
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mod): Moved variable declaration back inside #ifdef where used.

2013-06-17  Michael Saboff  <msaboff@apple.com>

        FTL: Add another temp register regT4 to JSInterfaceJIT
        https://bugs.webkit.org/show_bug.cgi?id=117719

        Reviewed by Geoffrey Garen.

        Made the dedicated bucketCounterRegister to be regT4 and then used regT4 wherever
        bucketCounterRegister had been used.  Since it is masked whenever it is used and
        we are looking for some randomness in the register anyway, we can use it without
        any issues.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITCall.cpp:
        (JSC::JIT::emitPutCallResult):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitPutCallResult):
        * jit/JITInlines.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_get_callee):
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_callee):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emitSlow_op_get_from_scope):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):

2013-06-17  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support Switch
        https://bugs.webkit.org/show_bug.cgi?id=117704

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::clearImmediateSwitchJumpTables):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildFPToSI):
        (JSC::FTL::buildSwitch):
        (JSC::FTL::addCase):
        (FTL):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
        (LowerDFGToLLVM):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::fpToInt):
        (JSC::FTL::Output::fpToInt32):
        (Output):
        (JSC::FTL::Output::switchInstruction):
        * ftl/FTLSwitchCase.h: Added.
        (FTL):
        (SwitchCase):
        (JSC::FTL::SwitchCase::SwitchCase):
        (JSC::FTL::SwitchCase::value):
        (JSC::FTL::SwitchCase::target):

2013-06-15  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Add CFG simplification for Switch
        https://bugs.webkit.org/show_bug.cgi?id=117677

        Reviewed by Mark Hahnenberg.
        
        This is for completeness. It only speeds up a microbenchmark at this point.
        Broadly, we want all control constructs to be known to the CFG simplifier.

        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::convertToJump):
        (CFGSimplificationPhase):
        (JSC::DFG::CFGSimplificationPhase::noBlocks):
        (JSC::DFG::CFGSimplificationPhase::oneBlock):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * runtime/JSCJSValue.h:
        (JSValue):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::pureStrictEqual):
        (JSC):

2013-06-13  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should support op_switch_imm
        https://bugs.webkit.org/show_bug.cgi?id=117559

        Reviewed by Oliver Hunt.
        
        Implement integer (i.e. immediate) switches in the DFG. Reduce the minimum
        threshold for using op_switch.
        
        Also get rid of edge code support, since we haven't used it in the year since
        I introduced it. It was supposed to allow us to break critical edges late in
        the backend, thus enabling global register allocation from an SSA-form graph.
        But we aren't doing that so I figure we should just kill the code for now. It
        would have made implementing switch harder.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::timesPtr):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::dumpWithName):
        (MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::dump):
        (MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::dump):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/JumpTable.h:
        (SimpleJumpTable):
        (JSC::SimpleJumpTable::clear):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::linkBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::determineReachability):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        (JSC::DFG::JITCompiler::blockHeads):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::SwitchCase::SwitchCase):
        (SwitchCase):
        (SwitchData):
        (JSC::DFG::SwitchData::SwitchData):
        (Node):
        (JSC::DFG::Node::isSwitch):
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::switchData):
        (JSC::DFG::Node::numSuccessors):
        (JSC::DFG::Node::successor):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
        (DFG):
        (JSC::DFG::SpeculativeJIT::emitSwitchImm):
        (JSC::DFG::SpeculativeJIT::emitSwitch):
        (JSC::DFG::SpeculativeJIT::linkBranches):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::branchDouble):
        (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
        (JSC::DFG::SpeculativeJIT::branch32):
        (JSC::DFG::SpeculativeJIT::branchTest32):
        (JSC::DFG::SpeculativeJIT::branch64):
        (JSC::DFG::SpeculativeJIT::branchPtr):
        (JSC::DFG::SpeculativeJIT::branchTestPtr):
        (JSC::DFG::SpeculativeJIT::branchTest8):
        (JSC::DFG::SpeculativeJIT::jump):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * parser/Nodes.h:
        (CaseBlockNode):

2013-06-15  Filip Pizlo  <fpizlo@apple.com>

        Concurrent JIT shouldn't try to recompute the CodeBlockHash as part of debug dumps, since doing so may fail if dealing with a CachedScript that doesn't have its script string handy
        https://bugs.webkit.org/show_bug.cgi?id=117676

        Reviewed by Sam Weinig.

        CodeBlock now caches m_hash, and the DFG Driver will force its computation if we're doing debug dumps of any kind.
        
        Also made sure that CodeBlock::CodeBlock initializes all of its fields; it was previously missing the
        initialization of m_capabilityLevelState.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hash):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::CodeBlockHash):
        * bytecode/CodeBlockHash.h:
        (CodeBlockHash):
        (JSC::CodeBlockHash::isSet):
        (JSC::CodeBlockHash::operator!):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):

2013-06-11  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should support op_in and it should use patching to make it fast
        https://bugs.webkit.org/show_bug.cgi?id=117385

        Reviewed by Geoffrey Garen.
        
        Implement op_in in the DFG and give it patching. The code we generate is just
        a jump on the hot path, and the slow paths generate stubs and link the jump to
        them. I didn't want to bother with patching structures and load offsets and
        the like, although I probably could have.
        
        This is a ginormous speed-up on microbenchmarks for "in", obviously.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        (JSC::CodeBlock::resetStubInternal):
        (JSC::structureStubInfoLessThan):
        (JSC):
        (JSC::CodeBlock::sortStructureStubInfos):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isInAccess):
        (JSC):
        (StructureStubInfo):
        (JSC::StructureStubInfo::initInList):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCCallHelpers.h:
        (JSC::DFG::CCallHelpers::setupResults):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::JSValueRegs::payloadOnly):
        (JSValueRegs):
        (JSC::DFG::JSValueRegs::JSValueRegs):
        (JSC::DFG::JSValueRegs::operator!):
        (JSC::DFG::JSValueSource::operator!):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::InRecord::InRecord):
        (InRecord):
        (DFG):
        (JITCompiler):
        (JSC::DFG::JITCompiler::addIn):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryRepatchIn):
        (DFG):
        (JSC::DFG::dfgRepatchIn):
        (JSC::DFG::dfgResetIn):
        * dfg/DFGRepatch.h:
        (DFG):
        (JSC::DFG::dfgResetIn):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
        (JSC::DFG::CallSlowPathGenerator::tearDown):
        (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::generateInternal):
        (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::generateInternal):
        (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::generateInternal):
        (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::generateInternal):
        (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::generateInternal):
        (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::generateInternal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::extractResult):
        (DFG):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
        (JSC::DFG::SpeculativeJIT::appendCallSetResult):
        (JSC::DFG::JSValueOperand::tagGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dump):
        * runtime/JSString.h:
        (JSString):
        (JSC::JSString::tryGetValueImpl):
        (JSC):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess):

2013-06-12  Geoffrey Garen  <ggaren@apple.com>

        The Math object should not be polymorphic
        https://bugs.webkit.org/show_bug.cgi?id=117576

        Reviewed by Oliver Hunt.

        Fill in the Math object eagerly, to avoid its structure changing during
        execution. There are lots of ways to skin this cat; this one seemed
        easiest, and justified given the relative hotness of math operations.

        20% speedup on DSP-filtrr tests, small speedups on a few Kraken tests.

        * DerivedSources.make:
        * JavaScriptCore.order:
        * create_hash_table:
        * interpreter/CallFrame.h:
        (JSC::ExecState::jsonTable): Removed the Math object's static table.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNativeFunctionWithoutTransition):
        * runtime/JSObject.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        (JSC::MathObject::create): Set up the Math object at construction time.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h: Removed the Math object's static table.

2013-06-09  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolled back in http://trac.webkit.org/changeset/151342.

        I filled in the missing return register loads, and tests
        seem to pass now.

                2013-06-07  Michael Saboff  <msaboff@apple.com>

                        fourthTier: The baseline jit and LLint should use common slow paths
                        https://bugs.webkit.org/show_bug.cgi?id=116889

2013-06-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/151342
        It broke Kraken crypto tests in debug build. That results in a pretty bad
        loss of test coverage.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JIT.cpp:
        (JSC):
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitSlow_op_rshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emitSlow_op_mod):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::compileBinaryArithOpSlowCase):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emitSlow_op_div):
        (JSC::JIT::emitSlow_op_sub):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitSlow_op_sub):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emitSlow_op_div):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITExceptions.cpp:
        (JSC):
        (JSC::genericThrow):
        * jit/JITExceptions.h:
        (ExceptionHandler):
        (JSC):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC):
        * jit/JITStubs.h:
        (JSC):
        * jit/JITStubsARM.h:
        (JSC):
        * jit/JITStubsARMv7.h:
        (JSC):
        * jit/JITStubsMIPS.h:
        (JSC):
        * jit/JITStubsSH4.h:
        (JSC):
        * jit/JITStubsX86.h:
        (JSC):
        * jit/JITStubsX86_64.h:
        (JSC):
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):
        * jit/SlowPathCall.h: Removed.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        (SlowPathReturnType):
        (JSC::LLInt::encodeResult):
        (JSC::LLInt::decodeResult):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp: Removed.
        * runtime/CommonSlowPaths.h:
        * runtime/JSCJSValue.h:
        (JSValue):

2013-06-07  Michael Saboff  <msaboff@apple.com>

        fourthTier: The baseline jit and LLint should use common slow paths
        https://bugs.webkit.org/show_bug.cgi?id=116889

        Reviewed by Filip Pizlo.

        Moved the llint_slow_paths that return JSValue along with several others to CommonSlowPaths.cpp.
        Eliminated the related JIT stubs.  Changes the baseline JIT to call these new common stubs.
        Added a simple slow path call class that uses argument registers or the stack instead of
        JITStackFrame.  Changes the exception mechanism for to check for an exception after making
        a slowpath call instead of returning to the handler directly form the slowpath function.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitSlow_op_rshift):
        (JSC::JIT::emitSlow_op_urshift):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emitSlow_op_mod):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::compileBinaryArithOpSlowCase):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emitSlow_op_div):
        (JSC::JIT::emitSlow_op_sub):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_negate):
        (JSC::JIT::emitSlow_op_lshift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emitSlow_op_bitand):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_inc):
        (JSC::JIT::emitSlow_op_dec):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        (JSC::JIT::emitSlow_op_sub):
        (JSC::JIT::emitSlow_op_mul):
        (JSC::JIT::emitSlow_op_div):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITExceptions.cpp:
        (JSC::getExceptionLocation):
        (JSC::genericThrow):
        (JSC::jitThrowNew):
        * jit/JITExceptions.h:
        (ExceptionHandler):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_bitxor):
        (JSC::JIT::emitSlow_op_bitor):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emitSlow_op_to_primitive):
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emitSlow_op_not):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):
        (JSC::JIT::emitSlow_op_to_number):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_create_this):
        (JSC::JIT::emitSlow_op_to_this):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::cti_vm_throw_slowpath):
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/JSInterfaceJIT.h:
        (JSInterfaceJIT):
        * jit/SlowPathCall.h: Added.
        (JITSlowPathCall):
        (JSC::JITSlowPathCall::JITSlowPathCall):
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator):
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp: Added.
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        (SlowPathReturnType):
        (JSC::encodeResult):
        (JSC::decodeResult):
        * runtime/JSCJSValue.h:
        (JSValue):

2013-06-11  Geoffrey Garen  <ggaren@apple.com>

        Rolled back in <http://trac.webkit.org/changeset/151363>.

        Rubber stamped by Phil Pizlo.

        The ASSERTs were due to the bytecode parser performing a
        StructureTransitionWatchpoint optimization in a case where the CFA
        wouldn't because the CFA could prove that the watchpoint would contradict
        a preceding CheckStructure.

        I fixed this by removing the bytecode parser optimization: now, we fully
        rely on CFA and constant folding to optimize structure checks when
        possible.

        I verified that there's no performance change vs doing the optimization
        in the bytecode parser. (The optimization is very simple, so this is not
        surprising.)

2013-06-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        isContravenedByStructure is backwards
        https://bugs.webkit.org/show_bug.cgi?id=117366

        We should be checking if arrayModeForStructure(structure) is a 
        subset of arrayModesThatPassFiltering(), not the other way around.
        Also renamed isContravenedByStructure to better reflect what the 
        function is trying to determine.

        Rubber stamped by Filip Pizlo.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode):
        (JSC::DFG::ArrayTypeCheck::isContravenedByValue):

2013-06-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        isContravenedByStructure is backwards
        https://bugs.webkit.org/show_bug.cgi?id=117366

        We should be checking if arrayModeForStructure(structure) is a 
        subset of arrayModesThatPassFiltering(), not the other way around.
        Also renamed isContravenedByStructure to better reflect what the 
        function is trying to determine.

        Rubber stamped by Filip Pizlo.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode):
        (JSC::DFG::ArrayTypeCheck::isContravenedByValue):

2013-06-11  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Type check hoisting phase has a dead if statement
        https://bugs.webkit.org/show_bug.cgi?id=117510

        Reviewed by Geoffrey Garen.

        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):

2013-06-10  Mark Lam  <mark.lam@apple.com>

        Introducing the StackIterator class.
        https://bugs.webkit.org/show_bug.cgi?id=117390.

        Reviewed by Geoffrey Garen.

        The StackIterator class is meant to unify the way we iterate the JS
        stack. It also makes it so that we don't have to copy the frame data
        into the intermediate StackFrame struct before processing it.
        Unfortunately we still can't get rid of StackFrame because it is used
        to record frame information for the Exception stack that is expected
        to persist beyond when the frames have been popped off the JS stack.

        The StackIterator will iterate over all "logical" frames (i.e. including
        inlined frames). As it iterates the JS stack, if it encounters a DFG
        frame that has inlined frames, the iterator will canonicalize the
        inlined frames before returning. Once canonicalized, the frame can be
        read like any other frame.

        The StackIterator implements a Frame class that inherits from CallFrame.
        The StackIterator::Frame serves as reader of the CallFrame that makes
        it easier to access information about the frame. The StackIterator::Frame
        only adds functions, and no additional data fields.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::begin):
        (JSC::CallFrame::beginAt):
        * interpreter/CallFrame.h:
        (JSC::ExecState::setInlineCallFrame):
        (ExecState):
        (JSC::ExecState::end):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::unwindCallFrame):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::throwException):
        (JSC::Interpreter::debug):
        * interpreter/Interpreter.h:
        (Interpreter):
        * interpreter/StackIterator.cpp: Added.
        (JSC::StackIterator::StackIterator):
        (JSC::StackIterator::beginAt):
        (JSC::StackIterator::gotoNextFrame):
        - Based on the deleted Interpreter::findFunctionCallFrameFromVMCode().
        (JSC::StackIterator::findFrameForFunction):
        - Based on the deleted Interpreter::retrieveCallerFromVMCode().
        (JSC::StackIterator::Frame::codeType):
        - Based on the deleted getStackFrameCodeType().
        (JSC::StackIterator::Frame::functionName):
        - Based on StackFrame::friendlyFunctionName().
        (JSC::StackIterator::Frame::sourceURL):
        - Based on StackFrame::friendlySourceURL().
        (JSC::StackIterator::Frame::toString):
        - Based on StackFrame::toString().
        (JSC::StackIterator::Frame::bytecodeOffset):
        (JSC::StackIterator::Frame::line):
        - Based on StackFrame::line().
        (JSC::StackIterator::Frame::column):
        - Based on StackFrame::column().
        (JSC::StackIterator::Frame::arguments):
        - Based on the deleted Interpreter::retrieveArgumentsFromVMCode().
        (JSC::StackIterator::Frame::retrieveExpressionInfo):
        - Based on StackFrame::expressionInfo().
        (JSC::StackIterator::Frame::logicalFrame):
        - Based on the now deleted CallFrame::trueCallFrame().
        (JSC::StackIterator::Frame::logicalCallerFrame):
        - Based on the now deleted CallFrame::trueCallerFrame().
        (JSC::jitTypeName):
        (JSC::printIndents):
        (JSC::printif):
        (JSC::StackIterator::Frame::print):
        (debugPrintCallFrame):
        - Prints the contents of the frame for debugging purposes.
          There are 2 versions that can be used as follows:

          1. When you have a valid StackIterator, you can print
             the current frame's content using the print instance
             method:
                 iter->print(indentLevel);

          2. When you have a CallFrame* that you want to dump from a debugger
             console, you can print its content as follows:
                 (gdb) call debugPrintCallFrame(callFrame)

          A sample of the output looks like this:

              frame 0x1510c70b0 {
                 name 'shouldBe'
                 sourceURL 'testapi.js'
                 hostFlag 0
                 isInlinedFrame 0
                 callee 0x15154efb0
                 returnPC 0x10ed0786d
                 callerFrame 0x1510c7058
                 logicalCallerFrame 0x1510c7058
                 rawLocationBits 27 0x1b
                 codeBlock 0x7fe79b037200
                    bytecodeOffset 27 0x1b / 210
                    line 46
                    column 20
                    jitType 3 <BaselineJIT> isOptimizingJIT 0
                    hasCodeOrigins 0
              }

        * interpreter/StackIterator.h: Added.
        (StackIterator::Frame):
        (JSC::StackIterator::Frame::create):
        (JSC::StackIterator::Frame::isJSFrame):
        (JSC::StackIterator::Frame::callFrame):
        * interpreter/StackIteratorPrivate.h: Added.
        (StackIterator):
        (JSC::StackIterator::operator*):
        (JSC::StackIterator::operator->):
        (JSC::StackIterator::operator==):
        (JSC::StackIterator::operator!=):
        (JSC::StackIterator::operator++):
        (JSC::StackIterator::end):
        (JSC::StackIterator::empty):
        * jsc.cpp:
        (functionJSCStack):
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * profiler/ProfileNode.h:
        (ProfileNode):
        * runtime/JSFunction.cpp:
        (JSC::retrieveArguments):
        (JSC::JSFunction::argumentsGetter):
        (JSC::skipOverBoundFunctions):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::getOwnPropertyDescriptor):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
        * runtime/Operations.h:

2013-06-09  Filip Pizlo  <fpizlo@apple.com>

        Marge trunk r146653.

    2013-03-22  Filip Pizlo  <fpizlo@apple.com>
    
            DFG folding of PutById to SimpleReplace should consider the specialized function case
            https://bugs.webkit.org/show_bug.cgi?id=113093
    
            Reviewed by Geoffrey Garen and Mark Hahnenberg.
    
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFor):
    
2013-06-09  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG GetById patching shouldn't distinguish between self lists and proto lists
        https://bugs.webkit.org/show_bug.cgi?id=117377

        Reviewed by Geoffrey Garen.
        
        Previously if you did self accesses and then wanted to do a prototype access, you'd
        have a bad time: the prototype accesses would be forced to take slow path because
        the self list wouldn't allow prototype accesses. Likewise if you did prototype (or
        chain) accesses and then wanted to do a self access, similar stupidity would ensue.
        
        This fixes the stupidity.

        I believe that this was introduced way back in the days of the old interpreter,
        where distinguishing between self lists, proto lists, and chain lists was meaningful
        for interpreter performance: it meant fewer branches to evaluate those lists. Then
        it got mostly carried over to the old JIT since the old JIT was just initially an
        optimized version of the old interpreter, and then later it got carried over to the
        DFG because I didn't know any better at the time. Now I do know better and I'm
        fixing it.

        * bytecode/PolymorphicAccessStructureList.h:
        (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::initGetByIdSelfList):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::getPolymorphicStructureList):
        (DFG):
        (JSC::DFG::patchJumpToGetByIdStub):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::dfgBuildGetByIDList):

2013-06-09  Mark Lam  <mark.lam@apple.com>

        Fix broken no-DFG build.
        https://bugs.webkit.org/show_bug.cgi?id=117381.

        Reviewed by Geoffrey Garen.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * dfg/DFGCapabilities.h:
        * dfg/DFGDriver.h:
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGJITCode.cpp:
        * dfg/DFGRepatch.h:
        (JSC::DFG::dfgResetGetByID):
        (JSC::DFG::dfgResetPutByID):
        * heap/DFGCodeBlocks.cpp:
        (JSC::DFGCodeBlocks::jettison):
        * interpreter/CallFrame.h:
        (ExecState):
        (JSC::ExecState::trueCallFrame):
        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        * runtime/Executable.cpp:
        * runtime/Executable.h:
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        * runtime/ExecutionHarness.h:
        * runtime/VM.cpp:
        (JSC::VM::~VM):

2013-06-08  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Recursive deadlock in DFG::ByteCodeParser
        https://bugs.webkit.org/show_bug.cgi?id=117376

        Reviewed by Mark Hahnenberg.
        
        Leave the lock early to prevent a deadlock beneath get().

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2013-06-08  Mark Lam  <mark.lam@apple.com>

        Removed bogus assertion in CallFrame::setLocationAsBytecodeOffset().
        https://bugs.webkit.org/show_bug.cgi?id=117373.

        Reviewed by Oliver Hunt.

        The assertion wrongly assumes that the incoming offset argument is in
        units of bytes. This is not true. It is in units of Instruction*. Hence,
        the assertion which checks for the low 2 bits to be clear can fail.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::setLocationAsBytecodeOffset):

2013-06-07  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: don't insert ForceOSRExits except for inadequate coverage
        https://bugs.webkit.org/show_bug.cgi?id=117363

        Reviewed by Mark Hahnenberg.
        
        Previously (in http://trac.webkit.org/changeset/151303) I made it so that we
        inserted ForceOSRExits more eagerly.  I now think it's better to have
        contradictions execute normally and exit with full OSR exit profiling.  It's
        better at catching the few cases where the DFG will end up with different
        types than the baseline engines.
        
        This simplifies a bunch of code. For example it gets rid of
        ConstantFoldingPhase::paintUnreachableCode().
        
        You can think of this as a partial roll-out of r151303, except that it uses
        the facilities introduced by that patch to give us run-time assertions that
        check the CFA's correctness: if the CFA thought that something was a
        contradiction but the code didn't exit, we'll now trap.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::startExecuting):
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::filter):
        (JSC::DFG::AbstractState::filterArrayModes):
        (JSC::DFG::AbstractState::filterByValue):
        (DFG):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        (JSC::DFG::AbstractState::filter):
        (JSC::DFG::AbstractState::filterArrayModes):
        (JSC::DFG::AbstractState::filterByValue):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::run):
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (ConstantFoldingPhase):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2013-06-07  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix release build.

        * ftl/FTLLink.cpp:

2013-06-06  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Reenable the DFG optimization fixpoint now that it's profitable to do so with concurrent compilation
        https://bugs.webkit.org/show_bug.cgi?id=117331

        Rubber stamped by Sam Weinig.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2013-06-05  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG CFA should know when it hits a contradiction
        https://bugs.webkit.org/show_bug.cgi?id=117272

        Reviewed by Oliver Hunt.
        
        This makes the DFG CFA immediately detect when it hit a contradiction. Previously
        we might not know this: for example if we did an int32 type check on a known string;
        the code would definitely always exit but the CFA would think that we wouldn't have
        even though it would have computed a BOTTOM (i.e. contradictory) value for that
        variable.
        
        This requires two other changes:
        
        - CFA must report contradictions as if they are frequent exit sites, since
          contradictory speculations will subsequently get replaced with ForceOSRExit.
          ForceOSRExit cannot itself report profiling data back to the DFG::ExitProfile. So,
          we do this on behalf of the speculation, eagerly, within the CFA. This also has
          the effect of speeding convergence somewhat. We may want to revisit this later;
          for example we might want to instead have the notion of a ForceOSRExit that knows
          the set of speculations that got folded into it.
        
        - This revealed a bug where the CFA was modeling CheckStructure on a node that had
          a known singleton m_futurePossibleStructure set somewhat differently than the
          constant folder. If the CheckStructure was checking a structure set with two or
          more structures in it, it would not filter the abstract value. But the constant
          folder would turn this into a watchpoint on the singleton structure, thereby
          filtering the value. This discrepancy meant that we wouldn't realize the
          contradiction until the backend, and the AbstractState::bail() method asserts that
          we always realize contradictions in the constant folder.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::hasExitSite):
        (CodeBlock):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::add):
        (JSC::DFG::ExitProfile::hasExitSite):
        (JSC::DFG::QueryableExitProfile::QueryableExitProfile):
        (JSC::DFG::QueryableExitProfile::~QueryableExitProfile):
        (DFG):
        (JSC::DFG::QueryableExitProfile::initialize):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::FrequentExitSite::FrequentExitSite):
        (ExitProfile):
        (JSC::DFG::ExitProfile::hasExitSite):
        (QueryableExitProfile):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::AbstractState):
        (JSC::DFG::AbstractState::beginBasicBlock):
        (JSC::DFG::AbstractState::reset):
        (JSC::DFG::AbstractState::startExecuting):
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::filter):
        (DFG):
        (JSC::DFG::AbstractState::filterArrayModes):
        (JSC::DFG::AbstractState::filterByValue):
        (JSC::DFG::AbstractState::bail):
        * dfg/DFGAbstractState.h:
        (AbstractState):
        (JSC::DFG::AbstractState::filter):
        (JSC::DFG::AbstractState::filterArrayModes):
        (JSC::DFG::AbstractState::filterByValue):
        (JSC::DFG::AbstractState::filterByType):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::filterArrayModes):
        (DFG):
        (JSC::DFG::AbstractValue::filterByValue):
        (JSC::DFG::AbstractValue::normalizeClarity):
        * dfg/DFGAbstractValue.h:
        (AbstractValue):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        (JSC::DFG::capabilityLevel):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (ConstantFoldingPhase):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        * dfg/DFGFiltrationResult.h: Added.
        (DFG):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::bail):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):

2013-06-07  Mark Lam  <mark.lam@apple.com>

        32-bit CallFrame::Location should use Instruction* for BytecodeLocation, not bytecodeOffset.
        https://bugs.webkit.org/show_bug.cgi?id=117327.

        Reviewed by Michael Saboff.

        - Renamed CallFrame::Location's Type to TypeTag.
        - Made the CallFrame::Location::TypeTag private, and provided type
          specific encoder functions. This reduces verbosity in client code.
        - Fixed the DFG's reifyInlinedCallFrames() on 32-bit ports to store a
          bytecode Instruction* in the CallFrame location instead of a bytecode
          offset.
        - Fixed places in JIT and FTL code which populate the CallFrame location
          (i.e. ArgumentCount tag) to use a Location encoder instead of storing
          the bytecodeOffset directly. This doesn't make any semantic difference,
          but it does assert that the stored value does not have bits where we
          would expect Location TypeTags to be.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::beginCall):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::setLocationAsBytecodeOffset):
        * interpreter/CallFrame.h:
        (Location):
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::Location::encodeAsBytecodeOffset):
        (JSC::CallFrame::Location::encodeAsBytecodeInstruction):
        (JSC::CallFrame::Location::encodeAsCodeOriginIndex):
        (JSC::CallFrame::Location::encodeAsInlinedCode):
        (JSC::CallFrame::Location::isBytecodeLocation):
        (JSC::CallFrame::setIsInlinedFrame):
        (JSC::CallFrame::hasLocationAsBytecodeOffset):
        (JSC::CallFrame::setLocationAsBytecodeOffset):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::updateTopCallFrame):

2013-06-06  Mark Lam  <mark.lam@apple.com>

        Encode CallFrame::Location flags in the low bits when USE(JSVALUE32_64).
        https://bugs.webkit.org/show_bug.cgi?id=117312.

        Reviewed by Michael Saboff.

        For USE(JSVALUE32_64), we store the location flags in the low 2 bits of
        the word because we need the high bits for address bits.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::setLocationAsBytecodeOffset):
        * interpreter/CallFrame.h:
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::Location::encode):
        (JSC::CallFrame::Location::decode):
        (JSC::CallFrame::Location::isCodeOriginIndex):
        (JSC::CallFrame::Location::isInlinedCode):

2013-06-06  Mark Lam  <mark.lam@apple.com>

        CallFrame::trueCallFrame() should populate the bytecodeOffset field
        when reifying inlined frames..
        https://bugs.webkit.org/show_bug.cgi?id=117209.

        Reviewed by Geoffrey Garen.

        When reifying an inlined frame, we fill in its CodeBlock, and
        bytecodeOffset. We also set the InlinedFrame bit in the location field.
        This is needed in order to iterate the stack correctly. Here's why:

            Let's say we have the following stack trace:
              X calls A inlines B inlines C calls D

            Based on the above scenario,
            1. D's callerFrame points to A (not C).
            2. A has a codeOriginIndex that points to C.

        When iterating the stack (from D back towards X), we will encounter A
        twice:

            t1. when trying to find C as D's caller.
                This is the time when we reify B and C using the
                codeOriginIndex in A, and return C as the caller frame of D.

            t2. when getting's the reified B's caller.
                This time, we don't run the reification process, and
                just take A as the caller frame of B.

        To discern which treatment of the DFG frame (i.e. A) we need to apply,
        we check if the callee is an inlined frame:

            If callee is NOT an inlined frame (e.g. frame D), apply treatment t1.
            If callee is an inlined frame (e.g. frame B), apply treatment t2.

        Why not just reify A by replacing its codeOriginIndex with A's
        bytecodeOffset?

        We can't do this because D's callerFrame pointer still points to A, and
        needs to remain that way because we did not deopt A. It remains a DFG
        frame which inlined B and C.

        If we replace the codeOriginIndex in A with A's bytecodeOffset, we will
        only get to iterate the stack correctly once. If we try to iterate the
        stack a second time, we will not have the information from the
        codeOriginIndex to tell us that D's caller is actually the inlined C,
        and not A.

        To recap, when reifying frames for stack iteration purposes, the DFG
        frame needs to hold on to its codeOriginIndex. This in turn means the
        DFG frame will need to be treated in 2 possible ways, and we need to
        know if a callee frame is an inlined frame in order to choose the
        correct treatment for the DFG frame.

        Other changes:
        - Simplified Interpreter::getCallerInfo().
        - Removed CodeBlock::codeOriginForReturn() and supporting code
          which is now unneeded.
        - Moved CallFrame location bit encoding from the CodeOrigin to the
          new CallFrame::Location class.
        - Explicitly tagged inlined frames. This is necessary in order to
          iterate the stack correctly as explained above.

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::codeOrigins):
        (CodeBlock):
        (JSC::CodeBlock::codeOrigin):
        (RareData):
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::beginCall):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::trueCallFrame):
        (JSC::CallFrame::trueCallerFrame):
        (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex):
        * interpreter/CallFrame.h:
        (Location):
        (ExecState):
        (JSC::ExecState::trueCallerFrame):
        (JSC::ExecState::callerFrameNoFlags):
        * interpreter/CallFrameInlines.h:
        (JSC::CallFrame::Location::encode):
        (JSC::CallFrame::Location::decode):
        (JSC::CallFrame::Location::isBytecodeOffset):
        (JSC::CallFrame::Location::isCodeOriginIndex):
        (JSC::CallFrame::Location::isInlinedFrame):
        (JSC::CallFrame::isInlinedFrame):
        (JSC::CallFrame::setIsInlinedFrame):
        (JSC::CallFrame::hasLocationAsBytecodeOffset):
        (JSC::CallFrame::hasLocationAsCodeOriginIndex):
        (JSC::CallFrame::locationAsBytecodeOffset):
        (JSC::CallFrame::setLocationAsBytecodeOffset):
        (JSC::CallFrame::locationAsCodeOriginIndex):
        * interpreter/Interpreter.cpp:
        (JSC::getCallerInfo):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::findFunctionCallFrameFromVMCode):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):

2013-06-05  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray
        https://bugs.webkit.org/show_bug.cgi?id=117279

        Reviewed by Mark Hahnenberg.
        
        The normalization of abstract value clarity introduced in r151229 revealed a
        long-standing bug where we filtered ArrayModes incorrectly and sometimes ended
        up with BOTTOM incorrectly.
        
        This patch fixes that bug, and cleans up a bunch of debugging infrastructure
        that I needed to resurrect to track this down.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetStubInternal):
        (JSC::CodeBlock::noticeIncomingCall):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filterArrayModesByType):
        * dfg/DFGCFAPhase.cpp:
        (CFAPhase):
        (JSC::DFG::CFAPhase::run):
        (JSC::DFG::CFAPhase::performBlockCFA):
        (JSC::DFG::CFAPhase::performForwardCFA):
        * runtime/Options.h:
        (JSC):

2013-06-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix release build.

        * interpreter/Interpreter.cpp:
        * jit/JITStubs.cpp:

2013-06-05  Mark Lam  <mark.lam@apple.com>

        Disambiguate between CallFrame bytecodeOffset and codeOriginIndex.
        https://bugs.webkit.org/show_bug.cgi?id=117262.

        Reviewed by Geoffrey Garen.

        When writing to the ArgumentCount tag in CallFrame, we will set the high
        bit if the written value is a codeOriginIndex.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (JSC::CodeOrigin::isHandle):
        (JSC::CodeOrigin::encodeHandle):
        (JSC::CodeOrigin::decodeHandle):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::beginCall):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::locationAsBytecodeOffset):
        (JSC::CallFrame::setLocationAsBytecodeOffset):
        (JSC::CallFrame::currentVPC):
        (JSC::CallFrame::setCurrentVPC):
        (JSC::CallFrame::trueCallFrame):
        * interpreter/CallFrame.h:
        (ExecState):
        (JSC::ExecState::inlineCallFrame):
        * interpreter/CallFrameInlines.h: Added.
        (JSC::CallFrame::hasLocationAsBytecodeOffset):
        (JSC::CallFrame::hasLocationAsCodeOriginIndex):
        (JSC::CallFrame::locationAsRawBits):
        (JSC::CallFrame::setLocationAsRawBits):
        (JSC::CallFrame::locationAsBytecodeOffset):
        (JSC::CallFrame::setLocationAsBytecodeOffset):
        (JSC::CallFrame::locationAsCodeOriginIndex):
        * interpreter/Interpreter.cpp:
        (JSC::getBytecodeOffsetForCallFrame):
        (JSC::getCallerInfo):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-06-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix release build.

        * interpreter/Interpreter.cpp:
        * jit/JITStubs.cpp:

2013-06-04  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Clean up AbstractValue
        https://bugs.webkit.org/show_bug.cgi?id=117217

        Reviewed by Oliver Hunt.
        
        This started as an attempt to make it so that when AbstractValue becomes empty,
        its m_type always becomes SpecNone. I wanted this to happen naturally. That turns
        out to be basically impossible, since AbstractValue is a set that is dynamically
        computed from the intersection of several internal sets: so the value becomes
        empty when any of the sets go empty. It's OK if we're imprecise here because it's
        always safe for the AbstractValue to seem to overapproximate the set of values
        that we see. So I mostly gave up on cleaning up that aspect of AbstractValue. But
        while trying to make this happen, I encountered two bugs:
        
        - filterValueByType() ignores the case when m_type contravenes m_value. Namely,
          we might filter the AbstractValue against a SpeculatedType leading to m_value
          becoming inconsistent with the new m_type. This change fixes that case. This
          wasn't a symptomatic bug but it was a silly oversight.
        
        - filterFuturePossibleStructure() was never right. The one call to this method,
          in filter(Graph&, const StructureSet&), assumed that the previous notions of
          what structures the value could have in the future were still relevant. This
          could lead to a bug where we:
          
          1) CheckStructure(@foo, S1)
          
             Where S1 has a valid watchpoint. Now @foo's abstract value will have current
             and future structure = S1.
          
          2) Clobber the world.
          
             Now @foo's abstract value will have current structure = TOP, and future
             possible structure = S1.
          
          3) CheckStructure(@foo, S2)
          
             Now @foo's abstract value will have current structure = S2 and future
             possible structure = S1 intersect S2 = BOTTOM.
          
          Now we will think that any subsequent watchpoint on @foo is valid because the
          value is effectively BOTTOM. That would only be correct if we had actually set
          a watchpoint on S1. If we had done so, then (3) would only pass (i.e. @foo
          would only have structure S2) if S1's watchpoint fired, in which case (3)
          wouldn't have been reachable. But we didn't actually set a watchpoint on S1:
          we just observed that we *could* have set the watchpoint. Hence future possible
          structure should only be set to either the known structure at compile-time, or
          it should be the structure we just checked; in both cases it should only be set
          if the structure is watchable.
        
        Then, in addition to all of this, I changed AbstractValue's filtering methods to
        call clear() if the AbstractValue is effectively clear. This is just meant to
        simplify the recognition of truly empty AbstractValues, but doesn't actually have
        any other implications.

        * bytecode/StructureSet.h:
        (JSC::StructureSet::dump):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::filter):
        (DFG):
        (JSC::DFG::AbstractValue::filterArrayModes):
        (JSC::DFG::AbstractValue::filterValueByType):
        (JSC::DFG::AbstractValue::filterArrayModesByType):
        (JSC::DFG::AbstractValue::shouldBeClear):
        (JSC::DFG::AbstractValue::normalizeClarity):
        (JSC::DFG::AbstractValue::checkConsistency):
        * dfg/DFGAbstractValue.h:
        (JSC::DFG::AbstractValue::isClear):
        (AbstractValue):

2013-06-04  Mark Lam  <mark.lam@apple.com>

        The DFG JIT should populate frame bytecodeOffsets on OSR exit.
        https://bugs.webkit.org/show_bug.cgi?id=117103.

        Reviewed by Geoffrey Garen.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):

2013-06-03  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: all cached put_by_id transitions, even ones that weren't inlined by the DFG, should be propagated by the GC
        https://bugs.webkit.org/show_bug.cgi?id=117170

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::propagateTransitions):
        (JSC):
        (JSC::CodeBlock::determineLiveness):
        (JSC::CodeBlock::visitWeakReferences):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC):
        (PutByIdAccess):
        (PolymorphicPutByIdList):
        * bytecode/StructureStubInfo.h:
        (StructureStubInfo):
        * jit/JITCode.h:
        (JSC::JITCode::couldBeInterpreted):
        (JITCode):

2013-06-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Get rid of StructureStubInfo::bytecodeIndex
        https://bugs.webkit.org/show_bug.cgi?id=117127

        Reviewed by Mark Hahnenberg.
        
        StructureStubInfo already has a CodeOrigin field, which also has a bytecodeIndex.
        It makes sense to just always use the CodeOrigin.

        * bytecode/StructureStubInfo.h:
        (StructureStubInfo):
        (JSC::getStructureStubInfoBytecodeIndex):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/JIT.h:
        (JSC::JIT::compileGetByIdProto):
        (JSC::JIT::compileGetByIdSelfList):
        (JSC::JIT::compileGetByIdProtoList):
        (JSC::JIT::compileGetByIdChainList):
        (JSC::JIT::compileGetByIdChain):
        (JSC::JIT::compilePutByIdTransition):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):

2013-06-01  Filip Pizlo  <fpizlo@apple.com>

        Fix some minor issues in the DFG's profiling of heap accesses
        https://bugs.webkit.org/show_bug.cgi?id=113010

        Reviewed by Goeffrey Garen.
        
        Carefully merge r146669 from trunk. This required some fiddling since it
        wasn't a clean apply.
        
        Original changelog:

            1) If a CodeBlock gets jettisoned by GC, we should count the exit sites.
    
            2) If a CodeBlock clears a structure stub during GC, it should record this, and
            the DFG should prefer to not inline that access (i.e. treat it as if it had an
            exit site).
    
            3) If a PutById was seen by the baseline JIT, and the JIT attempted to cache it,
            but it chose not to, then assume that it will take slow path.
    
            4) If we frequently exited because of a structure check on a weak constant,
            don't try to inline that access in the future.
    
            5) Treat all exits that were counted as being frequent.
            
            81% speed-up on Octane/gbemu. Small speed-ups elsewhere, and no regressions.
    
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC):
        (JSC::CodeBlock::resetStubDuringGCInternal):
        (JSC::CodeBlock::reoptimize):
        (JSC::CodeBlock::jettison):
        (JSC::ProgramCodeBlock::jettisonImpl):
        (JSC::EvalCodeBlock::jettisonImpl):
        (JSC::FunctionCodeBlock::jettisonImpl):
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::tallyFrequentExitSites):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/StructureStubInfo.h:
        (JSC::StructureStubInfo::StructureStubInfo):
        (StructureStubInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitBase.h:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        (OSRExitBase):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Options.h:
        (JSC):

2013-05-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CodeOrigin::valueProfileOffset since it was only needed for op_call_put_result.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::isSet):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor):

2013-05-31  Filip Pizlo  <fpizlo@apple.com>

        Remove finalDestinationOrIgnored since it isn't called anymore.

        Rubber stamped by Mark Hahnenberg.

        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):

2013-05-31  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: get rid of op_call_put_result
        https://bugs.webkit.org/show_bug.cgi?id=117047

        Reviewed by Gavin Barraclough.
        
        op_call_put_result is an oddball. Its semantics are that it takes the return
        value of a call instruction, which is set aside in regT0/regT1, and places them
        into some stack slot. This is weird since there is an implicit contract with the
        preceding bytecode instruction, and it's even weirder since it means that it
        doesn't make sense to jump to it; for example OSR exit from the preceding call
        instruction must make sure to jump over the op_call_put_result.
        
        So this patch gets rid of op_call_put_result:
        
        - In bytecode, all calls return a value and we always allocate a temporary for
          that value even if it isn't used.
        
        - The LLInt does the return value saving as part of dispatchAfterCall().
        
        - The JIT and DFG do the return value saving as part of normal code generation.
          The DFG already did the right thing.
        
        - DFG->JIT OSR exit in the case of inlining will make the return PC's point at
          the CallLinkInfo::callReturnLocation, rather than the machine PC associated
          with the op_call_put_result instruction.
        
        - Tons of code gets removed. The DFG had to track whether or not a call had a
          return value in a bunch of places. It had to track the fact that we would
          exit to after the op_call_put_result. It was a mess. That mess is now gone.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::NewExprNode::emitBytecode):
        (JSC::FunctionCallValueNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::FunctionCallBracketNode::emitBytecode):
        (JSC::FunctionCallDotNode::emitBytecode):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITCall.cpp:
        (JSC::JIT::emitPutCallResult):
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_call):
        (JSC):
        (JSC::JIT::emit_op_call_eval):
        (JSC::JIT::emit_op_call_varargs):
        (JSC::JIT::emit_op_construct):
        (JSC::JIT::emitSlow_op_call):
        (JSC::JIT::emitSlow_op_call_eval):
        (JSC::JIT::emitSlow_op_call_varargs):
        (JSC::JIT::emitSlow_op_construct):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitPutCallResult):
        (JSC::JIT::compileLoadVarargs):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileCallEvalSlowCase):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOpcodes.cpp:
        (JSC):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::genericCall):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-05-30  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: LLInt shouldn't store an offset call PC during op_call-like calls
        https://bugs.webkit.org/show_bug.cgi?id=117048

        Reviewed by Mark Hahnenberg.
        
        This just makes everything consistent in the LLInt: anytime any op calls out,
        it stores its PC and never the next op's PC.
        
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::bytecodeOffset):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):
        * llint/LLIntExceptions.cpp:
        (JSC::LLInt::interpreterThrowInCaller):
        (JSC::LLInt::returnToThrow):
        (JSC::LLInt::callToThrow):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-05-28  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support ArithAbs
        https://bugs.webkit.org/show_bug.cgi?id=116890

        Reviewed by Oliver Hunt.
        
        Implements ArithAbs in the FTL, and cleans up the DFG implementation. The
        DFG implementation was previously doing zero extensions manually when it
        is probably better to just use StrictInt32Operand instead.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
        (LowerDFGToLLVM):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleAbs):

2013-05-28  Mark Lam  <mark.lam@apple.com>

        Misc JIT probe enhacements.
        https://bugs.webkit.org/show_bug.cgi?id=116586.

        Reviewed by Michael Saboff.

        1. Added JIT probe support for ARMv7 and traditional ARM.
           Built and tested on ARMv7. ARM version not tested nor built. 
        2. Fix the following bugs in the X86 and X86_64 probes:
           a. Cannot assume that the stack pointer is already aligned when
              we push args for the probe. Instead, we ensure the stack
              alignment at runtime when we set up the probe call.
              This is now done in the ctiMasmProbeTrampoline.
           b. On return, the user probe function may have altered the stack
              pointer value to be restored. Previously, if the sp restore value
              points to some of the other register restore values in the
              ProbeContext record, we will fail to return from the probe having
              those user specified value as we're expected to do.
              This is now fixed.
        3. Rearranged the X86/X86_64 registers order to organize them like gdb
           expects on X86_64.
        4. We also now preserve the condition code registers.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        (ARMRegisters):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):
        (JSC::MacroAssemblerARM::ProbeContext::dumpCPURegisters):
        (JSC::MacroAssemblerARM::ProbeContext::dump):
        (JSC::MacroAssemblerARM::probe):
        * assembler/MacroAssemblerARM.h:
        (MacroAssemblerARM):
        (CPUState):
        (ProbeContext):
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        (CPUState):
        (ProbeContext):
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerX86.h:
        (MacroAssemblerX86):
        (JSC::MacroAssemblerX86::probe):
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::probe):
        * assembler/X86Assembler.h:
        * config.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86Common.h:
        * jit/JITStubsX86_64.h:

2013-05-28  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should call masqueradesAsUndefinedWatchpointIfIsStillValid() in all of the places where it currently calls masqueradesAsUndefinedWatchpointIsStillValid()
        https://bugs.webkit.org/show_bug.cgi?id=116892

        Reviewed by Oliver Hunt.
        
        All of those places mean to plant the watchpoint if it's still valid.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):

2013-05-28  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support ArithMin/ArithMax
        https://bugs.webkit.org/show_bug.cgi?id=116885

        Reviewed by Oliver Hunt.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):

2013-05-28  Filip Pizlo  <fpizlo@apple.com>

        testRunner should have a way of disabling inlining of functions
        https://bugs.webkit.org/show_bug.cgi?id=116875

        Reviewed by Mark Hahnenberg.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::getExecutable):
        (JSC):
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):
        * API/JSCTestRunnerUtils.h:
        (JSC):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):
        (ScriptExecutable):
        (JSC::ScriptExecutable::setNeverInline):
        (JSC::ScriptExecutable::neverInline):
        (JSC::ScriptExecutable::isInliningCandidate):

2013-05-27  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support ArithMod
        https://bugs.webkit.org/show_bug.cgi?id=116792

        Reviewed by Oliver Hunt.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildFRem):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (LowerDFGToLLVM):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2013-05-27  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to record heap operations (both FastMalloc and JSC GC)
        https://bugs.webkit.org/show_bug.cgi?id=116848

        Reviewed by Mark Hahnenberg.
        
        Record GC heap operations if ENABLE(ALLOCATION_LOGGING).

        * API/JSManagedValue.mm:
        * dfg/DFGOperations.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::allocateWithNormalDestructor):
        (JSC::Heap::allocateWithImmortalStructureDestructor):
        (JSC::Heap::allocateWithoutDestructor):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        (JSC):
        (JSC::Heap::ascribeOwner):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::internalAppend):
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::append):
        (JSC::SlotVisitor::appendUnbarrieredPointer):
        (JSC::SlotVisitor::appendUnbarrieredValue):
        (JSC::SlotVisitor::appendUnbarrieredWeak):
        (JSC::SlotVisitor::internalAppend):
        (JSC):
        (JSC::SlotVisitor::appendValues):
        * jit/JITWriteBarrier.h:
        (JSC::SlotVisitor::append):
        * llint/LLIntCommon.h:
        * runtime/Butterfly.h:
        (Butterfly):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::create):
        (JSC::Butterfly::growPropertyStorage):
        (JSC::Butterfly::createOrGrowArrayRight):
        (JSC):
        (JSC::Butterfly::growArrayRight):
        (JSC::Butterfly::resizeArray):
        * runtime/JSArray.cpp:
        (JSC::createArrayButterflyInDictionaryIndexingMode):
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSArray.h:
        (JSC::createContiguousArrayButterfly):
        (JSC::createArrayButterfly):
        (JSC):
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSObject.cpp:
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::growOutOfLineStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::JSObject):
        * runtime/Operations.h:
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::create):
        * runtime/StructureInlines.h:
        (JSC):
        * runtime/WriteBarrier.h:
        (JSC):

2013-05-27  Filip Pizlo  <fpizlo@apple.com>

        testRunner should be able to tell you if a function is DFG compiled
        https://bugs.webkit.org/show_bug.cgi?id=116847

        Reviewed by Mark Hahnenberg.

        * API/JSCTestRunnerUtils.cpp: Added.
        (JSC):
        (JSC::numberOfDFGCompiles):
        * API/JSCTestRunnerUtils.h: Added.
        (JSC):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::numberOfDFGCompiles):
        (JSC):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::runThread):
        * runtime/Executable.h:
        (JSC):
        * runtime/JSFunctionInlines.h: Added.
        (JSC):
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::jsExecutable):
        (JSC::JSFunction::isHostFunction):
        (JSC::JSFunction::nativeFunction):
        (JSC::JSFunction::nativeConstructor):
        * runtime/Operations.h:

2013-05-27  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG ArithMod should have the !nodeUsedAsNumber optimizations that ArithDiv has
        https://bugs.webkit.org/show_bug.cgi?id=116841

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):

2013-05-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: clean up ArithDiv/ArithMod in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=116793

        Reviewed by Mark Hahnenberg.
        
        This makes ArithDiv and ArithMod behave similarly, and moves both of their
        implementations entirely into DFGSpeculativeJIT.cpp into methods named like
        the ones for ArithSub/ArithMul.
        
        Specifically, ArithMod now uses the wrap-in-conversion-nodes idiom that
        ArithDiv used for platforms that don't support integer division. Previously
        ArithMod had its own int-to-double and double-to-int conversions for this
        purpose.
        
        As well, this gets rid of confusing methods like compileSoftModulo() (which
        did no such thing, there wasn't anything "soft" about it) and 
        compileIntegerArithDivForX86() (which is accurately named but we don't use
        the platform-specific method convention anywhere else).
        
        Finally, this takes the optimized power-of-two modulo operation that was
        previously only for ARMv7s, and makes it available for all platforms. Well,
        sort of: I actually rewrote it to do what latest LLVM appears to do, which
        is a crazy straight-line power-of-2 modulo based on a combination of shifts,
        ands, additions, and subtractions. I can kind of understand it well enough
        to see that it complies with both C and JS power-of-2 modulo semantics. I've
        also confirmed that it does by testing (hence the corresponding improvements
        to one of the division tests). But, I don't claim to know exactly how this
        code works other than to observe that it is super leet.
        
        Overall, this patch has the effect of killing some code (no more hackish
        int-to-double conversions in ArithMod), making some optimization work on
        more platforms, and making the compiler less confusing by doing more things
        with the same idiom.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-05-25  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: cti_optimize shouldn't allow GCs to get in the way of it seeing the state of its CodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=116748

        Reviewed by Geoffrey Garen.
        
        This fixes the following race: an optimized version of our code block could be installed
        by the GC just as we return from completeAllReadyPlansForVM(), leading us to believe
        that the code block isn't ready yet even though it is. Currently this triggers a
        RELEASE_ASSERT. We could remove that assertion, but then this case would lead to the
        code in question entering into optimizeAfterWarmUp mode. That seems pretty wasteful.
        
        Fix the bug, and hopefully close the door on these bugs for a while, by wrapping
        cti_optimize in a DeferGC. There is little downside to doing so since the only
        "allocations" in cti_optimize are the ones where we inform the GC about extra memory
        usage.
        
        I had a more comprehensive solution (see the bug, "work in progress" patch) but that
        one involved adding *more* raciness to cti_optimize. I decided that was a less good
        approach once I came to appreciate the simplicity of just using DeferGC.

        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2013-05-25  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support ArithDiv
        https://bugs.webkit.org/show_bug.cgi?id=116771

        Reviewed by Oliver Hunt.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildDiv):
        (JSC::FTL::buildRem):
        (JSC::FTL::buildFDiv):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        * ftl/FTLCommonValues.h:
        (CommonValues):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (LowerDFGToLLVM):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::div):
        (JSC::FTL::Output::rem):
        (JSC::FTL::Output::doubleDiv):

2013-05-25  Mark Lam  <mark.lam@apple.com>

        Remove Interpreter::retrieveLastCaller().
        https://bugs.webkit.org/show_bug.cgi?id=116753.

        Reviewed by Geoffrey Garen.

        This is part of the refactoring effort to get rid of functions walking
        the JS stack in their own way.

        * API/JSContextRef.cpp:
        (JSContextCreateBacktrace):
        * interpreter/CallFrame.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::getStackTrace):
        (JSC::Interpreter::addStackTraceIfNecessary):
        * interpreter/Interpreter.h:
        (StackFrame):
        (JSC::StackFrame::StackFrame):
        (Interpreter):
        * jsc.cpp:
        (functionJSCStack):
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::addParentForConsoleStart):

2013-05-24  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL boolify should support ObjectOrOtherUse
        https://bugs.webkit.org/show_bug.cgi?id=116741

        Reviewed by Geoffrey Garen.
        
        Just reusing what was already there in equalNullOrUndefined(). Note that we will
        sometimes generate some redundant IR - like having some spurious bitNot's in
        places - but it's safe to assume that LLVM will simplify those, and that it won't
        be the longest pole in the tent for compile times.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):

2013-05-24  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support LogicalNot and Branch on Int32 and Number
        https://bugs.webkit.org/show_bug.cgi?id=116739

        Reviewed by Gavin Barraclough.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
        (JSC::FTL::LowerDFGToLLVM::compileBranch):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (LowerDFGToLLVM):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::isZero32):
        (JSC::FTL::Output::notZero32):

2013-05-23  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: add heuristics to reduce the likelihood of a trivially inlineable function being independently compiled by the concurrent JIT
        https://bugs.webkit.org/show_bug.cgi?id=116557

        Reviewed by Geoffrey Garen.
        
        This introduces a fairly comprehensive mechanism for preventing trivially inlineable
        functions from being compiled independently of all of the things into which they end
        up being inlined.
        
        The trick is CodeBlock::m_shouldAlwaysBeInlined, or SABI for short (that's what the
        debug logging calls it). A SABI function is one that we currently believe should
        never be DFG optimized because it should always be inlined into the functions that
        call it. SABI follows "innocent until proven guilty": all functions start out SABI
        and have SABI set to false if we see proof that that function may be called in some
        possibly non-inlineable way. So long as a function is SABI, it will not tier up to
        the DFG: cti_optimize will perpetually postpone its optimization. Because SABI has
        such a severe effect, we make the burden of proof of guilt quite low. SABI gets
        cleared if any of the following happen:
        
        - You get called from native code (either through CallData or CachedCall).
        
        - You get called from an eval, since eval code takes a long time to get DFG
          optimized.
        
        - You get called from global code, since often global code doesn't tier-up since
          it's run-once.
        
        - You get called recursively, where recursion is detected by a stack walk of depth
          Options::maximumInliningDepth().
        
        - You get called through an unlinked virtual call.
        
        - You get called from DFG code, since if the caller was already DFG optimized and
          didn't inline you then obviously, you might not get inlined.
        
        - You've tiered up to the baseline JIT and you get called from the interpreter.
          The idea here is that this kind of ensures that you stay SABI only if you're
          called no more frequently than any of your callers.
        
        - You get called from a code block that isn't a DFG candidate.
        
        - You aren't an inlining candidate.
        
        Most of the heuristics for SABI are in CodeBlock::noticeIncomingCall().
        
        This is neutral on SunSpider and V8Spider, and appears to be a slight speed-up on
        V8v7, which was previously adversely affected by concurrent compilation. I also
        confirmed that for example on V8/richards, it dramatically reduces the number of
        code blocks that get DFG compiled. It is a speed-up on those V8v7 benchmarks that
        saw regressions from concurrent compilation.
        
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpAssumingJITType):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC):
        (JSC::CodeBlock::noticeIncomingCall):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightInlineFunction):
        (DFG):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkFor):
        * jit/JIT.h:
        (JIT):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):

2013-05-23  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: rationalize DFG::CapabilityLevel and DFGCapabilities.[h|cpp]
        https://bugs.webkit.org/show_bug.cgi?id=116696

        Reviewed by Sam Weinig.
        
        Make it so that all capability calculation is funneled through one function, which tells
        you everything you wanted to know: can it be inlined, and can it be compiled.
        
        This work will help with https://bugs.webkit.org/show_bug.cgi?id=116557, since now the
        JIT has a fairly authoritative answer to the "can it be inlined" question.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::ProgramCodeBlock::capabilityLevelInternal):
        (JSC::EvalCodeBlock::capabilityLevelInternal):
        (JSC::FunctionCodeBlock::capabilityLevelInternal):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::capabilityLevel):
        (JSC::CodeBlock::capabilityLevelState):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        (DFG):
        (JSC::DFG::canInlineResolveOperations):
        (JSC::DFG::capabilityLevel):
        * dfg/DFGCapabilities.h:
        (DFG):
        (JSC::DFG::capabilityLevel):
        (JSC::DFG::evalCapabilityLevel):
        (JSC::DFG::programCapabilityLevel):
        (JSC::DFG::functionForCallCapabilityLevel):
        (JSC::DFG::functionForConstructCapabilityLevel):
        (JSC::DFG::canInlineFunctionForCall):
        (JSC::DFG::canInlineFunctionForClosureCall):
        (JSC::DFG::canInlineFunctionForConstruct):
        * dfg/DFGCommon.h:
        (JSC::DFG::canCompile):
        (DFG):
        (JSC::DFG::canInline):
        (JSC::DFG::leastUpperBound):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::sample):

2013-05-22  Filip Pizlo  <fpizlo@apple.com>

        Rename getJITCode and getJITType to jitCode and jitType.
        
        Rubber stampted by Mark Hahnenberg.

        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::RepatchBuffer):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::resetStubInternal):
        (JSC::CodeBlock::stronglyVisitWeakReferences):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::bytecodeOffset):
        (JSC::CodeBlock::codeOriginForReturn):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::compileOptimized):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        (JSC::CodeBlock::adjustedExitCountThreshold):
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getCallLinkInfo):
        (JSC::CodeBlock::jitCode):
        (JSC::CodeBlock::jitCodeWithArityCheck):
        (JSC::CodeBlock::jitType):
        (JSC::CodeBlock::hasBaselineJITProfiling):
        (JSC::CodeBlock::jitCompile):
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
        (JSC::ExecState::isInlineCallFrame):
        * dfg/DFGAssemblyHelpers.cpp:
        (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::codeLocationForRepatch):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::codeLocationForRepatch):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * heap/DFGCodeBlocks.cpp:
        (JSC::DFGCodeBlocks::~DFGCodeBlocks):
        (JSC::DFGCodeBlocks::jettison):
        (JSC::DFGCodeBlocks::clearMarks):
        (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
        (JSC::DFGCodeBlocks::traceMarkedCodeBlocks):
        * interpreter/Interpreter.cpp:
        (JSC::getLineNumberForCallFrame):
        (JSC::getCallerInfo):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriateImpl):
        (JSC::jitCompileFunctionIfAppropriateImpl):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::jettisonOptimizedCode):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::jettisonOptimizedCode):
        (JSC::FunctionExecutable::baselineCodeBlockFor):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
        (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
        * tools/CodeProfile.cpp:
        (JSC::CodeProfile::sample):

2013-05-22  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Race between LLInt->Baseline tier-up and DFG reading Baseline profiling data
        https://bugs.webkit.org/show_bug.cgi?id=116633

        Reviewed by Mark Hahnenberg.
        
        Previously we would check if we had Baseline JIT profiling data by seeing if the
        appropriate vector was non-empty. This is horrible if we're doing LLInt->Baseline
        tier-up at the same time. This will happen for code we are inlining, if we're
        deciding to inline it before the LLInt->Baseline tier-up happened for that code.
        
        This changes things to take advantage of the fact that the very last thing that
        LLInt->Baseline tier-up will do (in JITDriver.h) is setJITCode(). We now precede
        the actual work in setJITCode() with a store-store fence to ensure that all
        stores to modify the CodeBlock happen before setting the JITCode, and we modify
        CodeBlock::getJITType() to use load-load fences to ensure that if you see
        JITCode::BaselineJIT then you will also see all of those vectors. Then this
        changes all of the code that scrapes Baseline JIT profiles to check if
        getJITType() returns JITCode::BaselineJIT instead of checking vector sizes.
        
        The outcome is that for the non-racy cases we behave as we did before (we fall
        back on LLInt profiling if the tier-up hasn't happened) and for racy cases we
        use LLInt profiling conservatively.
        
        Note that for some (but not all!) of the cases where we scrape Baseline JIT
        profiling, we would have anyway been holding the CodeBlock::m_lock so we can also
        fix those cases by just having setJITCode graph that lock. This patch does that
        also, mainly because although we only call setJITCode() from the main thread, in
        general it's dangerous to have a pointer to a ref-counted object being modified
        in a racy way. So, this patch just does the most conservative thing possible that
        does we can afford to do.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setJITCode):
        (JSC::CodeBlock::getJITType):
        (JSC::CodeBlock::hasBaselineJITProfiling):
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::couldTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):

2013-05-22  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: It should be possible to use more than one compiler thread
        https://bugs.webkit.org/show_bug.cgi?id=116630

        Reviewed by Mark Hahnenberg.
        
        This gives us the ability to use more compiler threads, but doesn't actually
        enable the functionality because it isn't a speed-up on any benchmark. It can
        even be a slow-down. This also adds the ability to disable concurrent
        compilation if we're on a uniprocessor machine, and adds more logging to the
        worklist code to allow us to investigate how many threads are active. It
        appears that even on the most compiler-heavy benchmarks, we never have enough
        work for more than 4 threads, and even then the 4 threads are all active for
        a short time.
        
        Something that having more threads does accomplish is that it shakes out bugs.
        This patch fixes a bug with Watchpoint not being thread-safe ref-counted,
        which enabling 7 compilation threads did catch.
        
        As it stands, this patch is performance-neutral and just fixes bugs and adds
        some options.

        * bytecode/Watchpoint.h:
        * dfg/DFGCommon.h:
        (JSC::DFG::enableConcurrentJIT):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::dump):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::initializeGlobalWorklistOnce):
        * dfg/DFGWorklist.h:
        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        (JSC):
        (JSC::computeNumberOfGCMarkers):
        * runtime/Options.h:
        (JSC):

2013-05-22  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL shouldn't use the LLVM global context, and should instead create its own context for each compilation
        https://bugs.webkit.org/show_bug.cgi?id=116631

        Reviewed by Mark Hahnenberg.
        
        In the future we might want to share contexts for multiple compilations, but for
        now using one context per compilation is a progression over just constantly using
        the global context.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThread):
        (DFG):
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPlan.h:
        * ftl/FTLAbbreviatedTypes.h:
        (FTL):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::voidType):
        (JSC::FTL::int1Type):
        (JSC::FTL::int8Type):
        (JSC::FTL::int32Type):
        (JSC::FTL::int64Type):
        (JSC::FTL::intPtrType):
        (JSC::FTL::doubleType):
        (JSC::FTL::structType):
        (JSC::FTL::mdKindID):
        (JSC::FTL::mdString):
        (JSC::FTL::mdNode):
        (JSC::FTL::appendBasicBlock):
        (JSC::FTL::insertBasicBlock):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::AbstractHeap::tbaaMetadataSlow):
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
        (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
        * ftl/FTLAbstractHeap.h:
        (IndexedAbstractHeap):
        (NumberedAbstractHeap):
        (AbsoluteAbstractHeap):
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        (AbstractHeapRepository):
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        * ftl/FTLCommonValues.h:
        (CommonValues):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        * ftl/FTLIntrinsicRepository.cpp:
        (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
        * ftl/FTLIntrinsicRepository.h:
        (FTL):
        (IntrinsicRepository):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::Output):
        * ftl/FTLOutput.h:
        (Output):
        (JSC::FTL::Output::newBlock):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        (JSC::FTL::State::~State):
        (FTL):
        * ftl/FTLState.h:
        (State):
        * runtime/Options.h:
        (JSC):

2013-05-18  Filip Pizlo  <fpizlo@apple.com>

        FTL should force LLVM to use our own JIT memory allocator, and we shouldn't have to keep around an LLVMExecutionEngineRef to keep code alive
        https://bugs.webkit.org/show_bug.cgi?id=113619

        Reviewed by Geoffrey Garen.
        
        This uses new API that I've exposed, which allows for memory manager callbacks
        from within LLVM. LLVM may allocate multiple independent chunks of memory for
        a module, and we track all of those in a Vector in FTL::JITCode.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateCodeSection):
        (FTL):
        (JSC::FTL::mmAllocateDataSection):
        (JSC::FTL::mmApplyPermissions):
        (JSC::FTL::mmDestroy):
        (JSC::FTL::compile):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::JITCode):
        (JSC::FTL::JITCode::~JITCode):
        (JSC::FTL::JITCode::addHandle):
        (FTL):
        (JSC::FTL::JITCode::initializeCode):
        * ftl/FTLJITCode.h:
        (JITCode):
        (JSC::FTL::JITCode::handles):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::~JITFinalizer):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        (JSC::FTL::JITFinalizer::initializeEntrypointLinkBuffer):
        (JITFinalizer):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLState.h:
        (State):

2013-05-12  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL shouldn't use FastISel and Small code model should be turned off for now
        https://bugs.webkit.org/show_bug.cgi?id=115998

        Reviewed by Oliver Hunt.
        
        This switches off FastISel and makes it possible to turn off Small code model.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:
        (JSC):

2013-05-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: should use ConcurrentJITLock[er] directly and not through typedef
        https://bugs.webkit.org/show_bug.cgi?id=116561

        Rubber stamped by Geoffrey Garen.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescription):
        * bytecode/ArrayProfile.h:
        (ArrayProfile):
        (JSC::ArrayProfile::expectedStructure):
        (JSC::ArrayProfile::structureIsPolymorphic):
        (JSC::ArrayProfile::hasDefiniteStructure):
        (JSC::ArrayProfile::observedArrayModes):
        (JSC::ArrayProfile::mayInterceptIndexedAccesses):
        (JSC::ArrayProfile::mayStoreToHole):
        (JSC::ArrayProfile::outOfBounds):
        (JSC::ArrayProfile::usesOriginalArrayStructures):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::nameForRegister):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (CodeBlock):
        * bytecode/CodeBlockLock.h: Removed.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/LazyOperandValueProfile.cpp:
        (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
        (JSC::CompressedLazyOperandValueProfileHolder::add):
        (JSC::LazyOperandValueProfileParser::initialize):
        (JSC::LazyOperandValueProfileParser::prediction):
        * bytecode/LazyOperandValueProfile.h:
        (CompressedLazyOperandValueProfileHolder):
        (LazyOperandValueProfileParser):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::briefDescription):
        (JSC::ValueProfileBase::computeUpdatedPrediction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        * dfg/DFGArrayMode.h:
        (ArrayMode):
        (JSC::DFG::ArrayMode::withProfile):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * jit/JITInlines.h:
        (JSC::JIT::chooseArrayMode):
        * jit/JITStubs.cpp:
        (JSC::tryCachePutByID):
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::addGlobalVar):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSScope.cpp:
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolvePut):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::findRegisterIndex):
        (JSC::JSSegmentedVariableObject::addRegisters):
        * runtime/JSSegmentedVariableObject.h:
        (JSSegmentedVariableObject):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/Structure.cpp:
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        * runtime/Structure.h:
        (Structure):
        * runtime/SymbolTable.h:
        (SymbolTable):
        (JSC::SymbolTable::find):
        (JSC::SymbolTable::get):
        (JSC::SymbolTable::inlineGet):
        (JSC::SymbolTable::begin):
        (JSC::SymbolTable::end):
        (JSC::SymbolTable::size):
        (JSC::SymbolTable::add):
        (JSC::SymbolTable::set):
        (JSC::SymbolTable::contains):

2013-05-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should be able to run on a separate thread
        https://bugs.webkit.org/show_bug.cgi?id=112839

        Reviewed by Geoffrey Garen.
        
        This is the final bit of concurrent JITing. The idea is that there is a
        single global worklist, and a single global thread, that does all
        optimizing compilation. This is the DFG::Worklist. It contains a queue of
        DFG::Plans, and a map from CodeBlock* (the baseline code block we're
        trying to optimize) to DFG::Plan. If the DFGDriver tries to concurrently
        compile something, it puts the Plan on the Worklist. The Worklist's
        thread will compile that Plan eventually, and when it's done, it will
        signal its completion by (1) notifying anyone waiting for the Worklist to
        be done, and (2) forcing the CodeBlock::m_jitExecuteCounter to take slow
        path. The next Baseline JIT cti_optimize call will then install all ready
        (i.e. compiled) Plans for that VM. Note that (1) is only for the GC and
        VM shutdown, which will want to ensure that there aren't any outstanding
        async compilations before proceeding. They do so by simply waiting for
        all of the plans for the current VM to complete. (2) is the actual way
        that code typically gets installed.
        
        This is all very racy by design. For example, just as we try to force the
        execute counter to take slow path, the main thread may be setting the
        execute counter to some other value. The main thread must set it to
        another value because (a) JIT code is constantly incrementing the counter
        in a racy way, (b) the cti_optimize slow path will set it to some
        large-ish negative value to ensure that cti_optimize isn't called
        repeatedly, and (c) OSR exits from previously jettisoned code blocks may
        still want to reset the counter values. This "race" is made benign, by
        ensuring that while there is an asynchronous compilation, we at worse set
        the counter to optimizeAfterWarmUp and never to deferIndefinitely. Hence
        if the race happens then the worst case is that we wait another ~1000
        counts before installing the optimized code. Another defense is that if
        any CodeBlock calls into cti_optimize, then it will check for all ready
        plans for the VM - so even if a code block has to wait another ~1000
        executions before it calls cti_optimize to do the installation, it may
        actually end up being installed sooner because a different code block had
        called cti_optimize, potentially for an unrelated reason.
        
        Special care is taken to ensure that installing plans informs the GC
        about the increased memory usage, but also ensures that we don't recurse
        infinitely - since at start of GC we try to install outstanding plans.
        This is done by introducing a new GC deferral mechanism (the DeferGC
        block-scoped thingy), which will ensure that GCs don't happen in the
        scope but are allowed to happen after. This still leaves the strange
        corner case that cti_optimize may install outstanding plans, then GC, and
        that GC may jettison the code block that was installed. This, and the
        fact that the plan that we took slow path to install could have been a
        failed or invalid compile, mean that we have to take special precautions
        in cti_optimize.
        
        This patch also fixes a number of small concurrency bugs that I found
        when things started running. There are probably more of those bugs still
        left to fix. This patch just fixes the ones I know about.
        
        Concurrent compilation is right now only enabled on X86_64 Mac. We need
        platforms that are sufficiently CAStastic so that we can do the various
        memory fence and CAS tricks that make this safe. We also need a platform
        that uses JSVALUE64. And we need pthread_once. So, that pretty much means
        just X64_64 for now. Enabling Linux-64_64 should be a breeze, but I'll
        leave that up to the Qt and GTK+ ports to do at their discretion.
        
        This is a solid speed-up on SunSpider (8-9%) and V8Spider (16%), our two
        main compile-time benchmarks. Most peculiarly, this also appears to
        reduce measurement noise, rather than increasing it as you would have
        expected. I don't understand that result but I like it anyway. On the
        other hand, this is a slight (1%) slow-down on V8v7. I will continue to
        investigate this but I think that the results are already good enough
        that we should land this as-is. So far, it appears that the slow-down is
        due to this breaking the don't-compile-inlineables heuristics. See
        investigation in https://bugs.webkit.org/show_bug.cgi?id=116556 and the
        bug https://bugs.webkit.org/show_bug.cgi?id=116557.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::resetStubInternal):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::hasOptimizedReplacement):
        (JSC::CodeBlock::optimizationThresholdScalingFactor):
        (JSC::CodeBlock::checkIfOptimizationThresholdReached):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeAfterWarmUp):
        (JSC::CodeBlock::optimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeSoon):
        (JSC::CodeBlock::forceOptimizationSlowPathConcurrently):
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::updateAllArrayPredictions):
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::jitCompile):
        * bytecode/CodeBlockLock.h:
        (JSC):
        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter::forceSlowPathConcurrently):
        (JSC):
        (JSC::ExecutionCounter::setThreshold):
        * bytecode/ExecutionCounter.h:
        (ExecutionCounter):
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        * dfg/DFGCommon.h:
        (JSC::DFG::enableConcurrentJIT):
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::key):
        (DFG):
        * dfg/DFGPlan.h:
        (DFG):
        (Plan):
        * dfg/DFGWorklist.cpp: Added.
        (DFG):
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::~Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::Worklist::enqueue):
        (JSC::DFG::Worklist::compilationState):
        (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
        (JSC::DFG::Worklist::removeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllReadyPlansForVM):
        (JSC::DFG::Worklist::completeAllPlansForVM):
        (JSC::DFG::Worklist::queueLength):
        (JSC::DFG::Worklist::dump):
        (JSC::DFG::Worklist::runThread):
        (JSC::DFG::Worklist::threadFunction):
        (JSC::DFG::initializeGlobalWorklistOnce):
        (JSC::DFG::globalWorklist):
        * dfg/DFGWorklist.h: Added.
        (DFG):
        (Worklist):
        * heap/CopiedSpaceInlines.h:
        (JSC::CopiedSpace::allocateBlock):
        * heap/DeferGC.h: Added.
        (JSC):
        (DeferGC):
        (JSC::DeferGC::DeferGC):
        (JSC::DeferGC::~DeferGC):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::isCollecting):
        (JSC):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        (JSC::LLInt::entryOSR):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerBytecodes.h:
        * runtime/ConcurrentJITLock.h: Added.
        (JSC):
        * runtime/ExecutionHarness.h:
        (JSC::replaceWithDeferredOptimizedCode):
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::findRegisterIndex):
        (JSC::JSSegmentedVariableObject::addRegisters):
        * runtime/JSSegmentedVariableObject.h:
        (JSSegmentedVariableObject):
        * runtime/Options.h:
        (JSC):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::propertyTable):
        * runtime/SymbolTable.h:
        (SymbolTable):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::prepareToDiscardCode):
        (JSC):
        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        * runtime/VM.h:
        (DFG):
        (VM):

2013-05-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        CheckArrays should be hoisted
        https://bugs.webkit.org/show_bug.cgi?id=116353

        Performance neutral. This will be more important when we start depending on CheckArray for flat arrays.

        Reviewed by Filip Pizlo.

        * dfg/DFGAbstractState.cpp: Add ForwardCheckArray to wherever we had a CheckArray before.
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::isContravenedByStructure): Checks if the ArrayMode derived from a specific Structure 
        would contradict the ArrayModes that would be filtered by the current ArrayMode. This is used to detect
        if any specific CheckStructures would contradict our CheckArray so that we can defer to the CheckStructure's
        judgment.
        * dfg/DFGByteCodeParser.cpp: Fill in checkArrayHoistingFailed where we previously exited due to a BadIndexingType.
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h: New ForwardCheckArray node type.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp: Refactored most of TypeCheckHoistingPhase into separate functions, some 
        of which are now generic to both CheckStructure and CheckArray hoisting while others are specific to one or the
        other. Both of the non-zero CheckBallot values must be 1 because we use them as an index into an array of 
        length 2 inside the VariableAccessData.
        (CheckData): Moved structure outside of TypeCheckHoistingPhase so that ArrayTypeCheck and StructureTypeCheck
        can access it. Also added new fields for tracking ArrayModes. We need the m_arrayModeIsValid because there 
        isn't a good sentinel value for "this ArrayMode is invalid and meaningless" like there is for m_structure.
        We need m_arrayModeHoistingOkay for when we want to permanently disable hoisting for that particular variable.
        (JSC::DFG::CheckData::CheckData):
        (JSC::DFG::CheckData::disableCheckArrayHoisting): Helper function for disabling CheckArray hoisting for a 
        specific CheckData.
        (JSC::DFG::TypeCheckHoistingPhase::run): We now do both CheckStructure and CheckArray hoisting, although we prefer
        CheckStructure hoisting when given the possibility to do both.
        (TypeCheckHoistingPhase):
        (JSC::DFG::TypeCheckHoistingPhase::clearVariableVotes): Clears all of the VariableAccessData votes since they 
        can only have two types of votes at any particular time.
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): Very similar to identifyRedundantStructureChecks,
        but with a few different nodes that are important, namely CheckArray (instead of CheckStructure) and the Arrayify-like
        nodes always disable hoisting since they always change the IndexingType. 
        (JSC::DFG::TypeCheckHoistingPhase::disableHoistingForVariablesWithInsufficientVotes):
        (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
        (JSC::DFG::TypeCheckHoistingPhase::disableCheckArrayHoisting): Helper that looks up the CheckData for the 
        specified variable and disables CheckArray hoisting on it.
        (JSC::DFG::TypeCheckHoistingPhase::shouldConsiderForHoisting):
        (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
        (JSC::DFG::TypeCheckHoistingPhase::noticeCheckArray):
        (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode): We want to take CheckStructure nodes
        into account when hoisting CheckArrays, so we make sure that if we contradict what a CheckStructure says then we 
        give up on hoisting the CheckArray.
        (JSC::DFG::ArrayTypeCheck::isValidToHoist):
        (ArrayTypeCheck): Structure that houses some of the specifics on how to hoist CheckArrays. This structure
        is used a template argument to allow some of the very similar code to statically parameterized and reused
        for both CheckStructure and CheckArray hoisting.
        (JSC::DFG::ArrayTypeCheck::disableHoisting):
        (JSC::DFG::ArrayTypeCheck::isContravenedByValue):
        (JSC::DFG::ArrayTypeCheck::hasEnoughVotesToHoist):
        (JSC::DFG::ArrayTypeCheck::hoistingPreviouslyFailed):
        (JSC::DFG::StructureTypeCheck::isValidToHoist):
        (StructureTypeCheck): Same as ArrayTypeCheck, but specific to CheckStructure hoisting.
        (JSC::DFG::StructureTypeCheck::disableHoisting):
        (JSC::DFG::StructureTypeCheck::isContravenedByValue):
        (JSC::DFG::StructureTypeCheck::hasEnoughVotesToHoist):
        (JSC::DFG::StructureTypeCheck::hoistingPreviouslyFailed):
        * dfg/DFGUnificationPhase.cpp: Added merging of whether or not CheckArray hoisting failed.
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeCheckArrayHoistingFailed):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::checkArrayHoistingFailed):
        * runtime/Options.h:

2013-05-17  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: getCTIStub should be thread-safe
        https://bugs.webkit.org/show_bug.cgi?id=116126

        Reviewed by Dan Bernstein.
        
        It's called from the compilation thread. Give it locks.

        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITThunks.h:
        (JITThunks):

2013-05-17  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Executable and CodeBlock should be aware of DFG::Plans that complete asynchronously
        https://bugs.webkit.org/show_bug.cgi?id=116350

        Reviewed by Oliver Hunt.
        
        This refactors compilation so that:
        
        - JITStubs knows exactly what the result of compilation was. For example, if
          compilation was deferred, it will now know this.
        
        - The set of things that has to happen to install compiled code is now factored
          out into JSC::installOptimizedCode().
        
        - A bunch of the code in Executable.cpp is now made more common to reduce code
          duplication. For example, the heap heuristics stuff is now in one place.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::FunctionCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
        (JSC::ProgramCodeBlock::jitCompileImpl):
        (JSC::EvalCodeBlock::jitCompileImpl):
        (JSC::FunctionCodeBlock::jitCompileImpl):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::jitCompile):
        (ProgramCodeBlock):
        (EvalCodeBlock):
        (FunctionCodeBlock):
        * dfg/DFGDesiredIdentifiers.cpp:
        (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
        (DFG):
        (JSC::DFG::DesiredIdentifiers::at):
        * dfg/DFGDesiredIdentifiers.h:
        (JSC):
        (DesiredIdentifiers):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        (DFG):
        * dfg/DFGDriver.h:
        (DFG):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        (JSC::DFG::tryFinalizePlan):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPlan.h:
        (JSC):
        (Plan):
        (DFG):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriateImpl):
        (JSC::jitCompileFunctionIfAppropriateImpl):
        (JSC):
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * runtime/CompilationResult.cpp: Added.
        (WTF):
        (WTF::printInternal):
        * runtime/CompilationResult.h: Added.
        (JSC):
        (WTF):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::jitCompile):
        (JSC::EvalExecutable::compileInternal):
        (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
        (JSC):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
        (JSC::FunctionExecutable::compileForConstructInternal):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
        * runtime/Executable.h:
        (ScriptExecutable):
        (EvalExecutable):
        (ProgramExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::compileOptimizedFor):
        (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
        (JSC::FunctionExecutable::jitCompileFor):
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecutionImpl):
        (JSC::prepareFunctionForExecutionImpl):
        (JSC):
        (JSC::installOptimizedCode):
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):
        (JSC::replaceWithDeferredOptimizedCode):

2013-05-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        observeUseKindOnNode doesn't contain a case for KnownCellUse
        https://bugs.webkit.org/show_bug.cgi?id=116130

        This would just lead to us being overly conservative when deciding
        whether we should unbox GetLocals with KnownCellUse UseKinds.

        Reviewed by Filip Pizlo.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::observeUseKindOnNode):

2013-05-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        fourthTier: infrequent segfault in DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks()
        https://bugs.webkit.org/show_bug.cgi?id=116134

        CodeBlock and JITCode should be ThreadSafeRefCounted. We're going to
        start using them on more threads very soon (with concurrent
        compilation). This patch also fixes the specific place where we were
        superfluously creating a RefPtr.

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::getJITType):
        * jit/JITCode.h:

2013-05-16  Mark Lam  <mark.lam@apple.com>

        Implement a probe mechanism for JIT generated code.
        https://bugs.webkit.org/show_bug.cgi?id=115705.

        Reviewed by Geoffrey Garen.

        Edit: For C++ code, you can do debugging by adding printfs to your
        code. For JIT generated code, you can now do the equivalent by
        inserting a probe and have it emit a call to your probe function.

        The probe is in the form of a MacroAssembler pseudo instruction.
        It takes 3 arguments: a ProbeFunction, and 2 void* args.

        When inserted into the JIT at some code generation site, the probe
        pseudo "instruction" will emit a minimal amount of code to save the
        stack pointer, 1 (or more) scratch register(s), and the probe
        arguments into a ProbeContext record on the stack. The emitted code
        will then call a probe trampoline to do the rest of the work, which
        consists of:
        1. saving the remaining registers into the ProbeContext.
        2. calling the ProbeFunction, and passing it the ProbeContext pointer.
        3. restoring the registers from the ProbeContext after the ProbeFunction
           returns, and then returning to the JIT generated code.

        The ProbeContext is stack allocated and is only valid for the duration
        that the ProbeFunction is executing.

        If the user supplied ProbeFunction alters the register values in the
        ProbeContext, the new values will be installed into the registers upon
        returning from the probe. This can be useful for some debugging or
        testing purposes.

        The probe mechanism is built conditional on USE(MASM_PROBE) which is
        defined in config.h. USE(MASM_PROBE) will off by default.

        This changeset only implements the probe mechanism for X86 and X86_64.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::shouldBlind):
        (JSC::MacroAssembler::store32):
        * assembler/MacroAssemblerX86.h:
        (MacroAssemblerX86):
        (JSC::MacroAssemblerX86::trustedImm32FromPtr):
        (JSC::MacroAssemblerX86::probe):
        * assembler/MacroAssemblerX86Common.cpp: Added.
        (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters):
        - CPU specific register dumper called by ProbeContext::dump().
        (JSC::MacroAssemblerX86Common::ProbeContext::dump):
        - Prints the ProbeContext to the DataLog.
        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (CPUState): Added.
        (ProbeContext): Added.
        * assembler/MacroAssemblerX86_64.h:
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::trustedImm64FromPtr):
        (JSC::MacroAssemblerX86_64::probe):
        * assembler/X86Assembler.h:
        * config.h: Added WTF_USE_MASM_PROBE flag.
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86Common.h: Added.
        * jit/JITStubsX86_64.h:

2013-05-15  Mark Lam  <mark.lam@apple.com>

        Fix for broken 32-bit build in SpeculativeJIT::checkArray().
        https://bugs.webkit.org/show_bug.cgi?id=116184.

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):

2013-05-15  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should separate link phase into things that must be done concurrently and things that must be done synchronously, and have a way of passing data from one to the other
        https://bugs.webkit.org/show_bug.cgi?id=116060

        Reviewed by Gavin Barraclough.
        
        This introduces the concept of a DFG::Plan, which corresponds to:
        
        - The data that the concurrent DFG or FTL need to start compiling a CodeBlock.
          This mostly includes basic things like CodeBlock*, but also a list of
          must-handle values for OSR entry.
        
        - The data that the synchronous linker need to link in code compiled by a
          concurrent compilation thread. This is further encapsulated by DFG::Finalizer,
          since the data, and the actions that need to be taken, are different in DFG
          versus FTL. This patch also institutes the policy that the concurrent
          compilation thread shall not use LinkBuffer::performFinalization(), since that
          code assumes that it's running on the same thread that will actually run the
          code.
        
        - The actions that need to be taken to compile code. In other words, most of the
          code that previously lived in DFGDriver.cpp now lives in
          DFG::Plan::compileInThread().
        
        - The actions that need to be taken when synchronously linking the code. This
          includes "really" adding watchpoints and identifiers, checking watchpoint and
          chain validity, and running the DFG::Finalizer.
        
        Currently, DFGDriver just creates a Plan and runs it synchronously. But in the
        future, we will be able to malloc some Plans and enqueue them, and have the
        concurrent thread dequeue them and call Plan::compileInThread().
        
        For now, this has no behavior or performance change.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::performFinalization):
        * assembler/LinkBuffer.h:
        (LinkBuffer):
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::~LinkBuffer):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::setFuturePossibleStructure):
        (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGDriver.cpp:
        (DFG):
        (JSC::DFG::compile):
        * dfg/DFGFailedFinalizer.cpp: Added.
        (DFG):
        (JSC::DFG::FailedFinalizer::FailedFinalizer):
        (JSC::DFG::FailedFinalizer::~FailedFinalizer):
        (JSC::DFG::FailedFinalizer::finalize):
        (JSC::DFG::FailedFinalizer::finalizeFunction):
        * dfg/DFGFailedFinalizer.h: Added.
        (DFG):
        (FailedFinalizer):
        * dfg/DFGFinalizer.cpp: Added.
        (DFG):
        (JSC::DFG::Finalizer::Finalizer):
        (JSC::DFG::Finalizer::~Finalizer):
        * dfg/DFGFinalizer.h: Added.
        (DFG):
        (Finalizer):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGGraph.h:
        (Graph):
        (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::Graph::compilation):
        (JSC::DFG::Graph::identifiers):
        (JSC::DFG::Graph::watchpoints):
        (JSC::DFG::Graph::chains):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::linkFunction):
        (DFG):
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        (JSC::DFG::JITCompiler::addLazily):
        * dfg/DFGJITFinalizer.cpp: Added.
        (DFG):
        (JSC::DFG::JITFinalizer::JITFinalizer):
        (JSC::DFG::JITFinalizer::~JITFinalizer):
        (JSC::DFG::JITFinalizer::finalize):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGJITFinalizer.h: Added.
        (DFG):
        (JITFinalizer):
        * dfg/DFGPlan.cpp: Added.
        (DFG):
        (JSC::DFG::dumpAndVerifyGraph):
        (JSC::DFG::Plan::Plan):
        (JSC::DFG::Plan::~Plan):
        (JSC::DFG::Plan::compileInThread):
        (JSC::DFG::Plan::isStillValid):
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::finalize):
        * dfg/DFGPlan.h: Added.
        (DFG):
        (Plan):
        (JSC::DFG::Plan::vm):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::identifierUID):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * ftl/FTLGeneratedFunction.h: Added.
        (FTL):
        * ftl/FTLJITFinalizer.cpp: Added.
        (FTL):
        (JSC::FTL::JITFinalizer::JITFinalizer):
        (JSC::FTL::JITFinalizer::~JITFinalizer):
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h: Added.
        (FTL):
        (JITFinalizer):
        (JSC::FTL::JITFinalizer::initializeExitThunksLinkBuffer):
        (JSC::FTL::JITFinalizer::initializeEntrypointLinkBuffer):
        (JSC::FTL::JITFinalizer::initializeCode):
        (JSC::FTL::JITFinalizer::initializeFunction):
        (JSC::FTL::JITFinalizer::initializeArityCheck):
        (JSC::FTL::JITFinalizer::initializeJITCode):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLink.h:
        (FTL):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLState.h:
        (FTL):
        (State):

2013-05-14  Mark Lam  <mark.lam@apple.com>

        Refactor JITStubs.cpp to move CPU specific parts out into their own files.
        https://bugs.webkit.org/show_bug.cgi?id=116135.

        Reviewed by Michael Saboff.

        This mod only moves the CPU specific parts out. There is no code change.
        Tested on debug builds of X86, X86_64, ARM and ARMv7. The SH4 and MIPS
        ports are untested. Windows port also not tested.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITStubs.cpp:
        (JSC::performPlatformSpecificJITAssertions):
        * jit/JITStubsARM.h: Added.
        (JSC::ctiTrampoline):
        (JSC::ctiTrampolineEnd):
        (JSC::ctiVMThrowTrampoline):
        (JSC::ctiOpThrowNotCaught):
        (JSC::performARMJITAssertions):
        * jit/JITStubsARMv7.h: Added.
        (JSC::ctiTrampoline):
        (JSC::ctiVMThrowTrampoline):
        (JSC::ctiOpThrowNotCaught):
        (JSC::performARMv7JITAssertions):
        * jit/JITStubsMIPS.h: Added.
        (JSC::performMIPSJITAssertions):
        * jit/JITStubsSH4.h: Added.
        * jit/JITStubsX86.h: Added.
        * jit/JITStubsX86_64.h: Added.

2013-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled
        https://bugs.webkit.org/show_bug.cgi?id=116082

        It's crashing because CodeBlock::baselineVersion() doesn't know how to handle the case where 'this' is the 
        baseline version but it hasn't been assigned to the m_blahCodeBlock field in BlahExecutable. The fix is to 
        check if we're the baseline version in baselineVersion() and return this if so.

        Reviewed by Filip Pizlo.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::baselineVersion):

2013-05-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase
        https://bugs.webkit.org/show_bug.cgi?id=115938

        We're going to add some more types of check hoisting soon, so let's have
        the right name here.

        Rubber stamped by Filip Pizlo.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp: Removed.
        * dfg/DFGStructureCheckHoistingPhase.h: Removed.
        * dfg/DFGTypeCheckHoistingPhase.cpp: Added.
        (DFG):
        (TypeCheckHoistingPhase):
        (JSC::DFG::TypeCheckHoistingPhase::TypeCheckHoistingPhase):
        (JSC::DFG::TypeCheckHoistingPhase::run):
        (JSC::DFG::TypeCheckHoistingPhase::shouldConsiderForHoisting):
        (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
        (CheckData):
        (JSC::DFG::TypeCheckHoistingPhase::CheckData::CheckData):
        (JSC::DFG::performTypeCheckHoisting):
        * dfg/DFGTypeCheckHoistingPhase.h: Added.

2013-05-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        SpeculativeJIT::checkArray should use the correct ExitKind
        https://bugs.webkit.org/show_bug.cgi?id=115943

        Currently it uses Uncountable, which gives us no information if we end up exiting due to a 
        mismatched ClassInfo pointer. It should instead use BadType and should pass the correct 
        JSValueSource and Node instead of passing empty values.

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):

2013-05-11  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support Jump and ForceOSRExit
        https://bugs.webkit.org/show_bug.cgi?id=115942

        Reviewed by Oliver Hunt.
        
        Added two obvious nodes: Jump and ForceOSRExit. We already had everything we needed
        to support them.
        
        Adding these increases our coverage a fair bit, and revealed a bug: LLVM's full
        instruction selector currently appears to mishandle doubles in constant pools (or
        just constant pools in general) with the small code model in the MCJIT. But switching
        to FastISel "fixes" it. That's what this patch does, for now. This will probably
        actually be permanent; the FastISel does pretty much everything we would ever want,
        at least in the foreseeable future.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        (FTL):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileJump):
        (JSC::FTL::LowerDFGToLLVM::compileReturn):
        (JSC::FTL::LowerDFGToLLVM::compileForceOSRExit):
        * runtime/Options.h:
        (JSC):

2013-05-10  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support CompareStrictEqConstant
        https://bugs.webkit.org/show_bug.cgi?id=115941

        Reviewed by Mark Hahnenberg.
        
        Pretty simple, but factors out the craziness of comparing against null or undefined
        in a way that is reusable for both == and ===.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):

2013-05-10  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support CompareEqConstant
        https://bugs.webkit.org/show_bug.cgi?id=115939

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        The most interesting part of this patch is the way I make it easier to deal with
        the inputs to Phi functions. This adds the notion of ValueFromBlock, which you
        can get by doing m_out.anchor(value). You can build up a vector of these, and then
        pass them to m_out.phi(type, vector) in one go.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLAbbreviatedTypes.h: Added.
        (FTL):
        * ftl/FTLAbbreviations.h:
        (FTL):
        (JSC::FTL::addIncoming):
        (JSC::FTL::buildPhi):
        * ftl/FTLAbstractHeapRepository.h:
        (FTL):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIfIsStillValid):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::phi):
        (Output):
        (JSC::FTL::Output::anchor):
        * ftl/FTLValueFromBlock.h: Added.
        (FTL):
        (ValueFromBlock):
        (JSC::FTL::ValueFromBlock::ValueFromBlock):
        (JSC::FTL::ValueFromBlock::value):
        (JSC::FTL::ValueFromBlock::block):

2013-05-10  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support CompareStrictEq
        https://bugs.webkit.org/show_bug.cgi?id=115927

        Reviewed by Mark Hahnenberg.
        
        Do the sensible thing, and make it so that for common cases, CompareEq is
        implemented in terms of CompareStrictEq in the FTL backend. All of the cases
        we currently support can be done this way.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):

2013-05-10  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support Int32ToDouble
        https://bugs.webkit.org/show_bug.cgi?id=115926

        Reviewed by Mark Hahnenberg.
        
        This node exists mainly to help the DFG see that a node may have both an int
        and a double representation. But in the FTL, nodes already have multiple
        representations. So this is just a no-op for the FTL.
        
        I considered making it so that the node isn't even inserted if we're doing
        FTL compilation, but that would have required a bunch of conditionalizing in
        the DFG's optimization phases, which sort of expect this node to be present
        and necessary.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (LowerDFGToLLVM):

2013-05-10  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support LogicalNot
        https://bugs.webkit.org/show_bug.cgi?id=115924

        Reviewed by Mark Hahnenberg.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildNot):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
        (LowerDFGToLLVM):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::bitNot):

2013-05-10  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should support CompareGreater, CompareLessEq, and CompareGreaterEq
        https://bugs.webkit.org/show_bug.cgi?id=115923

        Reviewed by Mark Hahnenberg.
        
        Also fixed a bug where double CompareLess would assert.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
        (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):

2013-05-10  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL CompareEq ObjectUse should handle masquerading
        https://bugs.webkit.org/show_bug.cgi?id=115920

        Reviewed by Mark Hahnenberg.
        
        We don't yet support watchpoints, but this does all the wiring right up to the
        part where we would have emitted watchpoints. I've also written this in a way that
        makes it easy to use the case where you would have anyway speculated non-masquerading
        even if the watchpoint was invalidated.
        
        This is inherently racy, of course: but the only race here is that you might first
        set the watchpoint, and then the watchpoint is invalidated, and then you compile rest
        of the code in a way that doesn't need the watchpoint. That's fine, since the FTL
        will remember that it had set the watchpoint and then cancel the compilation.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::int8Type):
        * ftl/FTLAbstractHeapRepository.h:
        (FTL):
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        * ftl/FTLCommonValues.h:
        (CommonValues):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::lowNonNullObject):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIfIsStillValid):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::constInt8):
        (JSC::FTL::Output::load8):
        (JSC::FTL::Output::isZero8):
        (JSC::FTL::Output::notZero8):
        (JSC::FTL::Output::testIsZero8):
        (JSC::FTL::Output::testNonZero8):

2013-05-09  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG shouldn't allocate in the GC heap
        https://bugs.webkit.org/show_bug.cgi?id=115598

        Reviewed by Geoffrey Garen.
        
        I believe that we've now fixed this, and this patch just adds the relevant assertion.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):

2013-05-09  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: CodeBlock should be RefCounted
        https://bugs.webkit.org/show_bug.cgi?id=115594

        Reviewed by Geoffrey Garen.
        
        This makes it possible to have the currently-being-compiled CodeBlock not be
        installed in Executable, while also allowing it to point to its intended
        alternative(). So long as we were using ownership and not reference counting, it
        would have been difficult to have both CodeBlock::m_alternative and
        Executable::m_codeBlockForBlah point to the previous CodeBlock.
        
        I also took the opportunity to clean up a bunch of code that appears to have
        rotted.

        * assembler/MacroAssemblerCodeRef.h:
        (MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::operator==):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::releaseAlternative):
        (JSC::CodeBlock::setAlternative):
        (CodeBlock):
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        (JSC::ProgramCodeBlock::ProgramCodeBlock):
        (JSC::EvalCodeBlock::EvalCodeBlock):
        (JSC::FunctionCodeBlock::FunctionCodeBlock):
        * heap/DFGCodeBlocks.cpp:
        (JSC::DFGCodeBlocks::~DFGCodeBlocks):
        (JSC::DFGCodeBlocks::jettison):
        (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
        * heap/DFGCodeBlocks.h:
        (DFGCodeBlocks):
        * heap/Heap.cpp:
        (JSC::Heap::jettisonDFGCodeBlock):
        * heap/Heap.h:
        * jit/JITDriver.h:
        (JSC::jitCompileIfAppropriate):
        (JSC::jitCompileFunctionIfAppropriate):
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):
        (JSC::EvalExecutable::jitCompile):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::jitCompile):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::jitCompileForCall):
        (JSC::FunctionExecutable::jitCompileForConstruct):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (EvalExecutable):
        (FunctionExecutable):
        (JSC::FunctionExecutable::codeBlockFor):
        * runtime/ExecutionHarness.h:
        (JSC::prepareForExecution):
        (JSC::prepareFunctionForExecution):

2013-05-09  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should have its own notion of StructureChain, and it should be possible to validate it after compilation finishes
        https://bugs.webkit.org/show_bug.cgi?id=115841

        Reviewed by Oliver Hunt.
        
        This adds IntendedStructureChain, which is like StructureChain, except that it holds a bit
        more information and can be validated independantly of its owning Structure and lexical
        GlobalObject, since it remembers both of those things. It's also malloc'd and RefCounted
        rather than GC'd, so it can be allocated in a concurrent compilation thread.
        
        Gave this class a bunch of methods to allow the following idiom:
        
        - Snapshot a structure chain concurrently. This structure chain may end up being
          wrong in case of races, but in that case we will find out when we try to validate
          it.
        
        - Perform validation on the structure chain itself, without recomputing the chain.
          Previously, many chain validation methods (prototypeChainMayInterceptStoreTo() for
          example) recomputed the chain, and hence, were inherently racy: you could build one
          chain and then validate against a different chain, and hence not realize that the
          chain you did build was actually broken for your purposes, because the chain you
          checked was a different one.
        
        - Validate that the chain is still the right one at any time, allowing the cancellation
          of compilation if there was a race.
        
        Also added DFG::DesiredStructureChains, which tracks those intended structure chains that
        the compiler had already chosen to use. If any of those are invalid at link time, throw
        out the compilation.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (JSC::GetByIdStatus::GetByIdStatus):
        (JSC::GetByIdStatus::chain):
        (GetByIdStatus):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::structureChain):
        (PutByIdStatus):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDesiredStructureChains.cpp: Added.
        (DFG):
        (JSC::DFG::DesiredStructureChains::DesiredStructureChains):
        (JSC::DFG::DesiredStructureChains::~DesiredStructureChains):
        (JSC::DFG::DesiredStructureChains::areStillValid):
        * dfg/DFGDesiredStructureChains.h: Added.
        (DFG):
        (DesiredStructureChains):
        (JSC::DFG::DesiredStructureChains::addLazily):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isStillValid):
        (DFG):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::linkFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * runtime/IntendedStructureChain.cpp: Added.
        (JSC):
        (JSC::IntendedStructureChain::IntendedStructureChain):
        (JSC::IntendedStructureChain::~IntendedStructureChain):
        (JSC::IntendedStructureChain::isStillValid):
        (JSC::IntendedStructureChain::matches):
        (JSC::IntendedStructureChain::chain):
        (JSC::IntendedStructureChain::mayInterceptStoreTo):
        (JSC::IntendedStructureChain::isNormalized):
        (JSC::IntendedStructureChain::terminalPrototype):
        * runtime/IntendedStructureChain.h: Added.
        (JSC):
        (IntendedStructureChain):
        (JSC::IntendedStructureChain::head):
        (JSC::IntendedStructureChain::size):
        (JSC::IntendedStructureChain::at):
        (JSC::IntendedStructureChain::operator[]):
        (JSC::IntendedStructureChain::last):
        * runtime/Structure.cpp:
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::storedPrototypeObject):
        (JSC):
        (JSC::Structure::storedPrototypeStructure):

2013-05-06  Mark Lam  <mark.lam@apple.com>

        Fix broken 32-bit build + some clean up in JITStubs.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=115684.

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITStubs.cpp:
        - removed unneeded stubs for CPU(X86_64) && USE(JSVALUE32_64).
        - added some line breaks to more clearly delineate between
          ports/configurations of stub code.

2013-05-05  Geoffrey Garen  <ggaren@apple.com>

        Rolled back in r149527 with crash fixed.

        Reviewed by Oliver Hunt.

            Rationalized 'this' value conversion
            https://bugs.webkit.org/show_bug.cgi?id=115542

            This fixes a bunch of Sputnik tests, and some bad pointer access.

            The new model is that the callee always performs 'this' value conversion.

            My ultimate goal is to break up resolve_with_this into single-result 
            opcodes. This step avoids having to add a special form of convert_this
            that distinguishes callers vs callees.

            Only the callee knows whether it uses 'this' and/or whether 'this'
            conversion should use StrictMode, so it's most natural to perform
            convert_this in the callee. 

            * API/JSCallbackFunction.cpp:
            (JSC::JSCallbackFunction::call): Perform 'this' value conversion for
            our callee, since it may observe 'this'.

            * API/JSCallbackObjectFunctions.h:
            (JSC::::call): Ditto.

            * API/JSContextRef.cpp:
            (JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope
            even when we're not in the browser. This eliminates some odd cases where
            API clients used to be able to get a direct reference to an environment
            record. Now, any reference to an environment record unambiguously means
            that the VM resolved that record in the scope chain.

            (JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC
            participates in the proxy 'this' object scheme, the behavior is not
            WebCore-only.

            * API/JSObjectRef.cpp:
            (JSObjectSetPrototype):
            (JSObjectCallAsFunction): Don't perform 'this' value conversion in the
            caller; the callee will do it if needed.

            * JavaScriptCore.order: Order!

            * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
            * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
            What are the chances that this will work?

            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our
            other conversion opcodes.

            * bytecode/CodeOrigin.h:
            (CodeOrigin):
            (InlineCallFrame):
            (JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our
            executable, so compilation can discover where we're in strict mode.

            * bytecode/Opcode.h:
            (JSC::padOpcodeName): Updated for rename.

            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when
            'this' is in use -- strict mode still needs to convert environment
            records to 'undefined'.

            * dfg/DFGAbstractState.cpp:
            (JSC::DFG::AbstractState::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGCapabilities.h:
            (JSC::DFG::canCompileOpcode): Updated for renames.

            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider
            strict mode (a new requirement) and to consider the global object (which
            was always a requirement).

            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::globalThisObjectFor):
            (JSC::DFG::Graph::executableFor):
            * dfg/DFGNodeType.h:
            * dfg/DFGOperations.cpp:
            * dfg/DFGOperations.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile): Ditto.

            * interpreter/Interpreter.cpp:
            (JSC::eval):
            (JSC::Interpreter::execute):
            (JSC::Interpreter::executeCall):
            * interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job
            to fix it up if needed.

            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            (JIT):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_to_this):
            (JSC::JIT::emitSlow_op_to_this):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_to_this):
            (JSC::JIT::emitSlow_op_to_this):
            * jit/JITStubs.cpp:
            (JSC::DEFINE_STUB_FUNCTION):
            * jit/JITStubs.h: Removed special-case code for various kinds of
            conversions. The baseline fast path is now final objects only. It hurt
            my brain to think through how to keep the other fast paths working, and
            our benchmarks do not object.

            * llint/LLIntData.cpp:
            (JSC::LLInt::Data::performAssertions):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            * llint/LLIntSlowPaths.h:
            (LLInt):
            * llint/LowLevelInterpreter.asm:
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm: Updated for renames. Removed some
            special case code, as in the JIT above.

            * profiler/ProfileGenerator.cpp:
            (JSC::ProfileGenerator::addParentForConsoleStart):
            * runtime/CallData.cpp:
            (JSC::call):
            * runtime/ClassInfo.h:
            (MethodTable):
            * runtime/Completion.cpp:
            (JSC::evaluate):
            * runtime/DatePrototype.cpp:
            (JSC::dateProtoFuncToJSON): The callee performs 'this' conversion, not
            the caller.

            * runtime/GetterSetter.cpp:
            (JSC::callGetter):
            (JSC::callSetter):
            * runtime/GetterSetter.h: Added helper functions for invoking getters
            and setters from C++ code, since this was duplicated in a bunch of
            places.

            * runtime/JSActivation.cpp:
            (JSC::JSActivation::toThis):
            * runtime/JSActivation.h:
            (JSActivation):
            * runtime/JSCJSValue.cpp:
            (JSC::JSValue::toThisSlowCase):
            (JSC::JSValue::putToPrimitive):
            * runtime/JSCJSValue.h:
            (JSValue):
            * runtime/JSCJSValueInlines.h:
            (JSC::JSValue::toThis):
            * runtime/JSCell.cpp:
            (JSC::JSCell::toThis):
            * runtime/JSCell.h:
            (JSCell):
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::toThis):
            * runtime/JSGlobalObject.h:
            (JSGlobalObject): Filled out runtime support for converting 'this'
            values as needed, according to the appropriate strictness, using
            helper functions where getter/setter code was duplicated.

            * runtime/JSGlobalObjectFunctions.cpp:
            (JSC::globalFuncProtoGetter):
            (JSC::globalFuncProtoSetter): Perform 'this' value conversion, since we
            observe 'this'.

            * runtime/JSNameScope.cpp:
            (JSC::JSNameScope::toThis):
            * runtime/JSNameScope.h:
            (JSNameScope): Same as JSActivation.

            * runtime/JSObject.cpp:
            (JSC::JSObject::put):
            (JSC::JSObject::setPrototypeWithCycleCheck): Bug fix. Don't peform
            'this' value conversion in this helper function. The __proto__
            setter does this for us, since it's the function that logically observes
            'this' -- and we can ASSERT so. Also, the previous code used
            "globalExec()->thisValue()", which is a read past the beginning of a
            buffer! I don't think this ever worked on purpose.

            (JSC::JSObject::toThis):
            (JSC::JSObject::fillGetterPropertySlot):
            * runtime/JSObject.h:
            (JSC::JSObject::inlineGetOwnPropertySlot):
            * runtime/JSScope.cpp:
            (JSC::JSScope::resolveWithThis):
            * runtime/JSString.cpp:
            (JSC::JSString::toThis):
            * runtime/JSString.h:
            (JSString):
            * runtime/PropertySlot.cpp:
            (JSC::PropertySlot::functionGetter):
            * runtime/PropertySlot.h:
            (JSC):
            (JSC::PropertySlot::setGetterSlot):
            (JSC::PropertySlot::setCacheableGetterSlot):
            * runtime/SparseArrayValueMap.cpp:
            (JSC::SparseArrayEntry::get):
            (JSC::SparseArrayEntry::put):
            * runtime/StrictEvalActivation.cpp:
            (JSC::StrictEvalActivation::toThis):
            * runtime/StrictEvalActivation.h:
            (StrictEvalActivation): Ditto.

2013-05-03  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG::ByteCodeParser doesn't need ExecState*
        https://bugs.webkit.org/show_bug.cgi?id=115582

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (ByteCodeParser):
        (JSC::DFG::parse):
        * dfg/DFGByteCodeParser.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):

2013-05-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Profiler should be thread-safe
        https://bugs.webkit.org/show_bug.cgi?id=115445

        Reviewed by Geoffrey Garen.
        
        Change the Profiler::Database API for Compilation creation so that we don't add
        it to the Database until it's completely constructed. This prevents the Database
        from seeing Compilations that are being concurrently constructed.
        
        Change the Profiler::Database itself to do locking for creation of Bytecodes and
        for modifying the map. This map may be consulted by both the main thread and the
        concurrent thread.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::linkFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * profiler/ProfilerBytecodes.h:
        * profiler/ProfilerDatabase.cpp:
        (JSC::Profiler::Database::ensureBytecodesFor):
        (JSC::Profiler::Database::notifyDestruction):
        (JSC::Profiler::Database::addCompilation):
        * profiler/ProfilerDatabase.h:
        (Database):

2013-05-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG tries to ref/deref StringImpls in a ton of places
        https://bugs.webkit.org/show_bug.cgi?id=115300

        Reviewed by Geoffrey Garen.
        
        Change any code transitively called from DFG compilation to use StringImpl*
        directly instead of String, Identifier, or PropertyName. I use the convention
        of passing "StringImpl* uid" instead of an Identifier or PropertyName.
        
        Switch over any code transitively called from DFG compilation to use CStrings
        whenever possible for all of its debug dumping.
        
        This makes it possible to compile things without hitting the ref/deref
        assertion in StringImpl.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::inferredName):
        (JSC::CodeBlock::sourceCodeForTools):
        (JSC::CodeBlock::sourceCodeOnOneLine):
        (JSC::constantName):
        (JSC::idName):
        (JSC::CodeBlock::registerName):
        (JSC::regexpToSourceString):
        (JSC::regexpName):
        (JSC::pointerToSourceString):
        (JSC::CodeBlock::printUnaryOp):
        (JSC::CodeBlock::printBinaryOp):
        (JSC::CodeBlock::printConditionalJump):
        (JSC::CodeBlock::printGetByIdOp):
        (JSC::dumpStructure):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::printPutByIdOp):
        (JSC::CodeBlock::printStructure):
        (JSC::CodeBlock::printStructures):
        (JSC::CodeBlock::dumpBytecode):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/CodeBlockHash.cpp:
        (JSC::CodeBlockHash::CodeBlockHash):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::inferredName):
        * bytecode/CodeOrigin.h:
        (InlineCallFrame):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        (JSC):
        (GetByIdStatus):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        (JSC):
        (PutByIdStatus):
        * bytecode/ReduceWhitespace.cpp:
        (JSC::reduceWhitespace):
        * bytecode/ReduceWhitespace.h:
        (JSC):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveGlobalStatus.h:
        (JSC):
        (ResolveGlobalStatus):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDesiredIdentifiers.cpp: Added.
        (DFG):
        (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
        (JSC::DFG::DesiredIdentifiers::~DesiredIdentifiers):
        (JSC::DFG::DesiredIdentifiers::addLazily):
        (JSC::DFG::DesiredIdentifiers::reallyAdd):
        * dfg/DFGDesiredIdentifiers.h: Added.
        (DFG):
        (DesiredIdentifiers):
        (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
        (JSC::DFG::DesiredIdentifiers::at):
        (JSC::DFG::DesiredIdentifiers::operator[]):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryBuildGetByIDList):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::identifierUID):
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * parser/SourceCode.cpp: Added.
        (JSC):
        (JSC::SourceCode::toUTF8):
        * parser/SourceCode.h:
        (SourceCode):
        * profiler/ProfilerBytecodes.cpp:
        (JSC::Profiler::Bytecodes::toJS):
        * profiler/ProfilerBytecodes.h:
        (JSC::Profiler::Bytecodes::inferredName):
        (JSC::Profiler::Bytecodes::sourceCode):
        (Bytecodes):
        * runtime/Identifier.h:
        (JSC::Identifier::utf8):
        (JSC):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
        (JSC::Structure::getConcurrently):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        (JSC):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::getConcurrently):

2013-05-02  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure transition table keys don't have to ref their StringImpl's
        https://bugs.webkit.org/show_bug.cgi?id=115525

        Reviewed by Geoffrey Garen.
        
        The structure transition table basically maps string to structure. The string is
        always also stored, and ref'd, in the structure in Structure::m_nameInPrevious.
        m_nameInPrevious is never mutated, and never cleared. The string cannot die unless
        the structure dies. If the structure dies, then that entry in the transition map
        becomes a zombie anyway and we will detect this separately.
        
        So, we don't need to use RefPtr<StringImpl>. We can just use StringImpl*.
        
        This also fixes a goof where we were getting the StringImpl's hash rather than
        using a pointer hash. Not only is the latter faster, but it prevents my change
        from leading to crashes: with my change we can have zombie keys, not just zombie
        values. They will exist only until the next map mutation, which will clear them.
        Lookups will work fine because the lookup routine will reject zombies. But it
        does mean that the HashMap will have to deal with dangling StringImpl*'s; all it
        takes to make this work is to ensure that the HashMap itself never dereferences
        them. Using a pointer hash rather than StringImpl::existingHash() accomplishes
        this.
        
        This also ensures that we don't accidentally call ref() or deref() from the
        compilation thread, if the compilation thread inspects the transition table.
        
        And no, we wouldn't have been able to use the HashMap<RefPtr<...>, ...>
        specialization, because the transition table is actually
        HashMap<pair<RefPtr<StringImpl>, unsigned>, ...>: hence that specialization
        doesn't kick in. We could have written a new specialization or something, but
        that seemed like a lot of work given that we don't need the table to be ref'ing
        the strings anyways.

        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add):
        * runtime/StructureTransitionTable.h:
        (StructureTransitionTable):
        (Hash):
        (JSC::StructureTransitionTable::Hash::hash):

2013-05-01  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure::addPropertyTransitionToExistingStructure should be thread-safe
        https://bugs.webkit.org/show_bug.cgi?id=115468

        Reviewed by Geoffrey Garen.
        
        This makes the main thread modify the transition table while holding a lock. Note
        that the GC might modify its weak pointers without locking, but the GC will lock out
        the compilation thread anyway. The map will then only reshape in response to add()
        and set(), which happen while holding a lock.
        
        This allows the compilation thread to now query transition tables safely, provided it
        holds a lock when doing so.
        
        Also changed LLVM asm printer initialization to just initialize the X86 one. It makes
        sense for us to just initialize the asm printer(s) that we actually use; you could
        imagine us being linked to a system LLVM that has cross-compilation support; there is
        no point in the WebKit or JSC process doing work to initialize all of those targets.
        That part was rubber stamped by Mark Hahnenberg.
        
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC):
        (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        * runtime/Structure.h:
        (Structure):

2013-04-30  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Structure::getConcurrently() may be called from for uncacheable dictionaries, and this is safe
        https://bugs.webkit.org/show_bug.cgi?id=115464

        Reviewed by Oliver Hunt and Geoffrey Garen.
        
        This can happen for example transitively from JSObject::put(). getCurrently() does
        work for uncacheable dictionaries; it just has the obvious race that right after it
        returns, the result it returned may no longer be right. This isn't an issue if it was
        called on the main thread, and may not be an issue in some other situations.
        
        So, we should just remove the assertion, since the only thing it buys us is crashes.

        * runtime/Structure.cpp:
        (JSC::Structure::getConcurrently):

2013-04-30  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Don't link gtest into JavaScriptCore

        Rubber stamped by Mark Rowe.

        * Configurations/JavaScriptCore.xcconfig:

2013-04-29  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: String::utf8() should also be available as StringImpl::utf8() so that you don't have to ref() a StringImpl just to get its utf8()
        https://bugs.webkit.org/show_bug.cgi?id=115393

        Reviewed by Geoffrey Garen.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode):

2013-07-16  Oliver Hunt <oliver@apple.com>

        Merge dfgFourthTier r149301

    2013-04-28  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: ASSERT that commonly used not-thread-safe methods in the runtime are not being called during compilation
        https://bugs.webkit.org/show_bug.cgi?id=115297

        Reviewed by Geoffrey Garen.
        
        Put in assertions that we're not doing bad things in compilation threads. Also
        factored compilation into compile+link so that even though we don't yet have
        concurrent compilation, we can be explicit about which parts of DFG work are
        meant to be concurrent, and which aren't.
        
        Also fix a handful of bugs found by these assertions.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::computeForStructure):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::add):
        (JSC::InlineWatchpointSet::inflateSlow):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::~JITCompiler):
        (DFG):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::linkFunction):
        * dfg/DFGJITCompiler.h:
        (JITCompiler):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLCompile.h:
        (FTL):
        * ftl/FTLLink.cpp: Added.
        (FTL):
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * ftl/FTLLink.h: Added.
        (FTL):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLState.h:
        (FTL):
        (State):
        * runtime/Structure.cpp:
        (JSC::Structure::get):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2013-04-27  Filip Pizlo  <fpizlo@apple.com>

        FTL should support double variables
        https://bugs.webkit.org/show_bug.cgi?id=113624

        Reviewed by Geoffrey Garen.
        
        Made all of the operations that the FTL already supports, also support doubles.
        OSR exit already basically had everything it needed, so no changes there. This
        mostly just glues together bits of DFG IR to LLVM IR, in a straight-forward way.

        * ftl/FTLAbbreviations.h:
        (FTL):
        (JSC::FTL::doubleType):
        (JSC::FTL::constReal):
        (JSC::FTL::buildPhi):
        (JSC::FTL::addIncoming):
        (JSC::FTL::buildFAdd):
        (JSC::FTL::buildFSub):
        (JSC::FTL::buildFMul):
        (JSC::FTL::buildFNeg):
        (JSC::FTL::buildSIToFP):
        (JSC::FTL::buildUIToFP):
        (JSC::FTL::buildBitCast):
        (JSC::FTL::buildFCmp):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCommonValues.cpp:
        (JSC::FTL::CommonValues::CommonValues):
        * ftl/FTLCommonValues.h:
        (CommonValues):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileAdd):
        (JSC::FTL::LowerDFGToLLVM::compileArithSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::isCellOrMisc):
        (JSC::FTL::LowerDFGToLLVM::unboxDouble):
        (JSC::FTL::LowerDFGToLLVM::boxDouble):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateNumber):
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::constDouble):
        (Output):
        (JSC::FTL::Output::phi):
        (JSC::FTL::Output::doubleAdd):
        (JSC::FTL::Output::doubleSub):
        (JSC::FTL::Output::doubleMul):
        (JSC::FTL::Output::doubleNeg):
        (JSC::FTL::Output::intToFP):
        (JSC::FTL::Output::intToDouble):
        (JSC::FTL::Output::unsignedToFP):
        (JSC::FTL::Output::unsignedToDouble):
        (JSC::FTL::Output::bitCast):
        (JSC::FTL::Output::loadDouble):
        (JSC::FTL::Output::storeDouble):
        (JSC::FTL::Output::doubleEqual):
        (JSC::FTL::Output::doubleNotEqualOrUnordered):
        (JSC::FTL::Output::doubleLessThan):
        (JSC::FTL::Output::doubleLessThanOrEqual):
        (JSC::FTL::Output::doubleGreaterThan):
        (JSC::FTL::Output::doubleGreaterThanOrEqual):
        (JSC::FTL::Output::doubleEqualOrUnordered):
        (JSC::FTL::Output::doubleNotEqual):
        (JSC::FTL::Output::doubleLessThanOrUnordered):
        (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
        (JSC::FTL::Output::doubleGreaterThanOrUnordered):
        (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
        (JSC::FTL::Output::testIsZero64):

2013-04-27  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: SymbolTable should be thread-safe
        https://bugs.webkit.org/show_bug.cgi?id=115301

        Reviewed by Geoffrey Garen.
        
        Makes SymbolTable thread-safe. Relies on SymbolTableEntry already being immutable,
        other than the WatchpointSet; but the WatchpointSet already has a righteous
        concurrency protocol. So, this patch just protects the SymbolTable's HashMap.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::nameForRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::addGlobalVar):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::getOwnNonIndexPropertyNames):
        (JSC::JSActivation::symbolTablePutWithAttributes):
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTableGet):
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::SymbolTable):
        (JSC::SymbolTable::~SymbolTable):
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::find):
        (JSC::SymbolTable::get):
        (JSC::SymbolTable::inlineGet):
        (JSC::SymbolTable::begin):
        (JSC::SymbolTable::end):
        (JSC::SymbolTable::size):
        (JSC::SymbolTable::add):
        (JSC::SymbolTable::set):
        (JSC::SymbolTable::contains):

2013-04-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: WatchpointSet should make racy uses easier to reason about
        https://bugs.webkit.org/show_bug.cgi?id=115299

        Reviewed by Anders Carlsson.
        
        The compiler often does things like:

        1c) Observe something that would imply that a WatchpointSet ought to be invalid

        2c) Check that it is invalid

        The main thread often does things like:

        1m) Fire the watchpoint set

        2m) Do some other thing that would cause the compiler to assume that the WatchpointSet
        ought to be invalid

        An example is structure transitions, where (1c) is the compiler noticing that a
        put_by_id inline cache is in a transition state, with the source structure being S;
        (2c) is the compiler asserting that S's watchpoint set is invalid; (1m) is the main
        thread firing S's watchpoint set before it does the first transition away from S; and
        (2m) is the main thread caching the put_by_id transition away from S.

        This is totally fine, except that (1c) and (2c), and (1m) and (2m) could be reordered.
        Probably, in most cases, this ought to do enough things that the main thread probably
        already has some fencing. But the compiler thread definitely doesn't have fencing. In
        any case, we should play it safe and just have additional fencing in all of the
        relevant places.

        We already have some idioms to put load-load and store-store fences in the right
        places. But this change just makes WatchpointSet take care of this for us, thus
        reducing the chances of us getting this wrong.

        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::notifyWriteSlow):
        * bytecode/Watchpoint.h:
        (WatchpointSet):
        (JSC::WatchpointSet::isStillValid):
        (JSC::WatchpointSet::hasBeenInvalidated):
        (JSC::InlineWatchpointSet::hasBeenInvalidated):
        (JSC::InlineWatchpointSet::notifyWrite):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):

2013-07-16  Oliver Hunt <oliver@apple.com>

        Merge dfgFourthTier r149233

    2013-04-26  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: CFA should defend against results seeming inconsistent due to a watchpoint firing during compilation
        https://bugs.webkit.org/show_bug.cgi?id=115083

        Reviewed by Geoffrey Garen.
        
        This ruggedizes our racyness with respect to watchpoints. We want to be able to assert,
        in some places, that a watchpoint-based optimization has only occurred if the
        watchpoint set was still valid. But currently we *can* soundly do watchpoint-based
        optimizations even for invalid watchpoints, so long as we recorded in the IR that we
        had done so; this will then lead to the code being insta-jettisoned after compilation
        completes. Obviously, we don't want this to happen often - but we do want to allow it
        precisely in the case of watchpoint races.
        
        This adds the ability to assert that we hadn't over-watchpointed ourselves, with and
        exemption for races.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::setFuturePossibleStructure):
        (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        * dfg/DFGDesiredWatchpoints.h:
        (GenericDesiredWatchpoints):
        (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
        (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
        (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed):
        (JSC::DFG::DesiredWatchpoints::isStillValid):
        (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
        (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
        (DesiredWatchpoints):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
        (Graph):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addLazily):
        (JITCompiler):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculationWatchpointForMasqueradesAsUndefined):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLState.h:
        (State):

2013-04-23  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: AbstractValue methods that deal with watchpoints should have access to Graph, so that in debug mode, Graph can track the history of watchpoint states and detect races
        https://bugs.webkit.org/show_bug.cgi?id=115084

        Reviewed by Geoffrey Garen.
        
        The idea is that as part of https://bugs.webkit.org/show_bug.cgi?id=115083, I'll have
        Graph record the initial state of a watchpoint at the time that we decide to take
        advantage of it; then I will use this to disable any watchpoint-related assertions
        in debug mode. Note that this "watchpoint cache" will only be maintained in debug
        mode, so there will be no release performance implications. But to do this, I need to
        ensure that all of the places that reason about watchpoints have access to Graph.
        For example, I'll want AbstractValue::setFuturePossibleStructure to record the state
        of the watchpoint in Graph so that subsequent assertions can check if the watchpoint's
        state had changed since that decision was made.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::trySetConstant):
        * dfg/DFGAbstractValue.cpp: Added.
        (DFG):
        (JSC::DFG::AbstractValue::setMostSpecific):
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::filter):
        (JSC::DFG::AbstractValue::setFuturePossibleStructure):
        (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
        (JSC::DFG::AbstractValue::dump):
        * dfg/DFGAbstractValue.h:
        (DFG):
        (AbstractValue):
        (JSC::DFG::AbstractValue::setType):
        (JSC::DFG::AbstractValue::filterByValue):

2013-07-16  Oliver Hunt <oliver@apple.com>

        Merge dfgFourthTier r148936

    2013-04-22  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Create an equivalent of Structure::get() that can work from a compilation thread
        https://bugs.webkit.org/show_bug.cgi?id=114987

        Reviewed by Geoffrey Garen.
        
        This completes the work started by r148570. That patch made it possible to do
        Structure::get() without modifying Structure. This patch takes this further, and
        makes this thread-safe (for non-uncacheable-dictionaries) via
        Structure::getConcurrently(). This method not only doesn't modify Structure, but
        also ensures that any concurrent attempts to add to, remove from, or steal the
        table from that structure doesn't mess up the result of the call. The call may
        return invalidOffset even if a property is *just* about to be added, but it will
        never do the reverse: if it returns a property then you can be sure that the
        structure really does have that property and always will have it.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::findConcurrently):
        (JSC):
        (JSC::PropertyTable::add):
        (JSC::PropertyTable::remove):
        (JSC::PropertyTable::reinsert):
        (JSC::PropertyTable::rehash):
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::PropertyTable):
        * runtime/Structure.cpp:
        (JSC::Structure::findStructuresAndMapForMaterialization):
        (JSC::Structure::getConcurrently):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::getConcurrently):

2013-07-16  Oliver Hunt <oliver@apple.com>

        Merge dfgFourthTier r148850

    2013-04-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: WebKit's build system should relink JavaScriptCore if LLVM's libraries changed but its headers didn't
        https://bugs.webkit.org/show_bug.cgi?id=114926

        Reviewed by Geoffrey Garen.
        
        Use a phony file that includes a phony header to force JavaScriptCore to be relinked
        if necessary. The external LLVM-importing scripts will touch the header if the libraries
        are known to have changed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/WebKitLLVMLibraryAnchor.cpp: Added.

2013-07-16  Oliver Hunt <oliver@apple.com>

        Merge dfgFourthTier r148836

    2013-04-21  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: It should be possible to query WatchpointSets, and add Watchpoints, even if the compiler is running in another thread
        https://bugs.webkit.org/show_bug.cgi?id=114909

        Reviewed by Oliver Hunt.
        
        The idea here is that a concurrent compiler will use watchpoint sets as follows:
        
        During concurrent compilation: It will create Watchpoints, and query WatchpointSets only
        for the purpose of profiling. That is, it will use decide whether it is profitable to
        compile the code "as if" the watchpoint sets are valid.
        
        During synchronous linking: By "linking" I don't necessarily mean the LinkBuffer stuff,
        but just the very bitter end of compilation where we make the JIT code callable. This
        can happen after LinkBuffer stuff. Anyway, this will have to happen synchronously, and
        at that point we can (a) check that all WatchpointSets that we assumed were valid are
        still valid and (b) if they are then we add the watchpoints to those sets. If any of the
        sets are invalid, we give up on this compilation and try again later.
        
        The querying of WatchpointSets is engineered to say that the set is still valid if it
        is so *right now*, but this is done in a racy way and so it may say so spuriously: we
        may, with hopefully low probability, have a set that says it is valid even though it was
        just invalidated. The goal is only to ensure that (i) a set never claims to be invalid
        if it is actually valid, (ii) a set doesn't claim to be valid if it was invalidated
        before compilation even began, and (iii) querying the validity of a set doesn't cause us
        to crash.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Watchpoint.cpp:
        (JSC::InlineWatchpointSet::inflateSlow):
        * bytecode/Watchpoint.h:
        (WatchpointSet):
        (InlineWatchpointSet):
        (JSC::InlineWatchpointSet::hasBeenInvalidated):
        (JSC::InlineWatchpointSet::isThin):
        (JSC::InlineWatchpointSet::isFat):
        (JSC::InlineWatchpointSet::fat):
        * dfg/DFGDesiredWatchpoints.cpp: Added.
        (DFG):
        (JSC::DFG::DesiredWatchpoints::DesiredWatchpoints):
        (JSC::DFG::DesiredWatchpoints::~DesiredWatchpoints):
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        (JSC::DFG::DesiredWatchpoints::areStillValid):
        * dfg/DFGDesiredWatchpoints.h: Added.
        (DFG):
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (WatchpointForGenericWatchpointSet):
        (GenericDesiredWatchpoints):
        (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        (DesiredWatchpoints):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addLazily):
        (JITCompiler):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLCompile.h:
        (FTL):
        * ftl/FTLState.h:
        (State):
        * runtime/JSFunction.h:
        (JSFunction):
        (JSC::JSFunction::allocationProfileWatchpointSet):
        * runtime/Structure.h:
        (Structure):
        (JSC::Structure::transitionWatchpointSet):

2013-07-16  Oliver Hunt <oliver@apple.com>

        Merge dfgFourthTier r148804

    2013-04-20  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: value profiles and array profiles should be thread-safe enough to be accessible in a concurrent compilation thread
        https://bugs.webkit.org/show_bug.cgi?id=114906

        Reviewed by Oliver Hunt.
        
        This introduces thread safety to value profiles, array profiles, and
        array allocation profiles.
        
        We already have three separate operations that happen on profiles:
        (1) writing, which the JIT, LLInt, and OSR exit do; (2) updating,
        which happens during GC, from OSR entry slow-paths, and in the DFG;
        and (3) reading, which happens in the DFG. For example, the JIT/LLInt
        and OSR exit write to ValueProfile::m_buckets, which gets synthesized
        into ValueProfile::m_prediction (and other fields) during update, and
        the latter gets read by the DFG. Note that (2) must also happen in
        the DFG since only the DFG knows which code blocks it will inline,
        and those blocks' profiles may not have otherwise been updated via
        any other mechanism.
        
        I refer to these three operations as writing, updating, and reading.
        
        Consequently, both profile updating and profile reading may happen
        asynchronously, if the JIT is asynchronous.
        
        The locking protocol for profiles works as follows:
        
        - Writing does not require locking, but is only allowed on the main
          thread. We require that these fields can be stored atomically by
          the profiling code, even without locks. For value profiles, this
          only works on 64-bit platforms, currently. For array profiles,
          which consist of multiple separate fields, this means that an
          asynchronous update of the profile may see slight inconsistencies
          (like a structure that doesn't quite match the array modes bits),
          but these should be harmless: at worst, the DFG will specialize
          too much and we'll have OSR exits.
        
        - Updating a value profile requires holding a lock, but must assume
          that the fields written by the profiling code in JIT/LLInt may
          be written to without locking.
        
        - Reading a value profile requires holding a lock.
        
        The one major exception to these rules is the ArrayAllocationProfile,
        which requires no locking. We do this because it's used so often and
        in places where we don't necessarily have access to the owning
        CodeBlock, so if we did want it to be locked it would have to have
        its own lock. Also, I believe that it is sound to just make this
        profile racy and not worry about locking at all. All that was needed
        were some changes to ensure that we explicitly read some raced-over
        fields only once.

        Two additional interesting things in this change:
        
        - To make it easy to see which profile methods require locking, they
          take a const CodeBlockLocker& as an argument. I saw this idiom for
          identifying which methods require which locks to be held being used
          in LLVM, and I quite like it.
        
        - Lazy operand value profiles, which are created lazily and at any
          time, require the CodeBlockLock to be held when they are being
          created. Writes to them are lockless and main-thread-only, but as
          with other profiles, updates and reads require locking.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateIndexingType):
        * bytecode/ArrayAllocationProfile.h:
        (JSC::ArrayAllocationProfile::selectIndexingType):
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        (JSC::ArrayProfile::briefDescription):
        * bytecode/ArrayProfile.h:
        (ArrayProfile):
        (JSC::ArrayProfile::expectedStructure):
        (JSC::ArrayProfile::structureIsPolymorphic):
        (JSC::ArrayProfile::hasDefiniteStructure):
        (JSC::ArrayProfile::observedArrayModes):
        (JSC::ArrayProfile::mayInterceptIndexedAccesses):
        (JSC::ArrayProfile::mayStoreToHole):
        (JSC::ArrayProfile::outOfBounds):
        (JSC::ArrayProfile::usesOriginalArrayStructures):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpValueProfiling):
        (JSC::CodeBlock::dumpArrayProfiling):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::updateAllArrayPredictions):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (JSC::CodeBlock::updateAllPredictionsAndCheckIfShouldOptimizeNow):
        (CodeBlock):
        * bytecode/CodeBlockLock.h: Added.
        (JSC):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/LazyOperandValueProfile.cpp:
        (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
        (JSC::CompressedLazyOperandValueProfileHolder::add):
        (JSC::LazyOperandValueProfileParser::LazyOperandValueProfileParser):
        (JSC::LazyOperandValueProfileParser::~LazyOperandValueProfileParser):
        (JSC):
        (JSC::LazyOperandValueProfileParser::initialize):
        (JSC::LazyOperandValueProfileParser::prediction):
        * bytecode/LazyOperandValueProfile.h:
        (CompressedLazyOperandValueProfileHolder):
        (LazyOperandValueProfileParser):
        * bytecode/MethodOfGettingAValueProfile.cpp:
        (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfileBase::briefDescription):
        (ValueProfileBase):
        (JSC::ValueProfileBase::computeUpdatedPrediction):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::fromObserved):
        * dfg/DFGArrayMode.h:
        (ArrayMode):
        (JSC::DFG::ArrayMode::withProfile):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::getArrayMode):
        (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOSRExitPreparation.cpp:
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * jit/JITInlines.h:
        (JSC::JIT::chooseArrayMode):
        * jit/JITStubs.cpp:
        (JSC::tryCachePutByID):
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * runtime/JSScope.cpp:
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolvePut):

2013-04-17  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: all inline caches should thread-safe enough to allow a concurrent compilation thread to read them safely
        https://bugs.webkit.org/show_bug.cgi?id=114762

        Reviewed by Mark Hahnenberg.
        
        For most inline caches this is easy: the inline cache has a clean temporal
        separation between doing the requested action (which may take an unbounded
        amount of time, may recurse, and may do arbitrary things) and recording the
        relevant information in the cache. So, we just put locks around the
        recording bit. That part is always O(1) and does not recurse. The lock we
        use is per-CodeBlock to achieve a good balance between locking granularity
        and low space overhead. So a concurrent compilation thread will only block
        if an inline cache ping-pongs in the code block being compiled (or inlined)
        and never when other inline caches do things.
        
        For resolve operations, it's a bit tricky. The global resolve bit works
        like any other IC in that it has the clean temporal separation. But the
        operations vector itself doesn't have this separation, since we will be
        filling it in tandem with actions that may take a long time. This patch
        gets around this by having a m_ready bit in the ResolveOperations and
        PutToBaseOperation. This is set while holding the CodeBlock's lock. If the
        DFG observes the m_ready bit not set (while holding the lock) then it
        conservatively assumes that the resolve hasn't happened yet and just
        plants a ForceOSRExit.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/ResolveGlobalStatus.cpp:
        (JSC::ResolveGlobalStatus::computeFor):
        * bytecode/ResolveOperation.h:
        (JSC::ResolveOperations::ResolveOperations):
        (ResolveOperations):
        (JSC::PutToBaseOperation::PutToBaseOperation):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseResolveOperations):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITStubs.cpp:
        (JSC::tryCachePutByID):
        (JSC::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * runtime/JSScope.cpp:
        (JSC::JSScope::resolveContainingScopeInternal):
        (JSC::JSScope::resolveContainingScope):
        (JSC::JSScope::resolvePut):

2013-04-16  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: DFG should be able to query Structure without modifying it
        https://bugs.webkit.org/show_bug.cgi?id=114708

        Reviewed by Oliver Hunt.
        
        This is work towards allowing the DFG, and FTL, to run on a separate thread.
        The idea is that the most evil thing that the DFG does that has thread-safety
        issues is fiddling with Structures by calling Structure::get(). This can lead
        to rematerialization of property tables, which is definitely not thread-safe
        due to how StringImpl works. So, this patch completely side-steps the problem
        by creating a new version of Structure::get, called
        Structure::getWithoutMaterializing, which may choose to do an O(n) search if
        necessary to avoid materialization. I believe this should be fine - the DFG
        does't call into these code path often enough for this to matter, and most of
        the time, the Structure that we call this on will already have a property
        table because some inline cache would have already called ::get() on that
        Structure.
        
        Also cleaned up the materialization logic: we can stop the search as soon as
        we find any Structure with a property table rather than searching all the way
        for a pinned one.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        * runtime/Structure.cpp:
        (JSC::Structure::findStructuresAndMapForMaterialization):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::getWithoutMaterializing):
        (JSC):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::getWithoutMaterializing):
        (JSC):

2013-04-13  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: Fix release build.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        * ftl/FTLExitValue.cpp:
        * ftl/FTLOSRExitCompiler.cpp:

2013-04-13  Filip Pizlo  <fpizlo@apple.com>

        fourthTier: FTL should have OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=113623

        Reviewed by Oliver Hunt.
        
        This implements OSR exit, and hilariously, it actually works. The idea is to have
        LLVM call a no-return function on the off-ramp, passing it everything we know about
        bytecode state that isn't already flushed to the call frame. Our own JIT takes care
        of the rest.
        
        We can now run all of SunSpider, V8, and Kraken with the FTL enabled.
        
        The details are described in FTLOSRExit.h.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * assembler/AbstractMacroAssembler.h:
        (Address):
        (JSC::AbstractMacroAssembler::Address::withOffset):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::offsetOf):
        (LinkBuffer):
        * assembler/MacroAssemblerX86Common.h:
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::RepatchBuffer):
        (JSC::RepatchBuffer::~RepatchBuffer):
        (RepatchBuffer):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/Operands.h:
        (Operands):
        (JSC):
        (JSC::::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        * dfg/DFGGPRInfo.h:
        (DFG):
        (GPRInfo):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        * dfg/DFGNodeType.h:
        (JSC::DFG::needsOSRBackwardRewiring):
        (DFG):
        (JSC::DFG::needsOSRForwardRewiring):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (DFG):
        (JSC::DFG::OSRExit::convertToForward):
        * dfg/DFGOSRExit.h:
        (OSRExit):
        * dfg/DFGOSRExitBase.cpp: Added.
        (DFG):
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        (JSC::DFG::OSRExitBase::doSearchForForwardConversion):
        * dfg/DFGOSRExitBase.h: Added.
        (DFG):
        (JSC::DFG::OSRExitBase::OSRExitBase):
        (OSRExitBase):
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        (JSC::DFG::reifyInlinedCallFrames):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOSRExitCompilerCommon.h:
        (DFG):
        * dfg/DFGOSRExitPreparation.cpp: Added.
        (DFG):
        (JSC::DFG::prepareCodeOriginForOSRExit):
        * dfg/DFGOSRExitPreparation.h: Added.
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::forSpeculation):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::functionType):
        (FTL):
        (JSC::FTL::typeOf):
        (JSC::FTL::appendBasicBlock):
        (JSC::FTL::insertBasicBlock):
        (JSC::FTL::buildCall):
        (JSC::FTL::setTailCall):
        * ftl/FTLCArgumentGetter.cpp: Added.
        (FTL):
        (JSC::FTL::CArgumentGetter::loadNextAndBox):
        * ftl/FTLCArgumentGetter.h: Added.
        (FTL):
        (JSC::FTL::isArgumentRegister):
        (CArgumentGetter):
        (JSC::FTL::CArgumentGetter::CArgumentGetter):
        (JSC::FTL::CArgumentGetter::loadNext8):
        (JSC::FTL::CArgumentGetter::loadNext32):
        (JSC::FTL::CArgumentGetter::loadNext64):
        (JSC::FTL::CArgumentGetter::loadNextPtr):
        (JSC::FTL::CArgumentGetter::loadNextDouble):
        (JSC::FTL::CArgumentGetter::nextAddress):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLExitArgument.cpp: Added.
        (FTL):
        (JSC::FTL::ExitArgument::dump):
        * ftl/FTLExitArgument.h: Added.
        (FTL):
        (ExitArgumentRepresentation):
        (ExitArgument):
        (JSC::FTL::ExitArgument::ExitArgument):
        (JSC::FTL::ExitArgument::operator!):
        (JSC::FTL::ExitArgument::format):
        (JSC::FTL::ExitArgument::argument):
        (JSC::FTL::ExitArgument::withFormat):
        (JSC::FTL::ExitArgument::representation):
        * ftl/FTLExitArgumentForOperand.cpp: Added.
        (FTL):
        (JSC::FTL::ExitArgumentForOperand::dump):
        * ftl/FTLExitArgumentForOperand.h: Added.
        (FTL):
        (ExitArgumentForOperand):
        (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
        (JSC::FTL::ExitArgumentForOperand::operator!):
        (JSC::FTL::ExitArgumentForOperand::exitArgument):
        (JSC::FTL::ExitArgumentForOperand::operand):
        (JSC::FTL::lesserArgumentIndex):
        * ftl/FTLExitArgumentList.h: Added.
        (FTL):
        * ftl/FTLExitThunkGenerator.cpp: Added.
        (FTL):
        (JSC::FTL::ExitThunkGenerator::ExitThunkGenerator):
        (JSC::FTL::ExitThunkGenerator::~ExitThunkGenerator):
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLExitThunkGenerator.h: Added.
        (FTL):
        (ExitThunkGenerator):
        (JSC::FTL::ExitThunkGenerator::didThings):
        * ftl/FTLExitValue.cpp: Added.
        (FTL):
        (JSC::FTL::ExitValue::dump):
        * ftl/FTLExitValue.h: Added.
        (FTL):
        (ExitValue):
        (JSC::FTL::ExitValue::ExitValue):
        (JSC::FTL::ExitValue::operator!):
        (JSC::FTL::ExitValue::dead):
        (JSC::FTL::ExitValue::inJSStack):
        (JSC::FTL::ExitValue::inJSStackAsInt32):
        (JSC::FTL::ExitValue::inJSStackAsDouble):
        (JSC::FTL::ExitValue::constant):
        (JSC::FTL::ExitValue::exitArgument):
        (JSC::FTL::ExitValue::kind):
        (JSC::FTL::ExitValue::isDead):
        (JSC::FTL::ExitValue::isInJSStackSomehow):
        (JSC::FTL::ExitValue::isConstant):
        (JSC::FTL::ExitValue::isArgument):
        * ftl/FTLFormattedValue.h:
        (FTL):
        (JSC::FTL::noValue):
        (JSC::FTL::int32Value):
        (JSC::FTL::uInt32Value):
        (JSC::FTL::booleanValue):
        (JSC::FTL::jsValueValue):
        (JSC::FTL::doubleValue):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::initializeExitThunks):
        (FTL):
        (JSC::FTL::JITCode::exitThunks):
        * ftl/FTLJITCode.h:
        (JITCode):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (FTL):
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileMovHint):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compileMovHintAndCheck):
        (JSC::FTL::LowerDFGToLLVM::compileAdd):
        (JSC::FTL::LowerDFGToLLVM::compileArithSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::speculateBackward):
        (JSC::FTL::LowerDFGToLLVM::speculateForward):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::terminate):
        (JSC::FTL::LowerDFGToLLVM::backwardTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::typeCheck):
        (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
        (JSC::FTL::LowerDFGToLLVM::lowInt32):
        (JSC::FTL::LowerDFGToLLVM::lowCell):
        (JSC::FTL::LowerDFGToLLVM::lowBoolean):
        (JSC::FTL::LowerDFGToLLVM::speculateObject):
        (JSC::FTL::LowerDFGToLLVM::isLive):
        (JSC::FTL::LowerDFGToLLVM::use):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        (JSC::FTL::LowerDFGToLLVM::addExitArgument):
        (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
        (JSC::FTL::LowerDFGToLLVM::observeMovHint):
        * ftl/FTLOSRExit.cpp: Added.
        (FTL):
        (JSC::FTL::OSRExit::OSRExit):
        (JSC::FTL::OSRExit::codeLocationForRepatch):
        (JSC::FTL::OSRExit::convertToForward):
        * ftl/FTLOSRExit.h: Added.
        (FTL):
        (OSRExit):
        * ftl/FTLOSRExitCompilationInfo.h: Added.
        (FTL):
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
        (OSRExitCompilationInfo):
        * ftl/FTLOSRExitCompiler.cpp: Added.
        (FTL):
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLOSRExitCompiler.h: Added.
        (FTL):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::newBlock):
        (JSC::FTL::Ou