build-jsc --ftl-jit should work
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
index d66ba3d..2c8e1bc 100644 (file)
@@ -1,3 +1,852 @@
+2013-08-22  Filip Pizlo  <fpizlo@apple.com>
+
+        build-jsc --ftl-jit should work
+        https://bugs.webkit.org/show_bug.cgi?id=120194
+
+        Reviewed by Oliver Hunt.
+
+        * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
+        * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
+        * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
+        * ftl/FTLLowerDFGToLLVM.cpp: Build fix
+        (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
+        (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
+
+2013-08-23  Oliver Hunt  <oliver@apple.com>
+
+        Re-sort xcode project file
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2013-08-23  Oliver Hunt  <oliver@apple.com>
+
+        Support in memory compression of rarely used data
+        https://bugs.webkit.org/show_bug.cgi?id=120143
+
+        Reviewed by Gavin Barraclough.
+
+        Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector.  This saves ~200k on google maps.
+
+        * Configurations/JavaScriptCore.xcconfig:
+        * bytecode/UnlinkedCodeBlock.cpp:
+        (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
+        (JSC::UnlinkedCodeBlock::addExpressionInfo):
+        * bytecode/UnlinkedCodeBlock.h:
+
+2013-08-22  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        JSObject and JSArray code shouldn't have to tiptoe around garbage collection
+        https://bugs.webkit.org/show_bug.cgi?id=120179
+
+        Reviewed by Geoffrey Garen.
+
+        There are many places in the code for JSObject and JSArray where they are manipulating their 
+        Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within 
+        these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks 
+        like it will make this dance even more intricate. To make everybody's lives easier we should use 
+        the DeferGC mechanism in these functions to make these GC critical sections both obvious in the 
+        code and trivially safe. Deferring collections will usually only last marginally longer, thus we 
+        should not incur any additional overhead.
+
+        * heap/Heap.h:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::unshiftCountSlowCase):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
+        (JSC::JSObject::createInitialUndecided):
+        (JSC::JSObject::createInitialInt32):
+        (JSC::JSObject::createInitialDouble):
+        (JSC::JSObject::createInitialContiguous):
+        (JSC::JSObject::createArrayStorage):
+        (JSC::JSObject::convertUndecidedToArrayStorage):
+        (JSC::JSObject::convertInt32ToArrayStorage):
+        (JSC::JSObject::convertDoubleToArrayStorage):
+        (JSC::JSObject::convertContiguousToArrayStorage):
+        (JSC::JSObject::increaseVectorLength):
+        (JSC::JSObject::ensureLengthSlow):
+        * runtime/JSObject.h:
+        (JSC::JSObject::putDirectInternal):
+        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
+        (JSC::JSObject::putDirectWithoutTransition):
+
+2013-08-22  Filip Pizlo  <fpizlo@apple.com>
+
+        Update LLVM binary drops and scripts to the latest version from SVN
+        https://bugs.webkit.org/show_bug.cgi?id=120184
+
+        Reviewed by Mark Hahnenberg.
+
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::compileInThreadImpl):
+
+2013-08-22  Gavin Barraclough  <barraclough@apple.com>
+
+        Don't leak registers for redeclared variables
+        https://bugs.webkit.org/show_bug.cgi?id=120174
+
+        Reviewed by Geoff Garen.
+
+        We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
+        Only allocate new registers when necessary.
+
+        No performance impact.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+        * runtime/Executable.cpp:
+        (JSC::ProgramExecutable::initializeGlobalProperties):
+            - Don't allocate the register here.
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::addGlobalVar):
+            - Allocate the register here instead.
+
+2013-08-22  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120128
+        Remove putDirectVirtual
+
+        Unreviewed, checked in commented out code. :-(
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+            - delete commented out code
+
+2013-08-22  Gavin Barraclough  <barraclough@apple.com>
+
+        Error.stack should not be enumerable
+        https://bugs.webkit.org/show_bug.cgi?id=120171
+
+        Reviewed by Oliver Hunt.
+
+        Breaks ECMA tests.
+
+        * runtime/ErrorInstance.cpp:
+        (JSC::ErrorInstance::finishCreation):
+            - None -> DontEnum
+
+2013-08-21  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120128
+        Remove putDirectVirtual
+
+        Reviewed by Sam Weinig.
+
+        This could most generously be described as 'vestigial'.
+        No performance impact.
+
+        * API/JSObjectRef.cpp:
+        (JSObjectSetProperty):
+            - changed to use defineOwnProperty
+        * debugger/DebuggerActivation.cpp:
+        * debugger/DebuggerActivation.h:
+            - remove putDirectVirtual
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+            - changed to use defineOwnProperty
+        * runtime/ClassInfo.h:
+        * runtime/JSActivation.cpp:
+        * runtime/JSActivation.h:
+        * runtime/JSCell.cpp:
+        * runtime/JSCell.h:
+        * runtime/JSGlobalObject.cpp:
+        * runtime/JSGlobalObject.h:
+        * runtime/JSObject.cpp:
+        * runtime/JSObject.h:
+        * runtime/JSProxy.cpp:
+        * runtime/JSProxy.h:
+        * runtime/JSSymbolTableObject.cpp:
+        * runtime/JSSymbolTableObject.h:
+            - remove putDirectVirtual
+        * runtime/PropertyDescriptor.h:
+        (JSC::PropertyDescriptor::PropertyDescriptor):
+            - added constructor for convenience
+
+2013-08-22  Chris Curtis  <chris_curtis@apple.com>
+
+        errorDescriptionForValue() should not assume error value is an Object
+        https://bugs.webkit.org/show_bug.cgi?id=119812
+
+        Reviewed by Geoffrey Garen.
+
+        Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
+        has no type, the function now returns the empty string. 
+        * runtime/ExceptionHelpers.cpp:
+        (JSC::errorDescriptionForValue):
+
+2013-08-22  Julien Brianceau  <jbrianceau@nds.com>
+
+        Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
+        https://bugs.webkit.org/show_bug.cgi?id=120107
+
+        Reviewed by Yong Li.
+
+        EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
+
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+
+2013-08-21  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r154416.
+        http://trac.webkit.org/changeset/154416
+        https://bugs.webkit.org/show_bug.cgi?id=120147
+
+        Broke Windows builds (Requested by rniwa on #webkit).
+
+        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
+        * JavaScriptCore.vcxproj/build-generated-files.sh:
+
+2013-08-21  Gavin Barraclough  <barraclough@apple.com>
+
+        Clarify var/const/function declaration
+        https://bugs.webkit.org/show_bug.cgi?id=120144
+
+        Reviewed by Sam Weinig.
+
+        Add methods to JSGlobalObject to declare vars, consts, and functions.
+
+        * runtime/Executable.cpp:
+        (JSC::ProgramExecutable::initializeGlobalProperties):
+        * runtime/Executable.h:
+            - Moved declaration code to JSGlobalObject
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::addGlobalVar):
+            - internal implementation of addVar, addConst, addFunction
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::addVar):
+        (JSC::JSGlobalObject::addConst):
+        (JSC::JSGlobalObject::addFunction):
+            - Added methods to declare vars, consts, and functions
+
+2013-08-21  Yi Shen  <max.hong.shen@gmail.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=119900
+        Exception in global setter doesn't unwind correctly
+
+        Reviewed by Geoffrey Garen.
+
+        Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
+
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+
+2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Rename/refactor setButterfly/setStructure
+        https://bugs.webkit.org/show_bug.cgi?id=120138
+
+        Reviewed by Geoffrey Garen.
+
+        setButterfly becomes setStructureAndButterfly.
+
+        Also removed the Butterfly* argument from setStructure and just implicitly
+        used m_butterfly internally since that's what every single client of setStructure
+        was doing already.
+
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+        (JSC::JSObject::createInitialUndecided):
+        (JSC::JSObject::createInitialInt32):
+        (JSC::JSObject::createInitialDouble):
+        (JSC::JSObject::createInitialContiguous):
+        (JSC::JSObject::createArrayStorage):
+        (JSC::JSObject::convertUndecidedToInt32):
+        (JSC::JSObject::convertUndecidedToDouble):
+        (JSC::JSObject::convertUndecidedToContiguous):
+        (JSC::JSObject::convertUndecidedToArrayStorage):
+        (JSC::JSObject::convertInt32ToDouble):
+        (JSC::JSObject::convertInt32ToContiguous):
+        (JSC::JSObject::convertInt32ToArrayStorage):
+        (JSC::JSObject::genericConvertDoubleToContiguous):
+        (JSC::JSObject::convertDoubleToArrayStorage):
+        (JSC::JSObject::convertContiguousToArrayStorage):
+        (JSC::JSObject::switchToSlowPutArrayStorage):
+        (JSC::JSObject::setPrototype):
+        (JSC::JSObject::putDirectAccessor):
+        (JSC::JSObject::seal):
+        (JSC::JSObject::freeze):
+        (JSC::JSObject::preventExtensions):
+        (JSC::JSObject::reifyStaticFunctionsForDelete):
+        (JSC::JSObject::removeDirect):
+        * runtime/JSObject.h:
+        (JSC::JSObject::setStructureAndButterfly):
+        (JSC::JSObject::setStructure):
+        (JSC::JSObject::putDirectInternal):
+        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
+        (JSC::JSObject::putDirectWithoutTransition):
+        * runtime/Structure.cpp:
+        (JSC::Structure::flattenDictionaryStructure):
+
+2013-08-21  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120127
+        Remove JSObject::propertyIsEnumerable
+
+        Unreviewed typo fix
+
+        * runtime/JSObject.h:
+            - fix typo
+
+2013-08-21  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120139
+        PropertyDescriptor argument to define methods should be const
+
+        Rubber stamped by Sam Weinig.
+
+        This should never be modified, and this way we can use rvalues.
+
+        * debugger/DebuggerActivation.cpp:
+        (JSC::DebuggerActivation::defineOwnProperty):
+        * debugger/DebuggerActivation.h:
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::defineOwnProperty):
+        * runtime/Arguments.h:
+        * runtime/ClassInfo.h:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::defineOwnProperty):
+        * runtime/JSArray.h:
+        * runtime/JSArrayBuffer.cpp:
+        (JSC::JSArrayBuffer::defineOwnProperty):
+        * runtime/JSArrayBuffer.h:
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::defineOwnProperty):
+        * runtime/JSArrayBufferView.h:
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::defineOwnProperty):
+        * runtime/JSCell.h:
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::defineOwnProperty):
+        * runtime/JSFunction.h:
+        * runtime/JSGenericTypedArrayView.h:
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::::defineOwnProperty):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::defineOwnProperty):
+        * runtime/JSGlobalObject.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putIndexedDescriptor):
+        (JSC::JSObject::defineOwnIndexedProperty):
+        (JSC::putDescriptor):
+        (JSC::JSObject::defineOwnNonIndexProperty):
+        (JSC::JSObject::defineOwnProperty):
+        * runtime/JSObject.h:
+        * runtime/JSProxy.cpp:
+        (JSC::JSProxy::defineOwnProperty):
+        * runtime/JSProxy.h:
+        * runtime/RegExpMatchesArray.h:
+        (JSC::RegExpMatchesArray::defineOwnProperty):
+        * runtime/RegExpObject.cpp:
+        (JSC::RegExpObject::defineOwnProperty):
+        * runtime/RegExpObject.h:
+        * runtime/StringObject.cpp:
+        (JSC::StringObject::defineOwnProperty):
+        * runtime/StringObject.h:
+            - make PropertyDescriptor const
+
+2013-08-21  Filip Pizlo  <fpizlo@apple.com>
+
+        REGRESSION: Crash under JITCompiler::link while loading Gmail
+        https://bugs.webkit.org/show_bug.cgi?id=119872
+
+        Reviewed by Mark Hahnenberg.
+        
+        Apparently, unsigned + signed = unsigned. Work around it with a cast.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+
+2013-08-21  Alex Christensen  <achristensen@apple.com>
+
+        <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
+
+        Reviewed by Brent Fulgham.
+
+        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
+        Pass PlatformArchitecture as a command line parameter to bash scripts.
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
+        * JavaScriptCore.vcxproj/build-generated-files.sh:
+        Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
+
+2013-08-21  Filip Pizlo  <fpizlo@apple.com>
+
+        Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
+        https://bugs.webkit.org/show_bug.cgi?id=120099
+
+        Reviewed by Mark Hahnenberg.
+        
+        JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
+        JSDataView may have ordinary JS indexed properties.
+
+        * runtime/ClassInfo.h:
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+        (JSC::JSArrayBufferView::finishCreation):
+        * runtime/JSArrayBufferView.h:
+        (JSC::hasArrayBuffer):
+        * runtime/JSArrayBufferViewInlines.h:
+        (JSC::JSArrayBufferView::buffer):
+        (JSC::JSArrayBufferView::neuter):
+        (JSC::JSArrayBufferView::byteOffset):
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::slowDownAndWasteMemory):
+        * runtime/JSCell.h:
+        * runtime/JSDataView.cpp:
+        (JSC::JSDataView::JSDataView):
+        (JSC::JSDataView::create):
+        (JSC::JSDataView::slowDownAndWasteMemory):
+        * runtime/JSDataView.h:
+        (JSC::JSDataView::buffer):
+        * runtime/JSGenericTypedArrayView.h:
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::::visitChildren):
+        (JSC::::slowDownAndWasteMemory):
+
+2013-08-21  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Remove incorrect ASSERT from CopyVisitor::visitItem
+
+        Rubber stamped by Filip Pizlo.
+
+        * heap/CopyVisitorInlines.h:
+        (JSC::CopyVisitor::visitItem):
+
+2013-08-21  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120127
+        Remove JSObject::propertyIsEnumerable
+
+        Reviewed by Sam Weinig.
+
+        This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
+
+        * runtime/JSObject.cpp:
+        * runtime/JSObject.h:
+            - remove propertyIsEnumerable
+        * runtime/ObjectPrototype.cpp:
+        (JSC::objectProtoFuncPropertyIsEnumerable):
+            - Move implementation here using getOwnPropertyDescriptor directly.
+
+2013-08-20  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should inline new typedArray()
+        https://bugs.webkit.org/show_bug.cgi?id=120022
+
+        Reviewed by Oliver Hunt.
+        
+        Adds inlining of typed array allocations in the DFG. Any operation of the
+        form:
+        
+            new foo(blah)
+        
+        or:
+        
+            foo(blah)
+        
+        where 'foo' is a typed array constructor and 'blah' is exactly one argument,
+        is turned into the NewTypedArray intrinsic. Later, of child1 (i.e. 'blah')
+        is predicted integer, we generate inline code for an allocation. Otherwise
+        it turns into a call to an operation that behaves like the constructor would
+        if it was passed one argument (i.e. it may wrap a buffer or it may create a
+        copy or another array, or it may allocate an array of that length).
+
+        * bytecode/SpeculatedType.cpp:
+        (JSC::speculationFromTypedArrayType):
+        (JSC::speculationFromClassInfo):
+        * bytecode/SpeculatedType.h:
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::::executeEffects):
+        * dfg/DFGBackwardsPropagationPhase.cpp:
+        (JSC::DFG::BackwardsPropagationPhase::propagate):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+        * dfg/DFGCCallHelpers.h:
+        (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::putStructureStoreElimination):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::dump):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasTypedArrayType):
+        (JSC::DFG::Node::typedArrayType):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::newTypedArrayWithSize):
+        (JSC::DFG::newTypedArrayWithOneArgument):
+        * dfg/DFGOperations.h:
+        (JSC::DFG::operationNewTypedArrayWithSizeForType):
+        (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_new_object):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_new_object):
+        * runtime/JSArray.h:
+        (JSC::JSArray::allocationSize):
+        * runtime/JSArrayBufferView.h:
+        (JSC::JSArrayBufferView::allocationSize):
+        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
+        (JSC::constructGenericTypedArrayView):
+        * runtime/JSObject.h:
+        (JSC::JSFinalObject::allocationSize):
+        * runtime/TypedArrayType.cpp:
+        (JSC::constructorClassInfoForType):
+        * runtime/TypedArrayType.h:
+        (JSC::indexToTypedArrayType):
+
+2013-08-21  Julien Brianceau  <jbrianceau@nds.com>
+
+        <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
+
+        Reviewed by Geoffrey Garen.
+
+        * dfg/DFGOperations.h:
+
+2013-08-20  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120093
+        Remove getOwnPropertyDescriptor trap
+
+        Reviewed by Geoff Garen.
+
+        All implementations of this method are now called via the method table, and equivalent in behaviour.
+        Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
+
+        * API/JSCallbackObject.h:
+        * API/JSCallbackObjectFunctions.h:
+        * debugger/DebuggerActivation.cpp:
+        * debugger/DebuggerActivation.h:
+        * runtime/Arguments.cpp:
+        * runtime/Arguments.h:
+        * runtime/ArrayConstructor.cpp:
+        * runtime/ArrayConstructor.h:
+        * runtime/ArrayPrototype.cpp:
+        * runtime/ArrayPrototype.h:
+        * runtime/BooleanPrototype.cpp:
+        * runtime/BooleanPrototype.h:
+            - remove getOwnPropertyDescriptor
+        * runtime/ClassInfo.h:
+            - remove getOwnPropertyDescriptor from MethodTable
+        * runtime/DateConstructor.cpp:
+        * runtime/DateConstructor.h:
+        * runtime/DatePrototype.cpp:
+        * runtime/DatePrototype.h:
+        * runtime/ErrorPrototype.cpp:
+        * runtime/ErrorPrototype.h:
+        * runtime/JSActivation.cpp:
+        * runtime/JSActivation.h:
+        * runtime/JSArray.cpp:
+        * runtime/JSArray.h:
+        * runtime/JSArrayBuffer.cpp:
+        * runtime/JSArrayBuffer.h:
+        * runtime/JSArrayBufferView.cpp:
+        * runtime/JSArrayBufferView.h:
+        * runtime/JSCell.cpp:
+        * runtime/JSCell.h:
+        * runtime/JSDataView.cpp:
+        * runtime/JSDataView.h:
+        * runtime/JSDataViewPrototype.cpp:
+        * runtime/JSDataViewPrototype.h:
+        * runtime/JSFunction.cpp:
+        * runtime/JSFunction.h:
+        * runtime/JSGenericTypedArrayView.h:
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        * runtime/JSGlobalObject.cpp:
+        * runtime/JSGlobalObject.h:
+        * runtime/JSNotAnObject.cpp:
+        * runtime/JSNotAnObject.h:
+        * runtime/JSONObject.cpp:
+        * runtime/JSONObject.h:
+            - remove getOwnPropertyDescriptor
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::propertyIsEnumerable):
+            - switch to call new getOwnPropertyDescriptor member function
+        (JSC::JSObject::getOwnPropertyDescriptor):
+            - new, based on imlementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
+        (JSC::JSObject::defineOwnNonIndexProperty):
+            - switch to call new getOwnPropertyDescriptor member function
+        * runtime/JSObject.h:
+        * runtime/JSProxy.cpp:
+        * runtime/JSProxy.h:
+        * runtime/NamePrototype.cpp:
+        * runtime/NamePrototype.h:
+        * runtime/NumberConstructor.cpp:
+        * runtime/NumberConstructor.h:
+        * runtime/NumberPrototype.cpp:
+        * runtime/NumberPrototype.h:
+            - remove getOwnPropertyDescriptor
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorGetOwnPropertyDescriptor):
+        (JSC::objectConstructorSeal):
+        (JSC::objectConstructorFreeze):
+        (JSC::objectConstructorIsSealed):
+        (JSC::objectConstructorIsFrozen):
+            - switch to call new getOwnPropertyDescriptor member function
+        * runtime/ObjectConstructor.h:
+            - remove getOwnPropertyDescriptor
+        * runtime/PropertyDescriptor.h:
+            - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
+        * runtime/RegExpConstructor.cpp:
+        * runtime/RegExpConstructor.h:
+        * runtime/RegExpMatchesArray.cpp:
+        * runtime/RegExpMatchesArray.h:
+        * runtime/RegExpObject.cpp:
+        * runtime/RegExpObject.h:
+        * runtime/RegExpPrototype.cpp:
+        * runtime/RegExpPrototype.h:
+        * runtime/StringConstructor.cpp:
+        * runtime/StringConstructor.h:
+        * runtime/StringObject.cpp:
+        * runtime/StringObject.h:
+            - remove getOwnPropertyDescriptor
+
+2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
+
+        Reviewed by Oliver Hunt.
+
+        When we flatten an object in dictionary mode, we compact its properties. If the object 
+        had out-of-line storage in the form of a Butterfly prior to this compaction, and after 
+        compaction its properties fit inline, the object's Structure "forgets" that the object 
+        has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes 
+        with bytes = 0, which causes all sorts of badness in CopiedSpace.
+
+        Instead, after we flatten a dictionary, if properties fit inline we should clear the 
+        Butterfly pointer so that the GC doesn't get confused later.
+
+        This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
+        JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
+        agrees with the whether or not the object has a Butterfly. Also added an ASSERT to check
+        that the number of bytes reported to SlotVisitor::copyLater is non-zero.
+
+        * heap/SlotVisitorInlines.h:
+        (JSC::SlotVisitor::copyLater):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+        (JSC::JSObject::convertUndecidedToInt32):
+        (JSC::JSObject::convertUndecidedToDouble):
+        (JSC::JSObject::convertUndecidedToContiguous):
+        (JSC::JSObject::convertInt32ToDouble):
+        (JSC::JSObject::convertInt32ToContiguous):
+        (JSC::JSObject::genericConvertDoubleToContiguous):
+        (JSC::JSObject::switchToSlowPutArrayStorage):
+        (JSC::JSObject::setPrototype):
+        (JSC::JSObject::putDirectAccessor):
+        (JSC::JSObject::seal):
+        (JSC::JSObject::freeze):
+        (JSC::JSObject::preventExtensions):
+        (JSC::JSObject::reifyStaticFunctionsForDelete):
+        (JSC::JSObject::removeDirect):
+        * runtime/JSObject.h:
+        (JSC::JSObject::setButterfly):
+        (JSC::JSObject::putDirectInternal):
+        (JSC::JSObject::setStructure):
+        (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
+        * runtime/Structure.cpp:
+        (JSC::Structure::flattenDictionaryStructure):
+
+2013-08-20  Alex Christensen  <achristensen@apple.com>
+
+        Compile fix for Win64 after r154156.
+
+        Rubber stamped by Oliver Hunt.
+
+        * jit/JITStubsMSVC64.asm:
+        Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
+        cti_vm_throw_slowpath to cti_vm_handle_exception.
+
+2013-08-20  Alex Christensen  <achristensen@apple.com>
+
+        <https://webkit.org/b/120076> More work towards a Win64 build
+
+        Reviewed by Brent Fulgham.
+
+        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
+        * JavaScriptCore.vcxproj/copy-files.cmd:
+        * JavaScriptCore.vcxproj/jsc/jscCommon.props:
+        * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
+        Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
+
+2013-08-20  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
+
+        Reviewed by Geoffrey Garen.
+
+        More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the 
+        initializeLazyWriteBarrierFor* wrapper functions more sane. 
+
+        Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
+        and index when triggering the WriteBarrier at the end of compilation. 
+
+        The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
+        in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a 
+        little extra work that really shouldn't have been its responsibility.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::addConstant):
+        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+        * dfg/DFGDesiredWriteBarriers.cpp:
+        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
+        (JSC::DFG::DesiredWriteBarrier::trigger):
+        * dfg/DFGDesiredWriteBarriers.h:
+        (JSC::DFG::DesiredWriteBarriers::add):
+        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
+        (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
+        (JSC::DFG::initializeLazyWriteBarrierForConstant):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::truncateConstantToInt32):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::constantRegisterForConstant):
+
+2013-08-20  Michael Saboff  <msaboff@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120075
+        REGRESSION (r128400): BBC4 website not displaying pictures
+
+        Reviewed by Oliver Hunt.
+
+        * runtime/RegExpMatchesArray.h:
+        (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
+        so that the match results will be reified before any other modification to the results array.
+
+2013-08-19  Filip Pizlo  <fpizlo@apple.com>
+
+        Incorrect behavior on emscripten-compiled cube2hash
+        https://bugs.webkit.org/show_bug.cgi?id=120033
+
+        Reviewed by Mark Hahnenberg.
+        
+        If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
+        then we should bail attempts to CSE.
+
+        * dfg/DFGCSEPhase.cpp:
+        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
+        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
+
+2013-08-20  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120073
+        Remove use of GOPD from JSFunction::defineProperty
+
+        Reviewed by Oliver Hunt.
+
+        Call getOwnPropertySlot to check for existing properties instead.
+
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::defineOwnProperty):
+            - getOwnPropertyDescriptor -> getOwnPropertySlot
+
+2013-08-20  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120067
+        Remove getPropertyDescriptor
+
+        Reviewed by Oliver Hunt.
+
+        This is used by lookupGetter/lookupSetter - this can easily bee replaced by getPropertySlot.
+        Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
+
+        * runtime/JSObject.cpp:
+        * runtime/JSObject.h:
+            - remove getPropertyDescriptor
+        * runtime/ObjectPrototype.cpp:
+        (JSC::objectProtoFuncLookupGetter):
+        (JSC::objectProtoFuncLookupSetter):
+            - replace call to getPropertyDescriptor with getPropertySlot
+        * runtime/PropertyDescriptor.h:
+        * runtime/PropertySlot.h:
+        (JSC::PropertySlot::isAccessor):
+        (JSC::PropertySlot::isCacheableGetter):
+        (JSC::PropertySlot::getterSetter):
+            - rename isGetter() to isAccessor()
+
+2013-08-20  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120054
+        Remove some dead code following getOwnPropertyDescriptor cleanup
+
+        Reviewed by Oliver Hunt.
+
+        * runtime/Lookup.h:
+        (JSC::getStaticFunctionSlot):
+            - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
+
+2013-08-20  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120052
+        Remove custom getOwnPropertyDescriptor for JSProxy
+
+        Reviewed by Geoff Garen.
+
+        GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
+        Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
+        object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
+        assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
+        the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
+
+        * runtime/JSProxy.cpp:
+            - Remove custom getOwnPropertyDescriptor implementation.
+        * runtime/PropertyDescriptor.h:
+            - Modify own property access check to perform toThis conversion.
+
+2013-08-20  Alex Christensen  <achristensen@apple.com>
+
+        Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
+        https://bugs.webkit.org/show_bug.cgi?id=119512
+
+        Reviewed by Brent Fulgham.
+
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+        * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
+        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
+        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
+        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
+        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
+        Replaced obj32, bin32, and lib32 with macros for 64-bit build.
+
+2013-08-20  Julien Brianceau  <jbrianceau@nds.com>
+
+        <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
+
+        Reviewed by Allan Sandfeld Jensen.
+
+        branchPtrWithPatch() of baseline JIT must ensure that space is available for its
+        instructions and two constants now DFG is enabled for sh4 architecture.
+        These missing ensureSpace calls lead to random crashes.
+
+        * assembler/MacroAssemblerSH4.h:
+        (JSC::MacroAssemblerSH4::branchPtrWithPatch):
+
 2013-08-19  Gavin Barraclough  <barraclough@apple.com>
 
         https://bugs.webkit.org/show_bug.cgi?id=120034
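Review bot: The new top entry, "build-jsc --ftl-jit should work", is dated 2013-08-22 but sits above two 2013-08-23 entries from Oliver Hunt, so the head of the file no longer reads in landing order; confirm the date or move the entry below them. In the 2013-08-21 entry for bug 119872, "Apparently, unsigned + signed = unsigned. Work around it with a cast." does not say which expression in ByteCodeParser::parseBlock is cast or to which type; naming it would let a reader check for the same mixed-sign arithmetic elsewhere. The 2013-08-21 entry "Remove incorrect ASSERT from CopyVisitor::visitItem" has no bug link and no explanation of why the assertion was incorrect, which the removal of a GC check should state. Minor wording in the added text: "imlementation" (bug 120093), "can easily bee replaced" (bug 120067), "Later, of child1" (bug 120022, presumably "if") and "agrees with the whether or not" (b/120079).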