[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2011-09-26  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r95912): Conservative marking doesn't filter out pointers to
        MarkedBlock metadata
        https://bugs.webkit.org/show_bug.cgi?id=68860

        Reviewed by Oliver Hunt.
        
        Bencher says no performance change, maybe a 7% speedup on kraken-imaging-darkroom.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isAtomAligned): Renamed atomMask to atomAlignment mask
        because the mask doesn't produce the actual atom number.

        (JSC::MarkedBlock::isLiveCell): Testing just for alignment isn't good
        enough; we also need to test that a pointer is beyond the metadata section
        of a MarkedBlock, to avoid treating random metadata as a JSCell.

2011-09-26  Mark Hahnenberg  <mhahnenberg@apple.com>

        Make JSCell::toBoolean non-virtual
        https://bugs.webkit.org/show_bug.cgi?id=67727

        Reviewed by Geoffrey Garen.

        JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
        before it was simply virtual and would crash if its implementation was called). 
        Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
        explicitly covers all cases of toBoolean, so having a virtual implementation of 
        JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        (JSC::JSCell::toBoolean):
        (JSC::JSValue::toBoolean):

2011-09-26  Chris Marrin  <cmarrin@apple.com>

        Enable requestAnimationFrame on Windows
        https://bugs.webkit.org/show_bug.cgi?id=68397

        Reviewed by Simon Fraser.

        Enabled REQUEST_ANIMATION_FRAME_TIMER for Windows

        * wtf/Platform.h:

2011-09-26  Noel Gordon  <noel.gordon@gmail.com>

        [Chromium] Remove DFGAliasTracker.h references from gyp project files
        https://bugs.webkit.org/show_bug.cgi?id=68787

        Reviewed by Geoffrey Garen.

        DFG/DFGAliasTracker.h was removed in r95389.  Cleanup (remove) references
        to that file from the gyp project files.

        * JavaScriptCore.gypi:

2011-09-26  Zoltan Herczeg  <zherczeg@webkit.org>

        [Qt]REGRESSION(r95865): It made 4 tests crash
        https://bugs.webkit.org/show_bug.cgi?id=68780
        
        Reviewed by Oliver Hunt.

        emitJumpSlowCaseIfNotJSCell(...) cannot be moved
        away since the next load depends on it.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):

2011-09-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add custom vtable struct to ClassInfo struct
        https://bugs.webkit.org/show_bug.cgi?id=68567

        Reviewed by Oliver Hunt.

        Declared/defined the MethodTable struct and added it to the ClassInfo struct.
        Also defined the CREATE_METHOD_TABLE macro to generate these method tables 
        succinctly where they need to be defined.

        Also added to it the first function to use this macro, visitChildren. 

        This is part of the process of getting rid of all C++ virtual methods in JSCell.  
        Eventually all virtual functions in JSCell that can't easily be converted to 
        non-virtual functions will be put into this custom vtable structure.
        * runtime/ClassInfo.h:

        Added the CREATE_METHOD_TABLE macro call as the last argument to each of the 
        ClassInfo structs declared in these classes.  This saves us from having to visit 
        each s_info definition in the future when we add more methods to the MethodTable.
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * JavaScriptCore.exp:
        * runtime/Arguments.cpp:
        * runtime/ArrayConstructor.cpp:
        * runtime/ArrayPrototype.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        * runtime/DateConstructor.cpp:
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSByteArray.cpp:
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSONObject.cpp:
        * runtime/JSObject.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/MathObject.cpp:
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        * runtime/ObjectConstructor.cpp:
        * runtime/ObjectPrototype.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        * runtime/RegExpObject.cpp:
        * runtime/RegExpPrototype.cpp:
        * runtime/ScopeChain.cpp:
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        * runtime/StructureChain.cpp:

        Had to make visitChildren and visitChildrenVirtual protected instead of private
        because some of the subclasses of JSWrapperObject need access to JSWrapperObject's
        visitChildren function pointer in their vtable since they don't provide their own
        implementation. Same for RegExpObject.
        * runtime/JSWrapperObject.h:
        * runtime/RegExpObject.h:

2011-09-25  Adam Barth  <abarth@webkit.org>

        Finish removing PLATFORM(BREWMP) by removing associated code
        https://bugs.webkit.org/show_bug.cgi?id=68779

        Reviewed by Sam Weinig.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:
        * wscript:
        * wtf/FastMalloc.cpp:
        (WTF::fastMallocSize):
        * wtf/Vector.h:
        * wtf/brew: Removed.
        * wtf/brew/MainThreadBrew.cpp: Removed.
        * wtf/brew/OwnPtrBrew.cpp: Removed.
        * wtf/brew/RefPtrBrew.h: Removed.
        * wtf/brew/ShellBrew.h: Removed.
        * wtf/brew/StringBrew.cpp: Removed.
        * wtf/brew/SystemMallocBrew.h: Removed.
        * wtf/unicode/brew: Removed.
        * wtf/unicode/brew/UnicodeBrew.cpp: Removed.
        * wtf/unicode/brew/UnicodeBrew.h: Removed.

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not count speculation successes correctly
        https://bugs.webkit.org/show_bug.cgi?id=68785

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGOperations.cpp:

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG support for op_resolve_global is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=68786

        Reviewed by Geoffrey Garen.

        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG static prediction code is no longer needed and should be removed
        https://bugs.webkit.org/show_bug.cgi?id=68784

        Reviewed by Oliver Hunt.
        
        This gets rid of static prediction code, and ensures that we do not
        try to compile code where dynamic predictions are not available.
        This is accomplished by immediately performing an OSR exit wherever
        a value is retrieved for which no predictions exist.
        
        This also adds value profiling for this on functions used for calls.
        
        The heuristics for deciding when to optimize code are also tweaked,
        since it is now profitable to optimize sooner. This may need to be
        tweaked further, but this patch only makes minimal changes.
        
        This results in a 16% speed-up on Kraken/ai-astar, leading to a 3%
        overall win on Kraken.  It's neutral elsewhere.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        (JSC::isCellPrediction):
        (JSC::isObjectPrediction):
        (JSC::isFinalObjectPrediction):
        (JSC::isStringPrediction):
        (JSC::isArrayPrediction):
        (JSC::isInt32Prediction):
        (JSC::isDoublePrediction):
        (JSC::isNumberPrediction):
        (JSC::isBooleanPrediction):
        (JSC::mergePredictions):
        * bytecode/PredictionTracker.h:
        (JSC::PredictionTracker::predictArgument):
        (JSC::PredictionTracker::predict):
        (JSC::PredictionTracker::predictGlobalVar):
        * bytecode/ValueProfile.cpp:
        (JSC::ValueProfile::computeUpdatedPrediction):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::set):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::predictGlobalVar):
        (JSC::DFG::Graph::getMethodCheckPrediction):
        (JSC::DFG::Graph::getJSConstantPrediction):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::valueOfJSConstantNode):
        (JSC::DFG::Node::isInt32Constant):
        (JSC::DFG::Node::isDoubleConstant):
        (JSC::DFG::Node::isNumberConstant):
        (JSC::DFG::Node::isBooleanConstant):
        (JSC::DFG::Node::predict):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::isPredictedNumerical):
        (JSC::DFG::Propagator::logicalNotIsPure):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):
        (JSC::DFG::SpeculativeJIT::shouldNotSpeculateInteger):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT Construct opcode takes a this argument even though it's
        not passed
        https://bugs.webkit.org/show_bug.cgi?id=68782

        Reviewed by Oliver Hunt.
        
        This is performance-neutral, mostly. It's a slight speed-up on
        v8-splay.
        
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):

2011-09-25  Filip Pizlo  <fpizlo@apple.com>

        DFG tracking of the value in cachedResultRegister does not handle
        op_mov correctly
        https://bugs.webkit.org/show_bug.cgi?id=68781

        Reviewed by Oliver Hunt.
        
        This takes the simplest approach: it makes the old JIT dumber rather
        than making the DFG JIT smarter. This is performance-neutral.

        * jit/JIT.h:
        (JSC::JIT::canBeOptimized):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):

2011-09-25  Adam Barth  <abarth@webkit.org>

        Remove PLATFORM(HAIKU) and associated code
        https://bugs.webkit.org/show_bug.cgi?id=68774

        Reviewed by Sam Weinig.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * JavaScriptCore.gypi:
        * gyp/JavaScriptCore.gyp:
        * heap/MachineStackMarker.cpp:
        * wtf/PageAllocation.h:
        * wtf/Platform.h:
        * wtf/StackBounds.cpp:
        * wtf/haiku: Removed.
        * wtf/haiku/MainThreadHaiku.cpp: Removed.
        * wtf/haiku/StringHaiku.cpp: Removed.
        * wtf/text/WTFString.h:

2011-09-24  Adam Barth  <abarth@webkit.org>

        Always enable ENABLE(OFFLINE_WEB_APPLICATIONS)
        https://bugs.webkit.org/show_bug.cgi?id=68767

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-09-24  Filip Pizlo  <fpizlo@apple.com>

        JIT implementation of put_by_val increments m_length instead of setting
        it to index+1
        https://bugs.webkit.org/show_bug.cgi?id=68766

        Reviewed by Geoffrey Garen.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):

2011-09-24  Geoffrey Garen  <ggaren@apple.com>

        More build fixage.

        * heap/ConservativeRoots.cpp: Our system of #includes, it is chaos.

2011-09-24  Filip Pizlo  <fpizlo@apple.com>

        The DFG should not attempt to guess types in the absence of value
        profiles
        https://bugs.webkit.org/show_bug.cgi?id=68677

        Reviewed by Oliver Hunt.
        
        This adds the ForceOSRExit node, which is ignored by the propagator
        and virtual register allocator (and hence ensuring that liveness analysis
        works correctly), but forces terminateSpeculativeExecution() in the
        back-end. This appears to be a slight speed-up on benchmark averages,
        with ~5% swings on individual benchmarks, in both directions. But it's
        never a regression on any average, and appears to be a ~1% progression
        in the SunSpider average.
        
        This also adds a bit better debugging support in the old JIT and in DFG,
        as this was necessary to debug the much more frequent OSR transitions
        that occur with this change.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:

2011-09-24  Geoffrey Garen  <ggaren@apple.com>

        Some Windows build fixage.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive): Show the compiler that all control paths
        return a value. There, there, compiler. Everything's going to be OK.

        * runtime/JSCell.h:
        (JSC::JSCell::setVPtr): Oops! Unrename this function.

2011-09-24  Geoffrey Garen  <ggaren@apple.com>

        Allocate new objects unmarked
        https://bugs.webkit.org/show_bug.cgi?id=68764

        Reviewed by Oliver Hunt.
        
        This is a pre-requisite to using the mark bit to determine object age.

        ~2% v8 speedup, mostly due to a 12% v8-splay speedup.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive):
        (JSC::MarkedBlock::isLiveCell): These two functions are the reason for
        this patch. They can now determine object liveness without relying on
        newly allocated objects having their mark bits set. Each MarkedBlock
        now has a state variable that tells us how to determine whether its
        cells are live. (This new state variable supercedes the old one about
        destructor state. The rest of this patch is just refactoring to support
        the invariants of this new state variable without introducing a
        performance regression.)

        (JSC::MarkedBlock::didConsumeFreeList): New function for updating interal
        state when a block becomes fully allocated.

        (JSC::MarkedBlock::clearMarks): Folded a state change to 'Marked' into
        this function because, logically, clearing all mark bits is the first
        step in saying "mark bits now exactly reflect object liveness".

        (JSC::MarkedBlock::markCountIsZero): Renamed from isEmpty() to clarify
        that this function only tells you about the mark bits, so it's only
        meaningful if you've put the mark bits into a meaningful state before
        calling it.

        (JSC::MarkedBlock::forEachCell): Changed to use isLive() helper function
        instead of testing mark bits, since mark bits are not always the right
        way to find out if an object is live anymore. (New objects are live, but
        not marked.)

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::recycle):
        (JSC::MarkedBlock::MarkedBlock): Folded all initialization -- even
        initialization when recycling an old block -- into the MarkedBlock
        constructor, for simplicity.

        (JSC::MarkedBlock::callDestructor): Inlined for speed. Always check for
        a zapped cell before running a destructor, and always zap after
        running a destructor. This does not seem to be expensive, and the
        alternative just creates a too-confusing matrix of possible cell states
        ((zombie undestructed cell + zombie destructed cell + zapped destructed
        cell) * 5! permutations for progressing through block states = "Oh my!").

        (JSC::MarkedBlock::specializedSweep):
        (JSC::MarkedBlock::sweep): Maintained and expanded a pre-existing
        optimization to use template specialization to constant fold lots of
        branches and elide certain operations entirely during a sweep. Merged
        four or five functions that were logically about sweeping into this one
        function pair, so there's only one way to do things now, it's
        automatically correct, and it's always fast.

        (JSC::MarkedBlock::zapFreeList): Renamed this function to be more explicit
        about exactly what it does, and to honor the new block state system.

        * heap/AllocationSpace.cpp:
        (JSC::AllocationSpace::allocateBlock): Updated for rename.

        (JSC::AllocationSpace::freeBlocks): Updated for changed interface.

        (JSC::TakeIfUnmarked::TakeIfUnmarked):
        (JSC::TakeIfUnmarked::operator()):
        (JSC::TakeIfUnmarked::returnValue): Just like isEmpty() above, renamed
        to clarify that this functor only tests the mark bits, so it's only
        valid if you've put the mark bits into a meaningful state before
        calling it.
        
        (JSC::AllocationSpace::shrink): Updated for rename.

        * heap/AllocationSpace.h:
        (JSC::AllocationSpace::canonicalizeCellLivenessData): Renamed to be a
        little more specific about what we're making canonical.

        (JSC::AllocationSpace::forEachCell): Updated for rename.

        (JSC::AllocationSpace::forEachBlock): No need to canonicalize cell
        liveness data before iterating blocks -- clients that want iterated
        blocks to have valid cell lieveness data should make this call for
        themselves. (And not all clients want it.)

        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::genericAddPointer): Updated for rename. Removed
        obsolete comment.

        * heap/Heap.cpp:
        (JSC::CountFunctor::ClearMarks::operator()): Removed call to notify...()
        because clearMarks() now does that implicitly.

        (JSC::Heap::destroy): Make sure to canonicalize before tear-down, since
        tear-down tests cell liveness when running destructors.

        (JSC::Heap::markRoots):
        (JSC::Heap::collect): Moved weak reference harvesting out of markRoots()
        and into collect, since it strictly depends on root marking, and does
        not contribute to root marking.

        (JSC::Heap::canonicalizeCellLivenessData): Renamed to be a little more
        specific about what we're making canonical.

        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell): No need to canonicalize cell liveness
        data before iterating protected cells, since we know they're all live,
        and don't need to test for it.

        * heap/Local.h:
        (JSC::::set): Can't make the same ASSERT we used to because we just don't
        have the mark bits for it anymore. Perhaps we can bring this ASSERT back
        in a weaker form in the future.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addBlock):
        (JSC::MarkedSpace::removeBlock): Updated for interface change.
        (JSC::MarkedSpace::canonicalizeCellLivenessData): Renamed to be a little more
        specific about what we're making canonical.

        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        (JSC::MarkedSpace::SizeClass::zapFreeList): Simplified this allocator
        functionality a bit. We now track only one block -- "currentBlock" --
        and rely on its internal state to know whether it has more cells to
        allocate.

        * heap/Weak.h:
        (JSC::Weak::set): Can't make the same ASSERT we used to because we just don't
        have the mark bits for it anymore. Perhaps we can bring this ASSERT back
        in a weaker form in the future.

        * runtime/JSCell.h:
        (JSC::JSCell::vptr):
        (JSC::JSCell::zap):
        (JSC::JSCell::isZapped):
        (JSC::isZapped): Made zapping a property of JSCell, for a little abstraction.
        In the future, exactly how a JSCell zaps itself will change, as the
        internal representation of JSCell changes.

2011-09-24  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should not eagerly initialize integer tags in the register file
        https://bugs.webkit.org/show_bug.cgi?id=68763

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueRecovery::alreadyInRegisterFileAsUnboxedInt32):
        (JSC::DFG::OSRExit::operandForArgument):
        (JSC::DFG::OSRExit::operandForIndex):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2011-09-23  Yuqiang Xian  <yuqiang.xian@intel.com>

        Add JSVALUE32_64 support to DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=67460

        Reviewed by Gavin Barraclough.

        This is the initial attempt to add JSVALUE32_64 support to DFG JIT.
        It's tested on IA32 Linux EFL port currently. It still cannot run
        all the test cases and benchmarks so should be turned off now.
        
        The major work includes:
        1) dealing with JSVALUE32_64 data format in DFG JIT;
        2) bindings between 64-bit JS Value and 32-bit registers;
        3) handling of function calls. Currently for DFG operation function
        calls we follow the X86 cdecl calling convention on Linux, and the
        implementation is in a naive way by pushing the arguments into stack
        one by one.
        
        The known issues include:
        1) some code duplicates unnecessarily, especially in Speculative JIT
        code generation, where most of the operations on SpeculataInteger /
        SpeculateDouble should be identical to the JSVALUE64 code. Refactoring
        is needed in the future;
        2) lack of op_call and op_construct support, comparing to current
        JSVALUE64 DFG;
        3) currently integer speculations assume to be StrictInt32;
        4) lack of JSBoolean speculations;
        5) boxing and unboxing doubles could be improved;
        6) DFG X86 register description is different with the baseline JIT,
        the timeoutCheckRegister is used for general purpose usage;
        7) calls to runtime functions with primitive double parameters (e.g.
        fmod) don't work. Support needs to be added to the assembler to
        implement the mechanism of passing double parameters for X86 cdecl
        convention.
        
        And there should be many other hidden bugs which should be exposed and
        resolved in later debugging process.

        * CMakeListsEfl.txt:
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::loadDouble):
        (JSC::MacroAssemblerX86::storeDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movsd_rm):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGFPRInfo.h:
        (JSC::DFG::FPRInfo::debugName):
        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::needDataFormatConversion):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::gpr):
        (JSC::DFG::GenerationInfo::tagGPR):
        (JSC::DFG::GenerationInfo::payloadGPR):
        (JSC::DFG::GenerationInfo::fpr):
        (JSC::DFG::GenerationInfo::fillJSValue):
        (JSC::DFG::GenerationInfo::fillCell):
        (JSC::DFG::GenerationInfo::fillDouble):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::allocate):
        (JSC::DFG::JITCodeGenerator::use):
        (JSC::DFG::JITCodeGenerator::registersMatched):
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        (JSC::DFG::JITCodeGenerator::silentFillAllRegisters):
        (JSC::DFG::JITCodeGenerator::boxDouble):
        (JSC::DFG::JITCodeGenerator::unboxDouble):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::addressOfDoubleConstant):
        (JSC::DFG::integerResult):
        (JSC::DFG::jsValueResult):
        (JSC::DFG::setupResults):
        (JSC::DFG::callOperation):
        (JSC::JSValueOperand::JSValueOperand):
        (JSC::JSValueOperand::~JSValueOperand):
        (JSC::JSValueOperand::isDouble):
        (JSC::JSValueOperand::fill):
        (JSC::JSValueOperand::tagGPR):
        (JSC::JSValueOperand::payloadGPR):
        (JSC::JSValueOperand::fpr):
        (JSC::GPRTemporary::~GPRTemporary):
        (JSC::GPRTemporary::gpr):
        (JSC::GPRResult2::GPRResult2):
        * dfg/DFGJITCodeGenerator32_64.cpp: Added.
        (JSC::DFG::JITCodeGenerator::clearGenerationInfo):
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::fillStorage):
        (JSC::DFG::JITCodeGenerator::useChildren):
        (JSC::DFG::JITCodeGenerator::isStrictInt32):
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::isKnownCell):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        (JSC::DFG::JITCodeGenerator::isKnownBoolean):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompareNull):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeStrictEq):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeStrictEq):
        (JSC::DFG::JITCodeGenerator::emitBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
        (JSC::DFG::JITCodeGenerator::emitCall):
        (JSC::DFG::JITCodeGenerator::speculationCheck):
        (JSC::DFG::dataFormatString):
        (JSC::DFG::JITCodeGenerator::dump):
        (JSC::DFG::JITCodeGenerator::checkConsistency):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::tagForGlobalVar):
        (JSC::DFG::JITCompiler::payloadForGlobalVar):
        (JSC::DFG::JITCompiler::appendCallWithExceptionCheck):
        (JSC::DFG::JITCompiler::addressOfDoubleConstant):
        (JSC::DFG::JITCompiler::boxDouble):
        (JSC::DFG::JITCompiler::unboxDouble):
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGJITCompiler32_64.cpp: Added.
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::fillToJS):
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::jitAssertIsInt32):
        (JSC::DFG::JITCompiler::jitAssertIsJSInt32):
        (JSC::DFG::JITCompiler::jitAssertIsJSNumber):
        (JSC::DFG::JITCompiler::jitAssertIsJSDouble):
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        (JSC::DFG::JITCompiler::emitCount):
        (JSC::DFG::JITCompiler::setSamplingFlag):
        (JSC::DFG::JITCompiler::clearSamplingFlag):
        * dfg/DFGJITCompilerInlineMethods.h: Added.
        (JSC::DFG::JITCompiler::emitLoadTag):
        (JSC::DFG::JITCompiler::emitLoadPayload):
        (JSC::DFG::JITCompiler::emitLoad):
        (JSC::DFG::JITCompiler::emitLoad2):
        (JSC::DFG::JITCompiler::emitLoadDouble):
        (JSC::DFG::JITCompiler::emitLoadInt32ToDouble):
        (JSC::DFG::JITCompiler::emitStore):
        (JSC::DFG::JITCompiler::emitStoreInt32):
        (JSC::DFG::JITCompiler::emitStoreCell):
        (JSC::DFG::JITCompiler::emitStoreBool):
        (JSC::DFG::JITCompiler::emitStoreDouble):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::ValueRecovery::inGPR):
        (JSC::DFG::ValueRecovery::inPair):
        (JSC::DFG::ValueRecovery::tagGPR):
        (JSC::DFG::ValueRecovery::payloadGPR):
        * dfg/DFGSpeculativeJIT32_64.cpp: Added.
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::ValueRecovery::dump):
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::dump):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * runtime/JSValue.h:

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        wtf/BitVector.h has a variety of bugs which manifest when the
        vector grows beyond 63 bits
        https://bugs.webkit.org/show_bug.cgi?id=68746

        Reviewed by Oliver Hunt.
        
        Out-of-lined slow path code in BitVector so that not every user
        of CodeBlock ends up having to compile it. Fixed a variety of
        index computation and size computation bugs.
        
        I have not seen these issues manifest themselves, but they are
        blocking a patch that uses BitVector more aggressively.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/BitVector.cpp: Added.
        (BitVector::BitVector):
        (BitVector::operator=):
        (BitVector::resize):
        (BitVector::clearAll):
        (BitVector::OutOfLineBits::create):
        (BitVector::OutOfLineBits::destroy):
        (BitVector::resizeOutOfLine):
        * wtf/BitVector.h:
        (WTF::BitVector::ensureSize):
        (WTF::BitVector::get):
        (WTF::BitVector::set):
        (WTF::BitVector::clear):
        (WTF::BitVector::byteCount):
        (WTF::BitVector::OutOfLineBits::numWords):
        (WTF::BitVector::OutOfLineBits::bits):
        (WTF::BitVector::outOfLineBits):
        * wtf/CMakeLists.txt:
        * wtf/wtf.pri:

2011-09-23  Adam Klein  <adamk@chromium.org>

        Add ENABLE_MUTATION_OBSERVERS feature flag
        https://bugs.webkit.org/show_bug.cgi?id=68732

        Reviewed by Ojan Vafai.

        This flag will guard an implementation of the "Mutation Observers" proposed in
        http://lists.w3.org/Archives/Public/public-webapps/2011JulSep/1622.html

        * Configurations/FeatureDefines.xcconfig:

2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize JSCell::getJSNumber
        https://bugs.webkit.org/show_bug.cgi?id=68651

        Reviewed by Oliver Hunt.

        Added a new JSType to check whether or not something is a 
        NumberObject (which includes NumberPrototype) in TypeInfo::isNumberObject because there's not 
        currently a better way to determine whether something is indeed a NumberObject.
        Also de-virtualized JSCell::getJSNumber, having it check the TypeInfo 
        for whether the object is a NumberObject or not.  This patch is part of 
        the larger process of de-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getJSNumber):
        * runtime/JSCell.h:
        (JSC::JSValue::getJSNumber):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isNumberObject):
        * runtime/JSValue.h:
        * runtime/NumberObject.cpp:
        (JSC::NumberObject::getJSNumber):
        * runtime/NumberObject.h:
        (JSC::NumberObject::createStructure):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::createStructure):

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        Resolve opcodes should have value profiling.
        https://bugs.webkit.org/show_bug.cgi?id=68723

        Reviewed by Oliver Hunt.
        
        This adds value profiling to all forms of op_resolve in the
        old JIT, and patches that information into the DFG along with
        performing the appropriate type propagation.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveGlobalDataIndex):
        (JSC::DFG::Node::hasPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve):
        (JSC::JIT::emit_op_resolve_base):
        (JSC::JIT::emit_op_resolve_skip):
        (JSC::JIT::emit_op_resolve_global):
        (JSC::JIT::emitSlow_op_resolve_global):
        (JSC::JIT::emit_op_resolve_with_base):
        (JSC::JIT::emit_op_resolve_with_this):
        (JSC::JIT::emitSlow_op_resolve_global_dynamic):
        * jit/JITStubCall.h:
        (JSC::JITStubCall::callWithValueProfiling):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Fix windows build.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-23  Gavin Barraclough  <barraclough@apple.com>

        Strict mode does not work in non-trivial nested functions.
        https://bugs.webkit.org/show_bug.cgi?id=68740

        Reviewed by Oliver Hunt.

        Function-info caching does not preserve all state that it should.

        * parser/JSParser.cpp:
        (JSC::JSParser::Scope::saveFunctionInfo):
        (JSC::JSParser::Scope::restoreFunctionInfo):
        (JSC::JSParser::parseFunctionInfo):
        * parser/SourceProviderCacheItem.h:

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        ValueToDouble handling in prediction propagation should be ASSERT_NOT_REACHED
        https://bugs.webkit.org/show_bug.cgi?id=68724

        Reviewed by Oliver Hunt.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-09-23  Filip Pizlo  <fpizlo@apple.com>

        DFG implementation of PutScopedVar corrupts register allocation
        https://bugs.webkit.org/show_bug.cgi?id=68735

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Make write barriers actually do something when enabled
        https://bugs.webkit.org/show_bug.cgi?id=68717

        Reviewed by Geoffrey Garen.

        Add a basic card marking style write barrier to JSC (currently
        turned off).  This requires two scratch registers in the JIT
        so there was some register re-arranging to satisfy that requirement.
        Happily this produced a minor perf bump in sunspider (~0.5%).

        Turning the barriers on causes an overall regression of around 1.5%

        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::store8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_i8m):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotCell):
        (JSC::DFG::JITCodeGenerator::writeBarrier):
        (JSC::DFG::JITCodeGenerator::markCellCard):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/CardSet.h: Added.
        (JSC::CardSet::CardSet):
        (JSC::::cardForAtom):
        (JSC::::cardMarkedForAtom):
        (JSC::::markCardForAtom):
        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::addressOfCardFor):
        (JSC::Heap::writeBarrierFastCase):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::setDirtyObject):
        (JSC::MarkedBlock::addressOfCardFor):
        (JSC::MarkedBlock::offsetOfCards):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):
        (JSC::JIT::emitWriteBarrier):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitSlow_op_put_by_id):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var):

2011-09-23  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        https://bugs.webkit.org/show_bug.cgi?id=68077
        SH4 assemblers doesn't refer to executable memory handle.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::branch8):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::executableCopy):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        PutScopedVar nodes should report that it has a var number
        https://bugs.webkit.org/show_bug.cgi?id=68721

        Reviewed by Anders Carlsson.

        Another assertion fix.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVarNumber):

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Add a bunch of unhandled node types to the propagator
        https://bugs.webkit.org/show_bug.cgi?id=68716

        Reviewed by Darin Adler.

        Remove the ASSERT_NOT_REACHED() default for debug builds in the
        prediction propagator, this way unhandled nodes will just cause
        compile time failures rather than failing at some point in the
        future.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add static version of JSCell::visitChildren
        https://bugs.webkit.org/show_bug.cgi?id=68404

        Reviewed by Darin Adler.

        In this patch we just extract the bodies of the virtual visitChildren methods
        throughout the JSCell inheritance hierarchy out into static methods, which are 
        now called from the virtual methods.  This is an intermediate step in trying to 
        move the virtual-ness of visitChildren into our own custom vtable stored in 
        ClassInfo.  We need to convert the methods to static methods in order to be 
        able to more easily store and refer to them in our custom vtable since normal 
        member methods store some implicit information in their types, making it 
        impossible to store them generically in ClassInfo.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildrenVirtual):
        (JSC::JSCallbackObject::visitChildren):
        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::visitChildrenVirtual):
        (JSC::DebuggerActivation::visitChildren):
        * debugger/DebuggerActivation.h:
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::drain):
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildrenVirtual):
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildrenVirtual):
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildrenVirtual):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildrenVirtual):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildrenVirtual):
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildrenVirtual):
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildrenVirtual):
        (JSC::JSArray::visitChildren):
        * runtime/JSArray.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::visitChildrenVirtual):
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        * runtime/JSCell.h:
        (JSC::JSCell::visitChildrenVirtual):
        (JSC::JSCell::visitChildren):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildrenVirtual):
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildrenVirtual):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSObject.cpp:
        (JSC::JSObject::visitChildrenVirtual):
        (JSC::JSObject::visitChildren):
        * runtime/JSObject.h:
        (JSC::JSObject::visitChildrenDirect):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildrenVirtual):
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp:
        (JSC::JSStaticScopeObject::visitChildrenVirtual):
        (JSC::JSStaticScopeObject::visitChildren):
        * runtime/JSStaticScopeObject.h:
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildrenVirtual):
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildrenVirtual):
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildrenVirtual):
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/ScopeChain.cpp:
        (JSC::ScopeChainNode::visitChildrenVirtual):
        (JSC::ScopeChainNode::visitChildren):
        * runtime/ScopeChain.h:
        * runtime/Structure.cpp:
        (JSC::Structure::visitChildrenVirtual):
        (JSC::Structure::visitChildren):
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildrenVirtual):
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:

2011-09-23  Oliver Hunt  <oliver@apple.com>

        Node propagation doesn't handle PutScopedVar
        https://bugs.webkit.org/show_bug.cgi?id=68713

        Reviewed by Sam Weinig.

        This was causing assertion failures.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):

2011-09-23  Anders Carlsson  <andersca@apple.com>

        Make sure to define OVERRIDE and FINAL for older builds of clang.

        * wtf/Compiler.h:

2011-09-23  Gavin Barraclough  <barraclough@apple.com>

        Implement op_resolve_global in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68704

        Reviewed by Oliver Hunt.

        This is performance neutral, but increases coverage.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::resolveInfoIndex):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-23  Mark Rowe  <mrowe@apple.com>

        Define BUILDING_ON_LION / TARGETING_LION when appropriate in Platform.h.

        * wtf/Platform.h:

2011-09-22  Anders Carlsson  <andersca@apple.com>

        We should add support for OVERRIDE and FINAL annotations
        https://bugs.webkit.org/show_bug.cgi?id=68654

        Reviewed by David Hyatt.

        Add OVERRIDE and FINAL macros for compilers that support them.

        * wtf/Compiler.h:

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        GetScopedVar should have value profiling
        https://bugs.webkit.org/show_bug.cgi?id=68676

        Reviewed by Oliver Hunt.
        
        Added GetScopedVar value profiling and predictin propagation.
        Added GetScopeChain to CSE.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasPrediction):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::getScopeChainLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix, part 3.

        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        Another PPC build fix.

        * runtime/Executable.cpp:
        * runtime/Executable.h:

2011-09-22  Dean Jackson  <dino@apple.com>

        Add ENABLE_CSS_FILTERS
        https://bugs.webkit.org/show_bug.cgi?id=68652

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Incorrect this value passed to callbacks.
        https://bugs.webkit.org/show_bug.cgi?id=68668

        Reviewed by Oliver Hunt.

        From Array/String prototype function.  Should be undefined, but
        global object is passed instead (this is visible for strict callbacks).

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        * runtime/JSArray.cpp:
        (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key):
        (JSC::JSArray::sort):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncReplace):

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Function.prototype.bind.length shoudl be 1.

        Rubber stamped by Olier Hunt.

        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        PPC build fix.

        * bytecode/CodeBlock.h:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix pt. 2

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix pt. 1

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not support to_primitive or strcat
        https://bugs.webkit.org/show_bug.cgi?id=68582

        Reviewed by Darin Adler.
        
        This adds functional support for to_primitive and strcat. It focuses
        on minimizing the amount of code emitted on to_primitive (if we know
        that it is a primitive or can speculate cheaply, then we omit the
        slow path) and on keeping the implementation of strcat simple while
        leveraging whatever optimizations we have already. In particular,
        unlike the Call and Construct nodes which require extending the size
        of the DFG's callee registers, StrCat takes advantage of the fact
        that no JS code can run while StrCat is in progress and uses a
        scratch buffer, rather than the register file, to store the list of
        values to concatenate. This was done mainly to keep the code simple,
        but there are probably other benefits to keeping call frame sizes
        down. Essentially, this patch ensures that the presence of an
        op_strcat does not mess up any other optimizations we might do while
        ensuring that if you do execute it, it'll work about as well as you'd
        expect.
        
        When combined with the previous patch for integer division, this is a
        14% speed-up on Kraken. Without it, it would have been a 2% loss.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::TrustedImmPtr::TrustedImmPtr):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::callOperation):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::scratchBufferForSize):

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should support integer division
        https://bugs.webkit.org/show_bug.cgi?id=68597

        Reviewed by Darin Adler.
        
        This adds support for ArithDiv speculating integer, and speculating
        that the result is integer (i.e. remainder = 0).
        
        This is a 4% win on Kraken and a 1% loss on V8.

        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_div):

2011-09-22  Oliver Hunt  <oliver@apple.com>

        Implement put_scoped_var in the DFG jit
        https://bugs.webkit.org/show_bug.cgi?id=68653

        Reviewed by Gavin Barraclough.

        Naive implementation of put_scoped_var.  Same story as the
        get_scoped_var implementation, although I've hoisted scope
        object acquisition into a separate dfg node.  Ideally in the
        future we would reuse the resolved scope chain object, but
        for now we don't.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::scopeChainDepth):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-22  Gavin Barraclough  <barraclough@apple.com>

        Implement Function.prototype.bind
        https://bugs.webkit.org/show_bug.cgi?id=26382

        Reviewed by Sam Weinig.

        This patch provides a basic functional implementation
        for Function.bind. It should (hopefully!) be fully
        functionally correct, and the bound functions can be
        called to quickly (since they are a subclass of
        JSFunction, not InternalFunction), but we'll probably
        want to follow up with some optimization work to keep
        bound calls in JIT code.

        * JavaScriptCore.JSVALUE32_64only.exp:
        * JavaScriptCore.JSVALUE64only.exp:
        * JavaScriptCore.exp:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * jsc.cpp:
        (GlobalObject::addFunction):
        * runtime/CommonIdentifiers.h:
        * runtime/ConstructData.h:
        * runtime/Executable.h:
        (JSC::NativeExecutable::NativeExecutable):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        (JSC::functionProtoFuncBind):
        * runtime/FunctionPrototype.h:
        * runtime/JSBoundFunction.cpp: Added.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        (JSC::JSBoundFunction::create):
        (JSC::JSBoundFunction::hasInstance):
        (JSC::JSBoundFunction::getOwnPropertySlot):
        (JSC::JSBoundFunction::getOwnPropertyDescriptor):
        (JSC::JSBoundFunction::JSBoundFunction):
        (JSC::JSBoundFunction::finishCreation):
        * runtime/JSBoundFunction.h: Added.
        (JSC::JSBoundFunction::targetFunction):
        (JSC::JSBoundFunction::boundThis):
        (JSC::JSBoundFunction::boundArgs):
        (JSC::JSBoundFunction::createStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC::JSFunction::finishCreation):
        (JSC::createDescriptorForThrowingProperty):
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::boundFunctionStructure):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):

2011-09-22  Oliver Hunt  <oliver@apple.com>

        Implement get_scoped_var in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=68640

        Reviewed by Gavin Barraclough.

        Naive implementation of get_scoped_var in the DFG.  Essentially this
        is the bare minimum required to get correct behaviour, so there's no
        load/store coalescing or type profiling involved, even though these
        would be wins.  No impact on SunSpider or V8.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVarNumber):
        (JSC::DFG::Node::hasScopeChainDepth):
        (JSC::DFG::Node::scopeChainDepth):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-22  Adam Roben  <aroben@apple.com>

        Remove FindSafari from all our .sln files

        It isn't used anymore, so there's no point in building it.

        Part of <http://webkit.org/b/68628> Remove FindSafari

        Reviewed by Steve Falkenburg.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:

2011-09-22  Filip Pizlo  <fpizlo@apple.com>

        32-bit call code clobbers the function cell tag
        https://bugs.webkit.org/show_bug.cgi?id=68606

        Reviewed by Csaba Osztrogonác.
        
        This is a minimalistic fix: it simply emits code to restore the
        cell tag on the slow path, if we know that we failed due to
        emitCallIfNotType.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallVarargsSlowCase):
        (JSC::JIT::compileOpCallSlowCase):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Add missing addPtr->add32 mapping for X86.

        Rubber stamped by Sam Weinig.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::addPtr):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Add missing addDouble for AbsoluteAddress to X86

        Rubber stamped by Geoff Garen.

        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::addDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addsd_mr):
        (JSC::X86Assembler::cvtsi2sd_rr):
        (JSC::X86Assembler::cvtsi2sd_mr):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Build fix following fix for bug #68586.

        * jit/JIT.cpp:
        * jit/JITInlineMethods.h:

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should be able to compile op_throw
        https://bugs.webkit.org/show_bug.cgi?id=68571

        Reviewed by Geoffrey Garen.
        
        This compiles op_throw in the simplest way possible: it's an OSR
        point back to the old JIT. This is a good step towards increasing
        coverage, particularly on Kraken, but it's neutral because the
        same functions that do throw also use some other unsupported
        opcodes.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG should support continuous optimization
        https://bugs.webkit.org/show_bug.cgi?id=68329

        Reviewed by Geoffrey Garen.
        
        This adds the ability to reoptimize a code block if speculation
        failures happen frequently. 6% speed-up on Kraken, 1% slow-down
        on V8, neutral on SunSpider.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::ProgramCodeBlock::jettison):
        (JSC::EvalCodeBlock::jettison):
        (JSC::FunctionCodeBlock::jettison):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::compileEntry):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        (JSC::DFG::getOSREntryDataBytecodeIndex):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/ConservativeRoots.cpp:
        (JSC::ConservativeRoots::ConservativeRoots):
        (JSC::ConservativeRoots::~ConservativeRoots):
        (JSC::DummyMarkHook::mark):
        (JSC::ConservativeRoots::genericAddPointer):
        (JSC::ConservativeRoots::genericAddSpan):
        (JSC::ConservativeRoots::add):
        * heap/ConservativeRoots.h:
        * heap/Heap.cpp:
        (JSC::Heap::addJettisonCodeBlock):
        (JSC::Heap::markRoots):
        * heap/Heap.h:
        * heap/JettisonedCodeBlocks.cpp: Added.
        (JSC::JettisonedCodeBlocks::JettisonedCodeBlocks):
        (JSC::JettisonedCodeBlocks::~JettisonedCodeBlocks):
        (JSC::JettisonedCodeBlocks::addCodeBlock):
        (JSC::JettisonedCodeBlocks::clearMarks):
        (JSC::JettisonedCodeBlocks::deleteUnmarkedCodeBlocks):
        (JSC::JettisonedCodeBlocks::traceCodeBlocks):
        * heap/JettisonedCodeBlocks.h: Added.
        (JSC::JettisonedCodeBlocks::mark):
        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::gatherConservativeRoots):
        * interpreter/RegisterFile.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.cpp:
        (JSC::jettisonCodeBlock):
        (JSC::EvalExecutable::jettisonOptimizedCode):
        (JSC::ProgramExecutable::jettisonOptimizedCode):
        (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
        (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
        * wtf/BitVector.h: Added.
        (WTF::BitVector::BitVector):
        (WTF::BitVector::~BitVector):
        (WTF::BitVector::operator=):
        (WTF::BitVector::size):
        (WTF::BitVector::ensureSize):
        (WTF::BitVector::resize):
        (WTF::BitVector::clearAll):
        (WTF::BitVector::get):
        (WTF::BitVector::set):
        (WTF::BitVector::clear):
        (WTF::BitVector::bitsInPointer):
        (WTF::BitVector::maxInlineBits):
        (WTF::BitVector::byteCount):
        (WTF::BitVector::makeInlineBits):
        (WTF::BitVector::OutOfLineBits::numBits):
        (WTF::BitVector::OutOfLineBits::numWords):
        (WTF::BitVector::OutOfLineBits::bits):
        (WTF::BitVector::OutOfLineBits::create):
        (WTF::BitVector::OutOfLineBits::destroy):
        (WTF::BitVector::OutOfLineBits::OutOfLineBits):
        (WTF::BitVector::isInline):
        (WTF::BitVector::outOfLineBits):
        (WTF::BitVector::resizeOutOfLine):
        (WTF::BitVector::bits):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Add X86 GPRInfo for DFG JIT.
        https://bugs.webkit.org/show_bug.cgi?id=68586

        Reviewed by Geoff Garen.

        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toRegister):
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Should support value profiling on CPU(X86)
        https://bugs.webkit.org/show_bug.cgi?id=68575

        Reviewed by Sam Weinig.

        Fix verbose profiling in ToT (SlowCaseProfile had been
        partially renamed to RareCaseProfile), add in-memory
        bucket counter for CPU(X86), move JIT::m_canBeOptimized
        out of the DFG_JIT ifdef.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetRareCaseProfiles):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):

2011-09-21  Filip Pizlo  <fpizlo@apple.com>

        DFG does not support compiling functions as constructors
        https://bugs.webkit.org/show_bug.cgi?id=68500

        Reviewed by Oliver Hunt.
        
        This adds support for compiling constructors to the DFG. It's a
        1% speed-up on V8, mostly due to a 6% speed-up on early-boyer.
        It's also a 13% win on access-binary-trees, but it's neutral in
        the SunSpider and Kraken averages.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::canCompileOpcode):
        * dfg/DFGNode.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::compileOptimizedForConstruct):
        (JSC::FunctionExecutable::compileForConstructInternal):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::compileForConstruct):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):

2011-09-21  Gavin Barraclough  <barraclough@apple.com>

        Replace jsFunctionVPtr compares with a type check on the Structure.
        https://bugs.webkit.org/show_bug.cgi?id=68557

        Reviewed by Oliver Hunt.

        This will permit calls to still optimize to subclasses of JSFunction
        that have the correct type (but a different C++ vptr).

        This patch stops passing the globalData into numerous functions.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isFunctionConstant):
        (JSC::DFG::Graph::valueOfFunctionConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isFunctionConstant):
        (JSC::DFG::JITCompiler::valueOfFunctionConstant):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCallVarargs):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitJumpIfNotType):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.h:
        (JSC::isHostFunction):
        * runtime/JSFunction.h:
        (JSC::JSFunction::createStructure):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putWithAttributes):
        * runtime/JSObject.h:
        (JSC::getJSFunction):
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/JSType.h:

2011-09-21  Geoffrey Garen  <ggaren@apple.com>

        Removed WTFTHREADDATA_MULTITHREADED, making it always true
        https://bugs.webkit.org/show_bug.cgi?id=68549

        Reviewed by Darin Adler.
        
        Another part of making threads exist in WebKit.

        * wtf/WTFThreadData.cpp:
        * wtf/WTFThreadData.h:
        (WTF::wtfThreadData):

2011-09-21  Dan Bernstein  <mitz@apple.com>

        JavaScriptCore Part of: Prevent the WebKit frameworks from defining inappropriately-named Objective-C classes
        https://bugs.webkit.org/show_bug.cgi?id=68451

        Reviewed by Darin Adler.

        * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase that invokes
        check-for-inappropriate-objc-class-names, allowing only class names prefixed with "JS".

2011-09-20  Gavin Barraclough  <barraclough@apple.com>

        MacroAssembler fixes.
        https://bugs.webkit.org/show_bug.cgi?id=68494

        Reviewed by Sam Weinig.

        Add X86-64's 3 operand or32 to other MacroAssembler, fix load32's [const] void* mismatch

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::orPtr):
        (JSC::MacroAssembler::loadPtr):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::or32):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::or32):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::or32):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::or32):
        (JSC::MacroAssemblerSH4::load32):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::load32):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load32):

2011-09-20  Geoffrey Garen  <ggaren@apple.com>

        Some Heap cleanup.

        Reviewed by Beth Dakin.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::blessNewBlock): Removed blessNewBlockForSlowPath()
        because it was unused; renamed blessNewBlockForFastPath() to blessNewBlock()
        since there is only one now.

        * heap/MarkedBlock.h: Removed ownerSet-related stuff since it was unused.
        Updated mark bit overhead calculation. Deployed atomsPerBlock in one
        place where we were recalculating it.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addBlock): Updated for rename.

2011-09-20  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT always speculates integer on modulo
        https://bugs.webkit.org/show_bug.cgi?id=68485

        Reviewed by Oliver Hunt.
        
        Added support for double modulo, which is a call to fmod().
        Also added support for recording the old JIT's statistics
        on op_mod and propagating them along the graph. Finally,
        fixed a goof in the ArithNodeFlags propagation logic that
        was made obvious when I started testing ArithMod.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-20  ChangSeok Oh  <shivamidow@gmail.com>

        [GTK] requestAnimationFrame support for gtk port
        https://bugs.webkit.org/show_bug.cgi?id=66280

        Reviewed by Martin Robinson.

        Let GTK port use REQUEST_ANIMATION_FRAME_TIMER.

        * wtf/Platform.h:

2011-09-20  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT performs too many negative zero checks, and too many
        overflow checks
        https://bugs.webkit.org/show_bug.cgi?id=68430

        Reviewed by Oliver Hunt.
        
        This adds comprehensive support for deciding how to perform an
        arithmetic operations based on a combination of overflow profiling,
        negative zero profiling, value profiling, and a static analysis of
        how the results of these operations get used.
        
        This is a 72% speed-up on stanford-crypto-sha256-iterative, and a
        2.5% speed-up on the Kraken average, a 1.4% speed-up on the V8
        geomean, and neutral on SunSpider. It's also an 8.5% speed-up on
        V8-crypto, because apparenty everything we do speeds up crypto.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::toNumber):
        (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
        (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
        (JSC::DFG::ByteCodeParser::weaklyPredictInt32):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        * dfg/DFGNode.h:
        (JSC::DFG::nodeUsedAsNumber):
        (JSC::DFG::nodeCanTruncateInteger):
        (JSC::DFG::nodeCanIgnoreNegativeZero):
        (JSC::DFG::nodeCanSpeculateInteger):
        (JSC::DFG::arithNodeFlagsAsString):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasArithNodeFlags):
        (JSC::DFG::Node::rawArithNodeFlags):
        (JSC::DFG::Node::arithNodeFlags):
        (JSC::DFG::Node::arithNodeFlagsForCompare):
        (JSC::DFG::Node::setArithNodeFlag):
        (JSC::DFG::Node::mergeArithNodeFlags):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::isNotNegZero):
        (JSC::DFG::Propagator::isNotZero):
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::propagateArithNodeFlagsForward):
        (JSC::DFG::Propagator::propagateArithNodeFlagsBackward):
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::propagatePredictionsForward):
        (JSC::DFG::Propagator::propagatePredictionsBackward):
        (JSC::DFG::Propagator::toDouble):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::fixup):
        (JSC::DFG::Propagator::startIndexForChildren):
        (JSC::DFG::Propagator::endIndexForPureCSE):
        (JSC::DFG::Propagator::pureCSE):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::setReplacement):
        (JSC::DFG::Propagator::performNodeCSE):
        (JSC::DFG::Propagator::localCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Refactor Heap allocation logic into separate AllocationSpace class
        https://bugs.webkit.org/show_bug.cgi?id=68409

        Reviewed by Gavin Barraclough.

        This patch hoists direct manipulation of the MarkedSpace and related
        data out of Heap and into a separate class.  This will allow us to
        have multiple allocation spaces in future, so easing the way towards
        having GC'd backing stores for objects.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Added.
        (JSC::AllocationSpace::tryAllocate):
        (JSC::AllocationSpace::allocateSlowCase):
        (JSC::AllocationSpace::allocateBlock):
        (JSC::AllocationSpace::freeBlocks):
        (JSC::TakeIfEmpty::TakeIfEmpty):
        (JSC::TakeIfEmpty::operator()):
        (JSC::TakeIfEmpty::returnValue):
        (JSC::AllocationSpace::shrink):
        * heap/AllocationSpace.h: Added.
        (JSC::AllocationSpace::AllocationSpace):
        (JSC::AllocationSpace::blocks):
        (JSC::AllocationSpace::sizeClassFor):
        (JSC::AllocationSpace::setHighWaterMark):
        (JSC::AllocationSpace::highWaterMark):
        (JSC::AllocationSpace::canonicalizeBlocks):
        (JSC::AllocationSpace::resetAllocator):
        (JSC::AllocationSpace::forEachCell):
        (JSC::AllocationSpace::forEachBlock):
        (JSC::AllocationSpace::allocate):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::objectSpace):
        (JSC::Heap::sizeClassForObject):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed BREWMP* platform #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68425
        
        BREWMP* has no maintainer, and this is dead code.

        Reviewed by Darin Adler.

        * heap/MarkStack.h:
        (JSC::::shrinkAllocation):
        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        * runtime/TimeoutChecker.cpp:
        (JSC::getCPUTime):
        * wtf/Assertions.cpp:
        * wtf/Assertions.h:
        * wtf/CurrentTime.cpp:
        * wtf/DateMath.cpp:
        (WTF::calculateUTCOffset):
        * wtf/FastMalloc.cpp:
        (WTF::fastMalloc):
        (WTF::fastCalloc):
        (WTF::fastMallocSize):
        * wtf/FastMalloc.h:
        * wtf/MainThread.cpp:
        * wtf/MathExtras.h:
        * wtf/OwnPtrCommon.h:
        * wtf/Platform.h:
        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):
        * wtf/RandomNumberSeed.h:
        (WTF::initializeRandomNumberGenerator):
        * wtf/text/WTFString.h:
        * wtf/unicode/Unicode.h:

2011-09-20  Adam Roben  <aroben@apple.com>

        Windows build fix after r95523

        * wtf/CheckedArithmetic.h: Added stdint.h so we can have int64_t defined.

2011-09-18  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not speculate aggressively enough on GetById
        https://bugs.webkit.org/show_bug.cgi?id=68320

        Reviewed by Oliver Hunt.
        
        This adds the ability to access properties directly, by offset.
        This optimization kicks in when at the time of DFG compilation,
        it appears that the given get_by_id is self-cached by the old JIT.
        Two new opcodes get introduced: CheckStructure and GetByOffset.
        CheckStructure performs a speculation check on the object's
        structure, and returns the storage pointer. GetByOffset performs
        a direct read of the field from the storage pointer. Both
        CheckStructure and GetByOffset can be CSE'd, so that we can
        eliminate redundant structure checks, and redundant reads of the
        same field.
        
        This is a 4% speed-up on V8, a 2% slow-down on Kraken, and
        neutral on SunSpider.

        * bytecode/PredictedType.cpp:
        (JSC::predictionFromClassInfo):
        (JSC::predictionFromStructure):
        (JSC::predictionFromCell):
        * bytecode/PredictedType.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::dataFormatToString):
        (JSC::DFG::needDataFormatConversion):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::spill):
        (JSC::DFG::GenerationInfo::fillStorage):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::predict):
        (JSC::DFG::Graph::getPrediction):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::fillStorage):
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::spill):
        (JSC::DFG::JITCodeGenerator::storageResult):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::StorageOperand::~StorageOperand):
        (JSC::DFG::StorageOperand::index):
        (JSC::DFG::StorageOperand::gpr):
        (JSC::DFG::StorageOperand::use):
        * dfg/DFGNode.h:
        (JSC::DFG::OpInfo::OpInfo):
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::hasPrediction):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::structure):
        (JSC::DFG::Node::hasStorageAccessData):
        (JSC::DFG::Node::storageAccessDataIndex):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * wtf/StdLibExtras.h:
        (WTF::safeCast):

2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove toPrimitive from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67875

        Reviewed by Darin Adler.

        Part of the refactoring process to un-virtualize JSCell.  We move 
        all of the implicit functionality provided by the virtual toPrimitive method 
        in JSCell to be explicit in JSValue::toPrimitive and JSCell:toPrimitive while 
        also de-virtualizing JSCell::toPrimitive.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toPrimitive):
        * runtime/JSCell.h:

        We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
        JSObject.  This pushes the virtual method further down, enabling us to get rid 
        of the virtual call in JSCell.  Eventually we'll probably have to deal with this
        again, but we'll cross that bridge when we come to it.
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::defaultValue):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed ENABLE_LAZY_BLOCK_FREEING and related #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68424

        As discussed on webkit-dev. All ports build with threads enabled in JSC now.
        
        This may break WinCE and other ports that have not built and tested with
        this configuration. I've filed bugs for port maintainers. It's time for
        WebKit to move forward.

        Reviewed by Mark Rowe.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::~Heap):
        (JSC::Heap::destroy):
        (JSC::Heap::blockFreeingThreadMain):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::releaseFreeBlocks):
        * heap/Heap.h:
        * wtf/Platform.h:

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed ENABLE_WTF_MULTIPLE_THREADS and related #ifdefs
        https://bugs.webkit.org/show_bug.cgi?id=68423

        As discussed on webkit-dev. All ports build with threads enabled in WTF now.
        
        This may break WinCE and other ports that have not built and tested with
        this configuration. I've filed bugs for port maintainers. It's time for
        WebKit to move forward.

        Reviewed by Mark Rowe.

        * wtf/CryptographicallyRandomNumber.cpp:
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomNumber):
        (WTF::ARC4Stream::ARC4RandomNumberGenerator::randomValues):
        * wtf/FastMalloc.cpp:
        * wtf/Platform.h:
        * wtf/RandomNumber.cpp:
        (WTF::randomNumber):
        * wtf/RefCountedLeakCounter.cpp:
        (WTF::RefCountedLeakCounter::increment):
        (WTF::RefCountedLeakCounter::decrement):
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):
        * wtf/ThreadingWin.cpp:
        (WTF::initializeThreading):
        * wtf/dtoa.cpp:
        (WTF::pow5mult):
        * wtf/gtk/ThreadingGtk.cpp:
        (WTF::initializeThreading):
        * wtf/qt/ThreadingQt.cpp:
        (WTF::initializeThreading):

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed ENABLE_JSC_MULTIPLE_THREADS and related #ifdefs.
        https://bugs.webkit.org/show_bug.cgi?id=68422
        
        As discussed on webkit-dev. All ports build with threads enabled in JSC now.
        
        This may break WinCE and other ports that have not built and tested with
        this configuration. I've filed bugs for port maintainers. It's time for
        WebKit to move forward.

        Reviewed by Sam Weinig.

        * API/APIShims.h:
        (JSC::APIEntryShimWithoutLock::APIEntryShimWithoutLock):
        * API/JSContextRef.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::MachineThreads::~MachineThreads):
        (JSC::MachineThreads::gatherConservativeRoots):
        * heap/MachineStackMarker.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce):
        (JSC::initializeThreading):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::sharedInstance):
        * runtime/JSGlobalData.h:
        (JSC::JSGlobalData::makeUsableFromMultipleThreads):
        * runtime/JSLock.cpp:
        * runtime/Structure.cpp:
        * wtf/Platform.h:

2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95493 and r95496.
        http://trac.webkit.org/changeset/95493
        http://trac.webkit.org/changeset/95496
        https://bugs.webkit.org/show_bug.cgi?id=68418

        Broke Windows build (Requested by rniwa on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Removed.
        * heap/AllocationSpace.h: Removed.
        * heap/Heap.cpp:
        (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
        (JSC::CountFunctor::TakeIfEmpty::operator()):
        (JSC::CountFunctor::TakeIfEmpty::returnValue):
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::tryAllocate):
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::allocateBlock):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::markedSpace):
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock):
        (JSC::Heap::sizeClassFor):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Gavin Barraclough  <barraclough@apple.com>

        Errrk, missed stylebot comments in last commit.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):

2011-09-19  Gavin Barraclough  <barraclough@apple.com>

        String#split is buggy
        https://bugs.webkit.org/show_bug.cgi?id=68348

        Reviewed by Sam Weinig.

        * runtime/StringPrototype.cpp:
        (JSC::jsStringWithReuse):
            - added helper function to reuse original JSString value.
        (JSC::stringProtoFuncSplit):
            - Rewritten from the spec.
        * tests/mozilla/ecma/String/15.5.4.8-2.js:
        (getTestCases):
            - This test is not ES5 compliant.

2011-09-19  Geoffrey Garen  <ggaren@apple.com>

        Removed lots of friend declarations from JSCell, so we can more
        effectively make use of private and protected.

        Reviewed by Sam Weinig.

        * runtime/JSCell.h: Removed MSVCBugWorkaround because it was a lot of
        confusion for not much safety.
        (JSC::JSCell::operator new): Made this public because it is used by a
        few clients, and not really dangerous.

        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        (JSC::JSObject::getPropertySpecificValue):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::seal):
        (JSC::JSObject::freeze):
        (JSC::JSObject::preventExtensions):
        (JSC::JSObject::removeDirect):
        (JSC::JSObject::createInheritorID):
        (JSC::JSObject::allocatePropertyStorage):
        (JSC::JSObject::getOwnPropertyDescriptor):
        * runtime/JSObject.h:
        (JSC::JSObject::getDirect):
        (JSC::JSObject::getDirectLocation):
        (JSC::JSObject::hasCustomProperties):
        (JSC::JSObject::hasGetterSetterProperties):
        (JSC::JSObject::isSealed):
        (JSC::JSObject::isFrozen):
        (JSC::JSObject::isExtensible):
        (JSC::JSObject::flattenDictionaryObject):
        (JSC::JSObject::finishCreation):
        (JSC::JSObject::prototype):
        (JSC::JSObject::setPrototype):
        (JSC::JSObject::inlineGetOwnPropertySlot):
        (JSC::JSCell::fastGetOwnProperty):
        (JSC::JSObject::putDirectInternal):
        (JSC::JSObject::putDirectWithoutTransition):
        (JSC::JSObject::transitionTo):
        (JSC::JSObject::visitChildrenDirect): Changed all use of m_structure to
        structure() / setStructure(), so we don't have to be a friend of JSCell.

        * runtime/Structure.h:
        (JSC::JSCell::setStructure): Added, to avoid direct access by JSObject
        to JSCell::m_structure.

2011-09-19  Adam Barth  <abarth@webkit.org>

        Always enable ENABLE(EVENTSOURCE)
        https://bugs.webkit.org/show_bug.cgi?id=68414

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:

2011-09-19  Eli Fidler  <efidler@rim.com>

        Enable JSC_MULTIPLE_THREADS for OS(QNX).
        https://bugs.webkit.org/show_bug.cgi?id=68047

        Reviewed by Daniel Bates.

        SA_RESTART was required for SIGUSR2-based debugging, but is not
        present on QNX. This debugging doesn't seem critical to
        JSC_MULTIPLE_THREADS, so allow it to proceed.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::Thread::Thread):
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):
        (JSC::freePlatformThreadRegisters):
        * wtf/Platform.h: enable PTHREADS for OS(QNX)

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Refactor Heap allocation logic into separate AllocationSpace class
        https://bugs.webkit.org/show_bug.cgi?id=68409

        Reviewed by Gavin Barraclough.

        This patch hoists direct manipulation of the MarkedSpace and related
        data out of Heap and into a separate class.  This will allow us to
        have multiple allocation spaces in future, so easing the way towards
        having GC'd backing stores for objects.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.exp:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * heap/AllocationSpace.cpp: Added.
        (JSC::AllocationSpace::tryAllocate):
        (JSC::AllocationSpace::allocateSlowCase):
        (JSC::AllocationSpace::allocateBlock):
        (JSC::AllocationSpace::freeBlocks):
        (JSC::TakeIfEmpty::TakeIfEmpty):
        (JSC::TakeIfEmpty::operator()):
        (JSC::TakeIfEmpty::returnValue):
        (JSC::AllocationSpace::shrink):
        * heap/AllocationSpace.h: Added.
        (JSC::AllocationSpace::AllocationSpace):
        (JSC::AllocationSpace::blocks):
        (JSC::AllocationSpace::sizeClassFor):
        (JSC::AllocationSpace::setHighWaterMark):
        (JSC::AllocationSpace::highWaterMark):
        (JSC::AllocationSpace::canonicalizeBlocks):
        (JSC::AllocationSpace::resetAllocator):
        (JSC::AllocationSpace::forEachCell):
        (JSC::AllocationSpace::forEachBlock):
        (JSC::AllocationSpace::allocate):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::getConservativeRegisterRoots):
        (JSC::Heap::markRoots):
        (JSC::Heap::clearMarks):
        (JSC::Heap::sweep):
        (JSC::Heap::objectCount):
        (JSC::Heap::size):
        (JSC::Heap::capacity):
        (JSC::Heap::globalObjectCount):
        (JSC::Heap::objectTypeCounts):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::freeBlocks):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::objectSpace):
        (JSC::Heap::sizeClassForObject):
        (JSC::Heap::allocate):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-09-19  Adam Roben  <aroben@apple.com>

        Windows build fix after r95310

        * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Added
        include\private\JavaScriptCore to the include path so DFGIntrinsic.h can be found.

2011-09-19  Filip Pizlo  <fpizlo@apple.com>

        DFG speculation failures should act as additional value profiles
        https://bugs.webkit.org/show_bug.cgi?id=68335

        Reviewed by Oliver Hunt.
        
        This adds slow-case counters to the old JIT. It also ensures that
        negative zero in multiply is handled carefully. The old JIT
        previously took slow path if the result of a multiply was zero,
        which, without any changes, would cause the DFG to think that
        every such multiply produced a double result.
        
        This also fixes a bug in the old JIT's handling of decrements. It
        would take the slow path if the result was zero, but not if it
        underflowed.
        
        By itself, this would be a 1% slow-down on V8 and Kraken. But then
        I wrote optimizations in the DFG that take advantage of this new
        information. It's no longer the case that every multiply needs to
        do a check for negative zero; it only happens if the negative
        zero is ignored.
        
        This results in a 12% speed-up on v8-crypto, for a 1.4% geomean
        speed-up in V8. It's mostly neutral on Kraken. I can see an
        0.5% slow-down and it appears to be significant.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::resetRareCaseProfiles):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * bytecode/ValueProfile.h:
        (JSC::RareCaseProfile::RareCaseProfile):
        (JSC::getRareCaseProfileBytecodeOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::linkDummySlowCase):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_post_dec):
        (JSC::JIT::emit_op_pre_dec):
        (JSC::JIT::compileBinaryArithOp):
        (JSC::JIT::emit_op_add):
        (JSC::JIT::emitSlow_op_add):
        * jit/JITInlineMethods.h:
        (JSC::JIT::addSlowCase):

2011-09-19  Adam Roben  <aroben@apple.com>

        Windows build fix after r94575

        * JavaScriptCore.vcproj/JavaScriptCore.sln: Relinearized project dependencies. testRegExp
        now builds just before FindSafari.

2011-09-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95466.
        http://trac.webkit.org/changeset/95466
        https://bugs.webkit.org/show_bug.cgi?id=68389

        Incorrect version of the patch. (Requested by mhahnenberg on
        #webkit).

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toPrimitive):
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::toPrimitive):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::toPrimitive):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:

2011-09-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove toPrimitive from JSCell
        https://bugs.webkit.org/show_bug.cgi?id=67875

        Reviewed by Geoffrey Garen.

        Part of the refactoring process to un-virtualize JSCell.  We move 
        all of the implicit functionality provided by the virtual toPrimitive method 
        in JSCell to be explicit in JSValue::toPrimitive and JSCell:toPrimitive while 
        also de-virtualizing JSCell::toPrimitive.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toPrimitive):
        * runtime/JSCell.h:

        We replace JSNotAnObject::toPrimitive with defaultValue, which it overrides from 
        JSObject.  This pushes the virtual method further down, enabling us to get rid 
        of the virtual call in JSCell.  Eventually we'll probably have to deal with this
        again, but we'll cross that bridge when we come to it.
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::defaultValue):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        (JSC::JSValue::toPrimitive):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Build fix.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetDirectOffset):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Rename NewSpace.{h,cpp} to MarkedSpace.{h,cpp}
        https://bugs.webkit.org/show_bug.cgi?id=68376

        Reviewed by Gavin Barraclough.

        Renamed the the MarkedSpace files to match new name, and
        updated the relevant references.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.h:
        * heap/MarkedSpace.cpp: Renamed from Source/JavaScriptCore/heap/NewSpace.cpp.
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::addBlock):
        (JSC::MarkedSpace::removeBlock):
        (JSC::MarkedSpace::resetAllocator):
        (JSC::MarkedSpace::canonicalizeBlocks):
        * heap/MarkedSpace.h: Renamed from Source/JavaScriptCore/heap/NewSpace.h.
        (JSC::MarkedSpace::waterMark):
        (JSC::MarkedSpace::highWaterMark):
        (JSC::MarkedSpace::setHighWaterMark):
        (JSC::MarkedSpace::sizeClassFor):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
        * runtime/JSCell.h:

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Rename NewSpace to MarkedSpace
        https://bugs.webkit.org/show_bug.cgi?id=68375

        Reviewed by Gavin Barraclough.

        Rename NewSpace to a more accurate name, and update all uses.
        This patch doesn't rename the files themselves as that will
        just make the patch appear bigger than it is.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * heap/Heap.cpp:
        (JSC::CountFunctor::TakeIfEmpty::TakeIfEmpty):
        (JSC::CountFunctor::TakeIfEmpty::operator()):
        (JSC::Heap::Heap):
        (JSC::Heap::reportExtraMemoryCostSlowCase):
        (JSC::Heap::tryAllocate):
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        (JSC::Heap::isValidAllocation):
        (JSC::Heap::shrink):
        * heap/Heap.h:
        (JSC::Heap::markedSpace):
        (JSC::Heap::sizeClassFor):
        (JSC::Heap::allocate):
        * heap/NewSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::addBlock):
        (JSC::MarkedSpace::removeBlock):
        (JSC::MarkedSpace::resetAllocator):
        (JSC::MarkedSpace::canonicalizeBlocks):
        * heap/NewSpace.h:
        (JSC::MarkedSpace::waterMark):
        (JSC::MarkedSpace::highWaterMark):
        (JSC::MarkedSpace::setHighWaterMark):
        (JSC::MarkedSpace::sizeClassFor):
        (JSC::MarkedSpace::allocate):
        (JSC::MarkedSpace::forEachBlock):
        (JSC::MarkedSpace::SizeClass::SizeClass):
        (JSC::MarkedSpace::SizeClass::resetAllocator):
        (JSC::MarkedSpace::SizeClass::canonicalizeBlock):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitAllocateBasicJSObject):

2011-09-19  Peter Rybin  <peter.rybin@gmail.com>

        TextPosition refactoring: Merge ZeroBasedNumber and OneBasedNumber classes
        https://bugs.webkit.org/show_bug.cgi?id=63541

        Reviewed by Adam Barth.

        * parser/SourceProvider.h:
        (JSC::SourceProvider::startPosition):
        * wtf/text/TextPosition.h:
        (WTF::OrdinalNumber::fromZeroBasedInt):
        (WTF::OrdinalNumber::fromOneBasedInt):
        (WTF::OrdinalNumber::OrdinalNumber):
        (WTF::OrdinalNumber::zeroBasedInt):
        (WTF::OrdinalNumber::oneBasedInt):
        (WTF::OrdinalNumber::operator==):
        (WTF::OrdinalNumber::operator!=):
        (WTF::OrdinalNumber::first):
        (WTF::OrdinalNumber::beforeFirst):
        (WTF::TextPosition::TextPosition):
        (WTF::TextPosition::minimumPosition):
        (WTF::TextPosition::belowRangePosition):

2011-09-19  Dan Bernstein  <mitz@apple.com>

        JavaScriptCore part of [mac] WebKit contains Objective-C classes that are not prefixed with its standard prefixes
        https://bugs.webkit.org/show_bug.cgi?id=68323

        Reviewed by Sam Weinig.

        Renamed WTFMainThreadCaller to JSWTFMainThreadCaller.

        * wtf/mac/MainThreadMac.mm:
        (WTF::initializeMainThreadPlatform):
        (WTF::initializeMainThreadToProcessMainThreadPlatform):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Remove direct property slot pointers from the instruction stream
        https://bugs.webkit.org/show_bug.cgi?id=68373

        Reviewed by Gavin Barraclough.

        Use an indirect load to access prototype properties rather than directly
        storing the property address in the instruction stream.  This should allow
        further optimisations in future, and also provides a 0.5% win to sunspider.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compileGetDirectOffset):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compileGetDirectOffset):
        * runtime/JSObject.h:
        (JSC::JSObject::addressOfPropertyStorage):

2011-09-19  Oliver Hunt  <oliver@apple.com>

        Remove bump allocator
        https://bugs.webkit.org/show_bug.cgi?id=68370

        Reviewed by Sam Weinig.

        Can't do anything with this allocator currently, and it's
        increasing the complexity of the GC code.  Slight progression
        on SunSpider, slight regression (undoing the original progression)
        in V8.

        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * heap/Heap.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::NewSpace):
        * heap/NewSpace.h:
        (JSC::NewSpace::allocate):
        * runtime/JSObject.cpp:
        (JSC::JSObject::allocatePropertyStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::~JSObject):
        (JSC::JSObject::visitChildrenDirect):
        * runtime/StorageBarrier.h:
        (JSC::StorageBarrier::set):

2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Fix distcheck build
        https://bugs.webkit.org/show_bug.cgi?id=68346

        Reviewed by Philippe Normand.

        * GNUmakefile.list.am:

2011-09-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK] Fix distcheck build
        https://bugs.webkit.org/show_bug.cgi?id=68241

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am:

2011-09-18  Dan Bernstein  <mitz@apple.com>

        Removed ProfilerServer.

        Reviewed by Mark Rowe.

        * JavaScriptCore.gypi:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * profiler/ProfilerServer.h: Removed.
        * profiler/ProfilerServer.mm: Removed.
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * wscript:

2011-09-17  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should inline Math.min, Math.max, and Math.sqrt
        https://bugs.webkit.org/show_bug.cgi?id=68318

        Reviewed by Gavin Barraclough.
        
        Adds Math.min, Math.max, and Math.sqrt intrinsics. Adds support for
        a function to have an intrinsic but not a thunk generator. This is
        a 7% speed-up on access-nbody, and neutral elsewhere, mainly because
        we're still not DFG compiling the bulk of the hot code in Kraken audio
        benchmarks.

        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGIntrinsic.h:
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):

2011-09-18  Nico Weber  <thakis@chromium.org>

        Remove two files from JavaScriptCore.gypi that were removed in r95240
        https://bugs.webkit.org/show_bug.cgi?id=68327

        Unreviewed, build warning fix.

        * JavaScriptCore.gypi:

2011-09-17  Oliver Hunt  <oliver@apple.com>

        Remove special case handling of inline storage from the JIT
        https://bugs.webkit.org/show_bug.cgi?id=68319

        Reviewed by Gavin Barraclough.

        Simplify logic used for reading and writing to property storage
        by removing the special cases for inline storage.  This has no
        perf impact.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryBuildGetByIDList):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompileGetByIdSelfList):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::compilePutDirectOffset):
        (JSC::JIT::compileGetDirectOffset):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompileGetByIdSelfList):

2011-09-17  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not have full block-local CSE
        https://bugs.webkit.org/show_bug.cgi?id=68316

        Reviewed by Oliver Hunt.
        
        This adds block-local CSE to the DFG. CSE runs in the propagator just after
        type propagation. It is part of the propagator itself because it needs to
        use the propagator's internal data structures to determine which operations
        may have side effects. Because it changes the live-ranges of nodes, the
        virtual register allocator had to be moved into the propagator so that it
        runs after CSE. To ensure that the back-end knows to keep the inputs to
        any eliminated node alive for OSR, a new node type, Phantom, was introduced.
        It is a no-op but prolonges the live-range of its inputs.
        
        This is an 80% speed-up on imaging-gaussian-blur, and a 10% speed-up on
        Kraken.
        
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAliasTracker.h: Removed.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::MethodCheckData::operator==):
        (JSC::DFG::MethodCheckData::operator!=):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasVirtualRegister):
        (JSC::DFG::Node::setRefCount):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::Propagator):
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::propagateNode):
        (JSC::DFG::Propagator::canonicalize):
        (JSC::DFG::Propagator::computeStartIndex):
        (JSC::DFG::Propagator::startIndex):
        (JSC::DFG::Propagator::pureCSE):
        (JSC::DFG::Propagator::globalVarLoadElimination):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::getMethodLoadElimination):
        (JSC::DFG::Propagator::performSubstitution):
        (JSC::DFG::Propagator::setReplacement):
        (JSC::DFG::Propagator::performNodeCSE):
        (JSC::DFG::Propagator::performBlockCSE):
        (JSC::DFG::Propagator::localCSE):
        (JSC::DFG::Propagator::allocateVirtualRegisters):
        (JSC::DFG::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        method_check should repatch itself if it finds that the new structure(s)
        are the result of transitions from the old structure(s)
        https://bugs.webkit.org/show_bug.cgi?id=68294

        Reviewed by Gavin Barraclough.
        
        Previously a patched method_check would slow-path to get_by_id. Now it
        slow-paths to method_check_update, which attempts to correct the
        method_check due to structure transitions before bailing to get_by_id.
        
        This is a 1-2% speed-up on some benchmarks and is not a slow-down
        anywhere, leading to a 0.6% speed-up on the Kraken geomean.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * runtime/Structure.h:
        (JSC::Structure::transitivelyTransitionedFrom):

2011-09-16  Ryosuke Niwa  <rniwa@webkit.org>

        Touch Platform.h in the hope to fix SnowLeopard Intel Release (WebKit2 Tests).

        * wtf/Platform.h:

2011-09-16  Sam Weinig  <sam@webkit.org>

        Rename APIValueWrapper type to APIValueWrapperType for consistency
        https://bugs.webkit.org/show_bug.cgi?id=68306

        Reviewed by Anders Carlsson.

        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        Update name.

        * runtime/JSType.h:
        Update name and un-indent.

        * runtime/Structure.h:
        (JSC::JSCell::isAPIValueWrapper):
        Update name.

2011-09-16  Sam Weinig  <sam@webkit.org>

        Remove unused isStrictModeFunction function
        https://bugs.webkit.org/show_bug.cgi?id=68305

        Reviewed by Anders Carlsson.

        * runtime/JSObject.h:
        (JSC::JSObject::isStrictModeFunction):

2011-09-16  Sam Weinig  <sam@webkit.org>

        Cleanup JSTypeInfo a bit
        https://bugs.webkit.org/show_bug.cgi?id=68289

        Reviewed by Anders Carlsson.

        * dfg/DFGOperations.cpp:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        Replace direct access to flags() with predicate.

        * runtime/JSObject.h:
        (JSC::JSFinalObject::createStructure):
        Pass FinalObjectType instead of using special IsJSFinalObject.

        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::TypeInfo):
        Add additional assert that you should no object should OverridesHasInstance but not have ImplementsHasInstance set.

        (JSC::TypeInfo::isFinalObject):
        Added.

        (JSC::TypeInfo::masqueradesAsUndefined):
        (JSC::TypeInfo::implementsHasInstance):
        (JSC::TypeInfo::isEnvironmentRecord):
        (JSC::TypeInfo::overridesHasInstance):
        (JSC::TypeInfo::implementsDefaultHasInstance):
        (JSC::TypeInfo::overridesGetOwnPropertySlot):
        (JSC::TypeInfo::overridesVisitChildren):
        (JSC::TypeInfo::overridesGetPropertyNames):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        (JSC::TypeInfo::isSetOnFlags1):
        (JSC::TypeInfo::isSetOnFlags2):
        Replace direct bit twiddling with helper functions.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        Use new isFinalObject() predicate.

2011-09-16  Gavin Barraclough  <barraclough@apple.com>

        Unsigned bit shift fails under certain conditions in 32 bit builds
        https://bugs.webkit.org/show_bug.cgi?id=68166

        Reviewed by Geoff Garen.

        The major bug here is that the slow case (which handles shifts of
        doubles) doesn't check for negative results from an unsigned shift
        (which should be unsigned, and as such can't be represented by a
        signed integer immediate).  The implementation is also flawed for
        shifts by negative shift amounts (treats as shift by zero).

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):

2011-09-16  Geoffrey Garen  <ggaren@apple.com>

        Removed undetectable style.filter.

        Reviewed by Sam Weinig.
        
        This feature was added in http://trac.webkit.org/changeset/15557 to
        support housingmaps.com. But housingmaps.com no longer needs this hack,
        we don't know of other websites that need it, and we don't know of
        any other browsers that have implemented this feature.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSTypeInfo.h:
        * runtime/StringObjectThatMasqueradesAsUndefined.h: Removed.

2011-09-15  Sam Weinig  <sam@webkit.org>

        Prepare JSTypes for more Object subtypes
        https://bugs.webkit.org/show_bug.cgi?id=68200

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::branchIfNotObject):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitJumpIfNotObject):
        * runtime/JSGlobalObject.h:
        (JSC::Structure::prototypeForLookup):
        * runtime/JSObject.h:
        (JSC::JSObject::finishCreation):
        * runtime/JSType.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::type):
        (JSC::TypeInfo::isObject):
        (JSC::TypeInfo::isFinal):
        (JSC::TypeInfo::prohibitsPropertyCaching):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::finishCreation):
        * runtime/Operations.cpp:
        (JSC::jsIsObjectType):
        * runtime/Structure.cpp:
        (JSC::Structure::addPropertyTransitionToExistingStructure):
        (JSC::Structure::addPropertyTransition):
        * runtime/Structure.h:
        (JSC::Structure::isObject):
        (JSC::JSCell::isObject):

2011-09-16  Geoffrey Garen  <ggaren@apple.com>

        Rolled back in r95201 with test failure fixed.
        
        I missed two cases of jumpSlowToHot in rshift -- these cases need to be
        sure to initialize regT1 to the int tag, since it will otherwise hold
        the top 32 bits of a double.

        * jit/JIT.h:
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emitRightShiftSlowCase):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitnot):
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        (JSC::JIT::emit_op_pre_inc):
        (JSC::JIT::emit_op_pre_dec):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitStoreAndMapInt32):

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed Windows build fix after 95318.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-09-16  Adam Roben  <aroben@apple.com>

        Windows build fix after r95310

        * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Added include\private\JavaScriptCore to the
        include path so DFGIntrinsic.h can be found.

2011-09-16  Gavin Barraclough  <barraclough@apple.com>

        Rationalize JSObject::putDirect* methods
        https://bugs.webkit.org/show_bug.cgi?id=68274

        Reviewed by Sam Weinig.
        
        Delete the *Function variants. These are overall inefficient,
        in the way they get the name back from the function rather
        than just passing it in.

        * JavaScriptCore.exp:
        * jsc.cpp:
        (GlobalObject::finishCreation):
        (GlobalObject::addFunction):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::putWithAttributes):
        (JSC::JSObject::defineGetter):
        (JSC::JSObject::defineSetter):
        * runtime/JSObject.h:
        (JSC::JSObject::putDirect):
        (JSC::JSObject::putDirectWithoutTransition):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::lookupPut):

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for Windows.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-DFG builds.

        * runtime/Executable.h:
        (JSC::NativeExecutable::finishCreation):

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should inline Math.abs
        https://bugs.webkit.org/show_bug.cgi?id=68227

        Reviewed by Oliver Hunt.
        
        This adds the ability to track intrinsic functions throughout the
        host function infrastructure, so that the DFG can easily query
        whether or not a call's target is intrinsic, and if so, which
        intrinsic it is.
        
        On top of this, it adds Math.abs intrinsics to DFG. Call(Math.abs)
        is transformed into ValueToNumber<-ArithAbs nodes. These nodes
        then get optimized using the usual tricks.
        
        Also had to make a completely unrelated change to
        DateInstanceCache.h in order to fix a preexisting alphabetical
        sorting problem in JSGlobalData.h
        
        This results in a big win in imaging-gaussian-blur: 61% faster
        than before. The net win on Kraken is around 13%.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::isFunctionConstant):
        (JSC::DFG::Graph::valueOfFunctionConstant):
        * dfg/DFGIntrinsic.h: Added.
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::isFunctionConstant):
        (JSC::DFG::JITCodeGenerator::valueOfFunctionConstant):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isFunctionConstant):
        (JSC::DFG::JITCompiler::valueOfFunctionConstant):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * runtime/DateInstanceCache.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::intrinsic):
        (JSC::NativeExecutable::intrinsic):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::initialize):
        (JSC::HashEntry::intrinsic):

2011-09-16  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences
        using Domino's online ordering
        https://bugs.webkit.org/show_bug.cgi?id=68220

        Reviewed by Oliver Hunt.
        
        Weak handle processing can result in new objects being marked, which
        results in new WeakReferencesHarvesters being added. But weak
        reference harvesters are only processed before weak handle processing,
        so there's the risk that a weak reference harvester will persist
        until the next collection, by which time it may have been deleted.

        * heap/Heap.cpp:
        (JSC::Heap::markRoots):

2011-09-16  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r95201): It made two tests fail
        https://bugs.webkit.org/show_bug.cgi?id=68230

        Unreviewed rolling out r95201.

        * jit/JIT.h:
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitnot):
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec):
        (JSC::JIT::emit_op_pre_inc):
        (JSC::JIT::emit_op_pre_dec):
        * jit/JITInlineMethods.h:

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not optimize method_check
        https://bugs.webkit.org/show_bug.cgi?id=68215

        Reviewed by Oliver Hunt.
        
        MethodCallLinkInfo and StructureStubInfo are now searchable by
        bytecodeIndex, so that DFG::ByteCodeParser can use that information
        to determine how to optimize GetMethod.
        
        A new node op has been added to DFG: CheckMethod. This is a variant
        of GetMethod that has been optimized for the case that GetMethod
        always takes the fast path. CheckMethod results in only a very
        small amount of code (two loads and two branches in the worst case,
        one load and one branch in the best case). CheckMethod behaves as
        if it were a constant.  
        
        Introduced the notion that a DFG node that is not JSConstant
        behaves as a constant. CheckMethod uses this functionality.
        
        This is a 3% speed-up on Kraken, and a small speed-up on V8.
        Appears to be neutral on SunSpider.

        * bytecode/CodeBlock.h:
        (JSC::getStructureStubInfoBytecodeIndex):
        (JSC::getMethodCallLinkInfoBytecodeIndex):
        * bytecode/PredictedType.cpp:
        (JSC::predictionFromCell):
        (JSC::predictionFromValue):
        * bytecode/PredictedType.h:
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordGetMethod):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::getMethodCheckPrediction):
        (JSC::DFG::Graph::getPrediction):
        (JSC::DFG::Graph::isConstant):
        (JSC::DFG::Graph::isJSConstant):
        (JSC::DFG::Graph::valueOfJSConstant):
        (JSC::DFG::Graph::valueOfInt32Constant):
        (JSC::DFG::Graph::valueOfNumberConstant):
        (JSC::DFG::Graph::valueOfBooleanConstant):
        (JSC::DFG::Graph::valueOfJSConstantNode):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::fillInteger):
        (JSC::DFG::JITCodeGenerator::fillDouble):
        (JSC::DFG::JITCodeGenerator::fillJSValue):
        (JSC::DFG::JITCodeGenerator::isKnownNotInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillFPR):
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        (JSC::DFG::JITCompiler::fillToJS):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasConstant):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasMethodCheckData):
        (JSC::DFG::Node::methodCheckDataIndex):
        (JSC::DFG::Node::valueOfJSConstant):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
        (JSC::MethodCallCompilationInfo::MethodCallCompilationInfo):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):
        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::structureAddress):

2011-09-15  Adam Barth  <abarth@webkit.org>

        Rename ENABLE(DATABASE) to ENABLE(SQL_DATABASE)
        https://bugs.webkit.org/show_bug.cgi?id=68205

        Reviewed by Eric Seidel.

        * Configurations/FeatureDefines.xcconfig:
        * wtf/Platform.h:

2011-09-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Unzip initialization lists and constructors in JSCell hierarchy (7/7)
        https://bugs.webkit.org/show_bug.cgi?id=68122

        Reviewed by Geoffrey Garen.

        Completed the seventh and final level of the refactoring to add finishCreation() 
        methods to all classes within the JSCell hierarchy with non-trivial 
        constructor bodies.

        JSCallbackObject was missed in previous patches due to the fact that 
        it's non-obvious (at least to my script) that it is in the JSCell hierarchy, so 
        this is just a bit of retroactive cleanup.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::create):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::JSCallbackObject):

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        The DFG non-speculative JIT is no longer used and should be removed.
        https://bugs.webkit.org/show_bug.cgi?id=68177

        Reviewed by Geoffrey Garen.
        
        This removes the non-speculative JIT and everything that relied on it,
        including the ability to turn on DFG but not tiered compilation the,
        ability to perform speculation failure into non-speculative JIT code,
        and the ability to statically terminate speculation.

        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoopHint):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCodeGenerator.cpp:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp: Removed.
        * dfg/DFGNonSpeculativeJIT.h: Removed.
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGPropagator.cpp:
        * dfg/DFGPropagator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::osrExits):
        (JSC::DFG::SpeculativeJIT::speculationRecovery):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCode.h:
        (JSC::JITCode::bottomTierJIT):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        * wtf/Platform.h:

2011-09-15  Eric Seidel  <eric@webkit.org>

        Remove ENABLE(SVG_AS_IMAGE) since all major ports have it on by default
        https://bugs.webkit.org/show_bug.cgi?id=68182

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT sometimes asserts that a value is not a number
        even when it doesn't know anything about the number
        https://bugs.webkit.org/show_bug.cgi?id=68189

        Reviewed by Oliver Hunt.

        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::isUnknownJS):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        All of the functionality in the non-speculative JIT should be
        available to the speculative JIT via helper methods
        https://bugs.webkit.org/show_bug.cgi?id=68186

        Reviewed by Oliver Hunt.
        
        Stole all of the goodness from NonSpeculativeJIT and placed it
        in JITCodeGenerator.  Left all of the badness (i.e. subtle code
        duplication with SpeculativeJIT, etc).  This is in preparation
        for removing the NonSpeculativeJIT entirely, but having its
        goodness available for reuse in the SpeculativeJIT if necessary.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeKnownConstantArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeBasicArithOp):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeArithMod):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCheckHasInstance):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeInstanceOf):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeAdd):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeArithSub):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:

2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95167.
        http://trac.webkit.org/changeset/95167
        https://bugs.webkit.org/show_bug.cgi?id=68191

        Patch needs further work. (Requested by mhahnenberg on
        #webkit).

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        (JSC::JSCell::toBoolean):
        * runtime/JSCell.h:
        (JSC::JSCell::JSValue::toBoolean):
        * runtime/JSNotAnObject.cpp:
        (JSC::JSNotAnObject::toBoolean):
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        * runtime/StringObjectThatMasqueradesAsUndefined.h:
        (JSC::StringObjectThatMasqueradesAsUndefined::toBoolean):

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for platforms that expect a linkable symbol
        for primitive static const's.

        * bytecode/CodeBlock.h:
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):

2011-09-15  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for assertion on existence of alternative
        CodeBlock.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Value profiles collect no information for global variables
        https://bugs.webkit.org/show_bug.cgi?id=68143

        Reviewed by Geoffrey Garen.
        
        17% speed-up on string-fasta.  Neutral elsewhere.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getStrongPrediction):
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_global_var):

2011-09-15  Eric Seidel  <eric@webkit.org>

        Remove ENABLE_SVG_ANIMATION as all major ports have it on by default
        https://bugs.webkit.org/show_bug.cgi?id=68022

        Reviewed by Ryosuke Niwa.

        * Configurations/FeatureDefines.xcconfig:

2011-09-15  Gavin Barraclough  <barraclough@apple.com>

        Ooops, revert accidentally commited unreviewed changes.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        * jit/JSInterfaceJIT.h:
        * runtime/JSValue.h:

2011-09-15  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95163.
        http://trac.webkit.org/changeset/95163
        https://bugs.webkit.org/show_bug.cgi?id=68180

        [Qt] The QT_GCC_X variables were removed in Qt5 by accident.
        (Requested by darktears on #webkit).

        * JavaScriptCore.pro:

2011-09-15  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix p1.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_jfalse):
        (JSC::JIT::emit_op_jtrue):
        * jit/JSInterfaceJIT.h:
        * runtime/JSValue.h:

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Tiered compilation should be enabled by default on platforms
        that support the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=68136

        Reviewed by Sam Weinig.
        
        Neutral on SunSpider, 4% speed-up on V8, and 19% speed-up on
        Kraken.  Large progressions on some benchmarks, including
        3x on imaging-desaturate.

        * wtf/Platform.h:

2011-09-15  Gavin Barraclough  <barraclough@apple.com>

        devirtualize preventExtensions
        https://bugs.webkit.org/show_bug.cgi?id=68176

        Reviewed by Oliver Hunt.

        This is virtual due to problems in JSFunction putting the prototype
        property, but we can fix this problem a different way, just setting
        the checkReadOnly flag to false in the put.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnPropertySlot):
        * runtime/JSFunction.h:
        * runtime/JSObject.h:

2011-09-15  Geoffrey Garen  <ggaren@apple.com>

        Value chaining for JSValue32_64 bitops.

        Reviewed by Sam Weinig.
        
        SunSpider says 2.3% faster, v8 ~1% faster (mostly due to crypto).

        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitStoreAndMapInt32): New int32 helper function for stores
        that can chain their results, which is the common case.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_bitnot):
        (JSC::JIT::emit_op_pre_inc):
        (JSC::JIT::emit_op_pre_dec): Deployed new function.
        (JSC::JIT::emit_op_post_inc):
        (JSC::JIT::emit_op_post_dec): Had to reorder these functions so they
        computed their result values last, to make them elligible for chaining.

2011-09-15  Adam Roben  <aroben@apple.com>

        Clang build fix after r95172

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
        Added parentheses to make precendence clear.

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG does not speculate aggressively enough on comparisons
        https://bugs.webkit.org/show_bug.cgi?id=68138

        Reviewed by Oliver Hunt.
        
        This is a 75% speed-up on Kraken/ai-astar.  It's a 1% win on
        V8 and an 8.5% win on Kraken.  Neutral on SunSpider.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateFinalObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateArray):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateObject):
        (JSC::DFG::SpeculativeJIT::shouldSpeculateCell):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not leverage integer speculations on branches
        https://bugs.webkit.org/show_bug.cgi?id=68140

        Reviewed by Oliver Hunt.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isStrictInt32):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-14  Gavin Barraclough  <barraclough@apple.com>

        [n]stricteq code is bogus in JSValue32_64 JIT
        https://bugs.webkit.org/show_bug.cgi?id=68141

        Reviewed by Sam Weinig.

        The code tries to check for both ints or cells, but this check also
        catches cases where values that are undefined, null, etc (probably
        was incorrectly assuming cell was the 2nd highest tag?).

        Also, there is no need not to handle int on the fast path.
        stricteq is just a case of comparing the payloads, if we:
            * handle cases of differing tags on a slow path
            * handle doubles a slow path
            * handle both-are-string on a slow path

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emitSlow_op_stricteq):
        (JSC::JIT::emitSlow_op_nstricteq):

2011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Make JSCell::toBoolean non-virtual
        https://bugs.webkit.org/show_bug.cgi?id=67727

        Reviewed by Sam Weinig.

        JSCell::toBoolean now manually performs the toBoolean check for objects and strings (where 
        before it was simply virtual and would crash if its implementation was called). 
        Its descendants in JSObject and JSString have also been made non-virtual.  JSCell now
        explicitly covers all cases of toBoolean, so having a virtual implementation of 
        JSCell::toBoolean is no longer necessary.  This is part of a larger process of un-virtualizing JSCell.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSCell.cpp:
        * runtime/JSCell.h:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSObject.h:
        * runtime/JSString.h:
        (JSC::JSCell::toBoolean):
        (JSC::JSValue::toBoolean):
        * runtime/StringObjectThatMasqueradesAsUndefined.h:

2011-09-14  Alexis Menard  <alexis.menard@openbossa.org>

        [Qt] Replace QT_GCC_X as they don't exist in Qt5 anymore.
        https://bugs.webkit.org/show_bug.cgi?id=68114

        Reviewed by Kenneth Rohde Christiansen.

        Use the new GCC_X variables defined in WebKit.pri to replace
        the usage of QT_GCC_X.

        * JavaScriptCore.pro:

2011-09-14  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r95145.
        http://trac.webkit.org/changeset/95145
        https://bugs.webkit.org/show_bug.cgi?id=68139

        The GTK+ build is working now, so revert this trial build fix.
        (Requested by mrobinson on #webkit).

        * GNUmakefile.list.am:

2011-09-14  Patrick Gansterer  <paroga@webkit.org>

        Port MachineStackMarker to Windows ARM and MIPS
        https://bugs.webkit.org/show_bug.cgi?id=68068

        Reviewed by Geoffrey Garen.

        Use the correct memeber of the CONTEXT struct for the stackpointer for CPU(ARM) and CPU(MIPS).
        Only query CONTEXT_INTEGER and CONTEXT_CONTROL, since CONTEXT_SEGMENTS isn't defined for
        CPU(ARM) and CPU(MIPS) and the stackpointer is defined in the CONTEXT_CONTROL section for
        CPU(ARM), CPU(X86) and CPU(X86_64) and in the CONTEXT_INTEGER section for CPU(MIPS).

        * heap/MachineStackMarker.cpp:
        (JSC::getPlatformThreadRegisters):
        (JSC::otherThreadStackPointer):

2011-09-12  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT always speculates that ValueAdd is a numeric addition
        https://bugs.webkit.org/show_bug.cgi?id=67956

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateNumber):

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Stop building BinarySemaphore to see if that's what's breaking the GTK+ build.

        * GNUmakefile.list.am:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        This is getting old. Yet another build fix attempt.

        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Yet another build fix attempt.

        * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        How I &quot;love&quot; Visual Studio...

        Try to fix build again.

        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Try to fix Windows build.

        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops:

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Add BinarySemaphore class from WebKit2 to WTF
        https://bugs.webkit.org/show_bug.cgi?id=68132

        Reviewed by Sam Weinig.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:
        Update build systems.

        * wtf/threads: Added.
        * wtf/threads/BinarySemaphore.cpp: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.cpp.
        * wtf/threads/BinarySemaphore.h: Copied from Source/WebKit2/Platform/CoreIPC/BinarySemaphore.h.
        * wtf/threads/win: Added.
        * wtf/threads/win/BinarySemaphoreWin.cpp: Copied from Source/WebKit2/Platform/CoreIPC/win/BinarySemaphoreWin.cpp.

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for Interpreter.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-09-14  Anders Carlsson  <andersca@apple.com>

        Add wtf/threads and wtf/threads/win, so we can be sure that the EWS
        bots can correctly build the patch in https://bugs.webkit.org/show_bug.cgi?id=68132

        Rubber-stamped by Sam Weinig.

        * wtf/threads: Added.
        * wtf/threads/win: Added.

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT should not speculate integer if the value is always going to be
        used as a double anyway
        https://bugs.webkit.org/show_bug.cgi?id=68127

        Reviewed by Oliver Hunt.
        
        Added a ValueToDouble node, which is a variant of ValueToNumber that
        hints that it will only be used as a double and never as an integer.
        Thus, it turns off integer speculation even if the value profiler
        told us that the value source is an int. The logic for converting a
        ValueToNumber into a ValueToDouble is found in Propagator.
        
        This appears to be a 22% speed-up in imaging-darkroom.

        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::fixpoint):
        (JSC::DFG::Propagator::toDouble):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::fixup):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Tiered compilation heuristics do not account for value profile fullness
        https://bugs.webkit.org/show_bug.cgi?id=68116

        Reviewed by Oliver Hunt.
        
        Tiered compilation avoids invoking the DFG JIT if it finds that value
        profiles contain insufficient information. Instead, it produces a
        prediction from the current value profile, and then clears the value
        profile. This allows the value profile to heat up from scratch for
        some number of additional executions. The new profiles will then be
        merged with the previous prediction. Once the amount of information
        in predictions is enough according to heuristics in CodeBlock.cpp,
        DFG optimization is allowed to proceed.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.pro:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::visitAggregate):
        (JSC::CodeBlock::visitWeakReferences):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        * bytecode/PredictedType.h:
        * bytecode/ValueProfile.cpp: Added.
        (JSC::ValueProfile::computeStatistics):
        (JSC::ValueProfile::computeUpdatedPrediction):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfile::classInfo):
        (JSC::ValueProfile::numberOfSamples):
        (JSC::ValueProfile::totalNumberOfSamples):
        (JSC::ValueProfile::isLive):
        (JSC::ValueProfile::numberOfInt32s):
        (JSC::ValueProfile::numberOfDoubles):
        (JSC::ValueProfile::numberOfBooleans):
        (JSC::ValueProfile::dump):
        (JSC::getValueProfileBytecodeOffset):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::stronglyPredict):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::exitSpeculativeWithOSR):
        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        DFG should not speculate that the child of LogicalNot is a boolean if
        predictions tell us otherwise
        https://bugs.webkit.org/show_bug.cgi?id=68118

        Reviewed by Geoffrey Garen.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-09-14  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix.  Turn off tiered compilation.

        * wtf/Platform.h:

2011-09-13  Filip Pizlo  <fpizlo@apple.com>

        Prediction tracking is not precise enough
        https://bugs.webkit.org/show_bug.cgi?id=67993

        Reviewed by Oliver Hunt.
        
        Added a richer set of type predictions, including JSFinalObject, JSString,
        object that is not a JSFinalObject or JSArray (ObjectOther), some object
        but we don't or care know what kind (SomeObject), definitely an object,
        cell that is not an object or JSString, an value that is none of the above
        (so either Undefined or Null). Made the propagator and value profiler work
        with the new types.
        
        Performance is neutral, because the DFG JIT does not take advantage of this
        new knowledge yet.
        
        In the process of writing predictionToString() (which is now considerably
        more complex) I decided to finally add a BoundsCheckedPointer, which
        should come in handy in other places, like at least the OSR scratch buffer
        and the CompactJITCodeMap. It's great for cases where you want to
        do pointer arithmetic, you want to have assertions about the
        pointer not going out of bounds, but you don't want to write those
        assertions yourself.
        
        This also required refactoring inherits(), since the ValueProfiler may
        want to do the equivalent of inherits() but given two ClassInfo's.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PredictedType.cpp: Added.
        (JSC::predictionToString):
        (JSC::makePrediction):