Remove unused data member from Lexer class

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2012-04-10  Darin Adler  <darin@apple.com>

        Remove unused data member from Lexer class
        https://bugs.webkit.org/show_bug.cgi?id=83429

        Reviewed by Kentaro Hara.

        I noticed that m_delimited was "write-only", so I deleted it.

        * parser/Lexer.cpp:
        (JSC::Lexer::setCode): Removed code to set m_delimited.
        (JSC::Lexer::parseIdentifier): Ditto.
        (JSC::Lexer::parseIdentifierSlowCase): Ditto.
        (JSC::Lexer::lex): Ditto.
        * parser/Lexer.h: Deleted m_delimited.

2012-04-10  Patrick Gansterer  <paroga@webkit.org>

        [CMake] Enable USE_FOLDERS property
        https://bugs.webkit.org/show_bug.cgi?id=83571

        Reviewed by Daniel Bates.

        Setting the FOLDER property on targets gives more structure 
        to the generated Visual Studio solutions.
        This does not affect other CMake generators.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2012-04-10  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to see why a code block was not compiled by the DFG
        https://bugs.webkit.org/show_bug.cgi?id=83553

        Reviewed by Geoff Garen.
        
        If DFG_ENABLE(DEBUG_VERBOSE) and a code block is rejected, then print the
        opcode that caused the rejection.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        (DFG):
        (JSC::DFG::canHandleOpcodes):

2012-04-09  Gavin Barraclough  <barraclough@apple.com>

        If a callback constructor returns a C++ null, throw a type error.
        https://bugs.webkit.org/show_bug.cgi?id=83537

        Rubber Stamped by Geoff Garen.

        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
            - If a callback constructor returns a C++ null, throw a type error.
        * API/tests/testapi.c:
        (Base_returnHardNull):
        * API/tests/testapi.js:
            - Add a test case for callback constructors that return a C++ null.

2012-04-09  Gavin Barraclough  <barraclough@apple.com>

        If a callback function returns a C++ null, convert to undefined.
        https://bugs.webkit.org/show_bug.cgi?id=83534

        Reviewed by Geoff Garen.

        * API/JSCallbackFunction.cpp:
            - If a callback function returns a C++ null, convert to undefined.
        (JSC::JSCallbackFunction::call):
        * API/tests/testapi.c:
        (Base_returnHardNull):
        * API/tests/testapi.js:
            - Add a test case for callback functions that return a C++ null.

2012-04-09  Filip Pizlo  <fpizlo@apple.com>

        Classic interpreter's GC hooks shouldn't attempt to scan instructions for code blocks that
        are currently being generated
        https://bugs.webkit.org/show_bug.cgi?id=83531
        <rdar://problem/11215200>

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):

2012-04-09  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, modernize and clean up uses of ARM assembly mnemonics in inline asm blocks.

        * dfg/DFGOperations.cpp:
        (JSC):
        * offlineasm/armv7.rb:

2012-04-09  Patrick Gansterer  <paroga@webkit.org>

        Remove HAVE_STDINT_H
        https://bugs.webkit.org/show_bug.cgi?id=83434

        Reviewed by Kentaro Hara.

        HAVE_STDINT_H is defined with 1 all the time and we us stdint.h without HAVE(STDINT_H) already.

        * config.h:

2012-04-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should not load the property storage if it is inline.
        https://bugs.webkit.org/show_bug.cgi?id=83455

        Reviewed by Gavin Barraclough.
        
        We had previously decided to have all property storage accesses go through
        the property storage pointer even if they don't "really" have to, because
        we were thinking this would help GC barriers somehow. Well, we never ended
        up doing anything with that. Hence, doing these wasted loads of the
        property storage pointer when the storage is inline is just a waste of CPU
        cycles.
        
        This change makes the DFG's inline property accesses (GetByOffset and
        PutByOffset) go directly to the inline property storage if the structure(s)
        tell us that it's OK.
        
        This looks like an across-the-board 1% win.

        * bytecode/StructureSet.h:
        (JSC):
        (JSC::StructureSet::allAreUsingInlinePropertyStorage):
        (StructureSet):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillStorage):

2012-04-08  Filip Pizlo  <fpizlo@apple.com>

        Command-line jsc's exception handling should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=83437

        Reviewed by Dan Bernstein.
        
        - If an exception is thrown during run() execution, it is now propagated,
          so that it will terminate program execution unless it is caught.
          
        - If program execution terminates with an exception, the exception is now
          always printed.
          
        - When printing the exception, the backtrace is now also printed if one is
          available. It will only not be available if you use something akin to my
          favorite line of code, 'throw "error"', since primitives don't have
          properties and hence we cannot attach a "stack" property to them.

        * jsc.cpp:
        (functionRun):
        (runWithScripts):

2012-04-04  Filip Pizlo  <fpizlo@apple.com>

        Forced OSR exits should lead to recompilation based on count, not rate
        https://bugs.webkit.org/show_bug.cgi?id=83247
        <rdar://problem/10720925>

        Reviewed by Geoff Garen.
        
        Track which OSR exits happen because of inadequate coverage. Count them
        separately. If the count reaches a threshold, immediately trigger
        reoptimization.
        
        This is in contrast to the recompilation trigger for all other OSR exits.
        Normally recomp is triggered when the exit rate exceeds a certain ratio.
        
        Looks like a slight V8 speedup (sub 1%).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::forcedOSRExitCounter):
        (JSC::CodeBlock::addressOfForcedOSRExitCounter):
        (JSC::CodeBlock::offsetOfForcedOSRExitCounter):
        (JSC::CodeBlock::shouldReoptimizeNow):
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
        (CodeBlock):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::exitKindToString):
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExitCompiler::handleExitCounts):
        (DFG):
        * dfg/DFGOSRExitCompiler.h:
        (OSRExitCompiler):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Options.cpp:
        (Options):
        (JSC::Options::initializeOptions):
        * runtime/Options.h:
        (Options):

2012-04-06  Benjamin Poulain  <bpoulain@apple.com>

        Do not abuse ArrayStorage's m_length for testing array consistency
        https://bugs.webkit.org/show_bug.cgi?id=83403

        Reviewed by Geoffrey Garen.

        Array creation from a list of values is a 3 steps process:
        -JSArray::tryCreateUninitialized()
        -JSArray::initializeIndex() for each values
        -JSArray::completeInitialization()

        Previously, the attribute m_length was not set to the final size
        JSArray::tryCreateUninitialized() because it was used to test the array
        consistency JSArray::initializeIndex().

        This caused the initialization loop using JSArray::initializeIndex() maintain
        two counters:
        -index of the loop
        -storage->m_length++

        This patch fixes this by using the index of the initialization loop for the indinces of
        JSArray::initializeIndex(). For testing consistency, the variable m_initializationIndex
        is introduced if CHECK_ARRAY_CONSISTENCY is defined.

        The patch also fixes minor unrelated build issue when CHECK_ARRAY_CONSISTENCY is defined.

        This improves the performance of JSArray creation from literals by 8%.

        * runtime/JSArray.cpp:
        (JSC::JSArray::tryFinishCreationUninitialized):
        (JSC::JSArray::checkConsistency):
        * runtime/JSArray.h:
        (ArrayStorage):
        (JSC::JSArray::initializeIndex):
        (JSC::JSArray::completeInitialization):

2012-04-06  Jon Lee  <jonlee@apple.com>

        Build fix for Windows bots.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: export missing symbol.

2012-04-06  Geoffrey Garen  <ggaren@apple.com>

        Renamed

                WeakHeap => WeakSet
                HandleHeap => HandleSet

        Reviewed by Sam Weinig.

        These sets do have internal allocators, but it's confusing to call them
        heaps because they're sub-objects of an object called "heap".

        * heap/HandleHeap.cpp: Removed.
        * heap/HandleHeap.h: Removed.
        * heap/HandleSet.cpp: Copied from JavaScriptCore/heap/HandleHeap.cpp.
        * heap/WeakHeap.cpp: Removed.
        * heap/WeakHeap.h: Removed.
        * heap/WeakSet.cpp: Copied from JavaScriptCore/heap/WeakHeap.cpp.
        * heap/WeakSet.h: Copied from JavaScriptCore/heap/WeakHeap.h.

        Plus global rename using grep.

2012-04-06  Dan Bernstein  <mitz@apple.com>

        <rdar://problem/10912476> HiDPI: Have canvas use a hidpi backing store, but downsample upon access

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig: Added ENABLE_HIGH_DPI_CANVAS.

2012-04-06  Rob Buis  <rbuis@rim.com>

        Fix cast-align warnings in JSC
        https://bugs.webkit.org/show_bug.cgi?id=80790

        Reviewed by George Staikos.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::computeJumpType):
        (JSC::ARMv7Assembler::link):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::linkCode):
        * heap/MarkStack.cpp:
        (JSC::SlotVisitor::copyAndAppend):
        * runtime/JSArray.cpp:
        (JSC::JSArray::visitChildren):
        * wtf/RefCountedArray.h:
        (WTF::RefCountedArray::Header::payload):

2012-04-06  Darin Adler  <darin@apple.com>

        Streamline strtod and fix some related problems
        https://bugs.webkit.org/show_bug.cgi?id=82857

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp:
        (JSC::Lexer<>::lex): Use parseDouble. Since we have already scanned the number
        and we know it has only correct characters, leading spaces, trailing junk, and
        trailing spaces are not a possibility. No need to add a trailing null character.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt): Changed overflow based 10 case to use parseDouble. No need
        to allow trailing junk since the code above already allows only numeric digits
        in the string. This code path is used only in unusual cases, so it's not
        optimized for 8-bit strings, but easily could be.
        (JSC::jsStrDecimalLiteral): Removed the allow trailing junk argument to this
        function template because all the callers are OK with trailing junk. Use the
        parseDouble function. No need to copy the data into a byte buffer, because
        parseDouble handles that.
        (JSC::toDouble): Got rid of the DisallowTrailingJunk argument to the
        jsStrDecimalLiteral function template. That's OK because this function
        already checks for trailing junk and handles it appropriately. The old code
        path was doing it twice.
        (JSC::parseFloat): Got rid of the AllowTrailingJunk argument to the
        jsStrDecimalLiteral function template; the template allows junk unconditionally.

        * runtime/LiteralParser.cpp:
        (JSC::::Lexer::lexNumber): Use parseDouble. Since we have already scanned the number
        and we know it has only correct characters, leading spaces, trailing junk, and
        trailing spaces are not a possibility. No need to add a trailing null character.
        No need to copy the data into a byte buffer, because parseDouble handles that.
        We could optimize the UChar case even more because we know all the characters
        are ASCII, but not doing that at this time.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Updated.

2012-04-06  Patrick Gansterer  <paroga@webkit.org>

        Remove JSC dependency from GregorianDateTime
        https://bugs.webkit.org/show_bug.cgi?id=83290

        Reviewed by Geoffrey Garen.

        This allows us to move it to WTF later.

        * runtime/DateConstructor.cpp:
        (JSC::callDate):
        * runtime/JSDateMath.h:

2012-04-05  Michael Saboff  <msaboff@apple.com>

        Call Heap::discardAllCompiledCode() in low memory situations
        https://bugs.webkit.org/show_bug.cgi?id=83335

        Reviewed by Geoffrey Garen.

        Restructured Heap::discardAllCompiledCode() to do the "Is JavaScriptRunning?"
        check inline so that it can be called directly without this check.

        * heap/Heap.cpp:
        (JSC::Heap::discardAllCompiledCode):
        (JSC::Heap::collectAllGarbage):
        * heap/Heap.h: Added JS_EXPORT_PRIVATE to discardAllCompiledCode() so it can be
        called from WebCore.
        (Heap):
        * runtime/JSGlobalData.h: Removed unused " void discardAllCompiledCode()" declaration.
        (JSGlobalData):

2012-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Speed up the conversion from JSValue to String for bulk operations
        https://bugs.webkit.org/show_bug.cgi?id=83243

        Reviewed by Geoffrey Garen.

        When making operations on primitive types, we loose some time converting
        values to JSString in order to extract the string.

        This patch speeds up some basic Array operations by avoiding the creation
        of intermediary JSString when possible.

        For the cases where we need to convert a lot of JSValue in a tight loop,
        an inline conversion is used.

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncSort):
        * runtime/CommonIdentifiers.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::sort):
        * runtime/JSString.h:
        (JSC::JSValue::toUString):
        (JSC):
        (JSC::inlineJSValueNotStringtoUString):
        (JSC::JSValue::toUStringInline):
        * runtime/JSValue.cpp:
        (JSC::JSValue::toUStringSlowCase):
        (JSC):
        * runtime/JSValue.h:
        (JSValue):

2012-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Use QuickSort when sorting primitive values by string representation
        https://bugs.webkit.org/show_bug.cgi?id=83312

        Reviewed by Gavin Barraclough.

        When the value we are sorting are all primitive values, we do not need to
        ensure a stable sort as two values with equal string representation are
        indistinguishable from JavaScript.

        This gives about 16% performance increase when sorting primitive values.

        * runtime/JSArray.cpp:
        (JSC::JSArray::sort):

2012-04-05  Oliver Hunt  <oliver@apple.com>

        SIGILL in JavaScriptCore on a Geode processor
        https://bugs.webkit.org/show_bug.cgi?id=82496

        Reviewed by Gavin Barraclough.

        Don't attempt to use the DFG when SSE2 is not available.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::canCompileOpcodes):

2012-04-05  Oliver Hunt  <oliver@apple.com>

        Fix 32-bit build.

        * API/APICast.h:
        (toJS):

2012-04-05  Oliver Hunt  <oliver@apple.com>

        Replace static_cast with jsCast when casting JSCell subclasses in JSC
        https://bugs.webkit.org/show_bug.cgi?id=83307

        Reviewed by Gavin Barraclough.

        Replace all usage of static_cast<JSCell subtype*> with jsCast<> in JavaScriptCore.
        This results in assertions when unsafe casts are performed, but simply leaves
        a static_cast<> in release builds.

        * API/APICast.h:
        (toJS):
        * API/JSCallbackConstructor.cpp:
        (JSC::constructJSCallback):
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::asCallbackObject):
        (JSC::::finishCreation):
        (JSC::::construct):
        (JSC::::call):
        * API/JSObjectRef.cpp:
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSWeakObjectMapRefPrivate.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::finishCreation):
        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Executable.h:
        (JSC::isHostFunction):
        * runtime/JSActivation.h:
        (JSC::asActivation):
        * runtime/JSArray.cpp:
        (JSC::JSArray::defineOwnProperty):
        * runtime/JSArray.h:
        (JSC::asArray):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        * runtime/JSByteArray.h:
        (JSC::asByteArray):
        * runtime/JSCell.cpp:
        (JSC::JSCell::toObject):
        * runtime/JSCell.h:
        (JSC::jsCast):
        * runtime/JSGlobalObject.h:
        (JSC::asGlobalObject):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        (JSC::JSObject::allowsAccessFrom):
        (JSC::JSObject::toThisObject):
        (JSC::JSObject::unwrappedObject):
        * runtime/JSObject.h:
        (JSC::asObject):
        * runtime/JSPropertyNameIterator.h:
        (JSC::Register::propertyNameIterator):
        * runtime/JSString.h:
        (JSC::asString):
        (JSC::JSValue::toString):
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSubstr):

2012-04-05  Benjamin Poulain  <bpoulain@apple.com>

        Make something faster than JSStringBuilder for joining an array of JSValue
        https://bugs.webkit.org/show_bug.cgi?id=83180

        Reviewed by Geoffrey Garen.

        This patch add the class JSStringJoiner optimized for join() operations.

        This class makes stricter constraints than JSStringBuilder in order avoid
        memory allocations.

        In the best case, the class allocate memory only twice:
        -Allocate an array to keep a list of UString to join.
        -Allocate the final string.

        We also avoid the conversion from 8bits strings to 16bits strings since
        they are costly and unlikly to help for subsequent calls.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncJoin):
        * runtime/JSStringJoiner.cpp: Added.
        (JSC):
        (JSC::appendStringToData):
        (JSC::joinStrings):
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h: Added.
        (JSC):
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2012-04-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=77293
        [Un]Reserve 'let'

        Rubber stamped by Oliver Hunt.

        Revert r106198.
        This does break the web - e.g. https://bvi.bnc.ca/index/bnc/indexen.html
        If we're going to reserve let, we're going to have to do so in a more
        circumspect fashion.

        * parser/Keywords.table:

2012-04-05  Michael Saboff  <msaboff@apple.com>

        Rolling out http://trac.webkit.org/changeset/113262.
        Original code was fine.

        Rubber-stamped by Oliver Hunt.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::additionBlindedConstant):

2012-04-05  Patrick Gansterer  <paroga@webkit.org>

        [WinCE] Remove unnecessary function decleration
        https://bugs.webkit.org/show_bug.cgi?id=83155

        Reviewed by Kentaro Hara.

        * runtime/JSDateMath.cpp:

2012-04-04  Patrick Gansterer  <paroga@webkit.org>

        Add WTF::getCurrentLocalTime()
        https://bugs.webkit.org/show_bug.cgi?id=83164

        Reviewed by Alexey Proskuryakov.

        Replace the calls to WTF::getLocalTime() with time(0) with the new function.
        This allows us to use Win32 API on windows to get the same result in a next step.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/DateConstructor.cpp:
        (JSC::callDate):

2012-04-04  Oliver Hunt  <oliver@apple.com>

        Parser fails to revert some state after parsing expression and object literals.
        https://bugs.webkit.org/show_bug.cgi?id=83236

        Reviewed by Gavin Barraclough.

        Reset left hand side counter after parsing the literals.

        * parser/Parser.cpp:
        (JSC::::parseObjectLiteral):
        (JSC::::parseStrictObjectLiteral):
        (JSC::::parseArrayLiteral):

2012-04-04  Filip Pizlo  <fpizlo@apple.com>

        DFG InstanceOf should not uselessly speculate cell
        https://bugs.webkit.org/show_bug.cgi?id=83234

        Reviewed by Oliver Hunt.
        
        If InstanceOf is the only user of its child then don't speculate cell, since
        the not-cell case is super easy to handle.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):

2012-04-04  Michael Saboff  <msaboff@apple.com>

        Fixed minor error: "& 3" should be "& 2".

        Rubber-stamped by Oliver Hunt.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::additionBlindedConstant):

2012-04-04  Michael Saboff  <msaboff@apple.com>

        Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
        https://bugs.webkit.org/show_bug.cgi?id=83191

        Reviewed by Oliver Hunt.

        Make are that blinded constant pairs are similarly aligned to the
        original immediate values so that instructions that expect that
        alignment work correctly.  One example is ARMv7 add/sub imm to SP.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::add): Added ASSERT that immediate is word aligned.
        (JSC::ARMv7Assembler::sub): Added ASSERT that immediate is word aligned.
        (JSC::ARMv7Assembler::sub_S): Added ASSERT that immediate is word aligned.
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::additionBlindedConstant):

2012-04-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should short-circuit Branch(LogicalNot(...))
        https://bugs.webkit.org/show_bug.cgi?id=83181

        Reviewed by Geoff Garen.
        
        Slight (sub 1%) speed-up on V8.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2012-04-04  Geoffrey Garen  <ggaren@apple.com>

        [Qt] REGRESSION(r113141): All tests assert on 32 bit debug mode
        https://bugs.webkit.org/show_bug.cgi?id=83139

        Reviewed by Sam Weinig.

        * heap/PassWeak.h:
        (JSC::::get): 32-bit JSValue treats JSValue(nullptr).asCell() as an error,
        so work around that here. (Long-term, we should make 32-bit and 64-bit
        agree on the right behavior.)

2012-04-03  Geoffrey Garen  <ggaren@apple.com>

        Updated JSC expected test results to reflect recent bug fixes <disapproving look>.

        Reviewed by Sam Weinig.

        * tests/mozilla/expected.html:

2012-03-29  Geoffrey Garen  <ggaren@apple.com>

        First step toward incremental Weak<T> finalization
        https://bugs.webkit.org/show_bug.cgi?id=82670

        Reviewed by Filip Pizlo.

        This patch implements a Weak<T> heap that is compatible with incremental
        finalization, while making as few behavior changes as possible. The behavior
        changes it makes are:

        (*) Weak<T>'s raw JSValue no longer reverts to JSValue() automatically --
        instead, a separate flag indicates that the JSValue is no longer valid.
        (This is required so that the JSValue can be preserved for later finalization.)
        Objects dealing with WeakImpls directly must change to check the flag.

        (*) Weak<T> is no longer a subclass of Handle<T>.

        (*) DOM GC performance is different -- 9% faster in the geometric mean,
        but 15% slower in one specific case:
                gc-dom1.html: 6%  faster
                gc-dom2.html: 23% faster
                gc-dom3.html: 17% faster
                gc-dom4.html: 15% *slower*

        The key features of this new heap are:

        (*) Each block knows its own state, independent of any other blocks.

        (*) Each block caches its own sweep result.

        (*) The heap visits dead Weak<T>s at the end of GC. (It doesn't
        mark them yet, since that would be a behavior change.)

        * API/JSCallbackObject.cpp:
        (JSC::JSCallbackObjectData::finalize):
        * API/JSCallbackObjectFunctions.h:
        (JSC::::init): Updated to use the new WeakHeap API.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri: Paid the build system tax since I added some new files.

        * heap/Handle.h: Made WeakBlock a friend and exposed slot() as public,
        so we can keep passing a Handle<T> to finalizers, to avoid more surface
        area change in this patch. A follow-up patch should change the type we
        pass to finalizers.

        * heap/HandleHeap.cpp:
        (JSC):
        (JSC::HandleHeap::writeBarrier):
        (JSC::HandleHeap::isLiveNode):
        * heap/HandleHeap.h:
        (JSC):
        (HandleHeap):
        (Node):
        (JSC::HandleHeap::Node::Node): Removed all code related to Weak<T>, since
        we have a separate WeakHeap now.

        * heap/Heap.cpp:
        (JSC::Heap::Heap): Removed m_extraCost because extra cost is accounted
        for through our watermark now. Removed m_waterMark because it was unused.

        (JSC::Heap::destroy): Updated for addition of WeakHeap.

        (JSC::Heap::reportExtraMemoryCostSlowCase): Changed from using its own
        variable to participating in the watermark strategy. I wanted to standardize
        WeakHeap and all other Heap clients on this strategy, to make sure it's
        accurate.
 
        (JSC::Heap::markRoots): Updated for addition of WeakHeap. Added WeakHeap
        dead visit pass, as explained above.

        (JSC::Heap::collect):
        (JSC::Heap::resetAllocators): Updated for addition of WeakHeap.

        (JSC::Heap::addFinalizer):
        (JSC::Heap::FinalizerOwner::finalize): Updated for new Weak<T> API.

        * heap/Heap.h:
        (JSC::Heap::weakHeap):
        (Heap):
        (JSC::Heap::addToWaterMark): Added a way to participate in the watermarking
        strategy, since this is the best way for WeakHeap to report its memory
        cost. (I plan to update this in a follow-up patch to make it more accurate,
        but for now it is not less accurate than it used to be.)

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::resetAllocators):
        * heap/MarkedSpace.h:
        (MarkedSpace):
        (JSC::MarkedSpace::addToWaterMark):
        (JSC::MarkedSpace::didConsumeFreeList): Removed m_nurseryWaterMark because
        it was unused, and I didn't want to update WeakHeap to keep an usused
        variable working. Added API for above.

        * heap/PassWeak.h:
        (JSC):
        (WeakImplAccessor):
        (PassWeak):
        (JSC::::operator):
        (JSC::::get):
        (JSC::::was):
        (JSC::::PassWeak):
        (JSC::::~PassWeak):
        (JSC::UnspecifiedBoolType):
        (JSC::::leakImpl):
        (JSC::adoptWeak):
        * heap/Strong.h:
        (JSC::Strong::operator!):
        (Strong):
        (JSC::Strong::operator UnspecifiedBoolType*):
        (JSC::Strong::get):
        * heap/Weak.h:
        (Weak):
        (JSC::::Weak):
        (JSC):
        (JSC::::isHashTableDeletedValue):
        (JSC::::~Weak):
        (JSC::::swap):
        (JSC::=):
        (JSC::::operator):
        (JSC::UnspecifiedBoolType):
        (JSC::::release):
        (JSC::::clear):
        (JSC::::hashTableDeletedValue): Lots of code changes here, but they boil
        down to two things:

        (*) Allocate WeakImpls from the WeakHeap instead of Handles from the HandleHeap.

        (*) Explicitly check WeakImpl::state() for non-liveness before returning
        a value (explained above).

        These files implement the new Weak<T> heap behavior described above:

        * heap/WeakBlock.cpp: Added.
        * heap/WeakBlock.h: Added.
        * heap/WeakHandleOwner.cpp: Added.
        * heap/WeakHandleOwner.h: Added.
        * heap/WeakHeap.cpp: Added.
        * heap/WeakHeap.h: Added.
        * heap/WeakImpl.h: Added.

        One interesting difference from the old heap is that we don't allow
        clients to overwrite a WeakImpl after allocating it, and we don't recycle
        WeakImpls prior to garbage collection. This is required for lazy finalization,
        but it will also help us esablish a useful invariant in the future: allocating
        a WeakImpl will be a binding contract to run a finalizer at some point in the
        future, even if the WeakImpl is later deallocated.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub): Check the Weak<T> for ! instead of
        its JSValue, since that's our API contract now, and the JSValue might
        be stale.

        * runtime/JSCell.h:
        (JSC::jsCast): Allow casting NULL pointers because it's useful and harmless.

        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add): I can't remember why I did this.

        * runtime/StructureTransitionTable.h:
        * runtime/WeakGCMap.h: I had to update these classes because they allocate
        and deallocate weak pointers manually. They should probably stop doing that.

2012-04-03  Keishi Hattori  <keishi@webkit.org>

        Disable ENABLE_DATALIST for now
        https://bugs.webkit.org/show_bug.cgi?id=82871

        Reviewed by Kent Tamura.

        * Configurations/FeatureDefines.xcconfig: Disabled ENABLE_DATALIST.

2012-04-02  Filip Pizlo  <fpizlo@apple.com>

        jsr/sret should be removed
        https://bugs.webkit.org/show_bug.cgi?id=82986
        <rdar://problem/11017015>

        Reviewed by Sam Weinig and Geoff Garen.
        
        Replaces jsr/sret with finally block inlining.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::pushFinallyContext):
        (JSC::BytecodeGenerator::emitComplexJumpScopes):
        (JSC):
        * bytecompiler/BytecodeGenerator.h:
        (FinallyContext):
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC):
        * jit/JITOpcodes32_64.cpp:
        (JSC):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2012-04-03  Mark Rowe  <mrowe@apple.com>

        Make it possible to install the JavaScriptCore test tools.

        Part of <rdar://problem/11158607>.
        
        Reviewed by Filip Pizlo.

        * JavaScriptCore.xcodeproj/project.pbxproj: Introduce an aggregate target named
        Test Tools that builds testapi, minidom and testRegExp. Switch All from depending on
        those targets individually to depending on the new aggregate target.

2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend has a very convoluted way of saying it wants to emit a
        three-operand multiply instruction
        https://bugs.webkit.org/show_bug.cgi?id=83100

        Reviewed by Darin Adler.
        
        Changed the "muli"/"mulp" case to call emitArmV7() since that helper method was
        already smart enough to do the Right Thing for multiply.

        * offlineasm/armv7.rb:

2012-04-03  Filip Pizlo  <fpizlo@apple.com>

        Offlineasm ARM backend uses the wrong mnemonic for multiply
        https://bugs.webkit.org/show_bug.cgi?id=83098
        <rdar://problem/11168744>

        Reviewed by Gavin Barraclough.
        
        Use "mul" instead of "muls" since we're passing three operands, not two.

        * offlineasm/armv7.rb:

2012-04-03  Gavin Barraclough  <barraclough@apple.com>

        Linux crashes during boot
        https://bugs.webkit.org/show_bug.cgi?id=83096

        Reviewed by Filip Pizlo.

        The bug here is that we add empty JSValues to the sparse map, and then set them
        - but a GC may occur before doing so (due to a call to reportExtraMemory cost).
        We may want to consider making it safe to mark empty JSValues, but the simple &
        contained fix to this specific bug is to just initialize these values to
        something other than JSValue().

        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::add):
            - Initialize sparse map entries.

2012-04-02  Oliver Hunt  <oliver@apple.com>

        Incorrect liveness information when inlining
        https://bugs.webkit.org/show_bug.cgi?id=82985

        Reviewed by Filip Pizlo.

        Don't remap register numbers that have already been remapped.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):

2012-04-02  Filip Pizlo  <fpizlo@apple.com>

        Activation tear-off neglects to copy the callee and scope chain, leading to crashes if we
        try to create an arguments object from the activation
        https://bugs.webkit.org/show_bug.cgi?id=82947
        <rdar://problem/11058598>

        Reviewed by Gavin Barraclough.
        
        We now copy the entire call frame header just to be sure. This is mostly perf-netural,
        except for a 3.7% slow-down in V8/earley.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::visitChildren):
        * runtime/JSActivation.h:
        (JSC::JSActivation::tearOff):

2012-04-02  Daniel Bates  <dbates@webkit.org>

        Remove Source/JavaScriptCore/wtf and its empty subdirectories

        Rubber-stamped by Eric Seidel.

        Following the move of WTF from Source/JavaScriptCore/wtf to Source/WTF
        (https://bugs.webkit.org/show_bug.cgi?id=75673), remove directory
        Source/JavaScriptCore/wtf and its empty subdirectories.

        * wtf: Removed.
        * wtf/android: Removed.
        * wtf/blackberry: Removed.
        * wtf/chromium: Removed.
        * wtf/dtoa: Removed.
        * wtf/efl: Removed.
        * wtf/gobject: Removed.
        * wtf/gtk: Removed.
        * wtf/mac: Removed.
        * wtf/qt: Removed.
        * wtf/qt/compat: Removed.
        * wtf/tests: Removed.
        * wtf/text: Removed.
        * wtf/threads: Removed.
        * wtf/threads/win: Removed.
        * wtf/unicode: Removed.
        * wtf/unicode/glib: Removed.
        * wtf/unicode/icu: Removed.
        * wtf/unicode/qt4: Removed.
        * wtf/unicode/wince: Removed.
        * wtf/url: Removed.
        * wtf/url/api: Removed.
        * wtf/url/src: Removed.
        * wtf/win: Removed.
        * wtf/wince: Removed.
        * wtf/wx: Removed.

2012-04-02  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am: Add missing file.

2012-04-01  Darin Adler  <darin@apple.com>

        Fix incorrect path for libWTF.a in Mac project file.

        * JavaScriptCore.xcodeproj/project.pbxproj: Removed the "../Release" prefix that
        would cause other configurations to try to link with the "Release" version of
        libWTF.a instead of the correct version.

2012-03-29  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize a==b for a being an object and b being either an object or
        null/undefined, and vice versa
        https://bugs.webkit.org/show_bug.cgi?id=82656

        Reviewed by Oliver Hunt.
        
        Implements additional object equality optimizations for the case that one
        operand is predicted to be an easily speculated object (like FinalObject or
        Array) and the other is either an easily speculated object or Other, i.e.
        Null or Undefined.
        
        2-5% speed-up on V8/raytrace, leading to a sub-1% progression on V8.
        
        I also took the opportunity to clean up the control flow for the speculation
        decisions in the various Compare opcodes. And to fix a build bug in SamplingTool.
        And to remove debug cruft I stupidly committed in my last patch.
        
        * bytecode/SamplingTool.h:
        (SamplingRegion):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

2012-03-30  David Barr  <davidbarr@chromium.org>

        Split up top-level .gitignore and .gitattributes
        https://bugs.webkit.org/show_bug.cgi?id=82687

        Reviewed by Tor Arne Vestbø.

        * JavaScriptCore.gyp/.gitignore: Added.

2012-03-30  Steve Falkenburg  <sfalken@apple.com>

        Windows (make based) build fix.

        * JavaScriptCore.vcproj/JavaScriptCore.make: Copy WTF header files into a place where JavaScriptCore build can see them.

2012-03-30  Keishi Hattori  <keishi@webkit.org>

        Change ENABLE_INPUT_COLOR to ENABLE_INPUT_TYPE_COLOR and enable it for chromium
        https://bugs.webkit.org/show_bug.cgi?id=80972

        Reviewed by Kent Tamura.

        * Configurations/FeatureDefines.xcconfig:

2012-03-29  Mark Hahnenberg  <mhahnenberg@apple.com>

        Refactor recompileAllJSFunctions() to be less expensive
        https://bugs.webkit.org/show_bug.cgi?id=80330

        Reviewed by Filip Pizlo.

        This change is performance neutral on the JS benchmarks we track. It's mostly to improve page 
        load performance, which currently does at least a couple full GCs per navigation.

        * heap/Heap.cpp:
        (JSC::Heap::discardAllCompiledCode): Rename recompileAllJSFunctions to discardAllCompiledCode 
        because the function doesn't actually recompile anything (and never did); it simply throws code
        away for it to be recompiled later if we determine we should do so.
        (JSC):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::addFunctionExecutable): Adds a newly created FunctionExecutable to the Heap's list.
        (JSC::Heap::removeFunctionExecutable): Removes the specified FunctionExecutable from the Heap's list.
        * heap/Heap.h:
        (JSC):
        (Heap):
        * runtime/Executable.cpp: Added next and prev fields to FunctionExecutables so that they can 
        be used in DoublyLinkedLists.
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::FunctionExecutable::finalize): Removes the FunctionExecutable from the Heap's list.
        * runtime/Executable.h:
        (FunctionExecutable):
        (JSC::FunctionExecutable::create): Adds the FunctionExecutable to the Heap's list.
        * runtime/JSGlobalData.cpp: Remove recompileAllJSFunctions, as it's the Heap's job to own and manage 
        the list of FunctionExecutables.
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSGlobalObject.cpp:
        (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope): Use the new discardAllCompiledCode.

2012-03-29  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-x86 platforms.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_mod):

2012-03-29  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix p2.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-29  Gavin Barraclough  <barraclough@apple.com>

        Windows build fix p1.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-29  Gavin Barraclough  <barraclough@apple.com>

        Template the Yarr::Interpreter on the character type
        https://bugs.webkit.org/show_bug.cgi?id=82637

        Reviewed by Sam Weinig.

        We should be able to call to the interpreter after having already checked the character type,
        without having to re-package the character pointer back up into a string!

        * runtime/RegExp.cpp:
        (JSC::RegExp::match):
        (JSC::RegExp::matchCompareWithInterpreter):
            - Don't pass length.
        * yarr/Yarr.h:
            - moved function declarations to YarrInterpreter.h.
        * yarr/YarrInterpreter.cpp:
        (Yarr):
        (Interpreter):
        (JSC::Yarr::Interpreter::InputStream::InputStream):
        (InputStream):
        (JSC::Yarr::Interpreter::Interpreter):
        (JSC::Yarr::interpret):
            - templated Interpreter class on CharType.
        * yarr/YarrInterpreter.h:
        (Yarr):
            - added function declarations.

2012-03-29  David Kilzer  <ddkilzer@apple.com>

        Don't use a flattened framework path when building on OS X

        Reviewed by Mark Rowe.

        * Configurations/ToolExecutable.xcconfig: Use REAL_PLATFORM_NAME
        to select different INSTALL_PATH values.

2012-03-29  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix, add Win-specific sources
        the wx port needs after WTF move.

        * wscript:

2012-03-29  Andy Estes  <aestes@apple.com>

        Remove an unused variable that breaks the build with newer versions of clang.

        Rubber stamped by Gavin Barraclough.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):

2012-03-29  Caio Marcelo de Oliveira Filho  <caio.oliveira@openbossa.org>

        HashMap<>::add should return a more descriptive object
        https://bugs.webkit.org/show_bug.cgi?id=71063

        Reviewed by Ryosuke Niwa.

        Update code to use AddResult instead of a pair. Note that since WeakGCMap wraps
        the iterator type, there's a need for its own AddResult type -- instantiated from
        HashTableAddResult template class.

        * API/JSCallbackObject.h:
        (JSC::JSCallbackObjectData::JSPrivatePropertyMap::setPrivateProperty):
        * API/JSClassRef.cpp:
        (OpaqueJSClass::contextData):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addVar):
        (JSC::BytecodeGenerator::addGlobalVar):
        (JSC::BytecodeGenerator::addConstant):
        (JSC::BytecodeGenerator::addConstantValue):
        (JSC::BytecodeGenerator::emitLoad):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::emitLazyNewFunction):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        * debugger/Debugger.cpp:
        * dfg/DFGAssemblyHelpers.cpp:
        (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::cellConstant):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * jit/JITStubs.cpp:
        (JSC::JITThunks::ctiStub):
        (JSC::JITThunks::hostFunctionStub):
        * parser/Parser.cpp:
        (JSC::::parseStrictObjectLiteral):
        * parser/Parser.h:
        (JSC::Scope::declareParameter):
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
        (JSC::Identifier::addSlowCase):
        * runtime/Identifier.h:
        (JSC::Identifier::add):
        (JSC::IdentifierTable::add):
        * runtime/JSArray.cpp:
        (JSC::SparseArrayValueMap::add):
        (JSC::SparseArrayValueMap::put):
        (JSC::SparseArrayValueMap::putDirect):
        (JSC::JSArray::enterDictionaryMode):
        (JSC::JSArray::defineOwnNumericProperty):
        * runtime/JSArray.h:
        (SparseArrayValueMap):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::add):
        * runtime/WeakGCMap.h:
        (WeakGCMap):
        (JSC::WeakGCMap::add):
        (JSC::WeakGCMap::set):
        * tools/ProfileTreeNode.h:
        (JSC::ProfileTreeNode::sampleChild):

2012-03-29  Patrick Gansterer  <paroga@webkit.org>

        Build fix for !ENABLE(YARR_JIT) after r112454.

        * runtime/RegExp.cpp:
        (JSC::RegExp::invalidateCode):

2012-03-28  Filip Pizlo  <fpizlo@apple.com>

        DFG object equality speculations should be simplified
        https://bugs.webkit.org/show_bug.cgi?id=82557

        Reviewed by Gavin Barraclough.

        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateFinalObject):
        (JSC::DFG::Node::shouldSpeculateArray):

2012-03-28  David Kilzer  <ddkilzer@apple.com>

        minidom configurations should be based on ToolExecutable.xcconfig
        <http://webkit.org/b/82513>

        Reviewed by Mark Rowe.

        Note that this patch changes minidom from being installed in
        /usr/local/bin to JavaScriptCore.framework/Resources.

        * Configurations/ToolExecutable.xcconfig: Add semi-colon.
        * JavaScriptCore.xcodeproj/project.pbxproj: Base minidom
        configurations on ToolExecutable.xcconfig.  Remove redundant
        PRODUCT_NAME and SKIP_INSTALL variables.

2012-03-28  Gavin Barraclough  <barraclough@apple.com>

        Build fix - some compiles generating NORETURN related warnings.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::setSubpatternStart):
        (JSC::Yarr::YarrGenerator::setSubpatternEnd):
        (JSC::Yarr::YarrGenerator::clearSubpatternStart):

2012-03-28  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Build fix, move WTF back into JSCore target
        until issues with JSCore not linking in all WTF symbols are resolved.
        
        * wscript:

2012-03-28  Gavin Barraclough  <barraclough@apple.com>

        Yarr: if we're not using the output array, don't populate it!
        https://bugs.webkit.org/show_bug.cgi?id=82519

        Reviewed by Sam Weinig.

        * runtime/RegExp.cpp:
        (JSC):
            - Missed review comment! - didn't fully remove RegExpRepresentation.

2012-03-28  Gavin Barraclough  <barraclough@apple.com>

        Yarr: if we're not using the output array, don't populate it!
        https://bugs.webkit.org/show_bug.cgi?id=82519

        Reviewed by Sam Weinig.

        Add a new variant of the match method to RegExp that returns a MatchResult,
        and modify YarrJIT to be able to compile code that doesn't use an output vector.

        This is a 3% progression on v8-regexp.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Moved MatchResult into its own header.
        * assembler/AbstractMacroAssembler.h:
            - Added missing include.
        * runtime/MatchResult.h: Added.
        (MatchResult::MatchResult):
        (MatchResult):
        (MatchResult::failed):
        (MatchResult::operator bool):
        (MatchResult::empty):
            - Moved MatchResult into its own header.
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileIfNecessary):
        (JSC::RegExp::match):
            - Changed due to execute & representation changes.
        (JSC::RegExp::compileMatchOnly):
        (JSC::RegExp::compileIfNecessaryMatchOnly):
            - Added helper to compile MatchOnly code.
        (JSC::RegExp::invalidateCode):
        (JSC::RegExp::matchCompareWithInterpreter):
        (JSC::RegExp::printTraceData):
            - Changed due representation changes.
        * runtime/RegExp.h:
        (RegExp):
        (JSC::RegExp::hasCode):
            - Made YarrCodeBlock a member.
        * runtime/RegExpConstructor.h:
        (RegExpConstructor):
        (JSC::RegExpConstructor::performMatch):
            - Added no-ovector form.
        * runtime/RegExpMatchesArray.cpp:
        (JSC::RegExpMatchesArray::reifyAllProperties):
            - Match now takes a reference to ovector, not a pointer.
        * runtime/RegExpObject.h:
        (JSC):
            - Moved MatchResult into its own header.
        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncSplit):
            - Match now takes a reference to ovector, not a pointer.
        * testRegExp.cpp:
        (testOneRegExp):
            - Match now takes a reference to ovector, not a pointer.
        * yarr/YarrJIT.cpp:
        (Yarr):
        (YarrGenerator):
        (JSC::Yarr::YarrGenerator::initCallFrame):
        (JSC::Yarr::YarrGenerator::removeCallFrame):
        (JSC::Yarr::YarrGenerator::setSubpatternStart):
        (JSC::Yarr::YarrGenerator::setSubpatternEnd):
        (JSC::Yarr::YarrGenerator::clearSubpatternStart):
        (JSC::Yarr::YarrGenerator::setMatchStart):
        (JSC::Yarr::YarrGenerator::getMatchStart):
            - Added helper functions to intermediate access to output.
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::compile):
            - Changed to use the new helpers, only generate subpatterns if IncludeSubpatterns.
        (JSC::Yarr::jitCompile):
            - Needs to template of MatchOnly or IncludeSubpatterns.
        * yarr/YarrJIT.h:
        (YarrCodeBlock):
        (JSC::Yarr::YarrCodeBlock::set8BitCode):
        (JSC::Yarr::YarrCodeBlock::set16BitCode):
        (JSC::Yarr::YarrCodeBlock::has8BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::has16BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::set8BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::set16BitCodeMatchOnly):
        (JSC::Yarr::YarrCodeBlock::execute):
        (JSC::Yarr::YarrCodeBlock::clear):
            - Added a second set of CodeRefs, so that we can compile RexExps with/without subpattern matching.

2012-03-27  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit should not generate an exit for variables of inlinees if the
        inlinees are not in scope
        https://bugs.webkit.org/show_bug.cgi?id=82312

        Reviewed by Oliver Hunt.
        
        * bytecode/CodeBlock.h:
        (JSC::baselineCodeBlockForInlineCallFrame):
        (JSC):
        (JSC::baselineCodeBlockForOriginAndBaselineCodeBlock):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::computeNumVariablesForCodeOrigin):
        (DFG):
        (JSC::DFG::OSRExit::OSRExit):

2012-03-27  Matt Lilek  <mrl@apple.com>

        Stop compiling Interpreter.cpp with -fno-var-tracking
        https://bugs.webkit.org/show_bug.cgi?id=82299

        Reviewed by Anders Carlsson.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-27  Pratik Solanki  <psolanki@apple.com>

        Compiler warning when JIT is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=82352

        Reviewed by Filip Pizlo.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):

2012-03-26  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        Unaligned userspace access for SH4 platforms
        https://bugs.webkit.org/show_bug.cgi?id=79104

        Reviewed by Gavin Barraclough.

        * assembler/AbstractMacroAssembler.h:
        (Jump):
        (JSC::AbstractMacroAssembler::Jump::Jump):
        (JSC::AbstractMacroAssembler::Jump::link):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load16Unaligned):
        (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords):
        (JSC::MacroAssemblerSH4::branchDouble):
        (JSC::MacroAssemblerSH4::branchTrue):
        (JSC::MacroAssemblerSH4::branchFalse):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::extraInstrForBranch):
        (SH4Assembler):
        (JSC::SH4Assembler::bra):
        (JSC::SH4Assembler::linkJump):
        * jit/JIT.h:
        (JIT):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

2012-03-26  Ryosuke Niwa  <rniwa@webkit.org>

        cssText should use shorthand notations
        https://bugs.webkit.org/show_bug.cgi?id=81737

        Reviewed by Enrica Casucci.

        Export symbols of BitVector on Windows.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-26  Filip Pizlo  <fpizlo@apple.com>

        DFG should assert that argument value recoveries can only be
        AlreadyInRegisterFile or Constant
        https://bugs.webkit.org/show_bug.cgi?id=82249

        Reviewed by Michael Saboff.
        
        Made the assertions that the DFG makes for argument value recoveries match
        what Arguments expects.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::isConstant):
        (ValueRecovery):
        (JSC::ValueRecovery::isAlreadyInRegisterFile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-26  Dan Bernstein  <mitz@apple.com>

        Tried to fix the Windows build.

        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::putRange):

2012-03-26  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - speculative Windows build fix.

        * yarr/YarrCanonicalizeUCS2.h:
        (JSC::Yarr::getCanonicalPair):

2012-03-26  Dan Bernstein  <mitz@apple.com>

        Fixed builds with assertions disabled.

        * yarr/YarrCanonicalizeUCS2.h:
        (JSC::Yarr::areCanonicallyEquivalent):

2012-03-26  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - errk! - accidentally the whole pbxproj.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-25  Gavin Barraclough  <barraclough@apple.com>

        Greek sigma is handled wrong in case independent regexp.
        https://bugs.webkit.org/show_bug.cgi?id=82063

        Reviewed by Oliver Hunt.

        The bug here is that we assume that any given codepoint has at most one additional value it
        should match under a case insensitive match, and that the pair of codepoints that match (if
        a codepoint does not only match itself) can be determined by calling toUpper/toLower on the
        given codepoint). Life is not that simple.

        Instead, pre-calculate a set of tables mapping from a UCS2 codepoint to the set of characters
        it may match, under the ES5.1 case-insensitive matching rules. Since unicode is fairly regular
        we can pack this table quite nicely, and get it down to 364 entries. This means we can use a
        simple binary search to find an entry in typically eight compares.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * yarr/yarr.pri:
            - Added new files to build systems.
        * yarr/YarrCanonicalizeUCS2.cpp: Added.
            - New - autogenerated, UCS2 canonicalized comparison tables.
        * yarr/YarrCanonicalizeUCS2.h: Added.
        (JSC::Yarr::rangeInfoFor):
            - Look up the canonicalization info for a UCS2 character.
        (JSC::Yarr::getCanonicalPair):
            - For a UCS2 character with a single equivalent value, look it up.
        (JSC::Yarr::isCanonicallyUnique):
            - Returns true if no other UCS2 code points are canonically equal.
        (JSC::Yarr::areCanonicallyEquivalent):
            - Compare two values, under canonicalization rules.
        * yarr/YarrCanonicalizeUCS2.js: Added.
            - script used to generate YarrCanonicalizeUCS2.cpp.
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::tryConsumeBackReference):
            - Use isCanonicallyUnique, rather than Unicode toUpper/toLower.
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
            - Use isCanonicallyUnique, rather than Unicode toUpper/toLower.
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::CharacterClassConstructor::putChar):
            - Updated to determine canonical equivalents correctly.
        (JSC::Yarr::CharacterClassConstructor::putUnicodeIgnoreCase):
            - Added, used to put a non-ascii, non-unique character in a case-insensitive match.
        (JSC::Yarr::CharacterClassConstructor::putRange):
            - Updated to determine canonical equivalents correctly.
        (JSC::Yarr::YarrPatternConstructor::atomPatternCharacter):
            - Changed to call putUnicodeIgnoreCase, instead of putChar, avoid a double lookup of rangeInfo.

2012-03-26  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Add the build outputs dir to the list of build dirs,
        so we make sure it finds the API headers on all platforms.

        * wscript:

2012-03-26  Patrick Gansterer  <paroga@webkit.org>

        Build fix for WinCE after r112039.

        * interpreter/Register.h:
        (Register): Removed inline keyword from decleration since
                    there is an ALWAYS_INLINE at the definition anyway.

2012-03-26  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck.

        * GNUmakefile.list.am: Add missing files.

2012-03-25  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed build fix. Move WTF to its own static lib build.

        * wscript:

2012-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFG int-to-double conversion should be revealed to CSE
        https://bugs.webkit.org/show_bug.cgi?id=82135

        Reviewed by Oliver Hunt.
        
        This introduces the notion of an Int32ToDouble node, which is injected
        into the graph anytime we know that we have a double use of a node that
        was predicted integer. The Int32ToDouble simplifies double speculation
        on integers by skipping the path that would unbox doubles, if we know
        that the value is already proven to be an integer. It allows integer to
        double conversions to be subjected to common subexpression elimination
        (CSE) by allowing the CSE phase to see where these conversions are
        occurring. Finally, it allows us to see when a constant is being used
        as both a double and an integer. This is a bit odd, since it means that
        sometimes a double use of a constant will not refer directly to the
        constant. This should not cause problems, for now, but it may require
        some canonizalization in the future if we want to support strength
        reductions of double operations based on constants.
        
        To allow injection of nodes into the graph, this change introduces the
        DFG::InsertionSet, which is a way of lazily inserting elements into a
        list. This allows the FixupPhase to remain O(N) despite performing
        multiple injections in a single basic block. Without the InsertionSet,
        each injection would require performing an insertion into a vector,
        which is O(N), leading to O(N^2) performance overall. With the
        InsertionSet, each injection simply records what insertion would have
        been performed, and all insertions are performed at once (via
        InsertionSet::execute) after processing of a basic block is completed.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PredictedType.h:
        (JSC::isActionableIntMutableArrayPrediction):
        (JSC):
        (JSC::isActionableFloatMutableArrayPrediction):
        (JSC::isActionableTypedMutableArrayPrediction):
        (JSC::isActionableMutableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.h:
        (JSC::DFG::useKindToString):
        (DFG):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupBlock):
        (FixupPhase):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixDoubleEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGInsertionSet.h: Added.
        (DFG):
        (Insertion):
        (JSC::DFG::Insertion::Insertion):
        (JSC::DFG::Insertion::index):
        (JSC::DFG::Insertion::element):
        (InsertionSet):
        (JSC::DFG::InsertionSet::InsertionSet):
        (JSC::DFG::InsertionSet::append):
        (JSC::DFG::InsertionSet::execute):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFGOperands should be moved out of the DFG and into bytecode
        https://bugs.webkit.org/show_bug.cgi?id=82151

        Reviewed by Dan Bernstein.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Operands.h: Copied from Source/JavaScriptCore/dfg/DFGOperands.h.
        * dfg/DFGBasicBlock.h:
        * dfg/DFGNode.h:
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOperands.h: Removed.
        * dfg/DFGVariableAccessData.h:

2012-03-24  Filip Pizlo  <fpizlo@apple.com>

        DFG 64-bit Branch implementation should not be creating a JSValueOperand that
        it isn't going to use
        https://bugs.webkit.org/show_bug.cgi?id=82136

        Reviewed by Geoff Garen.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitBranch):

2012-03-24  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Fix the build after WTF move.

        * wscript:

2012-03-23  Filip Pizlo  <fpizlo@apple.com>

        DFG double voting may be overzealous in the case of variables that end up
        being used as integers
        https://bugs.webkit.org/show_bug.cgi?id=82008

        Reviewed by Oliver Hunt.
        
        Cleaned up propagation, making the intent more explicit in most places.
        Back-propagate NodeUsedAsInt for cases where a node was used in a context
        that is known to strongly prefer integers.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dumpCodeOrigin):
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        (Graph):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):

2012-03-24  Filip Pizlo  <fpizlo@apple.com>

        DFG::Node::shouldNotSpeculateInteger() should be eliminated
        https://bugs.webkit.org/show_bug.cgi?id=82123

        Reviewed by Geoff Garen.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (Node):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

2012-03-24  Yong Li  <yoli@rim.com>

        Increase getByIdSlowCase ConstantSpace/InstructionSpace for CPU(ARM_TRADITIONAL)
        https://bugs.webkit.org/show_bug.cgi?id=81521

        Increase sequenceGetByIdSlowCaseConstantSpace and sequenceGetByIdSlowCaseInstructionSpace
        for CPU(ARM_TRADITIONAL) to fit actual need.

        Reviewed by Oliver Hunt.

        * jit/JIT.h:
        (JIT):

2012-03-23  Filip Pizlo  <fpizlo@apple.com>

        DFG Fixup should be able to short-circuit trivial ValueToInt32's
        https://bugs.webkit.org/show_bug.cgi?id=82030

        Reviewed by Michael Saboff.
        
        Takes the fixup() method of the prediction propagation phase and makes it
        into its own phase. Adds the ability to short-circuit trivial ValueToInt32
        nodes, and mark pure ValueToInt32's as such.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCommon.h:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp: Added.
        (DFG):
        (FixupPhase):
        (JSC::DFG::FixupPhase::FixupPhase):
        (JSC::DFG::FixupPhase::run):
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::performFixup):
        * dfg/DFGFixupPhase.h: Added.
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):
        (PredictionPropagationPhase):

2012-03-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        tryReallocate could break the zero-ed memory invariant of CopiedBlocks
        https://bugs.webkit.org/show_bug.cgi?id=82087

        Reviewed by Filip Pizlo.

        Removing this optimization turned out to be ~1% regression on kraken, so I simply 
        undid the modification to the current block if we fail.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryReallocate): Undid the reset in the CopiedAllocator if we fail 
        to reallocate from the current block.

2012-03-23  Alexey Proskuryakov  <ap@apple.com>

        [Mac] No need for platform-specific ENABLE_BLOB values
        https://bugs.webkit.org/show_bug.cgi?id=82102

        Reviewed by David Kilzer.

        * Configurations/FeatureDefines.xcconfig:

2012-03-23  Michael Saboff  <msaboff@apple.com>

        DFG::compileValueToInt32 Sometime Generates GPR to FPR reg back to GPR
        https://bugs.webkit.org/show_bug.cgi?id=81805

        Reviewed by Filip Pizlo.

        Added SpeculativeJIT::checkGeneratedType() to determine the current format
        of an operand.  Used that information in SpeculativeJIT::compileValueToInt32
        to generate code that will use integer and JSValue types in integer
        format directly without a conversion to double.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkGeneratedType):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        * dfg/DFGSpeculativeJIT.h:
        (DFG):
        (SpeculativeJIT):

2012-03-23  Steve Falkenburg  <sfalken@apple.com>

        Update Apple Windows build files for WTF move
        https://bugs.webkit.org/show_bug.cgi?id=82069

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Removed WTF and WTFGenerated.

2012-03-23  Dean Jackson  <dino@apple.com>

        Disable CSS_SHADERS in Apple builds
        https://bugs.webkit.org/show_bug.cgi?id=81996

        Reviewed by Simon Fraser.

        Remove ENABLE_CSS_SHADERS from FeatureDefines. It's now in Platform.h.

        * Configurations/FeatureDefines.xcconfig:

2012-03-23  Gavin Barraclough  <barraclough@apple.com>

        RexExp constructor last match properties should not rely on previous ovector
        https://bugs.webkit.org/show_bug.cgi?id=82077

        Reviewed by Oliver Hunt.

        This change simplifies matching, and will enable subpattern results to be fully lazily generated in the future.

        This patch changes the scheme used to lazily generate the last match properties of the RegExp object.
        Instead of relying on the results in the ovector, we can instead lazily generate the subpatters using
        a RegExpMatchesArray. To do so we just need to store the input, the regexp matched, and the match
        location (the MatchResult). When the match is accessed or the input is set, we reify results. We use
        a special value of setting the saved result to MatchResult::failed() to indicated that we're in a
        reified state. This means that next time a match is performed, the store of the result will
        automatically blow away the reified value.

        * JavaScriptCore.xcodeproj/project.pbxproj:
            - Added new files.
        * runtime/RegExp.cpp:
        (JSC::RegExpFunctionalTestCollector::outputOneTest):
            - changed 'subPattern' -> 'subpattern' (there was a mix in JSC, 'subpattern' was more common).
        * runtime/RegExpCachedResult.cpp: Added.
        (JSC::RegExpCachedResult::visitChildren):
        (JSC::RegExpCachedResult::lastResult):
        (JSC::RegExpCachedResult::setInput):
            - New methods, mark GC objects, lazily create the matches array, and record a user provided input (via assignment to RegExp.inupt).
        * runtime/RegExpCachedResult.h: Added.
        (RegExpCachedResult):
            - Added new class.
        (JSC::RegExpCachedResult::RegExpCachedResult):
        (JSC::RegExpCachedResult::record):
        (JSC::RegExpCachedResult::input):
            - Initialize the object, record the result of a RegExp match, access the stored input property.
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
            - Initialize m_result/m_multiline properties.
        (JSC::RegExpConstructor::visitChildren):
            - Make sure the cached results (or lazy source for them) are marked.
        (JSC::RegExpConstructor::getBackref):
        (JSC::RegExpConstructor::getLastParen):
        (JSC::RegExpConstructor::getLeftContext):
        (JSC::RegExpConstructor::getRightContext):
            - Moved from RegExpConstructor, moved to RegExpCachedResult, and using new caching scheme.
        (JSC::regExpConstructorInput):
        (JSC::setRegExpConstructorInput):
            - Changed to use RegExpCachedResult.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        (RegExpConstructor):
        (JSC::RegExpConstructor::setMultiline):
        (JSC::RegExpConstructor::multiline):
            - Move multiline property onto the constructor object; it is not affected by the last match.
        (JSC::RegExpConstructor::setInput):
        (JSC::RegExpConstructor::input):
            - These defer to RegExpCachedResult.
        (JSC::RegExpConstructor::performMatch):
        * runtime/RegExpMatchesArray.cpp: Added.
        (JSC::RegExpMatchesArray::visitChildren):
            - Eeeep! added missing visitChildren!
        (JSC::RegExpMatchesArray::finishCreation):
        (JSC::RegExpMatchesArray::reifyAllProperties):
        (JSC::RegExpMatchesArray::reifyMatchProperty):
            - Moved from RegExpConstructor.cpp.
        (JSC::RegExpMatchesArray::leftContext):
        (JSC::RegExpMatchesArray::rightContext):
            - Since the match start/
        * runtime/RegExpMatchesArray.h:
        (RegExpMatchesArray):
            - Declare new methods & structure flags.
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::match):
            - performMatch now requires the JSString input, to cache.
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
            - performMatch now requires the JSString input, to cache.

2012-03-23  Tony Chang  <tony@chromium.org>

        [chromium] rename newwtf target back to wtf
        https://bugs.webkit.org/show_bug.cgi?id=82064

        Reviewed by Adam Barth.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-03-23  Mark Hahnenberg  <mhahnenberg@apple.com>

        Simplify memory usage tracking in CopiedSpace
        https://bugs.webkit.org/show_bug.cgi?id=80705

        Reviewed by Filip Pizlo.

        * heap/CopiedAllocator.h:
        (CopiedAllocator): Rename currentUtilization to currentSize.
        (JSC::CopiedAllocator::currentCapacity):
        * heap/CopiedBlock.h:
        (CopiedBlock):
        (JSC::CopiedBlock::payload): Move the implementation of payload() out of the class
        declaration.
        (JSC):
        (JSC::CopiedBlock::size): Add new function to calculate the block's size.
        (JSC::CopiedBlock::capacity): Ditto for capacity.
        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::CopiedSpace): Remove old bogus memory stats fields and add a new
        field for the water mark.
        (JSC::CopiedSpace::init):
        (JSC::CopiedSpace::tryAllocateSlowCase): When we fail to allocate from the current 
        block, we need to update our current water mark with the size of the block.
        (JSC::CopiedSpace::tryAllocateOversize): When we allocate a new oversize block, we 
        need to update our current water mark with the size of the used portion of the block.
        (JSC::CopiedSpace::tryReallocate): We don't need to update the water mark when 
        reallocating because it will either get accounted for when we fill up the block later 
        in the case of being able to reallocate in the current block or it will get picked up 
        immediately because we'll have to get a new block.
        (JSC::CopiedSpace::tryReallocateOversize): We do, however, need to update in when 
        realloc-ing an oversize block because we deallocate the old block and allocate a brand 
        new one.
        (JSC::CopiedSpace::doneFillingBlock): Update the water mark as blocks are returned to 
        the CopiedSpace by the SlotVisitors.
        (JSC::CopiedSpace::doneCopying): Add in any pinned blocks to the water mark.
        (JSC::CopiedSpace::getFreshBlock): We use the Heap's new function to tell us whether or 
        not we should collect now instead of doing the calculation ourself.
        (JSC::CopiedSpace::destroy):
        (JSC):
        (JSC::CopiedSpace::size): Manually calculate the size of the CopiedSpace, similar to how 
        MarkedSpace does.
        (JSC::CopiedSpace::capacity): Ditto for capacity.
        * heap/CopiedSpace.h:
        (JSC::CopiedSpace::waterMark):
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::startedCopying): Reset water mark to 0 when we start copying during a 
        collection.
        (JSC::CopiedSpace::allocateNewBlock):
        (JSC::CopiedSpace::fitsInBlock):
        (JSC::CopiedSpace::allocateFromBlock):
        * heap/Heap.cpp:
        (JSC::Heap::size): Incorporate size of CopiedSpace into the total size of the Heap.
        (JSC::Heap::capacity): Ditto for capacity.
        (JSC::Heap::collect):
        * heap/Heap.h:
        (Heap):
        (JSC::Heap::shouldCollect): New function for other sub-parts of the Heap to use to 
        determine whether they should initiate a collection or continue to allocate new blocks.
        (JSC):
        (JSC::Heap::waterMark): Now is the sum of the water marks of the two sub-parts of the
        Heap (MarkedSpace and CopiedSpace).
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase): Changed to use the Heap's new shouldCollect() function.

2012-03-23  Ryosuke Niwa  <rniwa@webkit.org>

        BitVector::resizeOutOfLine doesn't memset when converting an inline buffer
        https://bugs.webkit.org/show_bug.cgi?id=82012

        Reviewed by Filip Pizlo.

        Initialize out-of-line buffers while extending an inline buffer. Also export symbols to be used in WebCore.

        * wtf/BitVector.cpp:
        (WTF::BitVector::resizeOutOfLine):
        * wtf/BitVector.h:
        (BitVector):
        (OutOfLineBits):

2012-03-22  Michael Saboff  <msaboff@apple.com>

        ExecutableAllocator::memoryPressureMultiplier() might can return NaN
        https://bugs.webkit.org/show_bug.cgi?id=82002

        Reviewed by Filip Pizlo.

        Guard against divide by zero and then make sure the return
        value is >= 1.0.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::memoryPressureMultiplier):
        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::ExecutableAllocator::memoryPressureMultiplier):

2012-03-22  Jessie Berlin  <jberlin@apple.com>

        Windows build fix after r111778.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        Don't include and try to build files owned by WTF.
        Also, let VS have its way with the vcproj in terms of file ordering.

2012-03-22  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        [CMake] Unreviewed build fix after r111778.

        * CMakeLists.txt: Move ${WTF_DIR} after ${JAVASCRIPTCORE_DIR} in
        the include paths so that the right config.h is used.

2012-03-22  Tony Chang  <tony@chromium.org>

        Unreviewed, fix chromium build after wtf move.

        Remove old wtf_config and wtf targets.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:

2012-03-22  Martin Robinson  <mrobinson@igalia.com>

        Fixed the GTK+ WTF/JavaScriptCore build after r111778.

        * GNUmakefile.list.am: Removed an extra trailing backslash.

2012-03-22  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * Configurations/JavaScriptCore.xcconfig: Tell the linker to pull in all members from static libraries
        rather than only those that contain symbols that JavaScriptCore itself uses.
        * JavaScriptCore.xcodeproj/project.pbxproj: Remove some bogus settings that crept in to the Xcode project.

2012-03-22  Filip Pizlo  <fpizlo@apple.com>

        DFG NodeFlags has some duplicate code and naming issues
        https://bugs.webkit.org/show_bug.cgi?id=81975

        Reviewed by Gavin Barraclough.
        
        Removed most references to "ArithNodeFlags" since those are now just part
        of the node flags. Fixed some renaming goofs (EdgedAsNum is once again
        NodeUsedAsNum). Got rid of setArithNodeFlags() and mergeArithNodeFlags()
        because the former was never called and the latter did the same things as
        mergeFlags().

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::arithNodeFlags):
        (Node):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):

2012-03-22  Eric Seidel  <eric@webkit.org>

        Actually move WTF files to their new home
        https://bugs.webkit.org/show_bug.cgi?id=81844

        Unreviewed.  The details of the port-specific changes
        have been seen by contributors from those ports, but
        the whole 5MB change isn't very reviewable as-is.

        * GNUmakefile.am:
        * GNUmakefile.list.am:
        * JSCTypedArrayStubs.h:
        * JavaScriptCore.gypi:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * jsc.cpp:

2012-03-22  Kevin Ollivier  <kevino@theolliviers.com>

        [wx] Unreviewed. Adding Source/WTF to the build.

        * wscript:

2012-03-22  Gavin Barraclough  <barraclough@apple.com>

        Add JSValue::isFunction
        https://bugs.webkit.org/show_bug.cgi?id=81935

        Reviewed by Geoff Garen.

        This would be useful in the WebCore bindings code.
        Also, remove asFunction, replace with jsCast<JSFunction*>.

        * API/JSContextRef.cpp:
        * debugger/Debugger.cpp:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::functionName):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueOfFunctionConstant):
        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::isInlineCallFrameSlow):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::jitCompileFor):
        (JSC::lazyLinkFor):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::traceFunctionPrologue):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::setUpCall):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::compileOptimizedFor):
        * runtime/FunctionPrototype.cpp:
        (JSC::functionProtoFuncToString):
        * runtime/JSArray.cpp:
        (JSC::JSArray::sort):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::argumentsGetter):
        (JSC::JSFunction::callerGetter):
        (JSC::JSFunction::lengthGetter):
        * runtime/JSFunction.h:
        (JSC):
        (JSC::asJSFunction):
        (JSC::JSValue::isFunction):
        * runtime/JSGlobalData.cpp:
        (WTF::Recompiler::operator()):
        (JSC::JSGlobalData::releaseExecutableMemory):
        * runtime/JSValue.h:
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):

2012-03-21  Filip Pizlo  <fpizlo@apple.com>

        DFG speculation on booleans should be rationalized
        https://bugs.webkit.org/show_bug.cgi?id=81840

        Reviewed by Gavin Barraclough.
        
        This removes isKnownBoolean() and replaces it with AbstractState-based
        optimization, and cleans up the control flow in code gen methods for
        Branch and LogicalNot. Also fixes a goof in Node::shouldSpeculateNumber,
        and removes isKnownNotBoolean() since that method appeared to be a
        helper used solely by 32_64's speculateBooleanOperation().
        
        This is performance-neutral.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateNumber):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-21  Mark Rowe  <mrowe@apple.com>

        Fix the build.

        * wtf/MetaAllocator.h:
        (MetaAllocator): Export the destructor.

2012-03-21  Eric Seidel  <eric@webkit.org>

        Fix remaining WTF includes in JavaScriptCore in preparation for moving WTF headers out of JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=81834

        Reviewed by Adam Barth.

        * jsc.cpp:
        * os-win32/WinMain.cpp:
        * runtime/JSDateMath.cpp:
        * runtime/TimeoutChecker.cpp:
        * testRegExp.cpp:
        * tools/CodeProfiling.cpp:

2012-03-21  Eric Seidel  <eric@webkit.org>

        WTF::MetaAllocator has a weak vtable (discovered when building wtf as a static library)
        https://bugs.webkit.org/show_bug.cgi?id=81838

        Reviewed by Geoffrey Garen.

        My understanding is that weak vtables happen when the compiler/linker cannot
        determine which compilation unit should constain the vtable.  In this case
        because there were only pure virtual functions as well as an "inline"
        virtual destructor (thus the virtual destructor was defined in many compilation
        units).  Since you can't actually "inline" a virtual function (it still has to
        bounce through the vtable), the "inline" on this virutal destructor doesn't
        actually help performance, and is only serving to confuse the compiler here.
        I've moved the destructor implementation to the .cpp file, thus making
        it clear to the compiler where the vtable should be stored, and solving the error.

        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::~MetaAllocator):
        (WTF):
        * wtf/MetaAllocator.h:

2012-03-20  Gavin Barraclough  <barraclough@apple.com>

        RegExpMatchesArray should not copy the ovector
        https://bugs.webkit.org/show_bug.cgi?id=81742

        Reviewed by Michael Saboff.

        Currently, all RegExpMatchesArray object contain Vector<int, 32>, used to hold any sub-pattern results.
        This makes allocation/construction/destruction of these objects more expensive. Instead, just store the
        main match, and recreate the sub-pattern ranges only if necessary (these are often only used for grouping,
        and the results never accessed).
        If the main match (index 0) of the RegExpMatchesArray is accessed, reify that value alone.

        * dfg/DFGOperations.cpp:
            - RegExpObject match renamed back to test (test returns a bool).
        * runtime/RegExpConstructor.cpp:
        (JSC):
            - Removed RegExpResult, RegExpMatchesArray constructor, destroy method.
        (JSC::RegExpMatchesArray::finishCreation):
            - Removed RegExpConstructorPrivate parameter.
        (JSC::RegExpMatchesArray::reifyAllProperties):
            - (Was fillArrayInstance) Reify all properties of the RegExpMatchesArray.
            If there are sub-pattern properties, the RegExp is re-run to generate their values.
        (JSC::RegExpMatchesArray::reifyMatchProperty):
            - Reify just the match (index 0) property of the RegExpMatchesArray.
        * runtime/RegExpConstructor.h:
        (RegExpConstructor):
        (JSC::RegExpConstructor::performMatch):
            - performMatch now returns a MatchResult, rather than using out-parameters.
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::RegExpMatchesArray):
            - Moved from .cpp, stores the input/regExp/result to use when lazily reifying properties.
        (RegExpMatchesArray):
        (JSC::RegExpMatchesArray::create):
            - Now passed the input string matched against, the RegExp, and the MatchResult.
        (JSC::RegExpMatchesArray::reifyAllPropertiesIfNecessary):
        (JSC::RegExpMatchesArray::reifyMatchPropertyIfNecessary):
            - Helpers to conditionally reify properties.
        (JSC::RegExpMatchesArray::getOwnPropertySlot):
        (JSC::RegExpMatchesArray::getOwnPropertySlotByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyDescriptor):
        (JSC::RegExpMatchesArray::put):
        (JSC::RegExpMatchesArray::putByIndex):
        (JSC::RegExpMatchesArray::deleteProperty):
        (JSC::RegExpMatchesArray::deletePropertyByIndex):
        (JSC::RegExpMatchesArray::getOwnPropertyNames):
        (JSC::RegExpMatchesArray::defineOwnProperty):
            - Changed to use reifyAllPropertiesIfNecessary/reifyMatchPropertyIfNecessary
            (getOwnPropertySlotByIndex calls reifyMatchPropertyIfNecessary if index is 0).
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
            - match now returns a MatchResult.
        * runtime/RegExpObject.h:
        (JSC::MatchResult::MatchResult):
            - Added the result of a match is a start & end tuple.
        (JSC::MatchResult::failed):
            - A failure is indicated by (notFound, 0).
        (JSC::MatchResult::operator bool):
            - Evaluates to false if the match failed.
        (JSC::MatchResult::empty):
            - Evaluates to true if the match succeeded with length 0.
        (JSC::RegExpObject::test):
            - Now returns a bool.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
            - RegExpObject match renamed back to test (test returns a bool).
        * runtime/StringPrototype.cpp:
        (JSC::removeUsingRegExpSearch):
        (JSC::replaceUsingRegExpSearch):
        (JSC::stringProtoFuncMatch):
        (JSC::stringProtoFuncSearch):
            - performMatch now returns a MatchResult, rather than using out-parameters.

2012-03-21  Hojong Han  <hojong.han@samsung.com>

        Fix out of memory by allowing overcommit
        https://bugs.webkit.org/show_bug.cgi?id=81743

        Reviewed by Geoffrey Garen.

        Garbage collection is not triggered and new blocks are added
        because overcommit is allowed by MAP_NORESERVE flag when high water mark is big enough.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2012-03-21  Jessie Berlin  <jberlin@apple.com>

        More Windows build fixing.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        Fix the order of the include directories to look in include/private first before looking
        in include/private/JavaScriptCore.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        Look in the Production output directory (where the wtf headers will be). This is the same
        thing that is done for jsc and testRegExp in ReleasePGO.

2012-03-21  Jessie Berlin  <jberlin@apple.com>

        WTF headers should be in $(ConfigurationBuildDir)\include\private\wtf, not
        $(ConfigurationBuildDir)\include\private\JavaScriptCore\wtf.
        https://bugs.webkit.org/show_bug.cgi?id=81739

        Reviewed by Dan Bernstein.

        * JavaScriptCore.vcproj/jsc/jsc.vcproj:
        Look for AtomicString.cpp, StringBuilder.cpp, StringImpl.cpp, and WTFString.cpp in the wtf
        subdirectory of the build output, not the JavaScriptCore/wtf subdirectory.
        * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj:
        Ditto.

        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops:
        Get the headers for those 4 files from the wtf subdirectory of the build output, not the
        JavaScriptCore/wtf subdirectory.
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:
        Ditto.

2012-03-20  Eric Seidel  <eric@webkit.org>

        Move wtf/Platform.h from JavaScriptCore to Source/WTF/wtf
        https://bugs.webkit.org/show_bug.cgi?id=80911

        Reviewed by Adam Barth.

        Update the various build systems to depend on Source/WTF headers
        as well as remove references to Platform.h (since it's now moved).

        * CMakeLists.txt:
        * JavaScriptCore.pri:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/CMakeLists.txt:

2012-03-20  Filip Pizlo  <fpizlo@apple.com>

        op_mod fails on many interesting corner cases
        https://bugs.webkit.org/show_bug.cgi?id=81648

        Reviewed by Oliver Hunt.
        
        Removed most strength reduction for op_mod, and fixed the integer handling
        to do the right thing for corner cases. Oddly, this revealed bugs in OSR,
        which this patch also fixes.
        
        This patch is performance neutral on all of the major benchmarks we track.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * jit/JIT.h:
        (JIT):
        * jit/JITArithmetic.cpp:
        (JSC):
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_mod):
        (JSC::JIT::emitSlow_op_mod):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC):
        * jit/JITStubs.h:
        (TrampolineStructure):
        (JSC::JITThunks::ctiNativeConstruct):
        * llint/LowLevelInterpreter64.asm:
        * wtf/Platform.h:
        * wtf/SimpleStats.h:
        (WTF::SimpleStats::variance):

2012-03-20  Steve Falkenburg  <sfalken@apple.com>

        Windows (make based) build fix.
        <rdar://problem/11069015>

        * JavaScriptCore.vcproj/JavaScriptCore.make: devenv /rebuild doesn't work with JavaScriptCore.vcproj. Use /clean and /build instead.

2012-03-20  Steve Falkenburg  <sfalken@apple.com>

        Move WTF-related Windows project files out of JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=80680

        This change only moves the vcproj and related files from JavaScriptCore/JavaScriptCore.vcproj/WTF.
        It does not move any source code. This is in preparation for the WTF source move out of
        JavaScriptCore.

        Reviewed by Jessie Berlin.

        * JavaScriptCore.vcproj/JavaScriptCore.sln:
        * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln:
        * JavaScriptCore.vcproj/WTF: Removed.
        * JavaScriptCore.vcproj/WTF/WTF.vcproj: Removed.
        * JavaScriptCore.vcproj/WTF/WTFCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.make: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGenerated.vcproj: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedCommon.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebug.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugAll.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedDebugCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFGeneratedReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFPostBuild.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/WTFPreBuild.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/WTFProduction.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFRelease.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/WTFReleaseCairoCFLite.vsprops: Removed.
        * JavaScriptCore.vcproj/WTF/build-generated-files.sh: Removed.
        * JavaScriptCore.vcproj/WTF/copy-files.cmd: Removed.
        * JavaScriptCore.vcproj/WTF/work-around-vs-dependency-tracking-bugs.py: Removed.

2012-03-20  Benjamin Poulain  <bpoulain@apple.com>

        Cache the type string of JavaScript object
        https://bugs.webkit.org/show_bug.cgi?id=81446

        Reviewed by Geoffrey Garen.

        Instead of creating the JSString every time, we create
        lazily the strings in JSGlobalData.

        This avoid the construction of the StringImpl and of the JSString,
        which gives some performance improvements.

        * runtime/CommonIdentifiers.h:
        * runtime/JSValue.cpp:
        (JSC::JSValue::toStringSlowCase):
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        (JSC::SmallStrings::finalizeSmallStrings):
        (JSC::SmallStrings::initialize):
        (JSC):
        * runtime/SmallStrings.h:
        (SmallStrings):

2012-03-20  Oliver Hunt  <oliver@apple.com>

        Allow LLINT to work even when executable allocation fails.
        https://bugs.webkit.org/show_bug.cgi?id=81693

        Reviewed by Gavin Barraclough.

        Don't crash if executable allocation fails if we can fall back on LLINT

        * jit/ExecutableAllocatorFixedVMPool.cpp:
        (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveAndCommit):

2012-03-20  Csaba Osztrogonác  <ossy@webkit.org>

        Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1
        https://bugs.webkit.org/show_bug.cgi?id=81428

        32 bit buildfix after r111355.

        2147483648 (2^31) isn't valid int literal in ISO C90, because 2147483647 (2^31-1) is the biggest int.
        The smallest int is -2147483648 (-2^31) == -2147483647 - 1  == -INT32_MAX-1 == INT32_MIN (stdint.h).

        Reviewed by Zoltan Herczeg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):

2012-03-19  Jochen Eisinger  <jochen@chromium.org>

        Split WTFReportBacktrace into WTFReportBacktrace and WTFPrintBacktrace
        https://bugs.webkit.org/show_bug.cgi?id=80983

        Reviewed by Darin Adler.

        This allows printing a backtrace acquired by an earlier WTFGetBacktrace
        call which is useful for local debugging.

        * wtf/Assertions.cpp:
        * wtf/Assertions.h:

2012-03-19  Benjamin Poulain  <benjamin@webkit.org>

        Do not copy the script source in the SourceProvider, just reference the existing string
        https://bugs.webkit.org/show_bug.cgi?id=81466

        Reviewed by Geoffrey Garen.

        * parser/SourceCode.h: Remove the unused, and incorrect, function data().
        * parser/SourceProvider.h: Add OVERRIDE for clarity.

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        Division optimizations fail to infer cases of truncated division and
        mishandle -2147483648/-1
        https://bugs.webkit.org/show_bug.cgi?id=81428
        <rdar://problem/11067382>

        Reviewed by Oliver Hunt.

        If you're a division over integers and you're only used as an integer, then you're
        an integer division and remainder checks become unnecessary. If you're dividing
        -2147483648 by -1, don't crash.

        * assembler/MacroAssemblerX86Common.h:
        (MacroAssemblerX86Common):
        (JSC::MacroAssemblerX86Common::add32):
        * dfg/DFGSpeculativeJIT.cpp:
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter64.asm:

2012-03-19  Benjamin Poulain  <bpoulain@apple.com>

        Simplify SmallStrings
        https://bugs.webkit.org/show_bug.cgi?id=81445

        Reviewed by Gavin Barraclough.

        SmallStrings had two methods that should not be public: count() and clear().

        The method clear() is effectively replaced by finalizeSmallStrings(). The body
        of the method was moved to the constructor since the code is obvious.

        The method count() is unused.

        * runtime/SmallStrings.cpp:
        (JSC::SmallStrings::SmallStrings):
        * runtime/SmallStrings.h:
        (SmallStrings):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG can no longer compile V8-v4/regexp in debug mode
        https://bugs.webkit.org/show_bug.cgi?id=81592

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        Prediction propagation for UInt32ToNumber incorrectly assumes that outs outcome does not
        change throughout the fixpoint
        https://bugs.webkit.org/show_bug.cgi?id=81583

        Reviewed by Michael Saboff.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        GC should not attempt to clear LLInt instruction inline caches for code blocks that are in
        the process of being generated
        https://bugs.webkit.org/show_bug.cgi?id=81565

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally):

2012-03-19  Eric Seidel  <eric@webkit.org>

        Fix WTF header include discipline in Chromium WebKit
        https://bugs.webkit.org/show_bug.cgi?id=81281

        Reviewed by James Robinson.

        * JavaScriptCore.gyp/JavaScriptCore.gyp:
        * wtf/unicode/icu/CollatorICU.cpp:

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        DFG NodeUse should be called Edge and NodeReferenceBlob should be called AdjacencyList
        https://bugs.webkit.org/show_bug.cgi?id=81556

        Rubber stamped by Gavin Barraclough.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::forNode):
        * dfg/DFGAdjacencyList.h: Copied from Source/JavaScriptCore/dfg/DFGNodeReferenceBlob.h.
        (JSC::DFG::AdjacencyList::AdjacencyList):
        (JSC::DFG::AdjacencyList::child):
        (JSC::DFG::AdjacencyList::setChild):
        (JSC::DFG::AdjacencyList::child1):
        (JSC::DFG::AdjacencyList::child2):
        (JSC::DFG::AdjacencyList::child3):
        (JSC::DFG::AdjacencyList::setChild1):
        (JSC::DFG::AdjacencyList::setChild2):
        (JSC::DFG::AdjacencyList::setChild3):
        (JSC::DFG::AdjacencyList::child1Unchecked):
        (JSC::DFG::AdjacencyList::initialize):
        (AdjacencyList):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::canonicalize):
        (JSC::DFG::CSEPhase::performSubstitution):
        * dfg/DFGEdge.h: Copied from Source/JavaScriptCore/dfg/DFGNodeUse.h.
        (DFG):
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::operator==):
        (JSC::DFG::Edge::operator!=):
        (Edge):
        (JSC::DFG::operator==):
        (JSC::DFG::operator!=):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::operator[]):
        (JSC::DFG::Graph::at):
        (JSC::DFG::Graph::ref):
        (JSC::DFG::Graph::deref):
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        (Graph):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::getPrediction):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child1Unchecked):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (Node):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::arithNodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        (JSC::DFG::nodeUsedAsNumber):
        * dfg/DFGNodeReferenceBlob.h: Removed.
        * dfg/DFGNodeUse.h: Removed.
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultArithFlags):
        (JSC::DFG::PredictionPropagationPhase::vote):
        (JSC::DFG::PredictionPropagationPhase::fixupNode):
        * dfg/DFGScoreBoard.h:
        (JSC::DFG::ScoreBoard::use):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::useChildren):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::at):
        (JSC::DFG::SpeculativeJIT::canReuse):
        (JSC::DFG::SpeculativeJIT::use):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        (JSC::DFG::IntegerOperand::IntegerOperand):
        (JSC::DFG::DoubleOperand::DoubleOperand):
        (JSC::DFG::JSValueOperand::JSValueOperand):
        (JSC::DFG::StorageOperand::StorageOperand):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateStrictInt32Operand::SpeculateStrictInt32Operand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        Object.freeze broken on latest Nightly
        https://bugs.webkit.org/show_bug.cgi?id=80577

        Reviewed by Oliver Hunt.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
            - defineOwnProperty was checking for correct behaviour, provided that length/callee hadn't
            been overrridden. instead, just reify length/callee & rely on JSObject::defineOwnProperty.
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):
            - for arguments/caller/length properties, defineOwnProperty was incorrectly asserting that
            the object must be extensible; this is incorrect since these properties should already exist
            on the object. In addition, it was asserting that the arguments/caller values must match the
            corresponding magic data properties, but for strict mode function this is incorrect. Instead,
            just reify the arguments/caller accessor & defer to JSObject::defineOwnProperty.

2012-03-19  Filip Pizlo  <fpizlo@apple.com>

        LLInt get_by_pname slow path incorrectly assumes that the operands are not constants
        https://bugs.webkit.org/show_bug.cgi?id=81559

        Reviewed by Michael Saboff.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2012-03-19  Yong Li  <yoli@rim.com>

        [BlackBerry] Implement OSAllocator::commit/decommit in the correct way
        https://bugs.webkit.org/show_bug.cgi?id=77013

        We should use mmap(PROT_NONE, MAP_LAZY) instead of posix_madvise() to
        implement memory decommitting for QNX.

        Reviewed by Rob Buis.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - revent a couple of files accidentally committed.

        * runtime/Arguments.cpp:
        (JSC::Arguments::defineOwnProperty):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::defineOwnProperty):

2012-03-19  Jessie Berlin  <jberlin@apple.com>

        Another Windows build fix after r111129.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-19  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        Cross-platform processor core counter: fix build on FreeBSD.
        https://bugs.webkit.org/show_bug.cgi?id=81482

        Reviewed by Zoltan Herczeg.

        The documentation of sysctl(3) shows that <sys/types.h> should be
        included before <sys/sysctl.h> (sys/types.h tends to be the first
        included header in general).

        This should fix the build on FreeBSD and other systems where
        sysctl.h really depends on types defined in types.h.

        * wtf/NumberOfCores.cpp:

2012-03-19  Jessie Berlin  <jberlin@apple.com>

        Windows build fix after r111129.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-19  Gavin Barraclough  <barraclough@apple.com>

        JSCallbackFunction::toStringCallback/valueOfCallback do not handle 0 return value from convertToType
        https://bugs.webkit.org/show_bug.cgi?id=81468 <rdar://problem/11034745>

        Reviewed by Oliver Hunt.

        The API specifies that convertToType may opt not to handle a conversion:
            "@result The objects's converted value, or NULL if the object was not converted."
        In which case, it would propagate first up the JSClass hierarchy, calling its superclass's
        conversion functions, and failing that call the JSObject::defaultValue function.

        Unfortunately this behaviour was removed in bug#69677/bug#69858, and instead we now rely on
        the toStringCallback/valueOfCallback function introduced in bug#69156. Even after a fix in
        bug#73368, these will return the result from the first convertToType they find, regardless
        of whether this result is null, and if no convertToType method is found in the api class
        hierarchy (possible if toStringCallback/valueOfCallback was accessed off the prototype
        chain), they will also return a null pointer. This is unsafe.

        It would be easy to make the approach based around toStringCallback/valueOfCallback continue
        to walk the api class hierarchy, but making the fallback to defaultValue would be problematic
        (since defaultValue calls toStringCallback/valueOfCallback, this would infinitely recurse).
        Making the fallback work with toString/valueOf methods attached to api objects is probably
        not the right thing to do – instead, we should just implement the defaultValue trap for api
        objects.

        In addition, this bug highlights that fact that JSCallbackFunction::call will allow a hard
        null to be returned from C to JavaScript - this is not okay. Handle with an exception.

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call):
            - Should be null checking the return value.
        (JSC):
            - Remove toStringCallback/valueOfCallback.
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
            - Remove toStringCallback/valueOfCallback.
        * API/JSCallbackObject.h:
        (JSCallbackObject):
            - Add defaultValue mthods to JSCallbackObject.
        * API/JSCallbackObjectFunctions.h:
        (JSC::::defaultValue):
            - Add defaultValue mthods to JSCallbackObject.
        * API/JSClassRef.cpp:
        (OpaqueJSClass::prototype):
            - Remove toStringCallback/valueOfCallback.
        * API/tests/testapi.js:
            - Revert this test, now we no longer artificially introduce a toString method onto the api object.

2012-03-18  Raphael Kubo da Costa  <rakuco@FreeBSD.org>

        [EFL] Include ICU_INCLUDE_DIRS when building.
        https://bugs.webkit.org/show_bug.cgi?id=81483

        Reviewed by Daniel Bates.

        So far, only the ICU libraries were being included when building
        JavaScriptCore, however the include path is also needed, otherwise the
        build will fail when ICU is installed into a non-standard location.

        * PlatformEfl.cmake: Include ${ICU_INCLUDE_DIRS}.

2012-03-17  Gavin Barraclough  <barraclough@apple.com>

        Strength reduction, RegExp.exec -> RegExp.test
        https://bugs.webkit.org/show_bug.cgi?id=81459

        Reviewed by Sam Weinig.

        RegExp.prototype.exec & RegExp.prototype.test can both be used to test a regular
        expression for a match against a string - however exec is more expensive, since
        it allocates a matches array object. In cases where the result is consumed in a
        boolean context the allocation of the matches array can be trivially elided.

        For example:
            function f()
            {
                for (i =0; i < 10000000; ++i)
                    if(!/a/.exec("a"))
                        err = true;
            }

        This is a 2.5x speedup on this example microbenchmark loop.

        In a more advanced form of this optimization, we may be able to avoid allocating
        the array where access to the array can be observed.

        * create_hash_table:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileRegExpExec):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jsc.cpp:
        (GlobalObject::addConstructableFunction):
        * runtime/Intrinsic.h:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        (JSC):
        * runtime/JSFunction.h:
        (JSFunction):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/RegExpObject.cpp:
        (JSC::RegExpObject::exec):
        (JSC::RegExpObject::match):
        * runtime/RegExpObject.h:
        (RegExpObject):
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncTest):
        (JSC::regExpProtoFuncExec):

2012-03-16  Michael Saboff  <msaboff@apple.com>

        Improve diagnostic benefit of JSGlobalData::m_isInitializingObject
        https://bugs.webkit.org/show_bug.cgi?id=81244

        Rubber stamped by Filip Pizlo.

        Changed type and name of JSGlobalData::m_isInitializingObject to
        ClassInfo* and m_initializingObjectClass.
        Changed JSGlobalData::setInitializingObject to
        JSGlobalData::setInitializingObjectClass.  This pointer can be used within 
        the debugger to determine what type of object is being initialized.
        
        * runtime/JSCell.h:
        (JSC::JSCell::finishCreation):
        (JSC::allocateCell):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::isInitializingObject):
        (JSC::JSGlobalData::setInitializingObjectClass):
        * runtime/Structure.h:
        (JSC::JSCell::finishCreation):

2012-03-16  Mark Rowe  <mrowe@apple.com>

        Build fix. Do not preserve owner and group information when installing the WTF headers.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2012-03-15  David Dorwin  <ddorwin@chromium.org>

        Make the array pointer parameters in the Typed Array create() methods const.
        https://bugs.webkit.org/show_bug.cgi?id=81147

        Reviewed by Kenneth Russell.

        This allows const arrays to be passed to these methods.
        They use PassRefPtr<Subclass> create(), which already has a const parameter.

        * wtf/Int16Array.h:
        (Int16Array):
        (WTF::Int16Array::create):
        * wtf/Int32Array.h:
        (Int32Array):
        (WTF::Int32Array::create):
        * wtf/Int8Array.h:
        (Int8Array):
        (WTF::Int8Array::create):
        * wtf/Uint16Array.h:
        (Uint16Array):
        (WTF::Uint16Array::create):
        * wtf/Uint32Array.h:
        (Uint32Array):
        (WTF::Uint32Array::create):
        * wtf/Uint8Array.h:
        (Uint8Array):
        (WTF::Uint8Array::create):
        * wtf/Uint8ClampedArray.h:
        (Uint8ClampedArray):
        (WTF::Uint8ClampedArray::create):

2012-03-15  Myles Maxfield  <mmaxfield@google.com>

        CopiedSpace::tryAllocateOversize assumes system page size
        https://bugs.webkit.org/show_bug.cgi?id=80615

        Reviewed by Geoffrey Garen.

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::tryAllocateOversize):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/CopiedSpaceInlineMethods.h:
        (JSC::CopiedSpace::oversizeBlockFor):
        * wtf/BumpPointerAllocator.h:
        (WTF::BumpPointerPool::create):
        * wtf/StdLibExtras.h:
        (WTF::roundUpToMultipleOf):

2012-03-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fixing Windows build breakage

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-15  Patrick Gansterer  <paroga@webkit.org>

        [EFL] Make zlib a general build requirement
        https://bugs.webkit.org/show_bug.cgi?id=80153

        Reviewed by Hajime Morita.

        After r109538 WebSocket module needs zlib to support deflate-frame extension.

        * wtf/Platform.h:

2012-03-15  Benjamin Poulain  <bpoulain@apple.com>

        NumericStrings should be inlined
        https://bugs.webkit.org/show_bug.cgi?id=81183

        Reviewed by Gavin Barraclough.

        NumericStrings is not always inlined. When it is not, the class is not faster
        than using UString::number() directly.

        * runtime/NumericStrings.h:
        (JSC::NumericStrings::add):
        (JSC::NumericStrings::lookupSmallString):

2012-03-15  Andras Becsi  <andras.becsi@nokia.com>

        Fix ARM build after r110792.

        Unreviewed build fix.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):
        Remove superfluous curly brackets.

2012-03-15  Gavin Barraclough  <barraclough@apple.com>

        ARMv7: prefer vmov(gpr,gpr->double) over vmov(gpr->single)
        https://bugs.webkit.org/show_bug.cgi?id=81256

        Reviewed by Oliver Hunt.

        This is a 0.5% sunspider progression.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::convertInt32ToDouble):
            - switch which form of vmov we use.

2012-03-15  YoungTaeck Song  <youngtaeck.song@samsung.com>

        [EFL] Add OwnPtr specialization for Ecore_Timer.
        https://bugs.webkit.org/show_bug.cgi?id=80119

        Reviewed by Hajime Morita.

        Add an overload for deleteOwnedPtr(Ecore_Timer*) on EFL port.

        * wtf/OwnPtrCommon.h:
        (WTF):
        * wtf/efl/OwnPtrEfl.cpp:
        (WTF::deleteOwnedPtr):
        (WTF):

2012-03-15  Hojong Han  <hojong.han@samsung.com>

        Linux has madvise enough to support OSAllocator::commit/decommit
        https://bugs.webkit.org/show_bug.cgi?id=80505

        Reviewed by Geoffrey Garen.

        * wtf/OSAllocatorPosix.cpp:
        (WTF::OSAllocator::reserveUncommitted):
        (WTF::OSAllocator::commit):
        (WTF::OSAllocator::decommit):

2012-03-15  Steve Falkenburg  <sfalken@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops:
        * JavaScriptCore.vcproj/WTF/copy-files.cmd:
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:

2012-03-15  Steve Falkenburg  <sfalken@apple.com>

        Windows build fix.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj:

2012-03-15  Kevin Ollivier  <kevino@theolliviers.com>

        Move wx port to using export macros
        https://bugs.webkit.org/show_bug.cgi?id=77279

        Reviewed by Hajime Morita.

        * wscript:
        * wtf/Platform.h:

2012-03-14  Benjamin Poulain  <bpoulain@apple.com>

        Avoid StringImpl::getData16SlowCase() when sorting array
        https://bugs.webkit.org/show_bug.cgi?id=81070

        Reviewed by Geoffrey Garen.

        The function codePointCompare() is used intensively when sorting strings.
        This patch improves its performance by:
        -Avoiding character conversion.
        -Inlining the function.

        This makes Peacekeeper's arrayCombined test 30% faster.

        * wtf/text/StringImpl.cpp:
        * wtf/text/StringImpl.h:
        (WTF):
        (WTF::codePointCompare):
        (WTF::codePointCompare8):
        (WTF::codePointCompare16):
        (WTF::codePointCompare8To16):

2012-03-14  Hojong Han  <hojong.han@samsung.com>

        Fix memory allocation failed by fastmalloc
        https://bugs.webkit.org/show_bug.cgi?id=79614

        Reviewed by Geoffrey Garen.

        Memory allocation failed even if the heap grows successfully.
        It is wrong to get the span only from the large list after the heap grows,
        because new span could be added in the normal list.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::New):

2012-03-14  Hojong Han  <hojong.han@samsung.com>

        Run cacheFlush page by page to assure of flushing all the requested ranges
        https://bugs.webkit.org/show_bug.cgi?id=77712

        Reviewed by Geoffrey Garen.

        Current MetaAllocator concept, always coalesces adjacent free spaces,
        doesn't meet memory management of Linux kernel.
        In a certain case Linux kernel doesn't regard contiguous virtual memory areas as one but two.
        Therefore cacheFlush page by page guarantees a flush-requested range.

        * jit/ExecutableAllocator.h:
        (JSC::ExecutableAllocator::cacheFlush):

2012-03-14  Oliver Hunt  <oliver@apple.com>

        Make ARMv7 work again
        https://bugs.webkit.org/show_bug.cgi?id=81157

        Reviewed by Geoffrey Garen.

        We were trying to use the ARMv7 dataRegister as a scratch register in a scenario
        where we the ARMv7MacroAssembler would also try to use dataRegister for its own
        nefarious purposes.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::store32):
        * assembler/MacroAssemblerARMv7.h:
        (MacroAssemblerARMv7):

2012-03-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Heap::destroy leaks CopiedSpace
        https://bugs.webkit.org/show_bug.cgi?id=81055

        Reviewed by Geoffrey Garen.

        Added a destroy() function to CopiedSpace that moves all normal size 
        CopiedBlocks from the CopiedSpace to the Heap's list of free blocks 
        as well as deallocates all of the oversize blocks in the CopiedSpace. 
        This function is now called in Heap::destroy().

        * heap/CopiedSpace.cpp:
        (JSC::CopiedSpace::destroy):
        (JSC):
        * heap/CopiedSpace.h:
        (CopiedSpace):
        * heap/Heap.cpp:
        (JSC::Heap::destroy):

2012-03-14  Andrew Lo  <anlo@rim.com>

        [BlackBerry] Implement REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR using AnimationFrameRateController
        https://bugs.webkit.org/show_bug.cgi?id=81000

        Enable WTF_USE_REQUEST_ANIMATION_FRAME_DISPLAY_MONITOR for BlackBerry.

        Reviewed by Antonio Gomes.

        * wtf/Platform.h:

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        ValueToInt32 speculation will cause OSR exits even when it does not have to
        https://bugs.webkit.org/show_bug.cgi?id=81068
        <rdar://problem/11043926>

        Reviewed by Anders Carlsson.
        
        Two related changes:
        1) ValueToInt32 will now always just defer to the non-speculative path, instead
           of exiting, if it doesn't know what speculations to perform.
        2) ValueToInt32 will speculate boolean if it sees this to be profitable.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateBoolean):
        (Node):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        More Windows build fixing

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Windows build fix

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2012-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        Type conversion of exponential part failed
        https://bugs.webkit.org/show_bug.cgi?id=80673

        Reviewed by Geoffrey Garen.

        * parser/Lexer.cpp:
        (JSC::::lex):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::parseInt):
        (JSC):
        (JSC::jsStrDecimalLiteral): Added another template argument that exposes whether or not
        we accept trailing junk to clients of jsStrDecimalLiteral. Also added additional template 
        parameter for strtod to allow trailing spaces.
        (JSC::toDouble):
        (JSC::parseFloat): Accept trailing junk, as per the ECMA 262 spec (15.1.2.3).
        * runtime/LiteralParser.cpp:
        (JSC::::Lexer::lexNumber):
        * tests/mozilla/expected.html: Update the expected page for run-javascriptcore-tests so that 
        we will run ecma/TypeConversion/9.3.1-3.js as a regression test now.
        * wtf/dtoa.cpp:
        (WTF):
        (WTF::strtod): We also needed to sometimes accept trailing spaces to pass a few other tests that were 
        broken by changing the default allowance of trailing junk in jsStrDecimalLiteral.
        * wtf/dtoa.h:
        * wtf/dtoa/double-conversion.cc: When the AdvanceToNonspace function was lifted out of the 
        Chromium codebase, the person porting it only thought to check for spaces when skipping whitespace.
        A few of our JSC tests check for other types of trailing whitespace, so I've added checks for those 
        here to cover those cases (horizontal tab, vertical tab, carriage return, form feed, and line feed).
        * wtf/text/WTFString.cpp:
        (WTF::toDoubleType): Disallow trailing spaces, as this breaks form input verification stuff.

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fix since is_pod<> includes some header that I didn't know about.
        Removing the assert for now.

        * dfg/DFGOperations.h:
        * llint/LLIntSlowPaths.h:

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Functions with C linkage should return POD types
        https://bugs.webkit.org/show_bug.cgi?id=81061

        Reviewed by Mark Rowe.

        * dfg/DFGOperations.h:
        * llint/LLIntSlowPaths.h:
        (LLInt):
        (SlowPathReturnType):
        (JSC::LLInt::encodeResult):

2012-03-13  Filip Pizlo  <fpizlo@apple.com>

        Loads from UInt32Arrays should not result in a double up-convert if it isn't necessary
        https://bugs.webkit.org/show_bug.cgi?id=80979
        <rdar://problem/11036848>

        Reviewed by Oliver Hunt.
        
        Also improved DFG IR dumping to include type information in a somewhat more
        intuitive way.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToAbbreviatedString):
        (JSC):
        * bytecode/PredictedType.h:
        (JSC):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):

2012-03-13  George Staikos  <staikos@webkit.org>

        The callback is only used if SA_RESTART is defined.  Compile it out
        otherwise to avoid a warning.
        https://bugs.webkit.org/show_bug.cgi?id=80926

        Reviewed by Alexey Proskuryakov.

        * heap/MachineStackMarker.cpp:
        (JSC):

2012-03-