DFG Speculative JIT does not always insert speculation checks when speculating
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
index 9bd68a9..4aee49d 100644 (file)
+2011-07-11  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG Speculative JIT does not always insert speculation checks when speculating
+        arrays.
+        https://bugs.webkit.org/show_bug.cgi?id=64254
+
+        Reviewed by Gavin Barraclough.
+        
+        Changed the SetLocal instruction to always validate that the value being stored
+        into the local variable is an array, if that variable was marked PredictArray.
+        This is necessary since uses of arrays assume that if a PredictArray value is
+        in a local variable then the speculation check validating that the value is an
+        array was already performed.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2011-07-11  Gabor Loki  <loki@webkit.org>
+
+        Fix the condition of the optimized code in doubleTransfer
+        https://bugs.webkit.org/show_bug.cgi?id=64261
+
+        Reviewed by Zoltan Herczeg.
+
+        The condition of the optimized code in doubleTransfer is wrong. The
+        data transfer should be executed with four bytes aligned address.
+        VFP cannot perform unaligned memory access.
+
+        Reported by Jacob Bramley.
+
+        * assembler/ARMAssembler.cpp:
+        (JSC::ARMAssembler::doubleTransfer):
+
+2011-07-11  Gabor Loki  <loki@webkit.org>
+
+        Signed arithmetic bug in dataTransfer32.
+        https://bugs.webkit.org/show_bug.cgi?id=64257
+
+        Reviewed by Zoltan Herczeg.
+
+        An arithmetic bug is fixed. If the offset of dataTransfer is half of the
+        addressable memory space on a 32-bit machine (-2147483648 = 0x80000000)
+        a load instruction is emitted with a wrong zero offset.
+
+        Inspired by Jacob Bramley's patch from JaegerMonkey.
+
+        * assembler/ARMAssembler.cpp:
+        (JSC::ARMAssembler::dataTransfer32):
+
+2011-07-09  Thouraya Andolsi  <thouraya.andolsi@st.com>
+
+        Fix unaligned userspace access for SH4 platforms. 
+        https://bugs.webkit.org/show_bug.cgi?id=62993
+
+        * wtf/Platform.h:
+
+2011-07-09  Chao-ying Fu  <fu@mips.com>
+
+        Fix MIPS build due to readInt32 and readPointer
+        https://bugs.webkit.org/show_bug.cgi?id=63962
+
+        * assembler/MIPSAssembler.h:
+        (JSC::MIPSAssembler::readInt32):
+        (JSC::MIPSAssembler::readPointer):
+        * assembler/MacroAssemblerMIPS.h:
+        (JSC::MacroAssemblerMIPS::rshift32):
+
+2011-07-08  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64181
+        REGRESSION (r90602): Gmail doesn't load
+
+        Rolling out r90601, r90602.
+
+        * dfg/DFGAliasTracker.h:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::addVarArgChild):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::emitCall):
+        * dfg/DFGNode.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::tryCacheGetByID):
+        (JSC::DFG::dfgLinkCall):
+        * dfg/DFGRepatch.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * runtime/JSObject.h:
+        (JSC::JSObject::isUsingInlineStorage):
+
+2011-07-08  Kalev Lember  <kalev@smartlink.ee>
+
+        Reviewed by Adam Roben.
+
+        Add missing _WIN32_WINNT and WINVER definitions
+        https://bugs.webkit.org/show_bug.cgi?id=59702
+
+        Moved _WIN32_WINNT and WINVER definitions to config.h so that they are
+        available for all source files.
+
+        In particular, wtf/FastMalloc.cpp uses CreateTimerQueueTimer and
+        DeleteTimerQueueTimer which are both guarded by
+        #if (_WIN32_WINNT >= 0x0500)
+        in MinGW headers.
+
+        * config.h:
+        * wtf/Assertions.cpp:
+
+2011-07-08  Chang Shu  <cshu@webkit.org>
+
+        Rename "makeSecure" to "fill" and remove the support for displaying last character
+        to avoid layering violatation.
+        https://bugs.webkit.org/show_bug.cgi?id=59114
+
+        Reviewed by Alexey Proskuryakov.
+
+        * JavaScriptCore.exp:
+        * JavaScriptCore.order:
+        * wtf/text/StringImpl.cpp:
+        (WTF::StringImpl::fill):
+        * wtf/text/StringImpl.h:
+        * wtf/text/WTFString.h:
+        (WTF::String::fill):
+
+2011-07-08  Benjamin Poulain  <benjamin@webkit.org>
+
+        [WK2] Do not forward touch events to the web process when it does not need them
+        https://bugs.webkit.org/show_bug.cgi?id=64164
+
+        Reviewed by Kenneth Rohde Christiansen.
+
+        Add a convenience function to obtain a reference to the last element of a Deque.
+
+        * wtf/Deque.h:
+        (WTF::Deque::last):
+
+2011-07-07  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG JIT does not implement op_construct.
+        https://bugs.webkit.org/show_bug.cgi?id=64066
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGAliasTracker.h:
+        (JSC::DFG::AliasTracker::recordConstruct):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::addCall):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::emitCall):
+        * dfg/DFGNode.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::dfgLinkFor):
+        * dfg/DFGRepatch.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2011-07-07  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG JIT does not implement get_by_id prototype caching.
+        https://bugs.webkit.org/show_bug.cgi?id=64077
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::emitRestoreScratch):
+        (JSC::DFG::linkRestoreScratch):
+        (JSC::DFG::tryCacheGetByID):
+        * runtime/JSObject.h:
+        (JSC::JSObject::addressOfPropertyAtOffset):
+
+2011-07-07  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG JIT method_check implementation does not link to optimized get_by_id
+        slow path.
+        https://bugs.webkit.org/show_bug.cgi?id=64073
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::dfgRepatchGetMethodFast):
+
+2011-07-07  Oliver Hunt  <oliver@apple.com>
+
+        Encode jump and link sizes into the appropriate enums
+        https://bugs.webkit.org/show_bug.cgi?id=64123
+
+        Reviewed by Sam Weinig.
+
+        Finally kill off the out of line jump and link size arrays, 
+        so we can avoid icky loads and constant fold the linking arithmetic.
+
+        * assembler/ARMv7Assembler.cpp:
+        * assembler/ARMv7Assembler.h:
+        (JSC::ARMv7Assembler::jumpSizeDelta):
+        (JSC::ARMv7Assembler::computeJumpType):
+
+2011-07-06  Juan C. Montemayor  <jmont@apple.com>
+
+        ASSERT_NOT_REACHED running test 262
+        https://bugs.webkit.org/show_bug.cgi?id=63951
+        
+        Added a case to the switch statement where the code was failing. Fixed
+        some logic as well that gave faulty error messages.
+
+        Reviewed by Gavin Barraclough.
+
+        * parser/JSParser.cpp:
+        (JSC::JSParser::getTokenName):
+        (JSC::JSParser::updateErrorMessageSpecialCase):
+        (JSC::JSParser::updateErrorMessage):
+
+2011-07-06  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG JIT implementation of op_call results in regressions on sunspider
+        controlflow-recursive.
+        https://bugs.webkit.org/show_bug.cgi?id=64039
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::isInteger):
+
+2011-07-06  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG JIT does not support method_check
+        https://bugs.webkit.org/show_bug.cgi?id=63972
+
+        Reviewed by Gavin Barraclough.
+
+        * assembler/CodeLocation.h:
+        (JSC::CodeLocationPossiblyNearCall::CodeLocationPossiblyNearCall):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::visitAggregate):
+        * bytecode/CodeBlock.h:
+        (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
+        (JSC::MethodCallLinkInfo::seenOnce):
+        (JSC::MethodCallLinkInfo::setSeen):
+        * dfg/DFGAliasTracker.h:
+        (JSC::DFG::AliasTracker::recordGetMethod):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::cachedGetById):
+        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
+        * dfg/DFGJITCodeGenerator.h:
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileFunction):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::addMethodGet):
+        (JSC::DFG::JITCompiler::MethodGetRecord::MethodGetRecord):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasIdentifier):
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::dfgRepatchGetMethodFast):
+        (JSC::DFG::tryCacheGetMethod):
+        (JSC::DFG::dfgRepatchGetMethod):
+        * dfg/DFGRepatch.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/JITWriteBarrier.h:
+        (JSC::JITWriteBarrier::set):
+
+2011-07-06  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG JIT op_call implementation will flush registers even when those registers are dead
+        https://bugs.webkit.org/show_bug.cgi?id=64023
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::emitCall):
+        * dfg/DFGJITCodeGenerator.h:
+        (JSC::DFG::JITCodeGenerator::integerResult):
+        (JSC::DFG::JITCodeGenerator::noResult):
+        (JSC::DFG::JITCodeGenerator::cellResult):
+        (JSC::DFG::JITCodeGenerator::jsValueResult):
+        (JSC::DFG::JITCodeGenerator::doubleResult):
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2011-07-06  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG speculative JIT may crash when speculating int on a non-int JSConstant.
+        https://bugs.webkit.org/show_bug.cgi?id=64017
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2011-07-06  Dmitriy Vyukov  <dvyukov@google.com>
+
+        Reviewed by David Levin.
+
+        Allow substitution of dynamic annotations and prevent identical code folding by the linker.
+        https://bugs.webkit.org/show_bug.cgi?id=62443
+
+        * wtf/DynamicAnnotations.cpp:
+        (WTFAnnotateBenignRaceSized):
+        (WTFAnnotateHappensBefore):
+        (WTFAnnotateHappensAfter):
+
+2011-07-06  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>
+
+        Calls on 32 bit machines are failed after r90423
+        https://bugs.webkit.org/show_bug.cgi?id=63980
+
+        Reviewed by Gavin Barraclough.
+
+        Copy the necessary lines from JITCall.cpp.
+
+        * jit/JITCall32_64.cpp:
+        (JSC::JIT::compileOpCall):
+
+2011-07-05  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG JIT virtual call implementation is inefficient.
+        https://bugs.webkit.org/show_bug.cgi?id=63974
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGOperations.cpp:
+        * runtime/Executable.h:
+        (JSC::ExecutableBase::generatedJITCodeForCallWithArityCheck):
+        (JSC::ExecutableBase::generatedJITCodeForConstructWithArityCheck):
+        (JSC::ExecutableBase::generatedJITCodeWithArityCheckFor):
+        (JSC::ExecutableBase::hasJITCodeForCall):
+        (JSC::ExecutableBase::hasJITCodeForConstruct):
+        (JSC::ExecutableBase::hasJITCodeFor):
+        * runtime/JSFunction.h:
+        (JSC::JSFunction::scopeUnchecked):
+
+2011-07-05  Oliver Hunt  <oliver@apple.com>
+
+        Force inlining of simple functions that show up as not being inlined
+        https://bugs.webkit.org/show_bug.cgi?id=63964
+
+        Reviewed by Gavin Barraclough.
+
+        Looking at profile data indicates the gcc is failing to inline a
+        number of trivial functions.  This patch hits the ones that show
+        up in profiles with the ALWAYS_INLINE hammer.
+
+        We also replace the memcpy() call in linking with a manual loop.
+        Apparently memcpy() is almost never faster than an inlined loop.
+
+        * assembler/ARMv7Assembler.h:
+        (JSC::ARMv7Assembler::add):
+        (JSC::ARMv7Assembler::add_S):
+        (JSC::ARMv7Assembler::ARM_and):
+        (JSC::ARMv7Assembler::asr):
+        (JSC::ARMv7Assembler::b):
+        (JSC::ARMv7Assembler::blx):
+        (JSC::ARMv7Assembler::bx):
+        (JSC::ARMv7Assembler::clz):
+        (JSC::ARMv7Assembler::cmn):
+        (JSC::ARMv7Assembler::cmp):
+        (JSC::ARMv7Assembler::eor):
+        (JSC::ARMv7Assembler::it):
+        (JSC::ARMv7Assembler::ldr):
+        (JSC::ARMv7Assembler::ldrCompact):
+        (JSC::ARMv7Assembler::ldrh):
+        (JSC::ARMv7Assembler::ldrb):
+        (JSC::ARMv7Assembler::lsl):
+        (JSC::ARMv7Assembler::lsr):
+        (JSC::ARMv7Assembler::movT3):
+        (JSC::ARMv7Assembler::mov):
+        (JSC::ARMv7Assembler::movt):
+        (JSC::ARMv7Assembler::mvn):
+        (JSC::ARMv7Assembler::neg):
+        (JSC::ARMv7Assembler::orr):
+        (JSC::ARMv7Assembler::orr_S):
+        (JSC::ARMv7Assembler::ror):
+        (JSC::ARMv7Assembler::smull):
+        (JSC::ARMv7Assembler::str):
+        (JSC::ARMv7Assembler::sub):
+        (JSC::ARMv7Assembler::sub_S):
+        (JSC::ARMv7Assembler::tst):
+        (JSC::ARMv7Assembler::linkRecordSourceComparator):
+        (JSC::ARMv7Assembler::link):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Reg3Imm8):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Imm5Reg3Reg3):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Reg3Reg3Reg3):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8Imm8):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8RegReg143):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp9Imm7):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp10Reg3Reg3):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4FourFours):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16FourFours):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16Op16):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp5i6Imm4Reg4EncodedImm):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4Reg4Imm12):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpOp):
+        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpMemOp):
+        * assembler/LinkBuffer.h:
+        (JSC::LinkBuffer::linkCode):
+        * assembler/MacroAssemblerARMv7.h:
+        (JSC::MacroAssemblerARMv7::nearCall):
+        (JSC::MacroAssemblerARMv7::call):
+        (JSC::MacroAssemblerARMv7::ret):
+        (JSC::MacroAssemblerARMv7::moveWithPatch):
+        (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
+        (JSC::MacroAssemblerARMv7::storePtrWithPatch):
+        (JSC::MacroAssemblerARMv7::tailRecursiveCall):
+        (JSC::MacroAssemblerARMv7::makeTailRecursiveCall):
+        (JSC::MacroAssemblerARMv7::jump):
+        (JSC::MacroAssemblerARMv7::makeBranch):
+
+2011-07-05  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>
+
+        Make "Add optimised paths for a few maths functions" work on Qt
+        https://bugs.webkit.org/show_bug.cgi?id=63893
+
+        Reviewed by Oliver Hunt.
+
+        Move the generated code to the .text section instead of .data section.
+        Fix alignment for the 32 bit thunk code.
+
+        * jit/ThunkGenerators.cpp:
+
+2011-07-05  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG JIT does not implement op_call.
+        https://bugs.webkit.org/show_bug.cgi?id=63858
+
+        Reviewed by Gavin Barraclough.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::unlinkCalls):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::setNumberOfCallLinkInfos):
+        (JSC::CodeBlock::numberOfCallLinkInfos):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitCall):
+        (JSC::BytecodeGenerator::emitConstruct):
+        * dfg/DFGAliasTracker.h:
+        (JSC::DFG::AliasTracker::lookupGetByVal):
+        (JSC::DFG::AliasTracker::recordCall):
+        (JSC::DFG::AliasTracker::equalIgnoringLaterNumericConversion):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::ByteCodeParser):
+        (JSC::DFG::ByteCodeParser::getLocal):
+        (JSC::DFG::ByteCodeParser::getArgument):
+        (JSC::DFG::ByteCodeParser::toInt32):
+        (JSC::DFG::ByteCodeParser::addToGraph):
+        (JSC::DFG::ByteCodeParser::addVarArgChild):
+        (JSC::DFG::ByteCodeParser::predictInt32):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        (JSC::DFG::ByteCodeParser::processPhiStack):
+        (JSC::DFG::ByteCodeParser::allocateVirtualRegisters):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::opName):
+        (JSC::DFG::Graph::dump):
+        (JSC::DFG::Graph::refChildren):
+        * dfg/DFGGraph.h:
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::useChildren):
+        (JSC::DFG::JITCodeGenerator::emitCall):
+        * dfg/DFGJITCodeGenerator.h:
+        (JSC::DFG::JITCodeGenerator::addressOfCallData):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileFunction):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::CallRecord::CallRecord):
+        (JSC::DFG::JITCompiler::notifyCall):
+        (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
+        (JSC::DFG::JITCompiler::addJSCall):
+        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
+        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::Node):
+        (JSC::DFG::Node::child1):
+        (JSC::DFG::Node::child2):
+        (JSC::DFG::Node::child3):
+        (JSC::DFG::Node::firstChild):
+        (JSC::DFG::Node::numChildren):
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
+        (JSC::DFG::NonSpeculativeJIT::compare):
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::dfgLinkCall):
+        * dfg/DFGRepatch.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
+        * interpreter/CallFrame.h:
+        (JSC::ExecState::calleeAsValue):
+        * jit/JIT.cpp:
+        (JSC::JIT::JIT):
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        (JSC::JIT::privateCompile):
+        (JSC::JIT::linkCall):
+        (JSC::JIT::linkConstruct):
+        * jit/JITCall.cpp:
+        (JSC::JIT::compileOpCall):
+        * jit/JITCode.h:
+        (JSC::JITCode::JITCode):
+        (JSC::JITCode::jitType):
+        (JSC::JITCode::HostFunction):
+        * runtime/JSFunction.h:
+        * runtime/JSGlobalData.h:
+
+2011-07-05  Oliver Hunt  <oliver@apple.com>
+
+        Initialize new MarkStack member
+
+        * heap/MarkStack.h:
+        (JSC::MarkStack::MarkStack):
+
+2011-07-05  Oliver Hunt  <oliver@apple.com>
+
+        Don't throw out compiled code repeatedly
+        https://bugs.webkit.org/show_bug.cgi?id=63960
+
+        Reviewed by Gavin Barraclough.
+
+        Stop throwing away all compiled code every time
+        we're told to do a full GC.  Instead unlink all
+        callsites during such GC passes to maximise the
+        number of collectable functions, but otherwise
+        leave compiled functions alone.
+
+        * API/JSBase.cpp:
+        (JSGarbageCollect):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::visitAggregate):
+        * heap/Heap.cpp:
+        (JSC::Heap::collectAllGarbage):
+        * heap/MarkStack.h:
+        (JSC::MarkStack::shouldUnlinkCalls):
+        (JSC::MarkStack::setShouldUnlinkCalls):
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::recompileAllJSFunctions):
+        (JSC::JSGlobalData::releaseExecutableMemory):
+        * runtime/RegExp.cpp:
+        (JSC::RegExp::compile):
+        (JSC::RegExp::invalidateCode):
+        * runtime/RegExp.h:
+
+2011-07-05  Filip Pizlo  <fpizlo@apple.com>
+
+        JSC JIT has code duplication for the handling of call and construct
+        https://bugs.webkit.org/show_bug.cgi?id=63957
+
+        Reviewed by Gavin Barraclough.
+
+        * jit/JIT.cpp:
+        (JSC::JIT::linkFor):
+        * jit/JIT.h:
+        * jit/JITStubs.cpp:
+        (JSC::jitCompileFor):
+        (JSC::DEFINE_STUB_FUNCTION):
+        (JSC::arityCheckFor):
+        (JSC::lazyLinkFor):
+        * runtime/Executable.h:
+        (JSC::ExecutableBase::generatedJITCodeFor):
+        (JSC::FunctionExecutable::compileFor):
+        (JSC::FunctionExecutable::isGeneratedFor):
+        (JSC::FunctionExecutable::generatedBytecodeFor):
+        (JSC::FunctionExecutable::generatedJITCodeWithArityCheckFor):
+
+2011-07-05  Gavin Barraclough  <barraclough@apple.com>
+
+        Build fix following last patch.
+
+        * runtime/JSFunction.cpp:
+        (JSC::createPrototypeProperty):
+
+2011-07-05  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=63947
+        ASSERT running Object.preventExtensions(Math.sin)
+
+        Reviewed by Oliver Hunt.
+
+        This is due to calling scope() on a hostFunction as a part of
+        calling createPrototypeProperty to reify the prototype property.
+        But host functions don't have a prototype property anyway!
+
+        Prevent callling createPrototypeProperty on a host function.
+
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::createPrototypeProperty):
+        (JSC::JSFunction::preventExtensions):
+
+2011-07-04  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=63880
+        Evaluation order of conversions of operands to >, >= incorrect.
+
+        Reviewed by Sam Weinig.
+
+        Add 'leftFirst' parameter to jsLess, jsLessEq matching that described in the ES5
+        spec. This allows these methods to be reused to perform >, >= relational compares
+        with correct ordering of type conversions.
+
+        * dfg/DFGOperations.cpp:
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * runtime/Operations.h:
+        (JSC::jsLess):
+        (JSC::jsLessEq):
+
+2011-07-04  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        https://bugs.webkit.org/show_bug.cgi?id=16652
+        Firefox and JavaScriptCore differ in Number.toString(integer)
+
+        Our arbitrary radix (2..36) toString conversion is inaccurate.
+        This is partly because it uses doubles to perform math that requires
+        higher accuracy, and partly becasue it does not attempt to correctly
+        detect where to terminate, instead relying on a simple 'epsilon'.
+
+        * runtime/NumberPrototype.cpp:
+        (JSC::decomposeDouble):
+            - helper function to extract sign, exponent, mantissa from IEEE doubles.
+        (JSC::Uint16WithFraction::Uint16WithFraction):
+            - helper class, u16int with infinite precision fraction, used to convert
+              the fractional part of the number to a string.
+        (JSC::Uint16WithFraction::operator*=):
+            - Multiply by a uint16.
+        (JSC::Uint16WithFraction::operator<):
+            - Compare two Uint16WithFractions.
+        (JSC::Uint16WithFraction::floorAndSubtract):
+            - Extract the integer portion of the number, and subtract it (clears the integer portion).
+        (JSC::Uint16WithFraction::comparePoint5):
+            - Compare to 0.5.
+        (JSC::Uint16WithFraction::sumGreaterThanOne):
+            - Passed a second Uint16WithFraction, returns true if the result of adding
+              the two values would be greater than one.
+        (JSC::Uint16WithFraction::isNormalized):
+            - Used by ASSERTs to consistency check internal representation.
+        (JSC::BigInteger::BigInteger):
+            - helper class, unbounded integer value, used to convert the integer part
+              of the number to a string.
+        (JSC::BigInteger::divide):
+            - Divide this value through by a uint32.
+        (JSC::BigInteger::operator!):
+            - test for zero.
+        (JSC::toStringWithRadix):
+            - Performs number to string conversion, with the given radix (2..36).
+        (JSC::numberProtoFuncToString):
+            - Changed to use toStringWithRadix.
+
+2011-07-04  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=63881
+        Need separate bytecodes for handling >, >= comparisons.
+
+        Reviewed by Oliver Hunt.
+
+        This clears the way to fix Bug#63880. We currently handle greater-than comparisons
+        as being using the corresponding op_less, etc opcodes.  This is incorrect with
+        respect to evaluation ordering of the implicit conversions performed on operands -
+        we should be calling ToPrimitive on the LHS and RHS operands to the greater than,
+        but instead convert RHS then LHS.
+
+        This patch adds opcodes for greater-than comparisons mirroring existing ones used
+        for less-than.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dump):
+        * bytecode/Opcode.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitJumpIfTrue):
+        (JSC::BytecodeGenerator::emitJumpIfFalse):
+        * bytecompiler/NodesCodegen.cpp:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGNode.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compare):
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGNonSpeculativeJIT.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compare):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.h:
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        * jit/JIT.h:
+        (JSC::JIT::emit_op_loop_if_greater):
+        (JSC::JIT::emitSlow_op_loop_if_greater):
+        (JSC::JIT::emit_op_loop_if_greatereq):
+        (JSC::JIT::emitSlow_op_loop_if_greatereq):
+        * jit/JITArithmetic.cpp:
+        (JSC::JIT::emit_op_jgreater):
+        (JSC::JIT::emit_op_jgreatereq):
+        (JSC::JIT::emit_op_jngreater):
+        (JSC::JIT::emit_op_jngreatereq):
+        (JSC::JIT::emitSlow_op_jgreater):
+        (JSC::JIT::emitSlow_op_jgreatereq):
+        (JSC::JIT::emitSlow_op_jngreater):
+        (JSC::JIT::emitSlow_op_jngreatereq):
+        (JSC::JIT::emit_compareAndJumpSlow):
+        * jit/JITArithmetic32_64.cpp:
+        (JSC::JIT::emitBinaryDoubleOp):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * jit/JITStubs.h:
+        * parser/NodeConstructors.h:
+        (JSC::GreaterNode::GreaterNode):
+        (JSC::GreaterEqNode::GreaterEqNode):
+        * parser/Nodes.h:
+
+2011-07-03  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=63879
+        Reduce code duplication for op_jless, op_jlesseq, op_jnless, op_jnlesseq.
+
+        Reviewed by Sam Weinig.
+        
+        There is a lot of copy & paste code here; we can reduce duplication by making
+        a shared implementation.
+
+        * assembler/MacroAssembler.h:
+        (JSC::MacroAssembler::branch32):
+        (JSC::MacroAssembler::commute):
+            - Make these function platform agnostic.
+        * assembler/MacroAssemblerX86Common.h:
+            - Moved branch32/commute up to MacroAssembler.
+        * jit/JIT.h:
+        (JSC::JIT::emit_op_loop_if_lesseq):
+        (JSC::JIT::emitSlow_op_loop_if_lesseq):
+            - Add an implementation matching that for op_loop_if_less, which just calls op_jless.
+        * jit/JITArithmetic.cpp:
+        (JSC::JIT::emit_op_jless):
+        (JSC::JIT::emit_op_jlesseq):
+        (JSC::JIT::emit_op_jnless):
+        (JSC::JIT::emit_op_jnlesseq):
+        (JSC::JIT::emitSlow_op_jless):
+        (JSC::JIT::emitSlow_op_jlesseq):
+        (JSC::JIT::emitSlow_op_jnless):
+        (JSC::JIT::emitSlow_op_jnlesseq):
+            - Common implmentations of these methods for JSVALUE64 & JSVALUE32_64.
+        (JSC::JIT::emit_compareAndJump):
+        (JSC::JIT::emit_compareAndJumpSlow):
+            - Internal implmementation of jless etc for JSVALUE64.
+        * jit/JITArithmetic32_64.cpp:
+        (JSC::JIT::emit_compareAndJump):
+        (JSC::JIT::emit_compareAndJumpSlow):
+            - Internal implmementation of jless etc for JSVALUE32_64.
+        * jit/JITOpcodes.cpp:
+        * jit/JITOpcodes32_64.cpp:
+        * jit/JITStubs.cpp:
+        * jit/JITStubs.h:
+            - Remove old implementation of emit_op_loop_if_lesseq.
+
+2011-07-03  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r90347.
+        http://trac.webkit.org/changeset/90347
+        https://bugs.webkit.org/show_bug.cgi?id=63886
+
+        Build breaks on Leopard, Chromium-win, WinCairo, and WinCE.
+        (Requested by tkent on #webkit).
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * runtime/BigInteger.h: Removed.
+        * runtime/NumberPrototype.cpp:
+        (JSC::numberProtoFuncToPrecision):
+        (JSC::numberProtoFuncToString):
+        * runtime/Uint16WithFraction.h: Removed.
+        * wtf/MathExtras.h:
+
+2011-06-30  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        https://bugs.webkit.org/show_bug.cgi?id=16652
+        Firefox and JavaScriptCore differ in Number.toString(integer)
+
+        Our arbitrary radix (2..36) toString conversion is inaccurate.
+        This is partly because it uses doubles to perform math that requires
+        higher accuracy, and partly becasue it does not attempt to correctly
+        detect where to terminate, instead relying on a simple 'epsilon'.
+
+        * runtime/NumberPrototype.cpp:
+        (JSC::decomposeDouble):
+            - helper function to extract sign, exponent, mantissa from IEEE doubles.
+        (JSC::Uint16WithFraction::Uint16WithFraction):
+            - helper class, u16int with infinite precision fraction, used to convert
+              the fractional part of the number to a string.
+        (JSC::Uint16WithFraction::operator*=):
+            - Multiply by a uint16.
+        (JSC::Uint16WithFraction::operator<):
+            - Compare two Uint16WithFractions.
+        (JSC::Uint16WithFraction::floorAndSubtract):
+            - Extract the integer portion of the number, and subtract it (clears the integer portion).
+        (JSC::Uint16WithFraction::comparePoint5):
+            - Compare to 0.5.
+        (JSC::Uint16WithFraction::sumGreaterThanOne):
+            - Passed a second Uint16WithFraction, returns true if the result of adding
+              the two values would be greater than one.
+        (JSC::Uint16WithFraction::isNormalized):
+            - Used by ASSERTs to consistency check internal representation.
+        (JSC::BigInteger::BigInteger):
+            - helper class, unbounded integer value, used to convert the integer part
+              of the number to a string.
+        (JSC::BigInteger::divide):
+            - Divide this value through by a uint32.
+        (JSC::BigInteger::operator!):
+            - test for zero.
+        (JSC::toStringWithRadix):
+            - Performs number to string conversion, with the given radix (2..36).
+        (JSC::numberProtoFuncToString):
+            - Changed to use toStringWithRadix.
+
+2011-07-02  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=63866
+        DFG JIT - implement instanceof
+
+        Reviewed by Sam Weinig.
+
+        Add ops CheckHasInstance & InstanceOf to implement bytecodes
+        op_check_has_instance & op_instanceof. This is an initial
+        functional implementation, performance is a wash. We can
+        follow up with changes to fuse the InstanceOf node with
+        a subsequant branch, as we do with other comparisons.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::jitAssertIsCell):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::jitAssertIsCell):
+        * dfg/DFGNode.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2011-07-01  Oliver Hunt  <oliver@apple.com>
+
+        IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
+        https://bugs.webkit.org/show_bug.cgi?id=63732
+
+        Reviewed by Gavin Barraclough.
+
+        Initialise the memory at the head of the new storage so that
+        GC is safe if triggered by reportExtraMemoryCost.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::increaseVectorPrefixLength):
+
+2011-07-01  Oliver Hunt  <oliver@apple.com>
+
+        GC sweep can occur before an object is completely initialised
+        https://bugs.webkit.org/show_bug.cgi?id=63836
+
+        Reviewed by Gavin Barraclough.
+
+        In rare cases it's possible for a GC sweep to occur while a
+        live, but not completely initialised object is on the stack.
+        In such a case we may incorrectly choose to mark it, even
+        though it has no children that need marking.
+
+        We resolve this by always zeroing out the structure of any
+        value returned from JSCell::operator new(), and making the
+        markstack tolerant of a null structure. 
+
+        * runtime/JSCell.h:
+        (JSC::JSCell::JSCell::~JSCell):
+        (JSC::JSCell::JSCell::operator new):
+        * runtime/Structure.h:
+        (JSC::MarkStack::internalAppend):
+
+2011-07-01  Filip Pizlo  <fpizlo@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        DFG non-speculative JIT always performs slow C calls for div and mod.
+        https://bugs.webkit.org/show_bug.cgi?id=63684
+
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+
+2011-07-01  Juan C. Montemayor  <jmont@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        Lexer error messages are currently appalling
+        https://bugs.webkit.org/show_bug.cgi?id=63340
+
+        Added error messages for the Lexer. These messages will be displayed
+        instead of the lexer error messages from the parser that are currently
+        shown.
+
+        * parser/Lexer.cpp:
+        (JSC::Lexer::getInvalidCharMessage):
+        (JSC::Lexer::setCode):
+        (JSC::Lexer::parseString):
+        (JSC::Lexer::lex):
+        (JSC::Lexer::clear):
+        * parser/Lexer.h:
+        (JSC::Lexer::getErrorMessage):
+        (JSC::Lexer::setOffset):
+        * parser/Parser.cpp:
+        (JSC::Parser::parse):
+
+2011-07-01  Jungshik Shin  <jshin@chromium.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Add ScriptCodesFromICU.h to wtf/unicode and make necessary changes in
+        build files for ports not using ICU.
+        Add icu/unicode/uscript.h for ports using ICU. It's taken from 
+        ICU 3.6 (the version used on Mac OS 10.5)
+
+        http://bugs.webkit.org/show_bug.cgi?id=20797
+
+        * GNUmakefile.list.am:
+        * JavaScriptCore.gypi:
+        * icu/unicode/uscript.h: Added for UScriptCode enum.
+        * wtf/unicode/ScriptCodesFromICU.h: UScriptCode enum added.
+        * wtf/unicode/icu/UnicodeIcu.h:
+        * wtf/unicode/brew/UnicodeBrew.h:
+        * wtf/unicode/glib/UnicodeGLib.h:
+        * wtf/unicode/qt4/UnicodeQt4.h:
+        * wtf/unicode/wince/UnicodeWinCE.h:
+
+2011-07-01  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        https://bugs.webkit.org/show_bug.cgi?id=63819
+        Escaping of forwardslashes in strings incorrect if multiple exist.
+
+        The bug is in the parameters passed to a substring - should be
+        start & length, but we're passing start & end indices!
+
+        * runtime/RegExpObject.cpp:
+        (JSC::regExpObjectSource):
+
+2011-07-01  Adam Roben  <aroben@apple.com>
+
+        Roll out r90194
+        http://trac.webkit.org/changeset/90194
+        https://bugs.webkit.org/show_bug.cgi?id=63778
+
+        Fixes <http://webkit.org/b/63812> REGRESSION (r90194): Multiple tests intermittently failing
+        assertions in WriteBarrierBase<JSC::Structure>::get
+
+        * runtime/JSCell.h:
+        (JSC::JSCell::JSCell::~JSCell):
+
+2011-06-30  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Add optimised paths for a few maths functions
+        https://bugs.webkit.org/show_bug.cgi?id=63757
+
+        Relanding as a Mac only patch.
+
+        This adds specialised thunks for Math.abs, Math.round, Math.ceil,
+        Math.floor, Math.log, and Math.exp as they are apparently more
+        important in real web content than we thought, which is somewhat
+        mind-boggling.  On average doubles the performance of the common
+        cases (eg. actually passing numbers in).  They're not as efficient
+        as they could be, but this way gives them the most portability.
+
+        * assembler/MacroAssemblerARM.h:
+        (JSC::MacroAssemblerARM::supportsDoubleBitops):
+        (JSC::MacroAssemblerARM::andnotDouble):
+        * assembler/MacroAssemblerARMv7.h:
+        (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
+        (JSC::MacroAssemblerARMv7::andnotDouble):
+        * assembler/MacroAssemblerMIPS.h:
+        (JSC::MacroAssemblerMIPS::andnotDouble):
+        (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
+        * assembler/MacroAssemblerSH4.h:
+        (JSC::MacroAssemblerSH4::supportsDoubleBitops):
+        (JSC::MacroAssemblerSH4::andnotDouble):
+        * assembler/MacroAssemblerX86.h:
+        (JSC::MacroAssemblerX86::supportsDoubleBitops):
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86Common::andnotDouble):
+        * assembler/MacroAssemblerX86_64.h:
+        (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::andnpd_rr):
+        * create_hash_table:
+        * jit/SpecializedThunkJIT.h:
+        (JSC::SpecializedThunkJIT::finalize):
+        (JSC::SpecializedThunkJIT::callDoubleToDouble):
+        * jit/ThunkGenerators.cpp:
+        (JSC::floorThunkGenerator):
+        (JSC::ceilThunkGenerator):
+        (JSC::roundThunkGenerator):
+        (JSC::expThunkGenerator):
+        (JSC::logThunkGenerator):
+        (JSC::absThunkGenerator):
+        * jit/ThunkGenerators.h:
+
+2011-07-01  David Kilzer  <ddkilzer@apple.com>
+
+        <http://webkit.org/b/63814> Fix clang build error in JITOpcodes32_64.cpp
+
+        Fixes the following build error in clang:
+
+            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:9-741:35}: error: operator '?:' has lower precedence than '+'; '+' will be evaluated first [-Werror,-Wparentheses,3]
+                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
+            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36: note: place parentheses around the '+' expression to silence this warning [3]
+                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
+                                                ^
+                     (                         )
+            fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:9-741:9}:"("
+            fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:35-741:35}:")"
+            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:28-741:94}: note: place parentheses around the '?:' expression to evaluate it first [3]
+                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
+                                        ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+            1 error generated.
+
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_resolve_global): Add parenthesis to make the
+        tertiary expression evaluate first.
+
+2011-07-01  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r90177 and r90179.
+        http://trac.webkit.org/changeset/90177
+        http://trac.webkit.org/changeset/90179
+        https://bugs.webkit.org/show_bug.cgi?id=63790
+
+        It caused crashes on Qt in debug mode (Requested by Ossy on
+        #webkit).
+
+        * assembler/MacroAssemblerARM.h:
+        (JSC::MacroAssemblerARM::rshift32):
+        (JSC::MacroAssemblerARM::supportsFloatingPointSqrt):
+        (JSC::MacroAssemblerARM::sqrtDouble):
+        * assembler/MacroAssemblerARMv7.h:
+        (JSC::MacroAssemblerARMv7::supportsFloatingPointSqrt):
+        (JSC::MacroAssemblerARMv7::sqrtDouble):
+        * assembler/MacroAssemblerMIPS.h:
+        (JSC::MacroAssemblerMIPS::sqrtDouble):
+        (JSC::MacroAssemblerMIPS::supportsFloatingPointSqrt):
+        * assembler/MacroAssemblerSH4.h:
+        (JSC::MacroAssemblerSH4::sqrtDouble):
+        * assembler/MacroAssemblerX86.h:
+        * assembler/MacroAssemblerX86Common.h:
+        * assembler/MacroAssemblerX86_64.h:
+        * assembler/X86Assembler.h:
+        * create_hash_table:
+        * jit/JSInterfaceJIT.h:
+        (JSC::JSInterfaceJIT::emitLoadDouble):
+        * jit/SpecializedThunkJIT.h:
+        (JSC::SpecializedThunkJIT::finalize):
+        * jit/ThunkGenerators.cpp:
+        * jit/ThunkGenerators.h:
+
+2011-06-30  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Beth Dakin.
+
+        Make GC validation clear cell structure on destruction
+        https://bugs.webkit.org/show_bug.cgi?id=63778
+
+        * runtime/JSCell.h:
+        (JSC::JSCell::JSCell::~JSCell):
+
+2011-06-30  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Added write barrier that was missing from put_by_id_transition
+        https://bugs.webkit.org/show_bug.cgi?id=63775
+
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::writeBarrier): Made this static with a
+        MacroAssembler& argument so our patching functions could use it.
+
+        (JSC::DFG::JITCodeGenerator::cachedPutById):
+        * dfg/DFGJITCodeGenerator.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile): Updated for signature change.
+
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::tryCachePutByID): Missing barrier!
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Updated for signature change.
+
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::privateCompilePutByIdTransition):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::privateCompilePutByIdTransition):
+        * jit/JSInterfaceJIT.h: Same game here. Removed storePtrWithWriteBarrier
+        because its meaning isn't clear -- maybe in the future we'll have a
+        clear way to pass all stores through a common function that guarantees
+        a write barrier, but that's not the case right now.
+
+2011-06-30  Filip Pizlo  <fpizlo@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        DFG non-speculative JIT does not reuse registers when compiling comparisons.
+        https://bugs.webkit.org/show_bug.cgi?id=63565
+
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
+        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
+        (JSC::DFG::NonSpeculativeJIT::compare):
+
+2011-06-30  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Added empty write barrier stubs in all the right places in the DFG JIT
+        https://bugs.webkit.org/show_bug.cgi?id=63764
+        
+        SunSpider thinks this might be a 0.5% speedup. Meh.
+
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::writeBarrier): Le stub.
+
+        (JSC::DFG::JITCodeGenerator::cachedPutById): Don't do anything special
+        for the case where base == scratch, since we now require base and scratch
+        to be not equal, for the sake of the write barrier.
+
+        * dfg/DFGJITCodeGenerator.h: Le stub.
+
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile): Don't reuse the base register
+        as the scratch register, since that's incompatible with the write barrier,
+        which needs a distinct base and scratch.
+        
+        Do put the global object into a register before loading its var storage,
+        since it needs to be in a register for the write barrier to operate on it.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitWriteBarrier): Second verse, same as the first.
+
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_get_scoped_var):
+        (JSC::JIT::emit_op_put_scoped_var):
+        (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more
+        places.
+
+        (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function
+        is a little more than meaningless.
+
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_get_scoped_var):
+        (JSC::JIT::emit_op_put_scoped_var):
+        (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more
+        places.
+
+        (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function
+        is a little more than meaningless.
+
+        * runtime/JSVariableObject.h:
+        (JSC::JSVariableObject::offsetOfRegisters): Now used by the JIT, since
+        we put the global object in a register and only then load its var storage
+        by offset.
+
+        (JSC::JIT::emitWriteBarrier):
+
+2011-06-30  Oliver Hunt  <oliver@apple.com>
+
+        Fix ARMv6 build
+
+        * assembler/MacroAssemblerARM.h:
+        (JSC::MacroAssemblerARM::rshift32):
+
+2011-06-30  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Add optimised paths for a few maths functions
+        https://bugs.webkit.org/show_bug.cgi?id=63757
+
+        This adds specialised thunks for Math.abs, Math.round, Math.ceil,
+        Math.floor, Math.log, and Math.exp as they are apparently more
+        important in real web content than we thought, which is somewhat
+        mind-boggling.  On average doubles the performance of the common
+        cases (eg. actually passing numbers in).  They're not as efficient
+        as they could be, but this way gives them the most portability.
+
+        * assembler/MacroAssemblerARM.h:
+        (JSC::MacroAssemblerARM::supportsDoubleBitops):
+        (JSC::MacroAssemblerARM::andnotDouble):
+        * assembler/MacroAssemblerARMv7.h:
+        (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
+        (JSC::MacroAssemblerARMv7::andnotDouble):
+        * assembler/MacroAssemblerMIPS.h:
+        (JSC::MacroAssemblerMIPS::andnotDouble):
+        (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
+        * assembler/MacroAssemblerSH4.h:
+        (JSC::MacroAssemblerSH4::supportsDoubleBitops):
+        (JSC::MacroAssemblerSH4::andnotDouble):
+        * assembler/MacroAssemblerX86.h:
+        (JSC::MacroAssemblerX86::supportsDoubleBitops):
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86Common::andnotDouble):
+        * assembler/MacroAssemblerX86_64.h:
+        (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::andnpd_rr):
+        * create_hash_table:
+        * jit/SpecializedThunkJIT.h:
+        (JSC::SpecializedThunkJIT::finalize):
+        (JSC::SpecializedThunkJIT::callDoubleToDouble):
+        * jit/ThunkGenerators.cpp:
+        (JSC::floorThunkGenerator):
+        (JSC::ceilThunkGenerator):
+        (JSC::roundThunkGenerator):
+        (JSC::expThunkGenerator):
+        (JSC::logThunkGenerator):
+        (JSC::absThunkGenerator):
+        * jit/ThunkGenerators.h:
+
+2011-06-30  Cary Clark  <caryclark@google.com>
+
+        Reviewed by James Robinson.
+
+        Use Skia if Skia on Mac Chrome is enabled
+        https://bugs.webkit.org/show_bug.cgi?id=62999
+
+        * wtf/Platform.h:
+        Add switch to use Skia if, externally,
+        Skia has been enabled by a gyp define.
+
+2011-06-30  Juan C. Montemayor  <jmont@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Web Inspector fails to display source for eval with syntax error
+        https://bugs.webkit.org/show_bug.cgi?id=63583
+
+        Web Inspector now displays a link to an eval statement that contains
+        a syntax error.
+
+        * parser/Parser.h:
+        (JSC::isEvalNode):
+        (JSC::EvalNode):
+        (JSC::Parser::parse):
+
+2011-06-30  Filip Pizlo  <fpizlo@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        X86Assembler does not encode byte registers in 64-bit mode correctly.
+        https://bugs.webkit.org/show_bug.cgi?id=63665
+
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::testb_rr):
+        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
+
+2011-06-30  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r90102.
+        http://trac.webkit.org/changeset/90102
+        https://bugs.webkit.org/show_bug.cgi?id=63714
+
+        Lots of tests asserting beneath
+        SVGSMILElement::findInstanceTime (Requested by aroben on
+        #webkit).
+
+        * wtf/StdLibExtras.h:
+        (WTF::binarySearch):
+
+2011-06-30  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>
+
+        Reviewed by Nikolas Zimmermann.
+
+        Speed up SVGSMILElement::findInstanceTime.
+        https://bugs.webkit.org/show_bug.cgi?id=61025
+
+        Add a new parameter to StdlibExtras.h::binarySerarch function
+        to also handle cases when the array does not contain the key value.
+        This is needed for an svg function.
+
+        * wtf/StdLibExtras.h:
+        (WTF::binarySearch):
+
+2011-06-29  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Geoff Garen.
+
+        https://bugs.webkit.org/show_bug.cgi?id=63669
+        DFG JIT - fix spectral-norm regression
+
+        The problem is a mis-speculation leading to us falling off the speculative path.
+        Make the speculation logic slightly smarter, don't predict int if one of the
+        operands is already loaded as a double (we use this logic already for compares).
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):
+
+2011-06-29  Filip Pizlo  <fpizlo@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        DFG JIT does not do put_by_id transition caching.
+        https://bugs.webkit.org/show_bug.cgi?id=63662
+
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::cachedPutById):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::addPropertyAccess):
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::testPrototype):
+        (JSC::DFG::tryCachePutByID):
+
+2011-06-29  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        Added a dummy write barrier emitting function in all the right places in the old JIT
+        https://bugs.webkit.org/show_bug.cgi?id=63667
+        
+        SunSpider reports no change.
+
+        * jit/JIT.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_put_by_id):
+        (JSC::JIT::emit_op_put_scoped_var): Do it.
+
+        (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
+        for the sake of the write barrier.
+
+        (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!
+
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_put_by_val):
+        (JSC::JIT::emit_op_put_by_id):
+        (JSC::JIT::emit_op_put_scoped_var): Do it.
+
+        (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
+        for the sake of the write barrier.
+
+        (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!
+
+2011-06-29  Filip Pizlo  <fpizlo@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        DFG JIT does not perform get_by_id self list caching.
+        https://bugs.webkit.org/show_bug.cgi?id=63605
+
+        * bytecode/StructureStubInfo.h:
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileFunction):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::tryCacheGetByID):
+        (JSC::DFG::tryBuildGetByIDList):
+        (JSC::DFG::dfgBuildGetByIDList):
+        * dfg/DFGRepatch.h:
+
+2011-06-28  Filip Pizlo  <fpizlo@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        DFG JIT lacks array.length caching.
+        https://bugs.webkit.org/show_bug.cgi?id=63505
+
+        * bytecode/StructureStubInfo.h:
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::cachedGetById):
+        (JSC::DFG::JITCodeGenerator::cachedPutById):
+        * dfg/DFGJITCodeGenerator.h:
+        (JSC::DFG::JITCodeGenerator::tryAllocate):
+        (JSC::DFG::JITCodeGenerator::selectScratchGPR):
+        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileFunction):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::addPropertyAccess):
+        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
+        * dfg/DFGRegisterBank.h:
+        (JSC::DFG::RegisterBank::tryAllocate):
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::tryCacheGetByID):
+
+2011-06-28  Pierre Rossi  <pierre.rossi@gmail.com>
+
+        Reviewed by Eric Seidel.
+
+        Warnings in JSC's JIT on 32 bit
+        https://bugs.webkit.org/show_bug.cgi?id=63259
+
+        Fairly straightforward, just use ASSERT_JIT_OFFSET_UNUSED when it applies.
+
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_method_check):
+        (JSC::JIT::compileGetByIdHotPath):
+        (JSC::JIT::emit_op_put_by_id):
+
+2011-06-28  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r89968.
+        http://trac.webkit.org/changeset/89968
+        https://bugs.webkit.org/show_bug.cgi?id=63581
+
+        Broke chromium windows compile (Requested by jamesr on
+        #webkit).
+
+        * wtf/Platform.h:
+
+2011-06-28  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Fix sampling build
+        https://bugs.webkit.org/show_bug.cgi?id=63579
+
+        Gets opcode sampling building again, doesn't seem to work alas
+
+        * bytecode/SamplingTool.cpp:
+        (JSC::SamplingTool::notifyOfScope):
+        * bytecode/SamplingTool.h:
+        (JSC::SamplingTool::SamplingTool):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::enableSampler):
+        * runtime/Executable.h:
+        (JSC::ScriptExecutable::ScriptExecutable):
+
+2011-06-28  Cary Clark  <caryclark@google.com>
+
+        Reviewed by James Robinson.
+
+        Use Skia if Skia on Mac Chrome is enabled
+        https://bugs.webkit.org/show_bug.cgi?id=62999
+
+        * wtf/Platform.h:
+        Add switch to use Skia if, externally,
+        Skia has been enabled by a gyp define.
+
+2011-06-28  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        ASSERT when launching debug builds with interpreter and jit enabled
+        https://bugs.webkit.org/show_bug.cgi?id=63566
+
+        Add appropriate guards to the various Executable's memory reporting
+        logic.
+
+        * runtime/Executable.cpp:
+        (JSC::EvalExecutable::compileInternal):
+        (JSC::ProgramExecutable::compileInternal):
+        (JSC::FunctionExecutable::compileForCallInternal):
+        (JSC::FunctionExecutable::compileForConstructInternal):
+
+2011-06-28  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        https://bugs.webkit.org/show_bug.cgi?id=63563
+        DFG JIT - add support for double arith to speculative path
+
+        Add integer support for div & mod, add double support for div, mod,
+        add, sub & mul, dynamically selecting based on operand types.
+
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::FPRTemporary::FPRTemporary):
+        * dfg/DFGJITCodeGenerator.h:
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::assembler):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
+        (JSC::DFG::SpeculateDoubleOperand::~SpeculateDoubleOperand):
+        (JSC::DFG::SpeculateDoubleOperand::index):
+        (JSC::DFG::SpeculateDoubleOperand::fpr):
+
+2011-06-28  Oliver Hunt  <oliver@apple.com>
+
+        Fix interpreter build.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+
+2011-06-28  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        https://bugs.webkit.org/show_bug.cgi?id=63561
+        DFG JIT - don't always assume integer in relational compare
+
+        If neither operand is known integer, or either is in double representation,
+        then at least use a function call (don't bail off the speculative path).
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::isDataFormatDouble):
+        (JSC::DFG::SpeculativeJIT::compareIsInteger):
+
+2011-06-28  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Make constant array optimisation less strict about what constitutes a constant
+        https://bugs.webkit.org/show_bug.cgi?id=63554
+
+        Now allow string constants in array literals to actually be considered constant,
+        and so avoid codegen in array literals with strings in them.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::addConstantBuffer):
+        (JSC::CodeBlock::constantBuffer):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::addConstantBuffer):
+        (JSC::BytecodeGenerator::addStringConstant):
+        (JSC::BytecodeGenerator::emitNewArray):
+        * bytecompiler/BytecodeGenerator.h:
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+
+2011-06-28  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        https://bugs.webkit.org/show_bug.cgi?id=63560
+        DFG_JIT allow allocation of specific machine registers
+
+        This allow us to allocate the registers necessary to perform x86
+        idiv instructions for div/mod, and may be useful for shifts, too.
+
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::GPRTemporary::GPRTemporary):
+        * dfg/DFGJITCodeGenerator.h:
+        (JSC::DFG::JITCodeGenerator::allocate):
+        (JSC::DFG::GPRResult::GPRResult):
+        * dfg/DFGRegisterBank.h:
+        (JSC::DFG::RegisterBank::allocateSpecific):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::isInteger):
+
+2011-06-28  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        https://bugs.webkit.org/show_bug.cgi?id=55040
+        RegExp constructor returns the argument regexp instead of a new object
+
+        Per 15.10.3.1, our current behaviour is correct if called as a function,
+        but incorrect when called as a constructor.
+
+        * runtime/RegExpConstructor.cpp:
+        (JSC::constructRegExp):
+        (JSC::constructWithRegExpConstructor):
+        * runtime/RegExpConstructor.h:
+
+2011-06-28  Luke Macpherson   <macpherson@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Clean up integer clamping functions in MathExtras.h and support arbitrary numeric types and limits.
+        https://bugs.webkit.org/show_bug.cgi?id=63469
+
+        * wtf/MathExtras.h:
+        (defaultMinimumForClamp):
+        Version of std::numeric_limits::min() that returns the largest negative value for floating point types.
+        (defaultMaximumForClamp):
+        Symmetric alias for std::numeric_limits::max()
+        (clampTo):
+        New templated clamping function that supports arbitrary output types.
+        (clampToInteger):
+        Use new clampTo template.
+        (clampToFloat):
+        Use new clampTo template.
+        (clampToPositiveInteger):
+        Use new clampTo template.
+
+2011-06-28  Adam Roben  <aroben@apple.com>
+
+        Windows Debug build fix after r89885
+
+        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Exported
+        JSGlobalData::releaseExecutableMemory for jsc.exe's benefit.
+
+2011-06-28  Shinya Kawanaka  <shinyak@google.com>
+
+        Reviewed by Kent Tamura.
+
+        Add const to show() method in WTFString and AtomicString.
+        https://bugs.webkit.org/show_bug.cgi?id=63515
+
+        The lack of const in show() method is painful when
+        doing something like printf-debug.
+
+        * wtf/text/AtomicString.cpp:
+        (WTF::AtomicString::show):
+        * wtf/text/AtomicString.h:
+        * wtf/text/WTFString.cpp:
+        (String::show):
+        * wtf/text/WTFString.h:
+
+2011-06-27  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Build fix attempt after r89885.
+
+        * JavaScriptCore.exp:
+        * jsc.cpp:
+
+2011-06-27  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Support throwing away non-running code even while other code is running
+        https://bugs.webkit.org/show_bug.cgi?id=63485
+
+        Add a function to CodeBlock to support unlinking direct linked callsites,
+        and then with that in place add logic to discard code from any function
+        that is not currently on the stack.
+
+        The unlinking completely reverts any optimized call sites, such that they
+        may be relinked again in future.
+
+        * JavaScriptCore.exp:
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::unlinkCalls):
+        (JSC::CodeBlock::clearEvalCache):
+        * bytecode/CodeBlock.h:
+        (JSC::CallLinkInfo::CallLinkInfo):
+        (JSC::CallLinkInfo::unlink):
+        * bytecode/EvalCodeCache.h:
+        (JSC::EvalCodeCache::clear):
+        * heap/Heap.cpp:
+        (JSC::Heap::getConservativeRegisterRoots):
+        * heap/Heap.h:
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompile):
+        * jit/JIT.h:
+        * jit/JITCall.cpp:
+        (JSC::JIT::compileOpCall):
+        * jit/JITWriteBarrier.h:
+        (JSC::JITWriteBarrierBase::clear):
+        * jsc.cpp:
+        (GlobalObject::GlobalObject):
+        (functionReleaseExecutableMemory):
+        * runtime/Executable.cpp:
+        (JSC::EvalExecutable::unlinkCalls):
+        (JSC::ProgramExecutable::unlinkCalls):
+        (JSC::FunctionExecutable::discardCode):
+        (JSC::FunctionExecutable::unlinkCalls):
+        * runtime/Executable.h:
+        * runtime/JSGlobalData.cpp:
+        (JSC::SafeRecompiler::returnValue):
+        (JSC::SafeRecompiler::operator()):
+        (JSC::JSGlobalData::releaseExecutableMemory):
+
+2011-06-27  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Darin Adler & Oliver Hunt.
+
+        https://bugs.webkit.org/show_bug.cgi?id=50554
+        RegExp.prototype.toString does not escape slashes
+
+        The problem here is that we don't escape forwards slashes when converting
+        a RegExp to a string. This means that RegExp("/").toString() is "///",
+        which is not a valid RegExp literal. Also, we return an invalid literal
+        for RegExp.prototype.toString() ("//", which is an empty single-line comment).
+
+        From ES5:
+        "NOTE: The returned String has the form of a RegularExpressionLiteral that
+        evaluates to another RegExp object with the same behaviour as this object."
+
+        * runtime/RegExpObject.cpp:
+        (JSC::regExpObjectSource):
+            - Escape forward slashes when getting the source of a RegExp.
+        * runtime/RegExpPrototype.cpp:
+        (JSC::regExpProtoFuncToString):
+            - Remove unnecessary and erroneous hack to return "//" as the string
+            representation of RegExp.prototype. This is not a valid RegExp literal
+            (it is an empty single-line comment).
+
+2011-06-27  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        https://bugs.webkit.org/show_bug.cgi?id=63497
+        Add DEBUG_WITH_BREAKPOINT support to the DFG JIT.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGNode.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2011-06-27  Juan C. Montemayor  <jmont@apple.com>
+
+        Reviewed by Mark Rowe.
+
+        Indirectly including TextPosition.h and XPathGrammar.h causes compile errors
+        https://bugs.webkit.org/show_bug.cgi?id=63392
+        
+        When both TextPosition.h and XPathGrammar.h are included a compile-error
+        is caused, since XPathGrammar.h defines a macro called NUMBER and 
+        TextPosition has a typedef named NUMBER.
+
+        * wtf/text/TextPosition.h:
+        (WTF::TextPosition::TextPosition):
+        (WTF::TextPosition::minimumPosition):
+        (WTF::TextPosition::belowRangePosition):
+
+2011-06-27  Filip Pizlo  <fpizlo@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        DFG JIT does not perform put_by_id caching.
+        https://bugs.webkit.org/show_bug.cgi?id=63409
+
+        * bytecode/StructureStubInfo.h:
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::cachedPutById):
+        * dfg/DFGJITCodeGenerator.h:
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::compileFunction):
+        * dfg/DFGJITCompiler.h:
+        (JSC::DFG::JITCompiler::addPropertyAccess):
+        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::dfgRepatchByIdSelfAccess):
+        (JSC::DFG::tryCacheGetByID):
+        (JSC::DFG::appropriatePutByIdFunction):
+        (JSC::DFG::tryCachePutByID):
+        (JSC::DFG::dfgRepatchPutByID):
+        * dfg/DFGRepatch.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2011-06-27  Gustavo Noronha Silva  <gns@gnome.org>
+
+        Unreviewed build fix. One more filed missing during distcheck, for
+        the MIPS build.
+
+        * GNUmakefile.list.am:
+
+2011-06-26  Filip Pizlo  <fpizlo@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        DFG non-speculative JIT has potentially harmful speculations with respect to arithmetic operations.
+        https://bugs.webkit.org/show_bug.cgi?id=63347
+
+        * dfg/DFGNonSpeculativeJIT.cpp:
+            - Changed arithmetic operations to speculate in favor of integers.
+        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
+        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
+        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGNonSpeculativeJIT.h:
+        * dfg/DFGOperations.cpp:
+            - Added slow-path routines for arithmetic that perform no speculation; the
+              non-speculative JIT will generate calls to these in cases where its
+              speculation fails.
+        * dfg/DFGOperations.h:
+
+2011-06-24  Nikolas Zimmermann  <nzimmermann@rim.com>
+
+        Reviewed by Rob Buis.
+
+        Integrate SVG Fonts within GlyphPage concept, removing the special SVG code paths from Font, making it possible to reuse the simple text code path for SVG Fonts
+        https://bugs.webkit.org/show_bug.cgi?id=59085
+
+        * wtf/Platform.h: Force Qt-EWS into a full rebuild, otherwhise this patch breaks the EWS.
+
+2011-06-24  Michael Saboff  <msaboff@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Arm Assembler, Immediate stack offset values truncated to 8 bits for add & sub
+        https://bugs.webkit.org/show_bug.cgi?id=63345
+
+        The methods ARMThumbImmediate::getUInt9 and ARMThumbImmediate::getUInt10
+        return 9 and 10 bit quantities, therefore changed their return type from
+        uint8_t to uint16_t.  Also casted the places where they are used as they
+        are currently shifted and used as 7 or 8 bit values.
+
+        These methods are currently used for literals for stack offsets, 
+        including creating and destroying stack frames.  The prior truncation of
+        the upper bits caused stack frames to be too small, thus allowing a
+        JIT'ed function to access and overwrite stack space outside of the
+        incorrectly sized stack frame.
+
+        * assembler/ARMv7Assembler.h:
+        (JSC::ARMThumbImmediate::getUInt9):
+        (JSC::ARMThumbImmediate::getUInt10):
+        (JSC::ARMv7Assembler::add):
+        (JSC::ARMv7Assembler::ldr):
+        (JSC::ARMv7Assembler::str):
+        (JSC::ARMv7Assembler::sub):
+        (JSC::ARMv7Assembler::sub_S):
+
+2011-06-24  Michael Saboff  <msaboff@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        releaseFastMallocFreeMemory doesn't adjust free counts for scavenger
+        https://bugs.webkit.org/show_bug.cgi?id=63015
+
+        Added code to adjust class TCMalloc_PageHeap variables free_committed_pages_ and
+        min_free_committed_pages_since_last_scavenge_ in ReleaseFreeList().  These 
+        adjustments are a bug.  These need to reflect the pages that are released
+        in ReleaseFreeLsit so that scavenge doesn't try to free that many pages as well.
+        Made ReleaseFreeList a member of TCMalloc_PageHeap in the process.  Updated
+        Check() and helper method CheckList() to check the number of actual free pages
+        with free_committed_pages_.
+
+        The symptom of the problem of the existing code is that the scavenger may
+        run unneccesarily without any real work to do, i.e. pages on the free lists.
+        The scanvenger would also end up freeing too many pages, that is going below 
+        the current 528 target free pages.
+
+        Note that the style of the changes was kept consistent with the
+        existing style.
+
+        * wtf/FastMalloc.cpp:
+        (WTF::TCMalloc_PageHeap::Check):
+        (WTF::TCMalloc_PageHeap::CheckList):
+        (WTF::TCMalloc_PageHeap::ReleaseFreeList):
+
+2011-06-24  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        Match other clampTo* functions in style with clampToInteger(float)
+        function.
+        https://bugs.webkit.org/show_bug.cgi?id=53449
+
+        * wtf/MathExtras.h:
+        (clampToInteger):
+        (clampToFloat):
+        (clampToPositiveInteger):
+
+2011-06-24  Sheriff Bot  <webkit.review.bot@gmail.com>
+
+        Unreviewed, rolling out r89594.
+        http://trac.webkit.org/changeset/89594
+        https://bugs.webkit.org/show_bug.cgi?id=63316
+
+        It broke 5 tests on the Qt bot (Requested by Ossy_DC on
+        #webkit).
+
+        * GNUmakefile.list.am:
+        * JavaScriptCore.gypi:
+        * icu/unicode/uscript.h: Removed.
+        * wtf/unicode/ScriptCodesFromICU.h: Removed.
+        * wtf/unicode/brew/UnicodeBrew.h:
+        * wtf/unicode/glib/UnicodeGLib.h:
+        * wtf/unicode/icu/UnicodeIcu.h:
+        * wtf/unicode/qt4/UnicodeQt4.h:
+        * wtf/unicode/wince/UnicodeWinCE.h:
+
+2011-06-23  Filip Pizlo  <fpizlo@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        DFG non-speculative JIT should have obvious optimizations for GetById and GetByVal
+        https://bugs.webkit.org/show_bug.cgi?id=63173
+
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::cachedGetById):
+        * dfg/DFGJITCodeGenerator.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2011-06-23  Oliver Hunt  <oliver@apple.com>
+
+        Fix Qt again.
+
+        * assembler/ARMAssembler.h:
+        (JSC::ARMAssembler::readPointer):
+
 2011-06-23  Oliver Hunt  <oliver@apple.com>
 
         Fix Qt Build