Generate header detection headers for CMake on Windows.

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2014-08-12  Alex Christensen  <achristensen@webkit.org>

        Generate header detection headers for CMake on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135807

        Reviewed by Brent Fulgham.

        * CMakeLists.txt:
        Include the derived sources directory to find WTF/WTFHeaderDetection.h.

2014-08-11  Andy Estes  <aestes@apple.com>

        [iOS] Get rid of iOS.xcconfig
        https://bugs.webkit.org/show_bug.cgi?id=135809

        Reviewed by Joseph Pecoraro.

        All iOS.xcconfig did was include AspenFamily.xcconfig, so there's no need for the indirection.

        * Configurations/Base.xcconfig:
        * Configurations/iOS.xcconfig: Removed.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-08-11  Michael Saboff  <msaboff@apple.com>

        Eliminate {push,pop}CalleeSaves in favor of individual pushes & pops
        https://bugs.webkit.org/show_bug.cgi?id=127155

        Reviewed by Geoffrey Garen.

        Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the
        ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop
        instructions. Where the registers referenced by the added push and pop instructions
        are not part of the offline assembler register aliases, used a newly added "emit"
        offline assembler instruction which takes a string literal and outputs that
        string as a native instruction.

        * llint/LowLevelInterpreter.asm:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/ast.rb:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:
        * offlineasm/parser.rb:
        * offlineasm/sh4.rb:
        * offlineasm/transform.rb:
        * offlineasm/x86.rb:

2014-08-11  Mark Lam  <mark.lam@apple.com>

        Re-landing r172401 with fixed test.
        <https://webkit.org/b/135782>

        Not reviewed.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::ForInContext::base):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * tests/stress/for-in-tests.js:

2014-08-11  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172401.
        https://bugs.webkit.org/show_bug.cgi?id=135812

        Failing stress/for-in-tests.js
        http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/7945/steps
        /jscore-test/logs/stdio (Requested by mlam on #webkit).

        Reverted changeset:

        "for-in optimization should also make sure the base matches
        the object being iterated"
        https://bugs.webkit.org/show_bug.cgi?id=135782
        http://trac.webkit.org/changeset/172401

2014-08-11  Brian J. Burg  <burg@cs.washington.edu>

        Web Inspector: use type builders to construct high fidelity type information payloads
        https://bugs.webkit.org/show_bug.cgi?id=135803

        Reviewed by Timothy Hatcher.

        Due to some typos in the protocol file, the code had worked with raw objects
        rather than with type builders. Convert to using builders.

        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/protocol/Runtime.json: Fix 'item' for 'items'; true for 'true'.
        * runtime/HighFidelityTypeProfiler.cpp:
        (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
        * runtime/HighFidelityTypeProfiler.h:
        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations):
        (JSC::StructureShape::stringRepresentation):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        for-in optimization should also make sure the base matches the object being iterated
        https://bugs.webkit.org/show_bug.cgi?id=135782

        Reviewed by Geoffrey Garen.

        If we access a different base object with the same index, we shouldn't try to randomly 
        load from that object's backing store.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetByVal):
        (JSC::BytecodeGenerator::pushIndexedForInScope):
        (JSC::BytecodeGenerator::pushStructureForInScope):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ForInContext::ForInContext):
        (JSC::ForInContext::base):
        (JSC::StructureForInContext::StructureForInContext):
        (JSC::IndexedForInContext::IndexedForInContext):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitMultiLoopBytecode):
        * tests/stress/for-in-tests.js:

2014-08-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] Unreviewed gardening.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Display files in
        proper folder categories..

2014-08-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        JIT should use full 64-bit stores for jsBoolean and jsNull
        https://bugs.webkit.org/show_bug.cgi?id=135784

        Reviewed by Michael Saboff.

        This guarantees that we set the high bits of the register with the correct tag.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_has_structure_property):
        (JSC::JIT::emit_op_next_enumerator_pname):

2014-08-11  Brent Fulgham  <bfulgham@apple.com>

        [Win] Adjust build script for Windows production build.
        https://bugs.webkit.org/show_bug.cgi?id=135806
        <rdar://problem/17978299>

        Reviewed by Timothy Hatcher.

        * JavaScriptCore.vcxproj/copy-files.cmd: Copy file for later use
        in WebInspectorUI build.

2014-08-10  Oliver Hunt  <oliver@apple.com>

        Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers
        https://bugs.webkit.org/show_bug.cgi?id=135773

        Reviewed by Michael Saboff.

        We should be using parseAssignment expression in order to get the correct
        precedence.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):

2014-08-10  Diego Pino Garcia  <dpino@igalia.com>

        JSC Lexer is allowing octals 08 and 09 in strict mode functions
        https://bugs.webkit.org/show_bug.cgi?id=135704

        Reviewed by Oliver Hunt.

        Return syntax error ("Decimal integer literals with a leading zero are
        forbidden in strict mode") if a number starts with 0 and is followed 
        by a digit.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::lex):

2014-08-08  Mark Lam  <mark.lam@apple.com>

        REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen().
        <https://webkit.org/b/135656>

        Not reviewed.

        Rolling out r170680 which was merged to ToT in r172129.

        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::scope):
        (JSC::DebuggerCallFrame::evaluate):
        (JSC::DebuggerCallFrame::invalidate):
        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::DebuggerScope):
        (JSC::DebuggerScope::finishCreation):
        (JSC::DebuggerScope::visitChildren):
        (JSC::DebuggerScope::className):
        (JSC::DebuggerScope::getOwnPropertySlot):
        (JSC::DebuggerScope::put):
        (JSC::DebuggerScope::deleteProperty):
        (JSC::DebuggerScope::getOwnPropertyNames):
        (JSC::DebuggerScope::defineOwnProperty):
        (JSC::DebuggerScope::next): Deleted.
        (JSC::DebuggerScope::invalidateChain): Deleted.
        (JSC::DebuggerScope::isWithScope): Deleted.
        (JSC::DebuggerScope::isGlobalScope): Deleted.
        (JSC::DebuggerScope::isFunctionScope): Deleted.
        * debugger/DebuggerScope.h:
        (JSC::DebuggerScope::create):
        (JSC::DebuggerScope::Iterator::Iterator): Deleted.
        (JSC::DebuggerScope::Iterator::get): Deleted.
        (JSC::DebuggerScope::Iterator::operator++): Deleted.
        (JSC::DebuggerScope::Iterator::operator==): Deleted.
        (JSC::DebuggerScope::Iterator::operator!=): Deleted.
        (JSC::DebuggerScope::isValid): Deleted.
        (JSC::DebuggerScope::jsScope): Deleted.
        (JSC::DebuggerScope::begin): Deleted.
        (JSC::DebuggerScope::end): Deleted.
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeType):
        (Inspector::JSJavaScriptCallFrame::scopeChain):
        * inspector/JavaScriptCallFrame.h:
        (Inspector::JavaScriptCallFrame::scopeChain):
        * inspector/ScriptDebugServer.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::debuggerScopeStructure): Deleted.
        * runtime/JSObject.h:
        (JSC::JSObject::isWithScope): Deleted.
        * runtime/JSScope.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-08-07  Saam Barati  <sbarati@apple.com>

        Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
        https://bugs.webkit.org/show_bug.cgi?id=135358

        Reviewed by Geoffrey Garen.

        When VMEntryScope is destroyed, and it has a flag set indicating that the
        Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
        This flag is only used by Debugger to have VMEntryScope notify it when the
        Debugger is safe to recompile all functions. This patch will substitute this
        Debugger-specific recompilation flag with a list of callbacks that are notified 
        when the outermost VMEntryScope dies. This creates a general purpose interface 
        for being notified when the VM stops executing code via the event of the outermost 
        VMEntryScope dying.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::setEntryScopeDidPopListener):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded): Deleted.

2014-08-07  Benjamin Poulain  <bpoulain@apple.com>

        Get rid of SCRIPTED_SPEECH
        https://bugs.webkit.org/show_bug.cgi?id=135729

        Reviewed by Brent Fulgham.

        * Configurations/FeatureDefines.xcconfig:

2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
        https://bugs.webkit.org/show_bug.cgi?id=135722

        Reviewed by Filip Pizlo.

        We should be using SpeculateStrictInt32Operand instead.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2014-08-07  Benjamin Poulain  <bpoulain@apple.com>

        Get rid of INPUT_SPEECH
        https://bugs.webkit.org/show_bug.cgi?id=135672

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:

2014-08-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
        https://bugs.webkit.org/show_bug.cgi?id=135681

        Reviewed by Filip Pizlo.

        * runtime/Structure.cpp:
        (JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire 
        prototype chain for overridesGetPropertyNames, but we were neglecting to check the 
        base object's Structure. D'oh!

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        Not reviewed.

        * runtime/EnumerationMode.h:
        (JSC::shouldIncludeJSObjectPropertyNames):
        (JSC::modeThatSkipsJSObject):
        * runtime/JSCell.cpp:
        (JSC::JSCell::getEnumerableLength):
        * runtime/JSCell.h:

2014-08-06  Dean Jackson  <dino@apple.com>

        ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
        https://bugs.webkit.org/show_bug.cgi?id=135675

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2014-08-06  Wenson Hsieh  <wenson_hsieh@apple.com>

        Implement parsing for CSS scroll snap points
        https://bugs.webkit.org/show_bug.cgi?id=134301

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on GTK bots.

        Not reviewed.

        * runtime/FunctionHasExecutedCache.cpp:
        - #include <limits.h> for UINT_MAX's definition.

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: fix for build failure on EFL bots.

        Not reviewed.

        * jit/JITInlines.h:
        (JSC::JIT::emitLoadForArrayMode):

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from the FTLOPT merge at r172176.

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Ryuan Choi  <ryuan.choi@samsung.com>

        Unreviewed build fix attempt since r172184

        * CMakeLists.txt: Removed TypeLocation.cpp

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r171510.
        <https://webkit.org/b/134860>

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Mark Lam  <mark.lam@apple.com>

        Gardening: adding missing build file changes from r170490.
        <https://webkit.org/b/133395>

        Not reviewed.

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Silence a debug assertion.

        Reviewed by Mark Hahnenberg.

        * runtime/JSPropertyNameEnumerator.h:
        (JSC::JSPropertyNameEnumerator::cachedStructure):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit build.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileHasIndexedProperty):

2014-08-06  Filip Pizlo  <fpizlo@apple.com>

        Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.

    2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Support for-in in the FTL
            https://bugs.webkit.org/show_bug.cgi?id=134140
    
            Reviewed by Filip Pizlo.
    
            * dfg/DFGSSALoweringPhase.cpp:
            (JSC::DFG::SSALoweringPhase::handleNode):
            * ftl/FTLAbstractHeapRepository.cpp:
            * ftl/FTLAbstractHeapRepository.h:
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLIntrinsicRepository.h:
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
            (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
            (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
            (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
            (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
            (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
            (JSC::FTL::LowerDFGToLLVM::compileToIndexString):
    
    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Remove JSPropertyNameIterator
            https://bugs.webkit.org/show_bug.cgi?id=135066
    
            Reviewed by Geoffrey Garen.
    
            It has been replaced by JSPropertyNameEnumerator.
    
            * JavaScriptCore.order:
            * bytecode/BytecodeBasicBlock.cpp:
            (JSC::isBranch):
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            * bytecode/PreciseJumpTargets.cpp:
            (JSC::getJumpTargetsForBytecodeOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
            (JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
            * bytecompiler/BytecodeGenerator.h:
            * interpreter/Interpreter.cpp:
            * interpreter/Register.h:
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_pnames): Deleted.
            (JSC::JIT::emit_op_next_pname): Deleted.
            * jit/JITOperations.cpp:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emit_op_get_by_pname): Deleted.
            (JSC::JIT::emitSlow_op_get_by_pname): Deleted.
            * llint/LLIntOffsetsExtractor.cpp:
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * llint/LowLevelInterpreter32_64.asm:
            * llint/LowLevelInterpreter64.asm:
            * runtime/CommonSlowPaths.cpp:
            * runtime/JSPropertyNameIterator.cpp:
            (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
            (JSC::JSPropertyNameIterator::create): Deleted.
            (JSC::JSPropertyNameIterator::destroy): Deleted.
            (JSC::JSPropertyNameIterator::get): Deleted.
            (JSC::JSPropertyNameIterator::visitChildren): Deleted.
            * runtime/JSPropertyNameIterator.h:
            (JSC::JSPropertyNameIterator::createStructure): Deleted.
            (JSC::JSPropertyNameIterator::size): Deleted.
            (JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::cachedStructure): Deleted.
            (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
            (JSC::JSPropertyNameIterator::finishCreation): Deleted.
            (JSC::Register::propertyNameIterator): Deleted.
            (JSC::StructureRareData::enumerationCache): Deleted.
            (JSC::StructureRareData::setEnumerationCache): Deleted.
            * runtime/Structure.cpp:
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::removePropertyWithoutTransition):
            * runtime/Structure.h:
            * runtime/StructureInlines.h:
            (JSC::Structure::setEnumerationCache): Deleted.
            (JSC::Structure::enumerationCache): Deleted.
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            * runtime/StructureRareData.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):
    
    2014-07-25  Saam Barati  <sbarati@apple.com>
    
            Fix 32-bit build breakage for type profiling
            https://bugs.webkit.org/process_bug.cgi
    
            Reviewed by Mark Hahnenberg.
    
            32-bit builds currently break because global variable IDs for high
            fidelity type profiling are int64_t. Change this to intptr_t so that
            it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.
    
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/TypeLocation.h:
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTable::uniqueIDForVariable):
            (JSC::SymbolTable::uniqueIDForRegister):
            * runtime/SymbolTable.h:
            * runtime/TypeLocationCache.cpp:
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h:
            * runtime/VM.h:
            (JSC::VM::getNextUniqueVariableID):
    
    2014-07-25  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Reindent PropertyNameArray.h
            https://bugs.webkit.org/show_bug.cgi?id=135067
    
            Reviewed by Geoffrey Garen.
    
            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArrayData::create):
            (JSC::PropertyNameArrayData::propertyNameVector):
            (JSC::PropertyNameArrayData::PropertyNameArrayData):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::vm):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::operator[]):
            (JSC::PropertyNameArray::setData):
            (JSC::PropertyNameArray::data):
            (JSC::PropertyNameArray::releaseData):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::size):
            (JSC::PropertyNameArray::begin):
            (JSC::PropertyNameArray::end):
            (JSC::PropertyNameArray::numCacheableSlots):
            (JSC::PropertyNameArray::setNumCacheableSlotsForObject):
            (JSC::PropertyNameArray::setBaseObject):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
    
    2014-07-23  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            Refactor our current implementation of for-in
            https://bugs.webkit.org/show_bug.cgi?id=134142
    
            Reviewed by Filip Pizlo.
    
            This patch splits for-in loops into three distinct parts:
    
            - Iterating over the indexed properties in the base object.
            - Iterating over the Structure properties in the base object.
            - Iterating over any other enumerable properties for that object and any objects in the prototype chain.
     
            It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to 
            support the various operations required for each loop.
    
            * API/JSCallbackObjectFunctions.h:
            (JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpBytecode):
            (JSC::CodeBlock::CodeBlock):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitGetByVal):
            (JSC::BytecodeGenerator::emitComplexPopScopes):
            (JSC::BytecodeGenerator::emitGetEnumerableLength):
            (JSC::BytecodeGenerator::emitHasGenericProperty):
            (JSC::BytecodeGenerator::emitHasIndexedProperty):
            (JSC::BytecodeGenerator::emitHasStructureProperty):
            (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
            (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
            (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
            (JSC::BytecodeGenerator::emitToIndexString):
            (JSC::BytecodeGenerator::pushIndexedForInScope):
            (JSC::BytecodeGenerator::popIndexedForInScope):
            (JSC::BytecodeGenerator::pushStructureForInScope):
            (JSC::BytecodeGenerator::popStructureForInScope):
            (JSC::BytecodeGenerator::invalidateForInContextForLocal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::ForInContext::ForInContext):
            (JSC::ForInContext::~ForInContext):
            (JSC::ForInContext::isValid):
            (JSC::ForInContext::invalidate):
            (JSC::ForInContext::local):
            (JSC::StructureForInContext::StructureForInContext):
            (JSC::StructureForInContext::type):
            (JSC::StructureForInContext::index):
            (JSC::StructureForInContext::property):
            (JSC::StructureForInContext::enumerator):
            (JSC::IndexedForInContext::IndexedForInContext):
            (JSC::IndexedForInContext::type):
            (JSC::IndexedForInContext::index):
            (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
            (JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
            * bytecompiler/NodesCodegen.cpp:
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::ForInNode::tryGetBoundLocal):
            (JSC::ForInNode::emitLoopHeader):
            (JSC::ForInNode::emitMultiLoopBytecode):
            (JSC::ForInNode::emitBytecode):
            * debugger/DebuggerScope.h:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGCapabilities.cpp:
            (JSC::DFG::capabilityLevel):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            * dfg/DFGDoesGC.cpp:
            (JSC::DFG::doesGC):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            * dfg/DFGHeapLocation.cpp:
            (WTF::printInternal):
            * dfg/DFGHeapLocation.h:
            * dfg/DFGNode.h:
            (JSC::DFG::Node::hasHeapPrediction):
            (JSC::DFG::Node::hasArrayMode):
            * dfg/DFGNodeType.h:
            * dfg/DFGPredictionPropagationPhase.cpp:
            (JSC::DFG::PredictionPropagationPhase::propagate):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::safeToExecute):
            * dfg/DFGSpeculativeJIT.h:
            (JSC::DFG::SpeculativeJIT::callOperation):
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * jit/JIT.cpp:
            (JSC::JIT::privateCompileMainPass):
            (JSC::JIT::privateCompileSlowCases):
            * jit/JIT.h:
            (JSC::JIT::compileHasIndexedProperty):
            (JSC::JIT::emitInt32Load):
            * jit/JITInlines.h:
            (JSC::JIT::emitDoubleGetByVal):
            (JSC::JIT::emitLoadForArrayMode):
            (JSC::JIT::emitContiguousGetByVal):
            (JSC::JIT::emitArrayStorageGetByVal):
            * jit/JITOpcodes.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOpcodes32_64.cpp:
            (JSC::JIT::emit_op_get_enumerable_length):
            (JSC::JIT::emit_op_has_structure_property):
            (JSC::JIT::emitSlow_op_has_structure_property):
            (JSC::JIT::emit_op_has_generic_property):
            (JSC::JIT::privateCompileHasIndexedProperty):
            (JSC::JIT::emit_op_has_indexed_property):
            (JSC::JIT::emitSlow_op_has_indexed_property):
            (JSC::JIT::emit_op_get_direct_pname):
            (JSC::JIT::emitSlow_op_get_direct_pname):
            (JSC::JIT::emit_op_get_structure_property_enumerator):
            (JSC::JIT::emit_op_get_generic_property_enumerator):
            (JSC::JIT::emit_op_next_enumerator_pname):
            (JSC::JIT::emit_op_to_index_string):
            * jit/JITOperations.cpp:
            * jit/JITOperations.h:
            * jit/JITPropertyAccess.cpp:
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * jit/JITPropertyAccess32_64.cpp:
            (JSC::JIT::emitContiguousLoad):
            (JSC::JIT::emitDoubleLoad):
            (JSC::JIT::emitArrayStorageLoad):
            (JSC::JIT::emitContiguousGetByVal): Deleted.
            (JSC::JIT::emitDoubleGetByVal): Deleted.
            (JSC::JIT::emitArrayStorageGetByVal): Deleted.
            * llint/LowLevelInterpreter.asm:
            * parser/Nodes.h:
            * runtime/Arguments.cpp:
            (JSC::Arguments::getOwnPropertyNames):
            * runtime/ClassInfo.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
            * runtime/CommonSlowPaths.h:
            * runtime/EnumerationMode.h: Added.
            (JSC::shouldIncludeDontEnumProperties):
            (JSC::shouldExcludeDontEnumProperties):
            (JSC::shouldIncludeJSObjectPropertyNames):
            (JSC::modeThatSkipsJSObject):
            * runtime/JSActivation.cpp:
            (JSC::JSActivation::getOwnNonIndexPropertyNames):
            * runtime/JSArray.cpp:
            (JSC::JSArray::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBuffer.cpp:
            (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
            * runtime/JSArrayBufferView.cpp:
            (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
            * runtime/JSCell.cpp:
            (JSC::JSCell::getEnumerableLength):
            (JSC::JSCell::getStructurePropertyNames):
            (JSC::JSCell::getGenericPropertyNames):
            * runtime/JSCell.h:
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::getOwnNonIndexPropertyNames):
            * runtime/JSGenericTypedArrayViewInlines.h:
            (JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
            * runtime/JSObject.cpp:
            (JSC::getClassPropertyNames):
            (JSC::JSObject::hasOwnProperty):
            (JSC::JSObject::getOwnPropertyNames):
            (JSC::JSObject::getOwnNonIndexPropertyNames):
            (JSC::JSObject::getEnumerableLength):
            (JSC::JSObject::getStructurePropertyNames):
            (JSC::JSObject::getGenericPropertyNames):
            * runtime/JSObject.h:
            * runtime/JSPropertyNameEnumerator.cpp: Added.
            (JSC::JSPropertyNameEnumerator::create):
            (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
            (JSC::JSPropertyNameEnumerator::finishCreation):
            (JSC::JSPropertyNameEnumerator::destroy):
            (JSC::JSPropertyNameEnumerator::visitChildren):
            * runtime/JSPropertyNameEnumerator.h: Added.
            (JSC::JSPropertyNameEnumerator::createStructure):
            (JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
            (JSC::JSPropertyNameEnumerator::identifierSet):
            (JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
            (JSC::JSPropertyNameEnumerator::cachedStructure):
            (JSC::JSPropertyNameEnumerator::cachedStructureID):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
            (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
            (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
            (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
            (JSC::structurePropertyNameEnumerator):
            (JSC::genericPropertyNameEnumerator):
            * runtime/JSProxy.cpp:
            (JSC::JSProxy::getEnumerableLength):
            (JSC::JSProxy::getStructurePropertyNames):
            (JSC::JSProxy::getGenericPropertyNames):
            * runtime/JSProxy.h:
            * runtime/JSSymbolTableObject.cpp:
            (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
            * runtime/PropertyNameArray.cpp:
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
            * runtime/PropertyNameArray.h:
            (JSC::RefCountedIdentifierSet::contains):
            (JSC::RefCountedIdentifierSet::size):
            (JSC::RefCountedIdentifierSet::add):
            (JSC::PropertyNameArray::PropertyNameArray):
            (JSC::PropertyNameArray::add):
            (JSC::PropertyNameArray::addKnownUnique):
            (JSC::PropertyNameArray::identifierSet):
            (JSC::PropertyNameArray::canAddKnownUniqueForStructure):
            (JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
            * runtime/RegExpObject.cpp:
            (JSC::RegExpObject::getOwnNonIndexPropertyNames):
            (JSC::RegExpObject::getPropertyNames):
            (JSC::RegExpObject::getGenericPropertyNames):
            * runtime/RegExpObject.h:
            * runtime/StringObject.cpp:
            (JSC::StringObject::getOwnPropertyNames):
            * runtime/Structure.cpp:
            (JSC::Structure::getPropertyNamesFromStructure):
            (JSC::Structure::setCachedStructurePropertyNameEnumerator):
            (JSC::Structure::cachedStructurePropertyNameEnumerator):
            (JSC::Structure::setCachedGenericPropertyNameEnumerator):
            (JSC::Structure::cachedGenericPropertyNameEnumerator):
            (JSC::Structure::canCacheStructurePropertyNameEnumerator):
            (JSC::Structure::canCacheGenericPropertyNameEnumerator):
            (JSC::Structure::canAccessPropertiesQuickly):
            * runtime/Structure.h:
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::visitChildren):
            (JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
            (JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
            (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
            * runtime/StructureRareData.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:
    
    2014-07-23  Saam Barati  <sbarati@apple.com>
    
            Make improvements to Type Profiling
            https://bugs.webkit.org/show_bug.cgi?id=134860
    
            Reviewed by Filip Pizlo.
    
            I improved the API between the inspector and JSC. We no longer send one huge
            string to the inspector. We now send structured data that represents the type
            information that JSC has collected. I've also created a beginning implementation 
            of a type lattice that allows us to resolve a display name for a type that
            consists of a single word.
    
            I created a data structure that knows which functions have executed. This
            solves the bug where types inside an un-executed function will resolve
            to the type of the enclosing expression of that function. This data
            structure may also be useful later if the inspector chooses to create a UI
            around showing which functions have executed.
    
            Better type information is gathered for objects. StructureShape now
            represents an object's prototype chain.  StructureShape also collects
            the constructor name for an object.
    
            Expression ranges are now zero indexed.
    
            Removed some extraneous methods.
    
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/CodeBlock.h:
            * bytecode/TypeLocation.h:
            (JSC::TypeLocation::TypeLocation):
            * bytecode/UnlinkedCodeBlock.cpp:
            (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
            * bytecode/UnlinkedCodeBlock.h:
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::BytecodeGenerator):
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
            * heap/Heap.cpp:
            (JSC::Heap::collect):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * runtime/Executable.cpp:
            (JSC::ScriptExecutable::ScriptExecutable):
            (JSC::ProgramExecutable::ProgramExecutable):
            (JSC::FunctionExecutable::FunctionExecutable):
            (JSC::ProgramExecutable::initializeGlobalProperties):
            * runtime/Executable.h:
            (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
            (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
            * runtime/FunctionHasExecutedCache.cpp: Added.
            (JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
            (JSC::FunctionHasExecutedCache::insertUnexecutedRange):
            (JSC::FunctionHasExecutedCache::removeUnexecutedRange):
            * runtime/FunctionHasExecutedCache.h: Added.
            (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
            (JSC::FunctionHasExecutedCache::FunctionRange::operator==):
            (JSC::FunctionHasExecutedCache::FunctionRange::hash):
            * runtime/HighFidelityLog.cpp:
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
            * runtime/HighFidelityLog.h:
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            * runtime/HighFidelityTypeProfiler.cpp:
            (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
            (JSC::descriptorMatchesTypeLocation):
            (JSC::HighFidelityTypeProfiler::findLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
            * runtime/HighFidelityTypeProfiler.h:
            (JSC::QueryKey::QueryKey):
            (JSC::QueryKey::isHashTableDeletedValue):
            (JSC::QueryKey::operator==):
            (JSC::QueryKey::hash):
            (JSC::QueryKeyHash::hash):
            (JSC::QueryKeyHash::equal):
            (JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
            (JSC::HighFidelityTypeProfiler::typeLocationCache):
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/TypeLocationCache.cpp: Added.
            (JSC::TypeLocationCache::getTypeLocation):
            * runtime/TypeLocationCache.h: Added.
            (JSC::TypeLocationCache::LocationKey::LocationKey):
            (JSC::TypeLocationCache::LocationKey::operator==):
            (JSC::TypeLocationCache::LocationKey::hash):
            * runtime/TypeSet.cpp:
            (JSC::TypeSet::getRuntimeTypeForValue):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::doesTypeConformTo):
            (JSC::TypeSet::displayName):
            (JSC::TypeSet::allPrimitiveTypeNames):
            (JSC::TypeSet::allStructureRepresentations):
            (JSC::TypeSet::leastCommonAncestor):
            (JSC::StructureShape::StructureShape):
            (JSC::StructureShape::addProperty):
            (JSC::StructureShape::propertyHash):
            (JSC::StructureShape::leastCommonAncestor):
            (JSC::StructureShape::stringRepresentation):
            (JSC::StructureShape::inspectorRepresentation):
            (JSC::StructureShape::leastUpperBound): Deleted.
            * runtime/TypeSet.h:
            (JSC::StructureShape::setConstructorName):
            (JSC::StructureShape::constructorName):
            (JSC::StructureShape::setProto):
            * runtime/VM.cpp:
            (JSC::VM::dumpHighFidelityProfilingTypes):
            (JSC::VM::getTypesForVariableAtOffset): Deleted.
            (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
            * runtime/VM.h:
            (JSC::VM::isProfilingTypesWithHighFidelity):
            (JSC::VM::highFidelityTypeProfiler):
    
    2014-07-23  Filip Pizlo  <fpizlo@apple.com>
    
            Fix debug build.
    
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
    
    2014-07-20  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Phantoms in SSA form should be aggressively hoisted
            https://bugs.webkit.org/show_bug.cgi?id=135111
    
            Reviewed by Oliver Hunt.
            
            In CPS form, Phantom means three things: (1) that the children should be kept alive so long
            as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
            at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
            second meaning is not used but the other two stay.
            
            The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
            even in a totally different basic block, complicates some SSA transformations. It's not
            possible to just jettison some successor, since tha successor could have a Phantom that we
            care about.
            
            This change rationalizes how Phantoms work so that:
            
            1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
               in both CPS and SSA. This was true before and it's true now.
            
            2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
               now, except that now we also don't bother preserving the live-in-bytecode information
               that Phantoms convey, when we are in SSA.
            
            3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
               use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
               Phantom.
            
            The biggest part of this change is that in SSA, we canonicalize Phantoms:
            
            - All Phantoms are replaced with Check nodes that include only those edges that have
              checks.
            
            - Nodes that were the children of any Phantoms have a Phantom right after them.
            
            For example, the following code:
            
                5: ArithAdd(@1, @2)
                6: ArithSub(@5, @3)
                7: Phantom(Int32:@5)
            
            would be turned into the following:
            
                5: ArithAdd(@1, @2)
                8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
                               // @5. This is the only Phantom we will have for @5.
                6: ArithSub(@5, @3)
                7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
                                   // a checking edge, we leave it.
            
            This is a slight speed-up across the board, presumably because we now do a better job of
            reducing the size of the graph during compilation. It could also be a fluke, though. The
            main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
            become a requirement to run phantom canonicalization prior to some SSA phases. None of the
            current phases need it, but future phases probably will.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::foldConstants):
            * dfg/DFGDCEPhase.cpp:
            (JSC::DFG::DCEPhase::run):
            (JSC::DFG::DCEPhase::findTypeCheckRoot):
            (JSC::DFG::DCEPhase::countEdge):
            (JSC::DFG::DCEPhase::fixupBlock):
            (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
            * dfg/DFGEdge.cpp:
            (JSC::DFG::Edge::dump):
            * dfg/DFGEdge.h:
            (JSC::DFG::Edge::isProved):
            (JSC::DFG::Edge::needsCheck): Deleted.
            * dfg/DFGNodeFlags.h:
            * dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
            (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
            (JSC::DFG::PhantomCanonicalizationPhase::run):
            (JSC::DFG::performPhantomCanonicalization):
            * dfg/DFGPhantomCanonicalizationPhase.h: Added.
            * dfg/DFGPhantomRemovalPhase.cpp:
            (JSC::DFG::PhantomRemovalPhase::run):
            * dfg/DFGPhantomRemovalPhase.h:
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::lowJSValue):
            (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
    
    2014-07-22  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
            https://bugs.webkit.org/show_bug.cgi?id=135146
    
            Reviewed by Oliver Hunt.
            
            This greatly simplifies our closure call optimizations by taking advantage of the type
            bits available in the cell header.
    
            * bytecode/CallLinkInfo.cpp:
            (JSC::CallLinkInfo::visitWeak):
            * bytecode/CallLinkStatus.cpp:
            (JSC::CallLinkStatus::CallLinkStatus):
            (JSC::CallLinkStatus::computeFor):
            (JSC::CallLinkStatus::dump):
            * bytecode/CallLinkStatus.h:
            (JSC::CallLinkStatus::CallLinkStatus):
            (JSC::CallLinkStatus::executable):
            (JSC::CallLinkStatus::structure): Deleted.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::emitFunctionChecks):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::fixupNode):
            (JSC::DFG::FixupPhase::observeUseKindOnNode):
            * dfg/DFGSafeToExecute.h:
            (JSC::DFG::SafeToExecuteEdge::operator()):
            * dfg/DFGSpeculativeJIT.cpp:
            (JSC::DFG::SpeculativeJIT::checkArray):
            (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
            (JSC::DFG::SpeculativeJIT::speculateCellType):
            (JSC::DFG::SpeculativeJIT::speculateFunction):
            (JSC::DFG::SpeculativeJIT::speculateFinalObject):
            (JSC::DFG::SpeculativeJIT::speculate):
            * dfg/DFGSpeculativeJIT.h:
            * dfg/DFGSpeculativeJIT32_64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGSpeculativeJIT64.cpp:
            (JSC::DFG::SpeculativeJIT::compile):
            * dfg/DFGUseKind.cpp:
            (WTF::printInternal):
            * dfg/DFGUseKind.h:
            (JSC::DFG::typeFilterFor):
            (JSC::DFG::isCell):
            * ftl/FTLCapabilities.cpp:
            (JSC::FTL::canCompile):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
            (JSC::FTL::LowerDFGToLLVM::speculate):
            (JSC::FTL::LowerDFGToLLVM::isFunction):
            (JSC::FTL::LowerDFGToLLVM::isNotFunction):
            (JSC::FTL::LowerDFGToLLVM::speculateFunction):
            * jit/ClosureCallStubRoutine.cpp:
            (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
            (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
            * jit/ClosureCallStubRoutine.h:
            (JSC::ClosureCallStubRoutine::structure): Deleted.
            * jit/JIT.h:
            (JSC::JIT::compileClosureCall): Deleted.
            * jit/JITCall.cpp:
            (JSC::JIT::privateCompileClosureCall): Deleted.
            * jit/JITCall32_64.cpp:
            (JSC::JIT::privateCompileClosureCall): Deleted.
            * jit/JITOperations.cpp:
            * jit/Repatch.cpp:
            (JSC::linkClosureCall):
            * jit/Repatch.h:
    
2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [ARM] Incorrect handling of Unicode characters
        https://bugs.webkit.org/show_bug.cgi?id=135380

        Reviewed by Darin Adler.

        Removed erroneous fast case from stringFromUTF(), since it assumed that 
        char is always implemented as signed.

        * jsc.cpp:
        (stringFromUTF):

2014-08-06  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        [JSC] Build fix for FTL on EFL after ftlopt merge
        https://bugs.webkit.org/show_bug.cgi?id=135565

        Reviewed by Mark Lam.

        Adding an enable guard for native inlining, since it now requires the bitcode
        emitted from Clang, and we don't have a good way of creating it from other compilers.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * ftl/FTLState.cpp:
        (JSC::FTL::State::State):
        * ftl/FTLState.h:

2014-08-05  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r172129. (ftlopt branch merge)

        Remove the duplicated friend declaration to fix this build failure:
        "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"

        * runtime/StructureRareData.h:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds, part 3.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds, part 2.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build, part 2.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix CMake-based builds.

        * CMakeLists.txt:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Attempt to fix Windows build.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2014-08-05  Filip Pizlo  <fpizlo@apple.com>

        Fix cloop build.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::jettison):

2014-07-29  Filip Pizlo  <fpizlo@apple.com>

        Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.

        This part of the merge delivers roughly a 2% across-the-board performance
        improvement, mostly due to immutable property inference and DFG-side GCSE. It also
        almost completely resolves accessor performance issues; in the common case the DFG
        will compile a getter/setter access into code that is just as efficient as a normal
        property access.
        
        Another major highlight of this part of the merge is the work to add a type profiler
        to the inspector. This work is still on-going but this greatly increases coverage.

        Note that this merge fixes a minor bug in the GetterSetter refactoring from
        http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
        It also adds a new tests to tests/stress to cover that bug. That bug was previously only
        covered by layout tests.

    2014-07-17  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
            https://bugs.webkit.org/show_bug.cgi?id=135019
    
            Reviewed by Oliver Hunt.
            
            Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
            has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
            different code.
    
            * dfg/DFGNodeType.h:
            * dfg/DFGStrengthReductionPhase.cpp:
            (JSC::DFG::StrengthReductionPhase::handleNode):
            * tests/stress/capture-escape-and-throw.js: Added.
            (foo.f):
            (foo):
            * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
            (foo):
            (bar):
    
    2014-07-15  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
            https://bugs.webkit.org/show_bug.cgi?id=134962
    
            Reviewed by Oliver Hunt.
            
            This removes yet another steady-state-throughput implication of using getters and setters:
            if your accessor call is monomorphic then you'll just get a structure check, nothing more.
            No more loads to get to the GetterSetter object or the accessor function object.
    
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * runtime/GetterSetter.h:
            (JSC::GetterSetter::getterConcurrently):
            (JSC::GetterSetter::setGetter):
            (JSC::GetterSetter::setterConcurrently):
            (JSC::GetterSetter::setSetter):
    
    2014-07-15  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
            https://bugs.webkit.org/show_bug.cgi?id=134893
    
            Reviewed by Oliver Hunt.
            
            Replace Identity with Check instead of Phantom. Phantom means that the child of the
            Identity should be unconditionally live. The liveness semantics of Identity are such that
            if the parents of Identity are live then the child is live. Removing the Identity entirely
            preserves such liveness semantics. So, the only thing that should be left behind is the
            type check on the child, which is what Check means: do the check but don't keep the child
            alive if the check isn't needed.
    
            * dfg/DFGCSEPhase.cpp:
            * dfg/DFGNode.h:
            (JSC::DFG::Node::convertToCheck):
    
    2014-07-13  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
            https://bugs.webkit.org/show_bug.cgi?id=134677
    
            Reviewed by Sam Weinig.
            
            This removes the old local CSE phase, which was based on manually written backward-search 
            rules for all of the different kinds of things we cared about, and adds a new local/global
            CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
            clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
            structures used for storing sets of available values. This results in a large reduction in
            code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
            global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
            structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
            that this is a significant (~0.7%) throughput improvement.
            
            This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
            means that the node being analyzed makes available some value in some DFG node, and that
            future attempts to compute that value can simply use that node. In other words, it
            establishes an available value mapping of the form value=>node. There are two kinds of
            values that can be passed to def():
            
            PureValue. This captures everything needed to determine whether two pure nodes - nodes that
                neither read nor write, and produce a value that is a CSE candidate - are identical. It
                carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
                usually used for things like the arithmetic mode or constant pointer. Passing a
                PureValue to def() means that the node produces a value that is valid anywhere that the
                node dominates.
            
            HeapLocation. This describes a location in the heap that could be written to or read from.
                Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
                heap that both serves as part of the "name" of the heap location (together with the
                other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
                write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
                then it means that the values for that location are no longer available.
            
            This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
            tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
            interpreting the semantics of different DFG node types - that is now almost entirely in
            clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
            CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
            and the LocalCSE rule for turning PutByVal into PutByValAlias.
            
            This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere arond 0.7% . It's
            not a bigger win because LLVM was already giving us most of what we needed in its GVN.
            Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
            is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
            generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
            it improves both the quality of the code we generate and the speed with which we generate
            it. Also, any future optimizations that depend on GCSE will now be easier to implement.
            
            During the development of this patch I also rationalized some other stuff, like Graph's
            ordered traversals - we now have preorder and postorder rather than just "depth first".
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAbstractHeap.h:
            * dfg/DFGAdjacencyList.h:
            (JSC::DFG::AdjacencyList::hash):
            (JSC::DFG::AdjacencyList::operator==):
            * dfg/DFGBasicBlock.h:
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::performLocalCSE):
            (JSC::DFG::performGlobalCSE):
            (JSC::DFG::CSEPhase::CSEPhase): Deleted.
            (JSC::DFG::CSEPhase::run): Deleted.
            (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
            (JSC::DFG::CSEPhase::pureCSE): Deleted.
            (JSC::DFG::CSEPhase::constantCSE): Deleted.
            (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
            (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
            (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
            (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
            (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
            (JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
            (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
            (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
            (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
            (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
            (JSC::DFG::CSEPhase::setReplacement): Deleted.
            (JSC::DFG::CSEPhase::eliminate): Deleted.
            (JSC::DFG::CSEPhase::performNodeCSE): Deleted.
            (JSC::DFG::CSEPhase::performBlockCSE): Deleted.
            (JSC::DFG::performCSE): Deleted.
            * dfg/DFGCSEPhase.h:
            * dfg/DFGClobberSet.cpp:
            (JSC::DFG::addReads):
            (JSC::DFG::addWrites):
            (JSC::DFG::addReadsAndWrites):
            (JSC::DFG::readsOverlap):
            (JSC::DFG::writesOverlap):
            * dfg/DFGClobberize.cpp:
            (JSC::DFG::doesWrites):
            (JSC::DFG::accessesOverlap):
            (JSC::DFG::writesOverlap):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize):
            (JSC::DFG::NoOpClobberize::operator()):
            (JSC::DFG::CheckClobberize::operator()):
            (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
            (JSC::DFG::ReadMethodClobberize::operator()):
            (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
            (JSC::DFG::WriteMethodClobberize::operator()):
            (JSC::DFG::DefMethodClobberize::DefMethodClobberize):
            (JSC::DFG::DefMethodClobberize::operator()):
            * dfg/DFGDCEPhase.cpp:
            (JSC::DFG::DCEPhase::run):
            (JSC::DFG::DCEPhase::fixupBlock):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::getBlocksInPreOrder):
            (JSC::DFG::Graph::getBlocksInPostOrder):
            (JSC::DFG::Graph::addForDepthFirstSort): Deleted.
            (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
            * dfg/DFGGraph.h:
            * dfg/DFGHeapLocation.cpp: Added.
            (JSC::DFG::HeapLocation::dump):
            (WTF::printInternal):
            * dfg/DFGHeapLocation.h: Added.
            (JSC::DFG::HeapLocation::HeapLocation):
            (JSC::DFG::HeapLocation::operator!):
            (JSC::DFG::HeapLocation::kind):
            (JSC::DFG::HeapLocation::heap):
            (JSC::DFG::HeapLocation::base):
            (JSC::DFG::HeapLocation::index):
            (JSC::DFG::HeapLocation::hash):
            (JSC::DFG::HeapLocation::operator==):
            (JSC::DFG::HeapLocation::isHashTableDeletedValue):
            (JSC::DFG::HeapLocationHash::hash):
            (JSC::DFG::HeapLocationHash::equal):
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::run):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::replaceWith):
            (JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
            * dfg/DFGPureValue.cpp: Added.
            (JSC::DFG::PureValue::dump):
            * dfg/DFGPureValue.h: Added.
            (JSC::DFG::PureValue::PureValue):
            (JSC::DFG::PureValue::operator!):
            (JSC::DFG::PureValue::op):
            (JSC::DFG::PureValue::children):
            (JSC::DFG::PureValue::info):
            (JSC::DFG::PureValue::hash):
            (JSC::DFG::PureValue::operator==):
            (JSC::DFG::PureValue::isHashTableDeletedValue):
            (JSC::DFG::PureValueHash::hash):
            (JSC::DFG::PureValueHash::equal):
            * dfg/DFGSSAConversionPhase.cpp:
            (JSC::DFG::SSAConversionPhase::run):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::lower):
    
    2014-07-13  Filip Pizlo  <fpizlo@apple.com>
    
            Unreviewed, revert unintended change in r171051.
    
            * dfg/DFGCSEPhase.cpp:
    
    2014-07-08  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
            https://bugs.webkit.org/show_bug.cgi?id=134739
    
            Reviewed by Mark Hahnenberg.
            
            I'm going to streamline CSE around clobberize() as part of
            https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
            elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
            means that it belongs in StrengthReductionPhase, since that's intended to be our
            dumping ground.
            
            To do this I had to add some missing smarts to clobberize(). Previously clobberize()
            could play a bit loose with reads of Variables because it wasn't used for store
            elimination. The main client of read() was LICM, but it would only use it to
            determine hoistability and anything that did a write() was not hoistable - so, we had
            benign (but still wrong) missing read() calls in places that did write()s. This fixes
            a bunch of those cases.
    
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
            * dfg/DFGClobberize.cpp:
            (JSC::DFG::accessesOverlap):
            * dfg/DFGClobberize.h:
            (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
            * dfg/DFGStrengthReductionPhase.cpp:
            (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().
    
    2014-07-08  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Phantom simplification should be in its own phase
            https://bugs.webkit.org/show_bug.cgi?id=134742
    
            Reviewed by Geoffrey Garen.
            
            This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
            more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
            this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
            SSA.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * dfg/DFGAdjacencyList.h:
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::run):
            (JSC::DFG::CSEPhase::setReplacement):
            (JSC::DFG::CSEPhase::eliminate):
            (JSC::DFG::CSEPhase::performNodeCSE):
            (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
            * dfg/DFGPhantomRemovalPhase.cpp: Added.
            (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
            (JSC::DFG::PhantomRemovalPhase::run):
            (JSC::DFG::performCleanUp):
            * dfg/DFGPhantomRemovalPhase.h: Added.
            * dfg/DFGPlan.cpp:
            (JSC::DFG::Plan::compileInThreadImpl):
    
    2014-07-08  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
            https://bugs.webkit.org/show_bug.cgi?id=134730
    
            Reviewed by Mark Lam.
            
            This will allow for a better GCSE implementation.
    
            * dfg/DFGCPSRethreadingPhase.cpp:
            (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
            * dfg/DFGCSEPhase.cpp:
            (JSC::DFG::CSEPhase::setReplacement):
            * dfg/DFGEdgeDominates.h:
            (JSC::DFG::EdgeDominates::operator()):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::clearReplacements):
            (JSC::DFG::Graph::initializeNodeOwners):
            * dfg/DFGGraph.h:
            (JSC::DFG::Graph::performSubstitutionForEdge):
            * dfg/DFGLICMPhase.cpp:
            (JSC::DFG::LICMPhase::attemptHoist):
            * dfg/DFGNode.h:
            (JSC::DFG::Node::Node):
            * dfg/DFGSSAConversionPhase.cpp:
            (JSC::DFG::SSAConversionPhase::run):
    
    2014-07-04  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Infer immutable object properties
            https://bugs.webkit.org/show_bug.cgi?id=134567
    
            Reviewed by Mark Hahnenberg.
            
            This introduces a new way of inferring immutable object properties. A property is said to
            be immutable if after its creation (i.e. the transition that creates it), we never
            overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
            property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
            directly and not on a prototype. More specifically, the immutability inference will prove
            that a property on some structure is immutable. This means that, for example, we may have a
            structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
            transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
            mutable. This is mainly for convenience; it allows us to decouple immutability logic from
            transition logic. Immutability can be used to constant-fold accesses to objects at
            DFG-time. The DFG needs to prove the following to constant-fold the access:
            
            - The base of the access must be a constant object pointer. We prove that a property at a
              structure is immutable, but that says nothing of its value; each actual instance of that
              property may have a different value. So, a constant object pointer is needed to get an
              actual constant instance of the immutable value.
            
            - A check (or watchpoint) must have been emitted proving that the object has a structure
              that allows loading the property in question.
            
            - The replacement watchpoint set of the property in the structure that we've proven the
              object to have is still valid and we add a watchpoint to it lazily. The replacement
              watchpoint set is the key new mechanism that this change adds. It's possible that we have
              proven that the object has one of many structures, in which case each of those structures
              needs a valid replacement watchpoint set.
            
            The replacement watchpoint set is created the first time that any access to the property is
            cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
            get cache will create the watchpoint set and make it start watching. Any non-cached put
            access will invalidate the watchpoint set if one had been created; the underlying algorithm
            ensures that checking for the existence of a replacement watchpoint set is very fast in the
            common case. This algorithm ensures that no cached access needs to ever do any work to
            invalidate, or check the validity of, any replacement watchpoint sets. It also has some
            other nice properties:
            
            - It's very robust in its definition of immutability. The strictest that it will ever be is
              that for any instance of the object, the property must be written to only once,
              specifically at the time that the property is created. But it's looser than this in
              practice. For example, the property may be written to any number of times before we add
              the final property that the object will have before anyone reads the property; this works
              since for optimization purposes we only care if we detect immutability on the structure
              that the object will have when it is most frequently read from, not any previous
              structure that the object had. Also, we may write to the property any number of times
              before anyone caches accesses to it.
            
            - It is mostly orthogonal to structure transitions. No new structures need to be created to
              track the immutability of a property. Hence, there is no risk from this feature causing
              more polymorphism. This is different from the previous "specificValue" constant
              inference, which did cause additional structures to be created and sometimes those
              structures led to fake polymorphism. This feature does leverage existing transitions to
              do some of the watchpointing: property deletions don't fire the replacement watchpoint
              set because that would cause a new structure and so the mandatory structure check would
              fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
              because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
              this feature to be enabled.
            
            - No memory overhead is incurred except when accesses to the property are cached.
              Dictionary properties will typically have no meta-data for immutability. The number of
              replacement watchpoint sets we allocate is proportional to the number of inline caches in
              the program, which is typically must smaller than the number of structures or even the
              number of objects.
            
            This inference is far more powerful than the previous "specificValue" inference, so this
            change also removes all of that code. It's interesting that the amount of code that is
            changed to remove that feature is almost as big as the amount of code added to support the
            new inference - and that's if you include the new tests in the tally. Without new tests,
            it appears that the new feature actually touches less code!
            
            There is one corner case where the previous "specificValue" inference was more powerful.
            You can imagine someone creating objects with functions as self properties on those
            objects, such that each object instance had the same function pointers - essentially,
            someone might be trying to create a vtable but failing at the whole "one vtable for many
            instances" concept. The "specificValue" inference would do very well for such programs,
            because a structure check would be sufficient to prove a constant value for all of the
            function properties. This new inference will fail because it doesn't track the constant
            values of constant properties; instead it detects the immutability of otherwise variable
            properties (in the sense that each instance of the property may have a different value).
            So, the new inference requires having a particular object instance to actually get the
            constant value. I think it's OK to lose this antifeature. It took a lot of code to support
            and was a constant source of grief in our transition logic, and there doesn't appear to be
            any real evidence that programs benefited from that particular kind of inference since
            usually it's the singleton prototype instance that has all of the functions.
            
            This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
            V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
            speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
            one case.
    
            * bytecode/ComplexGetStatus.cpp:
            (JSC::ComplexGetStatus::computeFor):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeFromLLInt):
            (JSC::GetByIdStatus::computeForStubInfo):
            (JSC::GetByIdStatus::computeFor):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::GetByIdVariant):
            (JSC::GetByIdVariant::operator=):
            (JSC::GetByIdVariant::attemptToMerge):
            (JSC::GetByIdVariant::dumpInContext):
            * bytecode/GetByIdVariant.h:
            (JSC::GetByIdVariant::alternateBase):
            (JSC::GetByIdVariant::specificValue): Deleted.
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeForStubInfo):
            (JSC::PutByIdStatus::computeFor):
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::operator=):
            (JSC::PutByIdVariant::setter):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::specificValue): Deleted.
            * bytecode/Watchpoint.cpp:
            (JSC::WatchpointSet::fireAllSlow):
            (JSC::WatchpointSet::fireAll): Deleted.
            * bytecode/Watchpoint.h:
            (JSC::WatchpointSet::fireAll):
            * dfg/DFGAbstractInterpreterInlines.h:
            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::handleGetByOffset):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * dfg/DFGConstantFoldingPhase.cpp:
            (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
            * dfg/DFGFixupPhase.cpp:
            (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
            (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
            * dfg/DFGGraph.cpp:
            (JSC::DFG::Graph::tryGetConstantProperty):
            (JSC::DFG::Graph::visitChildren):
            * dfg/DFGGraph.h:
            * dfg/DFGWatchableStructureWatchingPhase.cpp:
            (JSC::DFG::WatchableStructureWatchingPhase::run):
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
            * jit/JITOperations.cpp:
            * jit/Repatch.cpp:
            (JSC::repatchByIdSelfAccess):
            (JSC::generateByIdStub):
            (JSC::tryCacheGetByID):
            (JSC::tryCachePutByID):
            (JSC::tryBuildPutByIdList):
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            (JSC::LLInt::putToScopeCommon):
            * runtime/CommonSlowPaths.h:
            (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
            * runtime/IntendedStructureChain.cpp:
            (JSC::IntendedStructureChain::mayInterceptStoreTo):
            * runtime/JSCJSValue.cpp:
            (JSC::JSValue::putToPrimitive):
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::reset):
            * runtime/JSObject.cpp:
            (JSC::JSObject::put):
            (JSC::JSObject::putDirectNonIndexAccessor):
            (JSC::JSObject::deleteProperty):
            (JSC::JSObject::defaultValue):
            (JSC::getCallableObjectSlow): Deleted.
            (JSC::JSObject::getPropertySpecificValue): Deleted.
            * runtime/JSObject.h:
            (JSC::JSObject::getDirect):
            (JSC::JSObject::getDirectOffset):
            (JSC::JSObject::inlineGetOwnPropertySlot):
            (JSC::JSObject::putDirectInternal):
            (JSC::JSObject::putOwnDataProperty):
            (JSC::JSObject::putDirect):
            (JSC::JSObject::putDirectWithoutTransition):
            (JSC::getCallableObject): Deleted.
            * runtime/JSScope.cpp:
            (JSC::abstractAccess):
            * runtime/PropertyMapHashTable.h:
            (JSC::PropertyMapEntry::PropertyMapEntry):
            (JSC::PropertyTable::copy):
            * runtime/PropertyTable.cpp:
            (JSC::PropertyTable::clone):
            (JSC::PropertyTable::PropertyTable):
            (JSC::PropertyTable::visitChildren): Deleted.
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            (JSC::Structure::materializePropertyMap):
            (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
            (JSC::Structure::addPropertyTransitionToExistingStructure):
            (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
            (JSC::Structure::addPropertyTransition):
            (JSC::Structure::changePrototypeTransition):
            (JSC::Structure::attributeChangeTransition):
            (JSC::Structure::toDictionaryTransition):
            (JSC::Structure::preventExtensionsTransition):
            (JSC::Structure::takePropertyTableOrCloneIfPinned):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::addPropertyWithoutTransition):
            (JSC::Structure::allocateRareData):
            (JSC::Structure::ensurePropertyReplacementWatchpointSet):
            (JSC::Structure::startWatchingPropertyForReplacements):
            (JSC::Structure::didCachePropertyReplacement):
            (JSC::Structure::startWatchingInternalProperties):
            (JSC::Structure::copyPropertyTable):
            (JSC::Structure::copyPropertyTableForPinning):
            (JSC::Structure::getConcurrently):
            (JSC::Structure::get):
            (JSC::Structure::add):
            (JSC::Structure::visitChildren):
            (JSC::Structure::prototypeChainMayInterceptStoreTo):
            (JSC::Structure::dump):
            (JSC::Structure::despecifyDictionaryFunction): Deleted.
            (JSC::Structure::despecifyFunctionTransition): Deleted.
            (JSC::Structure::despecifyFunction): Deleted.
            (JSC::Structure::despecifyAllFunctions): Deleted.
            (JSC::Structure::putSpecificValue): Deleted.
            * runtime/Structure.h:
            (JSC::Structure::startWatchingPropertyForReplacements):
            (JSC::Structure::startWatchingInternalPropertiesIfNecessary):
            (JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
            (JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
            (JSC::Structure::disableSpecificFunctionTracking): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::getConcurrently):
            (JSC::Structure::didReplaceProperty):
            (JSC::Structure::propertyReplacementWatchpointSet):
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::destroy):
            * runtime/StructureRareData.h:
            * tests/stress/infer-constant-global-property.js: Added.
            (foo.Math.sin):
            (foo):
            * tests/stress/infer-constant-property.js: Added.
            (foo):
            * tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
            (foo):
            (bar):
            * tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
            (foo):
            (bar):
            * tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
            (foo):
            (bar):
            * tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
            (foo):
            (bar):
            * tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
            (foo):
            (bar):
            * tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.
            (foo):
            (bar):
    
    2014-07-03  Saam Barati  <sbarati@apple.com>
    
            Add more coverage for the profile_types_with_high_fidelity op code.
            https://bugs.webkit.org/show_bug.cgi?id=134616
    
            Reviewed by Filip Pizlo.
    
            More operations are now being recorded by the profile_types_with_high_fidelity 
            opcode. Specifically: function parameters, function return values,
            function 'this' value, get_by_id, get_by_value, resolve nodes, function return 
            values at the call site. Added more flags to the profile_types_with_high_fidelity
            opcode so more focused tasks can take place when the instruction is
            being linked in CodeBlock. Re-worked the type profiler to search 
            through character offset ranges when asked for the type of an expression
            at a given offset. Removed redundant calls to Structure::toStructureShape
            in HighFidelityLog and TypeSet by caching calls based on StructureID.
    
            * bytecode/BytecodeList.json:
            * bytecode/BytecodeUseDef.h:
            (JSC::computeUsesForBytecodeOffset):
            (JSC::computeDefsForBytecodeOffset):
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::finalizeUnconditionally):
            (JSC::CodeBlock::scopeDependentProfile):
            * bytecode/CodeBlock.h:
            (JSC::CodeBlock::returnStatementTypeSet):
            * bytecode/TypeLocation.h:
            * bytecode/UnlinkedCodeBlock.cpp:
            (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
            (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
            * bytecode/UnlinkedCodeBlock.h:
            * bytecompiler/BytecodeGenerator.cpp:
            (JSC::BytecodeGenerator::emitMove):
            (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
            (JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
            (JSC::BytecodeGenerator::emitPutToScope):
            (JSC::BytecodeGenerator::emitPutToScopeWithProfile):
            (JSC::BytecodeGenerator::emitPutById):
            (JSC::BytecodeGenerator::emitPutByVal):
            * bytecompiler/BytecodeGenerator.h:
            (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
            * bytecompiler/NodesCodegen.cpp:
            (JSC::ResolveNode::emitBytecode):
            (JSC::BracketAccessorNode::emitBytecode):
            (JSC::DotAccessorNode::emitBytecode):
            (JSC::FunctionCallValueNode::emitBytecode):
            (JSC::FunctionCallResolveNode::emitBytecode):
            (JSC::FunctionCallBracketNode::emitBytecode):
            (JSC::FunctionCallDotNode::emitBytecode):
            (JSC::CallFunctionCallDotNode::emitBytecode):
            (JSC::ApplyFunctionCallDotNode::emitBytecode):
            (JSC::PostfixNode::emitResolve):
            (JSC::PostfixNode::emitBracket):
            (JSC::PostfixNode::emitDot):
            (JSC::PrefixNode::emitResolve):
            (JSC::PrefixNode::emitBracket):
            (JSC::PrefixNode::emitDot):
            (JSC::ReadModifyResolveNode::emitBytecode):
            (JSC::AssignResolveNode::emitBytecode):
            (JSC::AssignDotNode::emitBytecode):
            (JSC::ReadModifyDotNode::emitBytecode):
            (JSC::AssignBracketNode::emitBytecode):
            (JSC::ReadModifyBracketNode::emitBytecode):
            (JSC::ReturnNode::emitBytecode):
            (JSC::FunctionBodyNode::emitBytecode):
            * inspector/agents/InspectorRuntimeAgent.cpp:
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
            (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
            * inspector/agents/InspectorRuntimeAgent.h:
            * inspector/protocol/Runtime.json:
            * llint/LLIntSlowPaths.cpp:
            (JSC::LLInt::getFromScopeCommon):
            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
            * llint/LLIntSlowPaths.h:
            * llint/LowLevelInterpreter.asm:
            * runtime/HighFidelityLog.cpp:
            (JSC::HighFidelityLog::processHighFidelityLog):
            (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
            (JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
            * runtime/HighFidelityLog.h:
            (JSC::HighFidelityLog::recordTypeInformationForLocation):
            * runtime/HighFidelityTypeProfiler.cpp:
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
            (JSC::HighFidelityTypeProfiler::insertNewLocation):
            (JSC::HighFidelityTypeProfiler::findLocation):
            (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
            (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
            (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
            (JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
            * runtime/HighFidelityTypeProfiler.h:
            (JSC::LocationKey::LocationKey): Deleted.
            (JSC::LocationKey::hash): Deleted.
            (JSC::LocationKey::operator==): Deleted.
            * runtime/Structure.cpp:
            (JSC::Structure::toStructureShape):
            * runtime/Structure.h:
            * runtime/TypeSet.cpp:
            (JSC::TypeSet::TypeSet):
            (JSC::TypeSet::addTypeForValue):
            (JSC::TypeSet::seenTypes):
            (JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
            * runtime/TypeSet.h:
            (JSC::StructureShape::setConstructorName):
            * runtime/VM.cpp:
            (JSC::VM::getTypesForVariableAtOffset):
            (JSC::VM::dumpHighFidelityProfilingTypes):
            (JSC::VM::getTypesForVariableInRange): Deleted.
            * runtime/VM.h:
    
    2014-07-04  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
            https://bugs.webkit.org/show_bug.cgi?id=134642
    
            Rubber stamped by Andreas Kling.
    
            * ftl/FTLLowerDFGToLLVM.cpp:
            (JSC::FTL::LowerDFGToLLVM::compileNode):
    
    2014-07-01  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
            https://bugs.webkit.org/show_bug.cgi?id=134518
    
            Reviewed by Mark Hahnenberg.
            
            This has no real effect right now, particularly since almost all uses of
            setSetter/setGetter were already allocating a branch new GetterSetter. But once we start
            doing more aggressive constant property inference, this change will allow us to remove
            all runtime checks from getter/setter calls.
    
            * runtime/GetterSetter.cpp:
            (JSC::GetterSetter::withGetter):
            (JSC::GetterSetter::withSetter):
            * runtime/GetterSetter.h:
            (JSC::GetterSetter::setGetter):
            (JSC::GetterSetter::setSetter):
            * runtime/JSObject.cpp:
            (JSC::JSObject::defineOwnNonIndexProperty):
    
    2014-07-02  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure
    
            Rubber stamped by Mark Hahnenberg.
    
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            (JSC::Structure::nonPropertyTransition):
            (JSC::Structure::didTransitionFromThisStructure):
            (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
            * runtime/Structure.h:
    
    2014-07-02  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.
    
            Rubber stamped by Mark Hahnenberg.
    
            * runtime/Structure.cpp:
            (JSC::Structure::Structure):
            (JSC::Structure::cloneRareDataFrom): Deleted.
            * runtime/Structure.h:
            * runtime/StructureRareData.cpp:
            (JSC::StructureRareData::clone): Deleted.
            (JSC::StructureRareData::StructureRareData): Deleted.
            * runtime/StructureRareData.h:
            (JSC::StructureRareData::needsCloning): Deleted.
    
    2014-07-01  Mark Lam  <mark.lam@apple.com>
    
            [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
            <https://webkit.org/b/134420>
    
            Reviewed by Geoffrey Garen.
    
            Previously, DebuggerCallFrame::scope() returns a JSActivation (and relevant
            peers) which the WebInspector will use to introspect CallFrame variables.
            Instead, we should be returning a DebuggerScope as an abstraction layer that
            provides the introspection functionality that the WebInspector needs.  This
            is the first step towards not forcing every frame to have a JSActivation
            object just because the debugger is enabled.
    
            1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
               instead of the VM.  This allows JSObject::globalObject() to be able to
               return the global object for the DebuggerScope.
    
            2. On the DebuggerScope's life-cycle management:
    
               The DebuggerCallFrame is designed to be "valid" only during a debugging session
               (while the debugger is broken) through the use of a DebuggerCallFrameScope in
               Debugger::pauseIfNeeded().  Once the debugger resumes from the break, the
               DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
               We can't guarantee (from this code alone) that the Inspector code isn't still
               holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
               the frame will be invalidated, and any attempt to query it will return null values.
               This is pre-existing behavior.
    
               Now, we're adding the DebuggerScope into the picture.  While a single debugger
               pause session is in progress, the Inspector may request the scope from the
               DebuggerCallFrame.  While the DebuggerCallFrame is still valid, we want
               DebuggerCallFrame::scope() to always return the same DebuggerScope object.
               This is why we hold on to the DebuggerScope with a strong ref.
    
               If we use a weak ref instead, the following cooky behavior can manifest:
               1. The Inspector calls Debugger::scope() to get the top scope.
               2. The Inspector iterates down the scope chain and is now only holding a
                  reference to a parent scope.  It is no longer referencing the top scope.
               3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
                  gets cleared.
               4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
                  a different DebuggerScope instance.
               5. The Inspector iterates down the scope chain but never sees the parent scope
                  instance that retained a ref to in step 2 above.  This is because when iterating
                  this new DebuggerScope instance (which has no knowledge of the previous parent
                  DebuggerScope instance), a new DebuggerScope instance will get created for the
                  same parent scope. 
    
               Since the DebuggerScope is a JSObject, it's liveness is determined by its reachability.
               However, it's "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
               When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
               instantiated) will also get invalidated.  This is why we need the
               DebuggerScope::invalidateChain() method.  The Inspector should not be using the
               DebuggerScope instance after its owner DebuggerCallFrame is invalidated.  If it does,
               those methods will do nothing or returned a failed status.
    
            * debugger/Debugger.h:
            * debugger/DebuggerCallFrame.cpp:
            (JSC::DebuggerCallFrame::scope):
            (JSC::DebuggerCallFrame::evaluate):
            (JSC::DebuggerCallFrame::invalidate):
            (JSC::DebuggerCallFrame::vm):
            (JSC::DebuggerCallFrame::lexicalGlobalObject):
            * debugger/DebuggerCallFrame.h:
            * debugger/DebuggerScope.cpp:
            (JSC::DebuggerScope::DebuggerScope):
            (JSC::DebuggerScope::finishCreation):
            (JSC::DebuggerScope::visitChildren):
            (JSC::DebuggerScope::className):
            (JSC::DebuggerScope::getOwnPropertySlot):
            (JSC::DebuggerScope::put):
            (JSC::DebuggerScope::deleteProperty):
            (JSC::DebuggerScope::getOwnPropertyNames):
            (JSC::DebuggerScope::defineOwnProperty):
            (JSC::DebuggerScope::next):
            (JSC::DebuggerScope::invalidateChain):
            (JSC::DebuggerScope::isWithScope):
            (JSC::DebuggerScope::isGlobalScope):
            (JSC::DebuggerScope::isFunctionScope):
            * debugger/DebuggerScope.h:
            (JSC::DebuggerScope::create):
            (JSC::DebuggerScope::Iterator::Iterator):
            (JSC::DebuggerScope::Iterator::get):
            (JSC::DebuggerScope::Iterator::operator++):
            (JSC::DebuggerScope::Iterator::operator==):
            (JSC::DebuggerScope::Iterator::operator!=):
            (JSC::DebuggerScope::isValid):
            (JSC::DebuggerScope::jsScope):
            (JSC::DebuggerScope::begin):
            (JSC::DebuggerScope::end):
            * inspector/JSJavaScriptCallFrame.cpp:
            (Inspector::JSJavaScriptCallFrame::scopeType):
            (Inspector::JSJavaScriptCallFrame::scopeChain):
            * inspector/JavaScriptCallFrame.h:
            (Inspector::JavaScriptCallFrame::scopeChain):
            * inspector/ScriptDebugServer.cpp:
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::reset):
            (JSC::JSGlobalObject::visitChildren):
            * runtime/JSGlobalObject.h:
            (JSC::JSGlobalObject::debuggerScopeStructure):
            * runtime/JSObject.h:
            (JSC::JSObject::isWithScope):
            * runtime/JSScope.h:
            * runtime/VM.cpp:
            (JSC::VM::VM):
            * runtime/VM.h:
    
    2014-07-01  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
            https://bugs.webkit.org/show_bug.cgi?id=130756
    
            Reviewed by Oliver Hunt.
            
            The enables exposing the call to setters in the DFG, and then inlining it. Previously we
            already supproted inlined-cached calls to setters from within put_by_id inline caches,
            and the DFG could certainly emit such IC's. Now, if an IC had a setter call, then the DFG
            will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one
            better and inline the call.
            
            A lot of the core functionality was already available from the previous work to inline
            getters. So, there are some refactorings in this patch that move preexisting
            functionality around. For example, the work to figure out how the DFG should go about
            getting to what we call the "loaded value" - i.e. the GetterSetter object reference in
            the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and
            PutByIdStatus use it. This means that we can keep the safety checks common.  This patch
            also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse
            handleCall() for all of the various kinds of calls we can now emit.
            
            83% speed-up on getter-richards, 2% speed-up on box2d.
    
            * CMakeLists.txt:
            * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/ComplexGetStatus.cpp: Added.
            (JSC::ComplexGetStatus::computeFor):
            * bytecode/ComplexGetStatus.h: Added.
            (JSC::ComplexGetStatus::ComplexGetStatus):
            (JSC::ComplexGetStatus::skip):
            (JSC::ComplexGetStatus::takesSlowPath):
            (JSC::ComplexGetStatus::kind):
            (JSC::ComplexGetStatus::attributes):
            (JSC::ComplexGetStatus::specificValue):
            (JSC::ComplexGetStatus::offset):
            (JSC::ComplexGetStatus::chain):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/GetByIdVariant.cpp:
            (JSC::GetByIdVariant::GetByIdVariant):
            * bytecode/PolymorphicPutByIdList.h:
            (JSC::PutByIdAccess::PutByIdAccess):
            (JSC::PutByIdAccess::setter):
            (JSC::PutByIdAccess::structure):
            (JSC::PutByIdAccess::chainCount):
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeFromLLInt):
            (JSC::PutByIdStatus::computeFor):
            (JSC::PutByIdStatus::computeForStubInfo):
            (JSC::PutByIdStatus::makesCalls):
            * bytecode/PutByIdStatus.h:
            (JSC::PutByIdStatus::makesCalls): Deleted.
            * bytecode/PutByIdVariant.cpp:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::operator=):
            (JSC::PutByIdVariant::replace):
            (JSC::PutByIdVariant::transition):
            (JSC::PutByIdVariant::setter):
            (JSC::PutByIdVariant::writesStructures):
            (JSC::PutByIdVariant::reallocatesStorage):
            (JSC::PutByIdVariant::makesCalls):
            (JSC::PutByIdVariant::dumpInContext):
            * bytecode/PutByIdVariant.h:
            (JSC::PutByIdVariant::PutByIdVariant):
            (JSC::PutByIdVariant::structure):
            (JSC::PutByIdVariant::oldStructure):
            (JSC::PutByIdVariant::alternateBase):
            (JSC::PutByIdVariant::specificValue):
            (JSC::PutByIdVariant::callLinkStatus):
            (JSC::PutByIdVariant::replace): Deleted.
            (JSC::PutByIdVariant::transition): Deleted.
            * dfg/DFGByteCodeParser.cpp:
            (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
            (JSC::DFG::ByteCodeParser::addCall):
            (JSC::DFG::ByteCodeParser::handleCall):
            (JSC::DFG::ByteCodeParser::handleInlining):
            (JSC::DFG::ByteCodeParser::handleGetById):
            (JSC::DFG::ByteCodeParser::handlePutById):
            (JSC::DFG::ByteCodeParser::parseBlock):
            * jit/Repatch.cpp:
            (JSC::tryCachePutByID):
            (JSC::tryBuildPutByIdList):
            * runtime/IntendedStructureChain.cpp:
            (JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
            * runtime/IntendedStructureChain.h:
            * tests/stress/exit-from-setter.js: Added.
            * tests/stress/poly-chain-setter.js: Added.
            (Cons):
            (foo):
            (test):
            * tests/stress/poly-chain-then-setter.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            * tests/stress/poly-setter-combo.js: Added.
            (Cons1):
            (Cons2):
            (foo):
            (test):
            (.test):
            * tests/stress/poly-setter-then-self.js: Added.
            (foo):
            (test):
            (.test):
            * tests/stress/weird-setter-counter.js: Added.
            (foo):
            (test):
            * tests/stress/weird-setter-counter-syntactic.js: Added.
            (foo):
            (test):
    
    2014-07-01  Matthew Mirman  <mmirman@apple.com>
    
            Added an implementation of the "in" check to FTL.
            https://bugs.webkit.org/show_bug.cgi?id=134508
    
            Reviewed by Filip Pizlo.
    
            * ftl/FTLCapabilities.cpp: enabled compilation for "in"
            (JSC::FTL::canCompile): ditto
            * ftl/FTLCompile.cpp:
            (JSC::FTL::generateCheckInICFastPath): added.
            (JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
            * ftl/FTLInlineCacheDescriptor.h:
            (JSC::FTL::CheckInGenerator::CheckInGenerator): added.
            (JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
            * ftl/FTLInlineCacheSize.cpp: 
            (JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
            * ftl/FTLInlineCacheSize.h: ditto
            * ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
            * ftl/FTLLowerDFGToLLVM.cpp: 
            (JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
            (JSC::FTL::LowerDFGToLLVM::compileIn): added.
            * ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
            (JSC::FTL::callOperation): ditto
            * ftl/FTLSlowPathCall.h: ditto
            * ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
            * jit/JITOperations.h: made operationIns internal.
            * tests/stress/ftl-checkin.js: Added.
            * tests/stress/ftl-checkin-variable.js: Added.
    
    2014-06-30  Mark Hahnenberg  <mhahnenberg@apple.com>
    
            CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
            https://bugs.webkit.org/show_bug.cgi?id=134455
    
            Reviewed by Geoffrey Garen.
    
            Otherwise we get hanging pointers which can cause us to die later.
    
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::stronglyVisitWeakReferences):
    
    2014-06-27  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] Reduce the GC's influence on optimization decisions
            https://bugs.webkit.org/show_bug.cgi?id=134427
    
            Reviewed by Oliver Hunt.
            
            This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
            while trying to make the GC keep more structures alive
            (https://bugs.webkit.org/show_bug.cgi?id=128072).
            
            The fixes are, roughly:
            
            - If the GC clears an inline cache, then this no longer causes the IC to be forever
              polymorphic.
            
            - If we exit in inlined code into a function that tries to OSR enter, then we jettison
              sooner.
            
            - Some variables being uninitialized led to rage-recompilations.
            
            This is a pretty strong step in the direction of keeping more Structures alive and not
            blowing away code just because a Structure died. But, it seems like there is still a slight
            speed-up to be had from blowing away code that references dead Structures.
    
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::dumpAssumingJITType):
            (JSC::shouldMarkTransition):
            (JSC::CodeBlock::propagateTransitions):
            (JSC::CodeBlock::determineLiveness):
            * bytecode/GetByIdStatus.cpp:
            (JSC::GetByIdStatus::computeForStubInfo):
            * bytecode/PutByIdStatus.cpp:
            (JSC::PutByIdStatus::computeForStubInfo):
            * dfg/DFGCapabilities.cpp:
            (JSC::DFG::isSupportedForInlining):
            (JSC::DFG::mightInlineFunctionForCall):
            (JSC::DFG::mightInlineFunctionForClosureCall):
            (JSC::DFG::mightInlineFunctionForConstruct):
            * dfg/DFGCapabilities.h:
            * dfg/DFGCommonData.h:
            * dfg/DFGDesiredWeakReferences.cpp:
            (JSC::DFG::DesiredWeakReferences::reallyAdd):
            * dfg/DFGOSREntry.cpp:
            (JSC::DFG::prepareOSREntry):
            * dfg/DFGOSRExitCompilerCommon.cpp:
            (JSC::DFG::handleExitCounts):
            * dfg/DFGOperations.cpp:
            * dfg/DFGOperations.h:
            * ftl/FTLForOSREntryJITCode.cpp:
            (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
            * ftl/FTLOSREntry.cpp:
            (JSC::FTL::prepareOSREntry):
            * runtime/Executable.cpp:
            (JSC::ExecutableBase::destroy):
            (JSC::NativeExecutable::destroy):
            (JSC::ScriptExecutable::ScriptExecutable):
            (JSC::ScriptExecutable::destroy):
            (JSC::ScriptExecutable::installCode):
            (JSC::EvalExecutable::EvalExecutable):
            (JSC::ProgramExecutable::ProgramExecutable):
            * runtime/Executable.h:
            (JSC::ScriptExecutable::setDidTryToEnterInLoop):
            (JSC::ScriptExecutable::didTryToEnterInLoop):
            (JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
            (JSC::ScriptExecutable::ScriptExecutable): Deleted.
            * runtime/StructureInlines.h:
            (JSC::Structure::storedPrototypeObject):
            (JSC::Structure::storedPrototypeStructure):
    
    2014-06-25  Filip Pizlo  <fpizlo@apple.com>
    
            [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
            https://bugs.webkit.org/show_bug.cgi?id=134333
    
            Reviewed by Geoffrey Garen.
            
            This is engineered to provide loads of information to the profiler without incurring any
            costs when the profiler is disabled. It's the oldest trick in the book: the thing that
            fires the watchpoint doesn't actually create anything to describe the reason why it was
            fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
            FireDetail::dump() virtual method is called does anything happen.
            
            Currently we use this to produce very fine-grained data for Structure watchpoints and
            some cases of variable watchpoints. For all other situations, the given reason is just a
            string constant, by using StringFireDetail. If we find a situation where that string
            constant is insufficient to diagnose an issue then we can change it to provide more
            fine-grained information.
    
            * JavaScriptCore.xcodeproj/project.pbxproj:
            * bytecode/CodeBlock.cpp:
            (JSC::CodeBlock::CodeBlock):
            (JSC::CodeBlock::jettison):
            * bytecode/CodeBlock.h:
            * bytecode/CodeBlockJettisoningWatchpoint.cpp:
            (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
            * bytecode/CodeBlockJettisoningWatchpoint.h:
            * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
            * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
            * bytecode/StructureStubClearingWatchpoint.cpp:
            (JSC::StructureStubClearingWatchpoint::fireInternal):
            * bytecode/StructureStubClearingWatchpoint.h:
            * bytecode/VariableWatchpointSet.h:
            (JSC::VariableWatchpointSet::invalidate):
            (JSC::VariableWatchpointSet::finalizeUnconditionally):
            * bytecode/VariableWatchpointSetInlines.h:
            (JSC::VariableWatchpointSet::notifyWrite):
            * bytecode/Watchpoint.cpp:
            (JSC::StringFireDetail::dump):
            (JSC::WatchpointSet::fireAll):
            (JSC::WatchpointSet::fireAllSlow):
            (JSC::WatchpointSet::fireAllWatchpoints):
            (JSC::InlineWatchpointSet::fireAll):
            * bytecode/Watchpoint.h:
            (JSC::FireDetail::FireDetail):
            (JSC::FireDetail::~FireDetail):
            (JSC::StringFireDetail::StringFireDetail):
            (JSC::Watchpoint::fire):
            (JSC::WatchpointSet::fireAll):
            (JSC::WatchpointSet::touch):
            (JSC::WatchpointSet::invalidate):
            (JSC::InlineWatchpointSet::fireAll):
            (JSC::InlineWatchpointSet::touch):
            * dfg/DFGCommonData.h:
            * dfg/DFGOperations.cpp:
            * interpreter/Interpreter.cpp:
            (JSC::Interpreter::execute):
            * jsc.cpp:
            (WTF::Masquerader::create):
            * profiler/ProfilerCompilation.cpp:
            (JSC::Profiler::Compilation::setJettisonReason):
            (JSC::Profiler::Compilation::toJS):
            * profiler/ProfilerCompilation.h:
            (JSC::Profiler::Compilation::setJettisonReason): Deleted.
            * runtime/ArrayBuffer.cpp:
            (JSC::ArrayBuffer::transfer):
            * runtime/ArrayBufferNeuteringWatchpoint.cpp:
            (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
            * runtime/ArrayBufferNeuteringWatchpoint.h:
            * runtime/CommonIdentifiers.h:
            * runtime/CommonSlowPaths.cpp:
            (JSC::SLOW_PATH_DECL):
            * runtime/Identifier.cpp:
            (JSC::Identifier::dump):
            * runtime/Identifier.h:
            * runtime/JSFunction.cpp:
            (JSC::JSFunction::put):
            (JSC::JSFunction::defineOwnProperty):
            * runtime/JSGlobalObject.cpp:
            (JSC::JSGlobalObject::addFunction):
            (JSC::JSGlobalObject::haveABadTime):
            * runtime/JSSymbolTableObject.cpp:
            (JSC::VariableWriteFireDetail::dump):
            * runtime/JSSymbolTableObject.h:
            (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
            (JSC::symbolTablePut):
            (JSC::symbolTablePutWithAttributes):
            * runtime/PropertyName.h:
            (JSC::PropertyName::dump):
            * runtime/Structure.cpp:
            (JSC::Structure::notifyTransitionFromThisStructure):
            * runtime/Structure.h:
            (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
            * runtime/SymbolTable.cpp:
            (JSC::SymbolTableEntry::notifyWriteSlow):
            (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
            * runtime/SymbolTable.h:
            (JSC::SymbolTableEntry::notifyWrite):
            * runtime/VM.cpp:
            (JSC::VM::addImpureProperty):
    
2014-08-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172099.
        https://bugs.webkit.org/show_bug.cgi?id=135635

        Needs a do-over. (Requested by kling on #webkit).

        Reverted changeset:

        "The JIT should cache property lookup misses."
        https://bugs.webkit.org/show_bug.cgi?id=135578
        http://trac.webkit.org/changeset/172099

2014-08-05  Przemyslaw Kuczynski  <p.kuczynski@samsung.com>

        Fix resource leak of unclosed file descriptor.
        https://bugs.webkit.org/show_bug.cgi?id=135417

        Reviewed by Darin Adler.

        When open returns zero, fd handle leaks. Checking (fd > 0) needs to be replaced
        with (fd != -1).

        * assembler/MacroAssemblerARM.cpp:
        (JSC::isVFPPresent):

2014-08-05  Andreas Kling  <akling@apple.com>

        The JIT should cache property lookup misses.
        <https://webkit.org/b/135578>

        Add support for inline caching of object properties that don't exist.
        Previously we'd fall back to the C++ slow-path whenever a property was missing.

        It's implemented as a simple GetById-style stub that returns jsUndefined() as
        long as the Structure chain check passes.

        10x speedup on the included microbenchmark.

        Reviewed by Geoffrey Garen.

        * jit/Repatch.cpp:
        (JSC::toString):
        (JSC::kindFor):
        (JSC::generateByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::patchJumpToGetByIdStub):
        * runtime/PropertySlot.h:
        (JSC::PropertySlot::isUnset):

2014-08-05  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r172009.
        https://bugs.webkit.org/show_bug.cgi?id=135627

        "Commit landed on trunk instead of ftlopt branch." (Requested
        by saamyjoon on #webkit).

        Reverted changeset:

        "Create a more generic way for VMEntryScope to notify those
        interested that it will be destroyed"
        https://bugs.webkit.org/show_bug.cgi?id=135358
        http://trac.webkit.org/changeset/172009

2014-08-05  Alex Christensen  <achristensen@webkit.org>

        More work on CMake.
        https://bugs.webkit.org/show_bug.cgi?id=135620

        Reviewed by Laszlo Gombos.

        * CMakeLists.txt:
        Added missing source files.
        * PlatformEfl.cmake:
        * PlatformGTK.cmake:
        Include glib directories and libraries to find glib.h in EventLoop.cpp.
        * PlatformMac.cmake:
        Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
        because it should not be defined on Windows.
        Added remote inspector source files.

2014-08-05  Peyton Randolph  <prandolph@apple.com>

        Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
        https://bugs.webkit.org/show_bug.cgi?id=135276

        Reviewed by Beth Dakin.

        * Configurations/FeatureDefines.xcconfig:

2014-08-04  Benjamin Poulain  <benjamin@webkit.org>

        Add a flag for the CSS Selectors level 4 implementation
        https://bugs.webkit.org/show_bug.cgi?id=135535

        Reviewed by Andreas Kling.

        * Configurations/FeatureDefines.xcconfig:

2014-08-04  Alex Christensen  <achristensen@webkit.org>

        Progress towards CMake on Mac.
        https://bugs.webkit.org/show_bug.cgi?id=135528

        Reviewed by Gyuyoung Kim.

        * CMakeLists.txt:
        Include necessary directories and copy all necessary forwarding headers.
        Only compile UDis86Disassembler.cpp if we're using UDIS86.
        * PlatformMac.cmake: Added.
        * tools/CodeProfiling.cpp:
        Compile fix.  Include sys/time.h on darwin, too.

2014-08-04  Saam Barati  <sbarati@apple.com>

        Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
        https://bugs.webkit.org/show_bug.cgi?id=135358

        Reviewed by Geoffrey Garen.

        When VMEntryScope is destroyed, and it has a flag set indicating that the
        Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. 
        This flag is only used by Debugger to have VMEntryScope notify it when the
        Debugger is safe to recompile all functions. This patch will substitute this
        Debugger-specific recompilation flag with a list of callbacks that are notified 
        when the outermost VMEntryScope dies. This creates a general purpose interface 
        for being notified when the VM stops executing code via the event of the outermost 
        VMEntryScope dying.

        * debugger/Debugger.cpp:
        (JSC::Debugger::recompileAllJSFunctions):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::addEntryScopeDidPopListener):
        (JSC::VMEntryScope::~VMEntryScope):
        * runtime/VMEntryScope.h:
        (JSC::VMEntryScope::setRecompilationNeeded): Deleted.

2014-08-01  Carlos Alberto Lopez Perez  <clopez@igalia.com>

        REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
        https://bugs.webkit.org/show_bug.cgi?id=135522

        Reviewed by Martin Robinson.

        * CMakeLists.txt: Output the inspector headers inside inspector
        subdirectory.

2014-08-01  Mark Lam  <mark.lam@apple.com>

        Add some structure related assertions.
        <https://webkit.org/b/135523>

        Reviewed by Geoffrey Garen.

        Adding 2 assertions:
        1. assert that we don't index pass the end of the StructureIDTable.
           This should never happen, but this assertion will help catch bugs
           where a bad structureID gets passed in.
        2. assert that cells in MarkedBlock::callDestructor() that are not
           zapped should have a non-null StructureID.  This will help us catch
           bugs where the other cell header flag bits get set after the cell is
           zapped, thereby making the cell look like an unzapped cell but has a
           null structureID.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::get):

2014-08-01  Csaba Osztrogonác  <ossy@webkit.org>

        URTBF after r171946 to fix non-Apple builds.

        * bytecode/InlineCallFrameSet.cpp:

2014-08-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlock fails to visit the Executables of its InlineCallFrames
        https://bugs.webkit.org/show_bug.cgi?id=135471

        Reviewed by Geoffrey Garen.

        CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they 
        can be prematurely collected and cause crashes.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeOrigin.h:
        (JSC::InlineCallFrame::visitAggregate):
        * bytecode/InlineCallFrameSet.cpp:
        (JSC::InlineCallFrameSet::visitAggregate):
        * bytecode/InlineCallFrameSet.h:

2014-08-01  Alex Christensen  <achristensen@webkit.org>

        Progress towards cmake on Windows.
        https://bugs.webkit.org/show_bug.cgi?id=135484

        Reviewed by Martin Robinson.

        * CMakeLists.txt:
        Generate code directly to inspector directory to avoid using the cp command
        which is not available on Windows.
        * PlatformWin.cmake: Added.

2014-07-31  Andreas Kling  <akling@apple.com>

        Remove the JSC::OverridesVisitChildren flag.
        <https://webkit.org/b/135489>

        Except for 3 special classes, the visitChildren() call is always
        dispatched through the method table (see SlotVisitor.cpp.)

        The OverridesVisitChildren flag doesn't actually do anything.
        It could be used to implement a non-virtual direct call to
        JSCell::visitChildren, bypassing the method table for some objects,
        but such a micro-optimization seems like a weak trade for all this
        code complexity. Instead, just remove the flag.

        This change frees up an inline flag bit in JSCell.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.h:
        * API/JSAPIWrapperObject.mm:
        (JSC::JSAPIWrapperObject::visitChildren):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::visitChildren):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedFunctionExecutable::visitChildren):
        (JSC::UnlinkedCodeBlock::visitChildren):
        (JSC::UnlinkedProgramCodeBlock::visitChildren):
        * bytecode/UnlinkedCodeBlock.h:
        * debugger/DebuggerScope.cpp:
        (JSC::DebuggerScope::visitChildren):
        * debugger/DebuggerScope.h:
        * jsc.cpp:
        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        * runtime/Arguments.h:
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::visitChildren):
        (JSC::ProgramExecutable::visitChildren):
        (JSC::FunctionExecutable::visitChildren):
        * runtime/Executable.h:
        * runtime/GetterSetter.cpp:
        (JSC::GetterSetter::visitChildren):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::createStructure):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::createStructure):
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        * runtime/JSArrayIterator.cpp:
        (JSC::JSArrayIterator::visitChildren):
        * runtime/JSArrayIterator.h:
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::visitChildren):
        * runtime/JSBoundFunction.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::setStructure):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::visitChildren):
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSMap.h:
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::visitChildren):
        * runtime/JSMapIterator.h:
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::visitChildren):
        * runtime/JSNameScope.h:
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::visitChildren):
        * runtime/JSPromise.h:
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::visitChildren):
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseReaction.cpp:
        (JSC::JSPromiseReaction::visitChildren):
        * runtime/JSPromiseReaction.h:
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::visitChildren):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSProxy.cpp:
        (JSC::JSProxy::visitChildren):
        * runtime/JSProxy.h:
        * runtime/JSScope.cpp:
        (JSC::JSScope::visitChildren):
        * runtime/JSScope.h:
        * runtime/JSSegmentedVariableObject.cpp:
        (JSC::JSSegmentedVariableObject::visitChildren):
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSet.h:
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::visitChildren):
        * runtime/JSSetIterator.h:
        * runtime/JSSymbolTableObject.cpp:
        (JSC::JSSymbolTableObject::visitChildren):
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::overridesVisitChildren): Deleted.
        * runtime/JSWeakMap.h:
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::visitChildren):
        * runtime/JSWithScope.h:
        * runtime/JSWrapperObject.cpp:
        (JSC::JSWrapperObject::visitChildren):
        * runtime/JSWrapperObject.h:
        * runtime/MapData.h:
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::visitChildren):
        * runtime/NativeErrorConstructor.h:
        * runtime/PropertyMapHashTable.h:
        * runtime/PropertyTable.cpp:
        (JSC::PropertyTable::visitChildren):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::visitChildren):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::visitChildren):
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::visitChildren):
        * runtime/RegExpObject.h:
        * runtime/SparseArrayValueMap.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::visitChildren):
        * runtime/StructureChain.cpp:
        (JSC::StructureChain::visitChildren):
        * runtime/StructureChain.h:
        * runtime/StructureRareData.cpp:
        (JSC::StructureRareData::visitChildren):
        * runtime/StructureRareData.h:
        * runtime/WeakMapData.h:

2014-07-31  Mark Lam  <mark.lam@apple.com>

        JSCell::classInfo() belongs in JSCellInlines.h.
        <https://webkit.org/b/135475>

        Reviewed by Mark Hahnenberg.

        * runtime/JSCellInlines.h:
        (JSC::JSCell::classInfo):
        * runtime/JSDestructibleObject.h:
        (JSC::JSCell::classInfo): Deleted.

2014-07-31  Tanay C  <tanay.c@samsung.com>

        Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
        https://bugs.webkit.org/show_bug.cgi?id=135414

        Reviewed by Csaba Osztrogonác.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::putToScopeCommon):removed unused parameter from function definition

2014-07-30  Filip Pizlo  <fpizlo@apple.com>

        NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
        https://bugs.webkit.org/show_bug.cgi?id=135430

        Reviewed by Mark Hahnenberg.

        We already handled this correctly after the ftlopt merge, but it's useful to have the test.

        * tests/stress/new-function-expression-has-structures.js: Added.
        (foo.f):
        (foo.f.prototype.f):
        (foo):

2014-07-30  Andreas Kling  <akling@apple.com>

        Speculative Windows build fix.

        Try to dllimport the dllexported global object HashTable.

        * jsc.cpp:
        * testRegExp.cpp:

2014-07-30  Andreas Kling  <akling@apple.com>

        PropertyName's internal string is always atomic.
        <https://webkit.org/b/135451>

        Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
        we know that any string that's an Identifier is guaranteed to be atomic.

        A PropertyName can be either an Identifier or a PrivateName, and the
        private names are also guaranteed to be atomic internally.

        Make PropertyName vend AtomicStringImpl* instead of StringImpl*.

        Reviewed by Benjamin Poulain.

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):

2014-07-30  Andy Estes  <aestes@apple.com>

        USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
        https://bugs.webkit.org/show_bug.cgi?id=135439

        Reviewed by Tim Horton.

        We now support two different platform content filters, and will soon support a mock content filter (as part of
        webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
        library. ENABLE() is the correct macro to use for such a feature.

        * Configurations/FeatureDefines.xcconfig:

2014-07-30  Andreas Kling  <akling@apple.com>

        Static hash tables no longer need to be coupled with a VM.
        <https://webkit.org/b/135421>

        Now that the static hash tables are using char** instead of StringImpl**,
        it's no longer necessary to make them per-VM.

        This patch removes the hook in ClassInfo for providing your own static
        hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
        Most of this patch is tweaking ClassInfo construction sites to pass one
        less null pointer.

        Also simplified Lookup.h to stop requiring ExecState/VM to access the
        static hash tables.

        Reviewed by Geoffrey Garen.

        * API/JSAPIWrapperObject.mm:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackObject.cpp:
        * API/ObjCCallbackFunction.mm:
        * bytecode/UnlinkedCodeBlock.cpp:
        * create_hash_table:
        * debugger/DebuggerScope.cpp:
        * inspector/JSInjectedScriptHost.cpp:
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFrame.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::arrayConstructorTable): Deleted.
        (JSC::ExecState::arrayPrototypeTable): Deleted.
        (JSC::ExecState::booleanPrototypeTable): Deleted.
        (JSC::ExecState::dataViewTable): Deleted.
        (JSC::ExecState::dateTable): Deleted.
        (JSC::ExecState::dateConstructorTable): Deleted.
        (JSC::ExecState::errorPrototypeTable): Deleted.
        (JSC::ExecState::globalObjectTable): Deleted.
        (JSC::ExecState::jsonTable): Deleted.
        (JSC::ExecState::numberConstructorTable): Deleted.
        (JSC::ExecState::numberPrototypeTable): Deleted.
        (JSC::ExecState::objectConstructorTable): Deleted.
        (JSC::ExecState::privateNamePrototypeTable): Deleted.
        (JSC::ExecState::regExpTable): Deleted.
        (JSC::ExecState::regExpConstructorTable): Deleted.
        (JSC::ExecState::regExpPrototypeTable): Deleted.
        (JSC::ExecState::stringConstructorTable): Deleted.
        (JSC::ExecState::promisePrototypeTable): Deleted.
        (JSC::ExecState::promiseConstructorTable): Deleted.
        * jsc.cpp:
        * parser/Lexer.h:
        (JSC::Keywords::isKeyword):
        (JSC::Keywords::getKeyword):
        * runtime/Arguments.cpp:
        * runtime/ArgumentsIteratorConstructor.cpp:
        * runtime/ArgumentsIteratorPrototype.cpp:
        * runtime/ArrayBufferNeuteringWatchpoint.cpp:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::getOwnPropertySlot):
        * runtime/ArrayIteratorConstructor.cpp:
        * runtime/ArrayIteratorPrototype.cpp:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::getOwnPropertySlot):
        * runtime/BooleanConstructor.cpp:
        * runtime/BooleanObject.cpp:
        * runtime/BooleanPrototype.cpp:
        (JSC::BooleanPrototype::getOwnPropertySlot):
        * runtime/ClassInfo.h:
        (JSC::ClassInfo::hasStaticProperties):
        (JSC::ClassInfo::propHashTable): Deleted.
        * runtime/ConsolePrototype.cpp:
        * runtime/CustomGetterSetter.cpp:
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::getOwnPropertySlot):
        * runtime/DateInstance.cpp:
        * runtime/DatePrototype.cpp:
        (JSC::DatePrototype::getOwnPropertySlot):
        * runtime/Error.cpp:
        * runtime/ErrorConstructor.cpp:
        * runtime/ErrorInstance.cpp:
        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::getOwnPropertySlot):
        * runtime/ExceptionHelpers.cpp:
        * runtime/Executable.cpp:
        * runtime/FunctionConstructor.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GetterSetter.cpp:
        * runtime/InternalFunction.cpp:
        * runtime/JSAPIValueWrapper.cpp:
        * runtime/JSActivation.cpp:
        * runtime/JSArgumentsIterator.cpp:
        * runtime/JSArray.cpp:
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferConstructor.cpp:
        * runtime/JSArrayBufferPrototype.cpp:
        * runtime/JSArrayBufferView.cpp:
        * runtime/JSArrayIterator.cpp:
        * runtime/JSBoundFunction.cpp:
        * runtime/JSConsole.cpp:
        * runtime/JSDataView.cpp:
        * runtime/JSDataViewPrototype.cpp:
        (JSC::JSDataViewPrototype::getOwnPropertySlot):
        * runtime/JSFunction.cpp:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::getOwnPropertySlot):
        * runtime/JSMap.cpp:
        * runtime/JSMapIterator.cpp:
        * runtime/JSNameScope.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSONObject.cpp:
        (JSC::JSONObject::getOwnPropertySlot):
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
        (JSC::JSObject::reifyStaticFunctionsForDelete):
        * runtime/JSObject.h:
        * runtime/JSPromise.cpp:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::getOwnPropertySlot):
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromisePrototype.cpp:
        (JSC::JSPromisePrototype::getOwnPropertySlot):
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSProxy.cpp:
        * runtime/JSSet.cpp:
        * runtime/JSSetIterator.cpp:
        * runtime/JSString.cpp:
        * runtime/JSTypedArrayConstructors.cpp:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrays.cpp:
        * runtime/JSVariableObject.cpp:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWithScope.cpp:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        * runtime/Lookup.h:
        (JSC::HashTable::initializeIfNeeded):
        (JSC::HashTable::entry):
        (JSC::HashTable::begin):
        (JSC::HashTable::end):
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::lookupPut):
        * runtime/MapConstructor.cpp:
        * runtime/MapData.cpp:
        * runtime/MapIteratorConstructor.cpp:
        * runtime/MapIteratorPrototype.cpp:
        * runtime/MapPrototype.cpp:
        * runtime/MathObject.cpp:
        * runtime/NameConstructor.cpp:
        * runtime/NameInstance.cpp:
        * runtime/NamePrototype.cpp:
        (JSC::NamePrototype::getOwnPropertySlot):
        * runtime/NativeErrorConstructor.cpp:
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::getOwnPropertySlot):
        * runtime/NumberObject.cpp:
        * runtime/NumberPrototype.cpp:
        (JSC::NumberPrototype::getOwnPropertySlot):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::getOwnPropertySlot):
        * runtime/ObjectPrototype.cpp:
        * runtime/PropertyTable.cpp:
        * runtime/RegExp.cpp:
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::getOwnPropertySlot):
        * runtime/RegExpMatchesArray.cpp:
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::getOwnPropertySlot):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::getOwnPropertySlot):
        * runtime/SetConstructor.cpp:
        * runtime/SetIteratorConstructor.cpp:
        * runtime/SetIteratorPrototype.cpp:
        * runtime/SetPrototype.cpp:
        * runtime/SparseArrayValueMap.cpp:
        * runtime/StrictEvalActivation.cpp:
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::getOwnPropertySlot):
        * runtime/StringObject.cpp:
        * runtime/StringPrototype.cpp:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::freezeTransition):
        (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
        * runtime/StructureChain.cpp:
        * runtime/StructureRareData.cpp:
        * runtime/SymbolTable.cpp:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        * runtime/WeakMapConstructor.cpp:
        * runtime/WeakMapData.cpp:
        * runtime/WeakMapPrototype.cpp:
        * testRegExp.cpp:

2014-07-29  Brent Fulgham  <bfulgham@apple.com>

        [Win] Modify version numbering scheme to support 5-tuple versions
        https://bugs.webkit.org/show_bug.cgi?id=135400
        <rdar://problem/17849033>

        Reviewed by David Kilzer.

        * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
        new version-stamp.pl script to version JavaScriptCore.dll.

2014-07-29  Daniel Bates  <dabates@apple.com>

        Use WTF::move() instead of std::move() to help ensure move semantics
        https://bugs.webkit.org/show_bug.cgi?id=135351

        Reviewed by Alexey Proskuryakov.

        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::GetByIdVariant):

2014-07-28  Tamas Gergely  <tgergely.u-szeged@partner.samsung.com>

        BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
        https://bugs.webkit.org/show_bug.cgi?id=135287

        Reviewed by Darin Adler.

        The set() method tries to use a part of the old value (the reservedFlag bit) which
        was not defined when the constructor is called. Initialize m_pointer to 0 explicitely.

        * bytecode/StructureSet.h:
        (JSC::StructureSet::StructureSet):

2014-07-28  Benjamin Poulain  <bpoulain@apple.com>

        [JSC] JIT::assertStackPointerOffset() crashes on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=135316

        Reviewed by Geoffrey Garen.

        JIT::assertStackPointerOffset() does a compare between an arbitrary register
        and the stack pointer. This was not supported by the ARM64 assembler.

        There are no variation that can take a stack pointer for Xd. There is one version of subs
        that can take a stack pointer, but only for the Xn: the shift+extend one.
        To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
        the implementation of sub.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::sub):
        In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
        with either version of sub.

        In sub(with shift), I remove the weird special case for SP. First, it was quite misleading because
        the Rd case only works if "setflag == false". The other confusing part is going to addSubtractShiftedRegister()
        gives you a reduce shift range, which could create subtle bug that only appear when SP is used.

        Since I removed the weird case, I need to differentiate between the sub() that support SP, and the one that does
        not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
        the shift value must be zero, it is safe to call either variant.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch64):
        With the changes described above, we can now use SP for the left register. What do we do if the rightmost
        register is SP?

        For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
        we just switch the registers before generating the instruction.

        For the generic case, just move the value of SP to a GPR before doing the CMP.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Unreviewed build fix after r171682.

        * replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
        as an exported symbol.

2014-07-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
        https://bugs.webkit.org/show_bug.cgi?id=135322

        Reviewed by Oliver Hunt.

        The prototype chain of the JSProxy object should match that of the JSGlobalObject. 

        This is a separate but related issue with JSObjectSetPrototype which doesn't correctly 
        account for JSProxies. I also audited the rest of the C API to check that we correctly 
        handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
        and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when 
        passed a JSProxy.

        I also added some new tests for these cases.

        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * API/tests/CustomGlobalObjectClassTest.c:
        (globalObjectSetPrototypeTest):
        (globalObjectPrivatePropertyTest):
        * API/tests/CustomGlobalObjectClassTest.h:
        * API/tests/testapi.c:
        (main):

2014-07-28  Filip Pizlo  <fpizlo@apple.com>

        Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
        https://bugs.webkit.org/show_bug.cgi?id=135350
        <rdar://problem/17509889>

        Reviewed by Mark Hahnenberg and Oliver Hunt.
        
        If we have an exiting node that uses a conversion node, then that exiting node
        needs to have a Phantom after it for the the original node. But we can't do that
        for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
        * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):
        * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
        (foo):
        (test):

2014-07-28  Joseph Pecoraro  <pecoraro@apple.com>

        JSContext Inspector: crash when using step-into
        https://bugs.webkit.org/show_bug.cgi?id=135345

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::stepInto):
        Null check m_listener since it may not be set.

2014-07-28  Brian J. Burg  <burg@cs.washington.edu>

        Web Replay: auto-decoding of parameterized vector's elements is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=135343

        Reviewed by Timothy Hatcher.

        Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
        that was using the element's decoded type as the type parameter to
        EncodedValue::append<T>. It should instead be the raw type T. This
        causes problems when encoding Vector<RefPtr<T>>, as it later tries to
        use encoding traits for RefPtr<T> rather than for T.

        Fix incorrect generated encoding traits argument for vectors of
        RefCounted objects. Updated test to cover this scenario.