Source/JavaScriptCore: Unreviewed, it is no longer necessary to call DisablePrettySta...

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2013-11-03  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, it is no longer necessary to call DisablePrettyStackTrace.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2013-11-02  Mark Lam  <mark.lam@apple.com>

        Assertion failure in non-JIT'ed LLInt on ARM Thumb.
        https://bugs.webkit.org/show_bug.cgi?id=97569.

        Reviewed by Geoffrey Garen.

        * assembler/MacroAssemblerCodeRef.h:
        - Thumb2 alignment assertions do not apply to the C Loop LLINT because
          the arguments passed to those assertions are actually OpcodeIDs
          masquerading as addresses.
        * llint/LLIntOfflineAsmConfig.h:
        - Some of the #defines belong in the !ENABLE(LLINT_C_LOOP) section.
          Moving them there.
        * llint/LowLevelInterpreter.cpp:
        - Keep the compiler happy from some unreferenced C Loop labels.

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        FTL should use LLVM intrinsics for OSR exit, watchpoints, inline caches, and stack layout
        https://bugs.webkit.org/show_bug.cgi?id=122318

        Reviewed by Geoffrey Garen.
        
        This all now works. This patch just updates our implementation to work with LLVM trunk,
        and removes all of the old code that tried to do OSR exits and heap accesses without
        the benefit of those intrinsics.
        
        In particular:
        
        - StackMaps parsing now uses the new, less compact, but more future-proof, format.
        
        - Remove the ftlUsesStackmaps() option and hard-code ftlUsesStackmaps = true. Remove
          all code for ftlUsesStackmaps = false, since that was only there for back when we
          didn't have the intrinsics.
        
        - Remove the other experimental OSR options (useLLVMOSRExitIntrinsic,
          ftlTrapsOnOSRExit, and FTLOSRExitOmitsMarshalling).
        
        - Remove LowerDFGToLLVM's use of the ExitThunkGenerator since we don't need to generate
          the exit thunks until after we parse the stackmaps.
        
        - Remove all of the exit thunk and compiler code for the no-stackmaps case.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::mmAllocateDataSection):
        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::lower):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        (JSC::FTL::compileFTLOSRExit):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::parse):
        (WTF::printInternal):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::Thunks::getOSRExitGenerationThunk):
        * runtime/Options.h:

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Add missing getHostCallReturnValue() for MSVC ARM
        https://bugs.webkit.org/show_bug.cgi?id=123685

        Reviewed by Darin Adler.

        * jit/JITStubsARM.h:

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC warning about unary minus operator
        https://bugs.webkit.org/show_bug.cgi?id=123674

        Reviewed by Darin Adler.

        Change some static_cast<> to silence the following warning of Microsoft compiler:
        warning C4146: unary minus operator applied to unsigned type, result still unsigned

        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        Disable LLVM's pretty stack traces, which involve intercepting fatal signals
        https://bugs.webkit.org/show_bug.cgi?id=123681

        Reviewed by Geoffrey Garen.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM assertion failures should funnel into WTF's crash handling
        https://bugs.webkit.org/show_bug.cgi?id=123682

        Reviewed by Geoffrey Garen.
        
        Inside llvmForJSC, we override assertion-related functions and funnel them
        into g_llvmTrapCallback(). We also now register a fatal error handler inside
        the library and funnel that into g_llvmTrapCallback, and have
        initializeAndGetJSCLLVMAPI() take such a callback as an argument.
        
        Inside JSC, we no longer call LLVMInstallFatalErrorHandler() but instead we
        pass WTFLogAlwaysAndCrash() as the trap callback for llvmForJSC.

        * llvm/InitializeLLVM.cpp:
        (JSC::initializeLLVM):
        * llvm/InitializeLLVMPOSIX.cpp:
        (JSC::initializeLLVMPOSIX):
        * llvm/library/LLVMExports.cpp:
        (llvmCrash):
        (initializeAndGetJSCLLVMAPI):
        * llvm/library/LLVMOverrides.cpp:
        (raise):
        (__assert_rtn):
        (abort):
        * llvm/library/LLVMTrapCallback.h: Added.

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::jettison() shouldn't call baselineVersion()
        https://bugs.webkit.org/show_bug.cgi?id=123675

        Reviewed by Geoffrey Garen.
        
        Fix more uses of baselineVersion().

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-11-02  Filip Pizlo  <fpizlo@apple.com>

        LLVM asserts in internal-js-tests.yaml/Octane/stress-tests/mandreel.js
        https://bugs.webkit.org/show_bug.cgi?id=123535

        Reviewed by Geoffrey Garen.
        
        Use double comparisons for doubles.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::doubleToInt32):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Various small WinCE build fixes

        * jsc.cpp:
        (main):

2013-11-02  Patrick Gansterer  <paroga@webkit.org>

        Fix MSVC ARM build after r157581.

        * jit/JITStubsARM.h:

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        FTL should use a simple optimization pipeline by default
        https://bugs.webkit.org/show_bug.cgi?id=123638

        Reviewed by Geoffrey Garen.
        
        20% speed-up on imagine-gaussian-blur, when combined with --ftlUsesStackmaps=true.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * runtime/Options.h:

2013-11-01  Andreas Kling  <akling@apple.com>

        Neuter WTF_MAKE_FAST_ALLOCATED in GLOBAL_FASTMALLOC_NEW builds.
        <https://webkit.org/b/123639>

        JSC::ParserArenaRefCounted really needed to have the new/delete
        operators overridden, in order for JSC::ScopeNode to be able to
        choose that "operator new" out of the two it inherits.

        Reviewed by Anders Carlsson.

2013-11-01  Filip Pizlo  <fpizlo@apple.com>

        OSR exit profiling should be robust against all code being cleared
        https://bugs.webkit.org/show_bug.cgi?id=123629
        <rdar://problem/15365476>

        Reviewed by Michael Saboff.
        
        The problem here is two-fold:

        1) A watchpoint (i.e. ProfiledCodeBlockJettisoningWatchpoint) may be fired after we
        have cleared the CodeBlock for all or some Executables.  This means that doing
        codeBlock->baselineVersion() would either crash or return a bogus CodeBlock, since
        there wasn't a baseline code block reachable from the Executable anymore.  The
        solution is that we shouldn't be asking for the baseline code block reachable from
        the owning executable (what baselineVersion did), but instead we should be asking
        for the baseline version reachable from the code block being watchpointed (basically
        what CodeBlock::alternative() did).

        2) If dealing with inlined code, baselienCodeBlockForOriginAndBaselineCodeBlock()
        may return null, for the same reason as above - we might have cleared the baseline
        codeblock for the executable that was inlined.  The solution is to just not do
        profiling if there isn't a baseline code block anymore.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::baselineAlternative):
        (JSC::CodeBlock::baselineVersion):
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::AssemblyHelpers):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::baselineCodeBlockFor):

2013-10-31  Oliver Hunt  <oliver@apple.com>

        JavaScript parser bug
        https://bugs.webkit.org/show_bug.cgi?id=123506

        Reviewed by Mark Lam.

        Add ParserState as an abstraction and use that to save and restore
        the parser state around nested functions (We'll need to use this in
        more places in future).  Also fix a minor error typo this testcases
        hit.

        * parser/Parser.cpp:
        (JSC::::parseFunctionInfo):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::saveState):
        (JSC::Parser::restoreState):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL Int32ToDouble should handle the forward type check case where you need a recovery
        https://bugs.webkit.org/show_bug.cgi?id=123605

        Reviewed by Mark Hahnenberg.
        
        If you have a Int32ToDouble that needs to do a type check and it's required to do a
        forward exit, then it needs to manually pass in a value recovery for itself in the
        OSR exit - since this is one of those forward-exiting nodes that doesn't have a
        preceding MovHint.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
        (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL should implement InvalidationPoint in terms of llvm.stackmap
        https://bugs.webkit.org/show_bug.cgi?id=113647

        Reviewed by Mark Hahnenberg.
        
        This is pretty straightforward now that InvalidationPoint has exactly the semantics
        that agree with llvm.stackmap.

        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::callStackmap):
        * ftl/FTLOSRExitCompilationInfo.h:
        (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):

2013-10-30  Oliver Hunt  <oliver@apple.com>

        Implement basic ES6 Math functions
        https://bugs.webkit.org/show_bug.cgi?id=123536

        Reviewed by Michael Saboff.

        Fairly trivial patch to implement the core ES6 Math functions.

        This doesn't implement Math.hypot as it is not a trivial function.
        I've also skipped Math.sign as I am yet to be convinced the spec
        behaviour is good.  Everything else is trivial.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncACosh):
        (JSC::mathProtoFuncASinh):
        (JSC::mathProtoFuncATanh):
        (JSC::mathProtoFuncCbrt):
        (JSC::mathProtoFuncCosh):
        (JSC::mathProtoFuncExpm1):
        (JSC::mathProtoFuncFround):
        (JSC::mathProtoFuncLog1p):
        (JSC::mathProtoFuncLog10):
        (JSC::mathProtoFuncLog2):
        (JSC::mathProtoFuncSinh):
        (JSC::mathProtoFuncTanh):
        (JSC::mathProtoFuncTrunc):

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location::restoreInto() doesn't handle stack-related registers correctly if you're using it after pushing a new stack frame
        https://bugs.webkit.org/show_bug.cgi?id=123591

        Reviewed by Mark Hahnenberg.
        
        This gets us to pass more tests with ftlUsesStackmaps.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):

2013-10-31  Alexey Proskuryakov  <ap@apple.com>

        Enable WebCrypto on Mac
        https://bugs.webkit.org/show_bug.cgi?id=123587

        Reviewed by Anders Carlsson.

        * Configurations/FeatureDefines.xcconfig: Do it.

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, really remove CachedTranscendentalFunction.h.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-10-31  Filip Pizlo  <fpizlo@apple.com>

        Remove CachedTranscendentalFunction because caching math functions is an ugly idea
        https://bugs.webkit.org/show_bug.cgi?id=123574

        Reviewed by Mark Hahnenberg.
        
        This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
        we gain the "overhead" of actually computing sin and cos but we lose the overhead of
        going through the native call thunks.
        
        Caching transcendental functions is a really ugly idea. It works for SunSpider because
        that benchmark makes very predictable calls into Math.sin. But I don't believe that this
        is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
        that this was doing was adding more call overhead and some hashing overhead.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.h:
        * runtime/CachedTranscendentalFunction.h: Removed.
        * runtime/DateInstanceCache.h:
        * runtime/Intrinsic.h:
        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncCos):
        (JSC::mathProtoFuncSin):
        * runtime/VM.h:

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
        https://bugs.webkit.org/show_bug.cgi?id=123551
        <rdar://problem/15356238>

        Reviewed by Mark Hahnenberg.
        
        WatchpointSets have always had this "fire everything on deletion" policy because it
        seemed like a good fail-safe at the time I first implemented WatchpointSets. But
        it's actually causing bugs rather than providing safety:
        
        - Everyone who registers Watchpoints with WatchpointSets have separate mechanisms
          for either keeping the WatchpointSets alive or noticing when they are collected.
          So this wasn't actually providing any safety.
          
          One example of this is Structures, where:
          
          - CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
            register weak references to the Structure, and the GC will jettison a CodeBlock
            if the Structure(s) it cares about dies.
          
          - StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
            also be cleared by GC if the Structures die.
        
        - The WatchpointSet destructor would get invoked from finalization/destruction.
          This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
          method requires doing things that access heap objects. This would usually cause
          problems on VM destruction, since then the CodeBlocks would still be alive but the
          whole heap would be destroyed.
        
        This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
        that method doesn't really allocate objects, and it is likely necessary because
        jettison() may be called from deep in the stack.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::~WatchpointSet):
        * bytecode/Watchpoint.h:

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Unreviewed, fix C Loop LLINT build.

        * bytecode/CodeBlockJettisoningWatchpoint.cpp:
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):

2013-10-30  Alexey Proskuryakov  <ap@apple.com>

        Add a way to fulfill promises from DOM code
        https://bugs.webkit.org/show_bug.cgi?id=123466

        Reviewed by Sam Weinig.

        * JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
        private headers for WebCore to use.

        * runtime/JSPromise.h:
        * runtime/JSPromiseResolver.h:
        Export functions that JSDOMPromise will use.

2013-10-30  Mark Lam  <mark.lam@apple.com>

        Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI .
        https://bugs.webkit.org/show_bug.cgi?id=123444.

        Reviewed by Geoffrey Garen.

        - Introduced an explicit CallerFrameAndPC struct.
        - A CallFrame is expected to start with a CallerFrameAndPC struct. 
        - The Register class no longer supports CallFrame* and Instruction*.

          These hides the differences between JSVALUE32_64 and JSVALUE64 in
          terms of managing the callerFrame() and returnPC() values.

        - Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
          go through CallFrame to access the appropriate values and offsets.
          CallFrame, in turn, will access the callerFrame and returnPC via
          the CallerFrameAndPC struct.

        - InlineCallFrame will provide offsets for its callerFrame and
          returnPC. It will make use of CallFrame::callerFrameOffset() and
          CallerFrame::returnPCOffset() to compute these.

        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::callerFrameOffset):
        (JSC::InlineCallFrame::returnPCOffset):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
        (JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
        (JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
        - Prefixed all the above with callee since they apply to the callee frame.
        (JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
        - Added to set the callerFrame pointer in the callee frame.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLink.cpp:
        (JSC::FTL::compileEntry):
        (JSC::FTL::link):
        * interpreter/CallFrame.h:
        (JSC::ExecState::callerFrame):
        (JSC::ExecState::callerFrameOffset):
        (JSC::ExecState::returnPC):
        (JSC::ExecState::hasReturnPC):
        (JSC::ExecState::clearReturnPC):
        (JSC::ExecState::returnPCOffset):
        (JSC::ExecState::setCallerFrame):
        (JSC::ExecState::setReturnPC):
        (JSC::ExecState::callerFrameAndPC):
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitPutToCallFrameHeader):
        - Convert to using storePtr() here and simplify the code.
        (JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
        (JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
        (JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
        - Helpers to emit gets/puts of the callerFrame and returnPC.
        (JSC::AssemblyHelpers::addressForByteOffset):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompile):
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JITCall.cpp:
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::compileCallEval):
        (JSC::JIT::compileOpCall):
        * jit/JITInlines.h:
        (JSC::JIT::unmap):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        * jit/JITOperations.cpp:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::returnJSValue):
        (JSC::SpecializedThunkJIT::returnDouble):
        (JSC::SpecializedThunkJIT::returnInt32):
        (JSC::SpecializedThunkJIT::returnJSCell):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::slowPathFor):
        (JSC::nativeForGenerator):

        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        - Updated offsets and asserts to match the new CallFrame layout.

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2013-10-30  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Windows.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):

2013-10-29  Filip Pizlo  <fpizlo@apple.com>

        Add InvalidationPoints to the DFG and use them for all watchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123472

        Reviewed by Mark Hahnenberg.
        
        This makes a fundamental change to how watchpoints work in the DFG.
        
        Previously, a watchpoint was an instruction whose execution semantics were something
        like:
        
            if (watchpoint->invalidated)
                exit
        
        We would implement this without any branch by using jump replacement.
        
        This is a very good optimization. But it's a bit awkward once you get a lot of
        watchpoints: semantically we will have lots of these branches in the code, which the
        compiler needs to reason about even though they don't actually result in any emitted
        code.
        
        Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
        be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
        called into again, but it would do nothing for CodeBlocks that were already on the
        stack.
        
        This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
        replacement has nothing to do with watchpoints; instead it's something that happens if
        you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
        all of the potential call-return safe-exit-points in a CodeBlock. We call these
        "InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
        collect all of the watchpoint sets that the CodeBlock cares about, and then registering
        a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
        jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
        (because the entrypoint now points to baseline code) and can't be returned into
        (because returning exits to baseline before the next bytecode instruction).
        
        This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
        for jettison() to be used effectively for things like breakpointing and single-stepping
        in the debugger.
        
        Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
        can, at any time and for any reason, request that an optimized CodeBlock is rendered
        immediately invalid. You can use this for many cool things, I'm sure.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):
        * bytecode/CodeBlock.h:
        * bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/CodeBlockJettisoningWatchpoint.h: Added.
        (JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
        * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
        (JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::writesOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        (JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
        (JSC::DFG::AbstractHeapOverlaps::operator()):
        (JSC::DFG::AbstractHeapOverlaps::result):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::invalidate):
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        * dfg/DFGDesiredWatchpoints.cpp:
        (JSC::DFG::DesiredWatchpoints::addLazily):
        (JSC::DFG::DesiredWatchpoints::reallyAdd):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
        (JSC::DFG::GenericDesiredWatchpoints::addLazily):
        (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
        (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
        (JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
        (JSC::DFG::InvalidationPointInjectionPhase::run):
        (JSC::DFG::InvalidationPointInjectionPhase::handle):
        (JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
        (JSC::DFG::performInvalidationPointInjection):
        * dfg/DFGInvalidationPointInjectionPhase.h: Added.
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJumpReplacement.cpp: Added.
        (JSC::DFG::JumpReplacement::fire):
        * dfg/DFGJumpReplacement.h: Added.
        (JSC::DFG::JumpReplacement::JumpReplacement):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        (JSC::DFG::Plan::reallyAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp: Added.
        (JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
        (JSC::DFG::WatchpointCollectionPhase::run):
        (JSC::DFG::WatchpointCollectionPhase::handle):
        (JSC::DFG::WatchpointCollectionPhase::handleEdge):
        (JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
        (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
        (JSC::DFG::WatchpointCollectionPhase::addLazily):
        (JSC::DFG::WatchpointCollectionPhase::globalObject):
        (JSC::DFG::performWatchpointCollection):
        * dfg/DFGWatchpointCollectionPhase.h: Added.
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
        * jit/JITOperations.cpp:
        * jit/JumpReplacementWatchpoint.cpp: Removed.
        * jit/JumpReplacementWatchpoint.h: Removed.

2013-10-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to 
        Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class 
        are met with a type error stating that it cannot be called as a constructor.

        It would be nice to expand JSExport's functionality to support this idiom. It is a natural 
        extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and 
        JavaScript client code.

        The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes. 
        Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown 
        ObjCCallbackFunction object which can already properly handle being invoked as a constructor.

        * API/JSWrapperMap.mm:
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::impl):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
        (JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
        (JSC::ObjCCallbackFunctionImpl::isConstructible):
        (JSC::ObjCCallbackFunction::getConstructData):
        (JSC::ObjCCallbackFunctionImpl::name):
        (JSC::ObjCCallbackFunctionImpl::call):
        (objCCallbackFunctionForInvocation):
        (objCCallbackFunctionForInit):
        (tryUnwrapConstructor):
        * API/tests/testapi.mm:
        (-[TextXYZ initWithString:]):
        (-[ClassA initWithA:]):
        (-[ClassB initWithA:b:]):
        (-[ClassC initWithA:]):
        (-[ClassC initWithA:b:]):

2013-10-30  peavo@outlook.com  <peavo@outlook.com>

        [Win] Compile errors when enabling DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=120998

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * dfg/DFGAllocator.h: Removed scope.
        * dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
        (JSC::DFG::globalWorklist):
        * heap/DeferGC.h: Link fix, member needs to be public.
        * jit/JITOperationWrappers.h: Added required assembler macros.

2013-10-30  Iago Toral Quiroga  <itoral@igalia.com>

        Add result caching for Math.cos
        https://bugs.webkit.org/show_bug.cgi?id=123255

        Reviewed by Brent Fulgham.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncCos):
        * runtime/VM.h:

2013-10-30  Alex Christensen  <achristensen@webkit.org>

        Disabled JIT on Win64.
        https://bugs.webkit.org/show_bug.cgi?id=122472

        Reviewed by Geoffrey Garen.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        Disabled building JITStubsMSVC64.

2013-10-29  Michael Saboff  <msaboff@apple.com>

        Change local variable register allocation to start at offset -1
        https://bugs.webkit.org/show_bug.cgi?id=123182

        Reviewed by Geoffrey Garen.

        Adjusted the virtual register mapping down by one slot.  Reduced
        the CallFrame header slots offsets by one.  They now start at 0.
        Changed arity fixup to no longer skip passed register slot 0 as this
        is now part of the CallFrame header.

        * bytecode/VirtualRegister.h:
        (JSC::operandIsLocal):
        (JSC::operandIsArgument):
        (JSC::VirtualRegister::localToOperand):
        (JSC::VirtualRegister::operandToLocal):
          Adjusted functions for shift in mapping from local to register offset.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * interpreter/CallFrame.h:
        (JSC::ExecState::frameExtent):
        (JSC::ExecState::offsetFor):
        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::executeCall):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
          Adjusted math to accomodate for shift in call frame slots.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::frameExtentInternal):
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::pushFrame):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_slow_path_stack_check):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
          Fixed offset calculation to use VirtualRegister and related calculation instead of
          doing seperate calculations.

        * interpreter/JSStack.h:
          Adjusted CallFrame slots down by one.  Did some miscellaneous fixing of dumpRegisters()
          in the process of testing the fixes.

        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
          Changed arity fixup to no longer skip passed register slot 0 as this
          is now part of the CallFrame header.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
          Changed arity fixup to no longer skip passed register slot 0 as this
          is now part of the CallFrame header.  Updated op_enter processing for
          the change in local registers.

        * runtime/JSGlobalObject.h:
          Removed the now unneeded extra slot in the global callframe

2013-10-29  Julien Brianceau  <jbriance@cisco.com>

        [arm] Fix lots of crashes because of 4th argument register trampling.
        https://bugs.webkit.org/show_bug.cgi?id=123421

        Reviewed by Michael Saboff.

        r3 register is the 4th argument register for ARM and also a scratch
        register in the baseline JIT for this architecture. We can use r6
        instead, as this used to be the timeoutCheckRegister and it is no
        longer used since r148119.

        * assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
        * assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
        * jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/JITStubsARM.h:
        (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
        * jit/JITStubsARMv7.h:
        (JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
        * jit/JSInterfaceJIT.h: Remove useless stuff.
        * yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
        (JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
        (JSC::Yarr::YarrGenerator::generateReturn):

2013-10-29  Julien Brianceau  <jbriance@cisco.com>

        Fix CPU(ARM_TRADITIONAL) build after r157690.
        https://bugs.webkit.org/show_bug.cgi?id=123247

        Reviewed by Michael Saboff.

        Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
        and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
        As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
        this part of code still needs to be called and absolute jumps must be corrected to anticipate
        the copy of the executable code through memcpy.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
        and correct absolute jump values using the delta between the source and destination buffers.
        * assembler/ARMAssembler.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.

2013-10-28  Filip Pizlo  <fpizlo@apple.com>

        OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
        https://bugs.webkit.org/show_bug.cgi?id=123423

        Reviewed by Mark Hahnenberg.
        
        Also enable ExitKind to tell you if it's a watchpoint.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        (JSC::isWatchpoint):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::appendExitInfo):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        (JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-10-28  Myles C. Maxfield  <mmaxfield@apple.com>

        Parsing support for -webkit-text-decoration-skip: ink
        https://bugs.webkit.org/show_bug.cgi?id=123358

        Reviewed by Dean Jackson.

        Adding ENABLE(CSS3_TEXT_DECORATION)

        * Configurations/FeatureDefines.xcconfig:

2013-10-24  Filip Pizlo  <fpizlo@apple.com>

        Get rid of InlineStart so that I don't have to implement it in FTL
        https://bugs.webkit.org/show_bug.cgi?id=123302

        Reviewed by Geoffrey Garen.
        
        InlineStart was a special instruction that we would insert at the top of inlined code,
        so that the backend could capture the OSR state of arguments to an inlined call. It used
        to be that only the backend had this information, so this instruction was sort of an ugly
        callback from the backend for filling in some data structures.
        
        But in the time since when that code was written (two years ago?), we rationalized how
        variables work. It's now the case that variables that the runtime must know about are
        treated specially in IR (they are "flushed") and we know how we will represent them even
        before we get to the backend. The last place that makes changes to their representation
        is the StackLayoutPhase.
        
        So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
        instruction had. Instead of handling the bookkeeping in the backend, we handle it in
        StackLayoutPhase. This means that the DFG and FTL can share code for handling this
        bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
        
        Of course, giving the FTL the ability to handle code blocks that had inlining means that
        we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
        frames. This patch also fixes that.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):

2013-10-24  Filip Pizlo  <fpizlo@apple.com>

        The GetById->GetByOffset AI-based optimization should actually do things
        https://bugs.webkit.org/show_bug.cgi?id=123299

        Reviewed by Oliver Hunt.
        
        20% speed-up on Octane/gbemu.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.

2013-10-28  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files to compilation.

2013-10-25  Oliver Hunt  <oliver@apple.com>

        Refactor parser rollback logic
        https://bugs.webkit.org/show_bug.cgi?id=123372

        Reviewed by Brady Eidson.

        Add a sane abstraction for rollbacks in the parser.

        * parser/Parser.cpp:
        (JSC::::parseSourceElements):
        (JSC::::parseObjectLiteral):
        * parser/Parser.h:
        (JSC::Parser::createSavePoint):
        (JSC::Parser::restoreSavePoint):

2013-10-25  peavo@outlook.com  <peavo@outlook.com>

        [Win] Javascript crash with DFG JIT enabled.
        https://bugs.webkit.org/show_bug.cgi?id=121001

        Reviewed by Geoffrey Garen.

        On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
        results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
        where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
        This causes the register to be written to address 0, hence the crash.
  
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator): Ditto.

2013-10-25  Oliver Hunt  <oliver@apple.com>

        Fix a number of problems with destructuring of arguments
        https://bugs.webkit.org/show_bug.cgi?id=123357

        Reviewed by Filip Pizlo.

        This renames the destructuring node's emitBytecode to bindValue
        in order to remove the existing confusion over what was happening.

        We then fix an incorrect fall through in the destructuring arguments
        logic, and fix the then exposed bug where we placed the index rather
        than value into the bound property.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::DeconstructingAssignmentNode::emitBytecode):
        (JSC::ArrayPatternNode::bindValue):
        (JSC::ArrayPatternNode::emitDirectBinding):
        (JSC::ObjectPatternNode::bindValue):
        (JSC::BindingNode::bindValue):
        * parser/Nodes.h:

2013-10-25  Joseph Pecoraro  <pecoraro@apple.com>

        Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
        https://bugs.webkit.org/show_bug.cgi?id=123111

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2013-10-25  Oliver Hunt  <oliver@apple.com>

        Fix MSVC again

        * parser/Parser.cpp:

2013-10-25  Oliver Hunt  <oliver@apple.com>

        Fix MSVC

        * parser/Parser.cpp:

2013-10-25  Oliver Hunt  <oliver@apple.com>

        Improve JSC Parser error messages
        https://bugs.webkit.org/show_bug.cgi?id=123341

        Reviewed by Andreas Kling.

        This patch moves away from the current cludgy mechanisms used to produce
        error messages and moves to something closer to case by case errors.

        This results in a large change size as previously we may just have
        'failIfFalse(foo)', but now the logic becomes either
        'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
        Or alternatively

        if (!foo)
            check for 'interesting' errors, before falling back to generic error

        This means that this patch is large, but produces no semantic changes, and
        only hits slow (e.g. error) paths.

        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseSourceElements):
        (JSC::::parseVarDeclaration):
        (JSC::::parseConstDeclaration):
        (JSC::::parseDoWhileStatement):
        (JSC::::parseWhileStatement):
        (JSC::::parseVarDeclarationList):
        (JSC::::createBindingPattern):
        (JSC::::parseDeconstructionPattern):
        (JSC::::parseConstDeclarationList):
        (JSC::::parseForStatement):
        (JSC::::parseBreakStatement):
        (JSC::::parseContinueStatement):
        (JSC::::parseReturnStatement):
        (JSC::::parseThrowStatement):
        (JSC::::parseWithStatement):
        (JSC::::parseSwitchStatement):
        (JSC::::parseSwitchClauses):
        (JSC::::parseSwitchDefaultClause):
        (JSC::::parseTryStatement):
        (JSC::::parseDebuggerStatement):
        (JSC::::parseBlockStatement):
        (JSC::::parseStatement):
        (JSC::::parseFormalParameters):
        (JSC::::parseFunctionBody):
        (JSC::stringForFunctionMode):
        (JSC::::parseFunctionInfo):
        (JSC::::parseFunctionDeclaration):
        (JSC::::parseExpressionOrLabelStatement):
        (JSC::::parseExpressionStatement):
        (JSC::::parseIfStatement):
        (JSC::::parseExpression):
        (JSC::::parseAssignmentExpression):
        (JSC::::parseConditionalExpression):
        (JSC::::parseBinaryExpression):
        (JSC::::parseProperty):
        (JSC::::parseObjectLiteral):
        (JSC::::parseStrictObjectLiteral):
        (JSC::::parseArrayLiteral):
        (JSC::::parsePrimaryExpression):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        (JSC::operatorString):
        (JSC::::parseUnaryExpression):
        (JSC::::printUnexpectedTokenText):
        * parser/Parser.h:
        (JSC::Scope::hasDeclaredVariable):
        (JSC::Scope::hasDeclaredParameter):
        (JSC::Parser::hasDeclaredVariable):
        (JSC::Parser::hasDeclaredParameter):
        (JSC::Parser::setErrorMessage):

2013-10-24  Mark Rowe  <mrowe@apple.com>

        Remove references to OS X 10.7 from Xcode configuration settings.

        Now that we're not building for OS X 10.7 they're no longer needed.

        Reviewed by Anders Carlsson.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

2013-10-24  Mark Rowe  <mrowe@apple.com>

        <rdar://problem/15312643> Prepare for the mysterious future.

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

2013-10-24  Mark Lam  <mark.lam@apple.com>

        Better way to fix part of broken C Loop LLINT build.
        https://bugs.webkit.org/show_bug.cgi?id=123271.

        Reviewed by Geoffrey Garen.

        Undoing offline asm hackery.

        * llint/LowLevelInterpreter.cpp:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:

2013-10-24  Mark Lam  <mark.lam@apple.com>

        Fix broken C Loop LLINT build.
        https://bugs.webkit.org/show_bug.cgi?id=123271.

        Reviewed by Michael Saboff.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
        (JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
        * bytecode/StructureStubInfo.h:
        - Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
          in function prototypes even when !ENABLE(JIT). Rather that adding #if's
          in many places, we just provide a stub/placeholder implementation that
          is unused but keeps the compiler happy.
        * jit/JITOperations.h: Added #if ENABLE(JIT).
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        - The putByVal() macro reifies a slow path which is never taken in one case.
          This translates into a label that is never used in the C Loop LLINT. The
          C++ compiler doesn't like unused labels. So, we fix this by adding a
          cloopUnusedLabel offline asm instruction that synthesizes the following:

              if (false) goto unusedLabel;

          This keeps the C++ compiler happy without changing code behavior.
        * offlineasm/cloop.rb: Implementing cloopUnusedLabel.
        * offlineasm/instructions.rb: Declaring cloopUnusedLabel.
        * runtime/Executable.cpp:
        (JSC::setupJIT): Added UNUSED_PARAM()s.
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        - run-javascriptcore-tests have phases that forces the LLINT to be off
          which in turn asserts that the JIT is enabled. With the C Loop LLINT,
          this combination is illegal. So, we override the setup code here to
          always use the LLINT if !ENABLE(JIT) regardless of what options are
          passed in.

2013-10-24  peavo@outlook.com  <peavo@outlook.com>

        Uninitialized member causes crash when DFG JIT is not enabled.
        https://bugs.webkit.org/show_bug.cgi?id=123270

        Reviewed by Brent Fulgham.

        The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
        This causes an early crash on Windows, which doesn't have DFG JIT enabled.

        * runtime/VM.cpp:
        (JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.

2013-10-24  Ryuan Choi  <ryuan.choi@samsung.com>

        [EFL] Build break with latest EFL 1.8 libraries.
        https://bugs.webkit.org/show_bug.cgi?id=123245

        Reviewed by Gyuyoung Kim.

        After fixed build break on EFL 1.8 at r138326, EFL libraries are changed
        Eo typedef and splitted header files which contain version macro.

        * PlatformEfl.cmake: Added EO path to include directories.
        * heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exist.

2013-10-23  Filip Pizlo  <fpizlo@apple.com>

        Put all uses of LLVM intrinsics behind a single Option
        https://bugs.webkit.org/show_bug.cgi?id=123219

        Reviewed by Mark Hahnenberg.

        * ftl/FTLExitThunkGenerator.cpp:
        (JSC::FTL::ExitThunkGenerator::emitThunk):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::generateExitThunks):
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileFTLOSRExit):
        * runtime/Options.h:

2013-10-23  Daniel Bates  <dabates@apple.com>

        Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
        (https://bugs.webkit.org/show_bug.cgi?id=123169)

        Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.

        * Configurations/Base.xcconfig:

2013-10-23  Michael Saboff  <msaboff@apple.com>

        LLInt arity check exception processing should start unwinding from caller
        https://bugs.webkit.org/show_bug.cgi?id=123209

        Reviewed by Oliver Hunt.

        Use the caller frame returned from slow_path_call_arityCheck to process exceptions.

        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-10-22  Filip Pizlo  <fpizlo@apple.com>

        FTL should be able to do some simple inline caches using LLVM patchpoints
        https://bugs.webkit.org/show_bug.cgi?id=123164

        Reviewed by Mark Hahnenberg.
        
        This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
        
        The idea is that we ask LLVM for a nop slide the size of a GetById inline
        cache and then fill in the code after LLVM compilation is complete. For now, we
        just use the system calling convention for the arguments and return. We also
        still make some assumptions about registers that aren't correct. But, most of
        the scaffolding is there and this will successfully patch an inline cache.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::link):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::constNull):
        (JSC::FTL::buildCall):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheDescriptor.h: Added.
        (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
        (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
        (JSC::FTL::GetByIdDescriptor::stackmapID):
        (JSC::FTL::GetByIdDescriptor::codeOrigin):
        (JSC::FTL::GetByIdDescriptor::uid):
        * ftl/FTLInlineCacheSize.cpp: Added.
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        * ftl/FTLInlineCacheSize.h: Added.
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::directGPR):
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::call):
        * ftl/FTLSlowPathCall.cpp: Added.
        (JSC::FTL::callOperation):
        * ftl/FTLSlowPathCall.h: Added.
        (JSC::FTL::SlowPathCall::SlowPathCall):
        (JSC::FTL::SlowPathCall::call):
        (JSC::FTL::SlowPathCall::key):
        * ftl/FTLSlowPathCallKey.cpp: Added.
        (JSC::FTL::SlowPathCallKey::dump):
        * ftl/FTLSlowPathCallKey.h: Added.
        (JSC::FTL::SlowPathCallKey::SlowPathCallKey):
        (JSC::FTL::SlowPathCallKey::usedRegisters):
        (JSC::FTL::SlowPathCallKey::callTarget):
        (JSC::FTL::SlowPathCallKey::offset):
        (JSC::FTL::SlowPathCallKey::isEmptyValue):
        (JSC::FTL::SlowPathCallKey::isDeletedValue):
        (JSC::FTL::SlowPathCallKey::operator==):
        (JSC::FTL::SlowPathCallKey::hash):
        (JSC::FTL::SlowPathCallKeyHash::hash):
        (JSC::FTL::SlowPathCallKeyHash::equal):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::directGPR):
        * ftl/FTLStackMaps.h:
        * ftl/FTLState.h:
        * ftl/FTLThunks.cpp:
        (JSC::FTL::slowPathCallThunkGenerator):
        * ftl/FTLThunks.h:
        (JSC::FTL::Thunks::getSlowPathCallThunk):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/GPRInfo.h:
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::garbageStubInfo):
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::finalize):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITByIdGenerator::slowPathBegin):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::stackRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::allGPRs):
        (JSC::RegisterSet::allFPRs):
        (JSC::RegisterSet::allRegisters):
        (JSC::RegisterSet::dump):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::exclude):
        (JSC::RegisterSet::numberOfSetRegisters):
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::isEmptyValue):
        (JSC::RegisterSet::isDeletedValue):
        (JSC::RegisterSet::operator==):
        (JSC::RegisterSet::hash):
        (JSC::RegisterSetHash::hash):
        (JSC::RegisterSetHash::equal):
        * runtime/Options.h:

2013-10-22  Filip Pizlo  <fpizlo@apple.com>

        jitCompileAndSetHeuristics should DeferGCForAWhile
        https://bugs.webkit.org/show_bug.cgi?id=123196

        Reviewed by Mark Hahnenberg.
        
        This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
        my machines. I don't think this is testable; we just need to steadily converge towards
        getting our uses of DeferGC to be right and then be careful not to regress. We're not
        there yet, obviously.
        
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::jitCompileAndSetHeuristics):

2013-10-23  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream more JavaScriptCore build configuration changes
        https://bugs.webkit.org/show_bug.cgi?id=123169

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig:
        * Configurations/Version.xcconfig:
        * Configurations/iOS.xcconfig: Added.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-10-23  Daniel Bates  <dabates@apple.com>

        [iOS] Export DefaultGCActivityCallback member functions
        https://bugs.webkit.org/show_bug.cgi?id=123175

        Reviewed by David Kilzer.

        * runtime/GCActivityCallback.h:

2013-10-23  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream more ARMv7s bits
        https://bugs.webkit.org/show_bug.cgi?id=123052

        Reviewed by Joseph Pecoraro.

        * Configurations/JavaScriptCore.xcconfig:

2013-10-22  Andreas Kling  <akling@apple.com>

        Minor VM* -> VM& cleanups in HashTable and Keywords.
        <https://webkit.org/b/123183>

        Turn some VM* variables that will never be null into VM&.

        Reviewed by Geoffrey Garen.

2013-10-22  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
        https://bugs.webkit.org/show_bug.cgi?id=123179

        Reviewed by Mark Hahnenberg.

        * parser/NodeConstructors.h:
        (JSC::LogicalOpNode::LogicalOpNode):
        * parser/ResultType.h:
        (JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
        This is JavaScript (aka Sparta).

2013-10-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157819.
        http://trac.webkit.org/changeset/157819
        https://bugs.webkit.org/show_bug.cgi?id=123180

        Broke 32-bit builds (Requested by smfr on #webkit).

        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig:

2013-10-22  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream more ARMv7s bits
        https://bugs.webkit.org/show_bug.cgi?id=123052

        Reviewed by Joseph Pecoraro.

        * Configurations/JavaScriptCore.xcconfig:
        * Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
        modifying a file in JavaScriptCore/Configurations.

2013-10-22  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSLock changes
        https://bugs.webkit.org/show_bug.cgi?id=123107

        Reviewed by Geoffrey Garen.

        * runtime/JSLock.cpp:
        (JSC::JSLock::unlock):
        (JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
        (JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
        use pre-increment instead of post-increment when we're not using the return value of the instruction.
        (JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
        places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
        since we don't use the return value of such instructions.
        (JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
        Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
        (JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
        * runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
        the argument is sufficiently descriptive of its purpose.

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
        https://bugs.webkit.org/show_bug.cgi?id=123166

        Reviewed by Michael Saboff.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [sh4][mips][arm] Fix crashes in JSC (32-bit only).
        https://bugs.webkit.org/show_bug.cgi?id=123165

        Reviewed by Michael Saboff.

        * jit/JITInlines.h:
        (JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
        (JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
        (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
        (JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
        https://bugs.webkit.org/show_bug.cgi?id=123092

        Reviewed by Michael Saboff.

        Impacted architectures are SH4 and ARM_TRADITIONAL.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::buffer):
        * assembler/AssemblerBufferWithConstantPool.h:
        (JSC::AssemblerBufferWithConstantPool::flushConstantPool):
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::linkCode):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::buffer):

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        Remove unused stuff in JIT stubs.
        https://bugs.webkit.org/show_bug.cgi?id=123155

        Reviewed by Michael Saboff.

        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        (JSC::ctiTrampoline):
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:

2013-10-22  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
        https://bugs.webkit.org/show_bug.cgi?id=123115
        <rdar://problem/13696872>

        Reviewed by Andy Estes.

        Based on a patch by Mark Hahnenberg.

        Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.

        * API/JSBase.cpp:

2013-10-22  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister(). 
        https://bugs.webkit.org/show_bug.cgi?id=123157

        Reviewed by Andreas Kling.

        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::lastRegister):
        (JSC::SH4Assembler::firstFPRegister):
        (JSC::SH4Assembler::lastFPRegister):

2013-10-22  Brian Holt  <brian.holt@samsung.com>

        Build break on ARMv7 after r157209
        https://bugs.webkit.org/show_bug.cgi?id=122890

        Reviewed by Csaba Osztrogonác.

        Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.

        * assembler/ARMAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::firstRegister):
        (JSC::MacroAssemblerARM::lastRegister):
        (JSC::MacroAssemblerARM::firstFPRegister):
        (JSC::MacroAssemblerARM::lastFPRegister):

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
        https://bugs.webkit.org/show_bug.cgi?id=123045

        Reviewed by Joseph Pecoraro.

        * jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
        to global method table.
        * runtime/JSGlobalObject.cpp: Ditto.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream JSC Objective-C API compiler warning fixes
        https://bugs.webkit.org/show_bug.cgi?id=123125

        Reviewed by Mark Hahnenberg.

        Based on a patch by Mark Hahnenberg.

        * API/JSValue.mm:
        (-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
        (-[JSValue toSize]): Ditto.
        * API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.

2013-10-21  Daniel Bates  <dabates@apple.com>

        [iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
        available since iOS 7.0
        https://bugs.webkit.org/show_bug.cgi?id=123122

        Reviewed by Dan Bernstein.

        * API/JSContext.h:
        * API/JSManagedValue.h:
        * API/JSValue.h:
        * API/JSVirtualMachine.h:

2013-10-20  Mark Lam  <mark.lam@apple.com>

        Avoid JSC debugger overhead unless needed.
        https://bugs.webkit.org/show_bug.cgi?id=123084.

        Reviewed by Geoffrey Garen.

        - If no breakpoints are set, we now avoid calling the debug hook callbacks.
        - If no break on exception is set, we also avoid exception event debug callbacks.
        - When we return from the ScriptDebugServer to the JSC::Debugger, we may no
          longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
          pointer in the ScriptDebugServer may become stale. To avoid this issue, before
          returning, the ScriptDebugServer will clear its m_currentCallFrame if
          needsOpDebugCallbacks() is false.

        * debugger/Debugger.cpp:
        (JSC::Debugger::Debugger):
        (JSC::Debugger::setNeedsExceptionCallbacks):
        (JSC::Debugger::setShouldPause):
        (JSC::Debugger::updateNumberOfBreakpoints):
        (JSC::Debugger::updateNeedForOpDebugCallbacks):
        * debugger/Debugger.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::debug):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_debug):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_debug):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:

2013-10-21  Brent Fulgham  <bfulgham@apple.com>

        [WIN] Unreviewed build correction.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
          sources, not header files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-10-21  Oliver Hunt  <oliver@apple.com>

        Support computed property names in object literals
        https://bugs.webkit.org/show_bug.cgi?id=123112

        Reviewed by Michael Saboff.

        Add support for computed property names to the parser.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createProperty):
        (JSC::ASTBuilder::getName):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        * parser/Nodes.h:
        (JSC::PropertyNode::expressionName):
        (JSC::PropertyNode::name):
        * parser/Parser.cpp:
        (JSC::::parseProperty):
        (JSC::::parseStrictObjectLiteral):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::Property::Property):
        (JSC::SyntaxChecker::createProperty):
        (JSC::SyntaxChecker::operatorStackPop):

2013-10-21  Michael Saboff  <msaboff@apple.com>

        Add option so that JSC will crash if it can't allocate executable memory for the JITs
        https://bugs.webkit.org/show_bug.cgi?id=123048
        <rdar://problem/12856193>

        Reviewed by Geoffrey Garen.

        Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
        when checking the validity of the executable allocator. The default value for this option is
        false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
        the app can obtain executable memory.

        * jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
        (main):
        * runtime/Options.h: Added option crashIfCantAllocateJITMemory.
        * runtime/VM.cpp:
        (JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
        is enabled.

2013-10-21  Nadav Rotem  <nrotem@apple.com>

        Remove AllInOneFile.cpp
        https://bugs.webkit.org/show_bug.cgi?id=123055

        Reviewed by Csaba Osztrogonác.

        * AllInOneFile.cpp: Removed.

2013-10-20  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, cleanup a FIXME comment.

        * jit/Repatch.cpp:

2013-10-20  Filip Pizlo  <fpizlo@apple.com>

        StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
        https://bugs.webkit.org/show_bug.cgi?id=123076

        Reviewed by Sam Weinig.
        
        Start preparing for a world in which we are patching code generated by LLVM, which may have
        very different register usage conventions than our JITs. This requires us being more explicit
        about the registers we are using. For example, the repatching code shouldn't take for granted
        that tagMaskRegister holds the TagMask or that the register is even in use.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::numberOfRegisters):
        (JSC::MacroAssembler::registerIndex):
        (JSC::MacroAssembler::numberOfFPRegisters):
        (JSC::MacroAssembler::fpRegisterIndex):
        (JSC::MacroAssembler::totalNumberOfRegisters):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::bytesForGPRs):
        (JSC::FTL::bytesForFPRs):
        (JSC::FTL::offsetOfGPR):
        (JSC::FTL::offsetOfFPR):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/RegisterSet.cpp: Added.
        (JSC::RegisterSet::specialRegisters):
        * jit/RegisterSet.h: Added.
        (JSC::RegisterSet::RegisterSet):
        (JSC::RegisterSet::set):
        (JSC::RegisterSet::clear):
        (JSC::RegisterSet::get):
        (JSC::RegisterSet::merge):
        * jit/Repatch.cpp:
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::tryRepatchIn):
        (JSC::linkClosureCall):
        * jit/TempRegisterSet.cpp: Added.
        (JSC::TempRegisterSet::TempRegisterSet):
        * jit/TempRegisterSet.h:

2013-10-20  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix build (broken since r157690).
        https://bugs.webkit.org/show_bug.cgi?id=123081

        Reviewed by Andreas Kling.

        * assembler/AssemblerBufferWithConstantPool.h:
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::buffer):
        (JSC::SH4Assembler::readCallTarget):

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
        https://bugs.webkit.org/show_bug.cgi?id=123079

        Reviewed by Geoffrey Garen.

        * jit/TempRegisterSet.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Rename RegisterSet to TempRegisterSet
        https://bugs.webkit.org/show_bug.cgi?id=123077

        Reviewed by Dan Bernstein.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::usedRegisters):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/RegisterSet.h: Removed.
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        * jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
        (JSC::TempRegisterSet::TempRegisterSet):
        (JSC::TempRegisterSet::asPOD):
        (JSC::TempRegisterSet::copyInfo):

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Restructure LinkBuffer to allow for alternate allocation strategies
        https://bugs.webkit.org/show_bug.cgi?id=123071

        Reviewed by Oliver Hunt.
        
        The idea is to eventually allow a LinkBuffer to place the code into an already
        allocated region of memory.  That region of memory could be the nop-slide left behind
        by a llvm.webkit.patchpoint.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::buffer):
        * assembler/AssemblerBuffer.h:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::copyCompactAndLinkCode):
        (JSC::LinkBuffer::linkCode):
        (JSC::LinkBuffer::allocate):
        (JSC::LinkBuffer::shrink):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::LinkBuffer):
        (JSC::LinkBuffer::didFailToAllocate):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::buffer):
        (JSC::X86Assembler::X86InstructionFormatter::memoryModRM):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        Some includes in JSC seem to use an incorrect style
        https://bugs.webkit.org/show_bug.cgi?id=123057

        Reviewed by Geoffrey Garen.

        Changed pseudo-system includes to user ones.

        * API/JSContextRef.cpp:
        * API/JSStringRefCF.cpp:
        * API/JSValueRef.cpp:
        * API/OpaqueJSString.cpp:
        * jit/JIT.h:
        * parser/SyntaxChecker.h:
        * runtime/WeakGCMap.h:

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT and DFG IC code generation should be unified and rationalized
        https://bugs.webkit.org/show_bug.cgi?id=122939

        Reviewed by Geoffrey Garen.
        
        Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
        some register info and creates JIT inline caches for you. Used this to even furhter
        unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
        is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
        that it needs to do the equivalent of get_by_id, so with this generator it will be able
        to create an IC even though it wasn't associated with a get_by_id bytecode instruction.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::DataLabelCompact::label):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::ecmaMode):
        * dfg/DFGInlineCacheWrapper.h: Added.
        (JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
        * dfg/DFGInlineCacheWrapperInlines.h: Added.
        (JSC::DFG::::finalize):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addGetById):
        (JSC::DFG::JITCompiler::addPutById):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::isStrictModeFor):
        (JSC::AssemblyHelpers::strictModeFor):
        * jit/GPRInfo.h:
        (JSC::JSValueRegs::tagGPR):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineCacheGenerator.cpp: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::finalize):
        (JSC::JITByIdGenerator::generateFastPathChecks):
        (JSC::JITGetByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        (JSC::JITPutByIdGenerator::generateFastPath):
        (JSC::JITPutByIdGenerator::slowPathFunction):
        * jit/JITInlineCacheGenerator.h: Added.
        (JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
        (JSC::JITInlineCacheGenerator::stubInfo):
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITByIdGenerator::reportSlowPathCall):
        (JSC::JITByIdGenerator::slowPathJump):
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::set):

2013-10-19  Alexey Proskuryakov  <ap@apple.com>

        APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
        https://bugs.webkit.org/show_bug.cgi?id=123067

        Reviewed by Geoffrey Garen.

        * API/APICast.h: Include it.

2013-10-19  Filip Pizlo  <fpizlo@apple.com>

        FTL::Location should treat the offset as an addend in the case of a Register location
        https://bugs.webkit.org/show_bug.cgi?id=123062

        Reviewed by Sam Weinig.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::hasAddend):
        (JSC::FTL::Location::addend):

2013-10-19  Nadav Rotem  <nrotem@apple.com>

        DFG dominators: document and rename stuff.
        https://bugs.webkit.org/show_bug.cgi?id=123056

        Reviewed by Filip Pizlo.

        Documented the code and renamed some variables.

        * dfg/DFGDominators.cpp:
        (JSC::DFG::Dominators::compute):
        (JSC::DFG::Dominators::pruneDominators):
        * dfg/DFGDominators.h:

2013-10-19  Julien Brianceau  <jbriance@cisco.com>

        Fix build failure for architectures with 4 argument registers.
        https://bugs.webkit.org/show_bug.cgi?id=123060

        Reviewed by Michael Saboff.

        Add missing setupArgumentsWithExecState() prototypes for architecture with 4 argument registers.
        Remove SH4 specific code no longer needed since callOperation prototype change in r157660.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
        https://bugs.webkit.org/show_bug.cgi?id=122940

        Reviewed by Oliver Hunt.
        
        This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
        whereas previously it was in a Vector, so it moved. This allows you to use pointers to
        StructureStubInfo. This also eliminates the use of return PC as a way of finding the
        StructureStubInfo's. It removes some of the need for the compile-time property access
        records; for example the DFG no longer has to save information about registers in a
        property access record only to later save it to the stub info.
        
        The main thing is accomplishes is that it makes it easier to add StructureStubInfo's
        at any stage of compilation.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::addStubInfo):
        (JSC::CodeBlock::getStubInfoMap):
        (JSC::CodeBlock::shrinkToFit):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::begin):
        (JSC::CodeBlock::end):
        (JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::CodeOrigin):
        (JSC::CodeOrigin::isHashTableDeletedValue):
        (JSC::CodeOrigin::hash):
        (JSC::CodeOriginHash::hash):
        (JSC::CodeOriginHash::equal):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        * bytecode/GetByIdStatus.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeFor):
        * bytecode/PutByIdStatus.h:
        * bytecode/StructureStubInfo.h:
        (JSC::getStructureStubInfoCodeOrigin):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::InRecord::InRecord):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::slowCaseInfo):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::appropriateGenericPutByIdFunction):
        (JSC::appropriateListBuildingPutByIdFunction):
        (JSC::resetPutByID):

2013-10-18  Oliver Hunt  <oliver@apple.com>

        Spread operator should be performing direct "puts" and not triggering setters
        https://bugs.webkit.org/show_bug.cgi?id=123047

        Reviewed by Geoffrey Garen.

        Add a new opcode -- op_put_by_val_directue -- and make use of it in the spread
        to array construct.  This required a new PutByValDirect node to be introduced to
        the DFG.  The current implementation simply changes the slow path function that
        is called, but in future this could be made faster as it does not need to check
        the prototype chain.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Opcode.h:
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDirectPutByVal):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        (JSC::DFG::putByVal):
        (JSC::DFG::operationPutByValInternal):
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::compileDirectPutByVal):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-10-18  Daniel Bates  <dabates@apple.com>

        [iOS] Export symbol for VM::sharedInstanceExists()
        https://bugs.webkit.org/show_bug.cgi?id=123046

        Reviewed by Mark Hahnenberg.

        * runtime/VM.h:

2013-10-18  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
        https://bugs.webkit.org/show_bug.cgi?id=123049

        Reviewed by Mark Hahnenberg.

        * heap/Heap.cpp:
        (JSC::Heap::setIncrementalSweeper):
        * heap/Heap.h:
        * heap/HeapTimer.h:
        * heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
        Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
        (we include its header in the .cpp file) and remove include for header wtf/HashSet.h
        (duplicates the include in the .cpp).
        * heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
        making use of this now, but we'll make use of it in a subsequent patch.

2013-10-18  Anders Carlsson  <andersca@apple.com>

        Remove spaces between template angle brackets
        https://bugs.webkit.org/show_bug.cgi?id=123040

        Reviewed by Andreas Kling.

        * API/JSCallbackObject.cpp:
        (JSC::::create):
        * API/JSObjectRef.cpp:
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::constants):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/DFGExitProfile.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Operands.h:
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::constantRegisters):
        * bytecode/Watchpoint.h:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/StaticPropertyAnalysis.h:
        * bytecompiler/StaticPropertyAnalyzer.h:
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        * dfg/DFGBlockInsertionSet.h:
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::performCSE):
        (JSC::DFG::performStoreElimination):
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredStructureChains.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGWorklist.h:
        * heap/BlockAllocator.h:
        (JSC::CopiedBlock):
        (JSC::MarkedBlock):
        (JSC::WeakBlock):
        (JSC::MarkStackSegment):
        (JSC::CopyWorkListSegment):
        (JSC::HandleBlock):
        * heap/Heap.h:
        * heap/Local.h:
        * heap/MarkedBlock.h:
        * heap/Strong.h:
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::decodedCodeMapFor):
        * jit/AssemblyHelpers.h:
        * jit/SpecializedThunkJIT.h:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseIfStatement):
        * parser/Parser.h:
        (JSC::Scope::copyCapturedVariablesToVector):
        (JSC::parse):
        * parser/ParserArena.h:
        * parser/SourceProviderCacheItem.h:
        * profiler/LegacyProfiler.cpp:
        (JSC::dispatchFunctionToProfiles):
        * profiler/LegacyProfiler.h:
        (JSC::LegacyProfiler::currentProfiles):
        * profiler/ProfileNode.h:
        (JSC::ProfileNode::children):
        * profiler/ProfilerDatabase.h:
        * runtime/Butterfly.h:
        (JSC::Butterfly::contiguousInt32):
        (JSC::Butterfly::contiguous):
        * runtime/GenericTypedArrayViewInlines.h:
        (JSC::::create):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        * runtime/JSPromise.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyNameArray.h:
        * runtime/RegExpCache.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/SymbolTable.h:
        * runtime/VM.h:
        * tools/CodeProfile.cpp:
        (JSC::truncateTrace):
        * tools/CodeProfile.h:
        * yarr/YarrInterpreter.cpp:
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::BytecodePattern::BytecodePattern):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
        (JSC::Yarr::YarrGenerator::opCompileBody):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        * yarr/YarrPattern.h:

2013-10-18  Mark Lam  <mark.lam@apple.com>

        Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
        https://bugs.webkit.org/show_bug.cgi?id=123037.

        Reviewed by Geoffrey Garen.

        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:

2013-10-18  Filip Pizlo  <fpizlo@apple.com>

        Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
        https://bugs.webkit.org/show_bug.cgi?id=121661

        Reviewed by Mark Hahnenberg.
        
        This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
        so I added a return-early check using isCompilationThread().
        
        Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
        it is describing: m_offset and the property table. Most structures only have m_offset and report
        null for the property table. If the property table is there, it will tell you additional
        information and that information subsumes m_offset - but the m_offset is still there. So, when
        we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
        machinery to do this.
        
        Changing the property table only happens on the main thread.
        
        Because the machinery to change the property table is so complex, especially with respect to
        keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
        called at key points before and after changes to the property table or the offset.

        Most clients of Structure who care about object layout, including the concurrent thread, will
        want to know m_offset and not the property table. If they want the property table, they will
        already be super careful. The concurrent thread has special methods for this, like
        Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
        view of the property table.
        
        Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
        called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
        
        But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
        which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
        because we have found that it helps quickly identify situations where the property table and
        m_offset get out of sync - mainly because code that changes either of those things will usually
        also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
        need the property table; it uses the m_offset. The concurrent JIT is correct to call
        outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
        it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
        outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
        locks, and that same structure is having its property table modified by the main thread, we end
        up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
        property table modified - instead what happens is that some downstream structure steals the
        property table and then starts adding things to it. The concurrent thread loads the property
        table before it's stolen, and hence the badness.
        
        I suspect there are other code paths that lead to the concurrent JIT calling some Structure
        method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
        and then you have a possible crash.
        
        The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
        aware of its uselessness to the concurrent JIT thread. This change makes it return early if
        it's in the concurrent JIT.
        
        * runtime/StructureInlines.h:
        (JSC::Structure::checkOffsetConsistency):

2013-10-18  Daniel Bates  <dabates@apple.com>

        Add SPI to disable the garbage collector timer
        https://bugs.webkit.org/show_bug.cgi?id=122921

        Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
        omitted.

        * heap/Heap.cpp:
        (JSC::Heap::setGarbageCollectionTimerEnabled):

2013-10-18  Julien Brianceau  <jbriance@cisco.com>

        Group 64-bit specific and 32-bit specific callOperation implementations.
        https://bugs.webkit.org/show_bug.cgi?id=123024

        Reviewed by Michael Saboff.

        This is not a big deal, but could be less confusing when reading the code.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        (JSC::JIT::callOperationWithCallFrameRollbackOnException):
        (JSC::JIT::callOperationNoExceptionCheck):

2013-10-18  Nadav Rotem  <nrotem@apple.com>

        Fix a FlushLiveness problem.
        https://bugs.webkit.org/show_bug.cgi?id=122984

        Reviewed by Filip Pizlo.

        * dfg/DFGFlushLivenessAnalysisPhase.cpp:
        (JSC::DFG::FlushLivenessAnalysisPhase::process):

2013-10-18  Michael Saboff  <msaboff@apple.com>

        Change native function call stubs to use JIT operations instead of ctiVMHandleException
        https://bugs.webkit.org/show_bug.cgi?id=122982

        Reviewed by Geoffrey Garen.

        Change ctiVMHandleException to operationVMHandleException.  Change all exception operations to
        return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
        This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
        in the process.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::jumpToExceptionHandler):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):
        * jit/JIT.h:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITExceptions.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperationNoExceptionCheck):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_throw):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator):
        (JSC::nativeForGenerator):
        * runtime/VM.h:
        (JSC::VM::callFrameForThrowOffset):
        (JSC::VM::targetMachinePCForThrowOffset):

2013-10-18  Julien Brianceau  <jbriance@cisco.com>

        Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
        https://bugs.webkit.org/show_bug.cgi?id=123023

        Reviewed by Michael Saboff.

        * jit/JITInlines.h:
        (JSC::JIT::callOperation): EncodedJSValue parameter do not need alignment
        using EABI_32BIT_DUMMY_ARG here.

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, another ARM64 build fix.
        
        Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
        on ARM64 and none of its uses are legit - they should all be using
        andPtr(TrustedImm32, blah) anyway.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM64.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileExceptionHandlers):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileExceptionHandlers):

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, speculative ARM64 build fix.
        
        move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
        implemented. So, you have to use TrustedImmPtr in the superclasses.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::store8):
        (JSC::MacroAssemblerARM64::branchTest8):

2013-10-17  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, speculative ARM build fix.
        https://bugs.webkit.org/show_bug.cgi?id=122890
        <rdar://problem/15258624>

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::firstRegister):
        (JSC::ARM64Assembler::lastRegister):
        (JSC::ARM64Assembler::firstFPRegister):
        (JSC::ARM64Assembler::lastFPRegister):
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.h:

2013-10-17  Andreas Kling  <akling@apple.com>

        Pass VM instead of JSGlobalObject to JSONObject constructor.
        <https://webkit.org/b/122999>

        JSONObject was only use the JSGlobalObject to grab at the VM.
        Dodge a few loads by passing the VM directly instead.

        Reviewed by Geoffrey Garen.

        * runtime/JSONObject.cpp:
        (JSC::JSONObject::JSONObject):
        (JSC::JSONObject::finishCreation):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed the JITStackFrame struct
        https://bugs.webkit.org/show_bug.cgi?id=123001

        Reviewed by Anders Carlsson.

        * jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
        our helper functions obey the C function call ABI.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed an unused #define
        https://bugs.webkit.org/show_bug.cgi?id=123000

        Reviewed by Anders Carlsson.

        * jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
        since it is unused now. This is a step toward using the C stack.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
        https://bugs.webkit.org/show_bug.cgi?id=122973

        Reviewed by Michael Saboff.

        * jit/ThunkGenerators.cpp:
        (JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
        so I removed it.

        The code acted as if it needed to pass an argument to
        lookupExceptionHandler, and as if it passed that argument to itself
        through JITStackFrame. However, lookupExceptionHandler does not take
        an argument (other than the default ExecState argument), and the code
        did not initialize the thing that it thought it passed to itself!

2013-10-17  Alex Christensen  <achristensen@webkit.org>

        Run JavaScriptCore tests again on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=122787

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
        * jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed restoreArgumentReference (another use of JITStackFrame)
        https://bugs.webkit.org/show_bug.cgi?id=122997

        Reviewed by Oliver Hunt.

        * jit/JSInterfaceJIT.h: Removed an unused function. This is a step
        toward using the C stack.

2013-10-17  Oliver Hunt  <oliver@apple.com>

        Remove JITStubCall.h
        https://bugs.webkit.org/show_bug.cgi?id=122991

        Reviewed by Geoff Garen.

        Happily this is no longer used

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JIT.cpp:
        * jit/JITArithmetic.cpp:
        * jit/JITArithmetic32_64.cpp:
        * jit/JITCall.cpp:
        * jit/JITCall32_64.cpp:
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITStubCall.h: Removed.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Removed a use of JITSTACKFRAME_ARGS_INDEX
        https://bugs.webkit.org/show_bug.cgi?id=122989

        Reviewed by Oliver Hunt.

        * jit/JITStubCall.h: Removed an unused function. This is one step closer
        to using the C stack.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Change emit_op_catch to use another method to materialize VM
        https://bugs.webkit.org/show_bug.cgi?id=122977

        Reviewed by Oliver Hunt.

        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_catch):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
        on JITStackFrame. It is also faster and simpler.

2013-10-17  Geoffrey Garen  <ggaren@apple.com>

        Eliminate emitGetJITStubArg() - dead code
        https://bugs.webkit.org/show_bug.cgi?id=122975

        Reviewed by Anders Carlsson.

        * jit/JIT.h:
        * jit/JITInlines.h: Removed unused, deprecated function.

2013-10-17  Mark Lam  <mark.lam@apple.com>

        Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
        https://bugs.webkit.org/show_bug.cgi?id=122979.

        Reviewed by Michael Saboff.

        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):

2013-10-17  Michael Saboff  <msaboff@apple.com>

        Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
        https://bugs.webkit.org/show_bug.cgi?id=122974

        Reviewed by Geoffrey Garen.

        Eliminated unneeded storing to JITStackFrame.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):

2013-10-17  Michael Saboff  <msaboff@apple.com>

        Transition cti_op_throw and cti_vm_throw to a JIT operation
        https://bugs.webkit.org/show_bug.cgi?id=122931

        Reviewed by Filip Pizlo.

        Moved cti_op_throw to operationThrow.  Made the caller responsible for jumping to the
        catch handler.  Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
        and their callers as it is now dead code.  There is some work needed on the Microsoft X86
        callOperation to handle the need to provide space for structure return value.

        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_throw):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_catch):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARM64.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsMIPS.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsSH4.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * jit/JSInterfaceJIT.h:

2013-10-17  Mark Lam  <mark.lam@apple.com>

        Remove JITStackFrame references in the C Loop LLINT.
        https://bugs.webkit.org/show_bug.cgi?id=122950.

        Reviewed by Michael Saboff.

        * jit/JITStubs.h:
        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:

2013-10-17  Mark Lam  <mark.lam@apple.com>

        Remove JITStackFrame references in JIT probes.
        https://bugs.webkit.org/show_bug.cgi?id=122947.

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssemblerARM::ProbeContext::dump):
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssemblerARMv7::ProbeContext::dump):
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssemblerX86Common::ProbeContext::dump):
        * assembler/MacroAssemblerX86Common.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86Common.h:
        * jit/JITStubsX86_64.h:

2013-10-17  Julien Brianceau  <jbriance@cisco.com>

        Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
        https://bugs.webkit.org/show_bug.cgi?id=122949

        Reviewed by Andreas Kling.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2013-10-16  Mark Lam  <mark.lam@apple.com>

        Transition remaining op_get* JITStubs to JIT operations.
        https://bugs.webkit.org/show_bug.cgi?id=122925.

        Reviewed by Geoffrey Garen.

        Transitioning:
            cti_op_get_by_id_generic
            cti_op_get_by_val
            cti_op_get_by_val_generic
            cti_op_get_by_val_string

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_get_arguments_length):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_pname):
        (JSC::JIT::privateCompileGetByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_pname):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * runtime/Executable.cpp:
        (JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Introduce WTF::Bag and start using it for InlineCallFrameSet
        https://bugs.webkit.org/show_bug.cgi?id=122941

        Reviewed by Geoffrey Garen.
        
        Use Bag for InlineCallFrameSet. If this works out then I'll make other
        SegmentedVectors into Bags as well.

        * bytecode/InlineCallFrameSet.cpp:
        (JSC::InlineCallFrameSet::add):
        * bytecode/InlineCallFrameSet.h:
        (JSC::InlineCallFrameSet::begin):
        (JSC::InlineCallFrameSet::end):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        libllvmForJSC shouldn't call exit(1) on report_fatal_error()
        https://bugs.webkit.org/show_bug.cgi?id=122905
        <rdar://problem/15237856>

        Reviewed by Michael Saboff.
        
        Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
        then always call it to install something that calls CRASH().

        * llvm/InitializeLLVM.cpp:
        (JSC::llvmCrash):
        (JSC::initializeLLVMOnce):
        (JSC::initializeLLVM):
        * llvm/LLVMAPIFunctions.h:

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
        https://bugs.webkit.org/show_bug.cgi?id=122938

        Reviewed by Sam Weinig.
        
        This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.

        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
        https://bugs.webkit.org/show_bug.cgi?id=122937

        Reviewed by Geoffrey Garen.
        
        JITStubCall used to do it.
        
        This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.

        * jit/JIT.h:
        (JSC::JIT::appendCall):

2013-10-16  Michael Saboff  <msaboff@apple.com>

        transition void cti_op_put_by_val* stubs to JIT operations
        https://bugs.webkit.org/show_bug.cgi?id=122903

        Reviewed by Geoffrey Garen.

        Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
        operationPutByValGeneric.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JSInterfaceJIT.h:

2013-10-16  Oliver Hunt  <oliver@apple.com>

        Implement ES6 spread operator
        https://bugs.webkit.org/show_bug.cgi?id=122911

        Reviewed by Michael Saboff.

        Implement the ES6 spread operator

        This has a little bit of refactoring to move the enumeration logic out ForOfNode
        and into BytecodeGenerator, and then adds the logic to make it nicely callback
        driven.

        The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
        and actually handling the spread.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createSpreadExpression):
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::SpreadExpressionNode::SpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isSpreadExpression):
        (JSC::SpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSpreadExpression):

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        Add a useLLInt option to jsc
        https://bugs.webkit.org/show_bug.cgi?id=122930

        Reviewed by Geoffrey Garen.

        * runtime/Executable.cpp:
        (JSC::setupLLInt):
        (JSC::setupJIT):
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.h:

2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        Build fix.

        Forgot to svn add DeferGC.cpp

        * heap/DeferGC.cpp: Added.

2013-10-16  Filip Pizlo  <fpizlo@apple.com>

        r157411 fails run-javascriptcore-tests when run with Baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=122902

        Reviewed by Mark Hahnenberg.
        
        It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
        not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
        logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
        didn't. Turns out that there's even a helpful method,
        Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!

        * jit/Repatch.cpp:
        (JSC::tryCachePutByID):

2013-10-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
        https://bugs.webkit.org/show_bug.cgi?id=122667

        Reviewed by Geoffrey Garen.

        The issue this patch is attempting to fix is that there are places in our codebase
        where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
        operations that can initiate a garbage collection. Garbage collection then calls 
        some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
        always necessarily run during garbage collection). This causes a deadlock.
 
        To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
        into a thread-local field that indicates that it is unsafe to perform any operation 
        that could trigger garbage collection on the current thread. In debug builds, 
        ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
        detect deadlocks.
 
        This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
        which uses the DeferGC mechanism to prevent collections from occurring while the 
        lock is held.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DeferGC.h:
        (JSC::DisallowGC::DisallowGC):
        (JSC::DisallowGC::~DisallowGC):
        (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
        (JSC::DisallowGC::initialize):
        * jit/Repatch.cpp:
        (JSC::repatchPutByID):
        (JSC::buildPutByIdList):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/ConcurrentJITLock.h:
        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
        (JSC::ConcurrentJITLockerBase::unlockEarly):
        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
        (JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
        (JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        * runtime/JSCellInlines.h:
        (JSC::allocateCell):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        * runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
        can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but 
        before the caller has a chance to use the newly created PropertyTable. The garbage collection
        clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
        we must DeferGC until the caller is done getting the newly materialized PropertyTable from 
        the Structure.
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::takePropertyTableOrCloneIfPinned):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::addPropertyWithoutTransition):
        (JSC::Structure::removePropertyWithoutTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::find):
        (JSC::SymbolTable::end):

2013-10-16  Daniel Bates  <dabates@apple.com>

        Add SPI to disable the garbage collector timer
        https://bugs.webkit.org/show_bug.cgi?id=122921

        Reviewed by Geoffrey Garen.

        Based on a patch by Mark Hahnenberg.

        * API/JSBase.cpp:
        (JSDisableGCTimer): Added; SPI function.
        * API/JSBasePrivate.h:
        * heap/BlockAllocator.cpp:
        (JSC::createBlockFreeingThread): Added.
        (JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
        to conditionally create the "block freeing" thread depending on the value of
        GCActivityCallback::s_shouldCreateGCTimer.
        (JSC::BlockAllocator::~BlockAllocator):
        * heap/BlockAllocator.h:
        (JSC::BlockAllocator::deallocate):
        * heap/Heap.cpp:
        (JSC::Heap::didAbandon):
        (JSC::Heap::collect):
        (JSC::Heap::didAllocate):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * runtime/GCActivityCallback.cpp:
        * runtime/GCActivityCallback.h:
        (JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
        when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
        object (since DefaultGCActivityCallback ultimately extends HeapTimer).

2013-10-16  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r157529.
        http://trac.webkit.org/changeset/157529
        https://bugs.webkit.org/show_bug.cgi?id=122919

        Caused score test failures and some build failures. (Requested
        by rfong on #webkit).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::CallArguments::CallArguments):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::collectBoundIdentifiers):
        * parser/ASTBuilder.h:
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::DotAccessorNode::DotAccessorNode):
        * parser/Nodes.h:
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove useless architecture specific implementation in DFG.
        https://bugs.webkit.org/show_bug.cgi?id=122917.

        Reviewed by Michael Saboff.

        With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
        as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.

        * dfg/DFGSpeculativeJIT.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove unused JIT::restoreArgumentReferenceForTrampoline function.
        https://bugs.webkit.org/show_bug.cgi?id=122916.

        Reviewed by Michael Saboff.

        This architecture specific function is not used anymore, so get rid of it.

        * jit/JIT.h:
        * jit/JITInlines.h:

2013-10-16  Oliver Hunt  <oliver@apple.com>

        Implement ES6 spread operator
        https://bugs.webkit.org/show_bug.cgi?id=122911

        Reviewed by Michael Saboff.

        Implement the ES6 spread operator

        This has a little bit of refactoring to move the enumeration logic out ForOfNode
        and into BytecodeGenerator, and then adds the logic to make it nicely callback
        driven.

        The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
        and actually handling the spread.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createSpreadExpression):
        * parser/Lexer.cpp:
        (JSC::::lex):
        * parser/NodeConstructors.h:
        (JSC::SpreadExpressionNode::SpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isSpreadExpression):
        (JSC::SpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::::parseArrayLiteral):
        (JSC::::parseArguments):
        (JSC::::parseMemberExpression):
        * parser/Parser.h:
        (JSC::Parser::getTokenName):
        (JSC::Parser::updateErrorMessageSpecialCase):
        * parser/ParserTokens.h:
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSpreadExpression):

2013-10-16  Mark Lam  <mark.lam@apple.com>

        Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
        https://bugs.webkit.org/show_bug.cgi?id=122899.

        Reviewed by Michael Saboff.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_tear_off_activation):
        (JSC::JIT::emit_op_tear_off_arguments):
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:

2013-10-16  Julien Brianceau  <jbriance@cisco.com>

        Remove more of the UNINTERRUPTED_SEQUENCE thing
        https://bugs.webkit.org/show_bug.cgi?id=122885

        Reviewed by Andreas Kling.

        It was not completely removed by r157481, leading to build failure for sh4 architecture.

        * jit/JIT.h:
        * jit/JITInlines.h:

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the StructureStubInfo::patch union
        https://bugs.webkit.org/show_bug.cgi?id=122877

        Reviewed by Sam Weinig.
        
        Just simplifying code by getting rid of data structures that ain't used no more.
        
        Note that I replace the patch union with a patch struct. This means we say things like
        stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
        encapsulation makes the code more readable: the patch struct contains just those things
        that you need to know to perform patching.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * jit/JIT.cpp:
        (JSC::PropertyStubCompilationInfo::copyToStubInfo):
        * jit/Repatch.cpp:
        (JSC::repatchByIdSelfAccess):
        (JSC::replaceWithJump):
        (JSC::linkRestoreScratch):
        (JSC::generateProtoChainAccessStub):
        (JSC::tryCacheGetByID):
        (JSC::getPolymorphicStructureList):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutReplaceStub):
        (JSC::emitPutTransitionStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::tryRepatchIn):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        (JSC::resetIn):

2013-10-15  Nadav Rotem  <nrotem@apple.com>

        FTL: add support for Int52ToValue and fix putByVal of int52s.
        https://bugs.webkit.org/show_bug.cgi?id=122873

        Reviewed by Filip Pizlo.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):

2013-10-15  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the UNINTERRUPTED_SEQUENCE thing
        https://bugs.webkit.org/show_bug.cgi?id=122876

        Reviewed by Mark Hahnenberg.
        
        It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
        
        Moreover, we should resist the temptation to bring anything like this back. We don't
        want to have inline caches that only work if the assembler lays out code in a specific
        predetermined way.