Fast path for jsStringWithCache() when asked for the same string repeatedly.

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2014-07-04  Andreas Kling  <akling@apple.com>

        Fast path for jsStringWithCache() when asked for the same string repeatedly.
        <https://webkit.org/b/134635>

        Also moved the whole thing from WebCore to JavaScriptCore since it
        makes more sense here, and inline the lightweight checks, leaving only
        the hashmap stuff out of line.

        Reviewed by Darin Adler.

        * runtime/JSString.cpp:
        (JSC::jsStringWithCacheSlowCase):
        * runtime/JSString.h:
        (JSC::jsStringWithCache):
        * runtime/VM.h:

2014-07-03  Daniel Bates  <dabates@apple.com>

        Add WTF::move()
        https://bugs.webkit.org/show_bug.cgi?id=134500

        Rubber-stamped by Anders Carlsson.

        Substitute WTF::move() for std::move().

        * bytecode/CodeBlock.h:
        * bytecode/UnlinkedCodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        * dfg/DFGGraph.cpp:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGStackLayoutPhase.cpp:
        * dfg/DFGWorklist.cpp:
        * heap/DelayedReleaseScope.h:
        * heap/HeapInlines.h:
        [...]

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        SSA DCE should process blocks in forward order
        https://bugs.webkit.org/show_bug.cgi?id=134611

        Reviewed by Andreas Kling.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
        (foo):

2014-07-03  Filip Pizlo  <fpizlo@apple.com>

        JSActivation::symbolTablePut() should invalidate variable watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=134602

        Reviewed by Oliver Hunt.
        
        Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
        during linking - we essentially assume that if it's at all possible for an inner function to store to a
        variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
        JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
        JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
        duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::symbolTablePut):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
        (.):

2014-07-01  Mark Lam  <mark.lam@apple.com>

        Debugger's breakpoint list should not be a Vector.
        <https://webkit.org/b/134514>

        Reviewed by Geoffrey Garen.

        The debugger currently stores breakpoint data as entries in a Vector (see
        BreakpointsInLine).  It also keeps a fast map look up of breakpoint IDs to
        the breakpoint data (see m_breakpointIDToBreakpoint).  Because a Vector can
        compact or reallocate its backing store, this can causes all sorts of havoc.
        The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
        move in memory.

        The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
        doubly linked list.

        * debugger/Breakpoint.h:
        (JSC::Breakpoint::Breakpoint):
        (JSC::BreakpointsList::~BreakpointsList):
        * debugger/Debugger.cpp:
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        * debugger/Debugger.h:

2014-06-30  Michael Saboff  <msaboff@apple.com>

        Add option to run-jsc-stress-testes to filter out tests that use large heaps
        https://bugs.webkit.org/show_bug.cgi?id=134458

        Reviewed by Filip Pizlo.

        Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.

        * tests/mozilla/mozilla-tests.yaml:

2014-06-30  Daniel Bates  <dabates@apple.com>

        Avoid copying closed variables vector; actually use move semantics

        Rubber-stamped by Oliver Hunt.

        Currently we always copy the closed variables vector passed by Parser::closedVariables()
        to ProgramNode::setClosedVariables() because these member functions return and take a const
        rvalue reference, respectively. Instead, these member functions should take an return a non-
        constant rvalue reference so that we actually move the closed variables vector from the Parser
        object to the Node object.

        * parser/Nodes.cpp:
        (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
        * parser/Nodes.h:
        (JSC::ScopeNode::setClosedVariables): Ditto.
        * parser/Parser.h:
        (JSC::Parser::closedVariables): Remove const qualifier on return type.
        (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
        because Parser::closedVariables() returns an rvalue reference.

2014-06-30  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
        https://bugs.webkit.org/show_bug.cgi?id=134371

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h:
        * API/JSContext.mm:
        (-[JSContext _debuggerRunLoop]):
        (-[JSContext _setDebuggerRunLoop:]):
        Private API for setting the CFRunLoop for a debugger to evaluate in.
        
        * API/JSContextRefInternal.h: Added.
        * API/JSContextRef.cpp:
        (JSGlobalContextGetDebuggerRunLoop):
        (JSGlobalContextSetDebuggerRunLoop):
        Internal API for setting a CFRunLoop on a JSContextRef.
        Set this on the debuggable.
        
        * inspector/remote/RemoteInspectorDebuggable.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        Moved into the header.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inspectorDebuggable):
        Lets store the RunLoop on the debuggable instead of this core
        platform agnostic class, so expose the debuggable.

        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorHandleRunSourceGlobal):
        (Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
        (Inspector::RemoteInspectorInitializeGlobalQueue):
        Rename the global functions for clarity.

        (Inspector::RemoteInspectorHandleRunSourceWithInfo):
        Handler for private run loops.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
        (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
        Setup and teardown and use private run loop sources if the debuggable needs it.

2014-06-30  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Add missing ENABLE(DFG_JIT) guards
        https://bugs.webkit.org/show_bug.cgi?id=134444

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        * dfg/DFGFunctionWhitelist.h:

2014-06-29  Yoav Weiss  <yoav@yoav.ws>

        Add support for HTMLImageElement's sizes attribute
        https://bugs.webkit.org/show_bug.cgi?id=133620

        Reviewed by Dean Jackson.

        Added an ENABLE_PICTURE_SIZES compile flag.

        * Configurations/FeatureDefines.xcconfig:

2014-06-27  Filip Pizlo  <fpizlo@apple.com>

        Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
        https://bugs.webkit.org/show_bug.cgi?id=134412

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):
        * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
        (foo):
        (bar):
        (baz):

2014-06-27  Peyton Randolph  <prandolph@apple.com>

         Add feature flag for link long-press gesture.                                                                   
         https://bugs.webkit.org/show_bug.cgi?id=134262                                                                  
                                                                                                                         
         Reviewed by Enrica Casucci.                                                                                     
                                                                                                                         
         * Configurations/FeatureDefines.xcconfig:                                                                       
         Add ENABLE_LINK_LONG_PRESS. 

2014-06-27  László Langó  <llango.u-szeged@partner.samsung.com>

        [JavaScriptCore] FTL buildfix for EFL platform.
        https://bugs.webkit.org/show_bug.cgi?id=133546

        Reviewed by Darin Adler.

        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::opposite):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Constant::dump):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):

2014-06-26  Benjamin Poulain  <benjamin@webkit.org>

        iOS 8 beta 2 ES6 'Set' clear() broken
        https://bugs.webkit.org/show_bug.cgi?id=134346

        Reviewed by Oliver Hunt.

        The object map was not cleared :(.

        Kudos to Ashley Gullen for tracking this and making a regression test.
        Credit to Oliver for finding the missing code.

        * runtime/MapData.h:
        (JSC::MapData::clear):

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Expose Cache Information to WinLauncher
        https://bugs.webkit.org/show_bug.cgi?id=134318

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
        MemoryStatistics files to the WIndows build.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-06-26  David Kilzer  <ddkilzer@apple.com>

        DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
        <http://webkit.org/b/134343>
        <rdar://problem/17459487>

        Reviewed by Michael Saboff.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        Close the file handle, and log an error on failure.

2014-06-25  Dana Burkart  <dburkart@apple.com>

        Add support for 5-tuple versioning.

        Reviewed by David Farler.

        * Configurations/Version.xcconfig:

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Build fix.

        Unreviewed.

        * runtime/JSDateMath.cpp:
        (JSC::parseDateFromNullTerminatedCharacters):
        * runtime/VM.cpp:
        (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
        constant since that constant doesn't exist anymore.

2014-06-25  Geoffrey Garen  <ggaren@apple.com>

        Unreviewed, rolling out r166876.

        Caused some ECMA test262 failures

        Reverted changeset:

        "Date object needs to check for ES5 15.9.1.14 TimeClip limit."
        https://bugs.webkit.org/show_bug.cgi?id=131248
        http://trac.webkit.org/changeset/166876

2014-06-25  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
        put various files in proper IDE categories.

2014-06-25  peavo@outlook.com  <peavo@outlook.com>

        [Win64] ASM LLINT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=130638

        This patch adds a new LLINT assembler backend for Win64, and implements it.
        It makes adjustments to follow the Win64 ABI spec. where it's found to be needed.
        Also, LLINT and JIT is enabled for Win64.

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
        * assembler/MacroAssemblerX86_64.h: 
        (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
        * jit/JITStubsMSVC64.asm: Added.
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub): Compile fix.
        * jit/ThunkGenerators.cpp:
        (JSC::nativeForGenerator): Follow Win64 ABI spec.
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions): Ditto.
        * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
        * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
        * llint/LowLevelInterpreter64.asm: Ditto.
        * offlineasm/asm.rb: Compile fix.
        * offlineasm/backends.rb: Add new llint backend for Win64.
        * offlineasm/settings.rb: Compile fix.
        * offlineasm/x86.rb: Implement new llint Win64 backend.

2014-06-25  Laszlo Gombos  <l.gombos@samsung.com>

        Remove build guard for progress element
        https://bugs.webkit.org/show_bug.cgi?id=134292

        Reviewed by Benjamin Poulain.

        * Configurations/FeatureDefines.xcconfig:

2014-06-24  Michael Saboff  <msaboff@apple.com>

        Add support routines to provide descriptive JavaScript backtraces
        https://bugs.webkit.org/show_bug.cgi?id=134278

        Reviewed by Mark Lam.

        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::dump):
        (JSC::CallFrame::describeFrame):
        * interpreter/CallFrame.h:
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpForBacktrace):
        * runtime/JSCJSValue.h:

2014-06-24  Brady Eidson  <beidson@apple.com>

        Enable GAMEPAD in the Mac build, but disabled at runtime.
        https://bugs.webkit.org/show_bug.cgi?id=134255

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
          functions at runtime.

2014-06-24  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
        https://bugs.webkit.org/show_bug.cgi?id=134046

        Reviewed by Filip Pizlo.

        * runtime/GetterSetter.h:
        (JSC::asGetterSetter):
        * runtime/JSObject.cpp:
        (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
        a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
        and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.

2014-06-24  Brent Fulgham  <bfulgham@apple.com>

        [Win] MSVC mishandles enums in bitfields
        https://bugs.webkit.org/show_bug.cgi?id=134237

        Reviewed by Michael Saboff.

        Replace uses of enum types in bit fields with unsigned to
        avoid losing a bit to hold the sign value. This can result
        in Windows interpreting the value of the field improperly.

        * bytecode/StructureStubInfo.h:
        * parser/Nodes.h:

2014-06-23  Andreas Kling  <akling@apple.com>

        Inline the UnlinkedInstructionStream::Reader logic.
        <https://webkit.org/b/134203>

        This class is only used by CodeBlock to unpack the unlinked instructions,
        and we were spending 0.5% of total time on PLT calling Reader::next().
        Move the logic to the header file and mark it ALWAYS_INLINE.

        Reviewed by Geoffrey Garen.

        * bytecode/UnlinkedInstructionStream.cpp:
        * bytecode/UnlinkedInstructionStream.h:
        (JSC::UnlinkedInstructionStream::Reader::Reader):
        (JSC::UnlinkedInstructionStream::Reader::read8):
        (JSC::UnlinkedInstructionStream::Reader::read32):
        (JSC::UnlinkedInstructionStream::Reader::next):

2014-06-20  Sam Weinig  <sam@webkit.org>

        Remove static tables for bindings that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=134126

        Reviewed by Oliver Hunt.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectCustomAccessor):
        * runtime/Structure.h:
        (JSC::Structure::setHasCustomGetterSetterProperties):
        Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
        the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
        Without this, JSObject::put() won't think there are any setters on the prototype chain of an
        object that has no static lookup table and uses eagerly reified custom getter/setter properties.

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Move some implementation files into a "deprecated" subdirectory.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170244.
        https://bugs.webkit.org/show_bug.cgi?id=134157

        GTK/EFL bindings generator works differently, making this
        patch not work there.  Will fix entire patch after a rollout.
        (Requested by bradee-oh on #webkit).

        Reverted changeset:

        "Gamepad API - Deprecate the existing implementation"
        https://bugs.webkit.org/show_bug.cgi?id=134108
        http://trac.webkit.org/changeset/170244

2014-06-21  Brady Eidson  <beidson@apple.com>

        Gamepad API - Deprecate the existing implementation
        https://bugs.webkit.org/show_bug.cgi?id=134108

        Reviewed by Timothy Hatcher.

        -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
        -Add the "Deprecated" suffix to some implementation files

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        Removing PAGE_VISIBILITY_API compile guard.
        https://bugs.webkit.org/show_bug.cgi?id=133844

        Reviewed by Gavin Barraclough.

        * Configurations/FeatureDefines.xcconfig:

2014-06-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        ARM traditional buildfix after r169942.
        https://bugs.webkit.org/show_bug.cgi?id=134100

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-06-20  Andreas Kling  <akling@apple.com>

        [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
        <https://webkit.org/b/134112>

        Reviewed by Mark Hahnenberg.

        * heap/BlockAllocator.h:

2014-06-19  Alex Christensen  <achristensen@webkit.org>

        Unreviewed fix after r170130.

        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
        Corrected directory so it can find common.props when opening Visual Studio.

2014-06-19  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
        https://bugs.webkit.org/show_bug.cgi?id=130389

        Reviewed by Mark Lam.

        Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
        into !ENABLE(JIT) since they are mutually exclusive.

        * CMakeLists.txt:
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
        (JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
        * assembler/MaxFrameExtentForSlowPathCall.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::dumpStructure):
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::linkIncomingCall):
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFromLLInt):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFromLLInt):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * heap/Heap.cpp:
        (JSC::Heap::gatherJSStackRoots):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::isOpcode):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcodeID):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::committedByteCount):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::ensureCapacityFor):
        (JSC::JSStack::topOfFrameFor):
        (JSC::JSStack::setStackLimit):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * jit/JIT.h:
        (JSC::JIT::compileCTINativeCall):
        * jit/JITExceptions.h:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiNativeCall):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LLIntCLoop.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntData.cpp:
        (JSC::LLInt::initialize):
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntData.h:
        (JSC::LLInt::Data::performAssertions): Deleted.
        * llint/LLIntEntrypoint.cpp:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.cpp:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LLIntOpcode.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LLIntThunks.cpp:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/ErrorHandlingScope.cpp:
        (JSC::ErrorHandlingScope::ErrorHandlingScope):
        (JSC::ErrorHandlingScope::~ErrorHandlingScope):
        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::sanitizeStackForVM):
        * runtime/VM.h:
        (JSC::VM::canUseJIT): Deleted.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Add FTL to Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=134015

        Reviewed by Filip Pizlo.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        Added ftl source files.
        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
        Added ftl and llvm directories to include path.
        * JavaScriptCore.vcxproj/libllvmForJSC: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
        * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
        MSVC doesn't like to divide by zero while compiling.  Use std::nan instead.
        * llvm/InitializeLLVMWin.cpp: Added.
        (JSC::initializeLLVMImpl):
        Implemented dynamic loading and linking for Windows.

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Unreviewed build fix after r170107.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Use non-template sub for armv7s.

2014-06-18  David Kilzer  <ddkilzer@apple.com>

        -[JSContext setName:] leaks NSString
        <http://webkit.org/b/134038>

        Reviewed by Joseph Pecoraro.

        Fixes the following static analyzer warning:

            JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
                JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
                                                                                    ^

        * API/JSContext.mm:
        (-[JSContext setName:]): Autorelease the copy of |name|.

2014-06-18  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, size
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-18  Alex Christensen  <achristensen@webkit.org>

        Remove duplicate code using sdiv.
        https://bugs.webkit.org/show_bug.cgi?id=133764

        Reviewed by Daniel Bates.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::sdiv):
        Make sdiv a template to match arm64.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        Remove duplicate code that was identical except for sdiv not being a template.

2014-06-17  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r170082.
        https://bugs.webkit.org/show_bug.cgi?id=134006

        Breaks build. (Requested by mlam on #webkit).

        Reverted changeset:

        "DFGGraph::m_doubleConstantMap will not map 0 values
        correctly."
        https://bugs.webkit.org/show_bug.cgi?id=133994
        http://trac.webkit.org/changeset/170082

2014-06-17  Mark Lam  <mark.lam@apple.com>

        DFGGraph::m_doubleConstantMap will not map 0 values correctly.
        <https://webkit.org/b/133994>

        Reviewed by Geoffrey Garen.

        DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
        because it means two unfortunate things:
        - It will probably break for zero.
        - It will think that -0 is the same as +0 under some circumstances, size
          -0==+0 even though they are distinct values (for example 1/-0 != 1/+0).

        The fix is to use std::unordered_map which does not require special empty
        and deleted values, and to use the raw bits instead of the double value as
        the key.

        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):

2014-06-17  Oliver Hunt  <oliver@apple.com>

        Fix error messages for incorrect hex literals
        https://bugs.webkit.org/show_bug.cgi?id=133998

        Reviewed by Mark Lam.

        Ensure that the error messages for bogus hex literals actually
        make sense.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):
        * parser/ParserTokens.h:

2014-06-17  Matthew Mirman  <mmirman@apple.com>

        Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses. 
        https://bugs.webkit.org/show_bug.cgi?id=133814

        Reviewed by Filip Pizlo.
        
        Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell 
        script from using "*.o" as a file when no other files in the directory exist. 
        
        * build-symbol-table-index.sh: Added license.
        * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.

2014-06-16  Sam Weinig  <sam@webkit.org>

        Move forward declaration of bindings static functions into their implementation files
        https://bugs.webkit.org/show_bug.cgi?id=133943

        Reviewed by Geoffrey Garen.

        * runtime/CommonIdentifiers.h:
        Add a few identifiers that are needed by the DOM.

2014-06-16  Mark Lam  <mark.lam@apple.com>

        Parser statementDepth accounting needs to account for when a function body excludes its braces.
        <https://webkit.org/b/133832>

        Reviewed by Oliver Hunt.

        In some cases (e.g. when a Function object is instantiated from a string), the
        function body source may not include its braces.  The parser needs to account
        for this when calculating its statementDepth.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        * bytecode/UnlinkedCodeBlock.h:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseStatement):
        - Also fixed the error message for declaring nested functions in strict mode
          to be more accurate.
        * parser/Parser.h:
        (JSC::Parser<LexerType>::parse):
        (JSC::parse):
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Change the order of the alias analysis passes to align with the opt pipeline of LLVM
        https://bugs.webkit.org/show_bug.cgi?id=133753

        Reviewed by Geoffrey Garen.

        The order in which the alias analysis passes are added affects also the
        order in which they are utilized. Change the order to align with the
        one use by LLVM itself. The last alias analysis pass added will be
        evaluated first. With this change we first perform a basic alias
        analysis and then use the type-based alias analysis (if required).

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2014-06-16  Juergen Ributzka  <juergen@apple.com>

        Fix the arguments passed to the LLVM dylib
        https://bugs.webkit.org/show_bug.cgi?id=133757

        Reviewed by Geoffrey Garen.

        The LLVM command line argument parser assumes that the first argument
        is the program name. We need to add a fake program name, otherwise the
        first argument will be parsed as program name and ignored.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-06-16  Michael Saboff  <msaboff@apple.com>

        Convert ASSERT in inlineFunctionForCapabilityLevel to early return
        https://bugs.webkit.org/show_bug.cgi?id=133903

        Reviewed by Mark Hahnenberg.

        Hardened code by Converting ASSERT to return CannotCompile.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::inlineFunctionForCapabilityLevel):

2014-06-13  Sam Weinig  <sam@webkit.org>

        Store DOM constants directly in the JS object rather than jumping through a custom accessor
        https://bugs.webkit.org/show_bug.cgi?id=133898

        Reviewed by Oliver Hunt.

        * runtime/Lookup.h:
        (JSC::HashTableValue::attributes):
        Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
        and will make adding more flags possibles.

        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        Change assertion to use BuiltinOrFunctionOrConstant.

        (JSC::HashTableValue::constantInteger):
        Added.

        (JSC::getStaticPropertySlot):
        (JSC::getStaticValueSlot):
        Use PropertySlot::setValue() for constants during static lookup.

        (JSC::reifyStaticProperties):
        Put the constant directly on the object when eagerly reifying.

        * runtime/PropertySlot.h:
        Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.

2014-06-14  Michael Saboff  <msaboff@apple.com>

        operationCreateArguments could cause a GC during OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=133905

        Reviewed by Filip Pizlo.

        Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
        for use by OSR exit stubs.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-06-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
        https://bugs.webkit.org/show_bug.cgi?id=133880

        Reviewed by Filip Pizlo.

        We could have exited due to a value received from an inlined block that's no longer on 
        the stack, so we should just barrier all InlineCallFrames.

        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::adjustAndJumpToTarget):

2014-06-13  Alex Christensen  <achristensen@webkit.org>

        Make css jit compile for armv7.
        https://bugs.webkit.org/show_bug.cgi?id=133596

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssembler.h:
        Use branchPtr on ARM_THUMB2.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::addPtrNoFlags):
        (JSC::MacroAssemblerARMv7::or32):
        (JSC::MacroAssemblerARMv7::test32):
        (JSC::MacroAssemblerARMv7::branch):
        (JSC::MacroAssemblerARMv7::branchPtr):
        Added macros necessary for css jit.

2014-06-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix ARMv7.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):

2014-06-12  Filip Pizlo  <fpizlo@apple.com>

        Even better diagnostics from DFG traps
        https://bugs.webkit.org/show_bug.cgi?id=133836

        Reviewed by Oliver Hunt.
        
        We now stuff the DFG::NodeType into a register before bailing. Also made the
        DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
        different numbers than any previous abort reasons.

        * assembler/AbortReason.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:

2014-06-12  Simon Fraser  <simon.fraser@apple.com>

        Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
        https://bugs.webkit.org/show_bug.cgi?id=133840

        Reviewed by Filip Pizlo.
        
        Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
        when running DFG tests.

        * API/JSCTestRunnerUtils.cpp:
        (JSC::numberOfDFGCompiles):
        (JSC::setNeverInline):

2014-06-12  Brent Fulgham  <bfulgham@apple.com>

        [Win] Avoid fork bomb during build
        https://bugs.webkit.org/show_bug.cgi?id=133837
        <rdar://problem/17296034>

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/build-generated-files.sh: Use a
        reasonable default value when the 'num-cpus' script is not available.

2014-06-12  Mark Lam  <mark.lam@apple.com>

        Remove some dead / unused code.
        <https://webkit.org/b/133828>

        Reviewed by Filip Pizlo.

        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::createBuiltinExecutable):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::makeFunction):
        * parser/Parser.h:
        (JSC::DepthManager::DepthManager): Deleted.
        (JSC::DepthManager::~DepthManager): Deleted.
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):

2014-06-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move structureHasRareData out of TypeInfo
        https://bugs.webkit.org/show_bug.cgi?id=133800

        Reviewed by Andreas Kling.

        StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, 
        but we have a few spare bits in Structure so it would be nice to remove this hack.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
        (JSC::TypeInfo::structureHasRareData): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::allocateRareData):
        (JSC::Structure::cloneRareDataFrom):
        * runtime/Structure.h:
        (JSC::Structure::previousID):
        (JSC::Structure::objectToStringValue):
        (JSC::Structure::setObjectToStringValue):
        (JSC::Structure::setPreviousID):
        (JSC::Structure::clearPreviousID):
        (JSC::Structure::previous):
        (JSC::Structure::rareData):
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::enumerationCache):

2014-06-12  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow enum guards to be generated from the replay json files
        https://bugs.webkit.org/show_bug.cgi?id=133399

        Reviewed by Csaba Osztrogonác.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Type.__init__):
        (InputsModel.parse_type_with_framework_name):
        (Generator.generate_header):
        (Generator.generate_implementation):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
        (Test::HandleWheelEvent::HandleWheelEvent):
        (Test::HandleWheelEvent::~HandleWheelEvent):
        (JSC::InputTraits<Test::HandleWheelEvent>::type):
        (JSC::InputTraits<Test::HandleWheelEvent>::encode):
        (JSC::InputTraits<Test::HandleWheelEvent>::decode):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
        (JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
        (JSC::InputTraits<Test::HandleWheelEvent>::queue):
        (Test::HandleWheelEvent::platformEvent):
        * replay/scripts/tests/generate-enum-with-guard.json: Added.

2014-06-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix GTK+ build after r169823.

        Include StructureInlines.h in a few more files to fix linking
        issues due to JSC::Structure::get undefined symbol.

        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/WeakMapPrototype.cpp:

2014-06-12  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] One more URTBF after r169823 to make ARM64 build happy too.

        * runtime/JSMap.cpp:

2014-06-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching should try to flatten uncacheable dictionaries
        https://bugs.webkit.org/show_bug.cgi?id=133683

        Reviewed by Geoffrey Garen.

        There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), 
        which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. 
        If properties are deleted out of the object during its initialization, we can enable caching for that object by 
        attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we 
        performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary 
        state then we can just give up on caching that object.

        In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
        the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
        the other inline caching functions to return this enum rather than the opaque booleans that we were previously 
        returning.

        * jit/Repatch.cpp:
        (JSC::actionForCell):
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::buildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::buildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::repatchIn):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::flattenDictionaryStructure):
        * runtime/Structure.h:
        (JSC::Structure::hasBeenFlattenedBefore):

2014-06-11  Csaba Osztrogonác  <ossy@webkit.org>

        [EFL] URTBF after r169823.

        * bindings/ScriptValue.cpp: Missing include added.

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.

        Rubber-stamped by Andreas Kling.

        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Turning on DUMP_PROPERTYMAP_STATS causes a build failure
        https://bugs.webkit.org/show_bug.cgi?id=133673

        Reviewed by Andreas Kling.

        Rewrote the property map statistics code because the old code wasn't building,
        and it was also mixing numbers for lookups and insertions/removals.

        New logging code records the number of calls to PropertyTable::find (finds) and
        PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
        the number of probing during updates and lookups.

        * jsc.cpp:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        (JSC::PropertyTable::add):
        (JSC::PropertyTable::remove):
        (JSC::PropertyTable::reinsert):
        (JSC::PropertyTable::rehash):
        * runtime/Structure.cpp:
        (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
        (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):

2014-06-11  Andreas Kling  <akling@apple.com>

        Always inline JSValue::get() and Structure::get().
        <https://webkit.org/b/133755>

        Reviewed by Ryosuke Niwa.

        These functions get really hot, so ask the compiler to be more
        aggressive about inlining them.

        ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
        through GetByVal.

        * runtime/JSArrayIterator.cpp:
        * runtime/JSCJSValue.cpp:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::get):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Rubber-stamped by Andreas Kling.

        Make materializePropertyMapIfNecessary always inline.

        This is ~12% improvement on the microbenchmark attached in the bug.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):

2014-06-11  Ryosuke Niwa  <rniwa@webkit.org>

        Structure::get should instantiate DeferGC only when materializing property map
        https://bugs.webkit.org/show_bug.cgi?id=133727

        Reviewed by Geoffrey Garen.

        DeferGC instances in Structure::get was added in http://trac.webkit.org/r157539 in order to avoid
        collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
        when GCSafeConcurrentJITLocker goes out of scope.

        However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
        in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
        and running a release assertion inside Heap::incrementDeferralDepth() is expensive.

        Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
        and immediately storing a pointer to the newly created property table in the stack before DeferGC
        goes out of scope so that the property table will be marked.

        This shows 13-16% improvement on the microbenchmark attached in the bug.

        * runtime/JSCJSValue.cpp:
        * runtime/JSObject.h:
        (JSC::JSObject::fastGetOwnPropertySlot):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-06-11  Andreas Kling  <akling@apple.com>

        Some JSValue::get() micro-optimzations.
        <https://webkit.org/b/133739>

        Tighten some of the property lookup code to improve performance of the
        eagerly reified prototype attributes:

        - Instead of converting the property name to an integer at every step
          in the prototype chain, move that to a separate pass at the end
          since it should be a rare case.

        - Cache the StructureIDTable in a local instead of fetching it from
          the Heap on every step.

        - Make fillCustomGetterPropertySlot inline. It was out-of-lined based
          on the assumption that clients would mostly be cacheable GetByIds,
          and it gets pretty hot (~1%) in GetByVal.

        - Pass the Structure directly to fillCustomGetterPropertySlot instead
          of refetching it from the StructureIDTable.

        Reviewed by Geoff Garen.

        * runtime/JSObject.cpp:
        (JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlot):
        (JSC::JSObject::fastGetOwnPropertySlot):
        (JSC::JSObject::getPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.

2014-06-10  Sam Weinig  <sam@webkit.org>

        Don't create a HashTable for JSObjects that use eager reification
        https://bugs.webkit.org/show_bug.cgi?id=133705

        Reviewed by Geoffrey Garen.

        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        Add a version of reifyStaticProperties that takes an array of HashTableValues
        rather than a HashTable.

2014-06-10  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
        https://bugs.webkit.org/show_bug.cgi?id=133698

        Reviewed by Geoffrey Garen and Mark Hahnenberg.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
        * dfg/DFGVariableAccessData.cpp:
        (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
        (JSC::DFG::VariableAccessData::flushFormat):
        * dfg/DFGVariableAccessData.h:
        * tests/stress/int52-inlined-call-argument.js: Added.
        (foo):
        (bar):

2014-06-10  Mark Lam  <mark.lam@apple.com>

        Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
        <https://webkit.org/b/133356>

        Reviewed by Mark Hahnenberg.

        The root cause of this issue is that a nonPropertyTransition can transition
        a pinned dictionary structure to an unpinned dictionary structure.  The new
        structure will get a copy of the property table from the original structure.
        However, when a GC occurs, the property table in the new structure will be
        cleared because it is unpinned.  This leads to complications in subsequent
        derivative structures when flattening occurs, which eventually leads to the
        assertion failure in this bug.

        The fix is to ensure that the new dictionary structure generated by the
        nonPropertyTransition will have a copy of its predecessor's property table
        and is pinned.

        * runtime/Structure.cpp:
        (JSC::Structure::nonPropertyTransition):

2014-06-10  Michael Saboff  <msaboff@apple.com>

        In a certain app state, Array.prototype.filter() returns incorrect results
        https://bugs.webkit.org/show_bug.cgi?id=133577

        Reviewed by Oliver Hunt.

        Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Global HashTables contain references to atomic StringImpls
        https://bugs.webkit.org/show_bug.cgi?id=133661

        Reviewed by Geoffrey Garen.

        This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables 
        cache their set of keys as StringImpls that are associated with a particular VM.  This is obviously 
        incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to 
        change the "keys" field of the static HashTables to be char** instead of StringImpl**.

        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::HashTable::deleteTable):
        * runtime/Lookup.h:
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::entry):

2014-06-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix after r169703

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-06-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Eagerly reify DOM prototype attributes
        https://bugs.webkit.org/show_bug.cgi?id=133558

        Reviewed by Oliver Hunt.

        This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype. 
        By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override 
        getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on 
        DOM wrappers.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * runtime/BatchedTransitionOptimizer.h:
        (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
        * runtime/CustomGetterSetter.cpp: Added.
        (JSC::callCustomSetter):
        * runtime/CustomGetterSetter.h: Added.
        (JSC::CustomGetterSetter::create):
        (JSC::CustomGetterSetter::getter):
        (JSC::CustomGetterSetter::setter):
        (JSC::CustomGetterSetter::createStructure):
        (JSC::CustomGetterSetter::CustomGetterSetter):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isCustomGetterSetter):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isCustomGetterSetter):
        (JSC::JSCell::canUseFastGetOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
        (JSC::JSFunction::isBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
        (JSC::JSFunction::isBuiltinFunction):
        (JSC::JSFunction::isHostOrBuiltinFunction):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putDirectCustomAccessor):
        (JSC::JSObject::fillGetterPropertySlot):
        (JSC::JSObject::fillCustomGetterPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::hasCustomGetterSetterProperties):
        (JSC::JSObject::convertToDictionary):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
        (JSC::JSObject::putOwnDataProperty):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/JSType.h:
        * runtime/Lookup.h:
        (JSC::reifyStaticProperties):
        * runtime/PropertyDescriptor.h:
        (JSC::PropertyDescriptor::PropertyDescriptor):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::nextOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
        (JSC::Structure::get): Deleted.
        * runtime/Structure.h:
        (JSC::Structure::hasCustomGetterSetterProperties):
        (JSC::Structure::setHasCustomGetterSetterProperties):
        * runtime/StructureInlines.h:
        (JSC::Structure::get): Inlined due to hotness.
        (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
        (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):

2014-06-07  Mark Lam  <mark.lam@apple.com>

        Structure should initialize its previousID in its constructor.
        <https://webkit.org/b/133606>

        Reviewed by Mark Hahnenberg.

        Currently, the Structure constructor that takes a previous structure will
        initialize its previousID to point to the previous structure's previousID.
        This is incorrect.  However, the caller of the Structure::create() factory
        method (which instantiated the Structure) will later call setPreviousID()
        to set the previousID to the correct previous structure.  This makes the
        code confusing to read and more error prone in that the structure relies
        on client code to fix its invalid previousID.

        This patch fixes this by making the Structure constructor initialize
        previousID correctly.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::nonPropertyTransition):
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::create):

2014-06-06  Andreas Kling  <akling@apple.com>

        Indexed getters should return values directly on the PropertySlot.
        <https://webkit.org/b/133586>

        Remove PropertySlot's custom index mode.

        Reviewed by Darin Adler.

        * runtime/JSObject.h:
        (JSC::PropertySlot::getValue):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::setCustomIndex): Deleted.

2014-06-04  Timothy Horton  <timothy_horton@apple.com>

        iOS Debug build fix

        Rubber-stamped by Filip Pizlo.

        * Configurations/LLVMForJSC.xcconfig:
        Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.

2014-06-04  Oliver Hunt  <oliver@apple.com>

        ArrayIterator should not be exposed in Safari 8
        https://bugs.webkit.org/show_bug.cgi?id=133494

        Reviewed by Michael Saboff.

        Separate out types that require constructor objects, and don't
        include the iterator types in that list.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:

2014-06-04  Filip Pizlo  <fpizlo@apple.com>

        DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
        https://bugs.webkit.org/show_bug.cgi?id=133525
        <rdar://problem/16790296>

        Reviewed by Oliver Hunt.

        * dfg/DFGSafepoint.cpp:
        (JSC::DFG::Safepoint::begin):

2014-06-03  Filip Pizlo  <fpizlo@apple.com>

        LLVM soft-linking should be truly fail-silent
        https://bugs.webkit.org/show_bug.cgi?id=133482

        Reviewed by Mark Lam.

        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.

2014-06-03  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests poperly on non-x86 Darwin platforms
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.

2014-05-31  Anders Carlsson  <andersca@apple.com>

        Add a LazyNeverDestroyed class template and use it
        https://bugs.webkit.org/show_bug.cgi?id=133425

        Reviewed by Darin Adler.

        * dfg/DFGFunctionWhitelist.cpp:
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        * dfg/DFGFunctionWhitelist.h:

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
        https://bugs.webkit.org/show_bug.cgi?id=133368

        Reviewed by Mark Lam.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
        * tests/stress/new-array-dead.js: Added.
        (foo):

2014-05-28  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix not-x86 32-bit.

        * llint/LowLevelInterpreter32_64.asm:

2014-05-27  Filip Pizlo  <fpizlo@apple.com>

        Arrayify neglects to inform the clobberizer that it might fire watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=133340

        Reviewed by Mark Lam.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize): Be honest.
        * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
        * tests/stress/arrayify-fires-watchpoint.js: Added.
        (foo):
        (test):
        (makeObjectArray):
        * tests/stress/arrayify-structure-bad-test.js: Added.
        (foo):
        (test):

2014-05-27  Jon Lee  <jonlee@apple.com>

        Update ENABLE(MEDIA_SOURCE) on Mac
        https://bugs.webkit.org/show_bug.cgi?id=133141

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove BLOB guards
        https://bugs.webkit.org/show_bug.cgi?id=132863

        Reviewed by Csaba Osztrogonác.

        * Configurations/FeatureDefines.xcconfig:

2014-05-27  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Allow building CMake based ports with WEB_REPLAY
        https://bugs.webkit.org/show_bug.cgi?id=133154

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-25  Filip Pizlo  <fpizlo@apple.com>

        Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
        https://bugs.webkit.org/show_bug.cgi?id=133136

        Reviewed by Oliver Hunt.
        
        Some key concepts:

        - Except for the prediction propagation and type fixup phases, which are super early in
          the pipeline, nobody has to know about the fact that booleans may flow into numerical
          operations because there will just be a BooleanToNumber node that will take a value
          and, if that value is a boolean, will convert it to the equivalent numerical value. It
          will have a BooleanUse mode where it will also speculate that the input is a boolean
          but it can also do UntypedUse in which case it will pass through any non-booleans.
          This operation is very easy to model in all of the compiler tiers.

        - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
          inputs require taking the slow path and it will still report that it took slow path
          for any such operations.  The DFG will now be smart enough to ignore baseline JIT slow
          path profiling on operations that were known to have had boolean inputs.  That's a
          little quirky, but it's probably easier than modifying the baseline JIT to track
          booleans correctly.
        
        4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.

        * bytecode/SpeculatedType.h:
        (JSC::isInt32OrBooleanSpeculation):
        (JSC::isInt32SpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationForArithmetic):
        (JSC::isInt32OrBooleanSpeculationExpectingDefined):
        (JSC::isInt52Speculation):
        (JSC::isMachineIntSpeculation):
        (JSC::isFullNumberOrBooleanSpeculation):
        (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
        (JSC::isInt32SpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
        (JSC::isMachineIntSpeculationForArithmetic): Deleted.
        (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
        (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGAllocator.h:
        (JSC::DFG::Allocator<T>::indexOf):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
        (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
        (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
        (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addSpeculationMode):
        (JSC::DFG::Graph::valueAddSpeculationMode):
        (JSC::DFG::Graph::arithAddSpeculationMode):
        (JSC::DFG::Graph::addShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateInt32):
        (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
        (JSC::DFG::Graph::negateShouldSpeculateInt32):
        (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
        (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
        (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::sawBooleans):
        (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
        (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
        (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateMachineInt):
        (JSC::DFG::Node::shouldSpeculateDouble):
        (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
        (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
        (JSC::DFG::Node::shouldSpeculateNumber):
        (JSC::DFG::Node::canSpeculateInt32):
        (JSC::DFG::Node::canSpeculateInt52):
        (JSC::DFG::Node::sourceFor):
        (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
        (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
        (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeMayNegZero):
        (JSC::DFG::nodeCanSpeculateInt32):
        (JSC::DFG::nodeCanSpeculateInt52):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
        (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::asInt32ForArithmetic):
        * tests/stress/max-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/mul-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-exit.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-double.js: Added.
        (foo):
        (test):
        * tests/stress/plus-boolean-or-int.js: Added.
        (foo):
        (test):

2014-05-26  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        Remove dead code from VM.cpp
        https://bugs.webkit.org/show_bug.cgi?id=133284

        Reviewed by Darin Adler.

        This workaround was added in r127505. Since the clang is the
        only used compiler in this case, this workaround is obsolete.

        * runtime/VM.cpp:
        (JSC::enableAssembler):

2014-05-26  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        JSC CLoop warning fix
        https://bugs.webkit.org/show_bug.cgi?id=133259

        Reviewed by Darin Adler.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2014-05-24  Andreas Kling  <akling@apple.com>

        Object.prototype.toString() should use cached strings for null/undefined.
        <https://webkit.org/b/133261>

        Normally, when calling Object.prototype.toString() on a regular object,
        we'd cache the result of the stringification on the object's structure,
        making repeated calls fast.

        For null and undefined, we were not as smart. We'd instead construct a
        new string with either "[object Null]" or "[object Undefined]" each time.

        This was exposed by Dromaeo's JS library tests, where some prototype.js
        subtests generate millions of strings this way.

        This patch adds two VM-permanent cached strings to the SmallStrings.
        Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html

        Reviewed by Darin Adler.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncToString):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::initializeCommonStrings):
        (JSC::SmallStrings::visitStrongReferences):
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::nullObjectString):
        (JSC::SmallStrings::undefinedObjectString):

2014-05-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove operationCallGetter

        Rubber stamped by Filip Pizlo.

        Nobody calls this function.

        * JavaScriptCore.order:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2014-05-23  Andreas Kling  <akling@apple.com>

        Templatize GC's destructor invocation for dtor type.
        <https://webkit.org/b/133231>

        Get rid of a branch in callDestructor() by templatizing it for
        the DestructorType. Removed JSCell::methodTableForDestruction()
        since this was the only call site and it was jumping through
        a bunch of unnecessary hoops.

        Reviewed by Geoffrey Garen.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h:
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::methodTableForDestruction): Deleted.

2014-05-23  Andreas Kling  <akling@apple.com>

        Support inline caching of RegExpMatchesArray.length
        <https://webkit.org/b/133234>

        Give RegExpMatchesArray.length the same treatment as JSArray in
        repatch so we don't have to go out of line on every access.

        ~13% speed-up on Octane/regexp.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        * runtime/RegExpMatchesArray.h:
        (JSC::isRegExpMatchesArray):

2014-05-22  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
        <https://webkit.org/b/133182>

        Reviewed by Oliver Hunt.

        Before r154797, we used to clear the VM exception before calling into the
        debugger.  After r154797, we don't.  This patch will restore this clearing
        of the exception before calling into the debugger.

        Also added assertions after returning from calls into the debugger to
        ensure that the debugger did not introduce any exceptions.

        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        - Fixed the assertion here.  Interpreter::debug() should never be called
          with a pending exception.  Debugger callbacks for exceptions should be
          handled by Interpreter::unwind() and Interpreter::unwindCallFrame().

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Store barrier elision should run after DCE in both the DFG path and the FTL path
        https://bugs.webkit.org/show_bug.cgi?id=129718

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):

2014-05-21  Zsolt Borbely  <zsborbely.u-szeged@partner.samsung.com>

        [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
        https://bugs.webkit.org/show_bug.cgi?id=132907

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:

2014-05-16  Martin Robinson  <mrobinson@igalia.com>

        [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
        https://bugs.webkit.org/show_bug.cgi?id=132819

        Reviewed by Carlos Garcia Campos.

        * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
        use the common CMake ones directly.

2014-05-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/169159.
        
        This was a unilateral change and wasn't properly reviewed.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-21  Antoine Quint  <graouts@webkit.org>

        Array.prototype.find and findIndex should skip holes
        https://bugs.webkit.org/show_bug.cgi?id=132658

        Reviewed by Geoffrey Garen.

        Skip holes in the array when iterating such that callback isn't called.

        * builtins/Array.prototype.js:
        (find):
        (findIndex):

2014-05-21  Eva Balazsfalvi  <evab.u-szeged@partner.samsung.com>

        REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
        https://bugs.webkit.org/show_bug.cgi?id=133149

        Reviewed by Csaba Osztrogonác.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-20  Geoffrey Garen  <ggaren@apple.com>

        Rolled out <http://trac.webkit.org/changeset/166184>
        https://bugs.webkit.org/show_bug.cgi?id=133144

        Reviewed by Gavin Barraclough.

        It caused a performance regression.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):

2014-05-20  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation should agree with fixup phase over the return type of GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=133134

        Reviewed by Mark Hahnenberg.
        
        Make prediction propagator use ArrayMode refinement to decide the return type.
        
        Also introduce a heap prediction intrinsic that allows us to test weird corner cases
        like this. The only way we'll see a mismatch like this in the real world is probably
        through a gnarly race condition.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::setHeapPrediction):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionFalse1):
        (functionFalse2):
        (functionUndefined1):
        (functionUndefined2):
        (functionFalse): Deleted.
        (functionOtherFalse): Deleted.
        (functionUndefined): Deleted.
        * runtime/Intrinsic.h:
        * tests/stress/get-by-val-double-predicted-int.js: Added.
        (foo):

2014-05-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Watchdog timer should be lazily allocated
        https://bugs.webkit.org/show_bug.cgi?id=133135

        Reviewed by Geoffrey Garen.

        We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. 
        There is no reason to do this checking if we never activated the Watchdog, which can only be done through 
        JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. 

        By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use 
        these two API functions (which is true of most clients).

        * API/JSContextRef.cpp:
        (JSContextGroupSetExecutionTimeLimit):
        (JSContextGroupClearExecutionTimeLimit):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_loop_hint):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/VM.h:
        * runtime/Watchdog.cpp:
        (JSC::Watchdog::Scope::Scope): Deleted.
        (JSC::Watchdog::Scope::~Scope): Deleted.
        * runtime/Watchdog.h:
        (JSC::Watchdog::Scope::Scope):
        (JSC::Watchdog::Scope::~Scope):

2014-05-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSArray::shiftCountWith* could be more efficient
        https://bugs.webkit.org/show_bug.cgi?id=133011

        Reviewed by Geoffrey Garen.

        Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage 
        are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling 
        them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.

        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::indexingHeader):
        (JSC::ArrayStorage::length):
        (JSC::ArrayStorage::hasHoles):
        * runtime/IndexingHeader.h:
        (JSC::IndexingHeader::publicLength):
        (JSC::IndexingHeader::from):
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithArrayStorage):
        * runtime/JSArray.h:
        (JSC::JSArray::shiftCountForShift):
        (JSC::JSArray::shiftCountForSplice):
        (JSC::JSArray::shiftCount):
        * runtime/Structure.cpp:
        (JSC::Structure::holesRequireSpecialBehavior):
        * runtime/Structure.h:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Test gardening: skip some failing tests on not-X86.

        * tests/mozilla/mozilla-tests.yaml:

2014-05-19  Mark Lam  <mark.lam@apple.com>

        operationOptimize() should defer the GC for a while.
        <https://webkit.org/b/133103>

        Reviewed by Filip Pizlo.

        Currently, operationOptimize() only defers the GC until its end.  As a result,
        a GC may be triggered just before we return from operationOptimize(), and it may
        jettison the optimize codeBlock that we're planning to OSR enter into when we
        return from this function.  This is because the OSR entry on-ramp code hasn't
        been executed yet, and hence, there is not yet a reference to this new codeBlock
        from the stack, and there won't be until we've had a chance to return out of
        operationOptimize() to run the OSR entry on-ramp code.

        This issue is now fixed by using DeferGCForAWhile instead of DeferGC.  This
        ensures that the GC will be deferred until after the OSR entry on-ramp can be
        executed.

        * jit/JITOperations.cpp:

2014-05-19  Filip Pizlo  <fpizlo@apple.com>

        Take care of some ARM64 test failures
        https://bugs.webkit.org/show_bug.cgi?id=133090

        Reviewed by Geoffrey Garen.
        
        Constant blinding on ARM64 cannot use the scratch register.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::store64):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding):

2014-05-19  Tanay C  <tanay.c@samsung.com>

        Removing some check-webkit-style warnings from ./dfg
        https://bugs.webkit.org/show_bug.cgi?id=132854

        Reviewed by Darin Adler.

        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractValue.h:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDominators.h:
        * dfg/DFGGraph.h:
        * dfg/DFGInPlaceAbstractState.h:
        * dfg/DFGPredictionPropagationPhase.h:

2014-05-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
        That was a long time ago.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileReturn):

2014-05-18  Rik Cabanier  <cabanier@adobe.com>

        support for navigator.hardwareConcurrency
        https://bugs.webkit.org/show_bug.cgi?id=132588

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2014-05-16  Michael Saboff  <msaboff@apple.com>

        Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
        https://bugs.webkit.org/show_bug.cgi?id=133009

        Reviewed by Oliver Hunt.

        If we determine that any alternative requires a minumum match size greater than
        INT_MAX, we handle the match in the interpreter.

        Check to see if the pattern has unsigned lengths before invoking YARR JIT.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):

        * tests/stress/large-regexp.js: New test added.

        Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
        doesn't fit in an int.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):

        Clear new m_containsUnsignedLengthPattern flag.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):
        (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):

2014-05-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should not claim HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132918

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".

2014-05-15  Alex Christensen  <achristensen@webkit.org>

        Add pointer lock to features without enabling it.
        https://bugs.webkit.org/show_bug.cgi?id=132961

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        Added ENABLE_POINTER_LOCK to list of features.

2014-05-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Inline caching for proxies clobbers baseGPR too early
        https://bugs.webkit.org/show_bug.cgi?id=132916

        Reviewed by Filip Pizlo.

        We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path 
        gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR 
        until we know the inline cache is going to succeed.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):

2014-05-14  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed build fix.

        * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
        was missing commands to build LLInt portions of JSC.
        * llint/LLIntData.cpp: 64-bit build fix.

2014-05-14  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>

        ARM Traditional buildfix after r168776.
        https://bugs.webkit.org/show_bug.cgi?id=132903

        Reviewed by Darin Adler.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::abortWithReason): Added.

2014-05-14  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Remove CSS_STICKY_POSITION guards
        https://bugs.webkit.org/show_bug.cgi?id=132676

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2014-05-13  Filip Pizlo  <fpizlo@apple.com>

        JIT breakpoints should be more informative
        https://bugs.webkit.org/show_bug.cgi?id=132882

        Reviewed by Oliver Hunt.
        
        Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
        failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
        at that platform's abort reason register (r11 on X86-64 for example).

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbortReason.h: Added.
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::abortWithReason):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::abortWithReason):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::abortWithReason):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::abortWithReason):
        * dfg/DFGSlowPathGenerator.h:
        (JSC::DFG::SlowPathGenerator::generate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::bail):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrEntryThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::jitAssertIsInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSInt32):
        (JSC::AssemblyHelpers::jitAssertIsJSNumber):
        (JSC::AssemblyHelpers::jitAssertIsJSDouble):
        (JSC::AssemblyHelpers::jitAssertIsCell):
        (JSC::AssemblyHelpers::jitAssertTagsInPlace):
        (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
        (JSC::AssemblyHelpers::jitAssertIsNull):
        (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkStackPointerAlignment):
        (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_div):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::addStructureTransitionCheck): Deleted.
        (JSC::JIT::testPrototype): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::compileGetDirectOffset):
        * jit/RegisterPreservationWrapperGenerator.cpp:
        (JSC::generateRegisterRestoration):
        * jit/Repatch.cpp:
        (JSC::addStructureTransitionCheck):
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):
        (JSC::nativeForGenerator):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):

2014-05-13  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
        The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168642.
        https://bugs.webkit.org/show_bug.cgi?id=132839

        Broke ARM build (Requested by jpfau on #webkit).

        Reverted changeset:

        "[Win] Enum type with value zero is compatible with void*,
        potential cause of crashes."
        https://bugs.webkit.org/show_bug.cgi?id=132772
        http://trac.webkit.org/changeset/168642

2014-05-12  peavo@outlook.com  <peavo@outlook.com>

        [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
        https://bugs.webkit.org/show_bug.cgi?id=132772

        Reviewed by Geoffrey Garen.

        Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
        This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
        This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
        The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadDouble):
        (JSC::MacroAssemblerARM::storeDouble):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::loadDouble):
        (JSC::MacroAssemblerARM64::storeDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::storeDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::loadDouble):
        (JSC::MacroAssemblerMIPS::storeDouble):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::loadDouble):
        (JSC::MacroAssemblerSH4::storeDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::absDouble):
        (JSC::MacroAssemblerX86Common::negateDouble):
        (JSC::MacroAssemblerX86Common::loadDouble):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::silentFill):
        (JSC::DFG::compileClampDoubleToByte):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::purifyNaN):
        * jit/JITInlines.h:
        (JSC::JIT::emitLoadDouble):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::powThunkGenerator):

2014-05-12  Andreas Kling  <akling@apple.com>

        0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
        <https://webkit.org/b/132828>
        <rdar://problem/16886285>

        Reviewed by Michael Saboff.

        * runtime/JSObject.cpp:
        (JSC::JSObject::visitButterfly):
        (JSC::JSObject::visitChildren):

            Use JSCell::structure(VM&) to reduce the number of hoops we jump
            through to find Structures during marking.

2014-05-12  László Langó  <llango.u-szeged@partner.samsung.com>

        [cmake] Add missing FTL source files to the build system.

        Reviewed by Csaba Osztrogonác.

        * CMakeLists.txt:

2014-05-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
        https://bugs.webkit.org/show_bug.cgi?id=132409

        Reviewed by Timothy Hatcher.

        Proxy applications are applications which hold WebViews for other
        applications. The WebProcess (Web Content Service) is a proxy application.
        For legacy reasons we were supporting a scenario where proxy applications
        could potentially host WebViews for more then one other application. That
        was never the case for WebProcess and it is now a scenario we don't need
        to worry about supporting.

        With this change, a proxy application more naturally only holds WebViews
        for a single parent / host application. The proxy process can set the
        parent pid / audit_token data on the RemoteInspector singleton, and
        that data will be sent on to webinspectord later on to be validated.
        In the WebProcess<->UIProcess relationship that information is known
        and set immediately. In the Legacy iOS case that information is set
        soon after, but not immediately known at the point the WebView is created.

        This allows us to simplify the RemoteInspectorDebuggable interface.
        We no longer need a pid per-Debuggable.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspector.mm:
        (Inspector::RemoteInspector::RemoteInspector):
        (Inspector::RemoteInspector::setParentProcessInformation):
        (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
        (Inspector::RemoteInspector::listingForDebuggable):
        (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
        Handle new proxy application setup message, and provide an API
        for a proxy application to set the parent process information.

        * inspector/remote/RemoteInspectorConstants.h:
        New setup and response message for proxy applications to pass
        their parent / host application information to webinspectord.

        * inspector/remote/RemoteInspectorDebuggable.cpp:
        (Inspector::RemoteInspectorDebuggable::info):
        * inspector/remote/RemoteInspectorDebuggable.h:
        (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
        (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
        pid per debuggable is no longer needed.

2014-05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should disable property caching after a certain point
        https://bugs.webkit.org/show_bug.cgi?id=132751

        Reviewed by Filip Pizlo.

        This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static 
        hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks 
        that it has provided a cacheable value.

        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::isCacheable):
        (JSC::PropertySlot::disableCaching):

2014-05-09  Andreas Kling  <akling@apple.com>

        8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
        <https://webkit.org/b/132749>

        Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
        in Object.prototype.* by using JSString::toIdentifier() in the cases where
        we are converting JSString -> String -> Identifier.

        This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
        "The Great HTML5 Gaming Performance Test: 2014 edition"
        <http://www.scirra.com/demos/c2/sbperftest/>

        Reviewed by Oliver Hunt.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncHasOwnProperty):
        (JSC::objectProtoFuncDefineGetter):
        (JSC::objectProtoFuncDefineSetter):
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSDOMWindow should have a WatchpointSet to fire on window close
        https://bugs.webkit.org/show_bug.cgi?id=132721

        Reviewed by Filip Pizlo.

        This patch allows us to reset the inline caches that assumed they could skip 
        the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has 
        been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.

        PropertySlot now accepts a WatchpointSet which the inline cache code can look for
        to see if it should create a new Watchpoint for that particular inline cache site.

        * bytecode/Watchpoint.h:
        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::PropertySlot):
        (JSC::PropertySlot::watchpointSet):
        (JSC::PropertySlot::setWatchpointSet):

2014-05-09  Tanay C  <tanay.c@samsung.com>

        Fix build warning (uninitialized variable) in DFGFixupPhase.cpp 
        https://bugs.webkit.org/show_bug.cgi?id=132331

        Reviewed by Darin Adler.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):

2014-05-09  peavo@outlook.com  <peavo@outlook.com>

        [Win] Crash when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=132683

        Reviewed by Geoffrey Garen.

        On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.

        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Ditto.

2014-05-09  Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>

        REGRESSION(r167094): JSC crashes on ARM Traditional
        https://bugs.webkit.org/show_bug.cgi?id=132738

        Reviewed by Zoltan Herczeg.

        PC is two instructions ahead of the current instruction
        on ARM Traditional, so the distance is 8 bytes not 2.

        * llint/LowLevelInterpreter.asm:

2014-05-09  Alberto Garcia  <berto@igalia.com>

        jsmin.py license header confusing, mentions non-free license
        https://bugs.webkit.org/show_bug.cgi?id=123665

        Reviewed by Darin Adler.

        Pull the most recent version from upstream, which has a clear
        license.

        * inspector/scripts/jsmin.py:

2014-05-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
        https://bugs.webkit.org/show_bug.cgi?id=132695

        Reviewed by Filip Pizlo.

        We check in the case where we're accessing something other than the base object (e.g. the prototype), 
        but we fail to do so for the base object.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
        because all of the values that are returned that could be impure are set to uncacheable anyways.
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (GlobalObject::finishCreation):
        (functionCreateImpureGetter):
        (functionSetImpureGetterDelegate):
        * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
        (foo):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        deleteAllCompiledCode() shouldn't use the suspension worklist
        https://bugs.webkit.org/show_bug.cgi?id=132708

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid):
        * heap/Heap.cpp:
        (JSC::Heap::deleteAllCompiledCode):

2014-05-08  Filip Pizlo  <fpizlo@apple.com>

        SSA conversion should delete PhantomLocals for captured variables
        https://bugs.webkit.org/show_bug.cgi?id=132693

        Reviewed by Mark Hahnenberg.

        * dfg/DFGCommon.cpp:
        (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we man dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
        * dfg/DFGCommon.h:
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
        * dfg/DFGLivenessAnalysisPhase.cpp:
        (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
        * dfg/DFGValidate.cpp: Use the workaround.
        * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
        (foo):
        (bar):

2014-05-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r168451.
        https://bugs.webkit.org/show_bug.cgi?id=132670

        Not a speed-up, just do what other compilers do. (Requested by
        kling on #webkit).

        Reverted changeset:

        "[X86] Emit BT instruction for single-bit tests."
        https://bugs.webkit.org/show_bug.cgi?id=132650
        http://trac.webkit.org/changeset/168451

2014-05-07  Filip Pizlo  <fpizlo@apple.com>

        Make Executable::clearCode() actually clear all of the entrypoints, and
        clean up some other FTL-related calling convention stuff.
        <rdar://problem/16720172>

        Rubber stamped by Mark Hahnenberg.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::Worklist):
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::dump):
        * heap/CodeBlockSet.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):

2014-05-07  Andreas Kling  <akling@apple.com>

        [X86] Emit BT instruction for single-bit tests.
        <https://webkit.org/b/132650>

        Implement test-bit-and-branch slightly more efficiently by using
        BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
        a single bit.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::singleBitIndex):
        (JSC::MacroAssemblerX86Common::branchTest32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::bt_i8r):
        (JSC::X86Assembler::bt_i8m):

2014-05-07  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
        <https://webkit.org/b/131356>

        Reviewed by Geoffrey Garen.

        The issue is that GC needs to be made aware of writes to m_inferredValue
        in the VariableWatchpointSet, but was not.  As a result, if a JSCell*
        is written to a VariableWatchpointSet m_inferredValue, and that JSCell
        does not survive an eden GC shortly after, we will end up with a stale
        JSCell pointer left in the m_inferredValue.

        This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
        using DumpRenderTree with the VM heap in zombie mode.

        The fix is to change VariableWatchpointSet m_inferredValue to type
        WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
        is executed by all the execution engines so that the WriteBarrier semantics
        are honored.

        We still check if the value to be written is the same as the one in the
        inferredValue.  We'll by-pass calling the slow path notifyWrite() if the
        values are the same.        

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        - need to pass the symbolTable to prepareToWatch() because it will be needed
          for instantiating the VariableWatchpointSet in prepareToWatch().

        * bytecode/VariableWatchpointSet.h:
        (JSC::VariableWatchpointSet::VariableWatchpointSet):
        - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
          write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
        (JSC::VariableWatchpointSet::inferredValue):
        (JSC::VariableWatchpointSet::invalidate):
        (JSC::VariableWatchpointSet::finalizeUnconditionally):
        (JSC::VariableWatchpointSet::addressOfInferredValue):
        (JSC::VariableWatchpointSet::notifyWrite): Deleted.
        * bytecode/VariableWatchpointSetInlines.h: Added.
        (JSC::VariableWatchpointSet::notifyWrite):

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        - Added an assert in case we try to make constants of zombified JSCells again.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        - We now let the slow path handle the cases when the VariableWatchpointSet is
          in state ClearWatchpoint and IsWatched, and the slow path will ensure that
          we handle the needed write barrier semantics correctly.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        - Let the slow path handle the cases when the VariableWatchpointSet is
          in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.

        * heap/Heap.cpp:
        (JSC::Zombify::operator()):
        - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
          which is used everywhere else).
        * heap/Heap.h:
        (JSC::Heap::isZombified):
        - Provide a convenience test function to check if JSCells are zombified.  This is
          currently only used in an assertion in the DFG bytecode parser, but the intent
          it that we'll apply this test in other strategic places later to help with early
          detection of usage of GC'ed objects when we run in zombie mode.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_captured_mov):
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitNotifyWrite):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitSlow_op_put_to_scope):
        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
          is in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.
        
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
          is in state ClearWatchpoint and IsWatched.
          We will by-pass the slow path if the value being written is the same as the
          inferred value.
        
        * runtime/CommonSlowPaths.cpp:

        * runtime/JSCJSValue.h: Fixed some typos in the comments.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::notifyWrite):

2014-05-06  Michael Saboff  <msaboff@apple.com>

        Unreviewd build fix for C-LOOP after r168396.

        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)

2014-05-06  Michael Saboff  <msaboff@apple.com>

        Add test for deleteAllCompiledCode
        https://bugs.webkit.org/show_bug.cgi?id=132632

        Reviewed by Phil Pizlo.

        Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
        the other to call CodeBlock::optimizeNextInvocation().  Used these two hooks
        to write a test that will queue up loads of DFG compiles and then call
        Heap::deleteAllCompiledCode() to make sure that it can handle compiled
        code as well as code being compiled.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionDeleteAllCompiledCode):
        (functionOptimizeNextInvocation):
        * runtime/TestRunnerUtils.cpp:
        (JSC::optimizeNextInvocation):
        * runtime/TestRunnerUtils.h:
        * tests/stress/deleteAllCompiledCode.js: Added.
        (functionList):
        (runTest):

2014-05-06  Andreas Kling  <akling@apple.com>

        JSString::toAtomicString() should return AtomicString.
        <https://webkit.org/b/132627>

        Remove premature optimization where I was trying to avoid refcount
        churn when returning an already atomicized String.

        Instead of using reinterpret_cast to mangle the String member into
        a const AtomicString& return value, just return AtomicString.

        Reviewed by Geoff Garen.

        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):

2014-05-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Roll out r167889

        Rubber stamped by Geoff Garen.

        It broke some websites.

        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::hasDeletedOffset):
        (JSC::PropertyTable::hadDeletedOffset): Deleted.
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::pin):
        (JSC::Structure::pinAndPreventTransitions): Deleted.
        * runtime/Structure.h:
        * runtime/StructureInlines.h:
        (JSC::Structure::setEnumerationCache):
        (JSC::Structure::propertyTable):
        (JSC::Structure::checkOffsetConsistency):
        (JSC::Structure::hadDeletedOffsets): Deleted.
        * tests/stress/for-in-after-delete.js:
        (foo): Deleted.

2014-05-05  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize GetByVal when subscript is a rope string.
        <https://webkit.org/b/132590>

        Use JSString::toIdentifier() in the various GetByVal implementations
        to try and avoid allocating extra strings.

        Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
        in that, to avoid calling JSString::value() which always resolves ropes
        into new strings and de-optimizes subsequent toIdentifier() calls.

        My iMac says ~9% progression on Dromaeo/dom-attr.html

        Reviewed by Phil Pizlo.

        * dfg/DFGOperations.cpp:
        * jit/JITOperations.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSCell::canUseFastGetOwnProperty):

2014-05-05  Andreas Kling  <akling@apple.com>

        REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
        <https://webkit.org/b/168256>
        <rdar://problem/16816316>

        Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
        clear the fibers. The caller takes care of this.

        Test: fast/dom/getElementById-with-rope-string-arg.html

        Reviewed by Geoffrey Garen.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):

2014-05-05  Michael Saboff  <msaboff@apple.com>

        REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
        https://bugs.webkit.org/show_bug.cgi?id=132581

        Reviewed by Filip Pizlo.

        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
        started compiling for is still the same at the end of compilation.
        Also did some minor restructuring.

2014-05-05  Andreas Kling  <akling@apple.com>

        Optimize PutByVal when subscript is a rope string.
        <https://webkit.org/b/132572>

        Add a JSString::toIdentifier() that is smarter when the JSString is
        really a rope string. Use this in baseline & DFG's PutByVal to avoid
        allocating new StringImpls that we immediately deduplicate anyway.

        Reviewed by Antti Koivisto.

        * dfg/DFGOperations.cpp:
        (JSC::DFG::operationPutByValInternal):
        * jit/JITOperations.cpp:
        * runtime/JSString.h:
        (JSC::JSString::toIdentifier):

2014-05-05  Andreas Kling  <akling@apple.com>

        Remove two now-incorrect assertions after r168256.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):

2014-05-04  Andreas Kling  <akling@apple.com>

        Optimize JSRopeString for resolving directly to AtomicString.
        <https://webkit.org/b/132548>

        If we know that the JSRopeString we are resolving is going to be used
        as an AtomicString, we can try to avoid creating a new string.

        We do this by first resolving the rope into a stack buffer, and using
        that buffer as a key into the AtomicString table. If there is already
        an AtomicString with the same characters, we reuse that instead of
        constructing a new StringImpl.

        JSString gains these two public functions:

        - AtomicString toAtomicString()

            Returns an AtomicString, tries to avoid allocating a new string
            if possible.

        - AtomicStringImpl* toExistingAtomicString()

            Returns a non-null AtomicStringImpl* if one already exists in the
            AtomicString table. If none is found, the rope is left unresolved.

        Reviewed by Filip Pizlo.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeInternal8):
        (JSC::JSRopeString::resolveRopeInternal16):
        (JSC::JSRopeString::resolveRopeToAtomicString):
        (JSC::JSRopeString::clearFibers):
        (JSC::JSRopeString::resolveRopeToExistingAtomicString):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSString::toAtomicString):
        (JSC::JSString::toExistingAtomicString):

2014-05-04  Andreas Kling  <akling@apple.com>

        Unreviewed, rolling out r168254.

        Very crashy on debug JSC tests.

        Reverted changeset:

        "jsSubstring() should be lazy"
        https://bugs.webkit.org/show_bug.cgi?id=132556
        http://trac.webkit.org/changeset/168254

2014-05-04  Filip Pizlo  <fpizlo@apple.com>

        jsSubstring() should be lazy
        https://bugs.webkit.org/show_bug.cgi?id=132556

        Reviewed by Andreas Kling.
        
        jsSubstring() is now lazy by using a special rope that is a substring instead of a
        concatenation. To make this patch super simple, we require that a substring's base is
        never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
        path, or we go down a concatenation path which may see exactly one level of substrings in
        its fibers.
        
        This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::specializedSweep):
        * runtime/JSString.cpp:
        (JSC::JSRopeString::visitFibers):
        (JSC::JSRopeString::resolveRope):
        (JSC::JSRopeString::resolveRopeSlowCase8):
        (JSC::JSRopeString::resolveRopeSlowCase):
        (JSC::JSRopeString::outOfMemory):
        * runtime/JSString.h:
        (JSC::JSRopeString::finishCreation):
        (JSC::JSRopeString::append):
        (JSC::JSRopeString::create):
        (JSC::JSRopeString::offsetOfFibers):
        (JSC::JSRopeString::fiber):
        (JSC::JSRopeString::substringBase):
        (JSC::JSRopeString::substringOffset):
        (JSC::JSRopeString::substringSentinel):
        (JSC::JSRopeString::isSubstring):
        (JSC::jsSubstring):
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSubstring):

2014-05-02  Michael Saboff  <msaboff@apple.com>

        "arm64 function not 4-byte aligned" warnings when building JSC
        https://bugs.webkit.org/show_bug.cgi?id=132495

        Reviewed by Geoffrey Garen.

        Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.

        * llint/LowLevelInterpreter.cpp:

2014-05-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix cloop build after r168178

        * bytecode/CodeBlock.cpp:

2014-05-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add a DFG function whitelist
        https://bugs.webkit.org/show_bug.cgi?id=132437

        Reviewed by Geoffrey Garen.

        Often times when debugging, using bytecode ranges isn't enough to narrow down to the 
        particular DFG block that's causing issues. This patch adds the ability to whitelist 
        specific functions specified in a file to enable further filtering without having to recompile.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::isSupported):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForClosureCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGFunctionWhitelist.cpp: Added.
        (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
        (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
        (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
        (JSC::DFG::FunctionWhitelist::contains):
        * dfg/DFGFunctionWhitelist.h: Added.
        * runtime/Options.cpp:
        (JSC::parse):
        (JSC::Options::dumpOption):
        * runtime/Options.h:

2014-05-02  Filip Pizlo  <fpizlo@apple.com>

        DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
        https://bugs.webkit.org/show_bug.cgi?id=132446

        Reviewed by Mark Hahnenberg.
        
        Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
        our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
        to indicate a bound on the value. This is useful for knowing, for example, that
        Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
        ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
        But this means that all arithmetic operations must be careful to note that they may
        turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * tests/stress/int52-ai-add-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
        (foo):
        * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
        (foo):
        * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
        (foo):

2014-05-01  Geoffrey Garen  <ggaren@apple.com>

        JavaScriptCore fails to build with some versions of clang
        https://bugs.webkit.org/show_bug.cgi?id=132436

        Reviewed by Anders Carlsson.

        * runtime/ArgumentsIteratorConstructor.cpp: Since we call
        putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
        and both are marked inline, it's valid for the compiler to decide
        to inline both and emit neither in the binary. Therefore, we need
        both inline definitions to be available in the translation unit at
        compile time, or we'll try to link against a function that doesn't exist.

2014-05-01  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r167964.
        https://bugs.webkit.org/show_bug.cgi?id=132431

        Memory improvements should not regress memory usage (Requested
        by olliej on #webkit).

        Reverted changeset:

        "Don't hold on to parameter BindingNodes forever"
        https://bugs.webkit.org/show_bug.cgi?id=132360
        http://trac.webkit.org/changeset/167964

2014-05-01  Filip Pizlo  <fpizlo@apple.com>

        Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
        https://bugs.webkit.org/show_bug.cgi?id=132427

        Reviewed by Mark Hahnenberg.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):

2014-04-30  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
        https://bugs.webkit.org/show_bug.cgi?id=132396

        Reviewed by Eric Carlson.

        Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.

        * Configurations/FeatureDefines.xcconfig:

2014-04-30  Filip Pizlo  <fpizlo@apple.com>

        Argument flush formats should not be presumed to be JSValue since 'this' is weird
        https://bugs.webkit.org/show_bug.cgi?id=132404

        Reviewed by Michael Saboff.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
        * dfg/DFGValueSource.cpp:
        (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
        * tests/stress/strict-to-this-int.js: Added.
        (foo):
        (Number.prototype.valueOf):
        (test):

2014-04-29  Oliver Hunt  <oliver@apple.com>

        Don't hold on to parameterBindingNodes forever
        https://bugs.webkit.org/show_bug.cgi?id=132360

        Reviewed by Geoffrey Garen.

        Don't keep the parameter nodes anymore. Instead we store the
        original parameter string and reparse whenever we actually
        need them. Because we only actually need them for compilation
        this only results in a single extra parse.

        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedFunctionExecutable::finishCreation):
        (JSC::UnlinkedFunctionExecutable::paramString):
        (JSC::UnlinkedFunctionExecutable::parameters):
        (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::parameterCount):
        (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
        (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::setFunctionBodyParameters):
        * parser/Nodes.h:
        (JSC::FunctionBodyNode::parametersStartOffset):
        (JSC::FunctionBodyNode::parametersEndOffset):
        (JSC::FunctionBodyNode::setParameterLocation):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::parseParameters):
        * parser/Parser.h:
        (JSC::parse):
        * parser/SourceCode.h:
        (JSC::SourceCode::subExpression):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::setFunctionBodyParameters):

2014-04-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSProxies should be cacheable
        https://bugs.webkit.org/show_bug.cgi?id=132351

        Reviewed by Geoffrey Garen.

        Whenever we encounter a proxy in an inline cache we should try to cache on the 
        proxy's target instead of giving up.

        This patch adds support for a simple "recursive" inline cache if the base object
        we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses 
        are the only ones to benefit from this right now.

        This is performance neutral on the benchmarks we track. Currently we won't
        cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.

        * jit/Repatch.cpp:
        (JSC::generateByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (functionCreateProxy):
        * runtime/IntendedStructureChain.cpp:
        (JSC::IntendedStructureChain::isNormalized):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isProxy):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSProxy.h:
        (JSC::JSProxy::createStructure):
        (JSC::JSProxy::targetOffset):
        * runtime/JSType.h:
        * runtime/Operations.h:
        (JSC::isPrototypeChainNormalized):
        * runtime/Structure.h:
        (JSC::Structure::isProxy):
        * tests/stress/proxy-inline-cache.js: Added.
        (cacheOnTarget.getX):
        (cacheOnTarget):
        (cacheOnPrototypeOfTarget.getX):
        (cacheOnPrototypeOfTarget):
        (dontCacheOnProxyInPrototypeChain.getX):
        (dontCacheOnProxyInPrototypeChain):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
        (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):

2014-04-29  Filip Pizlo  <fpizlo@apple.com>

        Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
        https://bugs.webkit.org/show_bug.cgi?id=112840

        Rubber stamped by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig:

2014-04-29  Geoffrey Garen  <ggaren@apple.com>

        String.prototype.trim removes U+200B from strings.
        https://bugs.webkit.org/show_bug.cgi?id=130184

        Reviewed by Michael Saboff.

        * runtime/StringPrototype.cpp:
        (JSC::trimString):
        (JSC::isTrimWhitespace): Deleted.

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Zombifying sweep should ignore retired blocks.
        <https://webkit.org/b/132344>

        Reviewed by Mark Hahnenberg.

        By definition, retired blocks do not have "dead" objects, or at least
        none that we know of yet until the next marking phase has been run
        over it.  So, we should not be sweeping them (even for zombie mode).

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::zombifySweep):
        * heap/MarkedSpace.h:
        (JSC::ZombifySweep::operator()):

2014-04-29  Mark Lam  <mark.lam@apple.com>

        Fix bit rot in zombie mode heap code.
        <https://webkit.org/b/132342>

        Reviewed by Mark Hahnenberg.

        Need to enter a DelayedReleaseScope before doing a sweep.

        * heap/Heap.cpp:
        (JSC::Heap::zombifyDeadObjects):

2014-04-29  Tomas Popela  <tpopela@redhat.com>

        LLINT loadisFromInstruction doesn't need special case for big endians
        https://bugs.webkit.org/show_bug.cgi?id=132330

        Reviewed by Mark Lam.

        The change introduced in r167076 was wrong. We should not apply the offset
        adjustment on loadisFromInstruction usage as the instruction
        (UnlinkedInstruction) is declared as an union (i.e. with the int32_t
        operand variable). The offset of the other union members will be the
        same as the offset of the first one, that is 0. The behavior here is the
        same on little and big endian architectures. Thus we don't need
        special case for big endians.

        * llint/LowLevelInterpreter.asm:

2014-04-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Simplify tryCacheGetById
        https://bugs.webkit.org/show_bug.cgi?id=132314

        Reviewed by Oliver Hunt and Filip Pizlo.

        This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.

2014-04-28  Michael Saboff  <msaboff@apple.com>

        REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
        https://bugs.webkit.org/show_bug.cgi?id=132315

        Reviewed by Mark Hahnenberg.

        Used the StringImpl version of utf8() instead of creating a String first.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2014-04-28  Filip Pizlo  <fpizlo@apple.com>

        The LLInt is awesome and it should get more of the action.

        Rubber stamped by Geoffrey Garen.
        
        5% speed-up on JSBench and no meaningful regressions.  Should be a PLT/DYE speed-up also.

        * runtime/Options.h:

2014-04-27  Filip Pizlo  <fpizlo@apple.com>

        GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
        https://bugs.webkit.org/show_bug.cgi?id=132166

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        The GC can aid type inference by removing structures that are dead and jettisoning
        code that relies on those structures. This can dramatically accelerate type inference
        for some tricky programs.
        
        Unfortunately, we previously pinned any structures that enqueued compilations depended
        on. This means that if you're on a machine that only runs a single compilation thread
        and where compilations are relatively slow,&nb