build-jsc --ftl-jit should work
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
index d4661e1..2c8e1bc 100644 (file)
+2013-08-22  Filip Pizlo  <fpizlo@apple.com>
+
+        build-jsc --ftl-jit should work
+        https://bugs.webkit.org/show_bug.cgi?id=120194
+
+        Reviewed by Oliver Hunt.
+
+        * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
+        * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
+        * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
+        * ftl/FTLLowerDFGToLLVM.cpp: Build fix
+        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
+        (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
+
+2013-08-23  Oliver Hunt  <oliver@apple.com>
+
+        Re-sort xcode project file
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-08-23  Oliver Hunt  <oliver@apple.com>
+
+        Support in memory compression of rarely used data
+        https://bugs.webkit.org/show_bug.cgi?id=120143
+
+        Reviewed by Gavin Barraclough.
+
+        Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
+
+        * Configurations/JavaScriptCore.xcconfig:
+        * bytecode/UnlinkedCodeBlock.cpp:
+        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
+        (JSC::UnlinkedCodeBlock::addExpressionInfo):
+        * bytecode/UnlinkedCodeBlock.h:
+
+2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        JSObject and JSArray code shouldn't have to tiptoe around garbage collection
+        https://bugs.webkit.org/show_bug.cgi?id=120179
+
+        Reviewed by Geoffrey Garen.
+
+        There are many places in the code for JSObject and JSArray where they are manipulating their 
+        Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
+        these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
+        like it will make this dance even more intricate. To make everybody's lives easier we should use 
+        the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
+        code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
+        should not incur any additional overhead.
+
+        * heap/Heap.h:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::unshiftCountSlowCase):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
+        (JSC::JSObject::createInitialUndecided):
+        (JSC::JSObject::createInitialInt32):
+        (JSC::JSObject::createInitialDouble):
+        (JSC::JSObject::createInitialContiguous):
+        (JSC::JSObject::createArrayStorage):
+        (JSC::JSObject::convertUndecidedToArrayStorage):
+        (JSC::JSObject::convertInt32ToArrayStorage):
+        (JSC::JSObject::convertDoubleToArrayStorage):
+        (JSC::JSObject::convertContiguousToArrayStorage):
+        (JSC::JSObject::increaseVectorLength):
+        (JSC::JSObject::ensureLengthSlow):
+        * runtime/JSObject.h:
+        (JSC::JSObject::putDirectInternal):
+        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
+        (JSC::JSObject::putDirectWithoutTransition):
+
+2013-08-22  Filip Pizlo  <fpizlo@apple.com>
+
+        Update LLVM binary drops and scripts to the latest version from SVN
+        https://bugs.webkit.org/show_bug.cgi?id=120184
+
+        Reviewed by Mark Hahnenberg.
+
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::compileInThreadImpl):
+
+2013-08-22  Gavin Barraclough  <barraclough@apple.com>
+
+        Don't leak registers for redeclared variables
+        https://bugs.webkit.org/show_bug.cgi?id=120174
+
+        Reviewed by Geoff Garen.
+
+        We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
+        Only allocate new registers when necessary.
+
+        No performance impact.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+        * runtime/Executable.cpp:
+        (JSC::ProgramExecutable::initializeGlobalProperties):
+            - Don't allocate the register here.
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::addGlobalVar):
+            - Allocate the register here instead.
+
+2013-08-22  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120128
+        Remove putDirectVirtual
+
+        Unreviewed, checked in commented out code. :-(
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+            - delete commented out code
+
+2013-08-22  Gavin Barraclough  <barraclough@apple.com>
+
+        Error.stack should not be enumerable
+        https://bugs.webkit.org/show_bug.cgi?id=120171
+
+        Reviewed by Oliver Hunt.
+
+        Breaks ECMA tests.
+
+        * runtime/ErrorInstance.cpp:
+        (JSC::ErrorInstance::finishCreation):
+            - None -> DontEnum
+
+2013-08-21  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120128
+        Remove putDirectVirtual
+
+        Reviewed by Sam Weinig.
+
+        This could most generously be described as 'vestigial'.
+        No performance impact.
+
+        * API/JSObjectRef.cpp:
+        (JSObjectSetProperty):
+            - changed to use defineOwnProperty
+        * debugger/DebuggerActivation.cpp:
+        * debugger/DebuggerActivation.h:
+            - remove putDirectVirtual
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+            - changed to use defineOwnProperty
+        * runtime/ClassInfo.h:
+        * runtime/JSActivation.cpp:
+        * runtime/JSActivation.h:
+        * runtime/JSCell.cpp:
+        * runtime/JSCell.h:
+        * runtime/JSGlobalObject.cpp:
+        * runtime/JSGlobalObject.h:
+        * runtime/JSObject.cpp:
+        * runtime/JSObject.h:
+        * runtime/JSProxy.cpp:
+        * runtime/JSProxy.h:
+        * runtime/JSSymbolTableObject.cpp:
+        * runtime/JSSymbolTableObject.h:
+            - remove putDirectVirtual
+        * runtime/PropertyDescriptor.h:
+        (JSC::PropertyDescriptor::PropertyDescriptor):
+            - added constructor for convenience
+
+2013-08-22  Chris Curtis  <chris_curtis@apple.com>
+
+        errorDescriptionForValue() should not assume error value is an Object
+        https://bugs.webkit.org/show_bug.cgi?id=119812
+
+        Reviewed by Geoffrey Garen.
+
+        Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
+        has no type, the function now returns the empty string. 
+        * runtime/ExceptionHelpers.cpp:
+        (JSC::errorDescriptionForValue):
+
+2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
+
+        Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
+        https://bugs.webkit.org/show_bug.cgi?id=120107
+
+        Reviewed by Yong Li.
+
+        EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
+
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+
+2013-08-21  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r154416.
+        http://trac.webkit.org/changeset/154416
+        https://bugs.webkit.org/show_bug.cgi?id=120147
+
+        Broke Windows builds (Requested by rniwa on #webkit).
+
+        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
+        * JavaScriptCore.vcxproj/build-generated-files.sh:
+
+2013-08-21  Gavin Barraclough  <barraclough@apple.com>
+
+        Clarify var/const/function declaration
+        https://bugs.webkit.org/show_bug.cgi?id=120144
+
+        Reviewed by Sam Weinig.
+
+        Add methods to JSGlobalObject to declare vars, consts, and functions.
+
+        * runtime/Executable.cpp:
+        (JSC::ProgramExecutable::initializeGlobalProperties):
+        * runtime/Executable.h:
+            - Moved declaration code to JSGlobalObject
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::addGlobalVar):
+            - internal implementation of addVar, addConst, addFunction
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::addVar):
+        (JSC::JSGlobalObject::addConst):
+        (JSC::JSGlobalObject::addFunction):
+            - Added methods to declare vars, consts, and functions
+
+2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=119900
+        Exception in global setter doesn't unwind correctly
+
+        Reviewed by Geoffrey Garen.
+
+        Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
+
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+
+2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Rename/refactor setButterfly/setStructure
+        https://bugs.webkit.org/show_bug.cgi?id=120138
+
+        Reviewed by Geoffrey Garen.
+
+        setButterfly becomes setStructureAndButterfly.
+
+        Also removed the Butterfly* argument from setStructure and just implicitly
+        used m_butterfly internally since that's what every single client of setStructure
+        was doing already.
+
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+        (JSC::JSObject::createInitialUndecided):
+        (JSC::JSObject::createInitialInt32):
+        (JSC::JSObject::createInitialDouble):
+        (JSC::JSObject::createInitialContiguous):
+        (JSC::JSObject::createArrayStorage):
+        (JSC::JSObject::convertUndecidedToInt32):
+        (JSC::JSObject::convertUndecidedToDouble):
+        (JSC::JSObject::convertUndecidedToContiguous):
+        (JSC::JSObject::convertUndecidedToArrayStorage):
+        (JSC::JSObject::convertInt32ToDouble):
+        (JSC::JSObject::convertInt32ToContiguous):
+        (JSC::JSObject::convertInt32ToArrayStorage):
+        (JSC::JSObject::genericConvertDoubleToContiguous):
+        (JSC::JSObject::convertDoubleToArrayStorage):
+        (JSC::JSObject::convertContiguousToArrayStorage):
+        (JSC::JSObject::switchToSlowPutArrayStorage):
+        (JSC::JSObject::setPrototype):
+        (JSC::JSObject::putDirectAccessor):
+        (JSC::JSObject::seal):
+        (JSC::JSObject::freeze):
+        (JSC::JSObject::preventExtensions):
+        (JSC::JSObject::reifyStaticFunctionsForDelete):
+        (JSC::JSObject::removeDirect):
+        * runtime/JSObject.h:
+        (JSC::JSObject::setStructureAndButterfly):
+        (JSC::JSObject::setStructure):
+        (JSC::JSObject::putDirectInternal):
+        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
+        (JSC::JSObject::putDirectWithoutTransition):
+        * runtime/Structure.cpp:
+        (JSC::Structure::flattenDictionaryStructure):
+
+2013-08-21  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120127
+        Remove JSObject::propertyIsEnumerable
+
+        Unreviewed typo fix
+
+        * runtime/JSObject.h:
+            - fix typo
+
+2013-08-21  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120139
+        PropertyDescriptor argument to define methods should be const
+
+        Rubber stamped by Sam Weinig.
+
+        This should never be modified, and this way we can use rvalues.
+
+        * debugger/DebuggerActivation.cpp:
+        (JSC::DebuggerActivation::defineOwnProperty):
+        * debugger/DebuggerActivation.h:
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::defineOwnProperty):
+        * runtime/Arguments.h:
+        * runtime/ClassInfo.h:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::defineOwnProperty):
+        * runtime/JSArray.h:
+        * runtime/JSArrayBuffer.cpp:
+        (JSC::JSArrayBuffer::defineOwnProperty):
+        * runtime/JSArrayBuffer.h:
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::defineOwnProperty):
+        * runtime/JSArrayBufferView.h:
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::defineOwnProperty):
+        * runtime/JSCell.h:
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::defineOwnProperty):
+        * runtime/JSFunction.h:
+        * runtime/JSGenericTypedArrayView.h:
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::::defineOwnProperty):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::defineOwnProperty):
+        * runtime/JSGlobalObject.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putIndexedDescriptor):
+        (JSC::JSObject::defineOwnIndexedProperty):
+        (JSC::putDescriptor):
+        (JSC::JSObject::defineOwnNonIndexProperty):
+        (JSC::JSObject::defineOwnProperty):
+        * runtime/JSObject.h:
+        * runtime/JSProxy.cpp:
+        (JSC::JSProxy::defineOwnProperty):
+        * runtime/JSProxy.h:
+        * runtime/RegExpMatchesArray.h:
+        (JSC::RegExpMatchesArray::defineOwnProperty):
+        * runtime/RegExpObject.cpp:
+        (JSC::RegExpObject::defineOwnProperty):
+        * runtime/RegExpObject.h:
+        * runtime/StringObject.cpp:
+        (JSC::StringObject::defineOwnProperty):
+        * runtime/StringObject.h:
+            - make PropertyDescriptor const
+
+2013-08-21  Filip Pizlo  <fpizlo@apple.com>
+
+        REGRESSION: Crash under JITCompiler::link while loading Gmail
+        https://bugs.webkit.org/show_bug.cgi?id=119872
+
+        Reviewed by Mark Hahnenberg.
+        
+        Apparently, unsigned + signed = unsigned. Work around it with a cast.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+
+2013-08-21  Alex Christensen  <achristensen@apple.com>
+
+        <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
+
+        Reviewed by Brent Fulgham.
+
+        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
+        Pass PlatformArchitecture as a command line parameter to bash scripts.
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
+        * JavaScriptCore.vcxproj/build-generated-files.sh:
+        Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
+
+2013-08-21  Filip Pizlo  <fpizlo@apple.com>
+
+        Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
+        https://bugs.webkit.org/show_bug.cgi?id=120099
+
+        Reviewed by Mark Hahnenberg.
+        
+        JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
+        JSDataView may have ordinary JS indexed properties.
+
+        * runtime/ClassInfo.h:
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+        (JSC::JSArrayBufferView::finishCreation):
+        * runtime/JSArrayBufferView.h:
+        (JSC::hasArrayBuffer):
+        * runtime/JSArrayBufferViewInlines.h:
+        (JSC::JSArrayBufferView::buffer):
+        (JSC::JSArrayBufferView::neuter):
+        (JSC::JSArrayBufferView::byteOffset):
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::slowDownAndWasteMemory):
+        * runtime/JSCell.h:
+        * runtime/JSDataView.cpp:
+        (JSC::JSDataView::JSDataView):
+        (JSC::JSDataView::create):
+        (JSC::JSDataView::slowDownAndWasteMemory):
+        * runtime/JSDataView.h:
+        (JSC::JSDataView::buffer):
+        * runtime/JSGenericTypedArrayView.h:
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::::visitChildren):
+        (JSC::::slowDownAndWasteMemory):
+
+2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Remove incorrect ASSERT from CopyVisitor::visitItem
+
+        Rubber stamped by Filip Pizlo.
+
+        * heap/CopyVisitorInlines.h:
+        (JSC::CopyVisitor::visitItem):
+
+2013-08-21  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120127
+        Remove JSObject::propertyIsEnumerable
+
+        Reviewed by Sam Weinig.
+
+        This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
+
+        * runtime/JSObject.cpp:
+        * runtime/JSObject.h:
+            - remove propertyIsEnumerable
+        * runtime/ObjectPrototype.cpp:
+        (JSC::objectProtoFuncPropertyIsEnumerable):
+            - Move implementation here using getOwnPropertyDescriptor directly.
+
+2013-08-20  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should inline new typedArray()
+        https://bugs.webkit.org/show_bug.cgi?id=120022
+
+        Reviewed by Oliver Hunt.
+        
+        Adds inlining of typed array allocations in the DFG. Any operation of the
+        form:
+        
+            new foo(blah)
+        
+        or:
+        
+            foo(blah)
+        
+        where 'foo' is a typed array constructor and 'blah' is exactly one argument,
+        is turned into the NewTypedArray intrinsic. Later, of child1 (i.e. 'blah')
+        is predicted integer, we generate inline code for an allocation. Otherwise
+        it turns into a call to an operation that behaves like the constructor would
+        if it was passed one argument (i.e. it may wrap a buffer or it may create a
+        copy or another array, or it may allocate an array of that length).
+
+        * bytecode/SpeculatedType.cpp:
+        (JSC::speculationFromTypedArrayType):
+        (JSC::speculationFromClassInfo):
+        * bytecode/SpeculatedType.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::::executeEffects):
+        * dfg/DFGBackwardsPropagationPhase.cpp:
+        (JSC::DFG::BackwardsPropagationPhase::propagate):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+        * dfg/DFGCCallHelpers.h:
+        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::putStructureStoreElimination):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::dump):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasTypedArrayType):
+        (JSC::DFG::Node::typedArrayType):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::newTypedArrayWithSize):
+        (JSC::DFG::newTypedArrayWithOneArgument):
+        * dfg/DFGOperations.h:
+        (JSC::DFG::operationNewTypedArrayWithSizeForType):
+        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_new_object):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_new_object):
+        * runtime/JSArray.h:
+        (JSC::JSArray::allocationSize):
+        * runtime/JSArrayBufferView.h:
+        (JSC::JSArrayBufferView::allocationSize):
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructGenericTypedArrayView):
+        * runtime/JSObject.h:
+        (JSC::JSFinalObject::allocationSize):
+        * runtime/TypedArrayType.cpp:
+        (JSC::constructorClassInfoForType):
+        * runtime/TypedArrayType.h:
+        (JSC::indexToTypedArrayType):
+
+2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
+
+        <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
+
+        Reviewed by Geoffrey Garen.
+
+        * dfg/DFGOperations.h:
+
+2013-08-20  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120093
+        Remove getOwnPropertyDescriptor trap
+
+        Reviewed by Geoff Garen.
+
+        All implementations of this method are now called via the method table, and equivalent in behaviour.
+        Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
+
+        * API/JSCallbackObject.h:
+        * API/JSCallbackObjectFunctions.h:
+        * debugger/DebuggerActivation.cpp:
+        * debugger/DebuggerActivation.h:
+        * runtime/Arguments.cpp:
+        * runtime/Arguments.h:
+        * runtime/ArrayConstructor.cpp:
+        * runtime/ArrayConstructor.h:
+        * runtime/ArrayPrototype.cpp:
+        * runtime/ArrayPrototype.h:
+        * runtime/BooleanPrototype.cpp:
+        * runtime/BooleanPrototype.h:
+            - remove getOwnPropertyDescriptor
+        * runtime/ClassInfo.h:
+            - remove getOwnPropertyDescriptor from MethodTable
+        * runtime/DateConstructor.cpp:
+        * runtime/DateConstructor.h:
+        * runtime/DatePrototype.cpp:
+        * runtime/DatePrototype.h:
+        * runtime/ErrorPrototype.cpp:
+        * runtime/ErrorPrototype.h:
+        * runtime/JSActivation.cpp:
+        * runtime/JSActivation.h:
+        * runtime/JSArray.cpp:
+        * runtime/JSArray.h:
+        * runtime/JSArrayBuffer.cpp:
+        * runtime/JSArrayBuffer.h:
+        * runtime/JSArrayBufferView.cpp:
+        * runtime/JSArrayBufferView.h:
+        * runtime/JSCell.cpp:
+        * runtime/JSCell.h:
+        * runtime/JSDataView.cpp:
+        * runtime/JSDataView.h:
+        * runtime/JSDataViewPrototype.cpp:
+        * runtime/JSDataViewPrototype.h:
+        * runtime/JSFunction.cpp:
+        * runtime/JSFunction.h:
+        * runtime/JSGenericTypedArrayView.h:
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        * runtime/JSGlobalObject.cpp:
+        * runtime/JSGlobalObject.h:
+        * runtime/JSNotAnObject.cpp:
+        * runtime/JSNotAnObject.h:
+        * runtime/JSONObject.cpp:
+        * runtime/JSONObject.h:
+            - remove getOwnPropertyDescriptor
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::propertyIsEnumerable):
+            - switch to call new getOwnPropertyDescriptor member function
+        (JSC::JSObject::getOwnPropertyDescriptor):
+            - new, based on imlementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
+        (JSC::JSObject::defineOwnNonIndexProperty):
+            - switch to call new getOwnPropertyDescriptor member function
+        * runtime/JSObject.h:
+        * runtime/JSProxy.cpp:
+        * runtime/JSProxy.h:
+        * runtime/NamePrototype.cpp:
+        * runtime/NamePrototype.h:
+        * runtime/NumberConstructor.cpp:
+        * runtime/NumberConstructor.h:
+        * runtime/NumberPrototype.cpp:
+        * runtime/NumberPrototype.h:
+            - remove getOwnPropertyDescriptor
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorGetOwnPropertyDescriptor):
+        (JSC::objectConstructorSeal):
+        (JSC::objectConstructorFreeze):
+        (JSC::objectConstructorIsSealed):
+        (JSC::objectConstructorIsFrozen):
+            - switch to call new getOwnPropertyDescriptor member function
+        * runtime/ObjectConstructor.h:
+            - remove getOwnPropertyDescriptor
+        * runtime/PropertyDescriptor.h:
+            - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
+        * runtime/RegExpConstructor.cpp:
+        * runtime/RegExpConstructor.h:
+        * runtime/RegExpMatchesArray.cpp:
+        * runtime/RegExpMatchesArray.h:
+        * runtime/RegExpObject.cpp:
+        * runtime/RegExpObject.h:
+        * runtime/RegExpPrototype.cpp:
+        * runtime/RegExpPrototype.h:
+        * runtime/StringConstructor.cpp:
+        * runtime/StringConstructor.h:
+        * runtime/StringObject.cpp:
+        * runtime/StringObject.h:
+            - remove getOwnPropertyDescriptor
+
+2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
+
+        Reviewed by Oliver Hunt.
+
+        When we flatten an object in dictionary mode, we compact its properties. If the object 
+        had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
+        compaction its properties fit inline, the object's Structure "forgets" that the object 
+        has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
+        with bytes = 0, which causes all sorts of badness in CopiedSpace.
+
+        Instead, after we flatten a dictionary, if properties fit inline we should clear the 
+        Butterfly pointer so that the GC doesn't get confused later.
+
+        This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
+        JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
+        agrees with the whether or not the object has a Butterfly. Also added an ASSERT to check
+        that the number of bytes reported to SlotVisitor::copyLater is non-zero.
+
+        * heap/SlotVisitorInlines.h:
+        (JSC::SlotVisitor::copyLater):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+        (JSC::JSObject::convertUndecidedToInt32):
+        (JSC::JSObject::convertUndecidedToDouble):
+        (JSC::JSObject::convertUndecidedToContiguous):
+        (JSC::JSObject::convertInt32ToDouble):
+        (JSC::JSObject::convertInt32ToContiguous):
+        (JSC::JSObject::genericConvertDoubleToContiguous):
+        (JSC::JSObject::switchToSlowPutArrayStorage):
+        (JSC::JSObject::setPrototype):
+        (JSC::JSObject::putDirectAccessor):
+        (JSC::JSObject::seal):
+        (JSC::JSObject::freeze):
+        (JSC::JSObject::preventExtensions):
+        (JSC::JSObject::reifyStaticFunctionsForDelete):
+        (JSC::JSObject::removeDirect):
+        * runtime/JSObject.h:
+        (JSC::JSObject::setButterfly):
+        (JSC::JSObject::putDirectInternal):
+        (JSC::JSObject::setStructure):
+        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
+        * runtime/Structure.cpp:
+        (JSC::Structure::flattenDictionaryStructure):
+
+2013-08-20  Alex Christensen  <achristensen@apple.com>
+
+        Compile fix for Win64 after r154156.
+
+        Rubber stamped by Oliver Hunt.
+
+        * jit/JITStubsMSVC64.asm:
+        Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
+        cti_vm_throw_slowpath to cti_vm_handle_exception.
+
+2013-08-20  Alex Christensen  <achristensen@apple.com>
+
+        <https://webkit.org/b/120076> More work towards a Win64 build
+
+        Reviewed by Brent Fulgham.
+
+        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
+        * JavaScriptCore.vcxproj/copy-files.cmd:
+        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
+        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
+        Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
+
+2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
+
+        Reviewed by Geoffrey Garen.
+
+        More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
+        initializeLazyWriteBarrierFor* wrapper functions more sane. 
+
+        Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
+        and index when triggering the WriteBarrier at the end of compilation. 
+
+        The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
+        in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
+        little extra work that really shouldn't have been its responsibility.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::addConstant):
+        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+        * dfg/DFGDesiredWriteBarriers.cpp:
+        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
+        (JSC::DFG::DesiredWriteBarrier::trigger):
+        * dfg/DFGDesiredWriteBarriers.h:
+        (JSC::DFG::DesiredWriteBarriers::add):
+        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
+        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
+        (JSC::DFG::initializeLazyWriteBarrierForConstant):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::truncateConstantToInt32):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::constantRegisterForConstant):
+
+2013-08-20  Michael Saboff  <msaboff@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120075
+        REGRESSION (r128400): BBC4 website not displaying pictures
+
+        Reviewed by Oliver Hunt.
+
+        * runtime/RegExpMatchesArray.h:
+        (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
+        so that the match results will be reified before any other modification to the results array.
+
+2013-08-19  Filip Pizlo  <fpizlo@apple.com>
+
+        Incorrect behavior on emscripten-compiled cube2hash
+        https://bugs.webkit.org/show_bug.cgi?id=120033
+
+        Reviewed by Mark Hahnenberg.
+        
+        If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
+        then we should bail attempts to CSE.
+
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
+        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
+
+2013-08-20  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120073
+        Remove use of GOPD from JSFunction::defineProperty
+
+        Reviewed by Oliver Hunt.
+
+        Call getOwnPropertySlot to check for existing properties instead.
+
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::defineOwnProperty):
+            - getOwnPropertyDescriptor -> getOwnPropertySlot
+
+2013-08-20  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120067
+        Remove getPropertyDescriptor
+
+        Reviewed by Oliver Hunt.
+
+        This is used by lookupGetter/lookupSetter - this can easily bee replaced by getPropertySlot.
+        Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
+
+        * runtime/JSObject.cpp:
+        * runtime/JSObject.h:
+            - remove getPropertyDescriptor
+        * runtime/ObjectPrototype.cpp:
+        (JSC::objectProtoFuncLookupGetter):
+        (JSC::objectProtoFuncLookupSetter):
+            - replace call to getPropertyDescriptor with getPropertySlot
+        * runtime/PropertyDescriptor.h:
+        * runtime/PropertySlot.h:
+        (JSC::PropertySlot::isAccessor):
+        (JSC::PropertySlot::isCacheableGetter):
+        (JSC::PropertySlot::getterSetter):
+            - rename isGetter() to isAccessor()
+
+2013-08-20  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120054
+        Remove some dead code following getOwnPropertyDescriptor cleanup
+
+        Reviewed by Oliver Hunt.
+
+        * runtime/Lookup.h:
+        (JSC::getStaticFunctionSlot):
+            - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
+
+2013-08-20  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120052
+        Remove custom getOwnPropertyDescriptor for JSProxy
+
+        Reviewed by Geoff Garen.
+
+        GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
+        Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
+        object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
+        assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
+        the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
+
+        * runtime/JSProxy.cpp:
+            - Remove custom getOwnPropertyDescriptor implementation.
+        * runtime/PropertyDescriptor.h:
+            - Modify own property access check to perform toThis conversion.
+
+2013-08-20  Alex Christensen  <achristensen@apple.com>
+
+        Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
+        https://bugs.webkit.org/show_bug.cgi?id=119512
+
+        Reviewed by Brent Fulgham.
+
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
+        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
+        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
+        Replaced obj32, bin32, and lib32 with macros for 64-bit build.
+
+2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
+
+        <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
+
+        Reviewed by Allan Sandfeld Jensen.
+
+        branchPtrWithPatch() of baseline JIT must ensure that space is available for its
+        instructions and two constants now DFG is enabled for sh4 architecture.
+        These missing ensureSpace calls lead to random crashes.
+
+        * assembler/MacroAssemblerSH4.h:
+        (JSC::MacroAssemblerSH4::branchPtrWithPatch):
+
+2013-08-19  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120034
+        Remove custom getOwnPropertyDescriptor for global objects
+
+        Reviewed by Geoff Garen.
+
+        Fix attributes of JSC SynbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
+
+        * runtime/JSGlobalObject.cpp:
+            - Remove custom getOwnPropertyDescriptor implementation.
+        * runtime/JSSymbolTableObject.h:
+        (JSC::symbolTableGet):
+            - The symbol table does not store the DontDelete attribute, we should be adding it back in.
+        * runtime/PropertyDescriptor.h:
+            - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
+        * runtime/PropertySlot.h:
+        (JSC::PropertySlot::setUndefined):
+            - This is used by WebCore when blocking access to properties on cross-frame access.
+              Mark blocked properties as read-only, non-configurable to prevent defineProperty.
+
+2013-08-17  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should inline typedArray.byteOffset
+        https://bugs.webkit.org/show_bug.cgi?id=119962
+
+        Reviewed by Oliver Hunt.
+        
+        This adds a new node, GetTypedArrayByteOffset, which inlines
+        typedArray.byteOffset.
+        
+        Also, I improved a bunch of the clobbering logic related to typed arrays
+        and clobbering in general. For example, PutByOffset/PutStructure are not
+        clobber-world so they can be handled by most default cases in CSE. Also,
+        It's better to use the 'Class_field' notation for typed arrays now that
+        they no longer involve magical descriptor thingies.
+
+        * bytecode/SpeculatedType.h:
+        * dfg/DFGAbstractHeap.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::::executeEffects):
+        * dfg/DFGArrayMode.h:
+        (JSC::DFG::neverNeedsStorage):
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::getByValLoadElimination):
+        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
+        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
+        (JSC::DFG::CSEPhase::checkArrayElimination):
+        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
+        (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
+        (JSC::DFG::CSEPhase::performNodeCSE):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
+        (JSC::DFG::FixupPhase::convertToGetArrayLength):
+        (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGTypeCheckHoistingPhase.cpp:
+        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
+        * runtime/ArrayBuffer.h:
+        (JSC::ArrayBuffer::offsetOfData):
+        * runtime/Butterfly.h:
+        (JSC::Butterfly::offsetOfArrayBuffer):
+        * runtime/IndexingHeader.h:
+        (JSC::IndexingHeader::offsetOfArrayBuffer):
+
+2013-08-18  Filip Pizlo  <fpizlo@apple.com>
+
+        <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
+
+        Reviewed by Geoffrey Garen.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+
+2013-08-18  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=119995
+        Start removing custom implementations of getOwnPropertyDescriptor
+
+        Reviewed by Oliver Hunt.
+
+        This can now typically implemented in terms of getOwnPropertySlot.
+        Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
+        Switch over most classes in JSC & the WebCore bindings generator to use this.
+
+        * API/JSCallbackObjectFunctions.h:
+        * debugger/DebuggerActivation.cpp:
+        * runtime/Arguments.cpp:
+        * runtime/ArrayConstructor.cpp:
+        * runtime/ArrayPrototype.cpp:
+        * runtime/BooleanPrototype.cpp:
+        * runtime/DateConstructor.cpp:
+        * runtime/DatePrototype.cpp:
+        * runtime/ErrorPrototype.cpp:
+        * runtime/JSActivation.cpp:
+        * runtime/JSArray.cpp:
+        * runtime/JSArrayBuffer.cpp:
+        * runtime/JSArrayBufferView.cpp:
+        * runtime/JSCell.cpp:
+        * runtime/JSDataView.cpp:
+        * runtime/JSDataViewPrototype.cpp:
+        * runtime/JSFunction.cpp:
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        * runtime/JSNotAnObject.cpp:
+        * runtime/JSONObject.cpp:
+        * runtime/JSObject.cpp:
+        * runtime/NamePrototype.cpp:
+        * runtime/NumberConstructor.cpp:
+        * runtime/NumberPrototype.cpp:
+        * runtime/ObjectConstructor.cpp:
+            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
+        * runtime/PropertyDescriptor.h:
+            - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
+        * runtime/PropertySlot.h:
+        (JSC::PropertySlot::isValue):
+        (JSC::PropertySlot::isGetter):
+        (JSC::PropertySlot::isCustom):
+        (JSC::PropertySlot::isCacheableValue):
+        (JSC::PropertySlot::isCacheableGetter):
+        (JSC::PropertySlot::isCacheableCustom):
+        (JSC::PropertySlot::attributes):
+        (JSC::PropertySlot::getterSetter):
+            - Add accessors necessary to convert PropertySlot to descriptor.
+        * runtime/RegExpConstructor.cpp:
+        * runtime/RegExpMatchesArray.cpp:
+        * runtime/RegExpMatchesArray.h:
+        * runtime/RegExpObject.cpp:
+        * runtime/RegExpPrototype.cpp:
+        * runtime/StringConstructor.cpp:
+        * runtime/StringObject.cpp:
+            - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
+
+2013-08-19  Michael Saboff  <msaboff@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
+
+        Reviewed by Sam Weinig.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
+        DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
+        all versions of fillSpeculateBoolean().
+
+2013-08-19  Michael Saboff  <msaboff@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
+
+        Reviewed by Benjamin Poulain.
+
+        Change branshTest32 to only use the byte for 8 bit test on the lower 4 registers.
+        Registers 4 through 7 as byte regisers are ah, ch, dh and bh instead of sp, bp, si and di.
+
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86Common::branchTest32):
+
+2013-08-16  Oliver Hunt  <oliver@apple.com>
+
+        <https://webkit.org/b/119860> Crash during exception unwinding
+
+        Reviewed by Filip Pizlo.
+
+        Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
+        to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
+
+        We need this so that Throw and ThrowReferenceError no longer need to be treated as
+        terminals and the subsequent flush keeps the activation (and other registers) live.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::isTerminal):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2013-08-19  Víctor Manuel Jáquez Leal  <vjaquez@igalia.com>
+
+        <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
+
+        Reviewed by Oliver Hunt.
+
+        Guard the compilation of these files only if DFG_JIT is enabled.
+
+        * dfg/DFGDesiredTransitions.cpp:
+        * dfg/DFGDesiredTransitions.h:
+        * dfg/DFGDesiredWeakReferences.cpp:
+        * dfg/DFGDesiredWeakReferences.h:
+        * dfg/DFGDesiredWriteBarriers.cpp:
+        * dfg/DFGDesiredWriteBarriers.h:
+
+2013-08-17  Filip Pizlo  <fpizlo@apple.com>
+
+        REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
+        https://bugs.webkit.org/show_bug.cgi?id=119961
+
+        Reviewed by Mark Hahnenberg.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
+2013-08-18  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=119972
+        Add attributes field to PropertySlot
+
+        Reviewed by Geoff Garen.
+
+        For all JSC types, this makes getOwnPropertyDescriptor redundant.
+        There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
+        (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
+
+        No performance impact.
+
+        * runtime/PropertySlot.h:
+        (JSC::PropertySlot::setValue):
+        (JSC::PropertySlot::setCustom):
+        (JSC::PropertySlot::setCacheableCustom):
+        (JSC::PropertySlot::setCustomIndex):
+        (JSC::PropertySlot::setGetterSlot):
+        (JSC::PropertySlot::setCacheableGetterSlot):
+            - These mathods now all require 'attributes'.
+        * runtime/JSObject.h:
+        (JSC::JSObject::getDirect):
+        (JSC::JSObject::getDirectOffset):
+        (JSC::JSObject::inlineGetOwnPropertySlot):
+            - Added variants of getDirect, getDirectOffset that return the attributes.
+        * API/JSCallbackObjectFunctions.h:
+        (JSC::::getOwnPropertySlot):
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::getOwnPropertySlotByIndex):
+        (JSC::Arguments::getOwnPropertySlot):
+        * runtime/JSActivation.cpp:
+        (JSC::JSActivation::symbolTableGet):
+        (JSC::JSActivation::getOwnPropertySlot):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::getOwnPropertySlot):
+        * runtime/JSArrayBuffer.cpp:
+        (JSC::JSArrayBuffer::getOwnPropertySlot):
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::getOwnPropertySlot):
+        * runtime/JSDataView.cpp:
+        (JSC::JSDataView::getOwnPropertySlot):
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::getOwnPropertySlot):
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::::getOwnPropertySlot):
+        (JSC::::getOwnPropertySlotByIndex):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::getOwnPropertySlotByIndex):
+        (JSC::JSObject::fillGetterPropertySlot):
+        * runtime/JSString.h:
+        (JSC::JSString::getStringPropertySlot):
+        * runtime/JSSymbolTableObject.h:
+        (JSC::symbolTableGet):
+        * runtime/Lookup.cpp:
+        (JSC::setUpStaticFunctionSlot):
+        * runtime/Lookup.h:
+        (JSC::getStaticPropertySlot):
+        (JSC::getStaticPropertyDescriptor):
+        (JSC::getStaticValueSlot):
+        (JSC::getStaticValueDescriptor):
+        * runtime/RegExpObject.cpp:
+        (JSC::RegExpObject::getOwnPropertySlot):
+        * runtime/SparseArrayValueMap.cpp:
+        (JSC::SparseArrayEntry::get):
+            - Pass attributes to PropertySlot::set* methods.
+
+2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
+
+        Reviewed by Filip Pizlo.
+
+        Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
+        Vector of WriteBarriers rather than the specific address. The fact that we were 
+        arbitrarily storing into a Vector's backing store for constants at the end of 
+        compilation after the Vector could have resized was causing crashes.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::constants):
+        (JSC::CodeBlock::addConstantLazily):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::addConstant):
+        * dfg/DFGDesiredWriteBarriers.cpp:
+        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
+        (JSC::DFG::DesiredWriteBarrier::trigger):
+        (JSC::DFG::initializeLazyWriteBarrierForConstant):
+        * dfg/DFGDesiredWriteBarriers.h:
+        (JSC::DFG::DesiredWriteBarriers::add):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::truncateConstantToInt32):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::constantRegisterForConstant):
+
+2013-08-16  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should optimize typedArray.byteLength
+        https://bugs.webkit.org/show_bug.cgi?id=119909
+
+        Reviewed by Oliver Hunt.
+        
+        This adds typedArray.byteLength inlining to the DFG, and does so without changing
+        the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
+        legal since the byteLength of a typed array cannot exceed
+        numeric_limits<int32_t>::max().
+
+        * bytecode/SpeculatedType.cpp:
+        (JSC::typedArrayTypeFromSpeculation):
+        * bytecode/SpeculatedType.h:
+        * dfg/DFGArrayMode.cpp:
+        (JSC::DFG::toArrayType):
+        * dfg/DFGArrayMode.h:
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
+        (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
+        (JSC::DFG::FixupPhase::convertToGetArrayLength):
+        (JSC::DFG::FixupPhase::prependGetArrayLength):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::constantRegisterForConstant):
+        (JSC::DFG::Graph::convertToConstant):
+        * runtime/TypedArrayType.h:
+        (JSC::logElementSize):
+        (JSC::elementSize):
+
+2013-08-16  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG optimizes out strict mode arguments tear off
+        https://bugs.webkit.org/show_bug.cgi?id=119504
+
+        Reviewed by Mark Hahnenberg and Oliver Hunt.
+        
+        Don't do the optimization for strict mode.
+
+        * dfg/DFGArgumentsSimplificationPhase.cpp:
+        (JSC::DFG::ArgumentsSimplificationPhase::run):
+        (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
+
+2013-08-16  Benjamin Poulain  <benjamin@webkit.org>
+
+        [JSC] x86: improve code generation for xxxTest32
+        https://bugs.webkit.org/show_bug.cgi?id=119876
+
+        Reviewed by Geoffrey Garen.
+
+        Try to use testb whenever possible when testing for an immediate value.
+
+        When the input is an address and an offset, we can tweak the mask
+        and offset to be able to generate testb for any byte of the mask.
+
+        When the input is a register, we can use testb if we are only interested
+        in testing the low bits.
+
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86Common::branchTest32):
+        (JSC::MacroAssemblerX86Common::test32):
+        (JSC::MacroAssemblerX86Common::generateTest32):
+
+2013-08-16  Mark Lam  <mark.lam@apple.com>
+
+        <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
+        error message that an object is not a constructor though it expects a function
+
+        Reviewed by Michael Saboff.
+
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+
+2013-08-16  Filip Pizlo  <fpizlo@apple.com>
+
+        Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
+        https://bugs.webkit.org/show_bug.cgi?id=119897
+
+        Reviewed by Oliver Hunt.
+        
+        6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
+        on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
+        to turn objects into dictionaries when you're storing using bracket syntax or using
+        eval is still in place.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::putByIdContext):
+        * dfg/DFGOperations.cpp:
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/JSObject.h:
+        (JSC::JSObject::putDirectInternal):
+        * runtime/PutPropertySlot.h:
+        (JSC::PutPropertySlot::PutPropertySlot):
+        (JSC::PutPropertySlot::context):
+        * runtime/Structure.cpp:
+        (JSC::Structure::addPropertyTransition):
+        * runtime/Structure.h:
+
+2013-08-16  Balazs Kilvady  <kilvadyb@homejinni.com>
+
+        <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
+
+        Reviewed by Allan Sandfeld Jensen.
+
+        ctiVMHandleException must jump/return using register ra (r31).
+
+        * jit/JITStubsMIPS.h:
+
+2013-08-16  Julien Brianceau  <jbrianceau@nds.com>
+
+        <https://webkit.org/b/119879> Fix sh4 build after r154156.
+
+        Reviewed by Allan Sandfeld Jensen.
+
+        Fix typo in JITStubsSH4.h file.
+
+        * jit/JITStubsSH4.h:
+
+2013-08-15  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
+
+        Reviewed by Oliver Hunt.
+
+        The concurrent compilation thread should interact minimally with the Heap, including not 
+        triggering WriteBarriers. This is a prerequisite for generational GC.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::addOrFindConstant):
+        (JSC::CodeBlock::findConstant):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::addConstantLazily):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
+        (JSC::DFG::ByteCodeParser::constantUndefined):
+        (JSC::DFG::ByteCodeParser::constantNull):
+        (JSC::DFG::ByteCodeParser::one):
+        (JSC::DFG::ByteCodeParser::constantNaN):
+        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+        * dfg/DFGCommonData.cpp:
+        (JSC::DFG::CommonData::notifyCompilingStructureTransition):
+        * dfg/DFGCommonData.h:
+        * dfg/DFGDesiredTransitions.cpp: Added.
+        (JSC::DFG::DesiredTransition::DesiredTransition):
+        (JSC::DFG::DesiredTransition::reallyAdd):
+        (JSC::DFG::DesiredTransitions::DesiredTransitions):
+        (JSC::DFG::DesiredTransitions::~DesiredTransitions):
+        (JSC::DFG::DesiredTransitions::addLazily):
+        (JSC::DFG::DesiredTransitions::reallyAdd):
+        * dfg/DFGDesiredTransitions.h: Added.
+        * dfg/DFGDesiredWeakReferences.cpp: Added.
+        (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
+        (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
+        (JSC::DFG::DesiredWeakReferences::addLazily):
+        (JSC::DFG::DesiredWeakReferences::reallyAdd):
+        * dfg/DFGDesiredWeakReferences.h: Added.
+        * dfg/DFGDesiredWriteBarriers.cpp: Added.
+        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
+        (JSC::DFG::DesiredWriteBarrier::trigger):
+        (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
+        (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
+        (JSC::DFG::DesiredWriteBarriers::addImpl):
+        (JSC::DFG::DesiredWriteBarriers::trigger):
+        * dfg/DFGDesiredWriteBarriers.h: Added.
+        (JSC::DFG::DesiredWriteBarriers::add):
+        (JSC::DFG::initializeLazyWriteBarrier):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::truncateConstantToInt32):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::convertToConstant):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::addWeakReference):
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::Plan):
+        (JSC::DFG::Plan::reallyAdd):
+        * dfg/DFGPlan.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * runtime/WriteBarrier.h:
+        (JSC::WriteBarrierBase::set):
+        (JSC::WriteBarrier::WriteBarrier):
+
+2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
+
+        Fix x86 32bits build after r154158
+
+        * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
+
+2013-08-15  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Build fix attempt after r154156.
+
+        * jit/JITStubs.cpp:
+        (JSC::cti_vm_handle_exception): encode!
+
+2013-08-15  Benjamin Poulain  <benjamin@webkit.org>
+
+        [JSC] x86: Use inc and dec when possible
+        https://bugs.webkit.org/show_bug.cgi?id=119831
+
+        Reviewed by Geoffrey Garen.
+
+        When incrementing or decrementing by an immediate of 1, use the insctructions
+        inc and dec instead of add and sub.
+        The instructions have good timing and their encoding is smaller.
+
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86_64::add32):
+        (JSC::MacroAssemblerX86_64::sub32):
+        * assembler/MacroAssemblerX86_64.h:
+        (JSC::MacroAssemblerX86_64::add64):
+        (JSC::MacroAssemblerX86_64::sub64):
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::dec_r):
+        (JSC::X86Assembler::decq_r):
+        (JSC::X86Assembler::inc_r):
+        (JSC::X86Assembler::incq_r):
+
+2013-08-15  Filip Pizlo  <fpizlo@apple.com>
+
+        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
+        https://bugs.webkit.org/show_bug.cgi?id=119874
+
+        Reviewed by Oliver Hunt and Mark Hahnenberg.
+        
+        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
+        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
+        sometimes for typed array length accesses, and the FixupPhase assuming that a
+        ForceExit ArrayMode means that it should continue using a generic GetById.
+
+        This fixes the confusion.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
+2013-08-15  Mark Lam  <mark.lam@apple.com>
+
+        Fix crash when performing activation tearoff.
+        https://bugs.webkit.org/show_bug.cgi?id=119848
+
+        Reviewed by Oliver Hunt.
+
+        The activation tearoff crash was due to a bug in the baseline JIT.
+        If we have a scenario where the a baseline JIT frame calls a LLINT
+        frame, an exception may be thrown while in the LLINT.
+
+        Interpreter::throwException() which handles the exception will unwind
+        all frames until it finds a catcher or sees a host frame. When we
+        return from the LLINT to the baseline JIT code, the baseline JIT code
+        errorneously sets topCallFrame to the value in its call frame register,
+        and starts unwinding the stack frames that have already been unwound.
+
+        The fix is:
+        1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
+           This is a more accurate description of what this runtime function
+           is supposed to do i.e. it handles the exception which include doing
+           nothing (if there are no more frames to unwind).
+        2. Fix up topCallFrame values so that the HostCallFrameFlag is never
+           set on it.
+        3. Reloading the call frame register from topCallFrame when we're
+           returning from a callee and detect exception handling in progress.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::unwindCallFrame):
+        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
+        (JSC::Interpreter::getStackTrace):
+        * interpreter/Interpreter.h:
+        (JSC::TopCallFrameSetter::TopCallFrameSetter):
+        (JSC::TopCallFrameSetter::~TopCallFrameSetter):
+        (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
+        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
+        * jit/JIT.h:
+        * jit/JITExceptions.cpp:
+        (JSC::uncaughtExceptionHandler):
+        - Convenience function to get the handler for uncaught exceptions.
+        * jit/JITExceptions.h:
+        * jit/JITInlines.h:
+        (JSC::JIT::reloadCallFrameFromTopCallFrame):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::privateCompileCTINativeCall):
+        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
+        * jit/JITStubs.cpp:
+        (JSC::throwExceptionFromOpCall):
+        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
+        (JSC::cti_vm_handle_exception):
+        - Check for the case when there are no more frames to unwind.
+        * jit/JITStubs.h:
+        * jit/JITStubsARM.h:
+        * jit/JITStubsARMv7.h:
+        * jit/JITStubsMIPS.h:
+        * jit/JITStubsSH4.h:
+        * jit/JITStubsX86.h:
+        * jit/JITStubsX86_64.h:
+        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
+        * jit/SlowPathCall.h:
+        (JSC::JITSlowPathCall::call):
+        - reload cfr from topcallFrame when handling an exception.
+        - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
+        * jit/ThunkGenerators.cpp:
+        (JSC::nativeForGenerator):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        - reload cfr from topcallFrame when handling an exception.
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        - Ensure that topCallFrame is not set with the HostCallFrameFlag.
+
+2013-08-15  Filip Pizlo  <fpizlo@apple.com>
+
+        Remove some code duplication.
+        
+        Rubber stamped by Mark Hahnenberg.
+
+        * runtime/JSDataViewPrototype.cpp:
+        (JSC::getData):
+        (JSC::setData):
+
+2013-08-15  Julien Brianceau  <jbrianceau@nds.com>
+
+        [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
+        https://bugs.webkit.org/show_bug.cgi?id=119794
+
+        Reviewed by Filip Pizlo.
+
+        This patch fixes ASSERTs failures in debug builds for sh4 and mips architecture.
+
+        * dfg/DFGUseKind.h:
+        (JSC::DFG::isNumerical):
+        (JSC::DFG::isDouble):
+
+2013-08-15  Filip Pizlo  <fpizlo@apple.com>
+
+        http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
+
+        Rubber stamped by Oliver Hunt.
+        
+        This was causing some test crashes for me.
+
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+
+2013-08-15  Brent Fulgham  <bfulgham@apple.com>
+
+        [Windows] Clear up improper export declaration.
+
+        * runtime/ArrayBufferView.h:
+
+2013-08-15  Filip Pizlo  <fpizlo@apple.com>
+
+        Unreviewed, remove some unnecessary periods from exceptions.
+
+        * runtime/JSDataViewPrototype.cpp:
+        (JSC::getData):
+        (JSC::setData):
+
+2013-08-15  Filip Pizlo  <fpizlo@apple.com>
+
+        Unreviewed, fix 32-bit build.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2013-08-14  Filip Pizlo  <fpizlo@apple.com>
+
+        Typed arrays should be rewritten
+        https://bugs.webkit.org/show_bug.cgi?id=119064
+
+        Reviewed by Oliver Hunt.
+        
+        Typed arrays were previously deficient in several major ways:
+        
+        - They were defined separately in WebCore and in the jsc shell. The two
+          implementations were different, and the jsc shell one was basically wrong.
+          The WebCore one was quite awful, also.
+        
+        - Typed arrays were not visible to the JIT except through some weird hooks.
+          For example, the JIT could not ask "what is the Structure that this typed
+          array would have if I just allocated it from this global object". Also,
+          it was difficult to wire any of the typed array intrinsics, because most
+          of the functionality wasn't visible anywhere in JSC.
+        
+        - Typed array allocation was brain-dead. Allocating a typed array involved
+          two JS objects, two GC weak handles, and three malloc allocations.
+        
+        - Neutering. It involved keeping tabs on all native views but not the view
+          wrappers, even though the native views can autoneuter just by asking the
+          buffer if it was neutered anytime you touch them; while the JS view
+          wrappers are the ones that you really want to reach out to.
+        
+        - Common case-ing. Most typed arrays have one buffer and one view, and
+          usually nobody touches the buffer. Yet we created all of that stuff
+          anyway, using data structures optimized for the case where you had a lot
+          of views.
+        
+        - Semantic goofs. Typed arrays should, in the future, behave like ES
+          features rather than DOM features, for example when it comes to exceptions.
+          Firefox already does this and I agree with them.
+        
+        This patch cleanses our codebase of these sins:
+        
+        - Typed arrays are almost entirely defined in JSC. Only the lifecycle
+          management of native references to buffers is left to WebCore.
+        
+        - Allocating a typed array requires either two GC allocations (a cell and a
+          copied storage vector) or one GC allocation, a malloc allocation, and a
+          weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
+          latter). The latter is only used for oversize arrays. Remember that before
+          it was 7 allocations no matter what.
+        
+        - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
+          mode/length, void* vector. Before it was a lot more than that - remember,
+          there were five additional objects that did absolutely nothing for anybody.
+        
+        - Native views aren't tracked by the buffer, or by the wrappers. They are
+          transient. In the future we'll probably switch to not even having them be
+          malloc'd.
+        
+        - Native array buffers have an efficient way of tracking all of their JS view
+          wrappers, both for neutering, and for lifecycle management. The GC
+          special-cases native array buffers. This saves a bunch of grief; for example
+          it means that a JS view wrapper can refer to its buffer via the butterfly,
+          which would be dead by the time we went to finalize.
+        
+        - Typed array semantics now match Firefox, which also happens to be where the
+          standards are going. The discussion on webkit-dev seemed to confirm that
+          Chrome is also heading in this direction. This includes making
+          Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
+          ArrayBufferView as a JS-visible construct.
+        
+        This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
+        It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
+        further typed array optimizations in the JSC JITs, including inlining typed
+        array allocation, inlining more of the accessors, reducing the cost of type
+        checks, etc.
+        
+        An additional property of this patch is that typed arrays are mostly
+        implemented using templates. This deduplicates a bunch of code, but does mean
+        that we need some hacks for exporting s_info's of template classes. See
+        JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
+        low-impact compared to code duplication.
+        
+        Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
+
+        * CMakeLists.txt:
+        * DerivedSources.make:
+        * GNUmakefile.list.am:
+        * JSCTypedArrayStubs.h: Removed.
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Target.pri:
+        * bytecode/ByValInfo.h:
+        (JSC::hasOptimizableIndexingForClassInfo):
+        (JSC::jitArrayModeForClassInfo):
+        (JSC::typedArrayTypeForJITArrayMode):
+        * bytecode/SpeculatedType.cpp:
+        (JSC::speculationFromClassInfo):
+        * dfg/DFGArrayMode.cpp:
+        (JSC::DFG::toTypedArrayType):
+        * dfg/DFGArrayMode.h:
+        (JSC::DFG::ArrayMode::typedArrayType):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::checkArray):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
+        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * heap/CopyToken.h:
+        * heap/DeferGC.h:
+        (JSC::DeferGCForAWhile::DeferGCForAWhile):
+        (JSC::DeferGCForAWhile::~DeferGCForAWhile):
+        * heap/GCIncomingRefCounted.h: Added.
+        (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
+        (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
+        (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
+        (JSC::GCIncomingRefCounted::incomingReferenceAt):
+        (JSC::GCIncomingRefCounted::singletonFlag):
+        (JSC::GCIncomingRefCounted::hasVectorOfCells):
+        (JSC::GCIncomingRefCounted::hasAnyIncoming):
+        (JSC::GCIncomingRefCounted::hasSingleton):
+        (JSC::GCIncomingRefCounted::singleton):
+        (JSC::GCIncomingRefCounted::vectorOfCells):
+        * heap/GCIncomingRefCountedInlines.h: Added.
+        (JSC::::addIncomingReference):
+        (JSC::::filterIncomingReferences):
+        * heap/GCIncomingRefCountedSet.h: Added.
+        (JSC::GCIncomingRefCountedSet::size):
+        * heap/GCIncomingRefCountedSetInlines.h: Added.
+        (JSC::::GCIncomingRefCountedSet):
+        (JSC::::~GCIncomingRefCountedSet):
+        (JSC::::addReference):
+        (JSC::::sweep):
+        (JSC::::removeAll):
+        (JSC::::removeDead):
+        * heap/Heap.cpp:
+        (JSC::Heap::addReference):
+        (JSC::Heap::extraSize):
+        (JSC::Heap::size):
+        (JSC::Heap::capacity):
+        (JSC::Heap::collect):
+        (JSC::Heap::decrementDeferralDepth):
+        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
+        * heap/Heap.h:
+        * interpreter/CallFrame.h:
+        (JSC::ExecState::dataViewTable):
+        * jit/JIT.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::privateCompileGetByVal):
+        (JSC::JIT::privateCompilePutByVal):
+        (JSC::JIT::emitIntTypedArrayGetByVal):
+        (JSC::JIT::emitFloatTypedArrayGetByVal):
+        (JSC::JIT::emitIntTypedArrayPutByVal):
+        (JSC::JIT::emitFloatTypedArrayPutByVal):
+        * jsc.cpp:
+        (GlobalObject::finishCreation):
+        * runtime/ArrayBuffer.cpp:
+        (JSC::ArrayBuffer::transfer):
+        * runtime/ArrayBuffer.h:
+        (JSC::ArrayBuffer::createAdopted):
+        (JSC::ArrayBuffer::ArrayBuffer):
+        (JSC::ArrayBuffer::gcSizeEstimateInBytes):
+        (JSC::ArrayBuffer::pin):
+        (JSC::ArrayBuffer::unpin):
+        (JSC::ArrayBufferContents::tryAllocate):
+        * runtime/ArrayBufferView.cpp:
+        (JSC::ArrayBufferView::ArrayBufferView):
+        (JSC::ArrayBufferView::~ArrayBufferView):
+        (JSC::ArrayBufferView::setNeuterable):
+        * runtime/ArrayBufferView.h:
+        (JSC::ArrayBufferView::isNeutered):
+        (JSC::ArrayBufferView::buffer):
+        (JSC::ArrayBufferView::baseAddress):
+        (JSC::ArrayBufferView::byteOffset):
+        (JSC::ArrayBufferView::verifySubRange):
+        (JSC::ArrayBufferView::clampOffsetAndNumElements):
+        (JSC::ArrayBufferView::calculateOffsetAndLength):
+        * runtime/ClassInfo.h:
+        * runtime/CommonIdentifiers.h:
+        * runtime/DataView.cpp: Added.
+        (JSC::DataView::DataView):
+        (JSC::DataView::create):
+        (JSC::DataView::wrap):
+        * runtime/DataView.h: Added.
+        (JSC::DataView::byteLength):
+        (JSC::DataView::getType):
+        (JSC::DataView::get):
+        (JSC::DataView::set):
+        * runtime/Float32Array.h:
+        * runtime/Float64Array.h:
+        * runtime/GenericTypedArrayView.h: Added.
+        (JSC::GenericTypedArrayView::data):
+        (JSC::GenericTypedArrayView::set):
+        (JSC::GenericTypedArrayView::setRange):
+        (JSC::GenericTypedArrayView::zeroRange):
+        (JSC::GenericTypedArrayView::zeroFill):
+        (JSC::GenericTypedArrayView::length):
+        (JSC::GenericTypedArrayView::byteLength):
+        (JSC::GenericTypedArrayView::item):
+        (JSC::GenericTypedArrayView::checkInboundData):
+        (JSC::GenericTypedArrayView::getType):
+        * runtime/GenericTypedArrayViewInlines.h: Added.
+        (JSC::::GenericTypedArrayView):
+        (JSC::::create):
+        (JSC::::createUninitialized):
+        (JSC::::subarray):
+        (JSC::::wrap):
+        * runtime/IndexingHeader.h:
+        (JSC::IndexingHeader::arrayBuffer):
+        (JSC::IndexingHeader::setArrayBuffer):
+        * runtime/Int16Array.h:
+        * runtime/Int32Array.h:
+        * runtime/Int8Array.h:
+        * runtime/JSArrayBuffer.cpp: Added.
+        (JSC::JSArrayBuffer::JSArrayBuffer):
+        (JSC::JSArrayBuffer::finishCreation):
+        (JSC::JSArrayBuffer::create):
+        (JSC::JSArrayBuffer::createStructure):
+        (JSC::JSArrayBuffer::getOwnPropertySlot):
+        (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
+        (JSC::JSArrayBuffer::put):
+        (JSC::JSArrayBuffer::defineOwnProperty):
+        (JSC::JSArrayBuffer::deleteProperty):
+        (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
+        * runtime/JSArrayBuffer.h: Added.
+        (JSC::JSArrayBuffer::impl):
+        (JSC::toArrayBuffer):
+        * runtime/JSArrayBufferConstructor.cpp: Added.
+        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
+        (JSC::JSArrayBufferConstructor::finishCreation):
+        (JSC::JSArrayBufferConstructor::create):
+        (JSC::JSArrayBufferConstructor::createStructure):
+        (JSC::constructArrayBuffer):
+        (JSC::JSArrayBufferConstructor::getConstructData):
+        (JSC::JSArrayBufferConstructor::getCallData):
+        * runtime/JSArrayBufferConstructor.h: Added.
+        * runtime/JSArrayBufferPrototype.cpp: Added.
+        (JSC::arrayBufferProtoFuncSlice):
+        (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
+        (JSC::JSArrayBufferPrototype::finishCreation):
+        (JSC::JSArrayBufferPrototype::create):
+        (JSC::JSArrayBufferPrototype::createStructure):
+        * runtime/JSArrayBufferPrototype.h: Added.
+        * runtime/JSArrayBufferView.cpp: Added.
+        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+        (JSC::JSArrayBufferView::JSArrayBufferView):
+        (JSC::JSArrayBufferView::finishCreation):
+        (JSC::JSArrayBufferView::getOwnPropertySlot):
+        (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
+        (JSC::JSArrayBufferView::put):
+        (JSC::JSArrayBufferView::defineOwnProperty):
+        (JSC::JSArrayBufferView::deleteProperty):
+        (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
+        (JSC::JSArrayBufferView::finalize):
+        * runtime/JSArrayBufferView.h: Added.
+        (JSC::JSArrayBufferView::sizeOf):
+        (JSC::JSArrayBufferView::ConstructionContext::operator!):
+        (JSC::JSArrayBufferView::ConstructionContext::structure):
+        (JSC::JSArrayBufferView::ConstructionContext::vector):
+        (JSC::JSArrayBufferView::ConstructionContext::length):
+        (JSC::JSArrayBufferView::ConstructionContext::mode):
+        (JSC::JSArrayBufferView::ConstructionContext::butterfly):
+        (JSC::JSArrayBufferView::mode):
+        (JSC::JSArrayBufferView::vector):
+        (JSC::JSArrayBufferView::length):
+        (JSC::JSArrayBufferView::offsetOfVector):
+        (JSC::JSArrayBufferView::offsetOfLength):
+        (JSC::JSArrayBufferView::offsetOfMode):
+        * runtime/JSArrayBufferViewInlines.h: Added.
+        (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
+        (JSC::JSArrayBufferView::buffer):
+        (JSC::JSArrayBufferView::impl):
+        (JSC::JSArrayBufferView::neuter):
+        (JSC::JSArrayBufferView::byteOffset):
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::slowDownAndWasteMemory):
+        (JSC::JSCell::getTypedArrayImpl):
+        * runtime/JSCell.h:
+        * runtime/JSDataView.cpp: Added.
+        (JSC::JSDataView::JSDataView):
+        (JSC::JSDataView::create):
+        (JSC::JSDataView::createUninitialized):
+        (JSC::JSDataView::set):
+        (JSC::JSDataView::typedImpl):
+        (JSC::JSDataView::getOwnPropertySlot):
+        (JSC::JSDataView::getOwnPropertyDescriptor):
+        (JSC::JSDataView::slowDownAndWasteMemory):
+        (JSC::JSDataView::getTypedArrayImpl):
+        (JSC::JSDataView::createStructure):
+        * runtime/JSDataView.h: Added.
+        * runtime/JSDataViewPrototype.cpp: Added.
+        (JSC::JSDataViewPrototype::JSDataViewPrototype):
+        (JSC::JSDataViewPrototype::create):
+        (JSC::JSDataViewPrototype::createStructure):
+        (JSC::JSDataViewPrototype::getOwnPropertySlot):
+        (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
+        (JSC::getData):
+        (JSC::setData):
+        (JSC::dataViewProtoFuncGetInt8):
+        (JSC::dataViewProtoFuncGetInt16):
+        (JSC::dataViewProtoFuncGetInt32):
+        (JSC::dataViewProtoFuncGetUint8):
+        (JSC::dataViewProtoFuncGetUint16):
+        (JSC::dataViewProtoFuncGetUint32):
+        (JSC::dataViewProtoFuncGetFloat32):
+        (JSC::dataViewProtoFuncGetFloat64):
+        (JSC::dataViewProtoFuncSetInt8):
+        (JSC::dataViewProtoFuncSetInt16):
+        (JSC::dataViewProtoFuncSetInt32):
+        (JSC::dataViewProtoFuncSetUint8):
+        (JSC::dataViewProtoFuncSetUint16):
+        (JSC::dataViewProtoFuncSetUint32):
+        (JSC::dataViewProtoFuncSetFloat32):
+        (JSC::dataViewProtoFuncSetFloat64):
+        * runtime/JSDataViewPrototype.h: Added.
+        * runtime/JSFloat32Array.h: Added.
+        * runtime/JSFloat64Array.h: Added.
+        * runtime/JSGenericTypedArrayView.h: Added.
+        (JSC::JSGenericTypedArrayView::byteLength):
+        (JSC::JSGenericTypedArrayView::byteSize):
+        (JSC::JSGenericTypedArrayView::typedVector):
+        (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
+        (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
+        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
+        (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
+        (JSC::JSGenericTypedArrayView::getIndexQuickly):
+        (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
+        (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
+        (JSC::JSGenericTypedArrayView::setIndexQuickly):
+        (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
+        (JSC::JSGenericTypedArrayView::typedImpl):
+        (JSC::JSGenericTypedArrayView::createStructure):
+        (JSC::JSGenericTypedArrayView::info):
+        (JSC::toNativeTypedView):
+        * runtime/JSGenericTypedArrayViewConstructor.h: Added.
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
+        (JSC::::JSGenericTypedArrayViewConstructor):
+        (JSC::::finishCreation):
+        (JSC::::create):
+        (JSC::::createStructure):
+        (JSC::constructGenericTypedArrayView):
+        (JSC::::getConstructData):
+        (JSC::::getCallData):
+        * runtime/JSGenericTypedArrayViewInlines.h: Added.
+        (JSC::::JSGenericTypedArrayView):
+        (JSC::::create):
+        (JSC::::createUninitialized):
+        (JSC::::validateRange):
+        (JSC::::setWithSpecificType):
+        (JSC::::set):
+        (JSC::::getOwnPropertySlot):
+        (JSC::::getOwnPropertyDescriptor):
+        (JSC::::put):
+        (JSC::::defineOwnProperty):
+        (JSC::::deleteProperty):
+        (JSC::::getOwnPropertySlotByIndex):
+        (JSC::::putByIndex):
+        (JSC::::deletePropertyByIndex):
+        (JSC::::getOwnNonIndexPropertyNames):
+        (JSC::::getOwnPropertyNames):
+        (JSC::::visitChildren):
+        (JSC::::copyBackingStore):
+        (JSC::::slowDownAndWasteMemory):
+        (JSC::::getTypedArrayImpl):
+        * runtime/JSGenericTypedArrayViewPrototype.h: Added.
+        * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
+        (JSC::genericTypedArrayViewProtoFuncSet):
+        (JSC::genericTypedArrayViewProtoFuncSubarray):
+        (JSC::::JSGenericTypedArrayViewPrototype):
+        (JSC::::finishCreation):
+        (JSC::::create):
+        (JSC::::createStructure):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::reset):
+        (JSC::JSGlobalObject::visitChildren):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::arrayBufferPrototype):
+        (JSC::JSGlobalObject::arrayBufferStructure):
+        (JSC::JSGlobalObject::typedArrayStructure):
+        * runtime/JSInt16Array.h: Added.
+        * runtime/JSInt32Array.h: Added.
+        * runtime/JSInt8Array.h: Added.
+        * runtime/JSTypedArrayConstructors.cpp: Added.
+        * runtime/JSTypedArrayConstructors.h: Added.
+        * runtime/JSTypedArrayPrototypes.cpp: Added.
+        * runtime/JSTypedArrayPrototypes.h: Added.
+        * runtime/JSTypedArrays.cpp: Added.
+        * runtime/JSTypedArrays.h: Added.
+        * runtime/JSUint16Array.h: Added.
+        * runtime/JSUint32Array.h: Added.
+        * runtime/JSUint8Array.h: Added.
+        * runtime/JSUint8ClampedArray.h: Added.
+        * runtime/Operations.h:
+        * runtime/Options.h:
+        * runtime/SimpleTypedArrayController.cpp: Added.
+        (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
+        (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
+        (JSC::SimpleTypedArrayController::toJS):
+        * runtime/SimpleTypedArrayController.h: Added.
+        * runtime/Structure.h:
+        (JSC::Structure::couldHaveIndexingHeader):
+        * runtime/StructureInlines.h:
+        (JSC::Structure::hasIndexingHeader):
+        * runtime/TypedArrayAdaptors.h: Added.
+        (JSC::IntegralTypedArrayAdaptor::toNative):
+        (JSC::IntegralTypedArrayAdaptor::toJSValue):
+        (JSC::IntegralTypedArrayAdaptor::toDouble):
+        (JSC::FloatTypedArrayAdaptor::toNative):
+        (JSC::FloatTypedArrayAdaptor::toJSValue):
+        (JSC::FloatTypedArrayAdaptor::toDouble):
+        (JSC::Uint8ClampedAdaptor::toNative):
+        (JSC::Uint8ClampedAdaptor::toJSValue):
+        (JSC::Uint8ClampedAdaptor::toDouble):
+        (JSC::Uint8ClampedAdaptor::clamp):
+        * runtime/TypedArrayController.cpp: Added.
+        (JSC::TypedArrayController::TypedArrayController):
+        (JSC::TypedArrayController::~TypedArrayController):
+        * runtime/TypedArrayController.h: Added.
+        * runtime/TypedArrayDescriptor.h: Removed.
+        * runtime/TypedArrayInlines.h: Added.
+        * runtime/TypedArrayType.cpp: Added.
+        (JSC::classInfoForType):
+        (WTF::printInternal):
+        * runtime/TypedArrayType.h: Added.
+        (JSC::toIndex):
+        (JSC::isTypedView):
+        (JSC::elementSize):
+        (JSC::isInt):
+        (JSC::isFloat):
+        (JSC::isSigned):
+        (JSC::isClamped):
+        * runtime/TypedArrays.h: Added.
+        * runtime/Uint16Array.h:
+        * runtime/Uint32Array.h:
+        * runtime/Uint8Array.h:
+        * runtime/Uint8ClampedArray.h:
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        (JSC::VM::~VM):
+        * runtime/VM.h:
+
 2013-08-15  Oliver Hunt  <oliver@apple.com>
 
         <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure