[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2011-09-14  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95145.
        http://trac.webkit.org/changeset/95145
        https://bugs.webkit.org/show_bug.cgi?id=68139

        The GTK+ build is working now, so revert this trial build fix.
        (Requested by mrobinson on #webkit).

        * GNUmakefile.list.am:

2011-09-14  Patrick Gansterer  <paroga@webkit.org>

        Port MachineStackMarker to Windows ARM and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=68068

        Reviewed by Geoffrey Garen.

        Use the correct memeber of the CONTEXT struct for the stackpointer for CPU(ARM) and CPU(MIPS).
        Only query CONTEXT_INTEGER and CONTEXT_CONTROL, since CONTEXT_SEGMENTS isn't defined for
        CPU(ARM) and CPU(MIPS) and the stackpointer is defined in the CONTEXT_CONTROL section for
        CPU(ARM), CPU(X86) and CPU(X86_64) and in the CONTEXT_INTEGER section for CPU(MIPS).

        * heap/MachineStackMarker.cpp:
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):

2011-09-12  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT always speculates that ValueAdd is a numeric addition
        https://bugs.webkit.org/show_bug.cgi?id=67956

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Stop building BinarySemaphore to see if that's what's breaking the GTK+ build.

        * GNUmakefile.list.am:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        This is getting old. Yet another build fix attempt.

        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Yet another build fix attempt.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        How I &quot;love&quot; Visual Studio...

        Try to fix build again.

        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Try to fix Windows build.

        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Add BinarySemaphore class from WebKit2 to WTF
        https://bugs.webkit.org/show_bug.cgi?id=68132

        Reviewed by Sam Weinig.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        Update build systems.

        * wtf/threads: Added.
        * wtf/threads/BinarySemaphore.cpp: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.cpp.
        * wtf/threads/BinarySemaphore.h: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.h.
        * wtf/threads/win: Added.
        * wtf/threads/win/BinarySemaphoreWin.cpp: Copied from Source/WebKit2/Platform/CoreIPC/win/BinarySemaphoreWin.cpp.

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for Interpreter.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Add wtf/threads and wtf/threads/win, so we can be sure that the EWS
        bots can correctly build the patch in https://bugs.webkit.org/show_bug.cgi?id=68132

        Rubber-stamped by Sam Weinig.

        * wtf/threads: Added.
        * wtf/threads/win: Added.

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should not speculate integer if the value is always going to be
        used as a double anyway
        https://bugs.webkit.org/show_bug.cgi?id=68127

        Reviewed by Oliver Hunt.
        
        Added a ValueToDouble node, which is a variant of ValueToNumber that
        hints that it will only be used as a double and never as an integer.
        Thus, it turns off integer speculation even if the value profiler
        told us that the value source is an int. The logic for converting a
        ValueToNumber into a ValueToDouble is found in Propagator.
        
        This appears to be a 22% speed-up in imaging-darkroom.

        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::toDouble):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::fixup):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Tiered compilation heuristics do not account for value profile fullness
        https://bugs.webkit.org/show_bug.cgi?id=68116

        Reviewed by Oliver Hunt.
        
        Tiered compilation avoids invoking the DFG JIT if it finds that value
        profiles contain insufficient information. Instead, it produces a
        prediction from the current value profile, and then clears the value
        profile. This allows the value profile to heat up from scratch for
        some number of additional executions. The new profiles will then be
        merged with the previous prediction. Once the amount of information
        in predictions is enough according to heuristics in CodeBlock.cpp,
        DFG optimization is allowed to proceed.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::visitWeakReferences):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        * bytecode/ValueProfile.cpp: Added.
        (JSC::ValueProfile::computeStatistics):
        (JSC::ValueProfile::computeUpdatedPrediction):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::classInfo):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::totalNumberOfSamples):
        (JSC::ValueProfile::isLive):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfBooleans):
        (JSC::ValueProfile::dump):
        (JSC::getValueProfileBytecodeOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG should not speculate that the child of LogicalNot is a boolean if
        predictions tell us otherwise
        https://bugs.webkit.org/show_bug.cgi?id=68118

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix.  Turn off tiered compilation.

        * wtf/Platform.h:

2011-09-13  Filip Pizlo  <fpizlo@apple.com>

        Prediction tracking is not precise enough
        https://bugs.webkit.org/show_bug.cgi?id=67993

        Reviewed by Oliver Hunt.
        
        Added a richer set of type predictions, including JSFinalObject, JSString,
        object that is not a JSFinalObject or JSArray (ObjectOther), some object
        but we don't or care know what kind (SomeObject), definitely an object,
        cell that is not an object or JSString, an value that is none of the above
        (so either Undefined or Null). Made the propagator and value profiler work
        with the new types.
        
        Performance is neutral, because the DFG JIT does not take advantage of this
        new knowledge yet.
        
        In the process of writing predictionToString() (which is now considerably
        more complex) I decided to finally add a BoundsCheckedPointer, which
        should come in handy in other places, like at least the OSR scratch buffer
        and the CompactJITCodeMap. It's great for cases where you want to
        do pointer arithmetic, you want to have assertions about the
        pointer not going out of bounds, but you don't want to write those
        assertions yourself.
        
        This also required refactoring inherits(), since the ValueProfiler may
        want to do the equivalent of inherits() but given two ClassInfo's.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PredictedType.cpp: Added.
        (JSC::predictionToString):
        (JSC::makePrediction):
        (JSC::predictionFromValue):
        * bytecode/PredictedType.h:
        (JSC::isCellPrediction):
        (JSC::isObjectPrediction):
        (JSC::isFinalObjectPrediction):
        (JSC::isStringPrediction):
        (JSC::mergePredictions):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::numberOfObjects):
        (JSC::ValueProfile::numberOfFinalObjects):
        (JSC::ValueProfile::numberOfStrings):
        (JSC::ValueProfile::probabilityOfObject):
        (JSC::ValueProfile::probabilityOfFinalObject):
        (JSC::ValueProfile::probabilityOfString):
        (JSC::ValueProfile::dump):
        (JSC::ValueProfile::Statistics::Statistics):
        (JSC::ValueProfile::computeStatistics):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::isSubClassOf):
        * runtime/JSObject.h:
        (JSC::JSCell::inherits):
        * wtf/BoundsCheckedPointer.h: Added.
        (WTF::BoundsCheckedPointer::BoundsCheckedPointer):
        (WTF::BoundsCheckedPointer::operator=):
        (WTF::BoundsCheckedPointer::operator+=):
        (WTF::BoundsCheckedPointer::operator-=):
        (WTF::BoundsCheckedPointer::operator+):
        (WTF::BoundsCheckedPointer::operator-):
        (WTF::BoundsCheckedPointer::operator++):
        (WTF::BoundsCheckedPointer::operator--):
        (WTF::BoundsCheckedPointer::operator<):
        (WTF::BoundsCheckedPointer::operator<=):
        (WTF::BoundsCheckedPointer::operator>):
        (WTF::BoundsCheckedPointer::operator>=):
        (WTF::BoundsCheckedPointer::operator==):
        (WTF::BoundsCheckedPointer::operator!=):
        (WTF::BoundsCheckedPointer::operator!):
        (WTF::BoundsCheckedPointer::get):
        (WTF::BoundsCheckedPointer::operator*):
        (WTF::BoundsCheckedPointer::operator[]):
        (WTF::BoundsCheckedPointer::strcat):
        (WTF::BoundsCheckedPointer::validate):
        * wtf/CMakeLists.txt:

2011-09-14  Csaba Osztrogonác  <ossy@webkit.org>

        [Qt] Win32 builds with threads turned off
        https://bugs.webkit.org/show_bug.cgi?id=67864

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.pri: Link pthread library on Windows platform.
        * wtf/Platform.h: Enable multiple threads.

2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (6/7)
        https://bugs.webkit.org/show_bug.cgi?id=67692

        Reviewed by Geoffrey Garen.

        Completed the sixth level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        This primarily consists of pushing the calls to finishCreation() down 
        into the constructors of the subclasses of the fifth level of the hierarchy 
        as well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one.  Doing both simultaneously allows us to 
        maintain the invariant that the finishCreation() method chain is called exactly 
        once during the creation of an object, since calling it any other number of 
        times (0, 2, or more) will cause an assertion failure.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::create):
        * jsc.cpp:
        (GlobalObject::create):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        (JSC::StrictModeTypeErrorFunction::create):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):

2011-09-13  Eric Seidel  <eric@webkit.org>

        Remove ENABLE_SVG_USE as <use> is required by HTML5
        https://bugs.webkit.org/show_bug.cgi?id=68019

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2011-09-14  Iain Merrick  <husky@google.com>

        HashTraits.h should include template specialization for WTF::String
        https://bugs.webkit.org/show_bug.cgi?id=67851

        Ensure that the template specialization for HashTraits<String> is always
        picked up. (Previously it was possible to include HashSet and String but
        not the correct HashTraits, so you would get an inefficient template
        instantiation.)

        Reviewed by Darin Adler.

        * wtf/HashTraits.h:
        * wtf/text/StringHash.h:

2011-09-13  Filip Pizlo  <fpizlo@apple.com>

        SpeculativeJIT::shouldSpeculateInteger(NodeIndex, NodeIndex) should
        return false if either node can be double
        https://bugs.webkit.org/show_bug.cgi?id=67985

        Reviewed by Geoffrey Garen.
        
        This is a 17% speed-up on 3d-cube.
        
        This required allowing us to check if a constant is double but not
        integer, and making the shouldSpeculateInteger() check test for
        any hints of doubly-ness in its operands. This also required
        changing some terminology: previously "isDouble" often meant
        "isDouble or isInt32".  Now "isDouble" means exactly what the name
        suggests, and "isNumber" means "isDouble or isInt32".

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toNumber):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::isJSFormat):
        (JSC::DFG::isJSInteger):
        (JSC::DFG::isJSDouble):
        (JSC::DFG::isJSCell):
        (JSC::DFG::isJSBoolean):
        (JSC::DFG::GenerationInfo::isJSFormat):
        (JSC::DFG::GenerationInfo::isJSInteger):
        (JSC::DFG::GenerationInfo::isJSDouble):
        (JSC::DFG::GenerationInfo::isJSCell):
        (JSC::DFG::GenerationInfo::isJSBoolean):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isNumberConstant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::isKnownCell):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::isNumberConstant):
        (JSC::DFG::JITCodeGenerator::valueOfNumberConstant):
        (JSC::DFG::JITCodeGenerator::initConstantInfo):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillToJS):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isNumberConstant):
        (JSC::DFG::JITCompiler::valueOfNumberConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::isNumberConstant):
        (JSC::DFG::Node::valueOfNumberConstant):
        (JSC::DFG::Node::hasNumberResult):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):

2011-09-13  Anders Carlsson  <andersca@apple.com>

        Disable C++ exceptions when building with clang
        https://bugs.webkit.org/show_bug.cgi?id=68031
        <rdar://problem/9556880>

        Reviewed by Mark Rowe.

        * Configurations/Base.xcconfig:

2011-09-13  Eric Seidel  <eric@webkit.org>

        Remove ENABLE_SVG_FOREIGN_OBJECT as it is a required part of HTML5
        https://bugs.webkit.org/show_bug.cgi?id=68018

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2011-09-13  Sam Weinig  <sam@webkit.org>

        Object.getPrototypeOf should use JSValue::get()
        https://bugs.webkit.org/show_bug.cgi?id=67973

        Reviewed by Darin Adler.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorGetPrototypeOf):
        Pipe through JSValue::get() to allow overrides.

2011-09-12  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore does not have baseline->speculative OSR
        https://bugs.webkit.org/show_bug.cgi?id=67920

        Reviewed by Oliver Hunt.
        
        This adds the ability to on-stack-replace (OSR) from code that is
        running hot in the old JIT to code compiled by the new JIT.  This
        ensures that long-running loops benefit from DFG optimization.
        It also ensures that if code experiences a speculation failure
        in DFG code, it has an opportunity to reenter the DFG once every
        1,000 loop iterations or so.
        
        This results in a 2.88x speed-up on Kraken/imaging-desaturate,
        and is a pure win on the main three benchmark suites (SunSpider,
        V8, Kraken), when tiered compilation is enabled.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        (JSC::CodeBlock::CodeBlock):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::compileOptimized):
        * bytecode/CodeBlock.h:
        * bytecode/Opcode.h:
        * bytecode/PredictedType.h: Added.
        (JSC::isCellPrediction):
        (JSC::isArrayPrediction):
        (JSC::isInt32Prediction):
        (JSC::isDoublePrediction):
        (JSC::isNumberPrediction):
        (JSC::isBooleanPrediction):
        (JSC::isStrongPrediction):
        (JSC::predictionToString):
        (JSC::mergePredictions):
        (JSC::mergePrediction):
        (JSC::makePrediction):
        * bytecode/PredictionTracker.h: Added.
        (JSC::operandIsArgument):
        (JSC::PredictionSlot::PredictionSlot):
        (JSC::PredictionTracker::PredictionTracker):
        (JSC::PredictionTracker::initializeSimilarTo):
        (JSC::PredictionTracker::copyLocalsFrom):
        (JSC::PredictionTracker::numberOfArguments):
        (JSC::PredictionTracker::numberOfVariables):
        (JSC::PredictionTracker::argumentIndexForOperand):
        (JSC::PredictionTracker::predictArgument):
        (JSC::PredictionTracker::predict):
        (JSC::PredictionTracker::predictGlobalVar):
        (JSC::PredictionTracker::getArgumentPrediction):
        (JSC::PredictionTracker::getPrediction):
        (JSC::PredictionTracker::getGlobalVarPrediction):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoopHint):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::BasicBlock::BasicBlock):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.cpp: Added.
        (JSC::DFG::predictionIsValid):
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h: Added.
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGPredictionTracker.h: Removed.
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::mergeUse):
        (JSC::DFG::Propagator::mergePrediction):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CompactJITCodeMap.h:
        (JSC::CompactJITCodeMap::numberOfEntries):
        (JSC::CompactJITCodeMap::decode):
        (JSC::CompactJITCodeMap::Decoder::Decoder):
        (JSC::CompactJITCodeMap::Decoder::numberOfEntriesRemaining):
        (JSC::CompactJITCodeMap::Decoder::read):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        (JSC::JIT::emitTimeoutCheck):
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_hint):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-09-12  Sam Weinig  <sam@webkit.org>

        Don't allow setting __proto__ to be a getter or setter
        https://bugs.webkit.org/show_bug.cgi?id=67982

        Reviewed by Gavin Barraclough.

        * runtime/JSObject.cpp:
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        Disallow setting a getter or setter on __proto__.

2011-09-12  James Robinson  <jamesr@chromium.org>

        Unreviewed build fix for chromium.

        Guard access to UString::latin1() with USE(JSC) since it is defined in JavaScriptCore/runtime/UString.cpp, which
        is currently only compiled in by ports that use JavaScriptCore.  This code is currently unreachable in builds so
        no change in functionality.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::CharAccess::CharAccess):

2011-09-09  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore does not have speculative->baseline OSR
        https://bugs.webkit.org/show_bug.cgi?id=67826

        Reviewed by Oliver Hunt.
        
        This adds the ability to bail out of DFG speculative JIT execution by
        performing an on-stack replacement (OSR) that results in the control
        flow going to the equivalent code generated by the old JIT.
        
        This required a number of new features, as well as taking advantage of
        some features that happened to already be present:
        
        We already had a policy of storing the bytecode index for which a DFG
        node was generated inside the DFG::Node class. This was previously
        called exceptionInfo. It's now renamed to codeOrigin to reflect that
        it's used for more than just excpetions. OSR uses this to figure out
        which bytecode index to use to look up the machine code location in
        the code generated by the old JIT that we should be jumping to.
        
        CodeBlock now stores a mapping between bytecode indices and machine
        code offsets for code generated by the old JIT. This is implemented
        by CompactJITCodeMap, which tries to compress this data a bit.  The
        OSR compiler decodes this and uses it to find the machine code
        locations it should be jumping to.
        
        We already had a mechanism that emitted SetLocal nodes in the DFG graph
        that told us the time at which the old JIT would have stored something
        into its register file, and the DFG::Node that corresponds to the value
        that it would have stored. These SetLocal's were mostly dead-code-
        eliminated, but our DCE leaves the nodes intact except for making them
        have 0 as the ref count. This allows the OSR compiler to construct a
        mapping between the state as it would have been seen by the old JIT
        and the state as the DFG JIT sees it. The OSR compiler uses this to
        generate code that reshapes the call frame so that it is like what the
        old JIT would expect.
        
        Finally, when DFG_OSR is enabled (the default for TIERED_COMPILATION)
        we no longer emit the non-speculative path.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::currentCodeOrigin):
        (JSC::DFG::ByteCodeParser::addToGraph):
        * dfg/DFGGPRInfo.h:
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::alive):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::appendCallWithExceptionCheck):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallRecord::CallRecord):
        (JSC::DFG::JITCompiler::notifyCall):
        (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
        (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::CodeOrigin::CodeOrigin):
        (JSC::DFG::CodeOrigin::isSet):
        (JSC::DFG::CodeOrigin::bytecodeIndex):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1Unchecked):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueSource::ValueSource):
        (JSC::DFG::ValueSource::isSet):
        (JSC::DFG::ValueSource::nodeIndex):
        (JSC::DFG::ValueRecovery::ValueRecovery):
        (JSC::DFG::ValueRecovery::alreadyInRegisterFile):
        (JSC::DFG::ValueRecovery::inGPR):
        (JSC::DFG::ValueRecovery::inFPR):
        (JSC::DFG::ValueRecovery::displacedInRegisterFile):
        (JSC::DFG::ValueRecovery::constant):
        (JSC::DFG::ValueRecovery::technique):
        (JSC::DFG::ValueRecovery::gpr):
        (JSC::DFG::ValueRecovery::fpr):
        (JSC::DFG::ValueRecovery::virtualRegister):
        (JSC::DFG::OSRExit::numberOfRecoveries):
        (JSC::DFG::OSRExit::valueRecovery):
        (JSC::DFG::OSRExit::isArgument):
        (JSC::DFG::OSRExit::argumentForIndex):
        (JSC::DFG::OSRExit::variableForIndex):
        (JSC::DFG::OSRExit::operandForIndex):
        (JSC::DFG::SpeculativeJIT::osrExits):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::valueSourceForOperand):
        (JSC::DFG::SpeculativeJIT::setNodeIndexForOperand):
        (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculationCheckIndexIterator::SpeculationCheckIndexIterator):
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * jit/CompactJITCodeMap.h: Added.
        (JSC::BytecodeAndMachineOffset::BytecodeAndMachineOffset):
        (JSC::BytecodeAndMachineOffset::getBytecodeIndex):
        (JSC::BytecodeAndMachineOffset::getMachineCodeOffset):
        (JSC::CompactJITCodeMap::~CompactJITCodeMap):
        (JSC::CompactJITCodeMap::decode):
        (JSC::CompactJITCodeMap::CompactJITCodeMap):
        (JSC::CompactJITCodeMap::at):
        (JSC::CompactJITCodeMap::decodeNumber):
        (JSC::CompactJITCodeMap::Encoder::Encoder):
        (JSC::CompactJITCodeMap::Encoder::~Encoder):
        (JSC::CompactJITCodeMap::Encoder::append):
        (JSC::CompactJITCodeMap::Encoder::finish):
        (JSC::CompactJITCodeMap::Encoder::appendByte):
        (JSC::CompactJITCodeMap::Encoder::encodeNumber):
        (JSC::CompactJITCodeMap::Encoder::ensureCapacityFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::osrScratchBufferForSize):
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):

2011-09-12  Geoffrey Garen  <ggaren@apple.com>

        Re-enabled ENABLE(LAZY_BLOCK_FREEING).
        
        Reviewed by Stephanie Lewis.

        I accidentally disabled this in r94890, causing a big performance regression.

        * wtf/Platform.h:

2011-09-12  Michael Saboff  <msaboff@apple.com>

        Broken Build for ARM - lshift32() needs TrustedImm32 arg
        https://bugs.webkit.org/show_bug.cgi?id=67965

        Change lshift32(16, ARMRegisters::S1); to lshift32(TrustedImm32(16), ARMRegisters::S1);

        Reviewed by Anders Carlsson.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch16):

2011-09-12  Michael Saboff  <msaboff@apple.com>

        Broken ARM build - missing semicolon in JavaScriptCore/assembler/MacroAssemblerARM.h
        https://bugs.webkit.org/show_bug.cgi?id=67961

        Added missing semicolon.

        Reviewed by Ryosuke Niwa.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch16):

2011-09-12  Michael Saboff  <msaboff@apple.com>

        Update RegExp and related classes to use 8 bit strings when available
        https://bugs.webkit.org/show_bug.cgi?id=67337

        Modified both the Yarr interpreter and JIT to handle 8 bit subject strings.
        The code paths are triggered by the UString::is8bit() method which currently
        returns false.  Implemented JIT changes for all current architectures.
        Tested X86_64 and ARM v7.

        This includes some code that will likely change as we complete the
        8 bit string changes.  This includes the way the raw buffer pointers
        are accessed as well as replacing the CharAccess class with a
        string interator returned from UString.

        Fixed build breakage in testRegExp.cpp due to globalObject construction
        changes.

        Reviewed by Gavin Barraclough.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * testRegExp.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::GlobalObject):
        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::baseIndexTransfer32):
        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::ubfx):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg40Imm3Reg4Imm20Imm5):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::branch8):
        (JSC::MacroAssemblerARM::branch16):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::branch16):
        (JSC::MacroAssemblerARMv7::branch8):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::branch8):
        (JSC::MacroAssemblerMIPS::branch16):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::branch8):
        (JSC::MacroAssemblerSH4::branch16):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load8):
        (JSC::MacroAssemblerX86Common::branch16):
        (JSC::MacroAssemblerX86Common::branch8):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::extub):
        (JSC::SH4Assembler::printInstr):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpw_ir):
        (JSC::X86Assembler::movzbl_mr):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::match):
        (JSC::RegExp::matchCompareWithInterpreter):
        * runtime/RegExp.h:
        * runtime/UString.h:
        (JSC::UString::is8Bit):
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::CharAccess::CharAccess):
        (JSC::Yarr::Interpreter::CharAccess::~CharAccess):
        (JSC::Yarr::Interpreter::CharAccess::operator[]):
        (JSC::Yarr::Interpreter::InputStream::InputStream):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::interpret):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::readCharacter):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::jitCompile):
        (JSC::Yarr::execute):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::has8BitCode):
        (JSC::Yarr::YarrCodeBlock::has16BitCode):
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrParser.h:
        (JSC::Yarr::Parser::Parser):

2011-09-12  Andras Becsi  <andras.becsi@nokia.com>

        [Qt] Build fails after r94920 with strict compiler
        https://bugs.webkit.org/show_bug.cgi?id=67928

        Reviewed by Csaba Osztrogonác.

        * wtf/RedBlackTree.h:
        (WTF::RedBlackTree::insert): Remove dead variables updateStart and newSubTreeRoot.

2011-09-12  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed build fix after r94871.

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * wtf/FastMalloc.cpp:
        * wtf/RefCountedLeakCounter.h:

2011-09-11  Filip Pizlo  <fpizlo@apple.com>

        DFGNode.h has macros that indicate the enabling of a feature, but
        they do not use the ENABLE() idiom.
        https://bugs.webkit.org/show_bug.cgi?id=67907

        Reviewed by Oliver Hunt.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::propagateForward):
        (JSC::DFG::Propagator::propagateBackward):
        (JSC::DFG::propagate):
        * dfg/DFGScoreBoard.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-09-11  Fumitoshi Ukai  <ukai@chromium.org>

        Unreviewed build fix for chromium/mac & clang.

        Fix the macro redefinition error by r94927, because chromium set
        ENABLE_JSC_MULTIPLE_THREADS=0 in WebKit/chromium/features.gypi and
        it is not PLATFORM(QT).
         ../../JavaScriptCore/wtf/Platform.h:512:9: error: 'ENABLE_JSC_MULTIPLE_THREADS' macro redefined [-Werror]
         #define ENABLE_JSC_MULTIPLE_THREADS 1
         <command line>:43:9: note: previous definition is here
         #define ENABLE_JSC_MULTIPLE_THREADS 0
         1 error generated.

        * wtf/Platform.h:

2011-09-11  Sam Weinig  <sam@webkit.org>

        Remove JSCell::isPropertyNameIterator(), it is unused
        https://bugs.webkit.org/show_bug.cgi?id=67911

        Reviewed by Oliver Hunt.

        * runtime/JSCell.h:
        * runtime/JSPropertyNameIterator.h:

2011-09-11  Sam Weinig  <sam@webkit.org>

        De-virtualize JSCell::isAPIValueWrapper
        https://bugs.webkit.org/show_bug.cgi?id=67909

        Reviewed by Oliver Hunt.

        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        Set the correct type on structure creation.

        * runtime/JSCell.h:
        Remove virtual keyword and default implementation.

        * runtime/JSType.h:
        Add type for APIValueWrapper. It must come after CompoundType since
        the APIValueWrapper has children in need of marking.

        * runtime/Structure.h:
        (JSC::JSCell::isAPIValueWrapper):
        Implement predicate using type info.

2011-09-10  Sam Weinig  <sam@webkit.org>

        De-virtualize JSCell::isGetterSetter, type information is available for it
        https://bugs.webkit.org/show_bug.cgi?id=67902

        Reviewed by Dan Bernstein.

        * runtime/GetterSetter.cpp:
        * runtime/GetterSetter.h:
        Remove override of isGetterSetter.

        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        De-virtualize and remove silly base implementation.

        * runtime/Structure.h:
        (JSC::JSCell::isGetterSetter):
        Use type info to determine getter-setter-hood.

2011-09-09  Oliver Hunt  <oliver@apple.com>

        Remove support for anonymous storage from jsobjects
        https://bugs.webkit.org/show_bug.cgi?id=67881

        Reviewed by Sam Weinig.

        Remove all use of anonymous slots, essentially a mechanical change
        in JavaScriptCore

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * heap/MarkStack.cpp:
        (JSC::MarkStack::validateValue):
        * heap/MarkStack.h:
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::createStructure):
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::createStructure):
        * runtime/JSCell.h:
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.h:
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::createStructure):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::createStructure):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::createStructure):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::createStructure):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::removePropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::getterSetterTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::get):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::checkConsistency):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::propertyStorageSize):
        (JSC::Structure::get):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):

2011-09-11  Jarred Nicholls  <jarred@sencha.com>

        [Qt] Win32 build broken due to MachineStackMarker.cpp/.o failing to link against pthreads library
        https://bugs.webkit.org/show_bug.cgi?id=67864
        
        Qt Win32 is not pthread compatible and cannot participate in multithreaded JSC or it fails to build.

        Reviewed by Csaba Osztrogonác.

        * wtf/Platform.h:

2011-09-11  Filip Pizlo  <fpizlo@apple.com>

        ARM and MIPS assemblers still refer to executable pools.
        https://bugs.webkit.org/show_bug.cgi?id=67903

        Reviewed by Csaba Osztrogonác.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::executableCopy):
        * assembler/ARMAssembler.h:
        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::executableCopy):

2011-09-08  Filip Pizlo  <fpizlo@apple.com>

        The executable allocator makes it difficult to free individual
        chunks of executable memory
        https://bugs.webkit.org/show_bug.cgi?id=66363

        Reviewed by Oliver Hunt.
        
        Introduced a best-fit, balanced-tree based allocator. The allocator
        required a balanced tree that does not allocate memory and that
        permits the removal of individual nodes directly (as opposed to by
        key); neither AVLTree nor WebCore's PODRedBlackTree supported this.
        Changed all references to executable code to use a reference counted
        handle.

        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AssemblerBuffer.h:
        (JSC::AssemblerBuffer::executableCopy):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::finalizeCode):
        (JSC::LinkBuffer::linkCode):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodeRef::MacroAssemblerCodeRef):
        (JSC::MacroAssemblerCodeRef::createSelfManagedCodeRef):
        (JSC::MacroAssemblerCodeRef::executableMemory):
        (JSC::MacroAssemblerCodeRef::code):
        (JSC::MacroAssemblerCodeRef::size):
        (JSC::MacroAssemblerCodeRef::operator!):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::executableCopy):
        (JSC::X86Assembler::X86InstructionFormatter::executableCopy):
        * bytecode/CodeBlock.h:
        * bytecode/Instruction.h:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::initializeAllocator):
        (JSC::ExecutableAllocator::ExecutableAllocator):
        (JSC::ExecutableAllocator::isValid):
        (JSC::ExecutableAllocator::underMemoryPressure):
        (JSC::ExecutableAllocator::allocate):
        (JSC::ExecutableAllocator::committedByteCount):
        (JSC::ExecutableAllocator::dumpProfile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::compileCTIMachineTrampolines):
        (JSC::JIT::compileCTINativeCall):
        * jit/JITCode.h:
        (JSC::JITCode::operator !):
        (JSC::JITCode::addressForCall):
        (JSC::JITCode::offsetOf):
        (JSC::JITCode::execute):
        (JSC::JITCode::start):
        (JSC::JITCode::size):
        (JSC::JITCode::getExecutableMemory):
        (JSC::JITCode::HostFunction):
        (JSC::JITCode::JITCode):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::privateCompileCTINativeCall):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdSelfList):
        (JSC::JIT::privateCompileGetByIdProtoList):
        (JSC::JIT::privateCompileGetByIdChainList):
        (JSC::JIT::privateCompileGetByIdChain):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::getPolymorphicAccessStructureListSlot):
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        (JSC::charCodeAtThunkGenerator):
        (JSC::charAtThunkGenerator):
        (JSC::fromCharCodeThunkGenerator):
        (JSC::sqrtThunkGenerator):
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        (JSC::powThunkGenerator):
        * jit/ThunkGenerators.h:
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::dumpSampleData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::getCTIStub):
        * wtf/CMakeLists.txt:
        * wtf/MetaAllocator.cpp: Added.
        (WTF::MetaAllocatorHandle::MetaAllocatorHandle):
        (WTF::MetaAllocatorHandle::~MetaAllocatorHandle):
        (WTF::MetaAllocatorHandle::shrink):
        (WTF::MetaAllocator::MetaAllocator):
        (WTF::MetaAllocator::allocate):
        (WTF::MetaAllocator::currentStatistics):
        (WTF::MetaAllocator::findAndRemoveFreeSpace):
        (WTF::MetaAllocator::addFreeSpaceFromReleasedHandle):
        (WTF::MetaAllocator::addFreshFreeSpace):
        (WTF::MetaAllocator::debugFreeSpaceSize):
        (WTF::MetaAllocator::addFreeSpace):
        (WTF::MetaAllocator::incrementPageOccupancy):
        (WTF::MetaAllocator::decrementPageOccupancy):
        (WTF::MetaAllocator::roundUp):
        (WTF::MetaAllocator::allocFreeSpaceNode):
        (WTF::MetaAllocator::freeFreeSpaceNode):
        (WTF::MetaAllocator::dumpProfile):
        * wtf/MetaAllocator.h: Added.
        (WTF::MetaAllocator::bytesAllocated):
        (WTF::MetaAllocator::bytesReserved):
        (WTF::MetaAllocator::bytesCommitted):
        (WTF::MetaAllocator::dumpProfile):
        (WTF::MetaAllocator::~MetaAllocator):
        * wtf/MetaAllocatorHandle.h: Added.
        * wtf/RedBlackTree.h: Added.
        (WTF::RedBlackTree::Node::Node):
        (WTF::RedBlackTree::Node::successor):
        (WTF::RedBlackTree::Node::predecessor):
        (WTF::RedBlackTree::Node::reset):
        (WTF::RedBlackTree::Node::parent):
        (WTF::RedBlackTree::Node::setParent):
        (WTF::RedBlackTree::Node::left):
        (WTF::RedBlackTree::Node::setLeft):
        (WTF::RedBlackTree::Node::right):
        (WTF::RedBlackTree::Node::setRight):
        (WTF::RedBlackTree::Node::color):
        (WTF::RedBlackTree::Node::setColor):
        (WTF::RedBlackTree::RedBlackTree):
        (WTF::RedBlackTree::insert):
        (WTF::RedBlackTree::remove):
        (WTF::RedBlackTree::findExact):
        (WTF::RedBlackTree::findLeastGreaterThanOrEqual):
        (WTF::RedBlackTree::findGreatestLessThanOrEqual):
        (WTF::RedBlackTree::first):
        (WTF::RedBlackTree::last):
        (WTF::RedBlackTree::size):
        (WTF::RedBlackTree::isEmpty):
        (WTF::RedBlackTree::treeMinimum):
        (WTF::RedBlackTree::treeMaximum):
        (WTF::RedBlackTree::treeInsert):
        (WTF::RedBlackTree::leftRotate):
        (WTF::RedBlackTree::rightRotate):
        (WTF::RedBlackTree::removeFixup):
        * wtf/wtf.pri:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        (JSC::Yarr::YarrCodeBlock::getAddr):

2011-09-10  Sam Weinig  <sam@webkit.org>

        Remove JSC::isZombie() function, it did nothing and was called by no-one.
        https://bugs.webkit.org/show_bug.cgi?id=67901

        Reviewed by Andy Estes.

        * JavaScriptCore.exp:
        * runtime/JSCell.cpp:
        * runtime/JSValue.h:

2011-09-10  Sam Weinig  <sam@webkit.org>

        Add isInterruptedExecutionException and isTerminatedExecutionException predicates
        https://bugs.webkit.org/show_bug.cgi?id=67892

        Reviewed by Andy "First Time Reviewer" Estes.

        * JavaScriptCore.exp:
        Add symbols.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        Use new predicates.

        * runtime/ExceptionHelpers.cpp:
        (JSC::createInterruptedExecutionException):
        (JSC::isInterruptedExecutionException):
        (JSC::createTerminatedExecutionException):
        (JSC::isTerminatedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        Add predicates.

2011-09-10  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT completely undoes speculative compilation even in the case of
        a partial static speculation failure
        https://bugs.webkit.org/show_bug.cgi?id=67798

        Reviewed by Geoffrey Garen.
        
        This is a regression with static speculation, so it is turned off by
        default.  But it is a necessary prerequisite for further work on
        dynamic speculation.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::clearGenerationInfo):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):

2011-09-09  Chris Marrin  <cmarrin@apple.com>

        requestAnimationFrame doesn't throttle on Mac
        https://bugs.webkit.org/show_bug.cgi?id=67171

        Reviewed by Simon Fraser.

        Added WTF_USE_REQUEST_ANIMATION_FRAME_TIMER to allow any platform to run
        requestAnimationFrame callbacks on a Timer defined in ScriptedAnimationController.
        Currently only enabled for PLATFORM(MAC)

        * wtf/Platform.h:

2011-09-09  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Dan Bernstein.

        Removed ENABLE(SINGLE_THREADED) support, since it is always false
        https://bugs.webkit.org/show_bug.cgi?id=67862

        Next step toward making the baseline platform assumption that threads exist.

        * wtf/wtf.pri:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Removed references to
        ThreadingNone.cpp, which was only compiled in single-threaded mode.

        * wtf/Platform.h:
        * wtf/ThreadSpecific.h:
        (WTF::::destroy):
        * wtf/qt/ThreadingQt.cpp: Removed now-dead code.

        * wtf/ThreadingNone.cpp: Removed.

2011-09-09  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (5/7)
        https://bugs.webkit.org/show_bug.cgi?id=67420

        Reviewed by Geoffrey Garen.

        Completed the fifth level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        This primarily consists of pushing the calls to finishCreation() down 
        into the constructors of the subclasses of the second level of the hierarchy 
        as well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one.  Doing both simultaneously allows us to 
        maintain the invariant that the finishCreation() method chain is called exactly 
        once during the creation of an object, since calling it any other number of 
        times (0, 2, or more) will cause an assertion failure.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        (JSC::BooleanPrototype::finishCreation):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::finishCreation):
        * runtime/DateConstructor.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        (JSC::DatePrototype::finishCreation):
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorConstructor.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        (JSC::FunctionPrototype::finishCreation):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        (JSC::ObjectConstructor::finishCreation):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::finishCreation):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        (JSC::StringPrototype::finishCreation):
        * runtime/StringPrototype.h:

2011-09-09  Geoffrey Garen  <ggaren@apple.com>

        Build fix: Guard against double-#define for something already #defined
        by the build system.

        * wtf/Platform.h:

2011-09-09  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Dan Bernstein.

        Never #define ENABLE_SINGLE_THREADED, !ENABLE_JSC_MULTIPLE_THREADS, or
        !ENABLE_WTF_MULTIPLE_THREADS
        https://bugs.webkit.org/show_bug.cgi?id=67860

        First step toward making the baseline platform assumption that threads
        exist: Never #define ENABLE_SINGLE_THREADED, !ENABLE_JSC_MULTIPLE_THREADS,
        or !ENABLE_WTF_MULTIPLE_THREADS.

        * wtf/Platform.h:

2011-09-09  Laszlo Gombos  <laszlo.1.gombos@nokia.com>

        [Qt] Remove common.pri
        https://bugs.webkit.org/show_bug.cgi?id=67814

        Reviewed by Andreas Kling.

        * JavaScriptCore.pri:

2011-09-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION(r94811): Assertion failure in 2 worker tests
        https://bugs.webkit.org/show_bug.cgi?id=67829

        Reviewed by Sam Weinig.

        Fixing a couple tests that were broken due to the wrong values being 
        set in the parent class pointers in the ClassInfo structs for 
        TerminatedExecutionError and InterruptedExecutionError.

        * runtime/ExceptionHelpers.cpp:

2011-09-08  Oliver Hunt  <oliver@apple.com>

        Use bump allocator for initial property storage
        https://bugs.webkit.org/show_bug.cgi?id=67494

        Reviewed by Geoffrey Garen.

        Use a bump allocator for initial allocation of property storage,
        and promote to fastMalloc memory only if it survives a GC pass.

        Comes out as a 1% win on v8, and is a useful step on the way to
        GC allocation of all property storage.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::allocatePropertyStorage):
        (JSC::Heap::inPropertyStorageNursery):
        * heap/MarkedBlock.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        (JSC::NewSpace::resetPropertyStorageNursery):
        (JSC::NewSpace::allocatePropertyStorage):
        (JSC::NewSpace::inPropertyStorageNursery):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::isUsingInlineStorage):
        (JSC::JSObject::JSObject):
        (JSC::JSObject::propertyStorage):
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectFunctionWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect):
        * runtime/StorageBarrier.h: Added.
        (JSC::StorageBarrier::StorageBarrier):
        (JSC::StorageBarrier::set):
        (JSC::StorageBarrier::operator->):
        (JSC::StorageBarrier::operator*):
        (JSC::StorageBarrier::operator[]):
        (JSC::StorageBarrier::get):

2011-09-08  Sam Weinig  <sam@webkit.org>

        Remove the Completion object from JSC, I have never liked it
        https://bugs.webkit.org/show_bug.cgi?id=67755

        Reviewed by Gavin Barraclough.

        - Removes the Completion object and replaces its use with out parameter exceptions.
        - Remove ComplType and virtual exceptionType() function on JSObject. Replace with
          ClassInfo for InterruptedExecutionError and TerminatedExecutionError.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::throwException):
        * jsc.cpp:
        (functionLoad):
        (functionCheckSyntax):
        (runWithScripts):
        (runInteractive):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Completion.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::toString):
        (JSC::TerminatedExecutionError::toString):
        (JSC::createInterruptedExecutionException):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::InterruptedExecutionError::create):
        (JSC::InterruptedExecutionError::createStructure):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        (JSC::TerminatedExecutionError::create):
        (JSC::TerminatedExecutionError::createStructure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSObject.h:

2011-09-08  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix.

        * dfg/DFGCapabilities.cpp:

2011-09-08  Filip Pizlo  <fpizlo@apple.com>

        Value profling and execution count profiling is performed even for
        code that cannot be optimized
        https://bugs.webkit.org/show_bug.cgi?id=67694

        Reviewed by Gavin Barraclough.
        
        This is a 2% speed-up on V8 when tiered compilation is enabled.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::ProgramCodeBlock::canCompileWithDFG):
        (JSC::EvalCodeBlock::canCompileWithDFG):
        (JSC::FunctionCodeBlock::canCompileWithDFG):
        * bytecode/CodeBlock.h:
        * dfg/DFGCapabilities.cpp: Added.
        (JSC::DFG::canCompileOpcodes):
        * dfg/DFGCapabilities.h: Added.
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canCompileEval):
        (JSC::DFG::canCompileProgram):
        (JSC::DFG::canCompileFunctionForCall):
        (JSC::DFG::canCompileFunctionForConstruct):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::JIT::shouldEmitProfiling):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):

2011-09-08  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT does not initialize integer tags for PredictInt32 temporaries
        https://bugs.webkit.org/show_bug.cgi?id=67840

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):

2011-09-08  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        https://bugs.webkit.org/show_bug.cgi?id=67771

        Fix sequenceGetByIdSlowCaseInstructionSpace, sequenceGetByIdSlowCaseConstantSpace
        and patchOffsetGetByIdSlowCaseCall
        and enables DOUBLE_CONVERSION_CORRECT_DOUBLE_OPERATIONS flag for SH4 platforms.

        Reviewed by Gavin Barraclough.

        * jit/JIT.h:
        * wtf/dtoa/utils.h:

2011-09-08  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove getUInt32 from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67691

        Reviewed by Oliver Hunt.

         We don't use JSCell::getUInt32 anymore, so it has been removed.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:

2011-09-07  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):

2011-09-07  Oliver Hunt  <oliver@apple.com>

        Release mode build fix.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):

2011-09-06  Oliver Hunt  <oliver@apple.com>

        Remove JSObjectWithGlobalObject
        https://bugs.webkit.org/show_bug.cgi?id=67689

        Reviewed by Geoff Garen.

        Remove JSObjectWithGlobalObject, and update code to stop using anonymous
        storage to access the global object that a JSObject comes from.  Largely
        mechanical change to remove the use of anonymous storage and JSObjectWithGlobalObject.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        (JSC::::staticFunctionGetter):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
        * API/JSObjectRef.cpp:
        (JSObjectMake):
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):
        (JSC::DFG::tryCacheGetMethod):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/DatePrototype.cpp:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::finishCreation):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        * runtime/JSObject.h:
        (JSC::JSObject::globalObject):
        * runtime/JSObjectWithGlobalObject.cpp: Removed.
        * runtime/JSObjectWithGlobalObject.h: Removed.
        * runtime/JSValue.cpp:
        (JSC::JSValue::isValidCallee):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        * runtime/NumberPrototype.cpp:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::finishCreation):
        * runtime/RegExpObject.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::globalObject):

2011-09-07  Gavin Barraclough  <barraclough@apple.com>

        Refactor JIT checks for ObjectType into helper functions.

        Rubber stamped by Sam Weinig.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchIfNotObject):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.h:
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitJumpIfNotObject):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_create_this):

2011-09-07  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r94627 and r94632.
        http://trac.webkit.org/changeset/94627
        http://trac.webkit.org/changeset/94632
        https://bugs.webkit.org/show_bug.cgi?id=67698

        It broke tests on GTK and Qt (Requested by Ossy on #webkit).

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        * API/JSCallbackFunction.h:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::create):
        * debugger/DebuggerActivation.h:
        * jsc.cpp:
        (GlobalObject::constructorBody):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        * runtime/DateConstructor.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::constructorBody):
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        * runtime/StringPrototype.h:

2011-09-06  Xianzhu Wang  <wangxianzhu@chromium.org>

        Replace usages of Vector<UChar> with existing StringBuilder
        https://bugs.webkit.org/show_bug.cgi?id=67079

        Reviewed by Gavin Barraclough.

        This is part of work to support 8-bit string buffers.
        Adds StringBuilder::characters() because the original Vector<UChar>::data()
        is widely used.
        Sets the minimum size of buffer to 16 to prevent possible performance
        regression. Further performance investigation should be done in
        https://bugs.webkit.org/show_bug.cgi?id=67084.

        * wtf/Forward.h:
        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::appendUninitialized): Sets minimum buffer size to 16 bytes.
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::operator[]):
        (WTF::StringBuilder::characters): Added.

2011-09-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix broken snow leopard build
        https://bugs.webkit.org/show_bug.cgi?id=67693

        Reviewed by Daniel Bates.

        Removed unnecessary symbol export.

        * JavaScriptCore.exp:

2011-09-06  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not optimize booleans
        https://bugs.webkit.org/show_bug.cgi?id=67670

        Reviewed by Gavin Barraclough.
        
        This adds boolean value profiling, boolean prediction in the DFG,
        boolean forward flow propagation in the DFGPropagator, boolean
        data format in DFG generation info, and comprehensive optimizations
        based on both boolean prediction and boolean generation info.
        This is brings the speed-up on v8-richards to 12%, and gives slight
        speed-ups elsewhere as well.
        
        Making this work right required navigating some subtleties in
        value profiling.  Some functions get compiled with insufficient
        information because some important path of the function never
        executed.  In these cases, we wish to fall back on static
        speculation.  But to do so, we need to ensure that predictions that
        are inherent in the code (like that GetById almost certainly takes
        a cell operand) are reflected in predictions that we make in
        DFGPropagator.  Thus, DFGPropagator now does both backward and
        forward flow, using a both forward and backward fixpoint.
        
        The backward flow in DFGPropagator is a separate static analysis,
        and needs to keep a set of backward flow abstract values for
        variables, arguments, and globals.  To make this easy, this patch
        factors out DFGGraph's prediction tracking capability into
        DFGPredictionTracker, which now gets used by both DFGGraph (for
        forward flow predictions) and DFGPropagator (for backward flow
        predictions).  Backward flow predictions eventually get merged
        into forward flow ones, but the two are not equivalent: a forward
        flow prediction is a superset of the backward flow prediction.
        
        Debugging these prediction issues required a better understanding
        of where we fail speculation, and what our value predictions look
        like.  This patch also adds optional verbose speculation failure
        (so an informative printf fires whenever speculation failure occurs)
        and slight improvements to the verbosity in other places.

        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::numberOfBooleans):
        (JSC::ValueProfile::probabilityOfBoolean):
        (JSC::ValueProfile::dump):
        (JSC::ValueProfile::computeStatistics):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        (JSC::DFG::needDataFormatConversion):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::predictions):
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::getPrediction):
        (JSC::DFG::Graph::getGlobalVarPrediction):
        (JSC::DFG::Graph::isBooleanConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        (JSC::DFG::JITCodeGenerator::speculationCheck):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::isBooleanConstant):
        (JSC::DFG::JITCodeGenerator::valueOfBooleanConstant):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::debugCall):
        (JSC::DFG::JITCompiler::isBooleanConstant):
        (JSC::DFG::JITCompiler::valueOfBooleanConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::isBooleanPrediction):
        (JSC::DFG::predictionToString):
        (JSC::DFG::mergePredictions):
        (JSC::DFG::makePrediction):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::valueOfBooleanConstant):
        (JSC::DFG::Node::hasBooleanResult):
        (JSC::DFG::Node::hasNumericResult):
        (JSC::DFG::Node::predict):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionTracker.h: Added.
        (JSC::DFG::operandIsArgument):
        (JSC::DFG::PredictionSlot::PredictionSlot):
        (JSC::DFG::PredictionTracker::PredictionTracker):
        (JSC::DFG::PredictionTracker::initializeSimilarTo):
        (JSC::DFG::PredictionTracker::numberOfArguments):
        (JSC::DFG::PredictionTracker::numberOfVariables):
        (JSC::DFG::PredictionTracker::argumentIndexForOperand):
        (JSC::DFG::PredictionTracker::predictArgument):
        (JSC::DFG::PredictionTracker::predict):
        (JSC::DFG::PredictionTracker::predictGlobalVar):
        (JSC::DFG::PredictionTracker::getArgumentPrediction):
        (JSC::DFG::PredictionTracker::getPrediction):
        (JSC::DFG::PredictionTracker::getGlobalVarPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::setPrediction):
        (JSC::DFG::Propagator::mergeUse):
        (JSC::DFG::Propagator::mergePrediction):
        (JSC::DFG::Propagator::propagateNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::~SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::index):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (JSC::DFG::SpeculateBooleanOperand::use):
        * runtime/JSGlobalData.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::description):

2011-09-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (5/7)
        https://bugs.webkit.org/show_bug.cgi?id=67420

        Reviewed by Geoffrey Garen.

        Completed the fifth level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        This primarily consists of pushing the calls to finishCreation() down 
        into the constructors of the subclasses of the second level of the hierarchy 
        as well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one.  Doing both simultaneously allows us to 
        maintain the invariant that the finishCreation() method chain is called exactly 
        once during the creation of an object, since calling it any other number of 
        times (0, 2, or more) will cause an assertion failure.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::finishCreation):
        * API/JSCallbackFunction.h:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::GlobalObject):
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::finishCreation):
        * runtime/ArrayConstructor.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.cpp:
        (JSC::BooleanConstructor::BooleanConstructor):
        (JSC::BooleanConstructor::finishCreation):
        * runtime/BooleanConstructor.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::BooleanPrototype):
        (JSC::BooleanPrototype::finishCreation):
        * runtime/BooleanPrototype.h:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::finishCreation):
        * runtime/DateConstructor.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::DatePrototype):
        (JSC::DatePrototype::finishCreation):
        * runtime/DatePrototype.h:
        * runtime/Error.cpp:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::finishCreation):
        * runtime/ErrorConstructor.h:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        (JSC::FunctionConstructor::finishCreation):
        * runtime/FunctionConstructor.h:
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::FunctionPrototype):
        (JSC::FunctionPrototype::finishCreation):
        * runtime/FunctionPrototype.h:
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        (JSC::NativeErrorPrototype::finishCreation):
        * runtime/NativeErrorPrototype.h:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        (JSC::NumberConstructor::finishCreation):
        * runtime/NumberConstructor.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::NumberPrototype):
        (JSC::NumberPrototype::finishCreation):
        * runtime/NumberPrototype.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        (JSC::ObjectConstructor::finishCreation):
        * runtime/ObjectConstructor.h:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::finishCreation):
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::RegExpPrototype):
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::finishCreation):
        * runtime/StringConstructor.h:
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::StringObjectThatMasqueradesAsUndefined):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::StringPrototype):
        (JSC::StringPrototype::finishCreation):
        * runtime/StringPrototype.h:

2011-09-06  Filip Pizlo  <fpizlo@apple.com>

        Accessibility tests crashing in BasicRawSentinelNode code
        https://bugs.webkit.org/show_bug.cgi?id=67682

        Reviewed by Geoffrey Garen.
        
        A CodeBlock should ensure that no other CodeBlocks have references to it after
        it is destroyed.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):

2011-09-06  Yong Li  <yoli@rim.com>

        https://bugs.webkit.org/show_bug.cgi?id=67486
        This reverts r65993 which gives wrong results for rshift
        in some corner cases (see the test).

        Reviewed by Gavin Barraclough.

        New test: fast/js/floating-point-truncate-rshift.html

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsFloatingPointTruncate):
        (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):

2011-09-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for r94559.
        
        Marked the relevant parameters as unused if !ENABLE(JIT), and surrounded
        new out-of-line JIT-specific method definitions with !ENABLE(JIT).

        * bytecode/CodeBlock.cpp:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):

2011-09-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix broken PPC build due to new dtoa library
        https://bugs.webkit.org/show_bug.cgi?id=67654

        Reviewed by Dan Bernstein.

        Added condition for PPC in the new dtoa compatibility check so that
        building won't fail.

        * wtf/dtoa/utils.h:

2011-09-05  Oliver Hunt  <oliver@apple.com>

        An object's structure should reference the global object responsible for its creation
        https://bugs.webkit.org/show_bug.cgi?id=67624

        Reviewed by Gavin Barraclough.

        Add a reference to a GlobalObject to Structure, and update all calls to
        Structure::create() to pass the global object that is the origin for that
        structure.  For objects where the appropriate global object isn't available
        at construction time (global object prototypes, etc), or objects that
        logically don't have a global object (strings, etc) we just pass null.

        This change is largely mechanical (passing a new globalObject parameter
        around).

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::createStructure):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::createStructure):
        * API/JSContextRef.cpp:
        * JavaScriptCore.exp:
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::createStructure):
        * runtime/Arguments.h:
        (JSC::Arguments::createStructure):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::createStructure):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::createStructure):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::createStructure):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/DateInstance.h:
        (JSC::DateInstance::createStructure):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::createStructure):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::createStructure):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::createStructure):
        * runtime/Executable.h:
        (JSC::ExecutableBase::createStructure):
        (JSC::NativeExecutable::createStructure):
        (JSC::EvalExecutable::createStructure):
        (JSC::ProgramExecutable::createStructure):
        (JSC::FunctionExecutable::createStructure):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.h:
        (JSC::JSActivation::createStructure):
        * runtime/JSArray.h:
        (JSC::JSArray::createStructure):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::createStructure):
        * runtime/JSByteArray.h:
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::createStructure):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::createStructure):
        * runtime/JSONObject.h:
        (JSC::JSONObject::createStructure):
        * runtime/JSObject.cpp:
        (JSC::JSObject::createInheritorID):
        * runtime/JSObject.h:
        (JSC::JSObject::createStructure):
        (JSC::JSNonFinalObject::createStructure):
        (JSC::JSFinalObject::createStructure):
        (JSC::createEmptyObjectStructure):
        * runtime/JSObjectWithGlobalObject.h:
        (JSC::JSObjectWithGlobalObject::createStructure):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::createStructure):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::createStructure):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::createStructure):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::createStructure):
        * runtime/MathObject.h:
        (JSC::MathObject::createStructure):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        (JSC::NativeErrorConstructor::constructorBody):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::createStructure):
        * runtime/RegExp.h:
        (JSC::RegExp::createStructure):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::createStructure):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::createStructure):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::createStructure):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/StringObject.h:
        (JSC::StringObject::createStructure):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::create):
        (JSC::StringObjectThatMasqueradesAsUndefined::createStructure):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::createStructure):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::globalObject):
        (JSC::Structure::setGlobalObject):
        * runtime/StructureChain.h:
        (JSC::StructureChain::createStructure):

2011-09-06  Michael Saboff  <msaboff@apple.com>

        Add windows changes for JSC:RegExp functional tests
        https://bugs.webkit.org/show_bug.cgi?id=67521

        Windows build changes for regular expression functional test.

        Rubber-stamped by Gavin Barraclough.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/testRegExp: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPostBuild.cmd: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPreBuild.cmd: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpPreLink.cmd: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Added.
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Added.

2011-09-06  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore does not have tiered compilation
        https://bugs.webkit.org/show_bug.cgi?id=67176

        Reviewed by Gavin Barraclough.
        
        This adds the ability to have multiple CodeBlocks associated with
        a particular role in an Executable.  These are stored in
        descending order of compiler tier.  CodeBlocks are optimized when
        a counter (m_executeCounter) that is incremented in loops and
        epilogues becomes positive.  Optimizing means that all calls to
        the old CodeBlock are unlinked.
        
        The DFG can now pull in predictions from ValueProfiles, and
        propagate them along the graph.  To support the new phase while
        maintaing some level of abstraction, a DFGDriver was introduced
        that encapsulates how to run the DFG compiler.
        
        This is turned off by default because it's not yet a performance
        win on all benchmarks.  It speeds up crypto and richards by
        10% and 6% respectively, but still does not do as good of a job
        as it could.  Notably, the DFG backend has not changed, and
        is largely oblivious to the new information being made available
        to it.
        
        When turned off (the default), this patch is performance neutral.

        * CMakeLists.txt:
        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branchAdd32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branchAdd32):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CallLinkInfo::unlink):
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        (JSC::CodeBlock::clearEvalCache):
        (JSC::replaceExistingEntries):
        (JSC::CodeBlock::copyDataFromAlternative):
        (JSC::ProgramCodeBlock::replacement):
        (JSC::EvalCodeBlock::replacement):
        (JSC::FunctionCodeBlock::replacement):
        (JSC::ProgramCodeBlock::compileOptimized):
        (JSC::EvalCodeBlock::compileOptimized):
        (JSC::FunctionCodeBlock::compileOptimized):
        * bytecode/CodeBlock.h:
        (JSC::GlobalCodeBlock::GlobalCodeBlock):
        (JSC::ProgramCodeBlock::ProgramCodeBlock):
        (JSC::EvalCodeBlock::EvalCodeBlock):
        (JSC::FunctionCodeBlock::FunctionCodeBlock):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::dump):
        (JSC::ValueProfile::computeStatistics):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::dynamicallyPredict):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::parse):
        * dfg/DFGDriver.cpp: Added.
        (JSC::DFG::compile):
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGDriver.h: Added.
        (JSC::DFG::tryCompile):
        (JSC::DFG::tryCompileFunction):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::isConstant):
        (JSC::DFG::Graph::isJSConstant):
        (JSC::DFG::Graph::isInt32Constant):
        (JSC::DFG::Graph::isDoubleConstant):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfDoubleConstant):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isConstant):
        (JSC::DFG::JITCompiler::isJSConstant):
        (JSC::DFG::JITCompiler::isInt32Constant):
        (JSC::DFG::JITCompiler::isDoubleConstant):
        (JSC::DFG::JITCompiler::valueOfJSConstant):
        (JSC::DFG::JITCompiler::valueOfInt32Constant):
        (JSC::DFG::JITCompiler::valueOfDoubleConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::isCellPrediction):
        (JSC::DFG::isNumberPrediction):
        (JSC::DFG::predictionToString):
        (JSC::DFG::mergePrediction):
        (JSC::DFG::makePrediction):
        (JSC::DFG::Node::valueOfJSConstant):
        (JSC::DFG::Node::isInt32Constant):
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::valueOfInt32Constant):
        (JSC::DFG::Node::valueOfDoubleConstant):
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagation.cpp: Added.
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::setPrediction):
        (JSC::DFG::Propagator::mergePrediction):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::propagateForward):
        (JSC::DFG::Propagator::propagateBackward):
        (JSC::DFG::propagate):
        * dfg/DFGPropagation.h: Added.
        (JSC::DFG::propagate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * heap/HandleHeap.h:
        (JSC::HandleHeap::Node::Node):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        (JSC::JIT::emitTimeoutCheck):
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkFor):
        * jit/JIT.h:
        (JSC::JIT::emitOptimizationCheck):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITCode.h:
        (JSC::JITCode::JITCode):
        (JSC::JITCode::bottomTierJIT):
        (JSC::JITCode::topTierJIT):
        (JSC::JITCode::nextTierJIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileOptimized):
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileOptimized):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileOptimizedForCall):
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::EvalExecutable::compile):
        (JSC::ProgramExecutable::compile):
        (JSC::FunctionExecutable::compileForCall):
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileOptimizedFor):
        * wtf/Platform.h:
        * wtf/SentinelLinkedList.h:
        (WTF::BasicRawSentinelNode::BasicRawSentinelNode):
        (WTF::BasicRawSentinelNode::setPrev):
        (WTF::BasicRawSentinelNode::setNext):
        (WTF::BasicRawSentinelNode::prev):
        (WTF::BasicRawSentinelNode::next):
        (WTF::BasicRawSentinelNode::isOnList):
        (WTF::::remove):
        (WTF::::SentinelLinkedList):
        (WTF::::begin):
        (WTF::::end):
        (WTF::::push):

2011-09-05  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r94445 and r94448.
        http://trac.webkit.org/changeset/94445
        http://trac.webkit.org/changeset/94448
        https://bugs.webkit.org/show_bug.cgi?id=67595

        It broke everything (Requested by ossy on #webkit).

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectFunctionWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect):

2011-09-05  Patrick Gansterer  <paroga@webkit.org>

        Unreviewed build fix for r94452.

        Add config.h as the first header to the cc files as required by the coding style.
        Reuse macros from Assertions.h instead of adding addional #ifdefs.

        * wtf/dtoa/bignum-dtoa.cc:
        * wtf/dtoa/bignum.cc:
        * wtf/dtoa/cached-powers.cc:
        * wtf/dtoa/diy-fp.cc:
        * wtf/dtoa/double-conversion.cc:
        * wtf/dtoa/fast-dtoa.cc:
        * wtf/dtoa/fixed-dtoa.cc:
        * wtf/dtoa/strtod.cc:
        * wtf/dtoa/utils.h:

2011-09-05  Andras Becsi  <andras.becsi@nokia.com>

        [Qt][WK2] Fix the build

        Rubber-stamped by Csaba Osztrogonác.

        * wtf/dtoa/double-conversion.cc: Remove dead variable in file added in r94452.
        The variable fractional_part is only set but never used.

2011-09-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r94452): 20 http/tests tests failing on Qt Linux Release
        https://bugs.webkit.org/show_bug.cgi?id=67562

        Reviewed by Darin Adler.

        Fixing the build (again which was broken by the dtoa patch.  Needed 
        to make sure WTF::double_conversion::initialize() is called for Qt
        as well as adding a check for WinCE in dtoa/utils.h

        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * wtf/dtoa/cached-powers.cc:
        * wtf/dtoa/utils.h:

2011-09-03  Filip Pizlo  <fpizlo@apple.com>

        ThunkGenerators does not convert positive double zero into integer zero
        https://bugs.webkit.org/show_bug.cgi?id=67553

        Reviewed by Gavin Barraclough.
        
        This is an 0.5% speed-up on V8 and neutral elsewhere.

        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnDouble):

2011-09-03  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Add wtf/dtoa directory to build.

        * wscript:

2011-09-03  Filip Pizlo  <fpizlo@apple.com>

        DFG variable predictions only work for local variables, not temporaries
        https://bugs.webkit.org/show_bug.cgi?id=67554

        Reviewed by Gavin Barraclough.
        
        This appears to be a slight speed-up in Kraken (0.3% but significant)
        and neutral elsewhere.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):

2011-09-02  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT speculation failure does recovery of additions in reverse and
        doesn't rebox
        https://bugs.webkit.org/show_bug.cgi?id=67551

        Reviewed by Sam Weinig.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):

2011-09-02  Filip Pizlo  <fpizlo@apple.com>

        ValueProfile does not make it safe to introspect cell values
        after garbage collection
        https://bugs.webkit.org/show_bug.cgi?id=67354

        Reviewed by Gavin Barraclough.
        
        ValueProfile buckets are now weak references, implemented using a
        light-weight weak reference mechanism that this patch also adds (the
        WeakReferenceHarvester).  If a cell stored in a ValueProfile bucket
        is not marked, then the bucket is transformed into a Structure
        pointer.  If the Structure is not marked either, then it is turned
        into a ClassInfo pointer.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::visitWeakReferences):
        * bytecode/CodeBlock.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::classInfo):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfCells):
        (JSC::ValueProfile::numberOfArrays):
        (JSC::ValueProfile::probabilityOfArray):
        (JSC::ValueProfile::WeakBucket::WeakBucket):
        (JSC::ValueProfile::WeakBucket::operator!):
        (JSC::ValueProfile::WeakBucket::isEmpty):
        (JSC::ValueProfile::WeakBucket::isClassInfo):
        (JSC::ValueProfile::WeakBucket::isStructure):
        (JSC::ValueProfile::WeakBucket::asStructure):
        (JSC::ValueProfile::WeakBucket::asClassInfo):
        (JSC::ValueProfile::WeakBucket::getClassInfo):
        * heap/Heap.cpp:
        (JSC::Heap::harvestWeakReferences):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::harvestWeakReferences):
        * heap/MarkStack.h:
        (JSC::MarkStack::addWeakReferenceHarvester):
        (JSC::MarkStack::MarkStack):
        (JSC::MarkStack::appendUnbarrieredPointer):
        * heap/SlotVisitor.h:
        * heap/WeakReferenceHarvester.h: Added.
        (JSC::WeakReferenceHarvester::WeakReferenceHarvester):
        (JSC::WeakReferenceHarvester::~WeakReferenceHarvester):

2011-09-02  Michael Saboff  <msaboff@apple.com>

        Replace local implementation of string equals() methods with UString versions
        https://bugs.webkit.org/show_bug.cgi?id=67342

        In preparation to allowing StringImpl to be backed by 8 bit 
        characters when appropriate, we need to eliminate or change the
        usage of StringImpl::characters(). Change the uses of characters()
        that are used to implement redundant equals() methods.

        Reviewed by Gavin Barraclough.

        * runtime/Identifier.cpp:
        (JSC::Identifier::equal):
        * runtime/Identifier.h:
        (JSC::Identifier::equal):
        * wtf/text/AtomicString.cpp:
        (WTF::CStringTranslator::equal): Moved an optimized method to here.
        (WTF::operator==):
        * wtf/text/StringImpl.cpp:
        (WTF::equal):
        * wtf/text/StringImpl.h:

2011-09-02  Michael Saboff  <msaboff@apple.com>

        Add JSC:RegExp functional tests
        https://bugs.webkit.org/show_bug.cgi?id=67339

        Added new test driver program (testRegExp) and corresponding data file
        along with build scripts changes.

        Reviewed by Gavin Barraclough.

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * testRegExp.cpp: Added.
        (Options::Options):
        (StopWatch::start):
        (StopWatch::stop):
        (StopWatch::getElapsedMS):
        (RegExpTest::RegExpTest):
        (GlobalObject::create):
        (GlobalObject::className):
        (GlobalObject::GlobalObject):
        (main):
        (cleanupGlobalData):
        (testOneRegExp):
        (scanString):
        (parseRegExpLine):
        (parseTestLine):
        (runFromFiles):
        (printUsageStatement):
        (parseArguments):
        (realMain):
        * tests/regexp: Added.
        * tests/regexp/RegExpTest.data: Added.

2011-09-02  Michael Saboff  <msaboff@apple.com>

        Add JSC:RegExp functional test data generator
        https://bugs.webkit.org/show_bug.cgi?id=67519

        Add a data generator for regular expressions.  To enable, change the
        #undef REGEXP_FUNC_TEST_DATA_GEN to #define.  Then compile and use
        regular expressions.  The resulting data will be in /tmp/RegExpTestsData.

        Reviewed by Gavin Barraclough.

        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        (JSC::RegExpFunctionalTestCollector::clearRegExp):
        (JSC::RegExpFunctionalTestCollector::get):
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
        (JSC::RegExpFunctionalTestCollector::RegExpFunctionalTestCollector):
        (JSC::RegExpFunctionalTestCollector::~RegExpFunctionalTestCollector):
        (JSC::RegExpFunctionalTestCollector::outputEscapedUString):
        (JSC::RegExp::~RegExp):
        (JSC::RegExp::compile):
        (JSC::RegExp::match):
        (JSC::RegExp::matchCompareWithInterpreter):

2011-09-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix the broken build due to dtoa patch
        https://bugs.webkit.org/show_bug.cgi?id=67534

        Reviewed by Oliver Hunt.

        Fixing the build.

        * GNUmakefile.list.am:
        * wtf/dtoa/bignum.cc:
        * wtf/dtoa/fast-dtoa.cc:
        * wtf/dtoa/utils.h:

2011-09-02  Oliver Hunt  <oliver@apple.com>

        Remove OldSpace classes
        https://bugs.webkit.org/show_bug.cgi?id=67533

        Reviewed by Gavin Barraclough.

        Remove the unused OldSpace classes

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::writeBarrierSlowCase):
        * heap/MarkedBlock.h:
        * heap/OldSpace.cpp: Removed.
        * heap/OldSpace.h: Removed.

2011-09-02  James Robinson  <jamesr@chromium.org>

        Compile fix for mac build.

        * wtf/CheckedArithmetic.h:
        (WTF::operator+):
        (WTF::operator-):
        (WTF::operator*):

2011-08-30  Matthew Delaney  <mdelaney@apple.com>

        Read out of bounds in sUnpremultiplyData_RGBA8888 / ImageBufferData::getData
        https://bugs.webkit.org/show_bug.cgi?id=65352

        Reviewed by Simon Fraser.

        New test: fast/canvas/canvas-getImageData-large-crash.html

        This patch prevents overflows from happening in getImageData, createImageData, and canvas creation
        calls that specify widths and heights that end up overflowing the ints that we store those values in
        as well as derived values such as area and maxX / maxY of the bounding rects involved. Overflow of integer
        arithmetic is detected via the use of the new Checked type that was introduced in r94207. The change to JSC
        is just to add a new helper method described below.

        * wtf/MathExtras.h:
        (isWithinIntRange): Reports if a float's value is within the range expressible by an int.

2011-09-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        Incorporate newer, faster dtoa library
        https://bugs.webkit.org/show_bug.cgi?id=66346

        Reviewed by Oliver Hunt.

        Added new dtoa library at http://code.google.com/p/double-conversion/.
        Replaced old call to dtoa.  The new library is much faster than the old one.
        We still use the old dtoa for some stuff in WebCore as well as the old strtod, 
        but we can phase these out eventually as well.

        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/InitializeThreading.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToExponential):
        (JSC::numberProtoFuncToFixed):
        (JSC::numberProtoFuncToPrecision):
        * runtime/UString.cpp:
        (JSC::UString::number):
        * wtf/CMakeLists.txt:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):
        * wtf/ThreadingWin.cpp:
        (WTF::initializeThreading):
        * wtf/dtoa.cpp:
        (WTF::dtoa):
        * wtf/dtoa.h:
        * wtf/dtoa/COPYING: Added.
        * wtf/dtoa/LICENSE: Added.
        * wtf/dtoa/README: Added.
        * wtf/dtoa/bignum-dtoa.cc: Added.
        * wtf/dtoa/bignum-dtoa.h: Added.
        * wtf/dtoa/bignum.cc: Added.
        * wtf/dtoa/bignum.h: Added.
        (WTF::double_conversion::Bignum::Times10):
        (WTF::double_conversion::Bignum::Equal):
        (WTF::double_conversion::Bignum::LessEqual):
        (WTF::double_conversion::Bignum::Less):
        (WTF::double_conversion::Bignum::PlusEqual):
        (WTF::double_conversion::Bignum::PlusLessEqual):
        (WTF::double_conversion::Bignum::PlusLess):
        (WTF::double_conversion::Bignum::EnsureCapacity):
        (WTF::double_conversion::Bignum::BigitLength):
        * wtf/dtoa/cached-powers.cc: Added.
        * wtf/dtoa/cached-powers.h: Added.
        * wtf/dtoa/diy-fp.cc: Added.
        * wtf/dtoa/diy-fp.h: Added.
        (WTF::double_conversion::DiyFp::DiyFp):
        (WTF::double_conversion::DiyFp::Subtract):
        (WTF::double_conversion::DiyFp::Minus):
        (WTF::double_conversion::DiyFp::Times):
        (WTF::double_conversion::DiyFp::Normalize):
        (WTF::double_conversion::DiyFp::f):
        (WTF::double_conversion::DiyFp::e):
        (WTF::double_conversion::DiyFp::set_f):
        (WTF::double_conversion::DiyFp::set_e):
        * wtf/dtoa/double-conversion.cc: Added.
        * wtf/dtoa/double-conversion.h: Added.
        (WTF::double_conversion::DoubleToStringConverter::DoubleToStringConverter):
        (WTF::double_conversion::StringToDoubleConverter::StringToDoubleConverter):
        * wtf/dtoa/double.h: Added.
        (WTF::double_conversion::double_to_uint64):
        (WTF::double_conversion::uint64_to_double):
        (WTF::double_conversion::Double::Double):
        (WTF::double_conversion::Double::AsDiyFp):
        (WTF::double_conversion::Double::AsNormalizedDiyFp):
        (WTF::double_conversion::Double::AsUint64):
        (WTF::double_conversion::Double::NextDouble):
        (WTF::double_conversion::Double::Exponent):
        (WTF::double_conversion::Double::Significand):
        (WTF::double_conversion::Double::IsDenormal):
        (WTF::double_conversion::Double::IsSpecial):
        (WTF::double_conversion::Double::IsNan):
        (WTF::double_conversion::Double::IsInfinite):
        (WTF::double_conversion::Double::Sign):
        (WTF::double_conversion::Double::UpperBoundary):
        (WTF::double_conversion::Double::NormalizedBoundaries):
        (WTF::double_conversion::Double::value):
        (WTF::double_conversion::Double::SignificandSizeForOrderOfMagnitude):
        (WTF::double_conversion::Double::Infinity):
        (WTF::double_conversion::Double::NaN):
        (WTF::double_conversion::Double::DiyFpToUint64):
        * wtf/dtoa/fast-dtoa.cc: Added.
        * wtf/dtoa/fast-dtoa.h: Added.
        * wtf/dtoa/fixed-dtoa.cc: Added.
        * wtf/dtoa/fixed-dtoa.h: Added.
        * wtf/dtoa/strtod.cc: Added.
        * wtf/dtoa/strtod.h: Added.
        * wtf/dtoa/utils.h: Added.
        (WTF::double_conversion::Max):
        (WTF::double_conversion::Min):
        (WTF::double_conversion::StrLength):
        (WTF::double_conversion::Vector::Vector):
        (WTF::double_conversion::Vector::SubVector):
        (WTF::double_conversion::Vector::length):
        (WTF::double_conversion::Vector::is_empty):
        (WTF::double_conversion::Vector::start):
        (WTF::double_conversion::Vector::operator[]):
        (WTF::double_conversion::Vector::first):
        (WTF::double_conversion::Vector::last):
        (WTF::double_conversion::StringBuilder::StringBuilder):
        (WTF::double_conversion::StringBuilder::~StringBuilder):
        (WTF::double_conversion::StringBuilder::size):
        (WTF::double_conversion::StringBuilder::position):
        (WTF::double_conversion::StringBuilder::Reset):
        (WTF::double_conversion::StringBuilder::AddCharacter):
        (WTF::double_conversion::StringBuilder::AddString):
        (WTF::double_conversion::StringBuilder::AddSubstring):
        (WTF::double_conversion::StringBuilder::AddPadding):
        (WTF::double_conversion::StringBuilder::Finalize):
        (WTF::double_conversion::StringBuilder::is_finalized):
        (WTF::double_conversion::BitCast):
        * wtf/wtf.pri:

2011-09-02  Filip Pizlo  <fpizlo@apple.com>

        DFG graph has no way of distinguishing or reconciling between static
        and dynamic predictions
        https://bugs.webkit.org/show_bug.cgi?id=67343

        Reviewed by Gavin Barraclough.
        
        PredictedType now stores the source of the prediction.  Merging predictions,
        which was previously done with a bitwise or, is now done via the
        mergePredictions (equivalent to |) and mergePrediction (equivalent to |=)
        functions, which correctly handle combinations of static and dynamic.
        
        This is performance-neutral, since all predictions are currently static and
        so the code has no visible effects.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::staticallyPredictArray):
        (JSC::DFG::ByteCodeParser::staticallyPredictInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        * dfg/DFGNode.h:
        (JSC::DFG::isArrayPrediction):
        (JSC::DFG::isInt32Prediction):
        (JSC::DFG::isDoublePrediction):
        (JSC::DFG::isDynamicPrediction):
        (JSC::DFG::mergePredictions):
        (JSC::DFG::mergePrediction):
        (JSC::DFG::makePrediction):
        (JSC::DFG::Node::predict):

2011-09-02  Oliver Hunt  <oliver@apple.com>

        Fix 32bit build.

        * heap/NewSpace.h:
        (JSC::NewSpace::allocatePropertyStorage):
        (JSC::NewSpace::inPropertyStorageNursery):

2011-09-02  Oliver Hunt  <oliver@apple.com>

        Use bump allocator for initial property storage
        https://bugs.webkit.org/show_bug.cgi?id=67494

        Reviewed by Gavin Barraclough.

        Switch to a bump allocator for the initial out of line
        property storage.  This gives us slightly faster allocation
        for short lived objects that need out of line storage at
        the cost of an additional memcpy when the object survives
        a GC pass.

        No performance impact.

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::allocatePropertyStorage):
        (JSC::Heap::inPropertyStorageNursary):
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        (JSC::NewSpace::resetPropertyStorageNursary):
        (JSC::NewSpace::allocatePropertyStorage):
        (JSC::NewSpace::inPropertyStorageNursary):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::putDirectFunctionWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect):

2011-09-01  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * JavaScriptCore.JSVALUE32_64only.exp:
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:

2011-09-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (4/7)
        https://bugs.webkit.org/show_bug.cgi?id=67174

        Reviewed by Oliver Hunt.

        Completed the fourth level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        This primarily consists of pushing the calls to finishCreation() down 
        into the constructors of the subclasses of the second level of the hierarchy 
        as well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one.  Doing both simultaneously allows us to 
        maintain the invariant that the finishCreation() method chain is called exactly 
        once during the creation of an object, since calling it any other number of 
        times (0, 2, or more) will cause an assertion failure.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::JSCallbackConstructor):
        (JSC::JSCallbackConstructor::finishCreation):
        * API/JSCallbackConstructor.h:
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):
        (JSC::::finishCreation):
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        (JSC::DebuggerActivation::create):
        * debugger/DebuggerActivation.h:
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::createNoParameters):
        (JSC::Arguments::Arguments):
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::ArrayPrototype):
        (JSC::ArrayPrototype::finishCreation):
        * runtime/ArrayPrototype.h:
        * runtime/BooleanObject.cpp:
        (JSC::BooleanObject::BooleanObject):
        (JSC::BooleanObject::finishCreation):
        * runtime/BooleanObject.h:
        * runtime/DateInstance.cpp:
        (JSC::DateInstance::DateInstance):
        (JSC::DateInstance::finishCreation):
        * runtime/DateInstance.h:
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
        (JSC::ErrorPrototype::finishCreation):
        * runtime/ErrorPrototype.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::InterruptedExecutionError::create):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        (JSC::TerminatedExecutionError::create):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::NativeExecutable):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::finishCreation):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::create):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        (JSC::JSFunction::finishCreation):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::finishCreation):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::JSNotAnObject):
        (JSC::JSNotAnObject::create):
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        * runtime/JSObjectWithGlobalObject.cpp:
        (JSC::JSObjectWithGlobalObject::JSObjectWithGlobalObject):
        * runtime/JSObjectWithGlobalObject.h:
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        (JSC::JSStaticScopeObject::finishCreation):
        (JSC::JSStaticScopeObject::JSStaticScopeObject):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/MathObject.cpp:
        (JSC::MathObject::MathObject):
        (JSC::MathObject::finishCreation):
        * runtime/MathObject.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::NumberObject):
        (JSC::NumberObject::finishCreation):
        * runtime/NumberObject.h:
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
        (JSC::RegExpMatchesArray::finishCreation):
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::RegExpObject):
        (JSC::RegExpObject::finishCreation):
        * runtime/RegExpObject.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/StringObject.cpp:
        (JSC::StringObject::StringObject):
        (JSC::StringObject::finishCreation):
        * runtime/StringObject.h:

2011-09-01  Daniel Bates  <dbates@rim.com>

        QNX GCC distribution doesn't support vasprintf()
        https://bugs.webkit.org/show_bug.cgi?id=67423

        Reviewed by Antonio Gomes.

        * wtf/Platform.h: Don't enable HAVE_VASPRINTF when building with GCC on QNX.

2011-09-01  Michael Saboff  <msaboff@apple.com>

        Remove simple usage of UString::characters() from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=67340

        In preparation to allowing StringImpl to be backed by 8 bit 
        characters when appropriate, we need to eliminate or change the
        usage of StringImpl::characters().  Most of the changes below
        change s->characters()[0] to s[0].

        Reviewed by Geoffrey Garen.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::keyForCharacterSwitch):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::processClauseList):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Identifier.cpp:
        (JSC::Identifier::addSlowCase):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::jsToNumber):
        (JSC::parseFloat):
        * runtime/JSString.cpp:
        (JSC::JSString::substringFromRope):
        * runtime/JSString.h:
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsString):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        * runtime/RegExp.cpp:
        (JSC::regExpFlags):
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::operator[]):

2011-09-01  Ada Chan  <adachan@apple.com>

        Export fastMallocStatistics and Heap::objectTypeCounts for https://bugs.webkit.org/show_bug.cgi?id=67160.

        Reviewed by Darin Adler.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-01  Hao Zheng  <zhenghao@chromium.org>

        Define PTHREAD_KEYS_MAX to fix Android port build.
        https://bugs.webkit.org/show_bug.cgi?id=67362

        Reviewed by Adam Barth.

        PTHREAD_KEYS_MAX is not defined in bionic, so explicitly define it.

        * wtf/ThreadIdentifierDataPthreads.cpp:

2011-08-31  Oliver Hunt  <oliver@apple.com>

        Fix build.

        * wtf/CheckedArithmetic.h:
        (WTF::Checked::Checked):
        (WTF::Checked::operator=):

2011-08-31  Oliver Hunt  <oliver@apple.com>

        fast/regex/overflow.html asserts in debug builds
        https://bugs.webkit.org/show_bug.cgi?id=67326

        Reviewed by Gavin Barraclough.

        The deliberate overflows in these expressions don't interact nicely
        with Checked<32bit-type> so we just bump up to Checked<int64_t> for the
        intermediate calculations.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):

2011-08-31  Jeff Miller  <jeffm@apple.com>

        REGRESSION(92210): AVFoundation media engine is disabled on OS X
        https://bugs.webkit.org/show_bug.cgi?id=67316

        Move the definition of WTF_USE_AVFOUNDATION on the Mac back to JavaScriptCore/wtf/Platform.h,
        since WebKit2 doesn't have access to WebCore/config.h on this platform. This reverts the
        changes that were made in r92210.

        Reviewed by Darin Adler.

        * wtf/Platform.h: Added definition of WTF_USE_AVFOUNDATION on the Mac.

2011-08-31  Peter Beverloo  <peter@chromium.org>

        Add Android's platform specification and the right atomic functions.
        https://bugs.webkit.org/show_bug.cgi?id=66687

        Reviewed by Adam Barth.

        * wtf/Atomics.h:
        (WTF::atomicIncrement):
        (WTF::atomicDecrement):
        * wtf/Platform.h:

2011-08-30  Oliver Hunt  <oliver@apple.com>

        Add support for checked arithmetic
        https://bugs.webkit.org/show_bug.cgi?id=67095

        Reviewed by Sam Weinig.

        Add a checked arithmetic class Checked<T> that provides overflow-safe
        arithmetic over all integral types.  Checked<T> supports addition, subtraction
        and multiplication, along with "bool" conversions and equality operators.

        Checked<> can be used in either CRASH() on overflow or delayed failure modes,
        although the default is to CRASH().

        To ensure the code is actually in use (rather than checking in dead code) I've
        made a couple of properties in YARR use Checked<int> and Checked<unsigned>
        instead of raw value arithmetic.  This has resulted in a moderate set of changes,
        to YARR - mostly adding .get() calls, but a couple of casts from unsigned long
        to unsigned for some uses of sizeof, as Checked<> currently does not support
        mixed signed-ness of types wider that 32 bits.

        Happily the increased type safety of Checked<> means that it's not possible to
        accidentally assign away precision, nor accidentally call integer overload of
        a function instead of the bool version.

        No measurable regression in performance, and SunSpider claims this patch to be
        a progression of 0.3%.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CheckedArithmetic.h: Added.
        (WTF::CrashOnOverflow::overflowed):
        (WTF::CrashOnOverflow::clearOverflow):
        (WTF::CrashOnOverflow::hasOverflowed):
        (WTF::RecordOverflow::RecordOverflow):
        (WTF::RecordOverflow::overflowed):
        (WTF::RecordOverflow::clearOverflow):
        (WTF::RecordOverflow::hasOverflowed):
        (WTF::isInBounds):
        (WTF::safeAdd):
        (WTF::safeSub):
        (WTF::safeMultiply):
        (WTF::safeEquals):
        (WTF::workAroundClangBug):
        (WTF::Checked::Checked):
        (WTF::Checked::operator=):
        (WTF::Checked::operator++):
        (WTF::Checked::operator--):
        (WTF::Checked::operator!):
        (WTF::Checked::operator UnspecifiedBoolType*):
        (WTF::Checked::get):
        (WTF::Checked::operator+=):
        (WTF::Checked::operator-=):
        (WTF::Checked::operator*=):
        (WTF::Checked::operator==):
        (WTF::Checked::operator!=):
        (WTF::operator+):
        (WTF::operator-):
        (WTF::operator*):
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::atomPatternCharacter):
        (JSC::Yarr::ByteCompiler::atomCharacterClass):
        (JSC::Yarr::ByteCompiler::atomBackReference):
        (JSC::Yarr::ByteCompiler::atomParentheticalAssertionEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesSubpatternEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesOnceEnd):
        (JSC::Yarr::ByteCompiler::atomParenthesesTerminalEnd):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::ByteTerm):
        (JSC::Yarr::ByteTerm::CheckInput):
        (JSC::Yarr::ByteTerm::UncheckInput):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateAssertionEOL):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
        (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
        (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
        (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
        (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
        * yarr/YarrPattern.h:

2011-08-31  Andrei Popescu  <andreip@google.com>

        Investigate current uses of OS(ANDROID)
        https://bugs.webkit.org/show_bug.cgi?id=66761

        Unreviewed, build fix for ARM platforms.

        * wtf/Platform.h:

2011-08-31  Andrei Popescu  <andreip@google.com>

        Investigate current uses of OS(ANDROID)
        https://bugs.webkit.org/show_bug.cgi?id=66761

        Reviewed by Darin Adler.

        Remove the last legacy Android code.

        No new tests needed as the code wasn't tested in the first place.

        * wtf/Atomics.h:
        * wtf/Platform.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::createThreadInternal):

2011-08-30  Aaron Colwell  <acolwell@chromium.org>

        Add MediaSource API to HTMLMediaElement
        https://bugs.webkit.org/show_bug.cgi?id=64731

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig:

2011-08-30  Oliver Hunt  <oliver@apple.com>

        TypedArrays don't ensure that denormalised values are normalised
        https://bugs.webkit.org/show_bug.cgi?id=67178

        Reviewed by Gavin Barraclough.

        Add a couple of assertions to jsNumber() to ensure that
        we block signaling NaNs

        * runtime/JSValue.h:
        (JSC::jsDoubleNumber):
        (JSC::jsNumber):

2011-08-30  Ademar de Souza Reis Jr.  <ademar.reis@openbossa.org>

        [Qt] Do not unconditionally use pkg-config in .pro files
        https://bugs.webkit.org/show_bug.cgi?id=67055

        Reviewed by Andreas Kling.

        Original patch from Rohan McGovern <rohan.mcgovern@nokia.com>

        Using the first pkg-config in PATH is prone to errors when cross
        compiling inside the Qt repository (using Qt's build-system).

        This patch protect calls for pkg-config with
        !contains(QT_CONFIG, no-pkg-config). no-pkg-config is added to
        QT_CONFIG by Qt's 'configure' when cross-compiling on systems
        without pkg-config.

        The respective change in Qt's configure has been submited already.

        No new tests as this is just a build change.

        * wtf/wtf.pri: protect pkg-config calls

2011-08-29  Daniel Bates  <dbates@webkit.org>

        Add HAVE(VASPRINTF) macro to test for vasprintf() support
        https://bugs.webkit.org/show_bug.cgi?id=67156

        Reviewed by Darin Adler.

        Encapsulate testing of vasprintf() support in a HAVE macro
        instead of hardcoding the list of supported/unsupported
        compilers at the call site.

        * wtf/Platform.h:

2011-08-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (3/7)
        https://bugs.webkit.org/show_bug.cgi?id=67064

        Reviewed by Darin Adler.

        Completed the third level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        This primarily consists of pushing the calls to finishCreation() down 
        into the constructors of the subclasses of the second level of the hierarchy 
        as well as pulling the finishCreation() calls out into the class's corresponding
        create() method if it has one.  Doing both simultaneously allows us to 
        maintain the invariant that the finishCreation() method chain is called exactly 
        once during the creation of an object, since calling it any other number of 
        times (0, 2, or more) will cause an assertion failure.

        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        (JSC::DebuggerActivation::finishCreation):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::createNoParameters):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::finishCreation):
        * runtime/ErrorInstance.cpp:
        (JSC::ErrorInstance::ErrorInstance):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::finishCreation):
        * runtime/ExceptionHelpers.cpp:
        (JSC::InterruptedExecutionError::InterruptedExecutionError):
        (JSC::TerminatedExecutionError::TerminatedExecutionError):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::EvalExecutable):
        (JSC::ProgramExecutable::ProgramExecutable):
        (JSC::FunctionExecutable::FunctionExecutable):
        Moved the assignment of m_firstLine and m_lastLine into the 
        FunctionExecutable::finishCreation() method in Executable.h
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::finishCreation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::JSArray):
        (JSC::JSArray::finishCreation):
        * runtime/JSArray.h:
        * runtime/JSByteArray.cpp:
        (JSC::JSByteArray::JSByteArray):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::finishCreation):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::JSNotAnObject):
        * runtime/JSObject.h:
        (JSC::JSNonFinalObject::JSNonFinalObject):
        * runtime/JSObjectWithGlobalObject.cpp:
        (JSC::JSObjectWithGlobalObject::JSObjectWithGlobalObject):
        (JSC::JSObjectWithGlobalObject::finishCreation):
        * runtime/JSObjectWithGlobalObject.h:
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        (JSC::JSVariableObject::finishCreation):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::JSWrapperObject):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::ObjectPrototype):
        (JSC::ObjectPrototype::finishCreation):
        * runtime/ObjectPrototype.h:
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::StrictEvalActivation):

2011-08-29  Andreas Kling  <kling@webkit.org>

        Unreviewed build fix after r93990.

        * wtf/HashTable.h:

2011-08-29  Andreas Kling  <kling@webkit.org>

        Viewing a post on reddit.com wastes a lot of memory on event listeners.
        https://bugs.webkit.org/show_bug.cgi?id=67133

        Reviewed by Darin Adler.

        Add a minimum table size to the HashTraits, instead of having it hard coded.
        The default value remains at 64, but can now be specialized.

        * runtime/StructureTransitionTable.h:
        * wtf/HashTable.h:
        (WTF::HashTable::shouldShrink):
        (WTF::::expand):
        (WTF::::checkTableConsistencyExceptSize):
        * wtf/HashTraits.h:

2011-08-28  Jonathan Liu  <net147@gmail.com>

        Fix build error when compiling with MinGW-w64 by disabling JIT
        on Windows 64-bit
        https://bugs.webkit.org/show_bug.cgi?id=61235

        Reviewed by Gavin Barraclough.

        The fixed mmap executable allocator for JIT on x86_64 requires
        sys/mman.h which is not available on Windows.

        * wtf/Platform.h:

2011-08-27  Filip Pizlo  <fpizlo@apple.com>

        JSC::Executable is inconsistent about using weak handle finalizers
        and destructors for releasing memory
        https://bugs.webkit.org/show_bug.cgi?id=67072

        Reviewed by Darin Adler.
        
        Moved more of the destruction of Executable state into the finalizer,
        which also resulted in an opportunity to mostly combine this with
        discardCode().  This also means that the finalizer is now enabled even
        when the JIT is turned off.  This is performance neutral on SunSpider,
        V8, and Kraken.

        * runtime/Executable.cpp:
        (JSC::ExecutableBase::clearCode):
        (JSC::ExecutableFinalizer::finalize):
        (JSC::EvalExecutable::clearCode):
        (JSC::ProgramExecutable::clearCode):
        (JSC::FunctionExecutable::discardCode):
        (JSC::FunctionExecutable::clearCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::finishCreation):

2011-08-26  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT - ArithMod may clobber operands.
        https://bugs.webkit.org/show_bug.cgi?id=67085

        Reviewed by Sam Weinig.

        unboxDouble must be called on a temporary.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillDouble):