2014-04-21  Eric Carlson  <eric.carlson@apple.com>

        [Mac] implement WebKitDataCue
        https://bugs.webkit.org/show_bug.cgi?id=131799

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed test gardening, run the repeat-out-of-bounds tests again.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        OSR exit should know about Int52 and Double constants
        https://bugs.webkit.org/show_bug.cgi?id=131945

        Reviewed by Oliver Hunt.
        
        The DFG OSR exit machinery's ignorance would lead to some constants becoming
        jsUndefined() after OSR exit.
        
        The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
        stackmap constant rather than baking the constant into the OSRExit data structure.
        So, not a big deal, but worth fixing.
        
        Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGMinifiedNode.h:
        (JSC::DFG::belongsInMinifiedGraph):
        (JSC::DFG::MinifiedNode::hasConstantNumber):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionOtherFalse):
        (functionUndefined):
        * runtime/Intrinsic.h:
        * tests/stress/fold-to-double-constant-then-exit.js: Added.
        (foo):
        * tests/stress/fold-to-int52-constant-then-exit.js: Added.
        (foo):

2014-04-21  Filip Pizlo  <fpizlo@apple.com>

        Provide feedback when we encounter an unrecognized node in the FTL backend.

        Rubber stamped by Alexey Proskuryakov.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2014-04-21  Andreas Kling  <akling@apple.com>

        Move the JSString cache from DOMWrapperWorld to VM.
        <https://webkit.org/b/131940>

        Reviewed by Geoff Garen.

        * runtime/VM.h:

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        Take block execution count estimates into account when voting double
        https://bugs.webkit.org/show_bug.cgi?id=131906

        Reviewed by Geoffrey Garen.
        
        This was a drama in three acts.
        
        Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
            number of uses of a variable that want double or non-double. Easy as pie. This
            gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
            else.
        
        Act II: Realize that there were some programs where our previous double voting was
            just on the edge of disaster and making it more precise tipped it over. In
            particular, if you had an integer variable that would infrequently be used in a
            computation that resulted in a variable that was frequently used as an array index,
            the outer infrequentness would be the thing we'd use in the vote. So, an array
            index would become double. We fix this by reviving global backwards propagation
            and introducing the concept of ReallyWantsInt, which is used just for array
            indices. Any variable transitively flagged as ReallyWantsInt will never be forced
            double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
            be set in bitops for RageConversion but using it for double forcing is too much.
            Basically, it's cheaper to have to convert a double to an int for a bitop than it
            is to convert a double to an int for an array index; also a variable being used as
            an array index is a much stronger hint that it ought to be an int. This recovered
            performance on everything except programs that used FTL OSR entry.
        
        Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
            count, which then completely pollutes the weighting - essentially all votes go
            NaN. Fix this with some surgical defenses. Basically, any client of execution
            counts should allow for them to be NaN and shouldn't completely fall off a cliff
            when it happens.
        
        This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
        7% speed-up on AsmBench and 2% speed-up on Kraken.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpBlockHeader):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::voteNode):
        (JSC::DFG::Graph::voteChildren):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        * dfg/DFGVariableAccessData.cpp: Added.
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsCaptured):
        (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
        (JSC::DFG::VariableAccessData::predict):
        (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::mergeDoubleFormatState):
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        (JSC::DFG::VariableAccessData::flushFormat):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::vote):
        (JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
        (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
        (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
        (JSC::DFG::VariableAccessData::predict): Deleted.
        (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
        (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
        (JSC::DFG::VariableAccessData::flushFormat): Deleted.
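        Added example (not JavaScriptCore code, and not part of the entry above): a small
        model of the weighted double vote described in Acts I-III. Each use of a variable
        votes Double or Value, weighted by its block's execution count; a NaN count (the
        OSR-entry case) is mapped to a neutral weight so the tally cannot go NaN, and a use
        flagged ReallyWantsInt vetoes the double format outright. The weight policy (NaN
        counts as one execution), the majority rule and all names are assumptions made for
        the illustration; naiveWeight is kept only to show the cliff the entry describes.

```cpp
#include <cmath>
#include <vector>

// Added example, not JSC's own code. Models the weighted double vote from the
// ChangeLog entry: uses vote Double or Value, weighted by block execution count.
enum class Vote { Double, Value };

struct Use {
    Vote vote;
    double blockExecutionCount; // estimate; NaN for blocks created at OSR entry
    bool reallyWantsInt;        // use is (transitively) an array index
};

struct Tally {
    double doubleVotes = 0;
    double valueVotes = 0;
    bool reallyWantsInt = false;
};

// The "fall off a cliff" weight: NaN flows straight into every sum.
inline double naiveWeight(double executionCount)
{
    return executionCount;
}

// Defensive weight (assumption): an unknown count is treated as one execution,
// so one NaN block cannot poison the whole vote.
inline double safeWeight(double executionCount)
{
    if (std::isnan(executionCount))
        return 1.0;
    return executionCount;
}

inline Tally tallyVotes(const std::vector<Use>& uses, double (*weight)(double) = safeWeight)
{
    Tally tally;
    for (const Use& use : uses) {
        double w = weight(use.blockExecutionCount);
        if (use.vote == Vote::Double)
            tally.doubleVotes += w;
        else
            tally.valueVotes += w;
        tally.reallyWantsInt |= use.reallyWantsInt;
    }
    return tally;
}

// Decision rule (assumption: weighted majority). A variable that is used as an
// array index anywhere downstream is never forced to double format, however
// lopsided the vote, because converting it back to int on every access costs
// more than the double representation saves.
inline bool shouldUseDoubleFormat(const Tally& tally)
{
    if (tally.reallyWantsInt)
        return false;
    return tally.doubleVotes > tally.valueVotes;
}
```

        With naiveWeight a single NaN-count block makes doubleVotes NaN, and since every
        comparison against NaN is false the variable can never win the vote; safeWeight keeps
        the tally finite and lets the ReallyWantsInt veto and the majority rule do their job.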

2014-04-21  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r167591): ARM64 and ARM traditional builds broken
        https://bugs.webkit.org/show_bug.cgi?id=131935

        Reviewed by Mark Hahnenberg.

        Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
        macro assemblers.  Added a new test for the original patch.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::store8):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store8):
        * tests/stress/dfg-create-arguments-inline-alloc.js: New test.

2014-04-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline allocate Arguments objects in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=131897

        Reviewed by Geoffrey Garen.

        Many libraries/frameworks depend on the arguments object for overloaded API entry points. 
        This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create 
        for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateArguments):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Arguments.h:
        (JSC::Arguments::offsetOfActivation):
        (JSC::Arguments::offsetOfOverrodeLength):
        (JSC::Arguments::offsetOfIsStrictMode):
        (JSC::Arguments::offsetOfRegisterArray):
        (JSC::Arguments::offsetOfCallee):
        (JSC::Arguments::allocationSize):

2014-04-20  Andreas Kling  <akling@apple.com>

        Speed up jsStringWithCache() through WeakGCMap inlining.
        <https://webkit.org/b/131923>

        Always inline WeakGCMap::add() but move the slow garbage collecting
        path out-of-line.

        Reviewed by Darin Adler.

        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::gcMap):

2014-04-20  László Langó  <llango.u-szeged@partner.samsung.com>

        JavaScriptCore: ARM build fix after r167094.
        https://bugs.webkit.org/show_bug.cgi?id=131612

        Reviewed by Michael Saboff.

        After r167094 there are many build errors on ARM like these:

            /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
            /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
            /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
            /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup

        Problem is caused by the wrong generated assembly like:
            "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741

        `mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
        the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
        Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
        use case: move rn, (label1-label2) which is translated to movw and movt.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/arm.rb:
        * offlineasm/instructions.rb:

2014-04-20  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Unreviewed build fix after r167336.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchAdd32):

2014-04-20  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167501.
        https://bugs.webkit.org/show_bug.cgi?id=131913

        It broke DYEBench (Requested by mhahnenberg on #webkit).

        Reverted changeset:

        "Deleting properties poisons objects"
        https://bugs.webkit.org/show_bug.cgi?id=131551
        http://trac.webkit.org/changeset/167501

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        It should be OK to store new fields into objects that have no prototypes
        https://bugs.webkit.org/show_bug.cgi?id=131905

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        * tests/stress/put-by-id-transition-null-prototype.js: Added.
        (foo):

2014-04-19  Benjamin Poulain  <bpoulain@apple.com>

        Make the CSS JIT compile for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=131834

        Reviewed by Gavin Barraclough.

        Extend the ARM64 MacroAssembler to support the code generation required by
        the CSS JIT.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::addPtrNoFlags):
        (JSC::MacroAssemblerARM64::or32):
        (JSC::MacroAssemblerARM64::branchPtr):
        (JSC::MacroAssemblerARM64::test32):
        (JSC::MacroAssemblerARM64::branch):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::test32):

2014-04-19  Andreas Kling  <akling@apple.com>

        Two little shortcuts to the JSType.
        <https://webkit.org/b/131896>

        Tweak two sites that take the long road through JSCell::structure()->typeInfo()
        to look at data that's already in JSCell::type().

        Reviewed by Darin Adler.

        * runtime/NameInstance.h:
        (JSC::isName):
        * runtime/NumberPrototype.cpp:
        (JSC::toThisNumber):

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        Make it easier to check if an integer sum would overflow
        https://bugs.webkit.org/show_bug.cgi?id=131900

        Reviewed by Darin Adler.

        * dfg/DFGOperations.cpp:
        * runtime/Operations.h:
        (JSC::jsString):

2014-04-19  Filip Pizlo  <fpizlo@apple.com>

        Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.

        * dfg/DFGOperations.cpp:
        * runtime/JSString.h:
        (JSC::JSRopeString::RopeBuilder::append):

2014-04-18  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r164205): WebKit crash @StructureIDTable::get.
        <https://webkit.org/b/130539>

        Reviewed by Geoffrey Garen.

        prepareOSREntry() prepares for OSR entry by first copying the local var
        values from the baseline frame to a scratch buffer, which is then used
        to fill in the locals in their new position in the DFG frame.  Unfortunately,
        prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
        size of the baseline frame.  As a result, some values of locals in the
        baseline frame were not saved off, and the DFG frame may get initialized
        with random content that happened to be in the uninitialized (and possibly
        unallocated) portions of the scratch buffer.

        The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
        number of locals in the baseline frame that we want to copy to the scratch
        buffer.

        Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
        at offset 0 in the scratch buffer.  So, we continue to write that value
        there, not the baseline frame size.

        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):

2014-04-18  Timothy Hatcher  <timothy@apple.com>

        Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=131673

        Passes existing profiler and inspector tests.

        Reviewed by Joseph Pecoraro.

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSConsoleClient.cpp:
        (Inspector::JSConsoleClient::JSConsoleClient):
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        (Inspector::JSConsoleClient::count): Deleted.
        * inspector/JSConsoleClient.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/agents/InspectorProfilerAgent.cpp: Added.
        (Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
        (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
        (Inspector::InspectorProfilerAgent::addProfile):
        (Inspector::InspectorProfilerAgent::createProfileHeader):
        (Inspector::InspectorProfilerAgent::enable):
        (Inspector::InspectorProfilerAgent::disable):
        (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
        (Inspector::InspectorProfilerAgent::getProfileHeaders):
        (Inspector::buildInspectorObject):
        (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
        (Inspector::InspectorProfilerAgent::getCPUProfile):
        (Inspector::InspectorProfilerAgent::removeProfile):
        (Inspector::InspectorProfilerAgent::reset):
        (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
        (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
        (Inspector::InspectorProfilerAgent::start):
        (Inspector::InspectorProfilerAgent::stop):
        (Inspector::InspectorProfilerAgent::setRecordingProfile):
        (Inspector::InspectorProfilerAgent::startProfiling):
        (Inspector::InspectorProfilerAgent::stopProfiling):
        * inspector/agents/InspectorProfilerAgent.h: Added.
        * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
        (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
        (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
        * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
        * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
        * profiler/Profile.h:
        * runtime/ConsoleClient.h:

2014-04-18  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167527.
        https://bugs.webkit.org/show_bug.cgi?id=131883

        Broke 32-bit build (Requested by ap on #webkit).

        Reverted changeset:

        "[Mac] implement WebKitDataCue"
        https://bugs.webkit.org/show_bug.cgi?id=131799
        http://trac.webkit.org/changeset/167527

2014-04-18  Eric Carlson  <eric.carlson@apple.com>

        [Mac] implement WebKitDataCue
        https://bugs.webkit.org/show_bug.cgi?id=131799

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.

2014-04-18  Filip Pizlo  <fpizlo@apple.com>

        Actually address Mark's review feedback.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):

2014-04-18  Filip Pizlo  <fpizlo@apple.com>

        Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
        https://bugs.webkit.org/show_bug.cgi?id=131850

        Reviewed by Mark Hahnenberg.
        
        Templatize ExecutionCounter to allow for two different styles of calculating the
        checkpoint threshold.
        
        Appears to be a slight speed-up on DYEBench.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::llintExecuteCounter):
        (JSC::CodeBlock::offsetOfJITExecuteCounter):
        (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
        (JSC::CodeBlock::offsetOfJITExecutionTotalCount):
        (JSC::CodeBlock::jitExecuteCounter):
        * bytecode/ExecutionCounter.cpp:
        (JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
        (JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
        (JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
        (JSC::ExecutionCounter<countingVariant>::setNewThreshold):
        (JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
        (JSC::applyMemoryUsageHeuristics):
        (JSC::applyMemoryUsageHeuristicsAndConvertToInt):
        (JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
        (JSC::ExecutionCounter<countingVariant>::setThreshold):
        (JSC::ExecutionCounter<countingVariant>::reset):
        (JSC::ExecutionCounter<countingVariant>::dump):
        (JSC::ExecutionCounter::ExecutionCounter): Deleted.
        (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
        (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
        (JSC::ExecutionCounter::setNewThreshold): Deleted.
        (JSC::ExecutionCounter::deferIndefinitely): Deleted.
        (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
        (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
        (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
        (JSC::ExecutionCounter::setThreshold): Deleted.
        (JSC::ExecutionCounter::reset): Deleted.
        (JSC::ExecutionCounter::dump): Deleted.
        * bytecode/ExecutionCounter.h:
        (JSC::formattedTotalExecutionCount):
        (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
        (JSC::ExecutionCounter::clippedThreshold):
        (JSC::ExecutionCounter::formattedTotalCount): Deleted.
        * dfg/DFGJITCode.h:
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * llint/LowLevelInterpreter.asm:
        * runtime/Options.h:

2014-04-17  Mark Hahnenberg  <mhahnenberg@apple.com>

        Deleting properties poisons objects
        https://bugs.webkit.org/show_bug.cgi?id=131551

        Reviewed by Geoffrey Garen.

        This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
        (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of 
        Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache 
        delete transitions, but we allow transitioning from them.
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
        (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.

2014-04-17  Filip Pizlo  <fpizlo@apple.com>

        InlineCallFrameSet should be refcounted
        https://bugs.webkit.org/show_bug.cgi?id=131829

        Reviewed by Geoffrey Garen.
        
        And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
        became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
        Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
        the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
        
        So, just make the darn thing refcounted.

        * bytecode/InlineCallFrameSet.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::requiredRegisterCountForExit):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        * dfg/DFGPlan.h:
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):

2014-04-17  Filip Pizlo  <fpizlo@apple.com>

        FTL::fail() should manage memory "correctly"
        https://bugs.webkit.org/show_bug.cgi?id=131823
        <rdar://problem/16384297>

        Reviewed by Oliver Hunt.

        * ftl/FTLFail.cpp:
        (JSC::FTL::fail):

2014-04-17  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagator should correctly model Int52s flowing through arguments
        https://bugs.webkit.org/show_bug.cgi?id=131822
        <rdar://problem/16641408>

        Reviewed by Oliver Hunt.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * tests/stress/int52-argument.js: Added.
        (foo):
        * tests/stress/int52-variable.js: Added.
        (foo):

2014-04-17  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
        https://bugs.webkit.org/show_bug.cgi?id=131798

        Reviewed by Alexey Proskuryakov.
        
        Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
        of this assertion can return. For now, it's not clear that the assertion is guarding
        any truly undesirable behavior - so it should just go away and be replaced with a
        FIXME.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * runtime/Structure.h:
        (JSC::Structure::takesSlowPathInDFGForImpureProperty):

2014-04-17  David Kilzer  <ddkilzer@apple.com>

        Blind attempt to fix Windows build after r166837
        <http://webkit.org/b/131246>

        Hoping to fix this build error:

            warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result.  The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
        boo-boo by changing the GCLogging.cpp ClCompile entry to a
        GCLogging.h ClInclude entry.

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
        https://bugs.webkit.org/show_bug.cgi?id=131764

        Reviewed by Geoffrey Garen.
        
        The attached test case can be made to not crash by deleting old code. It used to be
        the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
        long ago. At this point, these guards just make life difficult. So get rid of them.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * tests/stress/bug-131764.js: Added.
        (test1):
        (test2):

2014-04-17  Darin Adler  <darin@apple.com>

        Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
        https://bugs.webkit.org/show_bug.cgi?id=131785
        rdar://problem/16003108

        Reviewed by Brady Eidson.

        * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.

2014-04-16  Alexey Proskuryakov  <ap@apple.com>

        Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)

        * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Extra error reporting for invalid value conversions
        https://bugs.webkit.org/show_bug.cgi?id=131786

        Rubber stamped by Ryosuke Niwa.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Sink NaN sanitization to uses and remove it when it's unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=131419

        Reviewed by Oliver Hunt.
        
        This moves NaN purification to stores that could see an impure NaN.
        
        5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
        though, because of the other bug that causes that benchmark to box doubles in a loop.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isMachineIntSpeculationForArithmetic):
        (JSC::isDoubleSpeculation):
        (JSC::isDoubleSpeculationForArithmetic):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueRep):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueRep):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * runtime/PureNaN.h:
        * tests/stress/float32-array-nan-inlined.js: Added.
        (foo):
        (test):
        * tests/stress/float32-array-nan.js: Added.
        (foo):
        (test):
        * tests/stress/float64-array-nan-inlined.js: Added.
        (foo):
        (isBigEndian):
        (test):
        * tests/stress/float64-array-nan.js: Added.
        (foo):
        (isBigEndian):
        (test):

2014-04-16  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
        to 32-bit builds, and revise the comment to explain what we are
        doing.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isMachineInt): Provide motivation for the new
        'isinf' check for our 32-bit code path.

2014-04-16  Juergen Ributzka  <juergen@apple.com>

        Allocate the data section on the heap again for FTL on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=130156

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:

2014-04-16  Mark Lam  <mark.lam@apple.com>

        Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
        <https://webkit.org/b/131747>

        Reviewed by Filip Pizlo.

        When the debugger is about to activate (e.g. enter stepping mode), it first
        waits for all DFG compilations to complete.  However, when the DFG completes,
        if compilation is successful, it will install a new DFG codeBlock.  The
        CodeBlock installation process is required to register codeBlocks with the
        debugger.  Debugger::registerCodeBlock() will eventually call
        CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
        trying to install.  Thereafter, chaos ensues.

        This jettisoning only happens because the debugger currently sets its
        m_steppingMode flag before waiting for compilation to complete.  The fix is
        simply to set that flag only after compilation is complete.

        * debugger/Debugger.cpp:
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::registerCodeBlock):

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
        https://bugs.webkit.org/show_bug.cgi?id=131420

        Reviewed by Oliver Hunt.
        
        Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
        replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
        goes through the purifyNaN() API.
        
        SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
        
        Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
        have to be too cautious since most prediction-based logic only cares about whether or not
        a value could be an integer.
        
        AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
        anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
        soundly and precisely.
        
        No performance change because this just unblocks
        https://bugs.webkit.org/show_bug.cgi?id=131419.

        * API/JSValueRef.cpp:
        (JSValueMakeNumber):
        (JSValueToNumber):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationFromValue):
        (JSC::typeOfDoubleSum):
        (JSC::typeOfDoubleDifference):
        (JSC::typeOfDoubleProduct):
        (JSC::polluteDouble):
        (JSC::typeOfDoubleQuotient):
        (JSC::typeOfDoubleMinMax):
        (JSC::typeOfDoubleNegation):
        (JSC::typeOfDoubleAbs):
        (JSC::typeOfDoubleFRound):
        (JSC::typeOfDoubleBinaryOp):
        (JSC::typeOfDoubleUnaryOp):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNode.h:
        (JSC::DFG::BranchTarget::BranchTarget):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
        (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
        (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
        * jit/AssemblyHelpers.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        * runtime/DateInstanceCache.h:
        (JSC::DateInstanceData::DateInstanceData):
        (JSC::DateInstanceCache::reset):
        * runtime/ExceptionHelpers.cpp:
        (JSC::TerminatedExecutionError::defaultValue):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toNumberSlowCase):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::jsNaN):
        (JSC::JSValue::JSValue):
        (JSC::JSValue::getPrimitiveNumber):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        (JSC::jsStrDecimalLiteral):
        (JSC::toDouble):
        (JSC::jsToNumber):
        (JSC::parseFloat):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::ensureLengthSlow):
        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        * runtime/PureNaN.h: Added.
        (JSC::pureNaN):
        (JSC::isImpureNaN):
        (JSC::purifyNaN):
        * runtime/TypedArrayAdaptors.h:
        (JSC::FloatTypedArrayAdaptor::toJSValue):
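
        Added example (not part of this ChangeLog entry or of JSC's source): a small C++
        model of why a NaN must be purified before it is tagged. The pureNaN()/isImpureNaN()/
        purifyNaN() names follow the entry; the NaN-boxing layout below (doubles stored as
        their bits plus 2^48, pointers with a zero top 16 bits, int32 under an all-ones tag)
        is an assumed, simplified encoding used only to show the collision, and the hostile
        NaN bit pattern is constructed for the demonstration.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Bit-level helpers; memcpy avoids strict-aliasing problems.
static uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
static double fromBits(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

// The canonical quiet NaN: exponent all ones, quiet bit set, no payload, no sign bit.
static const uint64_t kPureNaNBits = 0x7ff8000000000000ull;

double pureNaN() { return fromBits(kPureNaNBits); }

// Any NaN whose bit pattern differs from the canonical one (sign bit set,
// payload bits, signalling NaN) is "impure" and must not be tagged as-is.
bool isImpureNaN(double d) { return std::isnan(d) && bitsOf(d) != kPureNaNBits; }

// Collapse every NaN onto the canonical one; non-NaN values pass through unchanged.
double purifyNaN(double d) { return d != d ? pureNaN() : d; }

// Assumed toy NaN-boxing layout (simplified model, not JSC's exact encoding):
// a double is stored as its bits plus 2^48. Every finite double, the infinities
// and the pure NaN then land strictly between the pointer region (top 16 bits
// zero) and the int32 region (top 16 bits all ones).
static const uint64_t kDoubleEncodeOffset = 1ull << 48;
static const uint64_t kNumberTag = 0xffff000000000000ull;

uint64_t encodeDouble(double d) { return bitsOf(d) + kDoubleEncodeOffset; }

// True when an encoded word still lies in the region reserved for doubles,
// i.e. it cannot be misread as a pointer or as a tagged int32.
bool encodedAsDouble(uint64_t word)
{
    return (word >> 48) != 0 && (word & kNumberTag) != kNumberTag;
}

// Does tagging this raw bit pattern (constructed sample) keep it in the double region?
bool encodesSafely(uint64_t rawBits)
{
    return encodedAsDouble(encodeDouble(fromBits(rawBits)));
}

// Same question after the value has been run through purifyNaN().
bool encodesSafelyAfterPurify(uint64_t rawBits)
{
    return encodedAsDouble(encodeDouble(purifyNaN(fromBits(rawBits))));
}
```

        The constructed pattern 0xffff000000000042 is a valid NaN, but adding 2^48 to it wraps
        to 0x0000000000000042, which the toy decoder would read as a pointer; after purification
        the same value encodes to 0x7ff9000000000000 and stays a double. That is the class of
        value the entry distinguishes as "needs purification before tagging".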

2014-04-16  Juergen Ributzka  <juergen@apple.com>

        Enable system library calls in FTL for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=130154

        Reviewed by Geoffrey Garen and Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):

2014-04-16  peavo@outlook.com  <peavo@outlook.com>

        Fix JSC Debug Regressions on Windows
        https://bugs.webkit.org/show_bug.cgi?id=131182

        Reviewed by Brent Fulgham.

        The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
        and set the st floating point register tags, if the value of the number parameter is infinite.
        If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
        This can be avoided by checking for infinity first.

        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions): Re-enable jit for Windows.
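
        Added example (not this entry's code and not JSC's actual isMachineInt): a C++ version
        of the check that rejects NaN and the infinities before any double-to-integer cast, as
        the entry describes, and additionally bounds the value before casting so the conversion
        is defined for huge finite doubles as well. The 52-bit "machine int" range is an
        assumption of this example.

```cpp
#include <cmath>
#include <cstdint>

// Assumed range of a "machine int" for this example: a signed 52-bit integer,
// so accepted values lie in [-2^51, 2^51).
static const int kNumberOfInt52Bits = 52;

// Is `number` a double that represents a machine int exactly?
// static_cast<int64_t> of NaN, +/-inf or any out-of-range double is undefined
// behaviour in C++ and, on x86, raises the invalid-operation flag (the x87
// status/tag state the entry describes). So every such value is rejected
// before the cast is reached.
bool isMachineIntSafe(double number)
{
    if (number != number)            // NaN never compares equal to itself
        return false;
    if (std::isinf(number))          // reject +inf / -inf before the cast
        return false;

    // Bound the value first: this also makes the cast below well-defined
    // for finite doubles such as 1e300 that do not fit an int64_t.
    const double limit = static_cast<double>(int64_t(1) << (kNumberOfInt52Bits - 1)); // 2^51
    if (number >= limit || number < -limit)
        return false;

    int64_t asInt64 = static_cast<int64_t>(number);
    if (static_cast<double>(asInt64) != number)   // has a fractional part
        return false;
    if (!asInt64 && std::signbit(number))         // -0.0 is not an integer value
        return false;
    return true;
}
```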

2014-04-16  Oliver Hunt  <oliver@apple.com>

        Simple ES6 feature: Array.prototype.fill
        https://bugs.webkit.org/show_bug.cgi?id=131703

        Reviewed by David Hyatt.

        Add support for Array.prototype.fill

        * builtins/Array.prototype.js:
        (fill):
        * runtime/ArrayPrototype.cpp:

2014-04-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=131728

        Reviewed by Darin Adler.

        * runtime/JSObject.cpp:
        (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the 
        path we expect to never take. Also shut up confused compilers about uninitialized things.

2014-04-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, ARMv7 build fix after r167336.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branchAdd32):

2014-04-16  Gabor Rapcsanyi  <rgabor@webkit.org>

        Unreviewed, ARM64 build fix after r167336.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        compileMakeRope does not emit necessary bounds checks
        https://bugs.webkit.org/show_bug.cgi?id=130684
        <rdar://problem/16398388>

        Reviewed by Oliver Hunt.
        
        Add string length bounds checks in a bunch of places. We should never allow a string
        to have a length greater than 2^31-1 because it's not clear that the language has
        semantics for it and because there is code that assumes that this cannot happen.
        
        Also add a bunch of tests to that effect to cover the various ways in which this was
        previously allowed to happen.

        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::RopeBuilder::expand):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSRopeString::RopeBuilder::append):
        (JSC::JSRopeString::RopeBuilder::release):
        (JSC::JSRopeString::append):
        * runtime/Operations.h:
        (JSC::jsString):
        (JSC::jsStringFromRegisterArray):
        (JSC::jsStringFromArguments):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        * tests/stress/make-large-string-jit-strcat.js: Added.
        (foo):
        * tests/stress/make-large-string-jit.js: Added.
        (foo):
        * tests/stress/make-large-string-strcat.js: Added.
        * tests/stress/make-large-string.js: Added.

2014-04-15  Julien Brianceau  <jbriance@cisco.com>

        Remove invalid sh4 specific code in JITInlines header.
        https://bugs.webkit.org/show_bug.cgi?id=131692

        Reviewed by Geoffrey Garen.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
        anymore since r160244, so the sh4 specific code is invalid now
        and has to be removed.

2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix precedence issue in JSCell::setRemembered

        Rubber stamped by Filip Pizlo.

        * runtime/JSCell.h:
        (JSC::JSCell::setRemembered):

2014-04-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API external object graphs don't handle generational collection properly
        https://bugs.webkit.org/show_bug.cgi?id=131634

        Reviewed by Geoffrey Garen.

        If the set of Objective-C objects transitively reachable through an object changes, we 
        need to update the set of opaque roots accordingly. If we don't, the next EdenCollection 
        won't rescan the external object graph, which would lead us to consider a newly allocated 
        JSManagedValue to be dead.

        * API/JSBase.cpp:
        (JSSynchronousEdenCollectForDebugging):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (-[JSVirtualMachine isOldExternalObject:]):
        (-[JSVirtualMachine addExternalRememberedObject:]):
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        (-[JSVirtualMachine externalRememberedSet]):
        (scanExternalObjectGraph):
        (scanExternalRememberedSet):
        * API/JSVirtualMachineInternal.h:
        * API/tests/testapi.mm:
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        (JSC::Heap::slotVisitor):
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRoot):
        (JSC::SlotVisitor::containsOpaqueRootTriState):

2014-04-15  Filip Pizlo  <fpizlo@apple.com>

        DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
        https://bugs.webkit.org/show_bug.cgi?id=131423

        Reviewed by Geoffrey Garen.
        
        This introduces more static typing into DFG IR. Previously we just had the notion of
        JSValues and Storage. This was weird because doubles weren't always convertible to
        JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
        sort of insert explicit conversion nodes just for the places where we knew that an
        implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
        we'd get bugs from forgetting to do the right conversion.
        
        This patch introduces a hard and fast rule: doubles can never be implicitly converted to
        anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
        nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
        conversions. They are like Identity but return the same value using a different
        representation. Likewise, constants may now be represented using either JSConstant,
        Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
        Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
        Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
        we speculate DoubleReal and expect Double representation.
        
        In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
        this also makes it easier to introduce optimizations in the future. It's now possible for
        AI to model when/how conversions take place. For example if doing a conversion results in
        NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
        what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
        
        This was a big change, so I had to do some interesting things, like finally getting rid of
        the DFG's weird variadic template macro hacks and using real C++11 variadic templates. Also
        the ByteCodeParser no longer emits Identity nodes since that was always pointless.
        
        No performance change because this mostly just rationalizes preexisting behavior.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86.h:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * dfg/DFGAbstractInterpreter.h:
        (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
        (JSC::DFG::AbstractInterpreter::setConstant):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAbstractValue.cpp:
        (JSC::DFG::AbstractValue::set):
        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
        (JSC::DFG::AbstractValue::checkConsistency):
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBasicBlockInlines.h:
        (JSC::DFG::BasicBlock::appendNode):
        (JSC::DFG::BasicBlock::appendNonTerminal):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
        * dfg/DFGCapabilities.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::willNotHaveCheck):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
        (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
        (JSC::DFG::FixupPhase::fixEdgeRepresentation):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        (JSC::DFG::FixupPhase::addRequiredPhantom):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addNode):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        * dfg/DFGInsertionSet.h:
        (JSC::DFG::InsertionSet::insertNode):
        (JSC::DFG::InsertionSet::insertConstant):
        (JSC::DFG::InsertionSet::insertConstantForUse):
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
        (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
        * dfg/DFGNode.cpp:
        (JSC::DFG::Node::convertToIdentity):
        (WTF::printInternal):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::setResult):
        (JSC::DFG::Node::result):
        (JSC::DFG::Node::isConstant):
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::hasInt32Result):
        (JSC::DFG::Node::hasInt52Result):
        (JSC::DFG::Node::hasNumberResult):
        (JSC::DFG::Node::hasDoubleResult):
        (JSC::DFG::Node::hasJSResult):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::hasStorageResult):
        (JSC::DFG::Node::defaultUseKind):
        (JSC::DFG::Node::defaultEdge):
        (JSC::DFG::Node::convertToIdentity): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::canonicalResultRepresentation):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGResurrectionForValidationPhase.cpp:
        (JSC::DFG::ResurrectionForValidationPhase::run):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
        (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
        (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
        (JSC::DFG::JSValueRegsTemporary::regs):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileValueRep):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileArithSub):
        (JSC::DFG::SpeculativeJIT::compileArithNegate):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateNumber):
        (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
        (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::allocate):
        (JSC::DFG::SpeculativeJIT::use):
        (JSC::DFG::SpeculativeJIT::boxDouble):
        (JSC::DFG::SpeculativeJIT::spill):
        (JSC::DFG::SpeculativeJIT::jsValueResult):
        (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
        (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
        (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::shouldNotHaveTypeCheck):
        (JSC::DFG::mayHaveTypeCheck):
        (JSC::DFG::isNumerical):
        (JSC::DFG::isDouble):
        (JSC::DFG::isCell):
        (JSC::DFG::usesStructure):
        (JSC::DFG::useKindForResult):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * dfg/DFGVariadicFunction.h: Removed.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
        (JSC::FTL::LowerDFGToLLVM::compilePhi):
        (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
        (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
        (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
        (JSC::FTL::LowerDFGToLLVM::compileValueRep):
        (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
        (JSC::FTL::LowerDFGToLLVM::compileArithMul):
        (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
        (JSC::FTL::LowerDFGToLLVM::compileArithMod):
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
        (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compare):
        (JSC::FTL::LowerDFGToLLVM::boolify):
        (JSC::FTL::LowerDFGToLLVM::lowInt52):
        (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
        (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
        (JSC::FTL::LowerDFGToLLVM::lowDouble):
        (JSC::FTL::LowerDFGToLLVM::lowJSValue):
        (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
        (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateNumber):
        (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
        (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
        (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
        (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
        (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
        * ftl/FTLValueFormat.cpp:
        (JSC::FTL::reboxAccordingToFormat):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::sanitizeDouble):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::boxDouble):

2014-04-15  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167199 and r167251.
        https://bugs.webkit.org/show_bug.cgi?id=131678

        Caused a DYEBench regression and does not seem to improve perf
        on relevant websites (Requested by rniwa on #webkit).

        Reverted changesets:

        "Rewrite Function.bind as a builtin"
        https://bugs.webkit.org/show_bug.cgi?id=131083
        http://trac.webkit.org/changeset/167199

        "Update test result"
        http://trac.webkit.org/changeset/167251

2014-04-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167272.
        https://bugs.webkit.org/show_bug.cgi?id=131666

        Broke multiple tests (Requested by ap on #webkit).

        Reverted changeset:

        "Function.bind itself is too slow"
        https://bugs.webkit.org/show_bug.cgi?id=131636
        http://trac.webkit.org/changeset/167272

2014-04-14  Geoffrey Garen  <ggaren@apple.com>

        ASSERT when firing low memory warning
        https://bugs.webkit.org/show_bug.cgi?id=131659

        Reviewed by Mark Hahnenberg.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
        called when no GC is happening because that is what we do when a low
        memory warning fires, and it is harmless.

2014-04-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        emit_op_put_by_id should not emit a write barrier that filters on value
        https://bugs.webkit.org/show_bug.cgi?id=131654

        Reviewed by Filip Pizlo.

        The 32-bit implementation does this, and it can cause crashes if we later repatch the 
        code to allocate and store new Butterflies.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on 
        32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag 
        load down into the if statement so that we don't do it if we're not filtering on the value.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_id):

2014-04-14  Oliver Hunt  <oliver@apple.com>

        Function.bind itself is too slow
        https://bugs.webkit.org/show_bug.cgi?id=131636

        Reviewed by Geoffrey Garen.

        Rather than forcing creation of an activation, we now store
        bound function properties directly on the returned closure.
        This is necessary to deal with code that creates many function
        bindings, but does not call them very often.

        This is a 60% speed up in the included js/regress test.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
        (bind.else.switch.case.1.bindingFunction):
        (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
        (bind.else.switch.case.2.bindingFunction):
        (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
        (bind.else.switch.case.3.bindingFunction):
        (bind.else.switch.bindingFunction):
        (bind):
        (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
        (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
        (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
        * runtime/CommonIdentifiers.h:

2014-04-14  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Allow use of SubImmediates in LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=131608

        Reviewed by Mark Lam.

        Allow use of SubImmediates with const pool so the sh4 architecture can
        share the arm path for the setEntryAddress macro. It reduces architecture
        specific code and leads to more optimal generated code for sh4.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/sh4.rb:

2014-04-14  Andreas Kling  <akling@apple.com>

        Array.prototype.concat should allocate output storage only once.
        <https://webkit.org/b/131609>

        Do a first pass across 'this' and any arguments to compute the
        final size of the resulting array from Array.prototype.concat.
        This avoids having to grow the output incrementally as we go.

        This also includes two other micro-optimizations:

        - Mark getProperty() with ALWAYS_INLINE.

        - Use JSArray::length() instead of taking the generic property
          lookup path when we know an argument is an Array.

        My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.

        Reviewed by Oliver & Darin.

        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::arrayProtoFuncConcat):

2014-04-14  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167249.
        https://bugs.webkit.org/show_bug.cgi?id=131621

        broke 3 tests on cloop (Requested by kling on #webkit).

        Reverted changeset:

        "Array.prototype.concat should allocate output storage only
        once."
        https://bugs.webkit.org/show_bug.cgi?id=131609
        http://trac.webkit.org/changeset/167249

2014-04-14  Alex Christensen  <achristensen@webkit.org>

        Fixed potential integer truncation.
        https://bugs.webkit.org/show_bug.cgi?id=131615

        Reviewed by Darin Adler.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        Truncate the size_t to an unsigned after it is limited to 15 instead of before.

2014-04-14  Andreas Kling  <akling@apple.com>

        Array.prototype.concat should allocate output storage only once.
        <https://webkit.org/b/131609>

        Do a first pass across 'this' and any arguments to compute the
        final size of the resulting array from Array.prototype.concat.
        This avoids having to grow the output incrementally as we go.

        This also includes two other micro-optimizations:

        - Mark getProperty() with ALWAYS_INLINE.

        - Use JSArray::length() instead of taking the generic property
          lookup path when we know an argument is an Array.

        My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.

        Reviewed by Darin Adler.

        * runtime/ArrayPrototype.cpp:
        (JSC::getProperty):
        (JSC::arrayProtoFuncConcat):

2014-04-14  Benjamin Poulain  <benjamin@webkit.org>

        [JSC] Improve the call site of string comparison in some hot path
        https://bugs.webkit.org/show_bug.cgi?id=131605

        Reviewed by Darin Adler.

        When resolved, the String of a JSString is never null. It can be empty but not null.
        The null value is reserved for ropes but those would be resolved when getting the value.

        Consequently, we should use the equal() operation that does not handle null values.
        Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.

        * jit/JITOperations.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::equalSlowCaseInline):
        (JSC::JSValue::strictEqualSlowCaseInline):
        (JSC::JSValue::pureStrictEqual):

2014-04-08  Oliver Hunt  <oliver@apple.com>

        Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Reviewed by Geoffrey Garen.

        This change removes the existing function.bind implementation
        entirely so JSBoundFunction is no more.

        Instead we just return a regular JS closure with a few
        private properties hanging off it that allow us to perform
        the necessary bound function fakery.  While most of this is
        simple, a couple of key changes:

        - The parser and lexer now directly track whether they're
          parsing code for call or construct and convert the private
          name @IsConstructor into TRUETOK or FALSETOK as appropriate.
          This automatically gives us the ability to vary behaviour
          from within the builtin. It also leaves a lot of headroom
          for trivial future improvements.
        - The instanceof operator now uses the prototypeForHasInstance
          private name, and we have a helper function to ensure that
          all objects that need to can update their magical 'prototype'
          property pair correctly.

        * API/JSScriptRef.cpp:
        (parseScript):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.bindingFunction):
        (bind):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind): Deleted.
        * runtime/JSBoundFunction.cpp: Removed.
        * runtime/JSBoundFunction.h: Removed.
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):

2014-04-12  Filip Pizlo  <fpizlo@apple.com>

        Math.fround() should be an intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=131583

        Reviewed by Geoffrey Garen.
        
        Makes programs that use Math.fround() run up to 6x faster.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileArithFRound):
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):

2014-04-12  Filip Pizlo  <fpizlo@apple.com>

        FTL should use stackmap register liveness
        https://bugs.webkit.org/show_bug.cgi?id=130791

        Reviewed by Geoffrey Garen.
        
        Enable the stackmap register liveness support by fixing the two last bugs:
        
        - If everything is dead after the patchpoint - a good possibility for a put_by_id -
          then we shouldn't crash due to a null scratch buffer.
        
        - Always consider callee-saves as if they were live. More precisely, we should
          consider those callee-saves that are not saved by the enclosing function to be live.
          For now we do the much simpler thing and consider callee-saves to be always live
          since it has minimal impact on the scratch register allocator. It will know not to
          preserve those for calls, anyway.
        
        I tried writing a test for the null scratch buffer thing, but failed. I will land the
        test anyway since it seems useful.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::usedRegistersFor):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/Options.h:
        * tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
        (foo):

2014-04-11  Filip Pizlo  <fpizlo@apple.com>

        DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
        https://bugs.webkit.org/show_bug.cgi?id=131424

        Reviewed by Geoffrey Garen.
        
        This defers type conversion injection until we've decided on types. This makes the
        process of deciding types a bit more flexible - for example we can naturally fixpoint
        and change our minds. Only when things are settled do we actually insert conversions.
        
        This is a necessary prerequisite for keeping double, int52, and JSValue data flow
        separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
        that there are typed uses. If we were eagerly inserting type conversions then we would
        first insert a to/from-JSValue conversion in some cases only to then replace it by
        the other conversions. It's probably trivial to remove those redundant conversions later
        but I think it's better if we don't insert them to begin with.

        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::operator!):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        (JSC::DFG::FixupPhase::fixEdge):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
        (JSC::DFG::FixupPhase::addRequiredPhantom):
        (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
        (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.

2014-04-11  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: code generator should consider enclosing class when computing duplicate type names
        https://bugs.webkit.org/show_bug.cgi?id=131554

        Reviewed by Timothy Hatcher.

        We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
        can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
        by the enclosing class and enum name.

        Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.type_name): Prepend the enclosing class name.
        (Type.type_name.is):
        * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
        * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Added.

2014-04-11  Gavin Barraclough  <baraclough@apple.com>

        Rollout - Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Unreviewed.

        Rolling out r167020 while investigating a performance regression.

        * API/JSObjectRef.cpp:
        (JSObjectMakeConstructor):
        * API/JSScriptRef.cpp:
        (parseScript):
        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (apply):
        (bind.bindingFunction): Deleted.
        (bind.else.bindingFunction): Deleted.
        (bind): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/ArgumentsIteratorConstructor.cpp:
        (JSC::ArgumentsIteratorConstructor::finishCreation):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::finishCreation):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::finishCreation):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::finishCreation):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::finishCreation):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::finishCreation):
        * runtime/JSBoundFunction.cpp: Added.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::destroy):
        (JSC::JSBoundFunction::customHasInstance):
        (JSC::JSBoundFunction::JSBoundFunction):
        (JSC::JSBoundFunction::finishCreation):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h: Added.
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor): Deleted.
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectPrototypeProperty): Deleted.
        (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
        * runtime/JSObject.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::finishCreation):
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::finishCreation):
        * runtime/MapIteratorConstructor.cpp:
        (JSC::MapIteratorConstructor::finishCreation):
        * runtime/NameConstructor.cpp:
        (JSC::NameConstructor::finishCreation):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::finishCreation):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::finishCreation):
        * runtime/SetConstructor.cpp:
        (JSC::SetConstructor::finishCreation):
        * runtime/SetIteratorConstructor.cpp:
        (JSC::SetIteratorConstructor::finishCreation):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::finishCreation):
        * runtime/WeakMapConstructor.cpp:
        (JSC::WeakMapConstructor::finishCreation):

2014-04-11  David Kilzer  <ddkilzer@apple.com>

        [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
        <http://webkit.org/b/131556>
        <rdar://problem/16591856>

        Reviewed by Brent Fulgham.

        * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
        OTHER_LDFLAGS so the ASan build does not try to link to
        libclang_rt.asan_osx_dynamic.dylib.

2014-04-11  Mark Lam  <mark.lam@apple.com>

        JSMainThreadExecState::call() should clear exceptions before returning.
        <https://webkit.org/b/131530>

        Reviewed by Geoffrey Garen.

        Added a version of JSC::call() that returns any uncaught exception instead
        of leaving it pending in the VM.

        As part of this change, I updated various parts of the code base to use the
        new API as needed.

        * bindings/ScriptFunctionCall.cpp:
        (Deprecated::ScriptFunctionCall::call):
        - ScriptFunctionCall::call() is only used by the inspector to inject scripts.
          The injected scripts will include Inspector scripts that should catch
          and handle any exceptions that were thrown.  We should not be seeing any
          exceptions returned from this call.  However, we do have checks for
          exceptions in case there are bugs in the Inspector scripts which allowed
          the exception to leak through.  Hence, it is proper to clear the exception
          here, and only record the fact that an exception was seen (if present).

        * bindings/ScriptFunctionCall.h:
        * inspector/InspectorEnvironment.h:
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/CallData.h:

2014-04-11  Oliver Hunt  <oliver@apple.com>

        Add BuiltinLog function to make debugging builtins easier
        https://bugs.webkit.org/show_bug.cgi?id=131550

        Reviewed by Andreas Kling.

        Add a logging function that builtins can use for debugging.

        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncBuiltinLog):
        * runtime/JSGlobalObjectFunctions.h:

2014-04-11  Julien Brianceau  <jbriance@cisco.com>

        Fix LLInt for sh4 architecture (broken since C stack merge).
        https://bugs.webkit.org/show_bug.cgi?id=131532

        Reviewed by Mark Lam.

        This patch fixes build and also implements sh4 parts for initPCRelative and
        setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/instructions.rb:
        * offlineasm/sh4.rb:

2014-04-10  Michael Saboff  <msaboff@apple.com>

        Crash beneath DFG JIT code @ video.disney.com
        https://bugs.webkit.org/show_bug.cgi?id=131447

        Reviewed by Geoffrey Garen.

        The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
        'tag not less than Undefined' check.  The first check was incorrectly elided if we
        knew that the value *was* an int32, when it should have been elided if we already
        knew that the value *was not* an int32.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        * tests/stress/test-spec-misc.js: Added test.
        (getX):
        (foo):
        (bar):

2014-04-08  Filip Pizlo  <fpizlo@apple.com>

        Make room for additional types in SpeculatedType.h
        https://bugs.webkit.org/show_bug.cgi?id=131422

        Reviewed by Sam Weinig.
        
        This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.

        * bytecode/SpeculatedType.h:

2014-04-10  Alex Christensen  <achristensen@webkit.org>

        Compile fix for Win64.
        https://bugs.webkit.org/show_bug.cgi?id=131508

        Reviewed by Geoffrey Garen.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):
        Added unsigned template parameter to distinguish between size_t and unsigned long.

2014-04-10  Michael Saboff  <msaboff@apple.com>

        LLInt interpreter code should be generated as part of one function
        https://bugs.webkit.org/show_bug.cgi?id=131205

        Reviewed by Mark Lam.

        Changed the generation of llint opcodes so that they are all part of the same
        global function, llint_entry.  That function is used to fill in an entry point
        table that includes each of the opcodes and helpers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Added appropriate use of new -I option to offline assembler and offset
        generator scripts.

        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/cloop.rb:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/instructions.rb:
        * offlineasm/parser.rb:
        * offlineasm/registers.rb:
        * offlineasm/self_hash.rb:
        * offlineasm/settings.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:
        Added a new "global" keyword to the offline assembler that denotes a label that
        should be exported.  Added opcode and operand support to get the absolute
        address of a local label using position independent calculations.  Updated the
        offline assembler to handle included files, both when generating the checksum
        as well as including files from other than the local directory via a newly
        added -I option.  The offline assembler now automatically determines external
        functions by keeping track of referenced functions that are defined within the
        assembly source.  This is used both for choosing the correct macro for external
        references as well as generating the needed EXTERN directives for masm.
        Updated the generation of the masm only .sym file to be written once at the end
        of the offline assembler.

        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JITStubs.h:
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntData.h:
        (JSC::LLInt::getCodeFunctionPtr):
        (JSC::LLInt::getOpcode): Deleted.
        (JSC::LLInt::getCodePtr): Deleted.
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntThunks.cpp:
        (JSC::LLInt::functionForCallEntryThunkGenerator):
        (JSC::LLInt::functionForConstructEntryThunkGenerator):
        (JSC::LLInt::functionForCallArityCheckThunkGenerator):
        (JSC::LLInt::functionForConstructArityCheckThunkGenerator):
        (JSC::LLInt::evalEntryThunkGenerator):
        (JSC::LLInt::programEntryThunkGenerator):
        * llint/LLIntThunks.h:
        Changed references to llint helpers to go through the entry point table populated
        by llint_entry.  Added helpers to OpcodeID enum for all builds.

        * bytecode/BytecodeList.json:
        * generate-bytecode-files:
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        Reordered sections to match the order that the functions are added to the entry point
        table.  Added new "asmPrefix" property for symbols that have one name but are generated
        with a prefix, e.g. op_enter -> llint_op_enter.  Eliminated the "emitDefineID" property
        as we are using enums for all bytecode references.  Changed the C Loop only
        llint_c_loop_init to llint_entry.

2014-04-10  Matthew Mirman  <mmirman@apple.com>

        WIP for inlining C++.  Added a build target to produce LLVM IR.
        https://bugs.webkit.org/show_bug.cgi?id=130523

        Reviewed by Mark Rowe.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * build-symbol-table-index.py: Added.
        * build-symbol-table-index.sh: Added.
        * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
        * copy-llvm-ir-to-derived-sources.sh: Added.

2014-04-10  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
        https://bugs.webkit.org/show_bug.cgi?id=131341

        Reviewed by Timothy Hatcher.

        Add support for encoding/decoding unsigned long with EncodedValue.
        It is a distinct type from uint32_t and uint64_t.

        * replay/EncodedValue.cpp:
        (JSC::EncodedValue::convertTo<unsigned long>):
        * replay/EncodedValue.h:

2014-04-10  Mark Lam  <mark.lam@apple.com>

        LLINT loadisFromInstruction should handle the big endian case.
        <https://webkit.org/b/131495>

        Reviewed by Mark Hahnenberg.

        The LLINT loadisFromInstruction macro aims to load the least significant
        32-bit word from the 64-bit bytecode instruction stream and sign extend
        it.  For big endian machines, the current implementation would load the
        wrong 32-bit word.

        Without this fix, the JSC tests will crash on big endian machines.
        Thanks to Tomas Popela for diagnosing this issue.

        * llint/LowLevelInterpreter.asm:

2014-04-09  Mark Lam  <mark.lam@apple.com>

        Temporarily disable the JIT for the Windows port.
        <https://webkit.org/b/131470>

        Reviewed by Brent Fulgham.

        This is a temporary stop gap measure to green the Windows bots until
        we have a fix for https://webkit.org/b/131182.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-04-09  Juergen Ributzka  <juergen@apple.com>

        [FTL] Emit multibyte NOPs on X86-64
        https://bugs.webkit.org/show_bug.cgi?id=131394

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::fillNops):

2014-04-09  Julien Brianceau  <jbriance@cisco.com>

        Get rid of JITOperationWrappers.h header file.
        https://bugs.webkit.org/show_bug.cgi?id=131450

        Reviewed by Michael Saboff.

        JITOperationWrappers header file contains architecture specific code that is
        not needed anymore, so get rid of it.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOperations.cpp:
        * jit/JITOperationWrappers.h: Removed.
        * jit/JITOperations.cpp:

2014-04-09  Mark Lam  <mark.lam@apple.com>

        Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
        <https://webkit.org/b/131449>

        Reviewed by Mark Hahnenberg.

        Change ProtoCallFrame::paddedArgCount to be of type uint32_t.  The argCount
        that it pads is of type int anyway.  It doesn't need to be 64 bit.  This
        also makes it work with the LLINT which is loading it with a loadi
        instruction.

        We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
        when loading the argCount.

        The paddedArgCount issue was causing failures when running the JSC tests on a
        64-bit big endian machine.  In this case, the paddedArgCount in the
        ProtoCallFrame has the value 2.  However, because the paddedArgCount was stored
        as a 64-bit size_t and the LLINT was loading only the low address 32-bits of
        that field, the LLINT got a value of 0 instead of the expected 2.  With this
        patch, we now have a matching store and load of a 32-bit value, and endianness
        no longer comes into play.

        As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
        the payload field of the Register.  In the definition of EncodedValueDescriptor,
        we already ensure that the payload is in the least significant 32-bits for
        little endian machines, and in the most significant 32-bits for big endian
        machines.  This means that there is no endianness bug when loading this value
        using loadi.  However, adding the PayLoadOffset clarifies the intent of the
        code to load the payload part of the Register value.

        * interpreter/ProtoCallFrame.h:
        (JSC::ProtoCallFrame::setPaddedArgCount):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
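
        The paddedArgCount mismatch described above, as an added C example that is not WebKit's code: the byte order is passed explicitly so the big-endian failure can be reproduced on any host, and store_u64, store_u32, loadi and the two *_padded_arg_count functions are hypothetical names that model the C++ store of the field and the LLInt loadi of it.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not WebKit code. Models the ProtoCallFrame::paddedArgCount
 * bug: the C++ side stored a 64-bit size_t while the LLInt read the field
 * with a 32-bit load at its lowest address. Byte order is a parameter so
 * both kinds of machine can be exercised on whatever host runs this. */

enum byte_order { ORDER_LITTLE, ORDER_BIG };

/* Write `value` into `out` as 8 bytes in the given byte order
 * (hypothetical stand-in for storing a size_t field). */
static void store_u64(uint8_t out[8], uint64_t value, enum byte_order order)
{
    for (int i = 0; i < 8; i++) {
        int shift = (order == ORDER_LITTLE) ? 8 * i : 8 * (7 - i);
        out[i] = (uint8_t)(value >> shift);
    }
}

/* Write `value` into `out` as 4 bytes in the given byte order
 * (hypothetical stand-in for storing a uint32_t field). */
static void store_u32(uint8_t out[4], uint32_t value, enum byte_order order)
{
    for (int i = 0; i < 4; i++) {
        int shift = (order == ORDER_LITTLE) ? 8 * i : 8 * (3 - i);
        out[i] = (uint8_t)(value >> shift);
    }
}

/* Models the LLInt `loadi`: read the 4 bytes starting at `at` and
 * interpret them in the machine's byte order. */
static uint32_t loadi(const uint8_t *at, enum byte_order order)
{
    uint32_t value = 0;
    for (int i = 0; i < 4; i++) {
        int shift = (order == ORDER_LITTLE) ? 8 * i : 8 * (3 - i);
        value |= (uint32_t)at[i] << shift;
    }
    return value;
}

/* Before the fix: 64-bit store, 32-bit load at the field's base address.
 * Correct only by accident on little-endian; on big-endian the low address
 * holds the high word, so a paddedArgCount of 2 reads back as 0. */
uint32_t buggy_padded_arg_count(uint32_t arg_count, enum byte_order order)
{
    uint8_t field[8];
    store_u64(field, (uint64_t)arg_count, order);
    return loadi(field, order);
}

/* After the fix: the field is a uint32_t, so the store and load widths
 * match and byte order no longer comes into play. */
uint32_t fixed_padded_arg_count(uint32_t arg_count, enum byte_order order)
{
    uint8_t field[4];
    store_u32(field, arg_count, order);
    return loadi(field, order);
}

int main(void)
{
    /* Constructed input: the value 2 from the description above. */
    printf("buggy  LE: %u\n", buggy_padded_arg_count(2, ORDER_LITTLE));
    printf("buggy  BE: %u\n", buggy_padded_arg_count(2, ORDER_BIG));
    printf("fixed  LE: %u\n", fixed_padded_arg_count(2, ORDER_LITTLE));
    printf("fixed  BE: %u\n", fixed_padded_arg_count(2, ORDER_BIG));
    return 0;
}
```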

2014-04-08  Oliver Hunt  <oliver@apple.com>

        Rewrite Function.bind as a builtin
        https://bugs.webkit.org/show_bug.cgi?id=131083

        Reviewed by Geoffrey Garen.

        This change removes the existing function.bind implementation
        entirely so JSBoundFunction is no more.

        Instead we just return a regular JS closure with a few
        private properties hanging off it that allow us to perform
        the necessary bound function fakery.  While most of this is
        simple, a couple of key changes:

        - The parser and lexer now directly track whether they're
          parsing code for call or construct and convert the private
          name @IsConstructor into TRUETOK or FALSETOK as appropriate.
          This automatically gives us the ability to vary behaviour
          from within the builtin. It also leaves a lot of headroom
          for trivial future improvements.
        - The instanceof operator now uses the prototypeForHasInstance
          private name, and we have a helper function to ensure that
          all objects that need to can update their magical 'prototype'
          property pair correctly.

        * API/JSScriptRef.cpp:
        (parseScript):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * builtins/Function.prototype.js:
        (bind.bindingFunction):
        (bind.else.bindingFunction):
        (bind):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::InstanceOfNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::Lexer):
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        * parser/Lexer.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::Parser):
        (JSC::Parser<LexerType>::parseInner):
        * parser/Parser.h:
        (JSC::parse):
        * parser/ParserModes.h:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CommonIdentifiers.h:
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        * runtime/Executable.cpp:
        (JSC::ProgramExecutable::checkSyntax):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind): Deleted.
        * runtime/JSBoundFunction.cpp: Removed.
        * runtime/JSBoundFunction.h: Removed.
        * runtime/JSFunction.cpp:
        (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
        (JSC::RetrieveCallerFunctionFunctor::operator()):
        (JSC::retrieveCallerFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncSetTypeErrorAccessor):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):

2014-04-08  Jon Lee  <jonlee@apple.com>

        Turn MSE on by default
        https://bugs.webkit.org/show_bug.cgi?id=131313
        <rdar://problem/16525223>

        Reviewed by Jer Noble.

        * Configurations/FeatureDefines.xcconfig:

2014-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
        https://bugs.webkit.org/show_bug.cgi?id=131406

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::stop):
        (Inspector::RemoteInspector::stopInternal):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        Provide a way to stop externally and a path to stop when in
        the middle of handling a message already with the locked mutex.

        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::closeFromMessage):
        Provide a way to close externally and a path to close when in
        the middle of handling a message already with a mutex.

2014-04-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
        https://bugs.webkit.org/show_bug.cgi?id=131398

        Reviewed by Timothy Hatcher.

        * inspector/InjectedScriptSource.js:
        The console object can be deleted from a page or JSContext,
        so keep code that expects that it could have been deleted
        to be resilient in those cases.

        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        Change the FIXMEs to NOTEs that explain why these functions
        have empty implementations for JSContext inspection.

2014-04-08  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix a goofy assertion to fix debug.

        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::isSetter):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        (JSC::PutByIdAccess::customSetter):

2014-04-08  Filip Pizlo  <fpizlo@apple.com>

        Fail silently if the LLVM dylib isn't found
        https://bugs.webkit.org/show_bug.cgi?id=131385

        Reviewed by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVM):
        * llvm/InitializeLLVM.h:
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-04-07  Filip Pizlo  <fpizlo@apple.com>

        Repatch should support setters and plant calls to them directly
        https://bugs.webkit.org/show_bug.cgi?id=130750

        Reviewed by Geoffrey Garen.
        
        All of the infrastructure was in place so this just enables setter optimization.
        
        This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.

        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::setter):
        (JSC::PutByIdAccess::customSetter): Deleted.
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        * jit/Repatch.cpp:
        (JSC::toString):
        (JSC::kindFor):
        (JSC::customFor):
        (JSC::generateByIdStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableSetter):
        (JSC::PutPropertySlot::isCacheableSetter):
        (JSC::PutPropertySlot::isCacheableCustom):
        (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
        (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
        * tests/stress/setter.js: Added.
        (foo):

2014-04-07  Filip Pizlo  <fpizlo@apple.com>

        Setters are just getters that take an extra argument and don't return a value
        https://bugs.webkit.org/show_bug.cgi?id=131336

        Reviewed by Geoffrey Garen.
        
        Other than that, they're totally the same thing.
        
        This isn't as dumb as it sounds.

        Most of the work in calling an accessor has to do with emitting the necessary checks for
        figuring out whether we're calling the accessor we expected, followed by the boilerplate
        needed for setting up a call inside of a stub. It makes sense for the code to be totally
        common.

        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeValue):
        (JSC::AssemblyHelpers::moveTrustedValue):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupResults):
        * jit/Repatch.cpp:
        (JSC::kindFor):
        (JSC::customFor):
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::generateGetByIdStub): Deleted.
        (JSC::emitCustomSetterStub): Deleted.
        * runtime/JSCJSValue.h:
        (JSC::JSValue::asValue):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::cachedOffset):

2014-04-07  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
        https://bugs.webkit.org/show_bug.cgi?id=131321

        Reviewed by Mark Rowe.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        Avoid attempting to take the same lock twice. Move the received message
        lock grab after the WIRPermissionDenied branch, which takes the lock
        inside RemoteInspector::stop.

2014-04-07  Filip Pizlo  <fpizlo@apple.com>

        Make it possible to disable some of the FTL's more interesting features
        https://bugs.webkit.org/show_bug.cgi?id=131312

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parse):
        * runtime/Options.h:

2014-04-04  Mark Lam  <mark.lam@apple.com>

        Date object needs to check for ES5 15.9.1.14 TimeClip limit.
        <https://webkit.org/b/131248>

        Reviewed by Mark Hahnenberg.

        The current Date object code does not adequately check for the ES5
        15.9.1.14 TimeClip limit.  As a result, some calculations can
        underflow / overflow and produce unexpected results.

        For example, we were getting an assertion failure in
        WTF::equivalentYearForDST() due to int underflows in this function, which
        in turn were due to an int overflow in WTF::msToYear().

        This patch adds the needed checks, and adds some assertions to ensure
        that the used values are sane.

        The changes have no noticeable impact on benchmark results.

        * runtime/DateConstructor.cpp:
        (JSC::callDate):
        * runtime/JSDateMath.cpp:
        (JSC::localTimeOffset):
        (JSC::gregorianDateTimeToMS):
        (JSC::msToGregorianDateTime):
        (JSC::parseDateFromNullTerminatedCharacters):
        (JSC::parseDate):
        * runtime/JSDateMath.h:
        - parseDateFromNullTerminatedCharacters() does not need to be public.
          Made it a static function.
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache):
        - Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN()
          to be consistent with other Date code.
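        The TimeClip bound referred to in the entry above, written out as an added example (not part of this ChangeLog or of WebKit's Date code): the names timeClip, yearFromClippedTime and checkAgainstDate are assumed here, and the year helper stands in for the kind of "only operate on clipped values" guard the entry describes.

```javascript
// Added example, not WebKit code. ES5 15.9.1.1 bounds time values to
// +/- 100,000,000 days from the epoch, i.e. +/- 8.64e15 milliseconds.
const MAX_TIME_MS = 8.64e15;

// ES5 15.9.1.14 TimeClip: out-of-range or non-finite inputs become NaN,
// in-range inputs are truncated toward zero (ToInteger), with -0 normalized to +0.
function timeClip(time) {
  if (!Number.isFinite(time) || Math.abs(time) > MAX_TIME_MS) {
    return NaN;
  }
  return Math.trunc(time) + 0;
}

// Year arithmetic that refuses unclipped input. This is the shape of check the
// entry describes (assumption: illustrative helper, not WTF::msToYear itself):
// clipping first guarantees the value fits a representable Date.
function yearFromClippedTime(time) {
  const t = timeClip(time);
  if (Number.isNaN(t)) {
    return NaN;
  }
  return new Date(t).getUTCFullYear();
}

// The Date constructor applies TimeClip itself (ES5 15.9.3.2), so an
// independent implementation must agree with it for every input.
function checkAgainstDate(time) {
  const expected = new Date(time).getTime();
  const actual = timeClip(time);
  if (Number.isNaN(expected) && Number.isNaN(actual)) {
    return true;
  }
  return Object.is(expected, actual);
}
```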

2014-04-06  Csaba Osztrogonác  <ossy@webkit.org>

        Unreviewed speculative 32-bit buildfix after r166837.

        * heap/Heap.cpp:
        (JSC::Heap::updateObjectCounts):

2014-04-06  Dan Bernstein  <mitz@apple.com>

        32-bit build fix.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::setInputCursor):

2014-04-04  Brian J. Burg  <burg@cs.washington.edu>

        Enable WEB_REPLAY for PLATFORM(MAC)
        https://bugs.webkit.org/show_bug.cgi?id=130700

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2014-04-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add missing files from r166837

        * heap/GCLogging.cpp: Added.
        (JSC::GCLogging::levelAsString):
        (JSC::LoggingFunctor::LoggingFunctor):
        (JSC::LoggingFunctor::~LoggingFunctor):
        (JSC::LoggingFunctor::operator()):
        (JSC::LoggingFunctor::log):
        (JSC::LoggingFunctor::reviveCells):
        (JSC::LoggingFunctor::returnValue):
        (JSC::GCLogging::dumpObjectGraph):
        * heap/GCLogging.h: Added.

2014-04-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Enhanced GC logging
        https://bugs.webkit.org/show_bug.cgi?id=131246

        Reviewed by Geoff Garen.

        Getting data on the state of the JSC Heap at runtime is currently in a sad state. 
        The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full 
        recompile to turn it on. It would be nice if we could runtime enable our GC logging 
        infrastructure while incurring minimal cost when it is disabled. 

        It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING 
        provides us with the discovered roots along with parent-child relationships as objects 
        are scanned. However, once an object is scanned it will never be declared as the child 
        of another object during that collection. This gives us a tree-like view of the 
        Heap (i.e. each scanned node only reports having a single parent), where the actual 
        Heap can be an arbitrary graph.

        This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances 
        our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose 
        logging levels. None means no logging is done, Basic is what logGC() = true would have done 
        prior to this patch, and Verbose logs all object relationships.

        JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow 
        subclasses to override the default string representation that will be dumped. These 
        methods allow JSCells to be dumped using the standard dataLog() calls similar to much of
        the logging infrastructure in our compilers.

        This patch also adds a GCLogging class that handles dumping the relationships between objects.
        It does this by using the pre-existing visitChildren virtual methods to obtain the immediate
        children of each live cell at the end of garbage collection.

        This change meets our goal of being neutral on the benchmarks we track.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/GCLogging.cpp: Added.
        (JSC::GCLogging::levelAsString):
        (JSC::LoggingFunctor::LoggingFunctor):
        (JSC::LoggingFunctor::operator()):
        (JSC::LoggingFunctor::log):
        (JSC::LoggingFunctor::reviveCells):
        (JSC::LoggingFunctor::returnValue):
        (JSC::GCLogging::dumpObjectGraph):
        * heap/GCLogging.h: Added.
        * heap/GCSegmentedArray.h:
        (JSC::GCSegmentedArray::begin):
        (JSC::GCSegmentedArray::end):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::visitArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::collect):
        (JSC::Heap::didFinishCollection):
        * heap/Heap.h:
        * heap/MarkStack.h:
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::dump):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::markStack):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        * runtime/ClassInfo.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::dump):
        (JSC::JSCell::dumpToStream):
        (JSC::JSCell::className):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::visitChildren):
        * runtime/JSString.cpp:
        (JSC::JSString::dumpToStream):
        (JSC::JSString::visitChildren):
        * runtime/JSString.h:
        (JSC::JSString::length):
        (JSC::JSRopeString::RopeBuilder::length):
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::setOption):
        (JSC::Options::dumpOption):
        * runtime/Options.h:

2014-04-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph
        https://bugs.webkit.org/show_bug.cgi?id=131251

        Reviewed by Geoffrey Garen.

        * API/JSVirtualMachine.mm:
        (scanExternalObjectGraph):
        * API/tests/testapi.mm:

2014-04-03  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: hook up probe samples to TimelineAgent's records
        https://bugs.webkit.org/show_bug.cgi?id=131127

        Reviewed by Timothy Hatcher.

        * inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction.

2014-04-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r166820.
        https://bugs.webkit.org/show_bug.cgi?id=131256

        Broke builds. (Requested by bdash on #webkit).

        Reverted changeset:

        "WIP for inlining C++.  Added a build target to produce llvm
        ir."
        https://bugs.webkit.org/show_bug.cgi?id=130523
        http://trac.webkit.org/changeset/166820

2014-04-04  Matthew Mirman  <mmirman@apple.com>

        WIP for inlining C++.  Added a build target to produce llvm ir.
        https://bugs.webkit.org/show_bug.cgi?id=130523

        Reviewed by Filip Pizlo.

        The llvm ir gets placed in JavaScriptCoreRuntimeToLLVMir.build with the extension .o

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * build_index.py: Added.
        * Configurations/CompileRuntimeToLLVMir.xcconfig: Added.

2014-04-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled
        https://bugs.webkit.org/show_bug.cgi?id=131241

        Reviewed by Timothy Hatcher.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log the exception to the system console if system console output is enabled.

2014-04-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Provide a way for JSContext console to log to system console
        https://bugs.webkit.org/show_bug.cgi?id=131050

        Reviewed by Timothy Hatcher.

        Applications often re-expose some log -> NSLog functionality.
        We already have the capability ourselves, which includes extra
        information such as sourceURL:line:column, all arguments instead
        of just one argument, and backtrace information on console.trace.
        Therefore it would be convenient if developers could just use
        the built-in console.log and get rich output in both the inspector
        and the console, without writing their own logger.

        The logging will be enabled in debug builds by default, and can be enabled
        otherwise by setting a user default before creating the first context.
        
        For example, in the application itself:

            [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"];

        Or from outside the application:
        
            shell> defaults write <app-bundle-identifier> JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES

        * inspector/JSConsoleClient.h:
        * inspector/JSConsoleClient.cpp:
        (Inspector::JSConsoleClient::logToSystemConsole):
        (Inspector::JSConsoleClient::setLogToSystemConsole):
        (Inspector::JSConsoleClient::initializeLogToSystemConsole):
        (Inspector::JSConsoleClient::JSConsoleClient):
        Global setting for logging to system console. Enabled on
        debug builds, and by a user default on supported platforms.

        (Inspector::JSConsoleClient::messageWithTypeAndLevel):
        Log to system console when the static setting is enabled.

        * runtime/ConsoleClient.h:
        * runtime/ConsoleClient.cpp:
        (JSC::appendURLAndPosition):
        (JSC::appendMessagePrefix):
        (JSC::ConsoleClient::printConsoleMessage):
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        Clean up printing. Build strings and use WTFLogAlways instead of printf
        for consistent logging.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        Clean up printing. If there is no source URL, don't print a leading colon.

2014-04-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use JSCell::indexingType instead of Structure::indexingType wherever possible
        https://bugs.webkit.org/show_bug.cgi?id=131230

        Reviewed by Mark Lam.

        Avoid the indirection through the Structure.

        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateIndexingType):
        * bytecode/ArrayAllocationProfile.h:
        (JSC::ArrayAllocationProfile::selectIndexingType):
        * heap/HeapStatistics.cpp:
        (JSC::StorageStatistics::operator()):
        * runtime/ArrayPrototype.cpp:
        (JSC::attemptFastSort):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::objectPrototypeIsSane):
        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):

2014-04-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use JSCell::type instead of TypeInfo::type wherever possible
        https://bugs.webkit.org/show_bug.cgi?id=131229

        Reviewed by Michael Saboff.

        Avoid going through the Structure and reifying the TypeInfo.

        * runtime/Executable.h:
        (JSC::ExecutableBase::isEvalExecutable):
        (JSC::ExecutableBase::isProgramExecutable):

2014-04-03  Andreas Kling  <akling@apple.com>

        Fast-path for casting JS wrappers to JSNode.
        <https://webkit.org/b/131196>

        Allow code outside of JSC (well, WebCore) to extend the JSType spectrum
        a little bit. We do this by exposing a LastJSCObjectType constant so
        WebCore can encode its own wrapper types after that.

        Reviewed by Mark Hahnenberg and Geoff Garen.

        * runtime/JSType.h:

            Added LastJSCObjectType for use by WebCore.

        * runtime/JSObject.h:
        (JSC::JSObject::isVariableObject):

            Updated since this can no longer assume that types >= VariableObjectType
            are all variable objects.

2014-04-03  Mark Hahnenberg  <mhahnenberg@apple.com>

        All Heap::writeBarriers should be inline
        https://bugs.webkit.org/show_bug.cgi?id=131197

        Reviewed by Mark Lam.

        One is in JSCellInlines.h, another is in Heap.cpp. These are all critical 
        enough and small enough to belong in HeapInlines.h. Also added the proper 
        ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds.

        * heap/Heap.cpp:
        (JSC::Heap::writeBarrier): Deleted.
        * heap/Heap.h:
        * heap/HeapInlines.h:
        (JSC::Heap::writeBarrier):
        * runtime/JSCellInlines.h:
        (JSC::Heap::writeBarrier): Deleted.

2014-04-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=131186

        Reviewed by Geoffrey Garen.

        * API/JSContextPrivate.h:
        * API/JSContext.mm:
        (-[JSContext _includesNativeCallStackWhenReportingExceptions]):
        (-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]):
        JSContext ObjC SPI to opt-out of including native call stacks in exceptions.

        * API/JSContextRefPrivate.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
        (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
        JSContext C SPI to opt-out of including native call stacks in exceptions.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Only include the native call stack if the setting is enabled. It is enabled by default.

2014-04-03  Mark Lam  <mark.lam@apple.com>

        Fix bit rot in ARMv7 JIT probe mechanism.
        <https://webkit.org/b/131167>

        Reviewed by Geoffrey Garen.

        1. The macro assembler does not support pushing the SP register.  Worked
           around this by pushing the LR register as a placeholder, and then
           writing the original SP value to that slot.
        2. The CPUState field in the ProbeContext needs to be aligned on a 4
           byte boundary, not an 8 byte boundary.

        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssemblerARMv7::probe):
        * jit/JITStubsARMv7.h:

2014-04-02  Mark Lam  <mark.lam@apple.com>

        ARMv7 compare32() should not use TST to do CMP's job.
        <https://webkit.org/b/131146>

        Reviewed by Geoffrey Garen.

        The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)"
        was using "tst reg, reg" to implement "cmp reg, #0".  Unfortunately, the tst
        instruction doesn't set the Overflow (V) flag and this results in random
        results depending on whether there was a preceding instruction that did set
        the Overflow (V) flag.  This issue was causing emscripten-cube2hash to run
        with a lot of OSR exits where not expected as well as producing wrong results.

        The fix is to use "cmp reg, #0" to do the job properly.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::compare32):

2014-04-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlockSet should be generational
        https://bugs.webkit.org/show_bug.cgi?id=127152

        Reviewed by Geoffrey Garen.

        During EdenCollections we now only visit those CodeBlocks that:
        a) Are new since the last collection if they were somehow otherwise reachable.
        b) Are reachable from an Executable that is part of the remembered set.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock): Initialize uninitialized variables.
        (JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the
        shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this).
        We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection).
        (JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for membership when doing conservative scanning.
        (JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks.
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::add):
        (JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into 
        the set of old CodeBlocks.
        (JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks.
        (JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the 
        remembered set. When an Executable is added to the remembered set it's typically because we need to do something 
        with its CodeBlock.
        (JSC::CodeBlockSet::clearMarks):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks
        to determine which CodeBlocks are dead and eagerly finalizes/deletes them.
        (JSC::CodeBlockSet::remove):
        (JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks.
        (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing 
        CodeBlocks because we no longer always do this at the beginning of EdenCollections.
        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate):
        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::deleteAllCompiledCode):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation:
        a) A CodeBlock is created and is compiled on a DFG worker thread.
        b) No GC happens.
        c) The CodeBlock has finished being compiled and is installed in the Executable.
        d) The function never executes before the next GC.
        e) The next GC needs to visit the new CodeBlock but the Executable won't be revisited unless 
           it's added to the remembered set.

2014-04-02  Mark Lam  <mark.lam@apple.com>

        Added some more dataLog info for OSR exits.
        <https://webkit.org/b/131120>

        Reviewed by Michael Saboff.

        Adding info about the OSR exit index, the bytecode index of the bytecode
        that is OSR exiting, and the reason for the OSR exit.  This change is
        for debugging code which only comes into play when we use the
        --printEachOSRExit option.

        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:

2014-04-02  Martin Robinson  <mrobinson@igalia.com>

        REGRESSION(r165704): [GTK] Inspector resources not correctly generated
        https://bugs.webkit.org/show_bug.cgi?id=130343

        Reviewed by Gustavo Noronha Silva.

        * CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one
        in which it should be distributed. This allows us to more easily package it for GTK+.

2014-04-01  Timothy Hatcher  <timothy@apple.com>

        Remove HeapProfiler from the Web Inspector protocol.

        https://bugs.webkit.org/show_bug.cgi?id=131070

        Reviewed by Joseph Pecoraro.

        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
        (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted.
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/protocol/Console.json:

2014-03-31  Simon Fraser  <simon.fraser@apple.com>

        Enable WEB_TIMING on Mac and iOS
        https://bugs.webkit.org/show_bug.cgi?id=128064

        Reviewed by Sam Weinig, Brent Fulgham.

        Enable WEB_TIMING.

        * Configurations/FeatureDefines.xcconfig:

2014-03-31  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxy objects
        https://bugs.webkit.org/show_bug.cgi?id=130992

        Reviewed by Mark Hahnenberg.

        Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object.

        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        * API/tests/testapi.c:
        (main): Added new test case to validate we are properly forwarding.

2014-03-31  Mark Hahnenberg  <mhahnenberg@apple.com>

        Improve GC_LOGGING
        https://bugs.webkit.org/show_bug.cgi?id=130988

        Reviewed by Geoffrey Garen.

        GC_LOGGING can be useful for diagnosing where we're spending our time during collection, 
        but it doesn't distinguish between Eden and Full collections in the data it gathers. This
        patch updates it so that it can. It also adds the process ID to the beginning of each line 
        of input to be able to distinguish between the output of multiple processes exiting at the 
        same time.

        * heap/Heap.cpp:
        (JSC::Heap::collect):

2014-03-31  Dean Jackson  <dino@apple.com>

        Remove WEB_ANIMATIONS
        https://bugs.webkit.org/show_bug.cgi?id=130989

        Reviewed by Simon Fraser.

        Remove this feature flag until we plan to implement.

        * Configurations/FeatureDefines.xcconfig:

2014-03-31  Filip Pizlo  <fpizlo@apple.com>

        More validation for FTL inline caches
        https://bugs.webkit.org/show_bug.cgi?id=130948

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * runtime/Options.h:

2014-03-31  Filip Pizlo  <fpizlo@apple.com>

        LLVM IR for store barriers should be nicely arranged and they don't need exception checks
        https://bugs.webkit.org/show_bug.cgi?id=130950

        Reviewed by Mark Hahnenberg.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):

2014-03-31  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>

        [CMake] Stop checking for WTF_USE_ICU_UNICODE.
        https://bugs.webkit.org/show_bug.cgi?id=130965

        Reviewed by Martin Robinson.

        This is somewhat of a follow-up to r162782, which got rid of
        WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's
        CMakeLists.txt. This meant the includes and libraries were not
        being properly included since then.

        * CMakeLists.txt:

2014-03-31  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove hostThisRegister() and hostThisValue()
        https://bugs.webkit.org/show_bug.cgi?id=130895

        Reviewed by Geoffrey Garen.

        Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::call):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * inspector/JSInjectedScriptHostPrototype.cpp:
        (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
        (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
        (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
        (Inspector::jsInjectedScriptHostPrototypeFunctionType):
        (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
        (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
        (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
        (Inspector::jsJavaScriptCallFrameAttributeCaller):
        (Inspector::jsJavaScriptCallFrameAttributeSourceID):
        (Inspector::jsJavaScriptCallFrameAttributeLine):
        (Inspector::jsJavaScriptCallFrameAttributeColumn):
        (Inspector::jsJavaScriptCallFrameAttributeFunctionName):
        (Inspector::jsJavaScriptCallFrameAttributeScopeChain):
        (Inspector::jsJavaScriptCallFrameAttributeThisObject):
        (Inspector::jsJavaScriptCallFrameAttributeType):
        * interpreter/CallFrame.h:
        (JSC::ExecState::hostThisRegister): Deleted.
        (JSC::ExecState::hostThisValue): Deleted.
        * runtime/Arguments.cpp:
        (JSC::argumentsFuncIterator):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncConcat):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        (JSC::arrayProtoFuncValues):
        (JSC::arrayProtoFuncEntries):
        (JSC::arrayProtoFuncKeys):
        * runtime/BooleanPrototype.cpp:
        (JSC::booleanProtoFuncToString):
        (JSC::booleanProtoFuncValueOf):
        * runtime/ConsolePrototype.cpp:
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        * runtime/DatePrototype.cpp:
        (JSC::formateDateInstance):
        (JSC::dateProtoFuncToISOString):
        (JSC::dateProtoFuncToLocaleString):
        (JSC::dateProtoFuncToLocaleDateString):
        (JSC::dateProtoFuncToLocaleTimeString):
        (JSC::dateProtoFuncGetTime):
        (JSC::dateProtoFuncGetFullYear):
        (JSC::dateProtoFuncGetUTCFullYear):
        (JSC::dateProtoFuncGetMonth):
        (JSC::dateProtoFuncGetUTCMonth):
        (JSC::dateProtoFuncGetDate):
        (JSC::dateProtoFuncGetUTCDate):
        (JSC::dateProtoFuncGetDay):
        (JSC::dateProtoFuncGetUTCDay):
        (JSC::dateProtoFuncGetHours):
        (JSC::dateProtoFuncGetUTCHours):
        (JSC::dateProtoFuncGetMinutes):
        (JSC::dateProtoFuncGetUTCMinutes):
        (JSC::dateProtoFuncGetSeconds):
        (JSC::dateProtoFuncGetUTCSeconds):
        (JSC::dateProtoFuncGetMilliSeconds):
        (JSC::dateProtoFuncGetUTCMilliseconds):
        (JSC::dateProtoFuncGetTimezoneOffset):
        (JSC::dateProtoFuncSetTime):
        (JSC::setNewValueFromTimeArgs):
        (JSC::setNewValueFromDateArgs):
        (JSC::dateProtoFuncSetYear):
        (JSC::dateProtoFuncGetYear):
        (JSC::dateProtoFuncToJSON):
        * runtime/ErrorPrototype.cpp:
        (JSC::errorProtoFuncToString):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        (JSC::functionProtoFuncBind):
        * runtime/NamePrototype.cpp:
        (JSC::privateNameProtoFuncToString):
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncClz):
        (JSC::numberProtoFuncToString):
        (JSC::numberProtoFuncToLocaleString):
        (JSC::numberProtoFuncValueOf):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncValueOf):
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncIsPrototypeOf):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
        (JSC::objectProtoFuncPropertyIsEnumerable):
        (JSC::objectProtoFuncToLocaleString):
        (JSC::objectProtoFuncToString):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):
        (JSC::regExpProtoFuncCompile):
        (JSC::regExpProtoFuncToString):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):
        (JSC::stringProtoFuncToString):
        (JSC::stringProtoFuncCharAt):
        (JSC::stringProtoFuncCharCodeAt):
        (JSC::stringProtoFuncConcat):
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
        (JSC::stringProtoFuncSlice):
        (JSC::stringProtoFuncSplit):
        (JSC::stringProtoFuncSubstr):
        (JSC::stringProtoFuncSubstring):
        (JSC::stringProtoFuncToLowerCase):
        (JSC::stringProtoFuncToUpperCase):
        (JSC::stringProtoFuncLocaleCompare):
        (JSC::stringProtoFuncBig):
        (JSC::stringProtoFuncSmall):
        (JSC::stringProtoFuncBlink):
        (JSC::stringProtoFuncBold):
        (JSC::stringProtoFuncFixed):
        (JSC::stringProtoFuncItalics):
        (JSC::stringProtoFuncStrike):
        (JSC::stringProtoFuncSub):
        (JSC::stringProtoFuncSup):
        (JSC::stringProtoFuncFontcolor):
        (JSC::stringProtoFuncFontsize):
        (JSC::stringProtoFuncAnchor):
        (JSC::stringProtoFuncLink):
        (JSC::stringProtoFuncTrim):
        (JSC::stringProtoFuncTrimLeft):
        (JSC::stringProtoFuncTrimRight):

2014-03-28  Filip Pizlo  <fpizlo@apple.com>

        Land the stackmap register liveness glue with the uses of the liveness disabled
        https://bugs.webkit.org/show_bug.cgi?id=130924

        Reviewed by Oliver Hunt.
        
        Add the liveness and fix other bugs I found.

        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::usedRegistersFor):
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLSlowPathCallKey.cpp:
        (JSC::FTL::SlowPathCallKey::dump):
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::argumentRegisters):
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Record::locationSet):
        (JSC::FTL::StackMaps::Record::liveOutsSet):
        (JSC::FTL::StackMaps::Record::usedRegisterSet):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::registerClobberCheck):
        (JSC::FTL::slowPathCallThunkGenerator):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stackRegisters):
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::dump):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::setAny):
        (JSC::RegisterSet::setMany):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryRepatchIn):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-28  Mark Lam  <mark.lam@apple.com>

        mandreel throws a checksum error on 32-bit x86.
        <https://webkit.org/b/125706>

        Reviewed by Filip Pizlo.

        The 32-bit DFG can emit code that loads double constants from its
        CodeBlock's m_constantRegisters vector.  The emitted instruction will
        embed the address of the constant from the vector's backing store.
        Subsequently, while inserting new constants, the DFG may resize the
        vector, thereby reallocating the backing store.  This renders the
        previously embedded constant addresses stale.

        The fix is to use a dedicated doubles constant pool stored in the DFG
        CommonData instead.  This constant pool won't be reallocated, and
        hence will not manifest this issue.

        * dfg/DFGCommonData.h:
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.
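        The stale-address hazard this entry describes, as an added C++ example that is not JavaScriptCore code: VectorPool stands in for the growable m_constantRegisters vector, StablePool for the dedicated pool, and the std::deque used for the stable pool is this example's choice, not the fix as landed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <vector>

// Added example, not JavaScriptCore code. It models the hazard described in the
// ChangeLog entry above: generated code embeds the raw address of a double
// constant held in a growable vector, and a later insertion reallocates the
// vector's backing store, leaving the embedded address dangling.

// Stand-in (assumed name) for a constant table kept in a plain growable vector.
struct VectorPool {
    std::vector<double> constants;
    // Returns the address generated code would embed for this constant.
    const double* add(double value)
    {
        constants.push_back(value);
        return &constants.back();
    }
    const double* addressOf(std::size_t index) const { return &constants[index]; }
};

// Stand-in (assumed name) for the fix: a dedicated pool whose existing elements
// never move. std::deque guarantees push_back does not invalidate references to
// elements already in the container, which is the property the fix relies on.
struct StablePool {
    std::deque<double> constants;
    const double* add(double value)
    {
        constants.push_back(value);
        return &constants.back();
    }
    const double* addressOf(std::size_t index) const { return &constants[index]; }
};

// Embeds the address of one constant as an integer immediate (the way a JIT
// bakes it into an instruction), inserts `growth` more constants as the DFG
// does while compiling, then reports whether the embedded value still names
// the constant's live storage. The address is captured as an integer up front
// so that no possibly-dangling pointer is ever read or compared afterwards.
template <typename Pool>
bool embeddedAddressStillValid(Pool& pool, std::size_t growth)
{
    const std::uintptr_t embedded = reinterpret_cast<std::uintptr_t>(pool.add(3.25));
    for (std::size_t i = 0; i < growth; ++i)
        pool.add(static_cast<double>(i));
    return embedded == reinterpret_cast<std::uintptr_t>(pool.addressOf(0));
}

int main()
{
    VectorPool vectorPool;
    StablePool stablePool;
    // After 100000 further insertions the vector has reallocated many times,
    // so the embedded address is stale; the deque-backed pool keeps it valid.
    std::printf("vector-backed pool keeps address: %s\n",
                embeddedAddressStillValid(vectorPool, 100000) ? "yes" : "no");
    std::printf("stable pool keeps address:        %s\n",
                embeddedAddressStillValid(stablePool, 100000) ? "yes" : "no");
    return 0;
}
```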

2014-03-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: console.warn is showing as error instead of warning
        https://bugs.webkit.org/show_bug.cgi?id=130921

        Reviewed by Timothy Hatcher.

        * runtime/ConsolePrototype.cpp:
        (JSC::consoleProtoFuncWarn):
        console.warn should be MessageLevel Warning, not Error.

2014-03-28  Oliver Hunt  <oliver@apple.com>

        Fix cloop build.

        * bytecode/BytecodeList.json:

2014-03-28  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling r166248 back in.

        Turns out r166070 didn't cause a 2% performance loss in page load times.

        Reverted changeset:

        Unreviewed, rolling out r166126.
        Rollout r166126 in preparation to roll out prerequisite r166070

2014-03-27  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r166376.
        https://bugs.webkit.org/show_bug.cgi?id=130887

        This was a misguided optimization. (Requested by kling on
        #webkit).

        Reverted changeset:

        "Avoid fetching JSObject::structure() repeatedly in
        putDirectInternal."
        https://bugs.webkit.org/show_bug.cgi?id=130857
        http://trac.webkit.org/changeset/166376

2014-03-27  Oliver Hunt  <oliver@apple.com>

        Support spread operand in |new| expressions
        https://bugs.webkit.org/show_bug.cgi?id=130877

        Reviewed by Michael Saboff.

        Add support for the spread operator being applied in
        |new| expressions.  This required adding support for
        a new opcode, op_construct_varargs.  This is a relatively
        simple refactoring of the call_varargs implementation.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::specializationKind):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Revert http://trac.webkit.org/changeset/166386 because it broke builds.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skip this test for now.

        * tests/stress/recurse-infinitely-on-getter.js:

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130867
        <rdar://problem/16432456>

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27  Andreas Kling  <akling@apple.com>

        Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
        <https://webkit.org/b/130857>

        Use the cached Structure* instead of re-fetching it over and over since
        that's a non-trivial operation these days.

        Reviewed by Mark Hahnenberg.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):

2014-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Check the remembered set bit faster
        https://bugs.webkit.org/show_bug.cgi?id=130860

        Reviewed by Oliver Hunt.

        Currently we look up the remembered set bit in the MarkedBlock in C++ code, but 
        that bit is also stored in the object. We should look it up there whenever possible.

        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::shouldReportLiveBytes):
        * heap/Heap.cpp:
        (JSC::Heap::addToRememberedSet):
        * heap/Heap.h:
        * heap/HeapInlines.h: Removed.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryUsage):

2014-03-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Provide SPI to disallow remote inspection of a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=130853

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h: Added.
        * API/JSContext.mm:
        (-[JSContext _remoteInspectionEnabled]):
        (-[JSContext _setRemoteInspectionEnabled:]):
        ObjC SPI to enable/disable remote inspection.

        * API/JSContextRefPrivate.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetRemoteInspectionEnabled):
        (JSGlobalContextSetRemoteInspectionEnabled):
        C SPI to enable/disable remote inspection.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new private header, and export as a private header.

2014-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
        https://bugs.webkit.org/show_bug.cgi?id=130845

        Reviewed by Filip Pizlo.

        There was a hack added to make sure C Loop LLInt worked which included overriding the 
        global Options::useLLInt setting, which makes no sense to do here. We should put the 
        update of the global setting in Options::recomputeDependentOptions along with the other 
        execution engine flags.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Enable LLVM stackmap liveOuts computation
        https://bugs.webkit.org/show_bug.cgi?id=130821

        Reviewed by Andy Estes and Sam Weinig.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Record::dump):
        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Parse stackmaps liveOuts
        https://bugs.webkit.org/show_bug.cgi?id=130801

        Reviewed by Geoffrey Garen.
        
        This just adds the code to parse them but doesn't do anything with them, yet.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::forIndirect):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        (JSC::FTL::StackMaps::LiveOut::parse):
        (JSC::FTL::StackMaps::LiveOut::dump):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::Record::dump):
        * ftl/FTLStackMaps.h:

2014-03-26  Mark Lam  <mark.lam@apple.com>

        Build fix after r166307.

        Not reviewed.

        * runtime/JSCell.h:
        - The inline function isAPIValueWrapper() should not be exported.  This
          was causing a linkage error when building for 32-bit x86 on Mac.

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Reasoning about DWARF register numbers should be moved out of FTL::Location
        https://bugs.webkit.org/show_bug.cgi?id=130792

        Reviewed by Oliver Hunt.
        
        Moving this code makes it possible for things other than FTL::Location to reason about
        DWARF register encoding. This refactoring also appears to reduce some code duplication
        and makes FTLLocation.cpp cleaner.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLDWARFRegister.cpp: Added.
        (JSC::FTL::DWARFRegister::reg):
        (JSC::FTL::DWARFRegister::dump):
        * ftl/FTLDWARFRegister.h: Added.
        (JSC::FTL::DWARFRegister::DWARFRegister):
        (JSC::FTL::DWARFRegister::dwarfRegNum):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::hasDwarfReg):
        (JSC::FTL::Location::dwarfReg):

2014-03-26  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix.

        * runtime/JSCell.h: VS2013 confused about argument type.

2014-03-26  Zoltan Horvath  <zoltan@webkit.org>

        [CSS Shapes] Remove shape-inside support
        https://bugs.webkit.org/show_bug.cgi?id=130698

        Reviewed by David Hyatt.

        * Configurations/FeatureDefines.xcconfig:

2014-03-26  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Rename hasFastArrayStorage to be more appropriate
        https://bugs.webkit.org/show_bug.cgi?id=130773

        Reviewed by Filip Pizlo.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::unshift):
        (JSC::Butterfly::shift):
        * runtime/IndexingHeaderInlines.h:
        (JSC::IndexingHeader::preCapacity):
        * runtime/IndexingType.h:
        (JSC::hasArrayStorage):
        (JSC::hasAnyArrayStorage):
        (JSC::hasFastArrayStorage): Deleted.
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2014-03-26  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Removing the remaining Automake cruft.

        * GNUmakefile.list.am: Removed.

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
        https://bugs.webkit.org/show_bug.cgi?id=130764
        <rdar://problem/16304788>

        Reviewed by Sam Weinig.
        
        Being an arguments alias just means that your OSR exit recovery should attempt arguments
        creation. This is true of arguments locals. We had special cases that tried to make it not
        true of arguments locals. The only consequence of those special cases was to cause crashes
        in case of arguments that are also captured variables (i.e. we have SlowArguments). This
        change just removes those special cases.
        
        This change means that the FTL will now see SetLocals with a FlushedArguments format.
        Previously you wouldn't see them because previously only non-captured variables would be
        arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
        left. Adding handling for FlushedArguments is a benign and simple change since its
        behavior is identical to FlushedJSValue for that code's purposes.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        * tests/stress/captured-arguments-variable.js: Added.
        (foo):
        (noInline):

2014-03-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add HeapInlines
        https://bugs.webkit.org/show_bug.cgi?id=130759

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
        (JSC::MarkedBlockSnapshotFunctor::operator()):
        * heap/Heap.h: Also reindented while we're here.
        (JSC::Heap::writeBarrierBuffer):
        (JSC::Heap::vm):
        (JSC::Heap::objectSpace):
        (JSC::Heap::machineThreads):
        (JSC::Heap::operationInProgress):
        (JSC::Heap::allocatorForObjectWithoutDestructor):
        (JSC::Heap::allocatorForObjectWithNormalDestructor):
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
        (JSC::Heap::storageAllocator):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::isSafeToCollect):
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack):
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        (JSC::Heap::jitStubRoutines):
        (JSC::Heap::isDeferred):
        (JSC::Heap::structureIDTable):
        (JSC::Heap::removeCodeBlock):
        * heap/HeapInlines.h: Added.
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isBusy):
        (JSC::Heap::isCollecting):
        (JSC::Heap::heap):
        (JSC::Heap::isLive):
        (JSC::Heap::isInRememberedSet):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::setMarked):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        (JSC::Heap::reportExtraMemoryCost):
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::allocateWithNormalDestructor):
        (JSC::Heap::allocateWithImmortalStructureDestructor):
        (JSC::Heap::allocateWithoutDestructor):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        (JSC::Heap::ascribeOwner):
        (JSC::Heap::blockAllocator):
        (JSC::Heap::releaseSoon):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::markListSet):
        * runtime/JSCInlines.h:

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
        https://bugs.webkit.org/show_bug.cgi?id=130760

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/assign-argument-in-inlined-call.js: Added.
        (f1):
        (getF2Arguments):
        (f2):
        (f3):
        * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
        (f1):
        (f2):
        (f3):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit getter call alignment.

        Reviewed by Mark Hahnenberg.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Repatch should plant calls to getters directly rather than through a C helper
        https://bugs.webkit.org/show_bug.cgi?id=129589

        Reviewed by Mark Hahnenberg.
        
        As the title says. All of the superstructure for this was already in place, so now it
        was just a matter of actually emitting the call.
        
        8x speed-up for getter microbenchmarks. 

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicGetByIdList.h:
        (JSC::GetByIdAccess::doesCalls):
        * jit/AccessorCallJITStubRoutine.cpp: Added.
        (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::visitWeak):
        * jit/AccessorCallJITStubRoutine.h: Added.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeCell):
        * jit/GCAwareJITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::offsetOfGetter):
        (JSC::GetterSetter::offsetOfSetter):

2014-03-25  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling out r166126.

        Rollout r166126 in preparation to roll out prerequisite r166070

        Reverted changeset:

        "toThis() on a JSWorkerGlobalScope should return a JSProxy and
        not undefined"
        https://bugs.webkit.org/show_bug.cgi?id=130554
        http://trac.webkit.org/changeset/166126

2014-03-25  Oliver Hunt  <oliver@apple.com>

        AST incorrectly conflates readable and writable locations
        https://bugs.webkit.org/show_bug.cgi?id=130734

        Reviewed by Filip Pizlo.

        We need to distinguish between "locations" that are valid for reading
        and writing, vs those that may only be written.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isAssignmentLocation):

2014-03-24  Oliver Hunt  <oliver@apple.com>

        ASSERTION FAILED in Parser: dst != localReg
        https://bugs.webkit.org/show_bug.cgi?id=130710

        Reviewed by Filip Pizlo.

        Just make sure we don't try to write to a captured constant,
        following the change to track captured variables separately.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):

2014-03-25  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Remove the autotools build
        https://bugs.webkit.org/show_bug.cgi?id=130717

        Reviewed by Anders Carlsson.

        * GNUmakefile.am: Removed.
        * config.h: Remove references to the autotools configure file.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        More scaffolding for a stub routine to have a stub recursively embedded inside it
        https://bugs.webkit.org/show_bug.cgi?id=130770

        Reviewed by Oliver Hunt.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
        (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
        * bytecode/CallLinkInfo.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h:
        * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
        (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
        * jit/JITStubRoutine.cpp:
        (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
        * jit/JITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
        (JSC::emitCustomSetterStub): Clean up some code.

2014-03-24  Geoffrey Garen  <ggaren@apple.com>

        Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
        when WebKit is compiled with fcatch-undefined-behavior
        https://bugs.webkit.org/show_bug.cgi?id=130652

        Reviewed by Mark Hahnenberg.

        Use a static member function because the butterfly we pass in might be
        NULL, and passing NULL to a member function is undefined behavior.

        Stylistically, I think this new way reads a little more clearly, since it
        matches createOrGrowArrayRight, and it helps to convey that m_butterfly
        might not exist yet.

        * runtime/Butterfly.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
        because we might create. Split out the create path to avoid using NULL
        in a member function expression.

        Removed some unused versions of this function.

        * runtime/JSObject.cpp:
        (JSC::JSObject::growOutOfLineStorage): Updated for interface change.

2014-03-24  Oliver Hunt  <oliver@apple.com>

        Strict mode destructuring assignment crashes the parser.
        https://bugs.webkit.org/show_bug.cgi?id=130538

        Reviewed by Michael Saboff.

        The SyntaxChecker mode always returns 1 for success, except
        for a small subset of functions where we needed exact information.
        This ends up just being a poor design decision as it means
        the parser can get confused between a function returning 1, and
        the Resolve constant which was also 1. So we now use a unique
        type for every creation method.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSourceElements):
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::createArguments):
        (JSC::SyntaxChecker::createSpreadExpression):
        (JSC::SyntaxChecker::createArgumentsList):
        (JSC::SyntaxChecker::createPropertyList):
        (JSC::SyntaxChecker::createElementList):
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createClause):
        (JSC::SyntaxChecker::createClauseList):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createBlockStatement):
        (JSC::SyntaxChecker::createExprStatement):
        (JSC::SyntaxChecker::createIfStatement):
        (JSC::SyntaxChecker::createForLoop):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createForOfLoop):
        (JSC::SyntaxChecker::createEmptyStatement):
        (JSC::SyntaxChecker::createVarStatement):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createTryStatement):
        (JSC::SyntaxChecker::createSwitchStatement):
        (JSC::SyntaxChecker::createWhileStatement):
        (JSC::SyntaxChecker::createWithStatement):
        (JSC::SyntaxChecker::createDoWhileStatement):
        (JSC::SyntaxChecker::createLabelStatement):
        (JSC::SyntaxChecker::createThrowStatement):
        (JSC::SyntaxChecker::createDebugger):
        (JSC::SyntaxChecker::createConstStatement):
        (JSC::SyntaxChecker::appendConstDecl):
        (JSC::SyntaxChecker::combineCommaNodes):
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-24  Brent Fulgham  <bfulgham@apple.com>

        Activate WebVTT Tests Once Merging is Complete
        https://bugs.webkit.org/show_bug.cgi?id=130420

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)

2014-03-24  Andreas Kling  <akling@apple.com>

        Stop pulling in all the macro assemblers from VM.h
        <https://webkit.org/b/130691>

        Remove #include of "GPRInfo.h". This breaks WebCore's dependency
        on macro assemblers headers and removes 8 includes from every
        .cpp file in the JS bindings.

        Reviewed by Geoff Garen.

        * runtime/VM.h:

2014-03-24  Gavin Barraclough  <barraclough@apple.com>

        Add support for thread QoS
        https://bugs.webkit.org/show_bug.cgi?id=130688

        Reviewed by Andreas Kling.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):
            - block freeing is a utility activity.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::callLinkInfosEnd): Deleted.

2014-03-24  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
        https://bugs.webkit.org/show_bug.cgi?id=130453
        
        Reviewed by Filip Pizlo.

        Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
        at sxtw and uxtw instructions.

        * offlineasm/arm64.rb:

2014-03-23  Hyowon Kim  <hw1008.kim@samsung.com>

        Move all EFL typedefs into EflTypedefs.h.
        https://bugs.webkit.org/show_bug.cgi?id=130511

        Reviewed by Gyuyoung Kim.

        * heap/HeapTimer.h: Remove EFL typedefs.

2014-03-23  Filip Pizlo  <fpizlo@apple.com>

        Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
        https://bugs.webkit.org/show_bug.cgi?id=130650
        <rdar://problem/16122966>

        Reviewed by Michael Saboff.
        
        Previously, it was only in the case of inlining that we would do SetLocal's beyond the
        previously established numLocals limit. But then we added generalized op_call_varargs
        handling, which results in us emitting SetLocals that didn't previously exist in the
        bytecode.
        
        This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ensureLocals):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make this do alignment correctly.
        * runtime/Options.h:
        * tests/stress/call-varargs-from-inlined-code.js: Added.
        * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, adjust sizes for ARM64.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having an Int32 register format if it's a non-Int32 constant
        https://bugs.webkit.org/show_bug.cgi?id=130649
        <rdar://problem/16399949>

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * tests/stress/fuzz-bug-16399949.js: Added.
        (tryItOut.f):
        (tryItOut):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=130644

        Reviewed by Andreas Kling.
        
        This is conceptually a really simple change but it involves the following:
        
        - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.
        
        - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.
        
        - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
          longer has a vector of slow path counts that shadows the CallLinkInfo vector.
        
        - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
          and not all relinking.
        
        This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
        the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
        with an op_call/op_construct instruction and a machine code return PC within such an
        instruction.

        * bytecode/CallLinkInfo.h:
        (JSC::getCallLinkInfoCodeOrigin):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getCallLinkInfoMap):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::addCallLinkInfo):
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::byValInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit):
        (JSC::FTL::JSCall::link):
        * ftl/FTLJSCall.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkFor):
        (JSC::operationVirtualFor):
        (JSC::operationLinkClosureCallFor):
        * jit/Repatch.cpp:
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::slowPathFor):
        (JSC::virtualForThunkGenerator):
        * tests/stress/eval-that-is-not-eval.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix misspelled test name.

        * tests/stress/constand-folding-osr-exit.js: Removed.
        * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.

2014-03-22  Andreas Kling  <akling@apple.com>

        CREATE_DOM_WRAPPER doesn't need the ExecState.
        <https://webkit.org/b/130648>

        Add a fast path from JSGlobalObject to the VM so we don't have
        to dance via the Heap.

        Reviewed by Darin Adler.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::vm):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLJITFinalizer.cpp:

2014-03-22  Michael Saboff  <msaboff@apple.com>

        toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
        https://bugs.webkit.org/show_bug.cgi?id=130554

        Reviewed by Geoffrey Garen.

        Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
        Did some cleanup as well.  Moved the setting of the thisObject in a JSGlobalObject to
        happen in finishCreation() so that it will also happen for other derived classes including
        JSWorkerGlobalScopeBase.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        * jsc.cpp:
        (GlobalObject::create):
        * API/tests/testapi.c:
        (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
        the result from JSContextGetGlobalObject() as that will return the proxy.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
        we now call setGlobalThis in finishCreation().
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::setGlobalThis): Made this a private method.

2014-03-22  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * bytecode/CodeBlock.cpp:
        * runtime/Executable.cpp:

2014-03-22  Andreas Kling  <akling@apple.com>

        Cut down on JSC profiler includes in WebCore & co.
        <https://webkit.org/b/130637>

        Most of WebKit was pulling in JSC's profiler headers via VM.h.

        Reviewed by Darin Adler.

        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGJITFinalizer.cpp:
        * jsc.cpp:
        * runtime/VM.cpp:
        * runtime/VM.h:

2014-03-22  Landry Breuil  <landry@openbsd.org>

        Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
        https://bugs.webkit.org/show_bug.cgi?id=129965

        Reviewed by Anders Carlsson.

2014-03-21  Mark Lam  <mark.lam@apple.com>

        Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
        <https://webkit.org/b/124508>

        Reviewed by Oliver Hunt.

        The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
        pointer from the BytecodeGenerator's m_localScopes vector, and then it
        calls emitPopScopes().  emitPopScopes() may do finally clause handling
        which will require the m_localScopes to be cloned so that it can change
        the local scopes for the finally block, and then restore it after
        handling the finally clause.  These modifications of the m_localScopes
        vector will result in the LabelScope pointer in BreakNode::emitBytecode()
        becoming stale, thereby causing the crash.

        The same issue applies to the ContinueNode as well.

        The fix is to use the existing LabelScopePtr abstraction instead of raw
        LabelScope pointers.  The LabelScopePtr is resilient to the underlying
        vector re-allocating its backing store.

        I also changed the LabelScopePtr constructor that takes a LabelScopeStore
        to expect a reference to the owner store instead of a pointer because the
        owner store should never be a null pointer.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/LabelScope.h:
        (JSC::LabelScopePtr::LabelScopePtr):
        (JSC::LabelScopePtr::operator bool):
        (JSC::LabelScopePtr::null):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

2014-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        6% SunSpider commandline regression due to r165940
        https://bugs.webkit.org/show_bug.cgi?id=130617

        Reviewed by Michael Saboff.

        In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected 
        before. Some of the benchmarks are never running a single EdenCollection, which causes 
        them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer 
        slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of 
        magnitude more than we normally would.

        The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2014-03-21  Filip Pizlo  <fpizlo@apple.com>

        Constants folded by DFG::ByteCodeParser should not be dead.
        https://bugs.webkit.org/show_bug.cgi?id=130576

        Reviewed by Mark Hahnenberg.
        
        This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
        reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
        or more folders in LLVM). Doing so has no performance impact since the other constant folders
        already subsume this one.
        
        Also added a test case for the specific bug that instigated this.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::inferredConstant):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.h:
        * tests/stress/constand-folding-osr-exit.js: Added.
        (foo):
        (test):
        (.var):

2014-03-21  Mark Lam  <mark.lam@apple.com>

        StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
        <https://webkit.org/b/130566>

        Reviewed by Filip Pizlo.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
        https://bugs.webkit.org/show_bug.cgi?id=130562
        <rdar://problem/16382842>

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * tests/stress/uint32array-unsigned-load.js: Added.
        (foo):

2014-03-20  Brian Burg  <bburg@apple.com>

        Web Inspector: add frontend controller and models for replay sessions
        https://bugs.webkit.org/show_bug.cgi?id=130145

        Reviewed by Joseph Pecoraro.

        * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
        https://bugs.webkit.org/show_bug.cgi?id=130546
        <rdar://problem/16383308>

        Reviewed by Mark Hahnenberg.
        
        Make AI do a better job of folding this.
        
        Also made the FTL backend be more tolerant of data representations. In this case it
        didn't know that "constant" was a valid representation. There is a finite set of
        possible representations, but broadly, we don't write code that presumes anything
        about the representation of an input; that's what methods like lowJSValue() are for.
        ValueToInt32 was previously not relying on those methods at all because it had some
        hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
        to lowJSValue().

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
        * tests/stress/value-to-int32-undefined-constant.js: Added.
        (foo):
        * tests/stress/value-to-int32-undefined.js: Added.
        (foo):

2014-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some assertions back
        https://bugs.webkit.org/show_bug.cgi?id=130531

        Reviewed by Geoffrey Garen.

        We removed a useful set of assertions for verifying that MarkedBlocks were 
        in the state that we expected them to be in after clearing marks in the Heap. 
        We should add these back to catch bugs earlier.

        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::VerifyMarkedOrRetired::operator()):
        (JSC::MarkedSpace::clearMarks):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Implement stackmap header version check and support new stackmap formats
        https://bugs.webkit.org/show_bug.cgi?id=130535
        <rdar://problem/16164284>

        Reviewed by Geoffrey Garen.
        
        Add the notion of versioning so that LLVMers can happily implement new stackmap formats
        without worrying about WebKit getting version-locked to LLVM. In the future, we will have
        to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
        to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
        happy to move backward in time to older versions of LLVM.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::readObject):
        (JSC::FTL::StackMaps::Constant::parse):
        (JSC::FTL::StackMaps::StackSize::parse):
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        * ftl/FTLStackMaps.h:

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Crash beneath operationTearOffActivation running this JS compression demo
        https://bugs.webkit.org/show_bug.cgi?id=130295
        <rdar://problem/16332337>

        Reviewed by Oliver Hunt.
        
        Make sure that we flush things as if we were at a terminal, if we are at a block with
        no forward edges. This fixes infinitely loopy code with captured variables.

        Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.
        
        Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
        it by itself. Now it's an artifact of CPS rethreading.
        
        Add a bunch of tests. All of them previously either crashed or returned bad output due
        to memory corruption.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::isCaptured):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::flushForReturn):
        (JSC::DFG::ByteCodeParser::flushIfTerminal):
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::clearFlagsOnAllNodes):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * tests/stress/activation-test-loop.js: Added.
        (Inner.this.doStuff):
        (Inner):
        (foo.inner.isDone):
        (foo):
        * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (fuzz):
        (foo.f):
        (foo):
        * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):

2014-03-20  Oliver Hunt  <oliver@apple.com>

        Incorrect behavior when mutating a typed array during set.
        https://bugs.webkit.org/show_bug.cgi?id=130428

        Reviewed by Geoffrey Garen.

        This fixes a null dereference that occurs if a typed array
        is mutated during the set() operation. The patch gets rid
        of the "Quickly" version of setIndex that is assigning
        JSValues of unknown type, as the numeric conversion can trigger
        side effects that lead to neutering, and so we deref null.

        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndex):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Remove IdentifierTable typedef, isIdentifier()
        https://bugs.webkit.org/show_bug.cgi?id=130533

        Rubber stamped by Geoff Garen.

        Code should use AtomicStringTable, isAtomic() directly.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::~OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::className):
        * API/JSClassRef.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::createBindingPattern):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::add):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Merge AtomicString, Identifier
        https://bugs.webkit.org/show_bug.cgi?id=128624

        Reviewed by Geoff Garen.

        WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
        Identifier - that is one too many.

        Remove Identifier in favour of AtomicString. Identifier had two interesting
        mechanisms that we preserve.

        (1) JSC API VMs each get their own string table, switch the string table on
            API entry/exit.
        (2) JSC caches a pointer to the string table on the VM to avoid a thread
            specific access. Adds a new AtomicString::add method to support this.

        * API/JSAPIWrapperObject.mm:
            - updated includes.
        * JavaScriptCore.xcodeproj/project.pbxproj:
            - added IdentifierInlines.h.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
            - updated includes.
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
            - added, used via AtomicString::add to avoid thread-specific access.
        * runtime/ConsolePrototype.cpp:
            - updated includes.
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
            - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
            - added ASSERTS.
        (JSC::Identifier::add):
            - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/IdentifierInlines.h: Added.
        (JSC::Identifier::add):
            - moved from Identifier.h, use AtomicString::add.
        * runtime/JSCInlines.h:
            - added IdentifierInlines.h.
        * runtime/JSLock.h:
            - removed IdentifierTable.
        * runtime/PropertyNameArray.cpp:
            - updated includes.
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
            - ensure all single character strings are Atomic.
        * runtime/VM.cpp:
        (JSC::VM::VM):
            - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):
            - added, used via AtomicString::add to avoid thread-specific access.

2014-03-20  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] Fix assembler build issues and add cacheFlush support for Linux
        https://bugs.webkit.org/show_bug.cgi?id=130502

        Reviewed by Michael Saboff.

        Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
        because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
        Add cacheFlush support for Linux.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linuxPageFlush):
        (JSC::ARM64Assembler::cacheFlush):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):

2014-03-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=130494
        EmptyUnique strings are Identifiers/Atomic

        Reviewed by Geoff Garen.

        EmptyUnique strings should set the Identifier/Atomic flag.

        This fixes an unreproducible bug we believe exists in Identifier handling.
        Expected behaviour is that while Identifiers may reference EmptyUniques
        (StringImpls allocated as UIDs for PrivateNames), these are not created
        through the main Identifier constructor, the Identifier flag is not set
        on PrivateNames, and we should never lookup EmptyUnique strings in the
        IdentifierTable.

        Unfortunately that was happening. Some tables used to implement property
        access in the JIT hold StringImpl*s, and turn these back into Identifiers
        using the identifier constructor. Since the code generator will now plant
        by-id (cacheable) accesses to PrivateNames we can end up passing an
        EmptyUnique to Identifier::add, potentially leading to PrivateNames being
        uniqued together (though hard to prove, since the hash codes are random).

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
            - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
            - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.

        * dfg/DFGCommon.h:

2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last 
        FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't 
        be detected by an EdenCollection).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/EdenGCActivityCallback.cpp: Added.
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::lastGCLength):
        (JSC::EdenGCActivityCallback::deathRate):
        (JSC::EdenGCActivityCallback::gcTimeSlice):
        * heap/EdenGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/FullGCActivityCallback.cpp: Added.
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::FullGCActivityCallback::lastGCLength):
        (JSC::FullGCActivityCallback::deathRate):
        (JSC::FullGCActivityCallback::gcTimeSlice):
        * heap/FullGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createFullTimer):
        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportAbandonedObjectGraph):
        (JSC::Heap::didAbandon):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::setFullActivityCallback):
        (JSC::Heap::setEdenActivityCallback):
        (JSC::Heap::fullActivityCallback):
        (JSC::Heap::edenActivityCallback):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::didAllocate):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        * heap/HeapOperation.h:
        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::showObjectStatistics):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * jsc.cpp:
        (functionFullGC):
        (functionEdenGC):
        * runtime/Options.h:

2014-03-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165926.
        https://bugs.webkit.org/show_bug.cgi?id=130488

        broke the iOS build (Requested by estes on #webkit).

        Reverted changeset:

        "GC timer should intelligently choose between EdenCollections
        and FullCollections"
        https://bugs.webkit.org/show_bug.cgi?id=128261
        http://trac.webkit.org/changeset/165926

2014-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last 
        FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be 
        detected by an EdenCollection).

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::createFullTimer):
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::didAbandon):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::setFullActivityCallback):
        (JSC::Heap::setEdenActivityCallback):
        (JSC::Heap::fullActivityCallback):
        (JSC::Heap::edenActivityCallback):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::didAllocate):
        * heap/Heap.h:
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r165459): It broke 109 jsc stress tests on ARM Thumb2 and Mac 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=130134

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
        (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
        * jit/JITInlineCacheGenerator.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.

2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Normalize some of the older JSC options
        https://bugs.webkit.org/show_bug.cgi?id=128753

        Reviewed by Michael Saboff.

        * runtime/Options.cpp:
        (JSC::Options::initialize):

2014-03-12  Mark Lam  <mark.lam@apple.com>

        Update type of local vars to match the type of String length.
        <https://webkit.org/b/130077>

        Reviewed by Geoffrey Garen.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::join):

2014-03-18  Filip Pizlo  <fpizlo@apple.com>

        Get rid of Flush in SSA
        https://bugs.webkit.org/show_bug.cgi?id=130440

        Reviewed by Sam Weinig.
        
        This is basically a red patch. We used to use backwards flow for determining what was
        flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
        accomplish anything. Keeping them around in SSA can only make things hard.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::SSAData::SSAData):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
        * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2014-03-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix iOS production build.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-03-18  Michael Saboff  <msaboff@apple.com>

        Update RegExp Tracing code
        https://bugs.webkit.org/show_bug.cgi?id=130381

        Reviewed by Andreas Kling.

        Updated the regular expression tracing code for 8/16 bit JIT as
        well as match only entry points.  Also added average string length
        metric.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::match):
        (JSC::RegExp::printTraceData):
        * runtime/RegExp.h:
        * runtime/VM.cpp:
        (JSC::VM::addRegExpToTrace):
        (JSC::VM::dumpRegExpTrace):
        * runtime/VM.h:
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
        (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
        (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
        (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):

2014-03-17  Filip Pizlo  <fpizlo@apple.com>

        Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
        https://bugs.webkit.org/show_bug.cgi?id=130300

        Reviewed by Mark Hahnenberg.
        
        We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
        This makes the DFG aware of this.
        
        Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
        the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
        
        This also gives the DFG some abstractions for checking something is a cell or is other.
        This made this patch easier to write and also simplified a bunch of other stuff.
        
        1% speed-up on Octane.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::JumpList::JumpList):
        * bytecode/SpeculatedType.h:
        (JSC::isNotStringVarSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::childFor):
        (JSC::DFG::Node::shouldSpeculateNotStringVar):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
        (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
        (JSC::DFG::SpeculativeJIT::speculateNotCell):
        (JSC::DFG::SpeculativeJIT::speculateOther):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
        (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
        (JSC::DFG::SpeculativeJIT::booleanResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::branchIsCell):
        (JSC::DFG::branchNotCell):
        (JSC::DFG::SpeculativeJIT::branchIsOther):
        (JSC::DFG::SpeculativeJIT::branchNotOther):
        (JSC::DFG::SpeculativeJIT::moveTrueTo):
        (JSC::DFG::SpeculativeJIT::moveFalseTo):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::branchIsCell):
        (JSC::DFG::SpeculativeJIT::branchNotCell):
        (JSC::DFG::SpeculativeJIT::branchIsOther):
        (JSC::DFG::SpeculativeJIT::branchNotOther):
        (JSC::DFG::SpeculativeJIT::moveTrueTo):
        (JSC::DFG::SpeculativeJIT::moveFalseTo):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::lowString):
        (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateString):
        (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
        (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
        * runtime/JSCJSValue.h:
        * tests/stress/string-ident-to-not-string-var-equality.js: Added.
        (foo):
        (bar):
        (test):

2014-03-18  Joseph Pecoraro  <pecoraro@apple.com>

        Add Copyright to framework.sb
        https://bugs.webkit.org/show_bug.cgi?id=130413

        Reviewed by Timothy Hatcher.

        Other sb files got the copyright. Follow suit.

        * framework.sb:

2014-03-18  Matthew Mirman  <mmirman@apple.com>

        Removed extra parens from if statement in a preprocessor define.
        https://bugs.webkit.org/show_bug.cgi?id=130408

        Reviewed by Filip Pizlo.

        * parser/Parser.cpp:

2014-03-18  Filip Pizlo  <fpizlo@apple.com>

        More FTL enabling.

        Rubber stamped by Dan Bernstein and Mark Hahnenberg.

        * Configurations/FeatureDefines.xcconfig:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2014-03-17  Michael Saboff  <msaboff@apple.com>

        V8 regexp spends most of its time in operationGetById
        https://bugs.webkit.org/show_bug.cgi?id=130380

        Reviewed by Filip Pizlo.

        Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
        When V8 regexp is run from the command line, this nets a 2% performance improvement.
        When the test is run for a longer amount of time, there is much less benefit as the
        DFG will emit the appropriate code for String.length.  This does remove
        operationGetById as the hottest function when run from the command line.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2014-03-17  Andreas Kling  <akling@apple.com>

        Add one-deep cache to opaque roots hashset.
        <https://webkit.org/b/130357>

        The vast majority of WebCore JS wrappers will have their Document*
        as the root(). This change adds a simple optimization where we cache
        the last lookup and avoid going to the hashset for repeated queries.

        Looks like 0.4% progression on DYEB on my MBP.

        Reviewed by Mark Hahnenberg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/OpaqueRootSet.h: Added.
        (JSC::OpaqueRootSet::OpaqueRootSet):
        (JSC::OpaqueRootSet::contains):
        (JSC::OpaqueRootSet::isEmpty):
        (JSC::OpaqueRootSet::clear):
        (JSC::OpaqueRootSet::add):
        (JSC::OpaqueRootSet::size):
        (JSC::OpaqueRootSet::begin):
        (JSC::OpaqueRootSet::end):
        * heap/SlotVisitor.h:

2014-03-17  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Implement Math.hypot
        https://bugs.webkit.org/show_bug.cgi?id=129486

        Reviewed by Darin Adler.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncHypot):

2014-03-17  Zsolt Borbely  <borbezs@inf.u-szeged.hu>

        Fix the !ENABLE(PROMISES) build
        https://bugs.webkit.org/show_bug.cgi?id=130328

        Reviewed by Darin Adler.

        Add missing ENABLE(PROMISES) guards.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPromiseReaction.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-03-16  Andreas Kling  <akling@apple.com>

        REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
        <https://webkit.org/b/130304>

        Reviewed by Anders Carlsson.

        Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
        that doesn't put a potentially unwanted string into the Identifier table.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):

2014-03-16  Brian Burg  <bburg@apple.com>

        Web Inspector: generated backend commands should reflect build system ENABLE settings
        https://bugs.webkit.org/show_bug.cgi?id=130111

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:

        Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
        instead of globbing any .json file.

        * DerivedSources.make:

        Force the combined inspector protocol file to be regenerated if
        the content or list of domains itself changes.

2014-03-16  Brian Burg  <bburg@apple.com>

        Web Inspector: vended backend commands file should be generated as part of the build
        https://bugs.webkit.org/show_bug.cgi?id=130110

        Reviewed by Timothy Hatcher.

        * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
        private headers directory.

2014-03-16  Darin Adler  <darin@apple.com>

        Remove all uses of deprecatedCharacters from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=130304

        Reviewed by Anders Carlsson.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
        (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
        just use the standard one that takes a String.
        (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
        hand-written alternative.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue): Create InspectorString from String directly
        instead of involving a character pointer. Use the String from Identifier
        directly instead of making a new String.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
        instead of building a String a character at a time. This is still a very slow
        way to do this. Also use strchr to search for a character instead of building
        a String every time just to use find on it.

        * inspector/InspectorValues.cpp:
        (Inspector::doubleQuoteString): Remove unnecessary trip through a
        character pointer. This is still a really slow way to do this.
        (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
        instead of String::deprecatedCharacters. Still slow to always upconvert.

        * runtime/DateConstructor.cpp: Removed unneeded include.
        * runtime/DatePrototype.cpp: Ditto.

        * runtime/Identifier.h: Removed deprecatedCharacters function.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Added a type cast to avoid ambiguity with the two character-
        appending functions from JSStringBuilder. Removed unneeded code duplicating
        what JSStringBuilder already does in its character append function.
        (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
        (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
        is used outside this file have external linkage. Added a new overload that takes
        a StringView.
        (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
        (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
        single character.

        * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.

        * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
        (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
        Made one overload private. Fixed a performance bug where we would reserve capacity
        in the 8-bit buffer but then append to the 16-bit buffer.

        * runtime/ObjectPrototype.cpp: Removed unneeded include.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
        (JSC::stringProtoFuncLink): Ditto.

2014-03-15  Filip Pizlo  <fpizlo@apple.com>

        FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
        https://bugs.webkit.org/show_bug.cgi?id=130296

        Reviewed by Andreas Kling.
        
        During the 32-bit structure ID work, the second load of the structure was removed.
        That's wrong. The whole point of loading the structure ID again is that the structure
        ID would have been changed by the arrayification call, and we're verifying that the
        arrayification succeeded in changing the structure. If we check the old structure - as
        the code was doing after the 32-bit structure ID work - then this check is guaranteed
        to fail, causing a significant performance regression.
        
        It's actually amazing that the regression wasn't bigger. The reason is that if FTL
        code pathologically exits but the equivalent DFG code doesn't, then the exponential
        backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
        the time at least, the DFG wasn't much slower so this didn't cause too much pain.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):

2014-03-15  Filip Pizlo  <fpizlo@apple.com>

        FTL should support CheckHasInstance/InstanceOf
        https://bugs.webkit.org/show_bug.cgi?id=130285

        Reviewed by Sam Weinig.
        
        Fairly straightforward; I also discovered an inaccurate FIXME in the process.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
        (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::phi):
        * tests/stress/instanceof.js: Added.
        * tests/stress/instanceof-not-cell.js: Added.

2014-03-15  Michael Saboff  <msaboff@apple.com>

        It should be possible to adjust DFG and FTL compiler thread priorities
        https://bugs.webkit.org/show_bug.cgi?id=130288

        Reviewed by Filip Pizlo.

        Added ability to change thread priorities relative to their current priority.
        Created options to adjust the priority of the DFG and FTL compilation work thread
        pools.  For two core systems, there might be three runnable threads, the main thread,
        the DFG compilation thread and the FTL compilation thread.  With the same priority,
        the scheduler is free to schedule whatever thread it wants.  By lowering the
        compilation threads, the main thread can run.  Further tests may suggest better values
        for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.

        For a two-core device, this change has a net positive improvement of 1-3% across
        SunSpider, Octane, Kraken and AsmBench.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * runtime/Options.cpp:
        (JSC::computePriorityDeltaOfWorkerThreads):
        * runtime/Options.h:

2014-03-15  David Kilzer  <ddkilzer@apple.com>

        [iOS] Define SYSTEM_VERSION_PREFIX consistently
        <http://webkit.org/b/130293>
        <rdar://problem/15926359>

        Reviewed by Dan Bernstein.

        * Configurations/Version.xcconfig:
        (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
        Source/WebKit/mac/Version.xcconfig.

2014-03-15  David Kilzer  <ddkilzer@apple.com>

        Fix build: using integer absolute value function 'abs' when argument is of floating point type
        <http://webkit.org/b/130286>

        Reviewed by Filip Pizlo.

        Fixes the following build failure using trunk clang:

            JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
                    value = abs(value);
                            ^
            JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
                    value = abs(value);
                            ^~~
                            fabs

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
        fabs().

2014-03-14  Oliver Hunt  <oliver@apple.com>

        Reinstate initialiser syntax in for-in loops
        https://bugs.webkit.org/show_bug.cgi?id=130269

        Reviewed by Michael Saboff.

        Disallowing the initialiser broke some sites so this patch re-allows
        the syntax.  We still disallow the syntax in 'of' and pattern based
        enumeration.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::isBindingNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-14  Mark Lam  <mark.lam@apple.com>

        Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
        <https://webkit.org/b/130279>

        Reviewed by Filip Pizlo.

        If neither the getter nor setter are defined, accessing __lookupGetter__
        and __lookupSetter__ will return undefined as expected.  However, if the
        getter is defined but the setter is not, accessing __lookupSetter__ will
        crash the VM.  Similarly, accessing __lookupGetter__ when only the setter
        is defined will crash the VM.

        The reason is because objectProtoFuncLookupGetter() and
        objectProtoFuncLookupSetter() did not check if the getter and setter
        value is non-null before returning it as an EncodedJSValue.  The fix is
        to add the appropriate null checks.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):
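
The entry above fixes a null dereference in the VM when exactly one half of an accessor pair is present. The expected script-visible behaviour after the fix is that `__lookupGetter__` and `__lookupSetter__` return `undefined` for the missing half rather than crashing. The block below is an added example, not JavaScriptCore code or the patch's test; it exercises all four getter/setter combinations and assumes a host exposing the legacy Annex B `Object.prototype.__lookupGetter__` / `__lookupSetter__` accessors. The prototype-walk case at the end goes slightly beyond the entry: these functions search the prototype chain, so an accessor installed on a prototype is found from an instance.

```javascript
'use strict';
// Added example (not JavaScriptCore code). Probes the getter/setter
// combinations described in the entry; every result is returned, not printed,
// so a harness can assert on it.

// Build an object whose property 'p' has the requested halves of an accessor
// pair, then report what the two legacy lookups return.
function probeLookup(hasGetter, hasSetter) {
  const obj = {};
  if (hasGetter || hasSetter) {
    const desc = { configurable: true, enumerable: true };
    if (hasGetter) desc.get = function () { return 1; };
    if (hasSetter) desc.set = function (_v) {};
    Object.defineProperty(obj, 'p', desc);
  }
  const g = obj.__lookupGetter__('p');
  const s = obj.__lookupSetter__('p');
  // Normalise to 'function' or undefined so the table is easy to compare.
  return {
    getter: typeof g === 'function' ? 'function' : g,
    setter: typeof s === 'function' ? 'function' : s,
  };
}

// All four combinations, including the two one-sided cases that used to crash.
function lookupMatrix() {
  return [
    [false, false], [true, false], [false, true], [true, true],
  ].map(([g, s]) => ({ hasGetter: g, hasSetter: s, ...probeLookup(g, s) }));
}

// Assumption beyond the entry: the lookup walks the prototype chain, so an
// accessor defined on a prototype is visible through an instance.
function lookupThroughPrototype() {
  const proto = {};
  Object.defineProperty(proto, 'q', {
    get() { return 'from-proto'; },
    configurable: true,
  });
  const inst = Object.create(proto);
  const g = inst.__lookupGetter__('q');
  return {
    getterFound: typeof g === 'function',
    setterFound: typeof inst.__lookupSetter__('q') === 'function',
    value: typeof g === 'function' ? g.call(inst) : undefined,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(lookupMatrix());
  console.log(lookupThroughPrototype());
}
```

The two one-sided rows are the regression check: on a VM with the bug the second lookup in each of those rows crashes instead of returning `undefined`.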

2014-03-14  Mark Rowe  <mrowe@apple.com>

        Fix the production build.

        Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
        be at the expected relative path when working from installed source.

        * Configurations/Base.xcconfig:

2014-03-14  Maciej Stachowiak  <mjs@apple.com>

        Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
        https://bugs.webkit.org/show_bug.cgi?id=130276
        <rdar://problem/16266927>

        Reviewed by Simon Fraser.

        * API/APICast.h:
        * API/JSBase.cpp:
        * API/JSBase.h:
        * API/JSBasePrivate.h:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSClassRef.cpp:
        * API/JSClassRef.h:
        * API/JSContextRef.cpp:
        * API/JSContextRef.h:
        * API/JSContextRefPrivate.h:
        * API/JSObjectRef.cpp:
        * API/JSObjectRef.h:
        * API/JSProfilerPrivate.cpp:
        * API/JSProfilerPrivate.h:
        * API/JSRetainPtr.h:
        * API/JSStringRef.cpp:
        * API/JSStringRef.h:
        * API/JSStringRefBSTR.cpp:
        * API/JSStringRefBSTR.h:
        * API/JSStringRefCF.cpp:
        * API/JSStringRefCF.h:
        * API/JSValueRef.cpp:
        * API/JSValueRef.h:
        * API/JavaScript.h:
        * API/JavaScriptCore.h:
        * API/OpaqueJSString.cpp:
        * API/OpaqueJSString.h:
        * API/tests/JSNode.c:
        * API/tests/JSNode.h:
        * API/tests/JSNodeList.c:
        * API/tests/JSNodeList.h:
        * API/tests/Node.c:
        * API/tests/Node.h:
        * API/tests/NodeList.c:
        * API/tests/NodeList.h:
        * API/tests/minidom.c:
        * API/tests/minidom.js:
        * API/tests/testapi.c:
        * API/tests/testapi.js:
        * DerivedSources.make:
        * bindings/ScriptValue.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Instruction.h:
        * bytecode/JumpTable.cpp:
        * bytecode/JumpTable.h:
        * bytecode/Opcode.cpp:
        * bytecode/Opcode.h:
        * bytecode/SamplingTool.cpp:
        * bytecode/SamplingTool.h:
        * bytecode/SpeculatedType.cpp:
        * bytecode/SpeculatedType.h:
        * bytecode/ValueProfile.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        * bytecompiler/LabelScope.h:
        * bytecompiler/RegisterID.h:
        * debugger/DebuggerCallFrame.cpp:
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredStructureChains.h:
        * heap/GCActivityCallback.cpp:
        * heap/GCActivityCallback.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/IdentifiersFactory.cpp:
        * inspector/IdentifiersFactory.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptSource.js:
        * inspector/ScriptBreakpoint.h:
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * interpreter/JSStack.cpp:
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/CompactJITCodeMap.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * os-win32/stdbool.h:
        * parser/SourceCode.h:
        * parser/SourceProvider.h:
        * profiler/LegacyProfiler.cpp:
        * profiler/LegacyProfiler.h:
        * profiler/ProfileNode.cpp:
        * profiler/ProfileNode.h:
        * runtime/ArrayBufferView.cpp:
        * runtime/ArrayBufferView.h:
        * runtime/BatchedTransitionOptimizer.h:
        * runtime/CallData.h:
        * runtime/ConstructData.h:
        * runtime/DumpContext.cpp:
        * runtime/DumpContext.h:
        * runtime/ExceptionHelpers.cpp:
        * runtime/ExceptionHelpers.h:
        * runtime/InitializeThreading.cpp:
        * runtime/InitializeThreading.h:
        * runtime/IntegralTypedArrayBase.h:
        * runtime/IntendedStructureChain.cpp:
        * runtime/IntendedStructureChain.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSExportMacros.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSVariableObject.cpp:
        * runtime/JSVariableObject.h:
        * runtime/PropertyTable.cpp:
        * runtime/PutPropertySlot.h:
        * runtime/SamplingCounter.cpp:
        * runtime/SamplingCounter.h:
        * runtime/Structure.cpp:
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        * runtime/StructureChain.h:
        * runtime/StructureInlines.h:
        * runtime/StructureTransitionTable.h:
        * runtime/SymbolTable.cpp:
        * runtime/SymbolTable.h:
        * runtime/TypedArrayBase.h:
        * runtime/TypedArrayType.cpp:
        * runtime/TypedArrayType.h:
        * runtime/VM.cpp:
        * runtime/VM.h:
        * yarr/RegularExpression.cpp:
        * yarr/RegularExpression.h:

2014-03-14  Filip Pizlo  <fpizlo@apple.com>

        Final FTL iOS build magic
        https://bugs.webkit.org/show_bug.cgi?id=130281

        Reviewed by Michael Saboff.

        * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
        * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/

2014-03-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Gracefully handle nil name -[JSContext setName:]
        https://bugs.webkit.org/show_bug.cgi?id=130262

        Reviewed by Mark Hahnenberg.

        * API/JSContext.mm:
        (-[JSContext setName:]):
        Gracefully handle nil input.

        * API/tests/testapi.c:
        (globalContextNameTest):
        * API/tests/testapi.mm:
        Test for nil / NULL names in the ObjC and C APIs.

2014-03-11  Oliver Hunt  <oliver@apple.com>

        Improve dom error messages
        https://bugs.webkit.org/show_bug.cgi?id=130103

        Reviewed by Andreas Kling.

        Add new helper function.

        * runtime/Error.h:
        (JSC::throwVMTypeError):

2014-03-14  László Langó  <llango.u-szeged@partner.samsung.com>

        Remove unused method declaration.
        https://bugs.webkit.org/show_bug.cgi?id=130238

        Reviewed by Filip Pizlo.

        The implementation of CallFrame::dumpCaller was removed in
        http://trac.webkit.org/changeset/153183, but the declaration of it was not.

        * interpreter/CallFrame.h:
        Remove CallFrame::dumpCaller() method declaration.

2014-03-12  Sergio Villar Senin  <svillar@igalia.com>

        Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
        https://bugs.webkit.org/show_bug.cgi?id=129612

        Reviewed by Darin Adler.

        For new code use static NeverDestroyed<T> instead.

        * API/JSAPIWrapperObject.mm:
        (jsAPIWrapperObjectHandleOwner):
        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocators):

2014-03-12  Gavin Barraclough  <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.

2014-03-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac no-FTL build.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-13  Juergen Ributzka  <juergen@apple.com>

        Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
        https://bugs.webkit.org/show_bug.cgi?id=130224

        Reviewed by Filip Pizlo.

        This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
        the LLVM dylib. This allows the dylib to be safely used with other LLVM
        dylibs on the same system. It also reduces the dynamic linking overhead
        and also reduces the size by 6MB, because the linker can now dead strip
        many unused functions.

        * Configurations/LLVMForJSC.xcconfig:

2014-03-13  Andreas Kling  <akling@apple.com>

        VM::discardAllCode() should clear the RegExp cache.
        <https://webkit.org/b/130144>

        Reviewed by Michael Saboff.

        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-13  Andreas Kling  <akling@apple.com>

        Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
        <https://webkit.org/b/129995>

        This code path is not taken anymore on DYEB, and I can't explain why
        it was showing up in my profiles. Backing it out per JoePeck's suggestion.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should support IsBlah
        https://bugs.webkit.org/show_bug.cgi?id=130202

        Reviewed by Geoffrey Garen.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
        (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
        (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
        (JSC::FTL::LowerDFGToLLVM::compileIsString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
        (JSC::FTL::LowerDFGToLLVM::isNumber):
        (JSC::FTL::LowerDFGToLLVM::isNotNumber):
        (JSC::FTL::LowerDFGToLLVM::isBoolean):
        * ftl/FTLOSRExitCompiler.cpp:
        * tests/stress/is-undefined-exit-on-masquerader.js: Added.
        (bar):
        (foo):
        (test):
        * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
        (foo):
        (test):
        * tests/stress/is-undefined-masquerader.js: Added.
        (foo):
        (test):

2014-03-13  Mark Lam  <mark.lam@apple.com>

        JS benchmarks crash with a bus error on 32-bit x86.
        <https://webkit.org/b/130203>

        Reviewed by Geoffrey Garen.

        The issue is that generateGetByIdStub() can potentially use the same register
        for the JSValue base register and the target tag register.  After loading the
        tag value into the target tag register, the JSValue base address is lost.
        The code then proceeds to load the payload value using the base register, and
        this results in a crash.

        The fix is to check if the base register is the same as the target tag register.
        If so, we should make a copy of the base register first before loading the tag
        value, and use the copy to load the payload value instead.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-12  Filip Pizlo  <fpizlo@apple.com>

        WebKit shouldn't crash on uniprocessor machines
        https://bugs.webkit.org/show_bug.cgi?id=130176

        Reviewed by Michael Saboff.
        
        Previously the math for computing the number of JIT compiler threads would come up with
        zero threads on uniprocessor machines, and then the Worklist code would assert.

        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        * runtime/Options.h:

2014-03-13  Radu Stavila  <stavila@adobe.com>

        WebKit not building on Xcode 5.1 due to garbage collection no longer being supported
        https://bugs.webkit.org/show_bug.cgi?id=130087

        Reviewed by Mark Rowe.

        Disable garbage collection on macosx when not using internal SDK.

        * Configurations/Base.xcconfig:

2014-03-10  Darin Adler  <darin@apple.com>

        Avoid copy-prone idiom "for (auto item : collection)"
        https://bugs.webkit.org/show_bug.cgi?id=129990

        Reviewed by Geoffrey Garen.

        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
        make explicit that we are iterating through pointers.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
        get rid of an unneeded local variable.

2014-03-13  Brian Burg  <bburg@apple.com>

        Web Inspector: Remove unused callId parameter from evaluateInWebInspector
        https://bugs.webkit.org/show_bug.cgi?id=129744

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::evaluateForTestInFrontend):
        * inspector/agents/InspectorAgent.h:
        * inspector/protocol/InspectorDomain.json:

2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
        https://bugs.webkit.org/show_bug.cgi?id=130069

        Reviewed by Geoffrey Garen.
        
        This was a great assertion, and it represents our strictest interpretation of the rules of
        our intermediate representation. However, fixing DCE to actually preserve the relevant
        property would be hard, and it wouldn't have an observable effect right now because nobody
        actually uses the property of CPS that this assertion is checking for.
        
        In particular, we do always require, and rely on, the fact that non-captured variables
        have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
        block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
        PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
        broken in this regard. But, in the strictest sense, CPS also means that for captured
        variables, variablesAtTail also continues to point to the last relevant use of the
        variable. In particular, if there are multiple GetLocals, then it should point to the last
        one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
        variables, except to check the VariableAccessData; but in that case, we don't really need
        the *last* relevant use of the variable - any node that mentions the same variable will do
        just fine.
        
        So, this change loosens the assertion and adds a detailed FIXME describing what we would
        have to do if we wanted to preserve the more strict property.
        
        This also makes changes to various debug printing paths so that validation doesn't crash
        during graph dump. This also adds tests for the interesting cases of DCE failing to
        preserve CPS in the strictest sense. This also attempts to win the record for longest test
        name.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hashAsStringIfPossible):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hashAsStringIfPossible):
        (JSC::InlineCallFrame::dumpBriefFunctionInformation):
        * bytecode/CodeOrigin.h:
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
        (foo):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
        (foo):

2014-03-12  Brian Burg  <bburg@apple.com>

        Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
        https://bugs.webkit.org/show_bug.cgi?id=129445

        Reviewed by Timothy Hatcher.

        There was a bug in the replay inputs code generator that would include
        headers for definitions of enum classes, even though they can be safely
        forward-declared.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes): Only include for copy constructor if the
        type is a heavy scalar (i.e., String, URL), not a normal scalar
        (i.e., int, double, enum classes).

        (Generator.generate_type_forward_declarations): Forward-declare scalars
        that are enums or enum classes.

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
        https://bugs.webkit.org/show_bug.cgi?id=130118

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Hang in Remote Inspection triggering breakpoint from console
        https://bugs.webkit.org/show_bug.cgi?id=130032

        Reviewed by Timothy Hatcher.

        * inspector/EventLoop.h:
        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::remoteInspectorRunLoopMode):
        (Inspector::EventLoop::cycle):
        Expose the run loop mode name so it can be used if needed by others.

        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        (Inspector::RemoteInspectorQueueTask):
        Instead of a dispatch_queue, have our own static Vector of debugger tasks.

        (Inspector::RemoteInspectorHandleRunSource):
        (Inspector::RemoteInspectorInitializeQueue):
        Initialize the static queue and run loop source. When the run loop source
        fires, it will exhaust the queue of debugger messages.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        When we get a debuggable connection add a run loop source for inspector commands.

        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        Enqueue blocks on our Vector instead of our dispatch_queue.

2014-03-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165482.
        https://bugs.webkit.org/show_bug.cgi?id=130157

        Broke the windows build; "error C2466: cannot allocate an
        array of constant size 0" (Requested by jernoble on #webkit).

        Reverted changeset:

        "Reduce memory use for static property maps"
        https://bugs.webkit.org/show_bug.cgi?id=129986
        http://trac.webkit.org/changeset/165482

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove HandleSet::m_nextToFinalize
        https://bugs.webkit.org/show_bug.cgi?id=130109

        Reviewed by Mark Lam.

        This is a remnant of when HandleSet contained things that needed to be finalized. 

        * heap/HandleSet.cpp:
        (JSC::HandleSet::HandleSet):
        (JSC::HandleSet::writeBarrier):
        * heap/HandleSet.h:
        (JSC::HandleSet::allocate):
        (JSC::HandleSet::deallocate):

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Layout Test fast/workers/worker-gc.html is failing
        https://bugs.webkit.org/show_bug.cgi?id=130135

        Reviewed by Geoffrey Garen.

        When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's 
        main list of blocks, i.e. not in the retired list. When shutting down the VM this
        wasn't always the case, which was causing ASSERTs to fire. We should rearrange things
        so that allocators are notified with lastChanceToFinalize. This will give them 
        the chance to move their retired blocks back into the main list before removing them all.

        * heap/MarkedAllocator.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedAllocator::lastChanceToFinalize):
        * heap/MarkedAllocator.h:
        * heap/MarkedSpace.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedSpace::lastChanceToFinalize):

2014-03-12  Gavin Barraclough  <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indices into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.

The two-level layout this entry describes (a read-only index mapping hash buckets to positions in a densely packed value array, with collision chains, the index built ahead of time so only the keys need runtime allocation), as an added C++ example that is not WebKit's code and also illustrates the identical description in the re-landed copy of this entry above. It assumes C++14, uses constexpr evaluation to play the part of the create_hash_table derived-sources step, substitutes FNV-1a for WebKit's string hasher and plain C strings for Identifier keys, and the property names are constructed sample data.

```cpp
// Added example (not WebKit's code): a static property table split into a
// read-only, densely packed value array and a precomputed index that maps
// hash buckets to positions in that array, with collision chains. Only the
// keys would need allocating at runtime (plain C strings stand in for
// Identifiers here). Needs C++14 for the constexpr loops.
#include <cstddef>
#include <cstdint>
#include <cstdio>

struct HashTableValue {      // one packed entry, kept in read-only memory
    const char* key;
    int value;               // stands in for the function pointer / getter / attributes
};

// Constructed sample table (hypothetical property names, not a real class's).
constexpr HashTableValue kValues[] = {
    {"length", 0}, {"push", 1}, {"pop", 2}, {"slice", 3},
    {"splice", 4}, {"join", 5}, {"sort", 6},
};
constexpr int kValueCount = sizeof(kValues) / sizeof(kValues[0]);

// FNV-1a stands in for WebKit's string hasher (assumption: any hash works as
// long as the build-time generator and the runtime lookup agree on it).
constexpr uint32_t hashKey(const char* s) {
    uint32_t h = 2166136261u;
    for (; *s; ++s) {
        h ^= static_cast<unsigned char>(*s);
        h *= 16777619u;
    }
    return h;
}

constexpr bool keyEquals(const char* a, const char* b) {
    while (*a && *a == *b) { ++a; ++b; }
    return *a == *b;
}

struct HashTableIndex {      // one bucket: position in kValues, and next bucket in the chain
    int value;               // -1 means empty
    int next;                // -1 means end of chain
};

// Smallest power of two >= 2 * count, like create_hash_table's compactSize.
constexpr int computeCompactSize() {
    int n = 1;
    while (n < 2 * kValueCount) n <<= 1;
    return n;
}
constexpr int kCompactSize = computeCompactSize();
constexpr uint32_t kMask = static_cast<uint32_t>(kCompactSize - 1);
// Primary buckets plus one overflow bucket per value is always enough.
constexpr int kIndexSize = kCompactSize + kValueCount;

struct IndexTable { HashTableIndex slots[kIndexSize]; };

// Build the index ahead of time; this plays the role of the derived-sources
// step, so the result can live in read-only data.
constexpr IndexTable buildIndex() {
    IndexTable table{};
    for (int i = 0; i < kIndexSize; ++i) table.slots[i] = HashTableIndex{-1, -1};
    int overflow = kCompactSize;
    for (int i = 0; i < kValueCount; ++i) {
        int h = static_cast<int>(hashKey(kValues[i].key) & kMask);
        if (table.slots[h].value == -1) { table.slots[h].value = i; continue; }
        // Collision: walk to the end of the chain, then link a fresh overflow bucket.
        while (table.slots[h].next != -1) h = table.slots[h].next;
        table.slots[h].next = overflow;
        table.slots[overflow].value = i;
        ++overflow;
    }
    return table;
}
constexpr IndexTable kIndex = buildIndex();

// Runtime lookup: hash, then follow the chain comparing keys against the packed array.
const HashTableValue* lookup(const char* key) {
    int h = static_cast<int>(hashKey(key) & kMask);
    while (h != -1) {
        const HashTableIndex& slot = kIndex.slots[h];
        if (slot.value == -1) return nullptr;   // empty primary bucket
        const HashTableValue& entry = kValues[slot.value];
        if (keyEquals(entry.key, key)) return &entry;
        h = slot.next;
    }
    return nullptr;
}

// Longest collision chain; create_hash_table computes this to keep chaining shallow.
int maxChainLength() {
    int longest = 0;
    for (int b = 0; b < kCompactSize; ++b) {
        int len = 0;
        for (int h = b; h != -1 && kIndex.slots[h].value != -1; h = kIndex.slots[h].next) ++len;
        if (len > longest) longest = len;
    }
    return longest;
}

// Every key in the packed array must be reachable through the index.
bool allKeysResolve() {
    for (int i = 0; i < kValueCount; ++i)
        if (lookup(kValues[i].key) != &kValues[i]) return false;
    return true;
}

int main() {
    const HashTableValue* v = lookup("push");
    std::printf("push -> %d, index buckets %d, longest chain %d\n",
                v ? v->value : -1, kIndexSize, maxChainLength());
    return allKeysResolve() ? 0 : 1;
}
```

Because kIndex and kValues are constexpr objects, nothing in the table is written at runtime; a real implementation would still allocate the Identifier keys lazily, which is the only per-process cost the entry leaves in place.


2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to build WebKit with FTL on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130116

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
        https://bugs.webkit.org/show_bug.cgi?id=129778

        Reviewed by Geoffrey Garen.
        
        Also deduplicate the GetById getter call caching. Also add some small tests for
        get stubs.
        
        This change reduces the amount of code involved in GetById access caching and it
        creates data structures that can serve as an elegant scaffold for introducing other
        kinds of caches or improving current caching styles. It will definitely make getter
        performance improvements easier to implement.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/PolymorphicGetByIdList.cpp: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::~GetByIdAccess):
        (JSC::GetByIdAccess::fromStructureStubInfo):
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::from):
        (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
        (JSC::PolymorphicGetByIdList::addAccess):
        (JSC::PolymorphicGetByIdList::isFull):
        (JSC::PolymorphicGetByIdList::isAlmostFull):
        (JSC::PolymorphicGetByIdList::didSelfPatching):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::isSet):
        (JSC::GetByIdAccess::operator!):
        (JSC::GetByIdAccess::type):
        (JSC::GetByIdAccess::structure):
        (JSC::GetByIdAccess::chain):
        (JSC::GetByIdAccess::chainCount):
        (JSC::GetByIdAccess::stubRoutine):
        (JSC::GetByIdAccess::doesCalls):
        (JSC::PolymorphicGetByIdList::isEmpty):
        (JSC::PolymorphicGetByIdList::size):
        (JSC::PolymorphicGetByIdList::at):
        (JSC::PolymorphicGetByIdList::operator[]):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::StructureStubInfo::initGetByIdList):
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryBuildPutByIdList):
        * tests/stress/getter.js: Added.
        (foo):
        (.o):
        * tests/stress/polymorphic-prototype-accesses.js: Added.
        (Foo):
        (Bar):
        (foo):
        * tests/stress/prototype-getter.js: Added.
        (Foo):
        (foo):
        * tests/stress/simple-prototype-accesses.js: Added.
        (Foo):
        (foo):

2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=129920

        Reviewed by Geoffrey Garen.

        This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
        when the amount of free space in a MarkedBlock drops below a certain threshold.
        Retired blocks are not considered for sweeping.

        This is profitable because it reduces churn during sweeping. To build a free list, 
        we have to scan through each cell in a block. After a collection, all objects that 
        are live in the block will remain live until the next FullCollection, at which time
        we un-retire all previously retired blocks. Thus, a small number of objects in a block
        that die during each EdenCollection could cause us to do a disproportionate amount of 
        sweeping for how much free memory we get back.

        This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.

        * heap/Heap.h:
        (JSC::Heap::didRetireBlockWithFreeListSize):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::forEachBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweepHelper):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::didRetireBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::willRemoveBlock):
        (JSC::MarkedBlock::isLive):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::clearNewlyAllocated):
        (JSC::MarkedSpace::clearMarks):
        * runtime/Options.h:

2014-03-11  Andreas Kling  <akling@apple.com>

        Streamline PropertyTable for lookup-only access.
        <https://webkit.org/b/130060>

        The PropertyTable lookup algorithm was written to support both read
        and write access. This wasn't actually needed in most places.

        This change adds a PropertyTable::get() that just returns the value
        type (instead of an insertion iterator). It also adds an early return
        for empty tables.

        Finally, up the minimum table capacity from 8 to 16. It was lowered
        to 8 in order to save memory, but that was before PropertyTables were
        GC allocated. Nowadays we don't have nearly as many tables, since all
        the unpinned transitions die off.

        Reviewed by Darin Adler.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION(r165407): DoYouEvenBench crashes in DRT
        https://bugs.webkit.org/show_bug.cgi?id=130066

        Reviewed by Geoffrey Garen.

        The baseline JIT does a conditional store barrier for the put_by_id, but we need 
        an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitWriteBarrier):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Resurrect bit-rotted JIT::probe() mechanism.
        <https://webkit.org/b/130067>

        Reviewed by Geoffrey Garen.

        * jit/JITStubs.cpp:
        - Added the needed #include <wtf/InlineASM.h>.

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.

        Rubber-stamped by Dan Bernstein.

        * Configurations/JavaScriptCore.xcconfig:

2014-03-10  Mark Lam  <mark.lam@apple.com>

        r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
        <https://webkit.org/b/130065>

        Reviewed by Michael Saboff.

        There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
        being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
        FPRInfo::toIndex().

        The fix is to remove the "result != InvalidIndex" assertions.

        * jit/FPRInfo.h:
        (JSC::FPRInfo::toIndex):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
        <https://webkit.org/b/129955>

        Reviewed by Geoffrey Garen.

        The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes of
        stack memory every time it was called.  This is now fixed.

        * jit/JITOperations.cpp:

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Better JSContext API for named evaluations (other than //# sourceURL)
        https://bugs.webkit.org/show_bug.cgi?id=129911

        Reviewed by Geoffrey Garen.

        * API/JSBase.h:
        * API/JSContext.h:
        * API/JSContext.mm:
        (-[JSContext evaluateScript:]):
        (-[JSContext evaluateScript:withSourceURL:]):
        Add new evaluateScript:withSourceURL:.

        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        Add tests for sourceURL in evaluate APIs. It should
        affect the exception objects.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Repatch should save and restore all used registers - not just temp ones - when making a call
        https://bugs.webkit.org/show_bug.cgi?id=130041

        Reviewed by Geoffrey Garen and Mark Hahnenberg.
        
        The save/restore code was written back when the only client was the DFG, which only uses a
        subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
        other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
        lead to data corruption on ARM64. 

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::numberOfSetGPRs):
        (JSC::RegisterSet::numberOfSetFPRs):
        * jit/RegisterSet.h:
        * jit/Repatch.cpp:
        (JSC::storeToWriteBarrierBuffer):
        (JSC::emitPutTransitionStub):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove ConditionalStore barrier
        https://bugs.webkit.org/show_bug.cgi?id=130040

        Reviewed by Geoffrey Garen.

        ConditionalStoreBarrier was created when barriers were much more expensive. Now that 
        they're cheap(er), we can get rid of them. This also allows us to get rid of the write 
        barrier logic in emitPutTransitionStub because we always will have executed a write barrier 
        on the base object in the case where we are allocating and storing a new Butterfly into it. 
        Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, 
        so we'd have to emit a write barrier in the transition case.

        This is performance neutral on the benchmarks we track.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStoreBarrier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should know that comparing anything to Misc is cheap and easy
        https://bugs.webkit.org/show_bug.cgi?id=130001

        Reviewed by Geoffrey Garen.
        
        - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
          comparison is just Untyped:.
        
        - This obviates the need for CompareStrictEqConstant, so remove it.
        
        - FTL had a thing called "Nully" which is really "Other". Rename it and add
          OtherUse.
        
        9% speed-up on box2d.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isBinaryUseKind):
        (JSC::DFG::Node::shouldSpeculateOther):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/compare-strict-eq-integer-to-misc.js: Added.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove unintended change.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        jsc commandline shouldn't have a "console" because that confuses some tests into thinking
        that they're running in the browser.

        Rubber stamped by Mark Hahnenberg.

        * jsc.cpp:
        (GlobalObject::finishCreation):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Out-line ScratchRegisterAllocator

        Rubber stamped by Mark Hahnenberg.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/ScratchRegisterAllocator.cpp: Added.
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::lock):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Brent Fulgham  <bfulgham@apple.com>

        [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
        https://bugs.webkit.org/show_bug.cgi?id=130023

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
        path names to avoid accidental escaping of later string substitutions.

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for testb_i8r when register is accumulator.
        <https://webkit.org/b/130026>

        Generate the shorthand version of "test al, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_i8r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for sub_ir when register is accumulator.
        <https://webkit.org/b/130025>

        Generate the shorthand version of "sub eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::subl_ir):
        (JSC::X86Assembler::subq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for add_ir when register is accumulator.
        <https://webkit.org/b/130024>

        Generate the shorthand version of "add eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addl_ir):
        (JSC::X86Assembler::addq_ir):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        writeBarrier in emitPutReplaceStub is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=130030

        Reviewed by Filip Pizlo.

        We already emit write barriers for each put-by-id when they're first compiled, so it's 
        redundant to emit a write barrier as part of the repatched code.

        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xor_ir when register is accumulator.
        <https://webkit.org/b/130008>

        Generate the shorthand version of "xor eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xorl_ir):
        (JSC::X86Assembler::xorq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for or_ir when register is accumulator.
        <https://webkit.org/b/130007>

        Generate the shorthand version of "or eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::orl_ir):
        (JSC::X86Assembler::orq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for test_ir when register is accumulator.
        <https://webkit.org/b/130006>

        Generate the shorthand version of "test eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testl_i32r):
        (JSC::X86Assembler::testq_i32r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for cmp_ir when register is accumulator.
        <https://webkit.org/b/130005>

        Generate the shorthand version of "cmp eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpl_ir):
        (JSC::X86Assembler::cmpq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
        <https://webkit.org/b/130002>

        Generate this:

            mov [address], imm32

        Instead of this:

            mov scratchRegister, imm32
            mov [address], scratchRegister

        For store64(imm, address) where the 64-bit immediate can be passed as
        a sign-extended 32-bit value.

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerX86_64.h:
        (CAN_SIGN_EXTEND_32_64):
        (JSC::MacroAssemblerX86_64::store64):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xchg_rr when one register is accumulator.
        <https://webkit.org/b/130004>

        Generate the 1-byte version of "xchg eax, reg" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgq_rr):

2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129998

        Reviewed by Geoffrey Garen.
        
        Not only is that the established contract, but this is used to signal to
        ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
        that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
        some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
        fine but previously it would have led to either an assertion failure, or data corruption, in
        the ScratchRegisterAllocator.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        FTL fails the new equals-masquerader strictEqualConstant test
        https://bugs.webkit.org/show_bug.cgi?id=129996

        Reviewed by Mark Lam.
        
        It turns out that the FTL was trying to do the masquerading stuff for ===null. But
        that's wrong since none of the other engines do it. The DFG even had an ancient
        FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
        don't do it and JSValue::strictEqual() doesn't do it.
        
        Remove the FIXME and remove the extra checks in the FTL.
        
        This is a glorious patch: nothing but red and it fixes a test failure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):

2014-03-09  Andreas Kling  <akling@apple.com>

        Short-circuit JSGlobalObjectInspectorController when not inspecting.
        <https://webkit.org/b/129995>

        Add an early return in reportAPIException() when the console agent
        is disabled. This avoids expensive symbolication during exceptions
        if there's nobody expecting the fancy backtrace anyway.

        ~2% progression on DYEB on my MBP.

        Reviewed by Geoff Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-09  Andreas Kling  <akling@apple.com>

        Inline the trivial parts of GC deferral.
        <https://webkit.org/b/129984>

        Made most of the functions called by the DeferGC RAII object inline
        to avoid function call overhead.

        Looks like ~1% progression on DYEB.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):

2014-03-08  Mark Lam  <mark.lam@apple.com>

        32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
        <https://webkit.org/b/129969>

        Reviewed by Geoffrey Garen.

        The 32-bit version of handleUncaughtException was missing the handling of an
        edge case for stack overflows where the current frame may already be the
        sentinel frame.  This edge case was handled in the 64-bit version.  The fix
        is to bring the 32-bit version up to parity.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * llint/LowLevelInterpreter32_64.asm:

2014-03-07  Mark Lam  <mark.lam@apple.com>

        Fix bugs in 32-bit Structure implementation.
        <https://webkit.org/b/129947>

        Reviewed by Mark Hahnenberg.

        Added the loading of the Structure (from the JSCell) before use that was
        missing in a few places.  Also added more test cases to equals-masquerader.js.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter32_64.asm:
        * tests/stress/equals-masquerader.js:
        (equalsNull):
        (notEqualsNull):
        (strictEqualsNull):
        (strictNotEqualsNull):
        (equalsUndefined):
        (notEqualsUndefined):
        (strictEqualsUndefined):
        (strictNotEqualsUndefined):
        (isFalsey):
        (test):

2014-03-07  Andrew Trick  <atrick@apple.com>

        Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
        https://bugs.webkit.org/show_bug.cgi?id=129954

        Reviewed by Filip Pizlo.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2014-03-07  Michael Saboff  <msaboff@apple.com>

        .cfi directives in LowLevelInterpreter.cpp are providing no benefit
        https://bugs.webkit.org/show_bug.cgi?id=129945

        Reviewed by Mark Lam.

        Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
        or in lldb.

        * llint/LowLevelInterpreter.cpp:

2014-03-07  Oliver Hunt  <oliver@apple.com>

        Continue hangs when performing for-of over arguments
        https://bugs.webkit.org/show_bug.cgi?id=129915

        Reviewed by Geoffrey Garen.

        Put the continue label in the right place.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):

2014-03-07  peavo@outlook.com  <peavo@outlook.com>

        [Win64] Compile error after r165128.
        https://bugs.webkit.org/show_bug.cgi?id=129807

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
        Check platform environment variable to determine if an assembler file should be generated.

2014-03-07  Michael Saboff  <msaboff@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Already reviewed change being relanded.

        Relanding change set r165196 as it wasn't responsible for the breakage reported in
        https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or
        configuration issue.

        Reviewed by Michael Saboff.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move GCActivityCallback to heap
        https://bugs.webkit.org/show_bug.cgi?id=129457

        Reviewed by Geoffrey Garen.

        All the other GC timer related stuff is there already.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
        * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
        * runtime/GCActivityCallback.cpp: Removed.
        * runtime/GCActivityCallback.h: Removed.

2014-03-07  Andrew Trick  <atrick@apple.com>

        Correct a comment typo from:
        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Mark Lam.

        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use OwnPtr in StructureIDTable
        https://bugs.webkit.org/show_bug.cgi?id=129828

        Reviewed by Geoffrey Garen.

        This reduces the amount of boilerplate and fixes a memory leak.

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::table):
        (JSC::StructureIDTable::get):

2014-03-07  Andrew Trick  <atrick@apple.com>

        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        If the FTL is build-time enabled then it should be run-time enabled.

        Rubber stamped by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>

        [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
        https://bugs.webkit.org/show_bug.cgi?id=129852

        Reviewed by Geoffrey Garen.

        * framework.sb: Added.
        Sandbox extension to allow access to "com.apple.webinspector".

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add a Copy Resources build phase and include framework.sb.

        * Configurations/JavaScriptCore.xcconfig:
        Do not copy framework.sb on iOS.

2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
        https://bugs.webkit.org/show_bug.cgi?id=129858

        Reviewed by Mark Lam.

        It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
        but now it ends up overwriting the IdentifierTable that JSLock just restored.

        * API/JSContextRef.cpp:
        (JSGlobalContextRelease):

2014-03-06  Oliver Hunt  <oliver@apple.com>

        Fix FTL build.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2014-03-06  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix after r165128.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
        performing 'Production' and 'DebugSuffix' type builds.

2014-03-06  Julien Brianceau  <jbriance@cisco.com>

        Unreviewed, fix style in my previous commit.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        * runtime/JSConsole.cpp:

2014-03-06  Julien Brianceau  <jbriance@cisco.com>

        Build fix: add missing include in JSConsole.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        Reviewed by Oliver Hunt.

        * runtime/JSConsole.cpp:

2014-03-06  Oliver Hunt  <oliver@apple.com>

        Fix ARMv7

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-03-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165196.
        http://trac.webkit.org/changeset/165196
        https://bugs.webkit.org/show_bug.cgi?id=129822

        broke arm64 on hardware (Requested by bfulgham on #webkit).

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isStackRelated):
        (JSC::MacroAssembler::firstRealRegister):
        (JSC::MacroAssembler::nextRegister):
        (JSC::MacroAssembler::secondRealRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
        <https://webkit.org/b/129813>

        Reviewed by Michael Saboff.

        Fixed broken C loop LLINT build.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        FTL arity fixup should work on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129810

        Reviewed by Michael Saboff.
        
        - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
          callee-save.
        
        - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
        
        This makes some more tests pass.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::prologueStackPointerDelta):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.

2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
        https://bugs.webkit.org/show_bug.cgi?id=129760

        Reviewed by Geoffrey Garen.

        r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
        The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        * jit/Repatch.cpp:
        (JSC::writeBarrier):

2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=127944

        Reviewed by Geoffrey Garen.

        Always expose the Console object in JSContexts, just like we
        do for web pages. The default behavior will route to an
        attached JSContext inspector. This can be overridden by
        setting the ConsoleClient on the JSGlobalObject, which WebCore
        does to get slightly different behavior.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Update build systems.

        * API/tests/testapi.js:
        * API/tests/testapi.mm:
        Test that "console" exists in C and ObjC contexts.

        * runtime/ConsoleClient.cpp: Added.
        (JSC::ConsoleClient::printURLAndPosition):
        (JSC::ConsoleClient::printMessagePrefix):
        (JSC::ConsoleClient::printConsoleMessage):
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
        (JSC::ConsoleClient::logWithLevel):
        (JSC::ConsoleClient::clear):
        (JSC::ConsoleClient::dir):
        (JSC::ConsoleClient::dirXML):
        (JSC::ConsoleClient::table):
        (JSC::ConsoleClient::trace):
        (JSC::ConsoleClient::assertCondition):
        (JSC::ConsoleClient::group):
        (JSC::ConsoleClient::groupCollapsed):
        (JSC::ConsoleClient::groupEnd):
        * runtime/ConsoleClient.h: Added.
        (JSC::ConsoleClient::~ConsoleClient):
        New private interface for handling the console object's methods.
        A lot of the methods funnel through messageWithTypeAndLevel.

        * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
        Moved to JSC namespace.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        Create the "console" object when initializing the environment.
        Also set the default console client to be the JS context inspector.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setConsoleClient):
        (JSC::JSGlobalObject::consoleClient):
        Ability to change the console client, so WebCore can set a custom client.

        * runtime/ConsolePrototype.cpp: Added.
        (JSC::ConsolePrototype::finishCreation):
        (JSC::valueToStringWithUndefinedOrNullCheck):
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncDebug):
        (JSC::consoleProtoFuncError):
        (JSC::consoleProtoFuncLog):
        (JSC::consoleProtoFuncWarn):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        * runtime/ConsolePrototype.h: Added.
        (JSC::ConsolePrototype::create):
        (JSC::ConsolePrototype::createStructure):
        (JSC::ConsolePrototype::ConsolePrototype):
        Define the console object interface. Parse out required / expected
        arguments and throw exceptions when methods are misused.

        * runtime/JSConsole.cpp: Added.
        * runtime/JSConsole.h: Added.
        (JSC::JSConsole::createStructure):
        (JSC::JSConsole::create):
        (JSC::JSConsole::JSConsole):
        Empty "console" object. Everything is in the prototype.

        * inspector/JSConsoleClient.cpp: Added.
        (Inspector::JSConsoleClient::JSGlobalObjectConsole):
        (Inspector::JSConsoleClient::count):
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        (Inspector::JSConsoleClient::time):
        (Inspector::JSConsoleClient::timeEnd):
        (Inspector::JSConsoleClient::timeStamp):
        (Inspector::JSConsoleClient::warnUnimplemented):
        (Inspector::JSConsoleClient::internalAddMessage):
        * inspector/JSConsoleClient.h: Added.
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::consoleClient):
        * inspector/JSGlobalObjectInspectorController.h:
        Default JSContext ConsoleClient implementation. Handle nearly
        everything except profile/profileEnd and timeStamp.

2014-03-06  Andreas Kling  <akling@apple.com>

        Drop unlinked function code on memory pressure.
        <https://webkit.org/b/129789>

        Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
        are not currently being compiled.

        4.5 MB progression on Membuster.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::deleteAllUnlinkedFunctionCode):
        * heap/Heap.h:
        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Reviewed by Michael Saboff.
        
        Previously we had two different places that defined what "stack" registers are, a thing
        called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
        "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
        one place and had a baked-in notion of what it meant for a register to be "real" or not.
        
        It's not cool to use words like "real" and "special" to describe registers, especially if you
        fail to qualify what that means. This originally made sense on X86 - "real" registers were
        the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
        you also have to worry about the LR register, which we'd want to say is "not real" but it's
        also not a "stack" register. This got super confusing.
        
        So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
        a "stack" register, and uses the word special only in places where it's clearly defined and
        where no better word comes to mind.
        
        This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
        Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
        magically didn't break anything because you never need to save/restore either FP or Q0, but
        it was still super weird.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix build.

        * disassembler/ARM64Disassembler.cpp:

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        Use the LLVM disassembler on ARM64 if we are enabling the FTL
        https://bugs.webkit.org/show_bug.cgi?id=129785

        Reviewed by Geoffrey Garen.
        
        Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
        is strictly more capable at this point. Use it if it's available.

        * disassembler/ARM64Disassembler.cpp:
        (JSC::tryToDisassemble):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Reduce RWI message frequency
        https://bugs.webkit.org/show_bug.cgi?id=129767

        Reviewed by Timothy Hatcher.

        This used to be 0.2s and changed by accident to 0.02s.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::pushListingSoon):

2014-03-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165141, r165157, and r165158.
        http://trac.webkit.org/changeset/165141
        http://trac.webkit.org/changeset/165157
        http://trac.webkit.org/changeset/165158
        https://bugs.webkit.org/show_bug.cgi?id=129772

        "broke ftl" (Requested by olliej_ on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Removed.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::isCacheable):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Prevent possible deadlock in view indication
        https://bugs.webkit.org/show_bug.cgi?id=129766

        Reviewed by Geoffrey Garen.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::receivedIndicateMessage):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=129754

        Reviewed by Geoffrey Garen.

        InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.

        * runtime/JSCell.h:
        (JSC::JSCell::inlineTypeFlags):
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::overridesGetOwnPropertySlot):

2014-03-05  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
        https://bugs.webkit.org/show_bug.cgi?id=129763

        Reviewed by Geoffrey Garen.

        Clear the list of all breakpoints, including unresolved breakpoints.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):

2014-03-05  Mark Lam  <mark.lam@apple.com>

        llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
        <https://webkit.org/b/129768>

        Reviewed by Mark Hahnenberg.

        When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
        and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
        path llint_slow_path_check_has_instance(), and execute a code path that does the
        following:
        1. Adjusts the byte code PC to the jump target PC.
        2. For the purpose of storing the result, get the result registerIndex from the
           1st operand using the PC as if the PC is still pointing to op_check_has_instance
           bytecode.

        The result is that whatever value resides after where the jump target PC is will
        be used as a result register value.  Depending on what that value is, the result
        can be:
        1. the code coincidentally works correctly
        2. memory corruption
        3. crashes

        The fix is to only adjust the byte code PC after we have stored the result.
        
        * llint/LLIntSlowPaths.cpp:
        (llint_slow_path_check_has_instance):
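
        The ordering defect described above, reproduced in a toy interpreter as an added example (not JavaScriptCore code). The bytecode layout [opcode, resultRegister, jumpOffset], the opcode values and the constructed program are assumptions for illustration; the defective path here carries a bounds check the real slow path did not have, so the demonstration can only misdirect the store, never write outside the register file.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy bytecode modelled on the entry: one instruction of the form
// [opcode, resultRegister, jumpOffset]. Layout and opcode values are
// assumptions for illustration, not JSC's real encoding.
enum Op : int32_t { OpCheckHasInstance = 1, OpHalt = 2 };

struct Frame {
    std::vector<int32_t> registers;
};

// The defective ordering: the PC is moved to the jump target first, then the
// result register index is read through pc[1] as if pc still pointed at the
// check_has_instance instruction. Whatever word sits at target+1 becomes the
// register index.
static const int32_t* slowPathAdjustsPcFirst(const int32_t* pc, Frame& frame, int32_t result)
{
    pc += pc[2];
    int32_t dst = pc[1];
    // Bounds check added for the demonstration only; without it an arbitrary
    // index would reach past the register file, which is the corruption and
    // crash outcome the entry lists.
    if (dst >= 0 && static_cast<size_t>(dst) < frame.registers.size())
        frame.registers[dst] = result;
    return pc;
}

// The fix described in the entry: read the operand and store the result while
// the PC still points at the instruction, then adjust the PC.
static const int32_t* slowPathStoresFirst(const int32_t* pc, Frame& frame, int32_t result)
{
    int32_t dst = pc[1];
    frame.registers[dst] = result;
    return pc + pc[2];
}

// Runs one constructed program through either path and reports which register
// received the result (-1 if none, -2 if the jump target was wrong). The word
// after the jump target holds the value 2, so the defective path writes
// register 2 instead of the intended register 0.
int registerWrittenBy(bool adjustPcFirst)
{
    const int32_t program[] = { OpCheckHasInstance, 0, 3, OpHalt, 2, 0 }; // constructed
    Frame frame;
    frame.registers.assign(4, 0);
    const int32_t result = 42;
    const int32_t* next = adjustPcFirst ? slowPathAdjustsPcFirst(program, frame, result)
                                        : slowPathStoresFirst(program, frame, result);
    if (next != program + 3)
        return -2; // both paths must still land on the jump target
    for (size_t i = 0; i < frame.registers.size(); ++i) {
        if (frame.registers[i] == result)
            return static_cast<int>(i);
    }
    return -1;
}
```

        Both paths end on the same jump target; only the destination of the store differs, which is exactly why the bug could go unnoticed when the stray word happened to name a harmless register.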

2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>

        Another build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05  Ryosuke Niwa  <rniwa@webkit.org>

        FTL build fix attempt after r165141.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):

2014-03-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=128625
        Add fast mapping from StringImpl to JSString

        Unreviewed roll-out.

        Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.

        * runtime/JSString.cpp:
        * runtime/JSString.h:
        * runtime/VM.cpp:
        (JSC::VM::createLeaked):
        * runtime/VM.h:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSCell::m_gcData should encode its information differently
        https://bugs.webkit.org/show_bug.cgi?id=129741

        Reviewed by Geoffrey Garen.

        We want to keep track of three GC states for an object:

        1. Not marked (which implies not in the remembered set)
        2. Marked but not in the remembered set
        3. Marked and in the remembered set
        
        Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write 
        barrier, we only want to take the slow path if the object being stored to is in state #2. 
        We'd like to make the test for state #2 as fast as possible, which means making it a 
        compare against 0.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkMarkByte):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * heap/Heap.cpp:
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::addToRememberedSet):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::checkMarkByte):
        (JSC::JIT::emitWriteBarrier):
        * jit/Repatch.cpp:
        (JSC::writeBarrier):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSCell.h:
        (JSC::JSCell::mark):
        (JSC::JSCell::remember):
        (JSC::JSCell::forget):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::isRemembered):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        * runtime/StructureIDBlob.h:
        (JSC::StructureIDBlob::StructureIDBlob):
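
        The three-state encoding and the resulting barrier fast path, as an added example that is not JSC's JSCell or Heap code. The numeric values assigned to the states, the Cell and Heap types and the counting of slow paths are assumptions chosen to follow the entry's reasoning: the state the barrier must act on (marked, not remembered) is encoded as 0 so the fast-path test is one compare against zero.

```cpp
#include <cstdint>
#include <vector>

// Assumed encoding, modelled on the entry's reasoning rather than copied from
// JSCell: the only state the barrier must act on is 0.
enum GCState : uint8_t {
    MarkedNotRemembered = 0,
    NotMarked = 1,            // implies not in the remembered set
    MarkedAndRemembered = 2,
};

struct Cell {
    uint8_t gcData = NotMarked;

    void mark()               { if (gcData == NotMarked) gcData = MarkedNotRemembered; }
    void remember()           { gcData = MarkedAndRemembered; }
    void forget()             { gcData = MarkedNotRemembered; }
    bool isMarked() const     { return gcData != NotMarked; }
    bool isRemembered() const { return gcData == MarkedAndRemembered; }
};

struct Heap {
    std::vector<Cell*> rememberedSet;
    int slowPathsTaken = 0;

    // Barrier on a store into `target`. The fast path is the single test
    // `gcData != 0`; only MarkedNotRemembered falls through to the slow path.
    void writeBarrier(Cell& target)
    {
        if (target.gcData != 0)
            return;
        ++slowPathsTaken;
        target.remember();
        rememberedSet.push_back(&target);
    }

    // Start of a collection: every remembered cell returns to "marked only".
    void clearRememberedSet()
    {
        for (Cell* cell : rememberedSet)
            cell->forget();
        rememberedSet.clear();
    }
};

// Scenario: one cell in each state receives two stores. Only the marked-but-
// not-remembered cell should take the slow path, and only on its first store.
int slowPathsForOneCellPerState()
{
    Cell notMarked, markedOnly, remembered;
    markedOnly.mark();
    remembered.mark();
    remembered.remember();

    Heap heap;
    for (int round = 0; round < 2; ++round) {
        heap.writeBarrier(notMarked);
        heap.writeBarrier(markedOnly);
        heap.writeBarrier(remembered);
    }
    return heap.slowPathsTaken;
}

// After the remembered set is cleared, the same cell takes the slow path again.
int slowPathsAcrossClear()
{
    Cell cell;
    cell.mark();
    Heap heap;
    heap.writeBarrier(cell);   // slow path, cell becomes remembered
    heap.writeBarrier(cell);   // fast path
    heap.clearRememberedSet(); // back to MarkedNotRemembered
    heap.writeBarrier(cell);   // slow path again
    return heap.slowPathsTaken;
}
```

        The point of the layout is visible in writeBarrier: a single compare against zero decides both the not-marked and the already-remembered cases, so neither costs more than one branch on the store path.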

2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        More FTL ARM fixes
        https://bugs.webkit.org/show_bug.cgi?id=129755

        Reviewed by Geoffrey Garen.
        
        - Be more defensive about inline caches that have degenerate chains.
        
        - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
          platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
        
        - Don't even emit intrinsic declarations on non-x86 platforms.
        
        - More debug printing support.
        
        - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
          but somehow it gets lucky on x86.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::appendVariant):
        (JSC::GetByIdStatus::computeForChain):
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::appendVariant):
        (JSC::PutByIdStatus::computeForStubInfo):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureSet.h:
        (JSC::StructureSet::overlaps):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLDataSection.cpp:
        (JSC::FTL::DataSection::DataSection):
        (JSC::FTL::DataSection::~DataSection):
        * ftl/FTLDataSection.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::lower):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSCell.h:
        (JSC::JSCell::structureID):

2014-03-05  peavo@outlook.com  <peavo@outlook.com>

        [Win32][LLINT] Crash when running JSC stress tests.
        https://bugs.webkit.org/show_bug.cgi?id=129429

        On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
        where the guard page is a barrier between committed and uncommitted memory.
        When data from the guard page is read or written, the guard page is moved, and memory is committed.
        This is how the system grows the stack.
        When using the C stack on Windows we need to precommit the needed stack space.
        Otherwise we might crash later if we access uncommitted stack memory.
        This can happen if we allocate stack space larger than the page guard size (4K).
        The system does not get the chance to move the guard page, and commit more memory,
        and we crash if uncommitted memory is accessed.
        The MSVC compiler fixes this by inserting a call to the _chkstk() function,
        when needed, see http://support.microsoft.com/kb/100775.

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
        * jit/Repatch.cpp:
        (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
        * offlineasm/x86.rb: Compile fix, and small simplification.
        * runtime/VM.cpp:
        (JSC::preCommitStackMemory): Added function to precommit stack memory.
        (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.

2014-03-05  Michael Saboff  <msaboff@apple.com>

        JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
        https://bugs.webkit.org/show_bug.cgi?id=129746

        Reviewed by Filip Pizlo.

        Changed to use a union to manually assemble or disassemble the various types
        from / to the corresponding bytes.  All memory access is now done using
        byte accesses.

        * runtime/JSDataViewPrototype.cpp:
        (JSC::getData):
        (JSC::setData):
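
        The union-based byte assembly described above, as an added example rather than the JSDataViewPrototype code itself. The ByteView union, the getData/setData helpers and the constructed sample buffer are assumptions for illustration; the example goes slightly beyond the entry by also handling the requested byte order and rejecting out-of-range offsets, since a DataView must do both.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// A union that lets a T be assembled from, or taken apart into, its bytes.
template <typename T>
union ByteView {
    T value;
    uint8_t bytes[sizeof(T)];
};

static bool hostIsLittleEndian()
{
    ByteView<uint16_t> probe;
    probe.value = 1;
    return probe.bytes[0] == 1;
}

// Read a T at any byte offset. Only byte loads touch the buffer, so the
// offset's alignment never matters; an out-of-range read is rejected up front.
template <typename T>
T getData(const std::vector<uint8_t>& buffer, size_t offset, bool littleEndian)
{
    if (offset > buffer.size() || buffer.size() - offset < sizeof(T))
        throw std::out_of_range("DataView access past end of buffer");
    ByteView<T> view;
    const bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        view.bytes[i] = buffer[offset + (reverse ? sizeof(T) - 1 - i : i)];
    return view.value;
}

// Write a T at any byte offset using byte stores only.
template <typename T>
void setData(std::vector<uint8_t>& buffer, size_t offset, T value, bool littleEndian)
{
    if (offset > buffer.size() || buffer.size() - offset < sizeof(T))
        throw std::out_of_range("DataView access past end of buffer");
    ByteView<T> view;
    view.value = value;
    const bool reverse = littleEndian != hostIsLittleEndian();
    for (size_t i = 0; i < sizeof(T); ++i)
        buffer[offset + (reverse ? sizeof(T) - 1 - i : i)] = view.bytes[i];
}

// Constructed sample: 0x12345678 stored little-endian at the odd offset 1.
std::vector<uint8_t> sampleBuffer()
{
    return { 0xAA, 0x78, 0x56, 0x34, 0x12, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
}

// Writes a double at an unaligned offset in the requested byte order and
// reads it back the same way.
double roundTripDouble(size_t offset, bool littleEndian)
{
    std::vector<uint8_t> buffer(16, 0);
    setData<double>(buffer, offset, 3.5, littleEndian);
    return getData<double>(buffer, offset, littleEndian);
}

// A 4-byte read starting 2 bytes before the end must be refused, not clipped.
bool readPastEndIsRejected()
{
    try {
        const std::vector<uint8_t> buffer = sampleBuffer();
        getData<uint32_t>(buffer, buffer.size() - 2, true);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```

        Because every access goes through the byte array member, the compiler never emits a wider load or store for the value, which is what removes the alignment faults on platforms that trap on unaligned access.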

2014-03-05  Filip Pizlo  <fpizlo@apple.com>

        FTL loadStructure always generates invalid IR
        https://bugs.webkit.org/show_bug.cgi?id=129747

        Reviewed by Mark Hahnenberg.

        As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
        of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
        to have a pointer to a type, and you can only load things of that type from that
        pointer. Pointer arithmetic is basically not possible except through the bizarre
        getelementptr operator. This doesn't fit with how the JS object model works since
        the JS object model doesn't consist of nice and tidy C types placed in C arrays.
        Also, it would be impossible to use getelementptr and LLVM pointers for accessing
        any of JSC's C or C++ objects unless we went through the exercise of redeclaring
        all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
        this for us, but that would require that to use the FTL, JSC itself would have to
        be compiled with clang. Worse, it would have to be compiled with a clang that uses
        a version of LLVM that is compatible with the one against which the FTL is linked.
        Yuck!

        The solution is to NEVER use LLVM pointers. This has always been the case in the
        FTL. But it causes some confusion.
        
        Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
        pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
        "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
        pointer that has the type that we want. The load and store operations over pointers
        are called Output::load* and Output::store*, where * is one of "8", "16", "32",
        "64", "Ptr", "Float", or "Double".
        
        There is unavoidable confusion here. It would be bizarre for the FTL to call its
        "pointer-wide integers" anything other than "pointers", since they are, in all
        respects that we care about, simply pointers. But they are *not* LLVM pointers and
        they never will be that.
        
        There is one exception to this "no pointers" rule. The FTL does use actual LLVM
        pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
        confusion, we call these "references". So an "FTL reference" is actually an "LLVM
        pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
        methods for access called Output::get and Output::set. These lower to LLVM load
        and store, since FTL references are just LLVM pointers.
        
        This confusion appears to have led to incorrect code in loadStructure().
        loadStructure() was using get() and set() to access FTL pointers. But those methods
        don't work on FTL pointers and never will, since they are for FTL references.
        
        The worst part of this is that it was previously impossible to have test coverage
        for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
        patch fixes this by introducing a Masquerader object to jsc.cpp.
        
        * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
        * ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
        * jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
        (WTF::Masquerader::Masquerader):
        (WTF::Masquerader::create):
        (WTF::Masquerader::createStructure):
        (GlobalObject::finishCreation):
        (functionMakeMasquerader):
        * tests/stress/equals-masquerader.js: Added.
        (foo):
        (test):

2014-03-05  Anders Carlsson  <andersca@apple.com>

        Tweak after r165109 to avoid extra copies
        https://bugs.webkit.org/show_bug.cgi?id=129745

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
        https://bugs.webkit.org/show_bug.cgi?id=129717

        Reviewed by Filip Pizlo.

        * dfg/DFGStoreBarrierElisionPhase.cpp:
        (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
        (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):

2014-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use range-based loops where possible in Heap methods
        https://bugs.webkit.org/show_bug.cgi?id=129513

        Reviewed by Mark Lam.

        Replace old school iterator based loops with the new range-based loop hotness
        for a better tomorrow.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::~CodeBlockSet):
        (JSC::CodeBlockSet::clearMarks):
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        (JSC::CodeBlockSet::traceMarked):
        * heap/Heap.cpp:
        (JSC::Heap::visitProtectedObjects):
        (JSC::Heap::visitTempSortVectors):
        (JSC::Heap::clearRememberedSet):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):

2014-03-04  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.
        
        Rolling this back in after fixing an assertion failure. speculateMisc() should have
        said DFG_TYPE_CHECK instead of typeCheck.
        
        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.
        
        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.
        
        This also improves constant folding of CompareStrictEq and CompareEq.
        
        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.
        
        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.

2014-03-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165085.
        http://trac.webkit.org/changeset/165085
        https://bugs.webkit.org/show_bug.cgi?id=129729

        Broke imported/w3c/html-templates/template-element/template-content.html
        (Requested by ap on #webkit).

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGArrayMode.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBoolean):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        * tests/stress/float32-array-out-of-bounds.js: Removed.
        * tests/stress/weird-equality-folding-cases.js: Removed.

2014-03-04  Brian Burg  <bburg@apple.com>

        Inspector does not restore breakpoints after a page reload
        https://bugs.webkit.org/show_bug.cgi?id=129655

        Reviewed by Joseph Pecoraro.

        Fix a regression introduced by r162096 that erroneously removed
        the inspector backend's mapping of files to breakpoints whenever the
        global object was cleared.

        The inspector's breakpoint mappings should only be cleared when the
        debugger agent is disabled or destroyed. We should only clear the
        debugger's breakpoint state when the global object is cleared.

        To make it clearer what state is being cleared, the two cases have
        been split into separate methods.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::disable):
        (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
        (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
        (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
        * inspector/agents/InspectorDebuggerAgent.h:

2014-03-04  Andreas Kling  <akling@apple.com>

        Streamline JSValue::get().
        <https://webkit.org/b/129720>

        Fetch each Structure and VM only once when walking the prototype chain
        in JSObject::getPropertySlot(), then pass it along to the functions
        we call from there, so they don't have to re-fetch it.

        Reviewed by Geoff Garen.

        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
        https://bugs.webkit.org/show_bug.cgi?id=129563

        Reviewed by Geoffrey Garen.
        
        This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
        when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
        user of this was EarleyBoyer, and in that benchmark what it was really doing was
        comparing undefined, null, and booleans to each other.
        
        This also adds support for miscellaneous things that I needed to make my various test
        cases work. This includes comparison over booleans and the various Throw-related node
        types.
        
        This also improves constant folding of CompareStrictEq and CompareEq.
        
        Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
        based on profiling, which caused some downstream badness. We don't actually support
        compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
        emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
        shouldn't factor out the bounds check since the access is not InBounds but then the
        backend would ignore the flag and assume that the bounds check was already emitted.
        This showed up on an existing test but I added a test for this explicitly to have more
        certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
        that we'll have a bounds check anyway.
        
        This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
        general progressions across the board. No speed-up yet on EarleyBoyer, since there is
        still a lot more coverage work to be done there.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
        (JSC::valuesCouldBeEqual):
        * bytecode/SpeculatedType.h:
        (JSC::isMiscSpeculation):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateMisc):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::speculateMisc):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileThrow):
        (JSC::FTL::LowerDFGToLLVM::isNotMisc):
        (JSC::FTL::LowerDFGToLLVM::isMisc):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/float32-array-out-of-bounds.js: Added.
        * tests/stress/weird-equality-folding-cases.js: Added.
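The two test files listed above (float32-array-out-of-bounds.js and weird-equality-folding-cases.js) are not reproduced in this log. The script below is an added example, not WebKit's own code, written in the shape of a JSC tests/stress script: hot loops so the functions tier up, and a throw on any wrong result. It covers both cases the entry describes, strict and loose equality over the "Misc" values (booleans, undefined, null) and an out-of-bounds read on a Float32Array that the profile has seen in bounds. Under jsc the loops exercise the DFG/FTL paths; under any other engine they only verify the language semantics. The function names are the example's own.

```javascript
// Added example, not part of the WebKit ChangeLog or of the tests it lists.
// Shaped like a JSC tests/stress script: hot loops, throw on any mismatch.

// Strict equality over "Misc" values: booleans, undefined and null.
function miscStrictEq(a, b) {
    return a === b;
}

// Loose equality over the same values; the constant folder must get
// undefined == null right and false == null wrong.
function miscLooseEq(a, b) {
    return a == b;
}

// Out-of-bounds read on a typed array: must yield undefined, never a
// stale value, whatever tier compiled the loop.
function readFloat32(array, index) {
    return array[index];
}

const miscValues = [true, false, undefined, null];

function isNullish(v) {
    return v === undefined || v === null;
}

// Returns the number of (a, b) pairs checked; throws on the first mismatch.
function runMiscChecks(iterations) {
    let checked = 0;
    for (let i = 0; i < iterations; i++) {
        for (const a of miscValues) {
            for (const b of miscValues) {
                // No NaN or -0 among these values, so Object.is matches ===.
                const expectStrict = Object.is(a, b);
                if (miscStrictEq(a, b) !== expectStrict)
                    throw new Error(`=== mismatch for ${a}, ${b}`);
                // undefined == null is the only cross-kind loose equality here.
                const expectLoose = expectStrict || (isNullish(a) && isNullish(b));
                if (miscLooseEq(a, b) !== expectLoose)
                    throw new Error(`== mismatch for ${a}, ${b}`);
                checked++;
            }
        }
    }
    return checked;
}

// Returns the number of out-of-bounds reads that correctly produced undefined.
function runOutOfBoundsChecks(iterations) {
    const array = new Float32Array(4);
    array.set([1.5, 2.5, 3.5, 4.5]); // exactly representable as float32
    let undefinedReads = 0;
    for (let i = 0; i < iterations; i++) {
        // In-bounds reads warm the profile as "in bounds"...
        if (readFloat32(array, i & 3) !== array[i & 3])
            throw new Error("in-bounds read returned wrong value");
        // ...then an out-of-bounds read must still produce undefined.
        if (readFloat32(array, 4 + (i & 3)) !== undefined)
            throw new Error("out-of-bounds read did not return undefined");
        undefinedReads++;
    }
    return undefinedReads;
}

runMiscChecks(1000);
runOutOfBoundsChecks(10000);
```

Run it with `jsc` (or `node`) directly; a non-zero exit with the thrown message is the failure signal, as in the real stress tests.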

2014-03-04  Andreas Kling  <akling@apple.com>

        Spam static branch prediction hints on JS bindings.
        <https://webkit.org/b/129703>

        Add LIKELY hint to jsDynamicCast since it's always used in a context
        where we expect it to succeed and takes an error path when it doesn't.

        Reviewed by Geoff Garen.

        * runtime/JSCell.h:
        (JSC::jsDynamicCast):

2014-03-04  Andreas Kling  <akling@apple.com>

        Get to Structures more efficiently in JSCell::methodTable().
        <https://webkit.org/b/129702>

        In JSCell::methodTable(), get the VM once and pass that along to
        structure(VM&) instead of using the heavier structure().

        In JSCell::methodTable(VM&), replace calls to structure() with
        calls to structure(VM&).

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTable):

2014-03-04  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
        https://bugs.webkit.org/show_bug.cgi?id=129697

        Reviewed by Timothy Hatcher.

        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):

2014-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Merge API shims and JSLock
        https://bugs.webkit.org/show_bug.cgi?id=129650

        Reviewed by Mark Lam.

        JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason 
        to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.

        * API/APICallbackFunction.h:
        (JSC::APICallbackFunction::call):
        (JSC::APICallbackFunction::construct):
        * API/APIShims.h: Removed.
        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        (JSGarbageCollect):
        (JSReportExtraMemoryCost):
        (JSSynchronousGarbageCollectForDebugging):
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject<Parent>::init):
        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
        (JSC::JSCallbackObject<Parent>::put):
        (JSC::JSCallbackObject<Parent>::putByIndex):
        (JSC::JSCallbackObject<Parent>::deleteProperty):
        (JSC::JSCallbackObject<Parent>::construct):
        (JSC::JSCallbackObject<Parent>::customHasInstance):
        (JSC::JSCallbackObject<Parent>::call):
        (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
        (JSC::JSCallbackObject<Parent>::getStaticValue):
        (JSC::JSCallbackObject<Parent>::callbackGetter):
        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        (JSGlobalContextCreateInGroup):
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        (JSContextGetGlobalObject):
        (JSContextGetGlobalContext):
        (JSGlobalContextCopyName):
        (JSGlobalContextSetName):
        * API/JSManagedValue.mm:
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectMakeFunctionWithCallback):
        (JSObjectMakeConstructor):
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetPrototype):
        (JSObjectSetPrototype):
        (JSObjectHasProperty):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        (JSObjectIsFunction):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        (JSObjectCopyPropertyNames):
        (JSPropertyNameArrayRelease):
        (JSPropertyNameAccumulatorAddName):
        * API/JSScriptRef.cpp:
        * API/JSValue.mm:
        (isDate):
        (isArray):
        (containerValueToObject):
        (valueToArray):
        (valueToDictionary):
        (objectToValue):
        * API/JSValueRef.cpp:
        (JSValueGetType):
        (JSValueIsUndefined):
        (JSValueIsNull):
        (JSValueIsBoolean):
        (JSValueIsNumber):
        (JSValueIsString):
        (JSValueIsObject):
        (JSValueIsObjectOfClass):
        (JSValueIsEqual):
        (JSValueIsStrictEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueMakeUndefined):
        (JSValueMakeNull):
        (JSValueMakeBoolean):
        (JSValueMakeNumber):
        (JSValueMakeString):
        (JSValueMakeFromJSONString):
        (JSValueCreateJSONString):
        (JSValueToBoolean):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        (JSValueProtect):
        (JSValueUnprotect):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine addManagedReference:withOwner:]):
        (-[JSVirtualMachine removeManagedReference:withOwner:]):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/JSWrapperMap.mm:
        (constructorHasInstance):
        (makeWrapper):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.mm:
        (JSC::objCCallbackFunctionCallAsFunction):
        (JSC::objCCallbackFunctionCallAsConstructor):
        (objCCallbackFunctionForInvocation):
        * CMakeLists.txt:
        * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::~DelayedReleaseScope):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        (JSC::HeapTimer::timerEvent):
        * heap/IncrementalSweeper.cpp:
        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        * jsc.cpp:
        (jscmain):
        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):
        * runtime/JSGlobalObjectDebuggable.cpp:
        (JSC::JSGlobalObjectDebuggable::connect):
        (JSC::JSGlobalObjectDebuggable::disconnect):
        (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
        * runtime/JSLock.cpp:
        (JSC::JSLock::lock):
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * testRegExp.cpp:
        (realMain):

2014-03-04  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r164812.
        http://trac.webkit.org/changeset/164812
        https://bugs.webkit.org/show_bug.cgi?id=129699

        it made things run slower (Requested by pizlo on #webkit).

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        GetMyArgumentByVal in FTL
        https://bugs.webkit.org/show_bug.cgi?id=128850

        Reviewed by Oliver Hunt.
        
        This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
        They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
        caused it to think that the arity check had failed if the caller had passed more
        arguments than needed. This would cause the call frame copying to sort of go into
        reverse (because the amount-by-which-we-failed-arity would have opposite sign,
        throwing off a bunch of math) and the stack would end up being corrupted.
        
        The bug was revealed by two existing tests although as far as I could tell, neither
        test was intending to cover this case directly. So, I added a new test.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
        (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
        (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLState.h:
        * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
        * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
        * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
        * tests/stress/ftl-get-my-argument-by-val.js: Added.
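The four tests listed above are not reproduced here. The script below is an added example, not WebKit's own code, shaped like a JSC tests/stress script for the case the entry describes: a callee that declares fewer parameters than the caller passes, then reads `arguments`, run hot enough to tier up and then handed an argument of a different type so that a speculative compile has a reason to exit. Under jsc this drives the OSR-exit and arity-check path; under any other engine it only checks the semantics. The function names are the example's own.

```javascript
// Added example, not part of the WebKit ChangeLog or of the tests it lists.
// Shaped like a JSC tests/stress script: hot loop, throw on any mismatch.

// Declares two parameters but is always called with more; reading
// arguments[i] beyond the declared parameters is the GetMyArgumentByVal case.
function sumAllArguments(a, b) {
    let total = a + b;
    for (let i = 2; i < arguments.length; i++)
        total += arguments[i];
    return total;
}

// Returns the argument beyond the declared parameters, if the caller passed one.
function thirdArgument(a, b) {
    return arguments.length > 2 ? arguments[2] : undefined;
}

// Returns the number of iterations that passed; throws on the first mismatch.
function runExtraArgumentChecks(iterations) {
    let passes = 0;
    for (let i = 0; i < iterations; i++) {
        // Caller passes four arguments to a two-parameter function.
        const expected = 1 + 2 + i + 10;
        if (sumAllArguments(1, 2, i, 10) !== expected)
            throw new Error(`sum mismatch at iteration ${i}`);
        if (thirdArgument(1, 2, i) !== i)
            throw new Error(`arguments[2] mismatch at iteration ${i}`);
        passes++;
    }
    // After the loop, change the argument type so that code speculating
    // on integers must exit; the extra argument must survive the exit intact.
    if (sumAllArguments(1, 2, "x") !== "3x")
        throw new Error("string extra argument mishandled after tier-up");
    return passes;
}

runExtraArgumentChecks(20000);
```

Run it with `jsc` (or `node`); a thrown error is the failure signal, as in the real stress tests.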

2014-03-04  Zan Dobersek  <zdobersek@igalia.com>

        [GTK] Build the Udis86 disassembler
        https://bugs.webkit.org/show_bug.cgi?id=129679

        Reviewed by Michael Saboff.

        * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
        * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.

2014-03-04  Andreas Kling  <akling@apple.com>

        Fix too-narrow assertion I added in r165054.

        It's okay for a 1-character string to come in here. This will happen
        if the VM small string optimization doesn't apply (ch > 0xFF).

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Andreas Kling  <akling@apple.com>

        Micro-optimize Strings in JS bindings.
        <https://webkit.org/b/129673>

        Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
        This avoids branches in length() and operator[].

        Also call JSString::create() directly instead of jsString() and just
        assert that the string length is >1. This way we don't duplicate the
        optimizations for empty and single-character strings.

        Reviewed by Ryosuke Niwa.

        * runtime/JSString.h:
        (JSC::jsStringWithWeakOwner):

2014-03-04  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Implement Number.prototype.clz()
        https://bugs.webkit.org/show_bug.cgi?id=129479

        Reviewed by Oliver Hunt.

        Implemented Number.prototype.clz() as specified in the ES6 standard.

        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncClz):

2014-03-03  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
        https://bugs.webkit.org/show_bug.cgi?id=129631

        Reviewed by Timothy Hatcher.

        Avoid deref() too early if a client calls close(). The xpc_connection_close
        will cause another XPC_ERROR event to come in from the queue, deref then.
        Likewise, protect multithreaded access to m_client. If a client calls
        close() we want to immediately clear the pointer to prevent calls to it.

        Overall the multi-threading aspects of RemoteInspectorXPCConnection are
        growing too complicated for probably little benefit. We may want to
        clean this up later.

        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::xpcConnectionFailed):
        * inspector/remote/RemoteInspectorXPCConnection.h:
        * inspector/remote/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        (Inspector::RemoteInspectorXPCConnection::close):
        (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
        (Inspector::RemoteInspectorXPCConnection::handleEvent):
        (Inspector::RemoteInspectorXPCConnection::sendMessage):

2014-03-03  Michael Saboff  <msaboff@apple.com>

        AbstractMacroAssembler::CachedTempRegister should start out invalid
        https://bugs.webkit.org/show_bug.cgi?id=129657

        Reviewed by Filip Pizlo.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
        - Invalidate all cached registers in constructor as we don't know the
          contents of any register at the entry to the code we are going to
          generate.

2014-03-03  Andreas Kling  <akling@apple.com>

        StructureOrOffset should be fastmalloced.
        <https://webkit.org/b/129640>

        Reviewed by Geoffrey Garen.

        * runtime/StructureIDTable.h:

2014-03-03  Michael Saboff  <msaboff@apple.com>

        Crash in JIT code while watching a video @ storyboard.tumblr.com
        https://bugs.webkit.org/show_bug.cgi?id=129635

        Reviewed by Filip Pizlo.

        Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
        constructor.

        * jit/TempRegisterSet.cpp:
        (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
        * jit/TempRegisterSet.h:
        (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
        (JSC::TempRegisterSet::clearAll): New private helper.

2014-03-03  Benjamin Poulain  <benjamin@webkit.org>

        [x86] Improve code generation of byte test
        https://bugs.webkit.org/show_bug.cgi?id=129597

        Reviewed by Geoffrey Garen.

        When possible, test the 8 bit register to itself instead of comparing it
        to a literal.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::test32):

2014-03-03  Mark Lam  <mark.lam@apple.com>

        Web Inspector: debugger statements do not break.
        <https://webkit.org/b/129524>

        Reviewed by Geoff Garen.

        Since we no longer call op_debug hooks unless there is a debugger request
        made on the CodeBlock, the op_debug for the debugger statement never gets
        serviced.

        With this fix, we check in the CodeBlock constructor if any debugger
        statements are present.  If so, we set a m_hasDebuggerStatement flag that
        causes the CodeBlock to show as having debugger requests.  Hence,
        breaking at debugger statements is now restored.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):
        (JSC::CodeBlock::clearDebuggerRequests):

2014-03-03  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
        <https://webkit.org/b/129393>

        Reviewed by Geoffrey Garen.

        The issue manifests because the debugger will iterate all CodeBlocks in
        the heap when setting / clearing breakpoints, but it is possible for a
        CodeBlock to have been instantiated but not yet registered with the
        debugger.  This can happen because of the following:

        1. DFG worklist compilation is still in progress, and the target
           codeBlock is not ready for installation in its executable yet.

        2. DFG compilation failed and we have a codeBlock that will never be
           installed in its executable, and the codeBlock has not been cleaned
           up by the GC yet.

        The code for installing the codeBlock in its executable is the same code
        that registers it with the debugger.  Hence, these codeBlocks are not
        registered with the debugger, and any pending breakpoints that would map
        to that CodeBlock are as yet unset or will never be set.  As such, an
        attempt to remove a breakpoint in that CodeBlock will fail that assertion.

        To fix this, we do the following:

        1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
           compilation.  This is achieved by providing a
           DeferredCompilationCallback::compilationDidComplete() that does this
           clean up, and have all sub classes call it at the end of their
           compilationDidComplete() methods.

        2. Before the debugger or profiler iterates CodeBlocks in the heap, they
           will wait for all compilations to complete before proceeding.  This
           ensures that:
           1. any zombie CodeBlocks would have been cleaned up, and won't be
              seen by the debugger or profiler.
           2. all CodeBlocks that the debugger and profiler needs to operate on
              will be "ready" for whatever needs to be done to them e.g.
              jettisoning of DFG codeBlocks.

        * bytecode/DeferredCompilationCallback.cpp:
        (JSC::DeferredCompilationCallback::compilationDidComplete):
        * bytecode/DeferredCompilationCallback.h:
        - Provide default implementation method to clean up zombie CodeBlocks.

        * debugger/Debugger.cpp:
        (JSC::Debugger::forEachCodeBlock):
        - Utility function to iterate CodeBlocks.  It ensures that all compilations
          are complete before proceeding.
        (JSC::Debugger::setSteppingMode):
        (JSC::Debugger::toggleBreakpoint):
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::clearDebuggerRequests):
        - Use the utility iterator function.

        * debugger/Debugger.h:
        * dfg/DFGOperations.cpp:
        - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
        - Remove unneeded code (that was not the best solution anyway) for ensuring
          that we don't generate new DFG codeBlocks after enabling the debugger or
          profiler.  Now that we wait for compilations to complete before proceeding
          with debugger and profiler work, this scenario will never happen.

        * dfg/DFGToFTLDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
        (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::remove):
        * heap/CodeBlockSet.h:
        * heap/Heap.h:
        (JSC::Heap::removeCodeBlock):
        - New method to remove a codeBlock from the codeBlock set.

        * jit/JITOperations.cpp:
        - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.

        * jit/JITToDFGDeferredCompilationCallback.cpp:
        (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
        - Call the super class method to clean up zombie codeBlocks.

        * runtime/VM.cpp:
        (JSC::VM::waitForCompilationsToComplete):
        - Renamed from prepareToDiscardCode() to be clearer about what it does.

        (JSC::VM::discardAllCode):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::setEnabledProfiler):
        - Wait for compilation to complete before enabling the profiler.

        * runtime/VM.h:

2014-03-03  Brian Burg  <bburg@apple.com>

        Another unreviewed build fix attempt for Windows after r164986.

        We never told Visual Studio to copy over the web replay code generator scripts
        and the generated headers for JavaScriptCore replay inputs as if they were
        private headers.

        * JavaScriptCore.vcxproj/copy-files.cmd:

2014-03-03  Brian Burg  <bburg@apple.com>

        Web Replay: upstream input storage, capture/replay machinery, and inspector domain
        https://bugs.webkit.org/show_bug.cgi?id=128782

        Reviewed by Timothy Hatcher.

        Alter the replay inputs code generator so that it knows when it is necessary
        to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Framework.fromString):
        (Frameworks): Add WTF as an allowed framework for code generation.
        (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
        (Generator.generate_includes.declaration):
        (Generator.generate_includes.or):
        (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
        https://bugs.webkit.org/show_bug.cgi?id=129591

        Reviewed by Michael Saboff.

        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::stubRoutine):
        * jit/Repatch.cpp:
        (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.

2014-03-02  Filip Pizlo  <fpizlo@apple.com>

        Debugging improvements from my gbemu investigation session
        https://bugs.webkit.org/show_bug.cgi?id=129599

        Reviewed by Mark Lam.
        
        Various improvements from when I was investigating bug 129411.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDescribe): Make describe() return a string rather than printing the string.
        (functionDescribeArray): Like describe(), but prints details about arrays.

2014-02-25  Andreas Kling  <akling@apple.com>

        JSDOMWindow::commonVM() should return a reference.
        <https://webkit.org/b/129293>

        Added a DropAllLocks constructor that takes VM& without null checks.

        Reviewed by Geoff Garen.

2014-03-02  Mark Lam  <mark.lam@apple.com>

        CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
        <https://webkit.org/b/129584>

        Reviewed by Darin Adler.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasDebuggerRequests):

2014-03-02  Mark Lam  <mark.lam@apple.com>

        Clean up use of Options::enableConcurrentJIT().
        <https://webkit.org/b/129582>

        Reviewed by Filip Pizlo.

        DFG Driver was conditionally checking Options::enableConcurrentJIT()
        only if ENABLE(CONCURRENT_JIT).  Otherwise, it bypasses it with a local
        enableConcurrentJIT set to false.

        Instead we should configure Options::enableConcurrentJIT() to be false
        in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
        check Options::enableConcurrentJIT().  This makes the code read a little
        cleaner.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-01  Filip Pizlo  <fpizlo@apple.com>

        This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
        stress tests.

        * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.

2014-03-01  Andreas Kling  <akling@apple.com>

        JSCell::fastGetOwnProperty() should get the Structure more efficiently.
        <https://webkit.org/b/129560>

        Now that structure() is nontrivial and we have a faster structure(VM&),
        make use of that in fastGetOwnProperty() since we already have VM.

        Reviewed by Sam Weinig.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-03-01  Andreas Kling  <akling@apple.com>

        Avoid going through ExecState for VM when we already have it (in some places.)
        <https://webkit.org/b/129554>

        Tweak some places that jump through unnecessary hoops to get the VM.
        There are many more like this.

        Reviewed by Sam Weinig.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should support PhantomArguments
        https://bugs.webkit.org/show_bug.cgi?id=113986

        Reviewed by Oliver Hunt.
        
        Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
        object into the FTL's OSR exit compiler.
        
        This isn't a speed-up yet, since there is still more to be done to fully support
        all of the arguments craziness that our varargs benchmarks do.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
        * dfg/DFGOSRExitCompilerCommon.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLExitValue.h:
        (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
        (JSC::FTL::ExitValue::valueFormat):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
        * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
        * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):

2014-02-28  Andreas Kling  <akling@apple.com>

        JSObject::findPropertyHashEntry() should take VM instead of ExecState.
        <https://webkit.org/b/129529>

        Callers already have VM in a local, and findPropertyHashEntry() only
        uses the VM, no need to go all the way through ExecState.

        Reviewed by Geoffrey Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        * runtime/JSObject.h:

2014-02-28  Joseph Pecoraro  <pecoraro@apple.com>

        Deadlock remotely inspecting iOS Simulator
        https://bugs.webkit.org/show_bug.cgi?id=129511

        Reviewed by Timothy Hatcher.

        Avoid synchronous setup. Do it asynchronously, and let
        the RemoteInspector singleton know later if it failed.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::setupFailed):
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::setup):

2014-02-28  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
        https://bugs.webkit.org/show_bug.cgi?id=129488

        Reviewed by Mark Lam.

        Whoops, modify the right register.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-28  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
        https://bugs.webkit.org/show_bug.cgi?id=129503

        Reviewed by Mark Lam.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleSin):
        (JSC::FTL::Output::doubleCos):
        (JSC::FTL::Output::intrinsicOrOperation):

2014-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix !ENABLE(GGC) builds

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):
        (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up Heap::collect and Heap::markRoots
        https://bugs.webkit.org/show_bug.cgi?id=129464

        Reviewed by Geoffrey Garen.

        These functions have built up a lot of cruft recently. 
        We should do a bit of cleanup to make them easier to grok.

        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        (JSC::Heap::gatherStackRoots):
        (JSC::Heap::gatherJSStackRoots):
        (JSC::Heap::gatherScratchBufferRoots):
        (JSC::Heap::clearLivenessData):
        (JSC::Heap::visitSmallStrings):
        (JSC::Heap::visitConservativeRoots):
        (JSC::Heap::visitCompilerWorklists):
        (JSC::Heap::markProtectedObjects):
        (JSC::Heap::markTempSortVectors):
        (JSC::Heap::markArgumentBuffers):
        (JSC::Heap::visitException):
        (JSC::Heap::visitStrongHandles):
        (JSC::Heap::visitHandleStack):
        (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
        (JSC::Heap::converge):
        (JSC::Heap::visitWeakHandles):
        (JSC::Heap::clearRememberedSet):
        (JSC::Heap::updateObjectCounts):
        (JSC::Heap::resetVisitors):
        (JSC::Heap::markRoots):
        (JSC::Heap::copyBackingStores):
        (JSC::Heap::deleteUnmarkedCompiledCode):
        (JSC::Heap::collect):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::suspendCompilerThreads):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::deleteOldCode):
        (JSC::Heap::flushOldStructureIDTables):
        (JSC::Heap::flushWriteBarrierBuffer):
        (JSC::Heap::stopAllocation):
        (JSC::Heap::reapWeakHandles):
        (JSC::Heap::sweepArrayBuffers):
        (JSC::Heap::snapshotMarkedSpace):
        (JSC::Heap::deleteSourceProviderCaches):
        (JSC::Heap::notifyIncrementalSweeper):
        (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
        (JSC::Heap::resetAllocators):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::resumeCompilerThreads):
        * heap/Heap.h:

2014-02-27  Ryosuke Niwa  <rniwa@webkit.org>

        indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
        https://bugs.webkit.org/show_bug.cgi?id=129466

        Reviewed by Michael Saboff.

        Refactored the code to avoid calling JSString::value when needle is longer than haystack.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncIndexOf):
        (JSC::stringProtoFuncLastIndexOf):

2014-02-27  Timothy Hatcher  <timothy@apple.com>

        Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.

        https://bugs.webkit.org/show_bug.cgi?id=129458

        Reviewed by Joseph Pecoraro.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
        (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
        line ending type and don't try to strip the line ending. Use size_t.
        (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
        This will include the line ending in the lines, but that is okay.
        (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
        (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
        https://bugs.webkit.org/show_bug.cgi?id=129446

        Reviewed by Timothy Hatcher.

        Remove duplicate header entries in Copy Header build phase.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-27  Oliver Hunt  <oliver@apple.com>

        Whoops, include all of last patch.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):

2014-02-27  Oliver Hunt  <oliver@apple.com>

        Slow cases for function.apply and function.call should not require vm re-entry
        https://bugs.webkit.org/show_bug.cgi?id=129454

        Reviewed by Geoffrey Garen.

        Implement call and apply using builtins. Happily the use
        of @call and @apply doesn't perform function equality checks
        and just plants direct var_args calls. This did expose a few
        codegen issues, but they're all covered by existing tests
        once call and apply are implemented in JS.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/Function.prototype.js: Added.
        (call):
        (apply):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::makeFunctionCallNode):
        * parser/Lexer.cpp:
        (JSC::isSafeBuiltinIdentifier):
        * runtime/CommonIdentifiers.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSObject.h:

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
        https://bugs.webkit.org/show_bug.cgi?id=129443

        Reviewed by Timothy Hatcher.

        This queue is specific to the JSContext debuggable connections,
        there is no XPC involved. Give it a better name.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):

2014-02-27  David Kilzer  <ddkilzer@apple.com>

        Remove jsc symlink if it already exists

        This is a follow-up fix for:

        Create symlink to /usr/local/bin/jsc during installation
        <http://webkit.org/b/129399>
        <rdar://problem/16168734>

        * JavaScriptCore.xcodeproj/project.pbxproj:
        (Create /usr/local/bin/jsc symlink): If a jsc symlink already
        exists where we're about to create the symlink, remove the old
        one first.

2014-02-27  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for Mac tools after r164814

        * Configurations/ToolExecutable.xcconfig:
        - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Changed productName to testRegExp for testRegExp target.

2014-02-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-27  David Kilzer  <ddkilzer@apple.com>

        Create symlink to /usr/local/bin/jsc during installation
        <http://webkit.org/b/129399>
        <rdar://problem/16168734>

        Reviewed by Dan Bernstein.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        - Add "Create /usr/local/bin/jsc symlink" build phase script to
          create the symlink during installation.

2014-02-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Math.{max, min}() must not return after first NaN value
        https://bugs.webkit.org/show_bug.cgi?id=104147

        Reviewed by Oliver Hunt.

        According to the spec, ToNumber is going to be called on each argument
        even if a `NaN` value was already found.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
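
        The following is an added example, not code from this ChangeLog or from
        the JavaScriptCore sources. It shows the observable consequence of the
        Math.max/Math.min fix above from the script side: ToNumber must run on
        every argument, in order, even after a NaN has been seen, so valueOf()
        side effects still happen and a throwing valueOf() still propagates. It
        also includes a small reference implementation of the spec algorithm
        (coerce all arguments first, then compare) for comparison against the
        engine's builtin. The traced objects are constructed test inputs.

```javascript
// Added example (not from the WebKit ChangeLog or the JSC sources).
// Demonstrates that Math.max/Math.min apply ToNumber to every argument
// even after a NaN argument has already been seen. All inputs are constructed.

// Builds an argument whose ToNumber conversion records that it was called.
function tracedNumber(value, log) {
  return {
    valueOf() {
      log.push(value);
      return value;
    },
  };
}

// Calls fn (Math.max or Math.min) with NaN first, then traced arguments.
// Returns the result and the order in which ToNumber was applied: a
// conforming engine logs every value even though the result is NaN.
function coerceAfterNaN(fn, values) {
  const log = [];
  const args = [NaN, ...values.map((v) => tracedNumber(v, log))];
  const result = fn(...args);
  return { result, log };
}

// Checks that a throwing valueOf() still propagates when an earlier
// argument is already NaN. Returns the error message, or null if the
// engine skipped the conversion (the pre-fix behaviour).
function throwsAfterNaN(fn) {
  const poison = {
    valueOf() {
      throw new Error("valueOf reached after NaN");
    },
  };
  try {
    fn(NaN, poison);
    return null;
  } catch (e) {
    return e.message;
  }
}

// Reference implementation of the spec algorithm for Math.max: coerce every
// argument first (so all side effects occur), then pick the result.
// +0 is treated as larger than -0, as the spec requires.
function specMax(...args) {
  const coerced = args.map(Number);
  let highest = -Infinity;
  for (const n of coerced) {
    if (Number.isNaN(n)) return NaN;
    if (n > highest || (n === 0 && highest === 0 && !Object.is(n, -0))) {
      highest = n;
    }
  }
  return highest;
}

// Stand-alone run: compare the engine's builtin with the reference.
const traced = coerceAfterNaN(Math.max, [1, 2, 3]);
console.log("Math.max result:", traced.result, "ToNumber order:", traced.log);
console.log("throws after NaN:", throwsAfterNaN(Math.min));
console.log("specMax(1, 3, 2):", specMax(1, 3, 2), "Math.max(1, 3, 2):", Math.max(1, 3, 2));
```

        Running this under a conforming engine logs all three traced values
        and reports the propagated error; an engine that bailed out at the
        first NaN would log nothing and return null from throwsAfterNaN().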

2014-02-27  Gergo Balogh  <gbalogh.u-szeged@partner.samsung.com>

        JSType upper limit (0xff) assertion can be removed.
        https://bugs.webkit.org/show_bug.cgi?id=129424

        Reviewed by Geoffrey Garen.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):

2014-02-26  Michael Saboff  <msaboff@apple.com>

        Auto generate bytecode information for bytecode parser and LLInt
        https://bugs.webkit.org/show_bug.cgi?id=129181

        Reviewed by Mark Lam.

        Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
        helpers.  It also includes bytecode length and other information used to generate files.
        Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
        in DerivedSources/JavaScriptCore/.

        Added the generation of these files to the "DerivedSource" build step.
        Slightly changed the build order, since the Bytecodes.h file is needed by
        JSCLLIntOffsetsExtractor.  Moved the offline assembly to a separate step since it needs
        to be run after JSCLLIntOffsetsExtractor.

        Made related changes to OPCODE macros and their use.

        Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
        jsc to resolve Mac build issue.

        * CMakeLists.txt:
        * Configurations/JSC.xcconfig:
        * DerivedSources.make:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.vcxproj/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * llint/LLIntCLoop.cpp:
        (JSC::LLInt::CLoop::initialize):
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        * llint/LLIntOpcode.h:
        * llint/LowLevelInterpreter.asm:

2014-02-27  Julien Brianceau  <jbriance@cisco.com>

        Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
        https://bugs.webkit.org/show_bug.cgi?id=129420

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
        Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.

2014-02-27  Filip Pizlo  <fpizlo@apple.com>

        Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
        https://bugs.webkit.org/show_bug.cgi?id=129435

        Reviewed by Oliver Hunt.
        
        This is a 5-10% speed-up on Octane/closure.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionClearCodeCache):
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):

2014-02-27  Alexey Proskuryakov  <ap@apple.com>

        Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.

        * inspector/scripts: Added property svn:ignore.
        * replay/scripts: Added property svn:ignore.

2014-02-27  Gabor Rapcsanyi  <rgabor@webkit.org>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
        (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
        (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.

2014-02-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveWithPatch):

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        r164764 broke the ARM build
        https://bugs.webkit.org/show_bug.cgi?id=129415

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        EFL build fix

        * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2014-02-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Make JSCells have 32-bit Structure pointers
        https://bugs.webkit.org/show_bug.cgi?id=123195

        Reviewed by Filip Pizlo.

        This patch changes JSCells such that they no longer have a full 64-bit Structure
        pointer in their header. Instead they now have a 32-bit index into
        a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
        pointers.

        This change frees up an additional 32 bits of information in our object headers.
        We then use this extra space to store the indexing type of the object, the JSType
        of the object, some various type flags, and garbage collection data (e.g. mark bit).
        Because this inline type information is now faster to read, it pays for the slowdown 
        incurred by having to perform an extra indirection through the StructureIDTable.

        This patch also threads a reference to the current VM through more of the C++ runtime
        to offset the cost of having to look up the VM to get the actual Structure pointer.

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::patchableBranch32WithPatch):
        (JSC::MacroAssembler::patchableBranch32):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branchPtrWithPatch):
        (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::store8):
        (JSC::MacroAssemblerARMv7::branch32WithPatch):
        (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branch32WithPatch):
        (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::store32):
        (JSC::MacroAssemblerX86_64::moveWithPatch):
        (JSC::MacroAssemblerX86_64::branch32WithPatch):
        (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
        (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
        (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
        (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::revertJumpTo_movq_i64r):
        (JSC::X86Assembler::revertJumpTo_movl_i32r):
        * bytecode/ArrayProfile.cpp:
        (JSC::ArrayProfile::computeUpdatedPrediction):
        * bytecode/ArrayProfile.h:
        (JSC::ArrayProfile::ArrayProfile):
        (JSC::ArrayProfile::addressOfLastSeenStructureID):
        (JSC::ArrayProfile::observeStructure):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::heap):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/Debugger.h:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchWeakStructure):
        (JSC::DFG::JITCompiler::branchStructurePtr):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::osrWriteBarrier):
        (JSC::DFG::adjustAndJumpToTarget):
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::arrayify):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateFinalObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGWorklist.cpp:
        * ftl/FTLAbstractHeapRepository.cpp:
        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileToString):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isObject):
        (JSC::FTL::LowerDFGToLLVM::isString):
        (JSC::FTL::LowerDFGToLLVM::isArrayType):
        (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
        (JSC::FTL::LowerDFGToLLVM::isType):
        (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
        (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
        (JSC::FTL::LowerDFGToLLVM::loadStructure):
        (JSC::FTL::LowerDFGToLLVM::weakStructure):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::store8):
        * heap/GCAssertions.h:
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::collect):
        (JSC::Heap::writeBarrier):
        * heap/Heap.h:
        (JSC::Heap::structureIDTable):
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::forEachBlock):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::internalAppend):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::branchIfCellNotObject):
        (JSC::AssemblyHelpers::genericWriteBarrier):
        (JSC::AssemblyHelpers::emitLoadStructure):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::privateCompileClosureCall):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::generateFastPathChecks):
        * jit/JITInlineCacheGenerator.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::checkStructure):
        (JSC::JIT::emitJumpIfCellNotObject):
        (JSC::JIT::emitAllocateJSObject):
        (JSC::JIT::emitArrayProfilingSiteWithCell):
        (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
        (JSC::JIT::branchStructure):
        (JSC::branchStructure):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_check_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_is_undefined):
        (JSC::JIT::emit_op_is_string):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_jeq_null):
        (JSC::JIT::emit_op_jneq_null):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_eq_null):
        (JSC::JIT::emit_op_neq_null):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_next_pname):
        (JSC::JIT::emit_op_to_this):
        * jit/JITOperations.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitLoadWithStructureCheck):
        (JSC::JIT::emitSlow_op_get_from_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        (JSC::JIT::checkMarkWord):
        (JSC::JIT::emitWriteBarrier):
        (JSC::JIT::addStructureTransitionCheck):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitLoadWithStructureCheck):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfNotType):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::addStructureTransitionCheck):
        (JSC::replaceWithJump):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::writeBarrier):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):
        (JSC::arrayIteratorNextThunkGenerator):
        * jit/UnusedPointer.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/Arguments.cpp:
        (JSC::Arguments::createStrictModeCallerIfNecessary):
        (JSC::Arguments::createStrictModeCalleeIfNecessary):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncReverse):
        (JSC::performSlowSort):
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Executable.h:
        (JSC::ExecutableBase::isFunctionExecutable):
        (JSC::ExecutableBase::clearCodeVirtual):
        (JSC::ScriptExecutable::unlinkCalls):
        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):
        * runtime/InitializeThreading.cpp:
        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::sortNumericVector):
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sortCompactedVector):
        (JSC::JSArray::sort):
        (JSC::JSArray::sortVector):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        (JSC::JSArray::compactForSorting):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toThis):
        (JSC::JSValue::put):
        (JSC::JSValue::putByIndex):
        (JSC::JSValue::equalSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::deleteProperty):
        (JSC::JSCell::deletePropertyByIndex):
        * runtime/JSCell.h:
        (JSC::JSCell::clearStructure):
        (JSC::JSCell::mark):
        (JSC::JSCell::isMarked):
        (JSC::JSCell::structureIDOffset):
        (JSC::JSCell::typeInfoFlagsOffset):
        (JSC::JSCell::typeInfoTypeOffset):
        (JSC::JSCell::indexingTypeOffset):
        (JSC::JSCell::gcDataOffset):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        (JSC::JSCell::type):
        (JSC::JSCell::indexingType):
        (JSC::JSCell::structure):
        (JSC::JSCell::visitChildren):
        (JSC::JSCell::isObject):
        (JSC::JSCell::isString):
        (JSC::JSCell::isGetterSetter):
        (JSC::JSCell::isProxy):
        (JSC::JSCell::isAPIValueWrapper):
        (JSC::JSCell::setStructure):
        (JSC::JSCell::methodTable):
        (JSC::Heap::writeBarrier):
        * runtime/JSDataView.cpp:
        (JSC::JSDataView::createStructure):
        * runtime/JSDestructibleObject.h:
        (JSC::JSCell::classInfo):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::createStructure):
        * runtime/JSObject.cpp:
        (JSC::getCallableObjectSlow):
        (JSC::JSObject::copyButterfly):
        (JSC::JSObject::visitButterfly):
        (JSC::JSFinalObject::visitChildren):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::put):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createInitialUndecided):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::genericConvertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::ensureInt32Slow):
        (JSC::JSObject::ensureDoubleSlow):
        (JSC::JSObject::ensureContiguousSlow):
        (JSC::JSObject::ensureArrayStorageSlow):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::switchToSlowPutArrayStorage):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::putDirectNonIndexAccessor):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::hasOwnProperty):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getPrimitiveNumber):
        (JSC::JSObject::hasInstance):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getPropertyNames):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::getOwnNonIndexPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putByIndexBeyondVectorLength):
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        (JSC::JSObject::putDirectIndexBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::countElements):
        (JSC::JSObject::increaseVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::growOutOfLineStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        (JSC::putDescriptor):
        (JSC::JSObject::defineOwnNonIndexProperty):
        * runtime/JSObject.h:
        (JSC::getJSFunction):
        (JSC::JSObject::getArrayLength):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::putByIndexInline):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly):
        (JSC::JSObject::getDirectIndex):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::canSetIndexQuicklyForPutDirect):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectOffset):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::rageEnsureContiguous):
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        (JSC::JSObject::arrayStorageOrNull):
        (JSC::JSObject::ensureLength):
        (JSC::JSObject::currentIndexingData):
        (JSC::JSObject::getHolyIndexQuickly):
        (JSC::JSObject::currentRelevantLength):
        (JSC::JSObject::isGlobalObject):
        (JSC::JSObject::isVariableObject):
        (JSC::JSObject::isStaticScopeObject):
        (JSC::JSObject::isNameScopeObject):
        (JSC::JSObject::isActivationObject):
        (JSC::JSObject::isErrorInstance):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::getOwnPropertySlot):
        (JSC::JSProxy::getOwnPropertySlotByIndex):
        (JSC::JSProxy::put):
        (JSC::JSProxy::putByIndex):
        (JSC::JSProxy::defineOwnProperty):
        (JSC::JSProxy::deleteProperty):
        (JSC::JSProxy::deletePropertyByIndex):
        (JSC::JSProxy::getPropertyNames):
        (JSC::JSProxy::getOwnPropertyNames):
        * runtime/JSScope.cpp:
        (JSC::JSScope::objectAtScope):
        * runtime/JSString.h:
        (JSC::JSString::createStructure):
        (JSC::isJSString):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        (JSC::TypeInfo::isObject):
        (JSC::TypeInfo::structureIsImmortal):
        (JSC::TypeInfo::zeroedGCDataOffset):
        (JSC::TypeInfo::inlineTypeFlags):
        * runtime/MapData.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetOwnPropertyNames):
        (JSC::objectConstructorKeys):
        (JSC::objectConstructorDefineProperty):
        (JSC::defineProperties):
        (JSC::objectConstructorSeal):
        (JSC::objectConstructorFreeze):
        (JSC::objectConstructorIsSealed):
        (JSC::objectConstructorIsFrozen):
        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncToString):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectType):
        * runtime/Operations.h:
        (JSC::normalizePrototypeChainForChainAccess):
        (JSC::normalizePrototypeChain):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::~Structure):
        (JSC::Structure::prototypeChainMayInterceptStoreTo):
        * runtime/Structure.h:
        (JSC::Structure::id):
        (JSC::Structure::idBlob):
        (JSC::Structure::objectInitializationFields):
        (JSC::Structure::structureIDOffset):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):
        * runtime/StructureIDTable.cpp: Added.
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::~StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h: Added.
        (JSC::StructureIDTable::base):
        (JSC::StructureIDTable::get):
        * runtime/SymbolTable.h:
        * runtime/TypedArrayType.cpp:
        (JSC::typeForTypedArrayType):
        * runtime/TypedArrayType.h:
        * runtime/WeakMapData.h:

2014-02-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unconditional logging in compileFTLOSRExit
        https://bugs.webkit.org/show_bug.cgi?id=129407

        Reviewed by Michael Saboff.

        This was causing tests to fail with the FTL enabled.

        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):

2014-02-26  Oliver Hunt  <oliver@apple.com>

        Remove unused access types
        https://bugs.webkit.org/show_bug.cgi?id=129385

        Reviewed by Filip Pizlo.

        Remove unused cruft.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::isPutByIdAccess):

2014-02-26  Oliver Hunt  <oliver@apple.com>

        Function.prototype.apply has a bad time with the spread operator
        https://bugs.webkit.org/show_bug.cgi?id=129381

        Reviewed by Mark Hahnenberg.

        Make sure our apply logic handles the spread operator correctly.
        To do this we simply emit the enumeration logic that we'd normally
        use for other enumerations, but only store the first two results
        to registers.  Then perform a varargs call.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ApplyFunctionCallDotNode::emitBytecode):

2014-02-26  Mark Lam  <mark.lam@apple.com>

        Compilation policy management belongs in operationOptimize(), not the DFG Driver.
        <https://webkit.org/b/129355>

        Reviewed by Filip Pizlo.

        By compilation policy, I mean the rules for determining whether to
        compile, when to compile, when to attempt compilation again, etc.  The
        few of these policy decisions that were previously being made in the
        DFG driver are now moved to operationOptimize() where we keep the rest
        of the policy logic.  Decisions that are based on the capabilities
        supported by the DFG are moved to DFG capabilityLevel().

        I've run the following benchmarks:
        1. the collection of jsc benchmarks on the jsc executable vs. its
           baseline.
        2. Octane 2.0 in browser without the WebInspector.
        3. Octane 2.0 in browser with the WebInspector open and a breakpoint
           set somewhere where it won't break.

        In all of these, the results came out to be a wash as expected.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGCapabilities.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/JITOperations.cpp:

2014-02-26  Mark Lam  <mark.lam@apple.com>

        ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
        <https://webkit.org/b/129364>

        Reviewed by Alexey Proskuryakov.

        InjectedScriptModule::ensureInjected() needs an APIEntryShim.

        * inspector/InjectedScriptModule.cpp:
        (Inspector::InjectedScriptModule::ensureInjected):
        - Added the needed but missing APIEntryShim. 

2014-02-25  Mark Lam  <mark.lam@apple.com>

        Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
        <https://webkit.org/b/128766>

        Reviewed by Geoffrey Garen.

        Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
        The reasoning is that we don't know of any clients that need unordered
        re-entry into the VM from different threads. So, we're enforcing ordered
        re-entry i.e. we must re-grab locks in the reverse order of dropping locks.

        The crash in this bug happened because we were allowing unordered re-entry,
        and the following type of scenario occurred:

        1. Thread T1 locks the VM, and enters the VM to execute some JS code.
        2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the
           first time it entered the VM.
           T1 sets VM::m_entryScope to T1's entryScope.
        3. T1 drops all locks.

        4. Thread T2 locks the VM, and enters the VM to execute some JS code.
           On entry, T2 sees that VM::m_entryScope is NOT null, and therefore
           does not set the entryScope.
        5. T2 drops all locks.

        6. T1 re-grabs locks.
        7. T1 returns all the way out of JS code. On exit from the outer most
           JS function, T1 clears VM::m_entryScope (because T1 was the one who
           set it).
        8. T1 unlocks the VM.

        9. T2 re-grabs locks.
        10. T2 proceeds to execute some code and expects VM::m_entryScope to be
            NOT null, but it turns out to be null. Assertion failures and
            crashes ensue.

        With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
        the VM. Hence, the issue will no longer manifest.

        * runtime/JSLock.cpp:
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::DropAllLocks::dropDepth):
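        The interleaving above, replayed as an added illustration. This is not
        WebKit's JSLock code: ToyVMLock, runScenario and the step-by-step driver
        are a constructed single-threaded model that steps the two threads by hand
        so the outcome is deterministic. The "ordered" policy refuses a re-grab
        unless the caller is the most recent dropper (the token it received from
        dropAllLocks matches the current drop depth), which is the refusal that
        makes T1 loop and yield at step 6; the "unordered" policy lets any dropper
        back in as soon as the lock is free and reproduces the null entry scope
        T2 observes at step 10.

```cpp
// Added example: toy model of ordered vs. unordered re-entry into a VM lock.
// Not WebKit's JSLock; names and the scripted interleaving are constructed here.
#include <cstdio>
#include <stdexcept>

static void must(bool cond, const char* what) {
    if (!cond) throw std::logic_error(what);
}

struct ToyVMLock {
    int owner = 0;            // id of the thread holding the lock, 0 = free
    unsigned dropDepth = 0;   // number of outstanding dropAllLocks() calls
    bool ordered;             // policy under test
    explicit ToyVMLock(bool orderedReentry) : ordered(orderedReentry) {}

    bool lock(int tid) { if (owner) return false; owner = tid; return true; }
    void unlock(int tid) { must(owner == tid, "unlock by non-owner"); owner = 0; }

    // Releases the lock and hands back the token the thread must present later.
    unsigned dropAllLocks(int tid) {
        must(owner == tid, "drop by non-owner");
        owner = 0;
        return dropDepth++;
    }

    // Ordered policy: only the most recent dropper may re-enter; everyone else
    // is told to yield. Unordered policy: any dropper may re-enter once free.
    bool tryGrabAllLocks(int tid, unsigned token) {
        if (owner) return false;
        if (ordered && token != dropDepth - 1) return false;  // caller must yield
        owner = tid;
        dropDepth--;
        return true;
    }
};

struct ScenarioResult {
    bool t1YieldedAtStep6;    // true iff T1's first re-grab was refused
    int entryScopeSeenByT2;   // thread id T2 reads from the entry scope; 0 = null
};

// Replays steps 1-10 from the description; entryScope stands in for VM::m_entryScope.
ScenarioResult runScenario(bool orderedReentry) {
    const int T1 = 1, T2 = 2;
    ToyVMLock lock(orderedReentry);
    int entryScope = 0;
    ScenarioResult r{false, -1};

    must(lock.lock(T1), "step 1");                 // 1: T1 locks and enters
    bool t1SetScope = (entryScope == 0);           // 2: first entry sets the scope
    if (t1SetScope) entryScope = T1;
    unsigned t1Token = lock.dropAllLocks(T1);      // 3: T1 drops all locks

    must(lock.lock(T2), "step 4");                 // 4: T2 locks and enters
    bool t2SetScope = (entryScope == 0);           //    scope already set, T2 leaves it
    if (t2SetScope) entryScope = T2;
    unsigned t2Token = lock.dropAllLocks(T2);      // 5: T2 drops all locks

    bool t1Back = lock.tryGrabAllLocks(T1, t1Token); // 6: T1 tries to re-grab
    r.t1YieldedAtStep6 = !t1Back;
    if (t1Back) {                                  // 7-8: T1 exits, clears its scope
        if (t1SetScope) entryScope = 0;
        lock.unlock(T1);
    }

    must(lock.tryGrabAllLocks(T2, t2Token), "step 9"); // 9: T2 re-grabs
    r.entryScopeSeenByT2 = entryScope;             // 10: what T2 finds on resume
    if (t2SetScope) entryScope = 0;
    lock.unlock(T2);

    if (!t1Back) {                                 // T1's yield loop ends: T2 is out
        must(lock.tryGrabAllLocks(T1, t1Token), "T1 retry");
        if (t1SetScope) entryScope = 0;
        lock.unlock(T1);
    }
    return r;
}

int main() {
    for (bool ordered : {false, true}) {
        ScenarioResult r = runScenario(ordered);
        std::printf("%s re-entry: T1 yielded at step 6 = %d, entry scope seen by T2 = %d\n",
                    ordered ? "ordered" : "unordered", r.t1YieldedAtStep6, r.entryScopeSeenByT2);
    }
    return 0;
}
```

        Under the unordered policy T2 reads a null entry scope at step 10, the
        state that produced the assertion failures; under the ordered policy T1
        is refused at step 6, T2 finishes first and still sees T1's scope, and T1
        re-enters only after T2 has left the VM.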

2014-02-25  Mark Lam  <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Not reviewed.

        Relanding r164627 now that <https://webkit.org/b/129341> is fixed.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::hasExclusiveThread):
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::hasExclusiveThread):
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        Inline caching in the FTL on ARM64 should "work"
        https://bugs.webkit.org/show_bug.cgi?id=129334

        Reviewed by Mark Hahnenberg.
        
        Gets us to the point where simple tests that use inline caching are passing.

        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::shrink):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        (JSC::FTL::sizeOfCall):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * jit/GPRInfo.h:
        * offlineasm/arm64.rb:

2014-02-25  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r164627.
        http://trac.webkit.org/changeset/164627
        https://bugs.webkit.org/show_bug.cgi?id=129325

        Broke SubtleCrypto tests (Requested by ap on #webkit).

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        ARM64 rshift64 should be an arithmetic shift
        https://bugs.webkit.org/show_bug.cgi?id=129323

        Reviewed by Mark Hahnenberg.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::rshift64):

2014-02-25  Sergio Villar Senin  <svillar@igalia.com>

        [CSS Grid Layout] Add ENABLE flag
        https://bugs.webkit.org/show_bug.cgi?id=129153

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.

2014-02-25  Michael Saboff  <msaboff@apple.com>

        JIT Engines use the wrong stack limit for stack checks
        https://bugs.webkit.org/show_bug.cgi?id=129314

        Reviewed by Filip Pizlo.

        Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * runtime/VM.h:
        (JSC::VM::addressOfStackLimit):

2014-02-25  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/164493.
        
        It causes crashes, apparently because it's removing too many barriers. I will investigate
        later.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotNully):
        (JSC::FTL::LowerDFGToLLVM::isNully):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-24  Oliver Hunt  <oliver@apple.com>

        Fix build.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-02-24  Oliver Hunt  <oliver@apple.com>

        Spread operator has a bad time when applied to call function
        https://bugs.webkit.org/show_bug.cgi?id=128853

        Reviewed by Geoffrey Garen.

        Follow on from the previous patch that added an extra slot to
        op_call_varargs (and _call, _call_eval, _construct).  We now
        use the slot as an offset to in effect act as a 'slice' on
        the spread subject.  This allows us to automatically retain
        all our existing argument and array optimisations.  Most of
        this patch is simply threading the offset around.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::getArgumentByVal):
        (JSC::CallFunctionCallDotNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::sizeFrameForVarargs):
        (JSC::loadVarargs):
        * interpreter/Interpreter.h:
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        * runtime/Arguments.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:

2014-02-24  Mark Lam  <mark.lam@apple.com>

        Need to initialize VM stack data even when the VM is on an exclusive thread.
        <https://webkit.org/b/129265>

        Reviewed by Geoffrey Garen.

        We check VM::exclusiveThread as an optimization to forego the need to do
        JSLock locking. However, we recently started piggy backing on JSLock's
        lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
        and lastStackTop) to appropriate values for the current thread. This is
        needed because we may be acquiring the lock to enter the VM on a different
        thread.

        As a result, we ended up not initializing the VM stack data when
        VM::exclusiveThread causes us to bypass the locking activity. Even though
        the VM::exclusiveThread will not have to deal with the VM being entered
        on a different thread, it still needs to initialize the VM stack data.
        The VM relies on that data being initialized properly once it has been
        entered.

        With this fix, we push the check for exclusiveThread down into the JSLock,
        and handle the bypassing of unneeded locking activity there while still
        executing the necessary VM stack data initialization.

        * API/APIShims.h:
        (JSC::APIEntryShim::APIEntryShim):
        (JSC::APICallbackShim::shouldDropAllLocks):
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::addCurrentThread):
        * runtime/JSLock.cpp:
        (JSC::JSLockHolder::JSLockHolder):
        (JSC::JSLockHolder::init):
        (JSC::JSLockHolder::~JSLockHolder):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::setExclusiveThread):
        (JSC::JSLock::lock):
        (JSLock::unlock):
        (JSLock::currentThreadIsHoldingLock):
        (JSLock::dropAllLocks):
        (JSLock::grabAllLocks):
        * runtime/JSLock.h:
        (JSC::JSLock::exclusiveThread):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::exclusiveThread):
        (JSC::VM::setExclusiveThread):
        (JSC::VM::currentThreadIsHoldingAPILock):

2014-02-24  Filip Pizlo  <fpizlo@apple.com>

        FTL should do polymorphic PutById inlining
        https://bugs.webkit.org/show_bug.cgi?id=129210

        Reviewed by Mark Hahnenberg and Oliver Hunt.
        
        This makes PutByIdStatus inform us about polymorphic cases by returning an array of
        PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
        selection of multiple inlined PutByIdVariants.
        
        MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
        http://trac.webkit.org/changeset/164207.
        
        This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
        that generate similar code.
        
        1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
        sometimes swaps field insertion order, creating fake polymorphism.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::isSimple):
        (JSC::PutByIdStatus::numVariants):
        (JSC::PutByIdStatus::variants):
        (JSC::PutByIdStatus::at):
        (JSC::PutByIdStatus::operator[]):
        * bytecode/PutByIdVariant.cpp: Added.
        (JSC::PutByIdVariant::dump):
        (JSC::PutByIdVariant::dumpInContext):
        * bytecode/PutByIdVariant.h: Added.
        (JSC::PutByIdVariant::PutByIdVariant):
        (JSC::PutByIdVariant::replace):
        (JSC::PutByIdVariant::transition):
        (JSC::PutByIdVariant::kind):
        (JSC::PutByIdVariant::isSet):
        (JSC::PutByIdVariant::operator!):
        (JSC::PutByIdVariant::structure):
        (JSC::PutByIdVariant::oldStructure):
        (JSC::PutByIdVariant::newStructure):
        (JSC::PutByIdVariant::structureChain):
        (JSC::PutByIdVariant::offset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.cpp:
        (JSC::DFG::MultiPutByOffsetData::writesStructures):
        (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToPutByOffset):
        (JSC::DFG::Node::hasMultiPutByOffsetData):
        (JSC::DFG::Node::multiPutByOffsetData):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
        (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
        (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
        (JSC::FTL::LowerDFGToLLVM::loadProperty):
        (JSC::FTL::LowerDFGToLLVM::storeProperty):
        (JSC::FTL::LowerDFGToLLVM::addressOfProperty):
        (JSC::FTL::LowerDFGToLLVM::storageForTransition):
        (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
        (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
        * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
        * tests/stress/multi-put-by-offset-reallocation-cases.js: Added.

2014-02-24  peavo@outlook.com  <peavo@outlook.com>

        JSC regressions after r164494
        https://bugs.webkit.org/show_bug.cgi?id=129272

        Reviewed by Mark Lam.

        * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.

2014-02-24  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
        https://bugs.webkit.org/show_bug.cgi?id=129255

        Reviewed by Csaba Osztrogonác.

        ENABLE_WORKERS macro was removed in r159679.
        Support is now also removed from xcconfig files.

        * Configurations/FeatureDefines.xcconfig:

2014-02-24  David Kilzer  <ddkilzer@apple.com>

        Remove redundant setting in FeatureDefines.xcconfig

        * Configurations/FeatureDefines.xcconfig:

2014-02-23  Sam Weinig  <sam@webkit.org>

        Update FeatureDefines.xcconfig

        Rubber-stamped by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig:

2014-02-23  Dean Jackson  <dino@apple.com>

        Sort the project file with sort-Xcode-project-file.

        Rubber-stamped by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-02-23  Sam Weinig  <sam@webkit.org>

        Move telephone number detection behind its own ENABLE macro
        https://bugs.webkit.org/show_bug.cgi?id=129236

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_TELEPHONE_NUMBER_DETECTION.

2014-02-22  Filip Pizlo  <fpizlo@apple.com>

        Refine DFG+FTL inlining and compilation limits
        https://bugs.webkit.org/show_bug.cgi?id=129212

        Reviewed by Mark Hahnenberg.
        
        Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
        and set that limit quite high. Institute a limit on inlining-into. The idea here is
        that large functions tend to be autogenerated, and code generators like emscripten
        appear to leave few inlining opportunities anyway. Also, we don't want the code
        size explosion that we would risk if we allowed compilation of a large function and
        then inlined a ton of stuff into it.
        
        This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
        regression. This is a 9% speed-up on AsmBench.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::noticeIncomingCall):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::isSmallEnoughToInlineCodeInto):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLState.h:
        (JSC::FTL::shouldShowDisassembly):
        * runtime/Options.h:

2014-02-22  Dan Bernstein  <mitz@apple.com>

        REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
        https://bugs.webkit.org/show_bug.cgi?id=129227

        Reviewed by Eric Carlson.

        Reverted r164507.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/ScriptCallStack.cpp:
        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        (Inspector::createScriptCallStackFromException):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):

2014-02-22  Joseph Pecoraro  <pecoraro@apple.com>

        Remove some unreachable code (-Wunreachable-code)
        https://bugs.webkit.org/show_bug.cgi?id=129220

        Reviewed by Eric Carlson.

        * API/tests/testapi.c:
        (EvilExceptionObject_convertToType):
        * disassembler/udis86/udis86_decode.c:
        (decode_operand):

2014-02-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, ARMv7 build fix.

        * assembler/ARMv7Assembler.h:

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
        https://bugs.webkit.org/show_bug.cgi?id=124733

        Reviewed by Oliver Hunt.
        
        This also takes the opportunity to de-duplicate some branch compaction code.

        * assembler/ARM64Assembler.h:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::buffer):
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerData::AssemblerData):
        (JSC::AssemblerBuffer::AssemblerBuffer):
        (JSC::AssemblerBuffer::storage):
        (JSC::AssemblerBuffer::grow):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::executableOffsetFor):
        (JSC::LinkBuffer::applyOffset):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::link):
        * assembler/MacroAssemblerARMv7.h:

2014-02-21  Brent Fulgham  <bfulgham@apple.com>

        Extend media support for WebVTT sources
        https://bugs.webkit.org/show_bug.cgi?id=129156

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-21  Oliver Hunt  <oliver@apple.com>

        Add extra space to op_call and related opcodes
        https://bugs.webkit.org/show_bug.cgi?id=129170

        Reviewed by Mark Lam.

        No change in behaviour, just some refactoring to add an extra
        slot to the op_call instructions, and refactoring to make similar
        changes easier in future.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-02-21  Mark Lam  <mark.lam@apple.com>

        gatherFromOtherThread() needs to align the sp before gathering roots.
        <https://webkit.org/b/129169>

        Reviewed by Geoffrey Garen.

        The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
        gatherFromOtherThread() defines the range of the other thread's stack as
        being bounded by the other thread's stack pointer and stack base. While
        the stack base will always be aligned to sizeof(void*), the stack pointer
        may not be. This is because the other thread may have just pushed a 32-bit
        value on its stack before we suspended it for scanning.

        The fix is to round the stack pointer up to the next aligned address of
        sizeof(void*) and start scanning from there. On 64-bit systems, we will
        effectively ignore the 32-bit word at the bottom of the stack (top of the
        stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
        64-bit pointers should always be stored on 64-bit aligned boundaries (our
        conservative scan algorithm already depends on this assumption).

        On 32-bit systems, the rounding is effectively a no-op.

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddSpan):
        - Hardened some assertions so that we can catch misalignment issues on
          release builds as well.
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::gatherFromOtherThread):
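
The rounding step described in this entry, as an added illustration that is not JavaScriptCore's own MachineStackMarker code: the suspended thread's stack pointer is rounded up to the next sizeof(void*) boundary before the conservative scan starts, so a trailing 32-bit push never produces a misaligned word read and no pointer-sized root is skipped. The heap bounds, the four-word fake stack and its contents are constructed for the demo.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Round a raw stack pointer up to the next sizeof(void*) boundary. On a 64-bit
// target a 32-bit push can leave sp only 4-byte aligned; the bytes skipped by
// rounding cannot hold a pointer-sized value, so no root is lost.
static uintptr_t alignedScanStart(uintptr_t stackPointer)
{
    const uintptr_t mask = sizeof(void*) - 1;
    return (stackPointer + mask) & ~mask;
}

// Conservative scan of [stackPointer, stackBase): every aligned word is treated
// as a candidate pointer and kept if it falls inside the (constructed) heap
// range [heapLo, heapHi). stackBase is assumed to be aligned, as the entry says.
static std::vector<uintptr_t> conservativeScan(uintptr_t stackPointer, uintptr_t stackBase,
                                               uintptr_t heapLo, uintptr_t heapHi)
{
    std::vector<uintptr_t> roots;
    for (uintptr_t cursor = alignedScanStart(stackPointer);
         cursor + sizeof(void*) <= stackBase; cursor += sizeof(void*)) {
        uintptr_t word;
        std::memcpy(&word, reinterpret_cast<const void*>(cursor), sizeof(word)); // aligned read
        if (word >= heapLo && word < heapHi)
            roots.push_back(word);
    }
    return roots;
}

// Constructed scenario: a four-word fake stack (grows down, base at the top)
// whose stack pointer sits 4 bytes into the lowest word, as if a 32-bit value
// had just been pushed. On a 64-bit target a naive word read from the raw sp
// would straddle words 0 and 1; the aligned scan starts at word 1 and finds
// the three candidate pointers stored there.
static std::size_t rootsFoundOnFakeStack()
{
    const uintptr_t heapLo = 0x5000, heapHi = 0x6000; // constructed heap bounds
    alignas(void*) static uintptr_t fakeStack[4];
    fakeStack[0] = 0x5008; // below the aligned start: skipped
    fakeStack[1] = 0x5010;
    fakeStack[2] = 0x5020;
    fakeStack[3] = 0x5030;
    uintptr_t stackBase = reinterpret_cast<uintptr_t>(fakeStack + 4);
    uintptr_t rawSp = reinterpret_cast<uintptr_t>(fakeStack) + 4; // misaligned on 64-bit
    return conservativeScan(rawSp, stackBase, heapLo, heapHi).size();
}
```

The scan reads through memcpy so that even a deliberately misaligned cursor would not fault; the entry's hardened assertions in genericAddSpan play the opposite role, making a misaligned span fail loudly on release builds instead of being scanned.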

2014-02-21  Matthew Mirman  <mmirman@apple.com>

        Added a GetMyArgumentsLengthSafe and added a speculation check.
        https://bugs.webkit.org/show_bug.cgi?id=129051

        Reviewed by Filip Pizlo.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):

2014-02-21  peavo@outlook.com  <peavo@outlook.com>

        [Win][LLINT] Many JSC stress test failures.
        https://bugs.webkit.org/show_bug.cgi?id=129155

        Reviewed by Michael Saboff.

        Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
        Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
        E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).

        * offlineasm/x86.rb: Swap operand order on Windows.

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        DFG write barriers should do more speculations
        https://bugs.webkit.org/show_bug.cgi?id=129160

        Reviewed by Mark Hahnenberg.
        
        Replace ConditionalStoreBarrier with the cheapest speculation that you could do
        instead.
        
        Minuscule speed-up on some things. It's a decent difference in code size, though.

        * bytecode/SpeculatedType.cpp:
        (JSC::speculationToAbbreviatedString):
        * bytecode/SpeculatedType.h:
        (JSC::isNotCellSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        (JSC::DFG::FixupPhase::insertPhantomCheck):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateOther):
        (JSC::DFG::Node::shouldSpeculateNotCell):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Revert r164486, causing a number of test failures.

        Unreviewed rollout.

2014-02-21  Filip Pizlo  <fpizlo@apple.com>

        Revive SABI (aka shouldAlwaysBeInlined)
        https://bugs.webkit.org/show_bug.cgi?id=129159

        Reviewed by Mark Hahnenberg.
        
        This is a small Octane speed-up.

        * jit/Repatch.cpp:
        (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.

2014-02-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: JSContext inspection should report exceptions in the console
        https://bugs.webkit.org/show_bug.cgi?id=128776

        Reviewed by Timothy Hatcher.

        When JavaScript API functions have an exception, let the inspector
        know so it can log the JavaScript and Native backtrace that caused
        the exception.

        Include some clean up of ConsoleMessage and ScriptCallStack construction.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeError):
        (JSObjectMakeRegExp):
        (JSObjectGetProperty):
        (JSObjectSetProperty):
        (JSObjectGetPropertyAtIndex):
        (JSObjectSetPropertyAtIndex):
        (JSObjectDeleteProperty):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * API/JSValue.mm:
        (reportExceptionToInspector):
        (valueToArray):
        (valueToDictionary):
        * API/JSValueRef.cpp:
        (JSValueIsEqual):
        (JSValueIsInstanceOfConstructor):
        (JSValueCreateJSONString):
        (JSValueToNumber):
        (JSValueToStringCopy):
        (JSValueToObject):
        When seeing an exception, let the inspector know there was an exception.

        * inspector/JSGlobalObjectInspectorController.h:
        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
        (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):
        Log API exceptions by also grabbing the native backtrace.

        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::firstNonNativeCallFrame):
        (Inspector::ScriptCallStack::append):
        Minor extensions to ScriptCallStack to make it easier to work with.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        Provide better default information if the first call frame was native.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::extractSourceInformationFromException):
        (Inspector::createScriptCallStackFromException):
        Perform the handling here of inserting a fake call frame for exceptions
        if there was no call stack (e.g. a SyntaxError) or if the first call
        frame had no information.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::ConsoleMessage):
        (Inspector::ConsoleMessage::autogenerateMetadata):
        * inspector/ConsoleMessage.h:
        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):
        * inspector/ScriptCallStackFactory.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::enable):
        (Inspector::InspectorConsoleAgent::addMessageToConsole):
        (Inspector::InspectorConsoleAgent::count):
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
        ConsoleMessage cleanup.

2014-02-20  Anders Carlsson  <andersca@apple.com>

        Modernize JSGlobalLock and JSLockHolder
        https://bugs.webkit.org/show_bug.cgi?id=129105

        Reviewed by Michael Saboff.

        Use std::mutex and std::thread::id where possible.

        * runtime/JSLock.cpp:
        (JSC::GlobalJSLock::GlobalJSLock):
        (JSC::GlobalJSLock::~GlobalJSLock):
        (JSC::GlobalJSLock::initialize):
        (JSC::JSLock::JSLock):
        (JSC::JSLock::lock):
        (JSC::JSLock::unlock):
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/JSLock.h:

2014-02-20  Mark Lam  <mark.lam@apple.com>

        virtualForWithFunction() should not throw an exception with a partially initialized frame.
        <https://webkit.org/b/129134>

        Reviewed by Michael Saboff.

        Currently, when JITOperations.cpp's virtualForWithFunction() fails to
        prepare the callee function for execution, it proceeds to throw the
        exception using the callee frame which is only partially initialized
        thus far. Instead, it should be throwing the exception using the caller
        frame because:
        1. the error happened "in" the caller while preparing the callee for
           execution i.e. the caller frame is the top fully initialized frame
           on the stack.
        2. the callee frame is not fully initialized yet, and the unwind
           mechanism cannot depend on the data in it.

        * jit/JITOperations.cpp:

2014-02-20  Mark Lam  <mark.lam@apple.com>

        DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
        <https://webkit.org/b/129131>

        Reviewed by Mark Hahnenberg.

        Currently, DefaultGCActivityCallback::doWork() does not check if the GC
        needs to be deferred before commencing. As a result, the GC may crash
        and/or corrupt data because the VM is not in the consistent state needed
        for the GC to run. With this fix, doWork() now checks if the GC is
        supposed to be deferred and re-schedules if needed. It only commences
        with GC'ing when it's safe to do so.

        * runtime/GCActivityCallback.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2014-02-20  Geoffrey Garen  <ggaren@apple.com>

        Math.imul gives wrong results
        https://bugs.webkit.org/show_bug.cgi?id=126345

        Reviewed by Mark Hahnenberg.

        Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
        Instead, take a slow path that will do the right thing.

        * jit/ThunkGenerators.cpp:
        (JSC::imulThunkGenerator):
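
The ToInt32 conversion this entry refers to, as an added illustration that is not the imul thunk itself: each Math.imul operand is truncated toward zero, reduced modulo 2^32 and reinterpreted as a signed 32-bit integer (NaN and the infinities become 0). imulWithBrokenFastPath is a hypothetical reconstruction of the behaviour the entry calls wrong, where a non-integer double is treated as 0 instead of being truncated.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// ES ToInt32: non-finite -> 0; otherwise truncate toward zero, reduce
// modulo 2^32 into [0, 2^32), then reinterpret as signed 32-bit.
static int32_t toInt32(double value)
{
    if (!std::isfinite(value))
        return 0;
    const double two32 = 4294967296.0;
    double truncated = std::trunc(value);
    double modulo = std::fmod(truncated, two32);
    if (modulo < 0)
        modulo += two32;
    return static_cast<int32_t>(static_cast<uint32_t>(modulo));
}

// Math.imul: wrapping 32-bit multiply of the ToInt32-converted operands.
static int32_t imul(double a, double b)
{
    uint32_t ua = static_cast<uint32_t>(toInt32(a));
    uint32_t ub = static_cast<uint32_t>(toInt32(b));
    return static_cast<int32_t>(ua * ub);
}

// Hypothetical reconstruction of the wrong fast path: an operand that is not
// already an in-range integer is mapped to 0 rather than truncated, so
// Math.imul(2.5, 3) comes out as 0 instead of 6.
static int32_t imulWithBrokenFastPath(double a, double b)
{
    auto brokenToInt32 = [](double v) -> int32_t {
        if (std::isfinite(v) && v == std::trunc(v)
            && v >= std::numeric_limits<int32_t>::min()
            && v <= std::numeric_limits<int32_t>::max())
            return static_cast<int32_t>(v);
        return 0; // non-integer doubles truncated to 0: the bug
    };
    uint32_t ua = static_cast<uint32_t>(brokenToInt32(a));
    uint32_t ub = static_cast<uint32_t>(brokenToInt32(b));
    return static_cast<int32_t>(ua * ub);
}
```

The fix the entry describes is to leave the integer fast path in place and fall back to a slow path for anything else, so that the slow path applies the full conversion above rather than substituting 0.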

2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
        https://bugs.webkit.org/show_bug.cgi?id=129129

        Reviewed by Geoffrey Garen.
        
        We estimate execution counts based on loop depth, and then use those to estimate branch
        weights. These weights then get carried all the way down to LLVM prof branch_weights
        meta-data.
        
        This is better than letting LLVM do its own static estimates, since by the time we
        generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
        course, it would be even better if we just slurped in some kind of execution counts
        from profiling, but we don't do that, yet.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::insert):
        (JSC::DFG::BlockInsertionSet::insertBefore):
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoops::loopDepth):
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
        (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
        (JSC::DFG::performStaticExecutionCountEstimation):
        * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.

2014-02-20  Filip Pizlo  <fpizlo@apple.com>

        FTL may not see a compact_unwind section if there weren't any stackmaps
        https://bugs.webkit.org/show_bug.cgi?id=129125

        Reviewed by Geoffrey Garen.
        
        It's OK to not have an unwind section, so long as the function also doesn't have any
        OSR exits.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        (JSC::FTL::compile):
        * ftl/FTLUnwindInfo.cpp:
        (JSC::FTL::UnwindInfo::parse):
        * ftl/FTLUnwindInfo.h:

== Rolled over to ChangeLog-2014-02-20 ==
