cssText should use shorthand notations

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2012-03-26  Ryosuke Niwa  <rniwa@webkit.org>

        cssText should use shorthand notations
        https://bugs.webkit.org/show_bug.cgi?id=81737

        Reviewed by Enrica Casucci.

        Export symbols of BitVector on Windows.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-26  Filip Pizlo  <fpizlo@apple.com>

        DFG should assert that argument value recoveries can only be
        AlreadyInRegisterFile or Constant
        https://bugs.webkit.org/show_bug.cgi?id=82249

        Reviewed by Michael Saboff.
        
        Made the assertions that the DFG makes for argument value recoveries match
        what Arguments expects.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::isConstant):
        (ValueRecovery):
        (JSC::ValueRecovery::isAlreadyInRegisterFile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-26  Dan Bernstein  <mitz@apple.com>

        Tried to fix the Windows build.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::putRange):

2012-03-26  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - speculative Windows build fix.

        * yarr/YarrCanonicalizeUCS2.h:
        (JSC::Yarr::getCanonicalPair):

2012-03-26  Dan Bernstein  <mitz@apple.com>

        Fixed builds with assertions disabled.

        * yarr/YarrCanonicalizeUCS2.h:
        (JSC::Yarr::areCanonicallyEquivalent):

2012-03-26  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - errk! - accidentally the whole pbxproj.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-25  Gavin Barraclough  <barraclough@apple.com>

        Greek sigma is handled wrong in case independent regexp.
        https://bugs.webkit.org/show_bug.cgi?id=82063

        Reviewed by Oliver Hunt.

        The bug here is that we assume that any given codepoint has at most one additional value it
        should match under a case insensitive match, and that the pair of codepoints that match (if
        a codepoint does not only match itself) can be determined by calling toUpper/toLower on the
        given codepoint). Life is not that simple.

        Instead, pre-calculate a set of tables mapping from a UCS2 codepoint to the set of characters
        it may match, under the ES5.1 case-insensitive matching rules. Since unicode is fairly regular
        we can pack this table quite nicely, and get it down to 364 entries. This means we can use a
        simple binary search to find an entry in typically eight compares.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * yarr/yarr.pri:
            - Added new files to build systems.
        * yarr/YarrCanonicalizeUCS2.cpp: Added.
            - New - autogenerated, UCS2 canonicalized comparison tables.
        * yarr/YarrCanonicalizeUCS2.h: Added.
        (JSC::Yarr::rangeInfoFor):
            - Look up the canonicalization info for a UCS2 character.
        (JSC::Yarr::getCanonicalPair):
            - For a UCS2 character with a single equivalent value, look it up.
        (JSC::Yarr::isCanonicallyUnique):
            - Returns true if no other UCS2 code points are canonically equal.
        (JSC::Yarr::areCanonicallyEquivalent):
            - Compare two values, under canonicalization rules.
        * yarr/YarrCanonicalizeUCS2.js: Added.
            - script used to generate YarrCanonicalizeUCS2.cpp.
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::tryConsumeBackReference):
            - Use isCanonicallyUnique, rather than Unicode toUpper/toLower.
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
            - Use isCanonicallyUnique, rather than Unicode toUpper/toLower.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::putChar):
            - Updated to determine canonical equivalents correctly.
        (JSC::Yarr::CharacterClassConstructor::putUnicodeIgnoreCase):
            - Added, used to put a non-ascii, non-unique character in a case-insensitive match.
        (JSC::Yarr::CharacterClassConstructor::putRange):
            - Updated to determine canonical equivalents correctly.
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
            - Changed to call putUnicodeIgnoreCase, instead of putChar, avoid a double lookup of rangeInfo.

2012-03-26  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Add the build outputs dir to the list of build dirs,
        so we make sure it finds the API headers on all platforms.

        * wscript:

2012-03-26  Patrick Gansterer  <paroga@webkit.org>

        Build fix for WinCE after r112039.

        * interpreter/Register.h:
        (Register): Removed inline keyword from decleration since
                    there is an ALWAYS_INLINE at the definition anyway.

2012-03-26  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files.

2012-03-25  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Move WTF to its own static lib build.

        * wscript:

2012-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFG int-to-double conversion should be revealed to CSE
        https://bugs.webkit.org/show_bug.cgi?id=82135

        Reviewed by Oliver Hunt.
        
        This introduces the notion of an Int32ToDouble node, which is injected
        into the graph anytime we know that we have a double use of a node that
        was predicted integer. The Int32ToDouble simplifies double speculation
        on integers by skipping the path that would unbox doubles, if we know
        that the value is already proven to be an integer. It allows integer to
        double conversions to be subjected to common subexpression elimination
        (CSE) by allowing the CSE phase to see where these conversions are
        occurring. Finally, it allows us to see when a constant is being used
        as both a double and an integer. This is a bit odd, since it means that
        sometimes a double use of a constant will not refer directly to the
        constant. This should not cause problems, for now, but it may require
        some canonizalization in the future if we want to support strength
        reductions of double operations based on constants.
        
        To allow injection of nodes into the graph, this change introduces the
        DFG::InsertionSet, which is a way of lazily inserting elements into a
        list. This allows the FixupPhase to remain O(N) despite performing
        multiple injections in a single basic block. Without the InsertionSet,
        each injection would require performing an insertion into a vector,
        which is O(N), leading to O(N^2) performance overall. With the
        InsertionSet, each injection simply records what insertion would have
        been performed, and all insertions are performed at once (via
        InsertionSet::execute) after processing of a basic block is completed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PredictedType.h:
        (JSC::isActionableIntMutableArrayPrediction):
        (JSC):
        (JSC::isActionableFloatMutableArrayPrediction):
        (JSC::isActionableTypedMutableArrayPrediction):
        (JSC::isActionableMutableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.h:
        (JSC::DFG::useKindToString):
        (DFG):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (FixupPhase):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGInsertionSet.h: Added.
        (DFG):
        (Insertion):
        (JSC::DFG::Insertion::Insertion):
        (JSC::DFG::Insertion::index):
        (JSC::DFG::Insertion::element):
        (InsertionSet):
        (JSC::DFG::InsertionSet::InsertionSet):
        (JSC::DFG::InsertionSet::append):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFGOperands should be moved out of the DFG and into bytecode
        https://bugs.webkit.org/show_bug.cgi?id=82151

        Reviewed by Dan Bernstein.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Operands.h: Copied from Source/JavaScriptCore/dfg/DFGOperands.h.
        * dfg/DFGBasicBlock.h:
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOperands.h: Removed.
        * dfg/DFGVariableAccessData.h:

2012-03-24  Filip Pizlo  <fpizlo@apple.com>

        DFG 64-bit Branch implementation should not be creating a JSValueOperand that
        it isn't going to use
        https://bugs.webkit.org/show_bug.cgi?id=82136

        Reviewed by Geoff Garen.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):

2012-03-24  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Fix the build after WTF move.

        * wscript:

2012-03-23  Filip Pizlo  <fpizlo@apple.com>

        DFG double voting may be overzealous in the case of variables that end up
        being used as integers
        https://bugs.webkit.org/show_bug.cgi?id=82008

        Reviewed by Oliver Hunt.
        
        Cleaned up propagation, making the intent more explicit in most places.
        Back-propagate NodeUsedAsInt for cases where a node was used in a context
        that is known to strongly prefer integers.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):

2012-03-24  Filip Pizlo  <fpizlo@apple.com>

        DFG::Node::shouldNotSpeculateInteger() should be eliminated
        https://bugs.webkit.org/show_bug.cgi?id=82123

        Reviewed by Geoff Garen.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

2012-03-24  Yong Li  <yoli@rim.com>

        Increase getByIdSlowCase ConstantSpace/InstructionSpace for CPU(ARM_TRADITIONAL)
        https://bugs.webkit.org/show_bug.cgi?id=81521

        Increase sequenceGetByIdSlowCaseConstantSpace and sequenceGetByIdSlowCaseInstructionSpace
        for CPU(ARM_TRADITIONAL) to fit actual need.

        Reviewed by Oliver Hunt.

        * jit/JIT.h:
        (JIT):

2012-03-23  Filip Pizlo  <fpizlo@apple.com>

        DFG Fixup should be able to short-circuit trivial ValueToInt32's
        https://bugs.webkit.org/show_bug.cgi?id=82030

        Reviewed by Michael Saboff.
        
        Takes the fixup() method of the prediction propagation phase and makes it
        into its own phase. Adds the ability to short-circuit trivial ValueToInt32
        nodes, and mark pure ValueToInt32's as such.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCommon.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp: Added.
        (DFG):
        (FixupPhase):
        (JSC::DFG::FixupPhase::FixupPhase):
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::performFixup):
        * dfg/DFGFixupPhase.h: Added.
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (PredictionPropagationPhase):

2012-03-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        tryReallocate could break the zero-ed memory invariant of CopiedBlocks
        https://bugs.webkit.org/show_bug.cgi?id=82087

        Reviewed by Filip Pizlo.

        Removing this optimization turned out to be ~1% regression on kraken, so I simply 
        undid the modification to the current block if we fail.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryReallocate): Undid the reset in the CopiedAllocator if we fail 
        to reallocate from the current block.

2012-03-23  Alexey Proskuryakov  <ap@apple.com>

        [Mac] No need for platform-specific ENABLE_BLOB values
        https://bugs.webkit.org/show_bug.cgi?id=82102

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2012-03-23  Michael Saboff  <msaboff@apple.com>

        DFG::compileValueToInt32 Sometime Generates GPR to FPR reg back to GPR
        https://bugs.webkit.org/show_bug.cgi?id=81805

        Reviewed by Filip Pizlo.

        Added SpeculativeJIT::checkGeneratedType() to determine the current format
        of an operand.  Used that information in SpeculativeJIT::compileValueToInt32
        to generate code that will use integer and JSValue types in integer
        format directly without a conversion to double.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkGeneratedType):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT.h:
        (DFG):
        (SpeculativeJIT):

2012-03-23  Steve Falkenburg  <sfalken@apple.com>

        Update Apple Windows build files for WTF move
        https://bugs.webkit.org/show_bug.cgi?id=82069

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Removed WTF and WTFGenerated.

2012-03-23  Dean Jackson  <dino@apple.com>

        Disable CSS_SHADERS in Apple builds
        https://bugs.webkit.org/show_bug.cgi?id=81996

        Reviewed by Simon Fraser.

        Remove ENABLE_CSS_SHADERS from FeatureDefines. It's now in Platform.h.

        * Configurations/FeatureDefines.xcconfig:

2012-03-23  Gavin Barraclough  <barraclough@apple.com>

        RexExp constructor last match properties should not rely on previous ovector
        https://bugs.webkit.org/show_bug.cgi?id=82077

        Reviewed by Oliver Hunt.

        This change simplifies matching, and will enable subpattern results to be fully lazily generated in the future.

        This patch changes the scheme used to lazily generate the last match properties of the RegExp object.
        Instead of relying on the results in the ovector, we can instead lazily generate the subpatters using
        a RegExpMatchesArray. To do so we just need to store the input, the regexp matched, and the match
        location (the MatchResult). When the match is accessed or the input is set, we reify results. We use
        a special value of setting the saved result to MatchResult::failed() to indicated that we're in a
        reified state. This means that next time a match is performed, the store of the result will
        automatically blow away the reified value.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added new files.
        * runtime/RegExp.cpp:
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
            - changed 'subPattern' -> 'subpattern' (there was a mix in JSC, 'subpattern' was more common).
        * runtime/RegExpCachedResult.cpp: Added.
        (JSC::RegExpCachedResult::visitChildren):
        (JSC::RegExpCachedResult::lastResult):
        (JSC::RegExpCachedResult::setInput):
            - New methods, mark GC objects, lazily create the matches array, and record a user provided input (via assignment to RegExp.inupt).
        * runtime/RegExpCachedResult.h: Added.
        (RegExpCachedResult):
            - Added new class.
        (JSC::RegExpCachedResult::RegExpCachedResult):
        (JSC::RegExpCachedResult::record):
        (JSC::RegExpCachedResult::input):
            - Initialize the object, record the result of a RegExp match, access the stored input property.
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
            - Initialize m_result/m_multiline properties.
        (JSC::RegExpConstructor::visitChildren):
            - Make sure the cached results (or lazy source for them) are marked.
        (JSC::RegExpConstructor::getBackref):
        (JSC::RegExpConstructor::getLastParen):
        (JSC::RegExpConstructor::getLeftContext):
        (JSC::RegExpConstructor::getRightContext):
            - Moved from RegExpConstructor, moved to RegExpCachedResult, and using new caching scheme.
        (JSC::regExpConstructorInput):
        (JSC::setRegExpConstructorInput):
            - Changed to use RegExpCachedResult.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        (RegExpConstructor):
        (JSC::RegExpConstructor::setMultiline):
        (JSC::RegExpConstructor::multiline):
            - Move multiline property onto the constructor object; it is not affected by the last match.
        (JSC::RegExpConstructor::setInput):
        (JSC::RegExpConstructor::input):
            - These defer to RegExpCachedResult.
        (JSC::RegExpConstructor::performMatch):
        * runtime/RegExpMatchesArray.cpp: Added.
        (JSC::RegExpMatchesArray::visitChildren):
            - Eeeep! added missing visitChildren!
        (JSC::RegExpMatchesArray::finishCreation):
        (JSC::RegExpMatchesArray::reifyAllProperties):
        (JSC::RegExpMatchesArray::reifyMatchProperty):
            - Moved from RegExpConstructor.cpp.
        (JSC::RegExpMatchesArray::leftContext):
        (JSC::RegExpMatchesArray::rightContext):
            - Since the match start/
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):
            - Declare new methods & structure flags.
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
            - performMatch now requires the JSString input, to cache.
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
            - performMatch now requires the JSString input, to cache.

2012-03-23  Tony Chang  <tony@chromium.org>

        [chromium] rename newwtf target back to wtf
        https://bugs.webkit.org/show_bug.cgi?id=82064

        Reviewed by Adam Barth.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-03-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Simplify memory usage tracking in CopiedSpace
        https://bugs.webkit.org/show_bug.cgi?id=80705

        Reviewed by Filip Pizlo.

        * heap/CopiedAllocator.h:
        (CopiedAllocator): Rename currentUtilization to currentSize.
        (JSC::CopiedAllocator::currentCapacity):
        * heap/CopiedBlock.h:
        (CopiedBlock):
        (JSC::CopiedBlock::payload): Move the implementation of payload() out of the class
        declaration.
        (JSC):
        (JSC::CopiedBlock::size): Add new function to calculate the block's size.
        (JSC::CopiedBlock::capacity): Ditto for capacity.
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace): Remove old bogus memory stats fields and add a new
        field for the water mark.
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::tryAllocateSlowCase): When we fail to allocate from the current 
        block, we need to update our current water mark with the size of the block.
        (JSC::CopiedSpace::tryAllocateOversize): When we allocate a new oversize block, we 
        need to update our current water mark with the size of the used portion of the block.
        (JSC::CopiedSpace::tryReallocate): We don't need to update the water mark when 
        reallocating because it will either get accounted for when we fill up the block later 
        in the case of being able to reallocate in the current block or it will get picked up 
        immediately because we'll have to get a new block.
        (JSC::CopiedSpace::tryReallocateOversize): We do, however, need to update in when 
        realloc-ing an oversize block because we deallocate the old block and allocate a brand 
        new one.
        (JSC::CopiedSpace::doneFillingBlock): Update the water mark as blocks are returned to 
        the CopiedSpace by the SlotVisitors.
        (JSC::CopiedSpace::doneCopying): Add in any pinned blocks to the water mark.
        (JSC::CopiedSpace::getFreshBlock): We use the Heap's new function to tell us whether or 
        not we should collect now instead of doing the calculation ourself.
        (JSC::CopiedSpace::destroy):
        (JSC):
        (JSC::CopiedSpace::size): Manually calculate the size of the CopiedSpace, similar to how 
        MarkedSpace does.
        (JSC::CopiedSpace::capacity): Ditto for capacity.
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::waterMark):
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::startedCopying): Reset water mark to 0 when we start copying during a 
        collection.
        (JSC::CopiedSpace::allocateNewBlock):
        (JSC::CopiedSpace::fitsInBlock):
        (JSC::CopiedSpace::allocateFromBlock):
        * heap/Heap.cpp:
        (JSC::Heap::size): Incorporate size of CopiedSpace into the total size of the Heap.
        (JSC::Heap::capacity): Ditto for capacity.
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::shouldCollect): New function for other sub-parts of the Heap to use to 
        determine whether they should initiate a collection or continue to allocate new blocks.
        (JSC):
        (JSC::Heap::waterMark): Now is the sum of the water marks of the two sub-parts of the
        Heap (MarkedSpace and CopiedSpace).
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase): Changed to use the Heap's new shouldCollect() function.

2012-03-23  Ryosuke Niwa  <rniwa@webkit.org>

        BitVector::resizeOutOfLine doesn't memset when converting an inline buffer
        https://bugs.webkit.org/show_bug.cgi?id=82012

        Reviewed by Filip Pizlo.

        Initialize out-of-line buffers while extending an inline buffer. Also export symbols to be used in WebCore.

        * wtf/BitVector.cpp:
        (WTF::BitVector::resizeOutOfLine):
        * wtf/BitVector.h:
        (BitVector):
        (OutOfLineBits):

2012-03-22  Michael Saboff  <msaboff@apple.com>

        ExecutableAllocator::memoryPressureMultiplier() might can return NaN
        https://bugs.webkit.org/show_bug.cgi?id=82002

        Reviewed by Filip Pizlo.

        Guard against divide by zero and then make sure the return
        value is >= 1.0.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::memoryPressureMultiplier):

2012-03-22  Jessie Berlin  <jberlin@apple.com>

        Windows build fix after r111778.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        Don't include and try to build files owned by WTF.
        Also, let VS have its way with the vcproj in terms of file ordering.

2012-03-22  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        [CMake] Unreviewed build fix after r111778.

        * CMakeLists.txt: Move ${WTF_DIR} after ${JAVASCRIPTCORE_DIR} in
        the include paths so that the right config.h is used.

2012-03-22  Tony Chang  <tony@chromium.org>

        Unreviewed, fix chromium build after wtf move.

        Remove old wtf_config and wtf targets.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-03-22  Martin Robinson  <mrobinson@igalia.com>

        Fixed the GTK+ WTF/JavaScriptCore build after r111778.

        * GNUmakefile.list.am: Removed an extra trailing backslash.

2012-03-22  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * Configurations/JavaScriptCore.xcconfig: Tell the linker to pull in all members from static libraries
        rather than only those that contain symbols that JavaScriptCore itself uses.
        * JavaScriptCore.xcodeproj/project.pbxproj: Remove some bogus settings that crept in to the Xcode project.

2012-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG NodeFlags has some duplicate code and naming issues
        https://bugs.webkit.org/show_bug.cgi?id=81975

        Reviewed by Gavin Barraclough.
        
        Removed most references to "ArithNodeFlags" since those are now just part
        of the node flags. Fixed some renaming goofs (EdgedAsNum is once again
        NodeUsedAsNum). Got rid of setArithNodeFlags() and mergeArithNodeFlags()
        because the former was never called and the latter did the same things as
        mergeFlags().

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (Node):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):

2012-03-22  Eric Seidel  <eric@webkit.org>

        Actually move WTF files to their new home
        https://bugs.webkit.org/show_bug.cgi?id=81844

        Unreviewed.  The details of the port-specific changes
        have been seen by contributors from those ports, but
        the whole 5MB change isn't very reviewable as-is.

        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h:
        * JavaScriptCore.gypi:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:

2012-03-22  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Adding Source/WTF to the build.

        * wscript:

2012-03-22  Gavin Barraclough  <barraclough@apple.com>

        Add JSValue::isFunction
        https://bugs.webkit.org/show_bug.cgi?id=81935

        Reviewed by Geoff Garen.

        This would be useful in the WebCore bindings code.
        Also, remove asFunction, replace with jsCast<JSFunction*>.

        * API/JSContextRef.cpp:
        * debugger/Debugger.cpp:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfFunctionConstant):
        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::isInlineCallFrameSlow):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sort):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        * runtime/JSFunction.h:
        (JSC):
        (JSC::asJSFunction):
        (JSC::JSValue::isFunction):
        * runtime/JSGlobalData.cpp:
        (WTF::Recompiler::operator()):
        (JSC::JSGlobalData::releaseExecutableMemory):
        * runtime/JSValue.h:
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):

2012-03-21  Filip Pizlo  <fpizlo@apple.com>

        DFG speculation on booleans should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=81840

        Reviewed by Gavin Barraclough.
        
        This removes isKnownBoolean() and replaces it with AbstractState-based
        optimization, and cleans up the control flow in code gen methods for
        Branch and LogicalNot. Also fixes a goof in Node::shouldSpeculateNumber,
        and removes isKnownNotBoolean() since that method appeared to be a
        helper used solely by 32_64's speculateBooleanOperation().
        
        This is performance-neutral.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNumber):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-21  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * wtf/MetaAllocator.h:
        (MetaAllocator): Export the destructor.

2012-03-21  Eric Seidel  <eric@webkit.org>

        Fix remaining WTF includes in JavaScriptCore in preparation for moving WTF headers out of JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=81834

        Reviewed by Adam Barth.

        * jsc.cpp:
        * os-win32/WinMain.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/TimeoutChecker.cpp:
        * testRegExp.cpp:
        * tools/CodeProfiling.cpp:

2012-03-21  Eric Seidel  <eric@webkit.org>

        WTF::MetaAllocator has a weak vtable (discovered when building wtf as a static library)
        https://bugs.webkit.org/show_bug.cgi?id=81838

        Reviewed by Geoffrey Garen.

        My understanding is that weak vtables happen when the compiler/linker cannot
        determine which compilation unit should constain the vtable.  In this case
        because there were only pure virtual functions as well as an "inline"
        virtual destructor (thus the virtual destructor was defined in many compilation
        units).  Since you can't actually "inline" a virtual function (it still has to
        bounce through the vtable), the "inline" on this virutal destructor doesn't
        actually help performance, and is only serving to confuse the compiler here.
        I've moved the destructor implementation to the .cpp file, thus making
        it clear to the compiler where the vtable should be stored, and solving the error.

        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::~MetaAllocator):
        (WTF):
        * wtf/MetaAllocator.h:

2012-03-20  Gavin Barraclough  <barraclough@apple.com>

        RegExpMatchesArray should not copy the ovector
        https://bugs.webkit.org/show_bug.cgi?id=81742

        Reviewed by Michael Saboff.

        Currently, all RegExpMatchesArray object contain Vector<int, 32>, used to hold any sub-pattern results.
        This makes allocation/construction/destruction of these objects more expensive. Instead, just store the
        main match, and recreate the sub-pattern ranges only if necessary (these are often only used for grouping,
        and the results never accessed).
        If the main match (index 0) of the RegExpMatchesArray is accessed, reify that value alone.

        * dfg/DFGOperations.cpp:
            - RegExpObject match renamed back to test (test returns a bool).
        * runtime/RegExpConstructor.cpp:
        (JSC):
            - Removed RegExpResult, RegExpMatchesArray constructor, destroy method.
        (JSC::RegExpMatchesArray::finishCreation):
            - Removed RegExpConstructorPrivate parameter.
        (JSC::RegExpMatchesArray::reifyAllProperties):
            - (Was fillArrayInstance) Reify all properties of the RegExpMatchesArray.
            If there are sub-pattern properties, the RegExp is re-run to generate their values.
        (JSC::RegExpMatchesArray::reifyMatchProperty):
            - Reify just the match (index 0) property of the RegExpMatchesArray.
        * runtime/RegExpConstructor.h:
        (RegExpConstructor):
        (JSC::RegExpConstructor::performMatch):
            - performMatch now returns a MatchResult, rather than using out-parameters.
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
            - Moved from .cpp, stores the input/regExp/result to use when lazily reifying properties.
        (RegExpMatchesArray):
        (JSC::RegExpMatchesArray::create):
            - Now passed the input string matched against, the RegExp, and the MatchResult.
        (JSC::RegExpMatchesArray::reifyAllPropertiesIfNecessary):
        (JSC::RegExpMatchesArray::reifyMatchPropertyIfNecessary):
            - Helpers to conditionally reify properties.
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
        (JSC::RegExpMatchesArray::put):
        (JSC::RegExpMatchesArray::putByIndex):
        (JSC::RegExpMatchesArray::deleteProperty):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyNames):
        (JSC::RegExpMatchesArray::defineOwnProperty):
            - Changed to use reifyAllPropertiesIfNecessary/reifyMatchPropertyIfNecessary
            (getOwnPropertySlotByIndex calls reifyMatchPropertyIfNecessary if index is 0).
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
            - match now returns a MatchResult.
        * runtime/RegExpObject.h:
        (JSC::MatchResult::MatchResult):
            - Added the result of a match is a start & end tuple.
        (JSC::MatchResult::failed):
            - A failure is indicated by (notFound, 0).
        (JSC::MatchResult::operator bool):
            - Evaluates to false if the match failed.
        (JSC::MatchResult::empty):
            - Evaluates to true if the match succeeded with length 0.
        (JSC::RegExpObject::test):
            - Now returns a bool.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
            - RegExpObject match renamed back to test (test returns a bool).
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
            - performMatch now returns a MatchResult, rather than using out-parameters.

2012-03-21  Hojong Han  <hojong.han@samsung.com>

        Fix out of memory by allowing overcommit
        https://bugs.webkit.org/show_bug.cgi?id=81743

        Reviewed by Geoffrey Garen.

        Garbage collection is not triggered and new blocks are added
        because overcommit is allowed by MAP_NORESERVE flag when high water mark is big enough.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2012-03-21  Jessie Berlin  <jberlin@apple.com>

        More Windows build fixing.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        Fix the order of the include directories to look in include/private first before looking
        in include/private/JavaScriptCore.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        Look in the Production output directory (where the wtf headers will be). This is the same
        thing that is done for jsc and testRegExp in ReleasePGO.

2012-03-21  Jessie Berlin  <jberlin@apple.com>

        WTF headers should be in $(ConfigurationBuildDir)\include\private\wtf, not
        $(ConfigurationBuildDir)\include\private\JavaScriptCore\wtf.
        https://bugs.webkit.org/show_bug.cgi?id=81739

        Reviewed by Dan Bernstein.

        * JavaScriptCore.vcproj/jsc/jsc.vcproj:
        Look for AtomicString.cpp, StringBuilder.cpp, StringImpl.cpp, and WTFString.cpp in the wtf
        subdirectory of the build output, not the JavaScriptCore/wtf subdirectory.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj:
        Ditto.

        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops:
        Get the headers for those 4 files from the wtf subdirectory of the build output, not the
        JavaScriptCore/wtf subdirectory.
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:
        Ditto.

2012-03-20  Eric Seidel  <eric@webkit.org>

        Move wtf/Platform.h from JavaScriptCore to Source/WTF/wtf
        https://bugs.webkit.org/show_bug.cgi?id=80911

        Reviewed by Adam Barth.

        Update the various build systems to depend on Source/WTF headers
        as well as remove references to Platform.h (since it's now moved).

        * CMakeLists.txt:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:

2012-03-20  Filip Pizlo  <fpizlo@apple.com>

        op_mod fails on many interesting corner cases
        https://bugs.webkit.org/show_bug.cgi?id=81648

        Reviewed by Oliver Hunt.
        
        Removed most strength reduction for op_mod, and fixed the integer handling
        to do the right thing for corner cases. Oddly, this revealed bugs in OSR,
        which this patch also fixes.
        
        This patch is performance neutral on all of the major benchmarks we track.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC):
        * jit/JITStubs.h:
        (TrampolineStructure):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LowLevelInterpreter64.asm:
        * wtf/Platform.h:
        * wtf/SimpleStats.h:
        (WTF::SimpleStats::variance):

2012-03-20  Steve Falkenburg  <sfalken@apple.com>

        Windows (make based) build fix.
        <rdar://problem/11069015>

        * JavaScriptCore.vcproj/JavaScriptCore.make: devenv /rebuild doesn't work with JavaScriptCore.vcproj. Use /clean and /build instead.

2012-03-20  Steve Falkenburg  <sfalken@apple.com>

        Move WTF-related Windows project files out of JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=80680

        This change only moves the vcproj and related files from JavaScriptCore/JavaScriptCore.vcproj/WTF.
        It does not move any source code. This is in preparation for the WTF source move out of
        JavaScriptCore.

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln:
        * JavaScriptCore.vcproj/WTF: Removed.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Removed.
        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.make: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.vcproj: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFPostBuild.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/WTFPreBuild.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/WTFProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/build-generated-files.sh: Removed.
        * JavaScriptCore.vcproj/WTF/copy-files.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/work-around-vs-dependency-tracking-bugs.py: Removed.

2012-03-20  Benjamin Poulain  <bpoulain@apple.com>

        Cache the type string of JavaScript object
        https://bugs.webkit.org/show_bug.cgi?id=81446

        Reviewed by Geoffrey Garen.

        Instead of creating the JSString every time, we create
        lazily the strings in JSGlobalData.

        This avoid the construction of the StringImpl and of the JSString,
        which gives some performance improvements.

        * runtime/CommonIdentifiers.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::toStringSlowCase):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::finalizeSmallStrings):
        (JSC::SmallStrings::initialize):
        (JSC):
        * runtime/SmallStrings.h:
        (SmallStrings):

2012-03-20  Oliver Hunt  <oliver@apple.com>

        Allow LLINT to work even when executable allocation fails.
        https://bugs.webkit.org/show_bug.cgi?id=81693

        Reviewed by Gavin Barraclough.

        Don't crash if executable allocation fails if we can fall back on LLINT

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2012-03-20  Csaba Osztrogonác  <ossy@webkit.org>

        Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1
        https://bugs.webkit.org/show_bug.cgi?id=81428

        32 bit buildfix after r111355.

        2147483648 (2^31) isn't valid int literal in ISO C90, because 2147483647 (2^31-1) is the biggest int.
        The smallest int is -2147483648 (-2^31) == -2147483647 - 1  == -INT32_MAX-1 == INT32_MIN (stdint.h).

        Reviewed by Zoltan Herczeg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):

2012-03-19  Jochen Eisinger  <jochen@chromium.org>

        Split WTFReportBacktrace into WTFReportBacktrace and WTFPrintBacktrace
        https://bugs.webkit.org/show_bug.cgi?id=80983

        Reviewed by Darin Adler.

        This allows printing a backtrace acquired by an earlier WTFGetBacktrace
        call which is useful for local debugging.

        * wtf/Assertions.cpp:
        * wtf/Assertions.h:

2012-03-19  Benjamin Poulain  <benjamin@webkit.org>

        Do not copy the script source in the SourceProvider, just reference the existing string
        https://bugs.webkit.org/show_bug.cgi?id=81466

        Reviewed by Geoffrey Garen.

        * parser/SourceCode.h: Remove the unused, and incorrect, function data().
        * parser/SourceProvider.h: Add OVERRIDE for clarity.

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        Division optimizations fail to infer cases of truncated division and
        mishandle -2147483648/-1
        https://bugs.webkit.org/show_bug.cgi?id=81428
        <rdar://problem/11067382>

        Reviewed by Oliver Hunt.

        If you're a division over integers and you're only used as an integer, then you're
        an integer division and remainder checks become unnecessary. If you're dividing
        -2147483648 by -1, don't crash.

        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::add32):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter64.asm:

2012-03-19  Benjamin Poulain  <bpoulain@apple.com>

        Simplify SmallStrings
        https://bugs.webkit.org/show_bug.cgi?id=81445

        Reviewed by Gavin Barraclough.

        SmallStrings had two methods that should not be public: count() and clear().

        The method clear() is effectively replaced by finalizeSmallStrings(). The body
        of the method was moved to the constructor since the code is obvious.

        The method count() is unused.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        * runtime/SmallStrings.h:
        (SmallStrings):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG can no longer compile V8-v4/regexp in debug mode
        https://bugs.webkit.org/show_bug.cgi?id=81592

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagation for UInt32ToNumber incorrectly assumes that outs outcome does not
        change throughout the fixpoint
        https://bugs.webkit.org/show_bug.cgi?id=81583

        Reviewed by Michael Saboff.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        GC should not attempt to clear LLInt instruction inline caches for code blocks that are in
        the process of being generated
        https://bugs.webkit.org/show_bug.cgi?id=81565

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):

2012-03-19  Eric Seidel  <eric@webkit.org>

        Fix WTF header include discipline in Chromium WebKit
        https://bugs.webkit.org/show_bug.cgi?id=81281

        Reviewed by James Robinson.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * wtf/unicode/icu/CollatorICU.cpp:

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG NodeUse should be called Edge and NodeReferenceBlob should be called AdjacencyList
        https://bugs.webkit.org/show_bug.cgi?id=81556

        Rubber stamped by Gavin Barraclough.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::forNode):
        * dfg/DFGAdjacencyList.h: Copied from Source/JavaScriptCore/dfg/DFGNodeReferenceBlob.h.
        (JSC::DFG::AdjacencyList::AdjacencyList):
        (JSC::DFG::AdjacencyList::child):
        (JSC::DFG::AdjacencyList::setChild):
        (JSC::DFG::AdjacencyList::child1):
        (JSC::DFG::AdjacencyList::child2):
        (JSC::DFG::AdjacencyList::child3):
        (JSC::DFG::AdjacencyList::setChild1):
        (JSC::DFG::AdjacencyList::setChild2):
        (JSC::DFG::AdjacencyList::setChild3):
        (JSC::DFG::AdjacencyList::child1Unchecked):
        (JSC::DFG::AdjacencyList::initialize):
        (AdjacencyList):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::performSubstitution):
        * dfg/DFGEdge.h: Copied from Source/JavaScriptCore/dfg/DFGNodeUse.h.
        (DFG):
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::operator==):
        (JSC::DFG::Edge::operator!=):
        (Edge):
        (JSC::DFG::operator==):
        (JSC::DFG::operator!=):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::operator[]):
        (JSC::DFG::Graph::at):
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        (Graph):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child1Unchecked):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (Node):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::arithNodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        * dfg/DFGNodeReferenceBlob.h: Removed.
        * dfg/DFGNodeUse.h: Removed.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::at):
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::use):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        Object.freeze broken on latest Nightly
        https://bugs.webkit.org/show_bug.cgi?id=80577

        Reviewed by Oliver Hunt.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
            - defineOwnProperty was checking for correct behaviour, provided that length/callee hadn't
            been overrridden. instead, just reify length/callee & rely on JSObject::defineOwnProperty.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
            - for arguments/caller/length properties, defineOwnProperty was incorrectly asserting that
            the object must be extensible; this is incorrect since these properties should already exist
            on the object. In addition, it was asserting that the arguments/caller values must match the
            corresponding magic data properties, but for strict mode function this is incorrect. Instead,
            just reify the arguments/caller accessor & defer to JSObject::defineOwnProperty.

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        LLInt get_by_pname slow path incorrectly assumes that the operands are not constants
        https://bugs.webkit.org/show_bug.cgi?id=81559

        Reviewed by Michael Saboff.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2012-03-19  Yong Li  <yoli@rim.com>

        [BlackBerry] Implement OSAllocator::commit/decommit in the correct way
        https://bugs.webkit.org/show_bug.cgi?id=77013

        We should use mmap(PROT_NONE, MAP_LAZY) instead of posix_madvise() to
        implement memory decommitting for QNX.

        Reviewed by Rob Buis.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - revent a couple of files accidentally committed.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):

2012-03-19  Jessie Berlin  <jberlin@apple.com>

        Another Windows build fix after r111129.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-19  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        Cross-platform processor core counter: fix build on FreeBSD.
        https://bugs.webkit.org/show_bug.cgi?id=81482

        Reviewed by Zoltan Herczeg.

        The documentation of sysctl(3) shows that <sys/types.h> should be
        included before <sys/sysctl.h> (sys/types.h tends to be the first
        included header in general).

        This should fix the build on FreeBSD and other systems where
        sysctl.h really depends on types defined in types.h.

        * wtf/NumberOfCores.cpp:

2012-03-19  Jessie Berlin  <jberlin@apple.com>

        Windows build fix after r111129.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        JSCallbackFunction::toStringCallback/valueOfCallback do not handle 0 return value from convertToType
        https://bugs.webkit.org/show_bug.cgi?id=81468 <rdar://problem/11034745>

        Reviewed by Oliver Hunt.

        The API specifies that convertToType may opt not to handle a conversion:
            "@result The objects's converted value, or NULL if the object was not converted."
        In which case, it would propagate first up the JSClass hierarchy, calling its superclass's
        conversion functions, and failing that call the JSObject::defaultValue function.

        Unfortunately this behaviour was removed in bug#69677/bug#69858, and instead we now rely on
        the toStringCallback/valueOfCallback function introduced in bug#69156. Even after a fix in
        bug#73368, these will return the result from the first convertToType they find, regardless
        of whether this result is null, and if no convertToType method is found in the api class
        hierarchy (possible if toStringCallback/valueOfCallback was accessed off the prototype
        chain), they will also return a null pointer. This is unsafe.

        It would be easy to make the approach based around toStringCallback/valueOfCallback continue
        to walk the api class hierarchy, but making the fallback to defaultValue would be problematic
        (since defaultValue calls toStringCallback/valueOfCallback, this would infinitely recurse).
        Making the fallback work with toString/valueOf methods attached to api objects is probably
        not the right thing to do – instead, we should just implement the defaultValue trap for api
        objects.

        In addition, this bug highlights that fact that JSCallbackFunction::call will allow a hard
        null to be returned from C to JavaScript - this is not okay. Handle with an exception.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call):
            - Should be null checking the return value.
        (JSC):
            - Remove toStringCallback/valueOfCallback.
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
            - Remove toStringCallback/valueOfCallback.
        * API/JSCallbackObject.h:
        (JSCallbackObject):
            - Add defaultValue mthods to JSCallbackObject.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::defaultValue):
            - Add defaultValue mthods to JSCallbackObject.
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
            - Remove toStringCallback/valueOfCallback.
        * API/tests/testapi.js:
            - Revert this test, now we no longer artificially introduce a toString method onto the api object.

2012-03-18  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        [EFL] Include ICU_INCLUDE_DIRS when building.
        https://bugs.webkit.org/show_bug.cgi?id=81483

        Reviewed by Daniel Bates.

        So far, only the ICU libraries were being included when building
        JavaScriptCore, however the include path is also needed, otherwise the
        build will fail when ICU is installed into a non-standard location.

        * PlatformEfl.cmake: Include ${ICU_INCLUDE_DIRS}.

2012-03-17  Gavin Barraclough  <barraclough@apple.com>

        Strength reduction, RegExp.exec -> RegExp.test
        https://bugs.webkit.org/show_bug.cgi?id=81459

        Reviewed by Sam Weinig.

        RegExp.prototype.exec & RegExp.prototype.test can both be used to test a regular
        expression for a match against a string - however exec is more expensive, since
        it allocates a matches array object. In cases where the result is consumed in a
        boolean context the allocation of the matches array can be trivially elided.

        For example:
            function f()
            {
                for (i =0; i < 10000000; ++i)
                    if(!/a/.exec("a"))
                        err = true;
            }

        This is a 2.5x speedup on this example microbenchmark loop.

        In a more advanced form of this optimization, we may be able to avoid allocating
        the array where access to the array can be observed.

        * create_hash_table:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jsc.cpp:
        (GlobalObject::addConstructableFunction):
        * runtime/Intrinsic.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC):
        * runtime/JSFunction.h:
        (JSFunction):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (RegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):

2012-03-16  Michael Saboff  <msaboff@apple.com>

        Improve diagnostic benefit of JSGlobalData::m_isInitializingObject
        https://bugs.webkit.org/show_bug.cgi?id=81244

        Rubber stamped by Filip Pizlo.

        Changed type and name of JSGlobalData::m_isInitializingObject to
        ClassInfo* and m_initializingObjectClass.
        Changed JSGlobalData::setInitializingObject to
        JSGlobalData::setInitializingObjectClass.  This pointer can be used within 
        the debugger to determine what type of object is being initialized.
        
        * runtime/JSCell.h:
        (JSC::JSCell::finishCreation):
        (JSC::allocateCell):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::isInitializingObject):
        (JSC::JSGlobalData::setInitializingObjectClass):
        * runtime/Structure.h:
        (JSC::JSCell::finishCreation):

2012-03-16  Mark Rowe  <mrowe@apple.com>

        Build fix. Do not preserve owner and group information when installing the WTF headers.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-15  David Dorwin  <ddorwin@chromium.org>

        Make the array pointer parameters in the Typed Array create() methods const.
        https://bugs.webkit.org/show_bug.cgi?id=81147

        Reviewed by Kenneth Russell.

        This allows const arrays to be passed to these methods.
        They use PassRefPtr<Subclass> create(), which already has a const parameter.

        * wtf/Int16Array.h:
        (Int16Array):
        (WTF::Int16Array::create):
        * wtf/Int32Array.h:
        (Int32Array):
        (WTF::Int32Array::create):
        * wtf/Int8Array.h:
        (Int8Array):
        (WTF::Int8Array::create):
        * wtf/Uint16Array.h:
        (Uint16Array):
        (WTF::Uint16Array::create):
        * wtf/Uint32Array.h:
        (Uint32Array):
        (WTF::Uint32Array::create):
        * wtf/Uint8Array.h:
        (Uint8Array):
        (WTF::Uint8Array::create):
        * wtf/Uint8ClampedArray.h:
        (Uint8ClampedArray):
        (WTF::Uint8ClampedArray::create):

2012-03-15  Myles Maxfield  <mmaxfield@google.com>

        CopiedSpace::tryAllocateOversize assumes system page size
        https://bugs.webkit.org/show_bug.cgi?id=80615

        Reviewed by Geoffrey Garen.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateOversize):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::oversizeBlockFor):
        * wtf/BumpPointerAllocator.h:
        (WTF::BumpPointerPool::create):
        * wtf/StdLibExtras.h:
        (WTF::roundUpToMultipleOf):

2012-03-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing Windows build breakage

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-15  Patrick Gansterer  <paroga@webkit.org>

        [EFL] Make zlib a general build requirement
        https://bugs.webkit.org/show_bug.cgi?id=80153

        Reviewed by Hajime Morita.

        After r109538 WebSocket module needs zlib to support deflate-frame extension.

        * wtf/Platform.h:

2012-03-15  Benjamin Poulain  <bpoulain@apple.com>

        NumericStrings should be inlined
        https://bugs.webkit.org/show_bug.cgi?id=81183

        Reviewed by Gavin Barraclough.

        NumericStrings is not always inlined. When it is not, the class is not faster
        than using UString::number() directly.

        * runtime/NumericStrings.h:
        (JSC::NumericStrings::add):
        (JSC::NumericStrings::lookupSmallString):

2012-03-15  Andras Becsi  <andras.becsi@nokia.com>

        Fix ARM build after r110792.

        Unreviewed build fix.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        Remove superfluous curly brackets.

2012-03-15  Gavin Barraclough  <barraclough@apple.com>

        ARMv7: prefer vmov(gpr,gpr->double) over vmov(gpr->single)
        https://bugs.webkit.org/show_bug.cgi?id=81256

        Reviewed by Oliver Hunt.

        This is a 0.5% sunspider progression.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::convertInt32ToDouble):
            - switch which form of vmov we use.

2012-03-15  YoungTaeck Song  <youngtaeck.song@samsung.com>

        [EFL] Add OwnPtr specialization for Ecore_Timer.
        https://bugs.webkit.org/show_bug.cgi?id=80119

        Reviewed by Hajime Morita.

        Add an overload for deleteOwnedPtr(Ecore_Timer*) on EFL port.

        * wtf/OwnPtrCommon.h:
        (WTF):
        * wtf/efl/OwnPtrEfl.cpp:
        (WTF::deleteOwnedPtr):
        (WTF):

2012-03-15  Hojong Han  <hojong.han@samsung.com>

        Linux has madvise enough to support OSAllocator::commit/decommit
        https://bugs.webkit.org/show_bug.cgi?id=80505

        Reviewed by Geoffrey Garen.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):

2012-03-15  Steve Falkenburg  <sfalken@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops:
        * JavaScriptCore.vcproj/WTF/copy-files.cmd:
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:

2012-03-15  Steve Falkenburg  <sfalken@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj:

2012-03-15  Kevin Ollivier  <kevino@theolliviers.com>

        Move wx port to using export macros
        https://bugs.webkit.org/show_bug.cgi?id=77279

        Reviewed by Hajime Morita.

        * wscript:
        * wtf/Platform.h:

2012-03-14  Benjamin Poulain  <bpoulain@apple.com>

        Avoid StringImpl::getData16SlowCase() when sorting array
        https://bugs.webkit.org/show_bug.cgi?id=81070

        Reviewed by Geoffrey Garen.

        The function codePointCompare() is used intensively when sorting strings.
        This patch improves its performance by:
        -Avoiding character conversion.
        -Inlining the function.

        This makes Peacekeeper's arrayCombined test 30% faster.

        * wtf/text/StringImpl.cpp:
        * wtf/text/StringImpl.h:
        (WTF):
        (WTF::codePointCompare):
        (WTF::codePointCompare8):
        (WTF::codePointCompare16):
        (WTF::codePointCompare8To16):

2012-03-14  Hojong Han  <hojong.han@samsung.com>

        Fix memory allocation failed by fastmalloc
        https://bugs.webkit.org/show_bug.cgi?id=79614

        Reviewed by Geoffrey Garen.

        Memory allocation failed even if the heap grows successfully.
        It is wrong to get the span only from the large list after the heap grows,
        because new span could be added in the normal list.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::New):

2012-03-14  Hojong Han  <hojong.han@samsung.com>

        Run cacheFlush page by page to assure of flushing all the requested ranges
        https://bugs.webkit.org/show_bug.cgi?id=77712

        Reviewed by Geoffrey Garen.

        Current MetaAllocator concept, always coalesces adjacent free spaces,
        doesn't meet memory management of Linux kernel.
        In a certain case Linux kernel doesn't regard contiguous virtual memory areas as one but two.
        Therefore cacheFlush page by page guarantees a flush-requested range.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):

2012-03-14  Oliver Hunt  <oliver@apple.com>

        Make ARMv7 work again
        https://bugs.webkit.org/show_bug.cgi?id=81157

        Reviewed by Geoffrey Garen.

        We were trying to use the ARMv7 dataRegister as a scratch register in a scenario
        where we the ARMv7MacroAssembler would also try to use dataRegister for its own
        nefarious purposes.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::store32):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):

2012-03-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::destroy leaks CopiedSpace
        https://bugs.webkit.org/show_bug.cgi?id=81055

        Reviewed by Geoffrey Garen.

        Added a destroy() function to CopiedSpace that moves all normal size 
        CopiedBlocks from the CopiedSpace to the Heap's list of free blocks 
        as well as deallocates all of the oversize blocks in the CopiedSpace. 
        This function is now called in Heap::destroy().

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::destroy):
        (JSC):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/Heap.cpp:
        (JSC::Heap::destroy):

2012-03-14  Andrew Lo  <anlo@rim.com>

        [BlackBerry] Implement REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR using AnimationFrameRateController
        https://bugs.webkit.org/show_bug.cgi?id=81000

        Enable WTF_USE_REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR for BlackBerry.

        Reviewed by Antonio Gomes.

        * wtf/Platform.h:

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        ValueToInt32 speculation will cause OSR exits even when it does not have to
        https://bugs.webkit.org/show_bug.cgi?id=81068
        <rdar://problem/11043926>

        Reviewed by Anders Carlsson.
        
        Two related changes:
        1) ValueToInt32 will now always just defer to the non-speculative path, instead
           of exiting, if it doesn't know what speculations to perform.
        2) ValueToInt32 will speculate boolean if it sees this to be profitable.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBoolean):
        (Node):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        More Windows build fixing

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Windows build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Type conversion of exponential part failed
        https://bugs.webkit.org/show_bug.cgi?id=80673

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp:
        (JSC::::lex):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        (JSC):
        (JSC::jsStrDecimalLiteral): Added another template argument that exposes whether or not
        we accept trailing junk to clients of jsStrDecimalLiteral. Also added additional template 
        parameter for strtod to allow trailing spaces.
        (JSC::toDouble):
        (JSC::parseFloat): Accept trailing junk, as per the ECMA 262 spec (15.1.2.3).
        * runtime/LiteralParser.cpp:
        (JSC::::Lexer::lexNumber):
        * tests/mozilla/expected.html: Update the expected page for run-javascriptcore-tests so that 
        we will run ecma/TypeConversion/9.3.1-3.js as a regression test now.
        * wtf/dtoa.cpp:
        (WTF):
        (WTF::strtod): We also needed to sometimes accept trailing spaces to pass a few other tests that were 
        broken by changing the default allowance of trailing junk in jsStrDecimalLiteral.
        * wtf/dtoa.h:
        * wtf/dtoa/double-conversion.cc: When the AdvanceToNonspace function was lifted out of the 
        Chromium codebase, the person porting it only thought to check for spaces when skipping whitespace.
        A few of our JSC tests check for other types of trailing whitespace, so I've added checks for those 
        here to cover those cases (horizontal tab, vertical tab, carriage return, form feed, and line feed).
        * wtf/text/WTFString.cpp:
        (WTF::toDoubleType): Disallow trailing spaces, as this breaks form input verification stuff.

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix since is_pod<> includes some header that I didn't know about.
        Removing the assert for now.

        * dfg/DFGOperations.h:
        * llint/LLIntSlowPaths.h:

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Functions with C linkage should return POD types
        https://bugs.webkit.org/show_bug.cgi?id=81061

        Reviewed by Mark Rowe.

        * dfg/DFGOperations.h:
        * llint/LLIntSlowPaths.h:
        (LLInt):
        (SlowPathReturnType):
        (JSC::LLInt::encodeResult):

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Loads from UInt32Arrays should not result in a double up-convert if it isn't necessary
        https://bugs.webkit.org/show_bug.cgi?id=80979
        <rdar://problem/11036848>

        Reviewed by Oliver Hunt.
        
        Also improved DFG IR dumping to include type information in a somewhat more
        intuitive way.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToAbbreviatedString):
        (JSC):
        * bytecode/PredictedType.h:
        (JSC):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):

2012-03-13  George Staikos  <staikos@webkit.org>

        The callback is only used if SA_RESTART is defined.  Compile it out
        otherwise to avoid a warning.
        https://bugs.webkit.org/show_bug.cgi?id=80926

        Reviewed by Alexey Proskuryakov.

        * heap/MachineStackMarker.cpp:
        (JSC):

2012-03-13  Hojong Han  <hojong.han@samsung.com>

        Dump the generated code for ARM_TRADITIONAL
        https://bugs.webkit.org/show_bug.cgi?id=80975

        Reviewed by Gavin Barraclough.

        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::dumpCode):

2012-03-13  Adam Barth  <abarth@webkit.org> && Benjamin Poulain  <bpoulain@apple.com>

        Always enable ENABLE(CLIENT_BASED_GEOLOCATION)
        https://bugs.webkit.org/show_bug.cgi?id=78853

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2012-03-13  Kwonjin Jeong  <gram@company100.net>

        Remove SlotVisitor::copy() method.
        https://bugs.webkit.org/show_bug.cgi?id=80973

        Reviewed by Geoffrey Garen.

        SlotVisitor::copy() method isn't called anywhere.

        * heap/MarkStack.cpp: Remove definition of SlotVisitor::copy() method.
        * heap/SlotVisitor.h: Remove declaration of SlotVisitor::copy() method.

2012-03-12  Hojong Han  <hojong.han@samsung.com>

        Fix test cases for RegExp multiline
        https://bugs.webkit.org/show_bug.cgi?id=80822

        Reviewed by Gavin Barraclough.

        * tests/mozilla/js1_2/regexp/RegExp_multiline.js:
        * tests/mozilla/js1_2/regexp/RegExp_multiline_as_array.js:
        * tests/mozilla/js1_2/regexp/beginLine.js:
        * tests/mozilla/js1_2/regexp/endLine.js:

2012-03-12  Filip Pizlo  <fpizlo@apple.com>

        Arithmetic use inference should be procedure-global and should run in tandem
        with type propagation
        https://bugs.webkit.org/show_bug.cgi?id=80819
        <rdar://problem/11034006>

        Reviewed by Gavin Barraclough.
        
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArithNodeFlagsInferencePhase.cpp: Removed.
        * dfg/DFGArithNodeFlagsInferencePhase.h: Removed.
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::flags):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeFlags):

2012-03-12  Filip Pizlo  <fpizlo@apple.com>

        Node::op and Node::flags should be private
        https://bugs.webkit.org/show_bug.cgi?id=80824
        <rdar://problem/11033435>

        Reviewed by Gavin Barraclough.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::execute):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        (JSC::DFG::AbstractState::mergeToSuccessors):
        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        (JSC::DFG::ArithNodeFlagsInferencePhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::injectLazyOperandPrediction):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::flushArgument):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::isJSConstant):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::linkBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::byValIsPure):
        (JSC::DFG::CSEPhase::clobbersWorld):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getScopeChainLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::addShouldSpeculateInteger):
        (JSC::DFG::Graph::negateShouldSpeculateInteger):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGNode.cpp: Removed.
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::Node::Node):
        (Node):
        (JSC::DFG::Node::op):
        (JSC::DFG::Node::flags):
        (JSC::DFG::Node::setOp):
        (JSC::DFG::Node::setFlags):
        (JSC::DFG::Node::mergeFlags):
        (JSC::DFG::Node::filterFlags):
        (JSC::DFG::Node::clearFlags):
        (JSC::DFG::Node::setOpAndDefaultFlags):
        (JSC::DFG::Node::mustGenerate):
        (JSC::DFG::Node::isConstant):
        (JSC::DFG::Node::isWeakConstant):
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::hasVariableAccessData):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveGlobalDataIndex):
        (JSC::DFG::Node::hasArithNodeFlags):
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::setArithNodeFlag):
        (JSC::DFG::Node::mergeArithNodeFlags):
        (JSC::DFG::Node::hasConstantBuffer):
        (JSC::DFG::Node::hasRegexpIndex):
        (JSC::DFG::Node::hasVarNumber):
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::hasInt32Result):
        (JSC::DFG::Node::hasNumberResult):
        (JSC::DFG::Node::hasJSResult):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::isJump):
        (JSC::DFG::Node::isBranch):
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasFunctionCheckData):
        (JSC::DFG::Node::hasStructureTransitionData):
        (JSC::DFG::Node::hasStructureSet):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::hasFunctionDeclIndex):
        (JSC::DFG::Node::hasFunctionExprIndex):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        * dfg/DFGNodeFlags.cpp: Copied from Source/JavaScriptCore/dfg/DFGNode.cpp.
        * dfg/DFGNodeFlags.h: Added.
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        (JSC::DFG::nodeCanTruncateInteger):
        (JSC::DFG::nodeCanIgnoreNegativeZero):
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeCanSpeculateInteger):
        * dfg/DFGNodeType.h: Added.
        (DFG):
        (JSC::DFG::defaultFlags):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGRedundantPhiEliminationPhase.cpp:
        (JSC::DFG::RedundantPhiEliminationPhase::run):
        (JSC::DFG::RedundantPhiEliminationPhase::replacePhiChild):
        (JSC::DFG::RedundantPhiEliminationPhase::updateBlockVariableInformation):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-03-12  Laszlo Gombos  <laszlo.1.gombos@nokia.com>

        Minor DataLog fixes
        https://bugs.webkit.org/show_bug.cgi?id=80826

        Reviewed by Andreas Kling.

        * bytecode/ExecutionCounter.cpp:
        Do not include DataLog.h, it is not used.
        
        * jit/ExecutableAllocator.cpp:
        Ditto.

        * wtf/DataLog.cpp:
        (WTF::initializeLogFileOnce):
        Add missing semi-colon to the code path where DATA_LOG_FILENAME is defined.

        * wtf/HashTable.cpp:
        Include DataLog as it is used.

2012-03-12  SangGyu Lee  <sg5.lee@samsung.com>

        Integer overflow check code in arithmetic operation in classic interpreter
        https://bugs.webkit.org/show_bug.cgi?id=80465

        Reviewed by Gavin Barraclough.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2012-03-12  Zeno Albisser  <zeno@webkit.org>

        [Qt][Mac] Build fails after enabling LLINT when JIT is disabled (r109863)
        https://bugs.webkit.org/show_bug.cgi?id=80827

        Qt on Mac uses OS(DARWIN) as well, but we do not want to enable LLINT.

        Reviewed by Simon Hausmann.

        * wtf/Platform.h:

2012-03-12  Simon Hausmann  <simon.hausmann@nokia.com>

        Unreviewed prospective Qt/Mac build fix

        * runtime/JSGlobalData.cpp: use #USE(CF) instead of PLATFORM(MAC) to determine
        whether to include CoreFoundation headers, used for JIT configuration in JSGlobalData
        constructor.

2012-03-12  Filip Pizlo  <fpizlo@apple.com>

        All DFG nodes should have a mutable set of flags
        https://bugs.webkit.org/show_bug.cgi?id=80779
        <rdar://problem/11026218>

        Reviewed by Gavin Barraclough.
        
        Got rid of NodeId, and placed all of the flags that distinguished NodeId
        from NodeType into a separate Node::flags field. Combined what was previously
        ArithNodeFlags into Node::flags.
        
        In the process of debugging, I found that the debug support in the virtual
        register allocator was lacking, so I improved it. I also realized that the
        virtual register allocator was assuming that the nodes in a basic block were
        contiguous, which is no longer the case. So I fixed that. The fix also made
        it natural to have more extreme assertions, so I added them. I suspect this
        will make it easier to catch virtual register allocation bugs in the future.
        
        This is mostly performance neutral; if anything it looks like a slight
        speed-up.
        
        This patch does leave some work for future refactorings; for example, Node::op
        is unencapsulated. This was already the case, though now it feels even more
        like it should be. I avoided doing that because this patch has already grown
        way bigger than I wanted.
        
        Finally, this patch creates a DFGNode.cpp file and makes a slight effort to
        move some unnecessarily inline stuff out of DFGNode.h.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArithNodeFlagsInferencePhase.cpp:
        (JSC::DFG::ArithNodeFlagsInferencePhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::endIndexForPureCSE):
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::clobbersWorld):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (CSEPhase):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::opName):
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGNode.cpp: Added.
        (DFG):
        (JSC::DFG::arithNodeFlagsAsString):
        * dfg/DFGNode.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        (JSC::DFG::nodeCanTruncateInteger):
        (JSC::DFG::nodeCanIgnoreNegativeZero):
        (JSC::DFG::nodeMayOverflow):
        (JSC::DFG::nodeCanSpeculateInteger):
        (JSC::DFG::defaultFlags):
        (JSC::DFG::Node::Node):
        (Node):
        (JSC::DFG::Node::setOpAndDefaultFlags):
        (JSC::DFG::Node::mustGenerate):
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::setArithNodeFlag):
        (JSC::DFG::Node::mergeArithNodeFlags):
        (JSC::DFG::Node::hasResult):
        (JSC::DFG::Node::hasInt32Result):
        (JSC::DFG::Node::hasNumberResult):
        (JSC::DFG::Node::hasJSResult):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::isJump):
        (JSC::DFG::Node::isBranch):
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGScoreBoard.h:
        (ScoreBoard):
        (JSC::DFG::ScoreBoard::~ScoreBoard):
        (JSC::DFG::ScoreBoard::assertClear):
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2012-03-10  Filip Pizlo  <fpizlo@apple.com>

        LLInt should support JSVALUE64
        https://bugs.webkit.org/show_bug.cgi?id=79609
        <rdar://problem/10063437>

        Reviewed by Gavin Barraclough and Oliver Hunt.
        
        Ported the LLInt, which previously only worked on 32-bit, to 64-bit. This
        patch moves a fair bit of code from LowLevelInterpreter32_64.asm to the common
        file, LowLevelInterpreter.asm. About 1/3 of the LLInt did not have to be
        specialized for value representation.
        
        Also made some minor changes to offlineasm and the slow-paths.

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntEntrypoints.cpp:
        * llint/LLIntSlowPaths.cpp:
        (LLInt):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::jitCompileAndSetHeuristics):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        (SlowPathReturnType):
        (JSC::LLInt::SlowPathReturnType::SlowPathReturnType):
        (JSC::LLInt::encodeResult):
        * llint/LLIntThunks.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/armv7.rb:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:
        * offlineasm/parser.rb:
        * offlineasm/registers.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:
        * wtf/Platform.h:

2012-03-10  Yong Li  <yoli@rim.com>

        Web Worker crashes with WX_EXCLUSIVE
        https://bugs.webkit.org/show_bug.cgi?id=80532

        Let each JS global object own a meta allocator
        for WX_EXCLUSIVE to avoid conflicts from Web Worker.
        Also fix a mutex leak in MetaAllocator's dtor.

        Reviewed by Filip Pizlo.

        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::~DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesAllocatedByAllAllocators):
        (DemandExecutableAllocator):
        (JSC::DemandExecutableAllocator::bytesCommittedByAllocactors):
        (JSC::DemandExecutableAllocator::dumpProfileFromAllAllocators):
        (JSC::DemandExecutableAllocator::allocateNewSpace):
        (JSC::DemandExecutableAllocator::allocators):
        (JSC::DemandExecutableAllocator::allocatorsMutex):
        (JSC):
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocator.h:
        (JSC):
        (ExecutableAllocator):
        (JSC::ExecutableAllocator::allocator):
        * wtf/MetaAllocator.h:
        (WTF::MetaAllocator::~MetaAllocator): Finalize the spin lock.
        * wtf/TCSpinLock.h:
        (TCMalloc_SpinLock::Finalize): Add empty Finalize() to some implementations.

2012-03-09  Gavin Barraclough  <barraclough@apple.com>

        Object.freeze broken on latest Nightly
        https://bugs.webkit.org/show_bug.cgi?id=80577

        Reviewed by Oliver Hunt.

        The problem here is that deleteProperty rejects deletion of prototype.
        This is correct in most cases, however defineOwnPropery is presently
        implemented internally to ensure the attributes change by deleting the
        old property, and creating a new one.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::deleteProperty):
            - If deletePropery is called via defineOwnPropery, allow old prototype to be removed.

2012-03-09  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype.toLocaleString visits elements in wrong order under certain conditions
        https://bugs.webkit.org/show_bug.cgi?id=80663

        Reviewed by Michael Saboff.

        The bug here is actually that we're continuing to process the array after an exception
        has been thrown, and that the second value throw is overriding the first.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):

2012-03-09  Ryosuke Niwa  <rniwa@webkit.org>

        WebKit compiled by gcc (Xcode 3.2.6) hangs while running DOM/Accessors.html
        https://bugs.webkit.org/show_bug.cgi?id=80080

        Reviewed by Filip Pizlo.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingRegion::Locker::Locker):
        (JSC::SamplingRegion::Locker::~Locker):
        * bytecode/SamplingTool.h:
        (JSC::SamplingRegion::exchangeCurrent):
        * wtf/Atomics.h:
        (WTF):
        (WTF::weakCompareAndSwap):
        (WTF::weakCompareAndSwapUIntPtr):

2012-03-09  Gavin Barraclough  <barraclough@apple.com>

        REGRESSION: Date.parse("Tue Nov 23 20:40:05 2010 GMT") returns NaN
        https://bugs.webkit.org/show_bug.cgi?id=49989

        Reviewed by Oliver Hunt.

        Patch originally by chris reiss <christopher.reiss@nokia.com>,
        allow the year to appear before the timezone in date strings.

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters):

2012-03-09  Mark Rowe  <mrowe@apple.com>

        Ensure that the WTF headers are copied at installhdrs time.

        Reviewed by Dan Bernstein and Jessie Berlin.

        * Configurations/JavaScriptCore.xcconfig: Set INSTALLHDRS_SCRIPT_PHASE = YES
        so that our script phases are invoked at installhdrs time. The only one that
        does any useful work at that time is the one that installs WTF headers.

2012-03-09  Jon Lee  <jonlee@apple.com>

        Add support for ENABLE(LEGACY_NOTIFICATIONS)
        https://bugs.webkit.org/show_bug.cgi?id=80497

        Reviewed by Adam Barth.

        Prep for b80472: Update API for Web Notifications
        * Configurations/FeatureDefines.xcconfig:

2012-03-09  Ashod Nakashian  <ashodnakashian@yahoo.com>

        Bash scripts should support LF endings only
        https://bugs.webkit.org/show_bug.cgi?id=79509

        Reviewed by David Kilzer.

        * gyp/generate-derived-sources.sh: Added property svn:eol-style.
        * gyp/run-if-exists.sh: Added property svn:eol-style.
        * gyp/update-info-plist.sh: Added property svn:eol-style.

2012-03-09  Jessie Berlin  <jberlin@apple.com>

        Windows debug build fix.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        Fix unreachable code warnings (which we treat as errors).

2012-03-09  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Reviewed by Zoltan Herczeg.

        [Qt] Fix the SH4 build after r109834
        https://bugs.webkit.org/show_bug.cgi?id=80492

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branchAdd32):
        (JSC::MacroAssemblerSH4::branchSub32):

2012-03-09  Andy Wingo  <wingo@igalia.com>

        Refactor code feature analysis in the parser
        https://bugs.webkit.org/show_bug.cgi?id=79112

        Reviewed by Geoffrey Garen.

        This commit refactors the parser to more uniformly propagate flag
        bits down and up the parse process, as the parser descends and
        returns into nested blocks.  Some flags get passed town to
        subscopes, some apply to specific scopes only, and some get
        unioned up after parsing subscopes.

        The goal is to eventually be very precise with scoping
        information, once we have block scopes: one block scope might use
        `eval', which would require the emission of a symbol table within
        that block and containing blocks, whereas another block in the
        same function might not, allowing us to not emit a symbol table.

        * parser/Nodes.h:
        (JSC::ScopeFlags): Rename from CodeFeatures.
        (JSC::ScopeNode::addScopeFlags):
        (JSC::ScopeNode::scopeFlags): New accessors for m_scopeFlags.
        (JSC::ScopeNode::isStrictMode):
        (JSC::ScopeNode::usesEval):
        (JSC::ScopeNode::usesArguments):
        (JSC::ScopeNode::setUsesArguments):
        (JSC::ScopeNode::usesThis):
        (JSC::ScopeNode::needsActivationForMoreThanVariables):
        (JSC::ScopeNode::needsActivation): Refactor these accessors to
        operate on the m_scopeFlags member.
        (JSC::ScopeNode::source):
        (JSC::ScopeNode::sourceURL):
        (JSC::ScopeNode::sourceID): Shuffle these definitions around; no
        semantic change.
        (JSC::ScopeNode::ScopeNode)
        (JSC::ProgramNode::ProgramNode)
        (JSC::EvalNode::EvalNode)
        (JSC::FunctionBodyNode::FunctionBodyNode): Have these constructors
        take a ScopeFlags as an argument, instead of a bool inStrictContext.

        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::EvalNode):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::create): Adapt constructors to change.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::ASTBuilder):
        (JSC::ASTBuilder::thisExpr):
        (JSC::ASTBuilder::createResolve):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::createTryStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::addVar):
        (JSC::ASTBuilder::Scope::Scope):
        (Scope):
        (ASTBuilder):
        (JSC::ASTBuilder::makeFunctionCallNode): Don't track scope
        features here.  Instead rely on the base Parser mechanism to track
        features.

        * parser/NodeInfo.h (NodeInfo, NodeDeclarationInfo): "ScopeFlags".

        * parser/Parser.h:
        (JSC::Scope::Scope): Manage scope through flags, not
        bit-booleans.  This lets us uniformly propagate them up and down.
        (JSC::Scope::declareWrite):
        (JSC::Scope::declareParameter):
        (JSC::Scope::useVariable):
        (JSC::Scope::collectFreeVariables):
        (JSC::Scope::getCapturedVariables):
        (JSC::Scope::saveFunctionInfo):
        (JSC::Scope::restoreFunctionInfo):
        (JSC::Parser::pushScope): Adapt to use scope flags and their
        accessors instead of bit-booleans.
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseInner):
        (JSC::::didFinishParsing):
        (JSC::::parseSourceElements):
        (JSC::::parseVarDeclarationList):
        (JSC::::parseConstDeclarationList):
        (JSC::::parseWithStatement):
        (JSC::::parseTryStatement):
        (JSC::::parseFunctionBody):
        (JSC::::parseFunctionInfo):
        (JSC::::parseFunctionDeclaration):
        (JSC::::parsePrimaryExpression): Hoist some of the flag handling
        out of the "context" (ASTBuilder or SyntaxChecker) and to here.
        Does not seem to have a performance impact.

        * parser/SourceProviderCacheItem.h (SourceProviderCacheItem):
        Cache the scopeflags.
        * parser/SyntaxChecker.h: Remove evalCount() decl.

        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::usesEval):
        (JSC::ScriptExecutable::usesArguments):
        (JSC::ScriptExecutable::needsActivation):
        (JSC::ScriptExecutable::isStrictMode):
        (JSC::ScriptExecutable::recordParse):
        (ScriptExecutable): ScopeFlags, not features.

2012-03-08  Benjamin Poulain  <bpoulain@apple.com>

        Build fix for MSVC after r110266

        Unreviewed. A #ifdef for MSVC was left over in r110266.

        * runtime/RegExpObject.h:
        (RegExpObject):

2012-03-08  Benjamin Poulain  <bpoulain@apple.com>

        Allocate the RegExpObject's data with the Cell
        https://bugs.webkit.org/show_bug.cgi?id=80654

        Reviewed by Gavin Barraclough.

        This patch removes the creation of RegExpObject's data to avoid the overhead
        create by the allocation and destruction.

        We RegExp are created repeatedly, this provides some performance improvment.
        The PeaceKeeper test stringDetectBrowser improves by 10%.

        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::visitChildren):
        (JSC::RegExpObject::getOwnPropertyDescriptor):
        (JSC::RegExpObject::defineOwnProperty):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::setRegExp):
        (JSC::RegExpObject::regExp):
        (JSC::RegExpObject::setLastIndex):
        (JSC::RegExpObject::getLastIndex):
        (RegExpObject):

2012-03-08  Steve Falkenburg  <sfalken@apple.com>

        Separate WTF parts of JavaScriptCoreGenerated into WTFGenerated for Windows build
        https://bugs.webkit.org/show_bug.cgi?id=80657
        
        Preparation for WTF separation from JavaScriptCore.
        The "Generated" vcproj files on Windows are necessary so Visual Studio can calculate correct
        dependencies for generated files.
        
        This also removes the PGO build targets from the WTF code, since we can't build instrumentation/optimization
        versions of the WTF code independent of the JavaScriptCore code.

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Add WTFGenerated, update dependent projects.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/build-generated-files.sh: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: Removed WTF specific parts.
        * JavaScriptCore.vcproj/JavaScriptCore/work-around-vs-dependency-tracking-bugs.py: Removed.
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Add WTFGenerated, update dependent projects.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Remove PGO targets from WTF.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.make: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.vcproj: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedCommon.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedCommon.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebug.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugAll.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugCairoCFLite.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedProduction.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedRelease.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedReleaseCairoCFLite.vsprops: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops.
        * JavaScriptCore.vcproj/WTF/WTFReleasePGO.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/build-generated-files.sh: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/build-generated-files.sh.
        * JavaScriptCore.vcproj/WTF/copy-files.cmd: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd.
        * JavaScriptCore.vcproj/WTF/work-around-vs-dependency-tracking-bugs.py: Copied from Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/work-around-vs-dependency-tracking-bugs.py.

2012-03-08  Benjamin Poulain  <benjamin@webkit.org>

        Fix the build of WebKit with WTFURL following the removal of ForwardingHeaders/wtf
        https://bugs.webkit.org/show_bug.cgi?id=80652

        Reviewed by Eric Seidel.

        Fix the header, URLSegments.h is not part of the API.

        * wtf/url/api/ParsedURL.h:

2012-03-08  Ryosuke Niwa  <rniwa@webkit.org>

        Mac build fix for micro data API.

        * Configurations/FeatureDefines.xcconfig:

2012-03-08  Gavin Barraclough  <barraclough@apple.com>

        String.prototype.match and replace do not clear global regexp lastIndex per ES5.1 15.5.4.10
        https://bugs.webkit.org/show_bug.cgi?id=26890

        Reviewed by Oliver Hunt.

        Per 15.10.6.2 step 9.a.1 called via the action of the last iteration of 15.5.4.10 8.f.i.

        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
            - added calls to setLastIndex.

2012-03-08  Matt Lilek  <mrl@apple.com>

        Don't enable VIDEO_TRACK on all OS X platforms
        https://bugs.webkit.org/show_bug.cgi?id=80635

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2012-03-08  Oliver Hunt  <oliver@apple.com>

        Build fix.  That day is not today.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):

2012-03-08  Oliver Hunt  <oliver@apple.com>

        Build fix. One of these days I'll manage to commit something that works everywhere.

        * assembler/AbstractMacroAssembler.h:
        (AbstractMacroAssembler):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):
        (MacroAssemblerX86Common):

2012-03-08  Chao-ying Fu  <fu@mips.com>

        Update MIPS patchOffsetGetByIdSlowCaseCall
        https://bugs.webkit.org/show_bug.cgi?id=80302

        Reviewed by Oliver Hunt.

        * jit/JIT.h:
        (JIT):

2012-03-08  Oliver Hunt  <oliver@apple.com>

        Missing some places where we should be blinding 64bit values (and blinding something we shouldn't)
        https://bugs.webkit.org/show_bug.cgi?id=80633

        Reviewed by Gavin Barraclough.

        Add 64-bit trap for shouldBlindForSpecificArch, so that we always blind
        if there isn't a machine specific implementation (otherwise the 64bit value
        got truncated and 32bit checks were used -- leaving 32bits untested).
        Also add a bit of logic to ensure that we don't try to blind a few common
        constants that go through the ImmPtr paths -- encoded numeric JSValues and
        unencoded doubles with common "safe" values.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindDouble):
        (MacroAssembler):
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):

2012-03-08  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/11012572> Ensure that the staged frameworks path is in the search path for JavaScriptCore

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2012-03-08  Steve Falkenburg  <sfalken@apple.com>

        Fix line endings for copy-files.cmd.
        
        If a cmd file doesn't have Windows line endings, it doesn't work properly.
        In this case, the label :clean wasn't found, breaking the clean build.
        
        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:

2012-03-07  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA incorrectly handles ValueToInt32
        https://bugs.webkit.org/show_bug.cgi?id=80568

        Reviewed by Gavin Barraclough.
        
        Changed it match exactly the decision pattern used in
        DFG::SpeculativeJIT::compileValueToInt32

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2012-03-08  Viatcheslav Ostapenko  <ostapenko.viatcheslav@nokia.com>

        [Qt] [WK2] Webkit fails to link when compiled with force_static_libs_as_shared
        https://bugs.webkit.org/show_bug.cgi?id=80524

        Reviewed by Simon Hausmann.

        Move IdentifierTable methods defintion to WTFThreadData.cpp to fix linking 
        of WTF library.

        * runtime/Identifier.cpp:
        * wtf/WTFThreadData.cpp:
        (JSC):
        (JSC::IdentifierTable::~IdentifierTable):
        (JSC::IdentifierTable::add):

2012-03-08  Filip Pizlo  <fpizlo@apple.com>

        DFG instruction count threshold should be lifted to 10000
        https://bugs.webkit.org/show_bug.cgi?id=80579

        Reviewed by Gavin Barraclough.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):

2012-03-07  Filip Pizlo  <fpizlo@apple.com>

        Incorrect tracking of abstract values of variables forced double
        https://bugs.webkit.org/show_bug.cgi?id=80566
        <rdar://problem/11001442>

        Reviewed by Gavin Barraclough.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::mergeStateAtTail):

2012-03-07  Chao-yng Fu  <fu@mips.com>

        [Qt] Fix the MIPS/SH4 build after r109834
        https://bugs.webkit.org/show_bug.cgi?id=80492

        Reviewed by Oliver Hunt.

        Implement three-argument branch(Add,Sub)32.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::add32):
        (MacroAssemblerMIPS):
        (JSC::MacroAssemblerMIPS::sub32):
        (JSC::MacroAssemblerMIPS::branchAdd32):
        (JSC::MacroAssemblerMIPS::branchSub32):

2012-03-07  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r110127.
        http://trac.webkit.org/changeset/110127
        https://bugs.webkit.org/show_bug.cgi?id=80562

        compile failed on AppleWin (Requested by ukai on #webkit).

        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/Heap.h:
        (JSC):
        (Heap):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::finalize):
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::create):
        * runtime/JSGlobalData.cpp:
        (WTF):
        (Recompiler):
        (WTF::Recompiler::operator()):
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):

2012-03-07  Hojong Han  <hojong.han@samsung.com>

        The end atom of the marked block considered to filter invalid cells
        https://bugs.webkit.org/show_bug.cgi?id=79191

        Reviewed by Geoffrey Garen.

        Register file could have stale pointers beyond the end atom of marked block.
        Those pointers can weasel out of filtering in-middle-of-cell pointer.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLiveCell):

2012-03-07  Jessie Berlin  <jberlin@apple.com>

        Clean Windows build fails after r110033
        https://bugs.webkit.org/show_bug.cgi?id=80553

        Rubber-stamped by Jon Honeycutt and Eric Seidel.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        Place the implementation files next to their header files in the wtf/text subdirectory.
        Use echo -F to tell xcopy that these are files (since there is apparently no flag).
        * JavaScriptCore.vcproj/jsc/jsc.vcproj:
        Update the path to those implementation files.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj:
        Ditto.

2012-03-07  Yuqiang Xian  <yuqiang.xian@intel.com>

        Eliminate redundant Phis in DFG
        https://bugs.webkit.org/show_bug.cgi?id=80415

        Reviewed by Filip Pizlo.

        Although this may not have any advantage at current stage, this is towards
        minimal SSA to make more high level optimizations (like bug 76770) easier.
        We have the choices either to build minimal SSA from scratch or to
        keep current simple Phi insertion mechanism and remove the redundancy
        in another phase. Currently we choose the latter because the change
        could be smaller.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGRedundantPhiEliminationPhase.cpp: Added.
        (DFG):
        (RedundantPhiEliminationPhase):
        (JSC::DFG::RedundantPhiEliminationPhase::RedundantPhiEliminationPhase):
        (JSC::DFG::RedundantPhiEliminationPhase::run):
        (JSC::DFG::RedundantPhiEliminationPhase::getRedundantReplacement):
        (JSC::DFG::RedundantPhiEliminationPhase::replacePhiChild):
        (JSC::DFG::RedundantPhiEliminationPhase::fixupPhis):
        (JSC::DFG::RedundantPhiEliminationPhase::updateBlockVariableInformation):
        (JSC::DFG::performRedundantPhiElimination):
        * dfg/DFGRedundantPhiEliminationPhase.h: Added.
        (DFG):

2012-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor recompileAllJSFunctions() to be less expensive
        https://bugs.webkit.org/show_bug.cgi?id=80330

        Reviewed by Geoffrey Garen.

        This change is performance neutral on the JS benchmarks we track. It's mostly to improve page 
        load performance, which currently does at least a couple full GCs per navigation.

        * heap/Heap.cpp:
        (JSC::Heap::discardAllCompiledCode): Rename recompileAllJSFunctions to discardAllCompiledCode 
        because the function doesn't actually recompile anything (and never did); it simply throws code
        away for it to be recompiled later if we determine we should do so.
        (JSC):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::addFunctionExecutable): Adds a newly created FunctionExecutable to the Heap's list.
        (JSC::Heap::removeFunctionExecutable): Removes the specified FunctionExecutable from the Heap's list.
        * heap/Heap.h:
        (JSC):
        (Heap):
        * runtime/Executable.cpp: Added next and prev fields to FunctionExecutables so that they can 
        be used in DoublyLinkedLists.
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::finalize): Removes the FunctionExecutable from the Heap's list.
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::create): Adds the FunctionExecutable to the Heap's list.
        * runtime/JSGlobalData.cpp: Remove recompileAllJSFunctions, as it's the Heap's job to own and manage 
        the list of FunctionExecutables.
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Use the new discardAllCompiledCode.

2012-03-06  Oliver Hunt  <oliver@apple.com>

        Further harden 64-bit JIT
        https://bugs.webkit.org/show_bug.cgi?id=80457

        Reviewed by Filip Pizlo.

        This patch implements blinding for ImmPtr.  Rather than xor based blinding
        we perform randomised pointer rotations in order to avoid the significant
        cost in executable memory that would otherwise be necessary (and to avoid
        the need for an additional scratch register in some cases).

        As with the prior blinding patch there's a moderate amount of noise as we
        correct the use of ImmPtr vs. TrustedImmPtr.

        * assembler/AbstractMacroAssembler.h:
        (ImmPtr):
        (JSC::AbstractMacroAssembler::ImmPtr::asTrustedImmPtr):
        * assembler/MacroAssembler.h:
        (MacroAssembler):
        (JSC::MacroAssembler::storePtr):
        (JSC::MacroAssembler::branchPtr):
        (JSC::MacroAssembler::shouldBlind):
        (JSC::MacroAssembler::RotatedImmPtr::RotatedImmPtr):
        (RotatedImmPtr):
        (JSC::MacroAssembler::rotationBlindConstant):
        (JSC::MacroAssembler::loadRotationBlindedConstant):
        (JSC::MacroAssembler::convertInt32ToDouble):
        (JSC::MacroAssembler::move):
        (JSC::MacroAssembler::poke):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeDouble):
        (JSC::MacroAssemblerARMv7::branchAdd32):
        * assembler/MacroAssemblerX86_64.h:
        (MacroAssemblerX86_64):
        (JSC::MacroAssemblerX86_64::rotateRightPtr):
        (JSC::MacroAssemblerX86_64::xorPtr):
        * assembler/X86Assembler.h:
        (X86Assembler):
        (JSC::X86Assembler::xorq_rm):
        (JSC::X86Assembler::rorq_i8r):
        * dfg/DFGCCallHelpers.h:
        (CCallHelpers):
        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::silentFillGPR):
        (JSC::DFG::SpeculativeJIT::callOperation):
        (JSC::DFG::SpeculativeJIT::emitEdgeCode):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillInteger):
        (JSC::DFG::SpeculativeJIT::fillDouble):
        (JSC::DFG::SpeculativeJIT::fillJSValue):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_post_inc):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        (JSC::JIT::emitGetVirtualRegister):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emit_op_ensure_property_exists):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emit_op_jmp_scopes):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_throw_reference_error):
        (JSC::JIT::emit_op_debug):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        (JSC::JIT::emit_op_new_array):
        (JSC::JIT::emitSlow_op_new_array):
        (JSC::JIT::emit_op_new_array_buffer):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_strcat):
        (JSC::JIT::emit_op_ensure_property_exists):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emit_op_jmp_scopes):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_index):
        * jit/JITStubCall.h:
        (JITStubCall):
        (JSC::JITStubCall::addArgument):

2012-03-07  Simon Hausmann  <simon.hausmann@nokia.com>

        ARM build fix.

        Reviewed by Zoltan Herczeg.

        Implement three-argument branch(Add,Sub)32.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::add32):
        (MacroAssemblerARM):
        (JSC::MacroAssemblerARM::sub32):
        (JSC::MacroAssemblerARM::branchAdd32):
        (JSC::MacroAssemblerARM::branchSub32):

2012-03-07  Andy Wingo  <wingo@igalia.com>

        Parser: Inline ScopeNodeData into ScopeNode
        https://bugs.webkit.org/show_bug.cgi?id=79776

        Reviewed by Geoffrey Garen.

        It used to be that some ScopeNode members were kept in a separate
        structure because sometimes they wouldn't be needed, and
        allocating a ParserArena was expensive.  This patch makes
        ParserArena lazily allocate its IdentifierArena, allowing the
        members to be included directly, which is simpler and easier to
        reason about.

        * parser/ParserArena.cpp:
        (JSC::ParserArena::ParserArena):
        (JSC::ParserArena::reset):
        (JSC::ParserArena::isEmpty):
        * parser/ParserArena.h:
        (JSC::ParserArena::identifierArena): Lazily allocate the
        IdentifierArena.

        * parser/Nodes.cpp:
        (JSC::ScopeNode::ScopeNode):
        (JSC::ScopeNode::singleStatement):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::create):
        * parser/Nodes.h:
        (JSC::ScopeNode::destroyData):
        (JSC::ScopeNode::needsActivationForMoreThanVariables):
        (JSC::ScopeNode::needsActivation):
        (JSC::ScopeNode::hasCapturedVariables):
        (JSC::ScopeNode::capturedVariableCount):
        (JSC::ScopeNode::captures):
        (JSC::ScopeNode::varStack):
        (JSC::ScopeNode::functionStack):
        (JSC::ScopeNode::neededConstants):
        (ScopeNode):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ScopeNode::emitStatementsBytecode): Inline ScopeNodeData
        into ScopeNode.  Adapt accessors.

2012-03-06  Eric Seidel  <eric@webkit.org>

        Make WTF public headers use fully-qualified include paths and remove ForwardingHeaders/wtf
        https://bugs.webkit.org/show_bug.cgi?id=80363

        Reviewed by Mark Rowe.

        Historically WTF has been part of JavaScriptCore, and on Mac and Windows
        its headers have appeared as part of the "private" headers exported by
        JavaScriptCore.  All of the WTF headers there are "flattened" into a single
        private headers directory, and WebCore, WebKit and WebKit2 have used "ForwardingHeaders"
        to re-map fully-qualified <wtf/text/Foo.h> includes to simple <JavaScriptCore/Foo.h> includes.

        However, very soon, we are moving the WTF source code out of JavaScriptCore into its
        own directory and project.  As part of such, the WTF headers will no longer be part of
        the JavaScriptCore private interfaces.
        In preparation for that, this change makes both the Mac and Win builds export
        WTF headers in a non-flattened manner.  On Mac, that means into usr/local/include/wtf
        (and subdirectories), on Windows for now that means JavaScriptCore/wtf (and subdirectories).

        There are 5 parts to this change.
        1.  Updates the JavaScriptCore XCode and VCProj files to actually install these headers
            (and header directories) into the appropriate places in the build directory.
        2.  Updates JavaScriptCore.xcodeproj to look for these WTF headers in this install location
            (WebCore, WebKit, etc. had already been taught to look in previous patches).
        3.  Fixes all JavaScriptCore source files, and WTF headers to include WTF headers
            using fully qualified paths.
        4.  Stops the Mac and Win builds from installing these WTF headers in their old "flattened" location.
        5.  Removes WebCore and WebKit ForwardingHeaders/wtf directories now that the flattened headers no longer exist.

        Unfortunately we see no way to do this change in smaller parts, since all of these steps are interdependant.
        It is possible there are internal Apple projects which depend on JavaScriptCore/Foo.h working for WTF
        headers, those will have to be updated to use <wtf/Foo.h> after this change.
        I've discussed this proposed change at length with Mark Rowe, and my understanding is they
        are ready for (and interested in) this change happening.

        * API/tests/JSNode.c:
        * API/tests/JSNodeList.c:
        * Configurations/Base.xcconfig:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerCodeRef.h:
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGOperations.cpp:
        * heap/GCAssertions.h:
        * heap/HandleHeap.h:
        * heap/HandleStack.h:
        * heap/MarkedSpace.h:
        * heap/PassWeak.h:
        * heap/Strong.h:
        * heap/Weak.h:
        * jit/HostCallReturnValue.cpp:
        * jit/JIT.cpp:
        * jit/JITStubs.cpp:
        * jit/ThunkGenerators.cpp:
        * parser/Lexer.cpp:
        * runtime/Completion.cpp:
        * runtime/Executable.cpp:
        * runtime/Identifier.h:
        * runtime/InitializeThreading.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSStringBuilder.h:
        * runtime/JSVariableObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/WriteBarrier.h:
        * tools/CodeProfile.cpp:
        * tools/TieredMMapArray.h:
        * wtf/AVLTree.h:
        * wtf/Alignment.h:
        * wtf/AlwaysInline.h:
        * wtf/ArrayBufferView.h:
        * wtf/Assertions.h:
        * wtf/Atomics.h:
        * wtf/Bitmap.h:
        * wtf/BoundsCheckedPointer.h:
        * wtf/CheckedArithmetic.h:
        * wtf/Deque.h:
        * wtf/ExportMacros.h:
        * wtf/FastAllocBase.h:
        * wtf/FastMalloc.h:
        * wtf/Float32Array.h:
        * wtf/Float64Array.h:
        * wtf/Functional.h:
        * wtf/HashCountedSet.h:
        * wtf/HashFunctions.h:
        * wtf/HashMap.h:
        * wtf/HashSet.h:
        * wtf/HashTable.h:
        * wtf/HashTraits.h:
        * wtf/Int16Array.h:
        * wtf/Int32Array.h:
        * wtf/Int8Array.h:
        * wtf/IntegralTypedArrayBase.h:
        * wtf/ListHashSet.h:
        * wtf/MainThread.h:
        * wtf/MetaAllocator.h:
        * wtf/Noncopyable.h:
        * wtf/OwnArrayPtr.h:
        * wtf/OwnPtr.h:
        * wtf/PackedIntVector.h:
        * wtf/ParallelJobs.h:
        * wtf/PassOwnArrayPtr.h:
        * wtf/PassOwnPtr.h:
        * wtf/PassRefPtr.h:
        * wtf/PassTraits.h:
        * wtf/Platform.h:
        * wtf/PossiblyNull.h:
        * wtf/RefCounted.h:
        * wtf/RefCountedLeakCounter.h:
        * wtf/RefPtr.h:
        * wtf/RetainPtr.h:
        * wtf/SimpleStats.h:
        * wtf/Spectrum.h:
        * wtf/StdLibExtras.h:
        * wtf/TCPageMap.h:
        * wtf/TemporaryChange.h:
        * wtf/ThreadSafeRefCounted.h:
        * wtf/Threading.h:
        * wtf/ThreadingPrimitives.h:
        * wtf/TypeTraits.h:
        * wtf/TypedArrayBase.h:
        * wtf/Uint16Array.h:
        * wtf/Uint32Array.h:
        * wtf/Uint8Array.h:
        * wtf/Uint8ClampedArray.h:
        * wtf/UnusedParam.h:
        * wtf/Vector.h:
        * wtf/VectorTraits.h:
        * wtf/dtoa/double-conversion.h:
        * wtf/dtoa/utils.h:
        * wtf/gobject/GRefPtr.h:
        * wtf/gobject/GlibUtilities.h:
        * wtf/text/AtomicString.h:
        * wtf/text/AtomicStringImpl.h:
        * wtf/text/CString.h:
        * wtf/text/StringConcatenate.h:
        * wtf/text/StringHash.h:
        * wtf/text/WTFString.h:
        * wtf/unicode/CharacterNames.h:
        * wtf/unicode/UTF8.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:
        * wtf/url/api/ParsedURL.h:
        * wtf/url/api/URLString.h:
        * wtf/wince/FastMallocWinCE.h:
        * yarr/YarrJIT.cpp:

2012-03-06  Gavin Barraclough  <barraclough@apple.com>

        Array.prototype functions should throw if delete fails
        https://bugs.webkit.org/show_bug.cgi?id=80467

        Reviewed by Oliver Hunt.

        All calls to [[Delete]] from Array.prototype are specified to pass 'true' as the value of Throw.
        In the case of shift/unshift, these are also missing a throw from the 'put' in the implementations
        in JSArray.cpp. There are effectively three copies of each of the generic shift/unshift routines,
        one in splice, one in ArrayPrototype's shift/unshift methods, and one in JSArray's shift/unshift
        routines, for handling arrays with holes. These three copies should be unified.

        * runtime/ArrayPrototype.cpp:
        (JSC::shift):
        (JSC::unshift):
            - Added - shared copies of the shift/unshift functionality.
        (JSC::arrayProtoFuncPop):
            - should throw if the delete fails.
        (JSC::arrayProtoFuncReverse):
            - should throw if the delete fails.
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
            - use shift/unshift.
        * runtime/JSArray.cpp:
        (JSC::JSArray::shiftCount):
        (JSC::JSArray::unshiftCount):
            - Don't try to handle arrays with holes; return a value indicating
              the generic routine should be used instead.
        * runtime/JSArray.h:
            - declaration for shiftCount/unshiftCount changed.
        * tests/mozilla/js1_6/Array/regress-304828.js:
            - this was asserting incorrect behaviour.

2012-03-06  Raphael Kubo da Costa  <kubo@profusion.mobi>

        [CMake] Make the removal of transitive library dependencies work with CMake < 2.8.7.
        https://bugs.webkit.org/show_bug.cgi?id=80469

        Reviewed by Antonio Gomes.

        * CMakeLists.txt: Manually set the LINK_INTERFACE_LIBRARIES target
        property on the library being created.

2012-03-06  Yuqiang Xian  <yuqiang.xian@intel.com>

        DFG BasicBlock should group the Phi nodes together and separate them
        from the other nodes
        https://bugs.webkit.org/show_bug.cgi?id=80361

        Reviewed by Filip Pizlo.

        This would make it more efficient to remove the redundant Phi nodes or
        insert new Phi nodes for SSA, besides providing a cleaner BasicBlock structure.
        This is performance neutral on SunSpider, V8 and Kraken.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::clobberStructures):
        (JSC::DFG::AbstractState::dump):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (BasicBlock):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::impureCSE):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkFunctionElimination):
        (JSC::DFG::CSEPhase::checkStructureLoadElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getScopeChainLoadElimination):
        (JSC::DFG::CSEPhase::performBlockCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        GCActivityCallback timer should vary with the length of the previous GC
        https://bugs.webkit.org/show_bug.cgi?id=80344

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp: Gave Heap the ability to keep track of the length of its last 
        GC length so that the GC Activity Callback can use it.
        (JSC::Heap::Heap):
        (JSC::Heap::collect):
        * heap/Heap.h:
       &n