DFG should not speculate array even when predictions say that the base is not an...

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2011-12-22  Filip Pizlo  <fpizlo@apple.com>

        DFG should not speculate array even when predictions say that the base is not an array
        https://bugs.webkit.org/show_bug.cgi?id=75160
        <rdar://problem/10622646>
        <rdar://problem/10622649>

        Reviewed by Oliver Hunt.
        
        Added the ability to call slow path when the base is known to not be an array.
        Also rationalized the logic for deciding when the index is not an int, and
        cleaned up the logic for deciding when to speculate typed array.
        
        Neutral for the most part, with odd speed-ups and slow-downs. The slow-downs can
        likely be mitigated by having the notion of a polymorphic array access, where we
        try, but don't speculate, to access the array one way before either trying some
        other ways or calling slow path.

        * bytecode/PredictedType.h:
        (JSC::isActionableMutableArrayPrediction):
        (JSC::isActionableArrayPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateInt8Array):
        (JSC::DFG::Node::shouldSpeculateInt16Array):
        (JSC::DFG::Node::shouldSpeculateInt32Array):
        (JSC::DFG::Node::shouldSpeculateUint8Array):
        (JSC::DFG::Node::shouldSpeculateUint16Array):
        (JSC::DFG::Node::shouldSpeculateUint32Array):
        (JSC::DFG::Node::shouldSpeculateFloat32Array):
        (JSC::DFG::Node::shouldSpeculateFloat64Array):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::byValIsPure):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-22  Gavin Barraclough  <barraclough@apple.com>

        Unreviewed - fix stylebot issues from last patch.

        * runtime/JSArray.cpp:
        (JSC::JSArray::putSlowCase):

2011-12-22  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=75151
        Add attributes field to JSArray's SparseMap

        Reviewed by Sam Weinig.

        This will be necessary to be able to support non- writable/configurable/enumerable
        properties, and helpful for getters/setters.

        Added a concept of being 'inSparseMode' - this indicates the array has a non-standard

        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncSort):
            - JSArray::sort methods not allowed on arrays that are 'inSparseMode'.
              (must fall back to generic sort alogrithm).
        * runtime/JSArray.cpp:
        (JSC::JSArray::finishCreation):
            - moved reportedMapCapacity into the SparseArrayValueMap object.
        (JSC::SparseArrayValueMap::find):
        (JSC::SparseArrayValueMap::put):
        (JSC::SparseArrayValueMap::visitChildren):
            - Added.
        (JSC::JSArray::getOwnPropertySlotByIndex):
        (JSC::JSArray::getOwnPropertyDescriptor):
        (JSC::JSArray::putSlowCase):
        (JSC::JSArray::deletePropertyByIndex):
        (JSC::JSArray::getOwnPropertyNames):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::visitChildren):
            - Updated for changes in SparseArrayValueMap.
        (JSC::JSArray::sortNumeric):
        (JSC::JSArray::sort):
        (JSC::JSArray::compactForSorting):
            - Disallow on 'SparseMode' arrays.
        * runtime/JSArray.h:
        (JSC::SparseArrayEntry::SparseArrayEntry):
            - An entry in the sparse array - value (WriteBarrier) + attributes.
        (JSC::SparseArrayValueMap::SparseArrayValueMap):
        (JSC::SparseArrayValueMap::sparseMode):
        (JSC::SparseArrayValueMap::setSparseMode):
            - Flags to track whether an Array is forced into SparseMode.
        (JSC::SparseArrayValueMap::remove):
        (JSC::SparseArrayValueMap::notFound):
        (JSC::SparseArrayValueMap::isEmpty):
        (JSC::SparseArrayValueMap::contains):
        (JSC::SparseArrayValueMap::size):
        (JSC::SparseArrayValueMap::begin):
        (JSC::SparseArrayValueMap::end):
            - accessors to the map
        (JSC::SparseArrayValueMap::take):
            - only for use on non-SpareMode arrays.
        (JSC::JSArray::inSparseMode):
            - Added.

2011-12-22  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA sometimes generates an incorrect proof that a node is known to be a typed array
        https://bugs.webkit.org/show_bug.cgi?id=75150
        <rdar://problem/10621900>

        Reviewed by Gavin Barraclough.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):

2011-12-22  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does exactly the wrong thing when doing strict equality on two known cells
        https://bugs.webkit.org/show_bug.cgi?id=75138
        <rdar://problem/10621526>

        Reviewed by Oliver Hunt.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):

2011-12-22  Balazs Kelemen  <kbalazs@webkit.org>

        Fix debug build with assertions disabled
        https://bugs.webkit.org/show_bug.cgi?id=75075

        Reviewed by Darin Adler.

        Check whether assertions are disabled instead of NDEBUG
        where appropriate to avoid "defined but not used" warnings.

        * wtf/DateMath.cpp:
        (WTF::initializeDates):

2011-12-22  Mariusz Grzegorczyk  <mariusz.g@samsung.com>

        [EFL] Missing plugins support for efl port
        https://bugs.webkit.org/show_bug.cgi?id=44505

        Reviewed by Anders Carlsson.

        Add define of ENABLE_PLUGIN_PACKAGE_SIMPLE_HASH for efl port.

        * wtf/Platform.h:

2011-12-22  Wei Charles  <charles.wei@torchmobile.com.cn>

        Remove un-used data member of LiteralParser::Lex::m_string
        https://bugs.webkit.org/show_bug.cgi?id=68216

        Reviewed by George Staikos.

        * runtime/LiteralParser.h:

2011-12-21  Dan Bernstein  <mitz@apple.com>

        OS X build fix after r103488.

        * JavaScriptCore.exp:

2011-12-21  Konrad Piascik  <kpiascik@rim.com>

        Implement the JavaScriptCore bindings for eventListenerHandlerLocation
        https://bugs.webkit.org/show_bug.cgi?id=74313

        Reviewed by Eric Seidel.

        Updated project files to get Windows and Mac builds working.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-12-21  Filip Pizlo  <fpizlo@apple.com>

        DFG ConvertThis optimizations do not honor the distinction between the global object and the global this object
        https://bugs.webkit.org/show_bug.cgi?id=75058
        <rdar://problem/10616612>
        <rdar://problem/10617500>

        Reviewed by Oliver Hunt.
        
        Added a call to toThisObject() in the DFG when planting a direct reference to the global this object.
        Instead of adding a separate toThisObject() method on JSCell which does not take ExecState*, I reascribed
        a new contract: if you're calling toThisObject() on JSObject or one of its subtypes, then the ExecState*
        is optional.

        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::globalThisObjectFor):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSObject.h:

2011-12-21  Pierre Rossi  <pierre.rossi@gmail.com>

        Implement montonicallyIncreasingClock() on Qt
        https://bugs.webkit.org/show_bug.cgi?id=62159

        Reviewed by Darin Adler.

        * wtf/CurrentTime.cpp:
        (WTF::monotonicallyIncreasingTime):

2011-12-20  Filip Pizlo  <fpizlo@apple.com>

        32_64 baseline JIT should attempt to convert division results to integers, and record when that fails
        https://bugs.webkit.org/show_bug.cgi?id=74997
        <rdar://problem/10612389>

        Reviewed by Gavin Barraclough.

        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_div):

2011-12-20  Filip Pizlo  <fpizlo@apple.com>

        JavaScriptCore should be consistent about how it reads and writes ArgumentCount
        https://bugs.webkit.org/show_bug.cgi?id=74989
        <rdar://problem/10612006>

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_get_arguments_length):
        (JSC::JIT::emit_op_get_argument_by_val):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::SpecializedThunkJIT):

2011-12-20  Filip Pizlo  <fpizlo@apple.com>

        Value Profiles for arguments should be more easily accessible to the interpreter
        https://bugs.webkit.org/show_bug.cgi?id=74984
        <rdar://problem/10611364>

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        (JSC::CodeBlock::shouldOptimizeNow):
        (JSC::CodeBlock::dumpValueProfiles):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setArgumentValueProfileSize):
        (JSC::CodeBlock::numberOfArgumentValueProfiles):
        (JSC::CodeBlock::valueProfileForArgument):
        (JSC::CodeBlock::addValueProfile):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::totalNumberOfValueProfiles):
        (JSC::CodeBlock::getFromAllValueProfiles):
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITInlineMethods.h:
        (JSC::JIT::emitValueProfilingSite):

2011-12-20  Gavin Barraclough  <barraclough@apple.com>

        JSC shell should accept utf8 input.

        Reviewed by Filip Pizlo.

        * jsc.cpp:
        (jscSource):
        (functionRun):
        (functionLoad):
        (functionCheckSyntax):
        (runWithScripts):
        (runInteractive):

2011-12-20  Gavin Barraclough  <barraclough@apple.com>

        Rubber Stamped by Sam Weinig

        * runtime/JSGlobalData.cpp:
            - removed some dead code.

2011-12-19  Geoffrey Garen  <ggaren@apple.com>

        Tightened up Vector<T>::append
        https://bugs.webkit.org/show_bug.cgi?id=74906

        Reviewed by Sam Weinig.

        Not a measurable speedup, but code inspection shows better code generated,
        and I believe this is a step toward turning off -fomit-frame-pointer.

        * wtf/Vector.h:
        (WTF::::append):
        (WTF::::appendSlowCase): Split out the slow case into a separate function
        to keep unnecessary instructions off the hot path. This means the hot
        path can now be inlined more often.
        
        Removed some old MSVC7 cruft. Hopefully, we don't need to hang on to a
        compiler work-around from 2007.

2011-12-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        Temporary GPR should not be lazily allocated in DFG JIT on X86
        https://bugs.webkit.org/show_bug.cgi?id=74908

        Reviewed by Filip Pizlo.

        On X86, we used to allocate a temporary GPR lazily when it's really
        used rather than defined. This may cause potential issues of
        allocating registers inside control flow and result in problems in
        subsequent code generation, for example the DFG JIT may think an
        operand already being spilled (to satisfy the allocation request) and
        generate code to read the data from memory, but the allocation and
        spilling are in a branch which is not taken at runtime, so the
        generated code is incorrect.

        Although current DFG JIT code doesn't have this problematic pattern,
        it's better to cut-off the root to avoid any potential issues in the
        future.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::GPRTemporary::gpr):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-19  Yuqiang Xian  <yuqiang.xian@intel.com>

        Remove unused code for non-speculative Arith operations from DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=74905

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:

2011-12-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=74903
        Exceptions not thrown correctly from DFG JIT on 32bit

        Reviewed by Oliver Hunt.

        Arguments for lookupExceptionHandler are not setup correctly.
        In the case of ARMv7 we rely on lr being preserved over a call,
        this in invalid. On x86 we don't should be poking the arguments onto the stack!

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
        * dfg/DFGGPRInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileBody):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addExceptionCheck):
        (JSC::DFG::JITCompiler::addFastExceptionCheck):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:

2011-12-19  Filip Pizlo  <fpizlo@apple.com>

        If we detect that we can use the JIT, don't use computed opcode lookups
        https://bugs.webkit.org/show_bug.cgi?id=74899
        <rdar://problem/10604551>

        Reviewed by Gavin Barraclough.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::initialize):
        (JSC::Interpreter::privateExecute):
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2011-12-19  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Qt build.

        Unreviewed.

        * wtf/ThreadSpecific.h: #include!

2011-12-18  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to change the value of an Options variable without recompiling the world
        https://bugs.webkit.org/show_bug.cgi?id=74807

        Reviewed by Gavin Barraclough.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):
        * runtime/Options.h:

2011-12-19  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r103250.
        http://trac.webkit.org/changeset/103250
        https://bugs.webkit.org/show_bug.cgi?id=74877

        it still breaks codegen (Requested by olliej on #webkit).

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::byValIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-16  Oliver Hunt  <oliver@apple.com>

        Rolling r103120 back in with merge errors corrected.

        PutByVal[Alias] unnecessarily reloads the storage buffer
        https://bugs.webkit.org/show_bug.cgi?id=74747

        Reviewed by Gavin Barraclough.

        Make PutByVal use GetIndexedStorage to load the storage buffer.
        This required switching PutByVal to a vararg node (which is
        responsible for most of the noise in this patch).  This fixes the
        remaining portion of the kraken regression caused by the GetByVal
        storage load elimination, and a 1-5% win on some of the sub tests of
        the typed array benchmark at:
        http://stepheneb.github.com/webgl-matrix-benchmarks/matrix_benchmark.html

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::byValIndexIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-15  Geoffrey Garen  <ggaren@apple.com>

        Placement new does an unnecessary NULL check
        https://bugs.webkit.org/show_bug.cgi?id=74676

        Reviewed by Sam Weinig.

        We can define our own version, which skips the NULL check.
        
        Not a measurable speedup, but code inspection shows better code generated,
        and I believe this is a step toward turning off -fomit-frame-pointer.

        * API/JSCallbackConstructor.h:
        (JSC::JSCallbackConstructor::create):
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::create): Use the NotNull version of placement
        new to skip the NULL check.

        * API/JSCallbackObject.h: Removed a conflicting, unnecessaray placement new.

        (JSC::JSCallbackObject::create):
        * debugger/DebuggerActivation.h:
        (JSC::DebuggerActivation::create):
        * heap/HandleHeap.cpp:
        (JSC::HandleHeap::grow):
        * heap/HandleHeap.h:
        (JSC::HandleHeap::allocate):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::create):
        (JSC::MarkedBlock::recycle):
        * jit/JITCode.h:
        (JSC::JITCode::clear):
        * jsc.cpp:
        (GlobalObject::create):
        * profiler/CallIdentifier.h:
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::create):
        * runtime/ArrayPrototype.h:
        (JSC::ArrayPrototype::create):
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::create):
        * runtime/BooleanObject.h:
        (JSC::BooleanObject::create):
        * runtime/BooleanPrototype.h:
        (JSC::BooleanPrototype::create):
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::create):
        * runtime/DateInstance.h:
        (JSC::DateInstance::create):
        * runtime/DatePrototype.h:
        (JSC::DatePrototype::create):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::create):
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::create):
        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::create):
        * runtime/ErrorPrototype.h:
        (JSC::ErrorPrototype::create):
        * runtime/ExceptionHelpers.h:
        (JSC::InterruptedExecutionError::create):
        (JSC::TerminatedExecutionError::create):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::EvalExecutable::create):
        (JSC::ProgramExecutable::create):
        (JSC::FunctionExecutable::create):
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::create):
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::create):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::create):
        * runtime/JSAPIValueWrapper.h:
        (JSC::JSAPIValueWrapper::create):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        * runtime/JSBoundFunction.cpp:
        (JSC::JSBoundFunction::create):
        * runtime/JSByteArray.h:
        (JSC::JSByteArray::create): Use the NotNull version of placement
        new to skip the NULL check.

        * runtime/JSCell.h: Removed a conflicting, unnecessaray placement new.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create):
        * runtime/JSFunction.h:
        (JSC::JSFunction::create):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::create):
        * runtime/JSGlobalThis.h:
        (JSC::JSGlobalThis::create):
        * runtime/JSNotAnObject.h:
        (JSC::JSNotAnObject::create):
        * runtime/JSONObject.h:
        (JSC::JSONObject::create):
        * runtime/JSObject.h:
        (JSC::JSFinalObject::create):
        * runtime/JSPropertyNameIterator.cpp:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSPropertyNameIterator.h:
        (JSC::JSPropertyNameIterator::create):
        * runtime/JSStaticScopeObject.h:
        (JSC::JSStaticScopeObject::create):
        * runtime/JSString.cpp:
        (JSC::StringObject::create):
        * runtime/JSString.h:
        (JSC::RopeBuilder::createNull):
        (JSC::RopeBuilder::create):
        (JSC::RopeBuilder::createHasOtherOwner):
        * runtime/MathObject.h:
        (JSC::MathObject::create):
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::create):
        * runtime/NativeErrorPrototype.h:
        (JSC::NativeErrorPrototype::create):
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::create):
        * runtime/NumberObject.h:
        (JSC::NumberObject::create):
        * runtime/NumberPrototype.h:
        (JSC::NumberPrototype::create):
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::create):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        * runtime/RegExp.cpp:
        (JSC::RegExp::createWithoutCaching):
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::create):
        * runtime/RegExpMatchesArray.h:
        (JSC::RegExpMatchesArray::create):
        * runtime/RegExpObject.h:
        (JSC::RegExpObject::create):
        * runtime/RegExpPrototype.h:
        (JSC::RegExpPrototype::create):
        * runtime/ScopeChain.h:
        (JSC::ScopeChainNode::create):
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::create):
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::create):
        * runtime/StringObject.h:
        (JSC::StringObject::create):
        * runtime/StringPrototype.h:
        (JSC::StringPrototype::create):
        * runtime/Structure.h:
        (JSC::Structure::create):
        (JSC::Structure::createStructure):
        * runtime/StructureChain.h:
        (JSC::StructureChain::create):
        * testRegExp.cpp:
        (GlobalObject::create):
        * wtf/BitVector.cpp:
        (WTF::BitVector::OutOfLineBits::create): Use the NotNull version of placement
        new to skip the NULL check.

        * wtf/BumpPointerAllocator.h:
        (WTF::BumpPointerPool::create): Standardized spacing to make grep easier.

        * wtf/ByteArray.cpp:
        (WTF::ByteArray::create):
        * wtf/Deque.h:
        (WTF::::append):
        (WTF::::prepend): Use NotNull, as above.

        * wtf/FastAllocBase.h: Added a placement new, since this class would otherwise
        hide the name of the global placement new.

        (WTF::fastNew): Standardized spacing. Most of these functions don't need
        NotNull, since they check for NULL, and the optimizer can see that.

        * wtf/HashTable.h:
        * wtf/HashTraits.h:
        (WTF::SimpleClassHashTraits::constructDeletedValue):
        * wtf/MetaAllocator.cpp:
        (WTF::MetaAllocator::allocFreeSpaceNode): NotNull, as above.

        * wtf/StdLibExtras.h:
        (throw): This is our NotNull placement new. Declaring that we throw is
        the C++ way to say that operator new will not return NULL.

        * wtf/ThreadSpecific.h:
        (WTF::T):
        * wtf/Vector.h:
        (WTF::::append):
        (WTF::::tryAppend):
        (WTF::::uncheckedAppend):
        (WTF::::insert):
        * wtf/text/AtomicStringHash.h:
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::createUninitialized):
        (WTF::StringImpl::reallocate):
        * wtf/text/StringImpl.h:
        (WTF::StringImpl::tryCreateUninitialized):
        * wtf/text/StringStatics.cpp:
        (WTF::AtomicString::init): Use NotNull, as above.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::allocDisjunctionContext):
        (JSC::Yarr::Interpreter::ParenthesesDisjunctionContext::ParenthesesDisjunctionContext):
        (JSC::Yarr::Interpreter::allocParenthesesDisjunctionContext): Standardized
        spacing for easy grep.

2011-12-19  Eric Carlson  <eric.carlson@apple.com>

        Enable <track> for Mac build
        https://bugs.webkit.org/show_bug.cgi?id=74838

        Reviewed by Darin Adler.

        * wtf/Platform.h:

2011-12-18  Filip Pizlo  <fpizlo@apple.com>

        DFG is too sloppy with register allocation
        https://bugs.webkit.org/show_bug.cgi?id=74835

        Reviewed by Gavin Barraclough.
        
        Added assertions that at the end of a successfully generated basic block,
        all use counts should be zero. This revealed a number of bugs:
        
        - Array length optimizations were turning a must-generate node into one
          that is not must-generate, but failing to change the ref count
          accordingly.
          
        - Indexed property storage optimizations were failing to deref their
          children, or to deref the indexed property storage node itself. Also,
          they used the Phantom node as a replacement. But the Phantom node is
          must-generate, which was causing bizarre issues. So this introduces a
          Nop node, which should be used in cases where you want a node that is
          skipped and has no children.
          
        This does not have any significant performance effect, but it should
        relieve some register pressure. The main thing this patch adds, though,
        are the assertions, which should make it easier to do register allocation
        related changes in the future.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGGenerationInfo.h:
        (JSC::DFG::GenerationInfo::initConstant):
        (JSC::DFG::GenerationInfo::initInteger):
        (JSC::DFG::GenerationInfo::initJSValue):
        (JSC::DFG::GenerationInfo::initCell):
        (JSC::DFG::GenerationInfo::initBoolean):
        (JSC::DFG::GenerationInfo::initDouble):
        (JSC::DFG::GenerationInfo::initStorage):
        (JSC::DFG::GenerationInfo::use):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::clearAndDerefChild1):
        (JSC::DFG::Graph::clearAndDerefChild2):
        (JSC::DFG::Graph::clearAndDerefChild3):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::deref):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-18  Benjamin Poulain  <bpoulain@apple.com>

        Remove the duplicated code from ASCIICType.h
        https://bugs.webkit.org/show_bug.cgi?id=74771

        Reviewed by Andreas Kling.

        Use isASCIIDigit() and isASCIIAlpha() instead of copying the code.

        * wtf/ASCIICType.h:
        (WTF::isASCIIDigit):
        (WTF::isASCIIAlphanumeric):
        (WTF::isASCIIHexDigit):

2011-12-18  Anders Carlsson  <andersca@apple.com>

        Set the main frame view scroll position asynchronously
        https://bugs.webkit.org/show_bug.cgi?id=74823

        Reviewed by Sam Weinig.

        * JavaScriptCore.exp:

2011-12-10  Andreas Kling  <kling@webkit.org>

        OpaqueJSClass: Remove RVCT2 workarounds.
        <http://webkit.org/b/74250>

        Reviewed by Benjamin Poulain.

        We no longer need workarounds for the RVCT2 compiler since it was
        only used for the Symbian port of WebKit which is now defunct.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):

2011-12-16  Benjamin Poulain  <bpoulain@apple.com>

        Remove the duplicated code from ASCIICType.h
        https://bugs.webkit.org/show_bug.cgi?id=74771

        Reviewed by Andreas Kling.

        The functions were sharing similar code and were defined for the various input types.
        Use templates instead to avoid code duplication.

        * wtf/ASCIICType.h:
        (WTF::isASCII):
        (WTF::isASCIIAlpha):
        (WTF::isASCIIAlphanumeric):
        (WTF::isASCIIDigit):
        (WTF::isASCIIHexDigit):
        (WTF::isASCIILower):
        (WTF::isASCIIOctalDigit):
        (WTF::isASCIIPrintable):
        (WTF::isASCIISpace):
        (WTF::isASCIIUpper):
        (WTF::toASCIILower):
        (WTF::toASCIIUpper):
        (WTF::toASCIIHexValue):
        (WTF::lowerNibbleToASCIIHexDigit):
        (WTF::upperNibbleToASCIIHexDigit):

2011-12-16  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit may get confused about where in the scratch buffer it stored a value
        https://bugs.webkit.org/show_bug.cgi?id=74695

        Reviewed by Oliver Hunt.
        
        The code that reads from the scratch buffer now explicitly knows which locations to
        read from. No new tests, since this patch covers a case so uncommon that I don't know
        how to make a test for it.

        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::badIndex):
        (JSC::DFG::OSRExitCompiler::initializePoisoned):
        (JSC::DFG::OSRExitCompiler::poisonIndex):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):

2011-12-16  Oliver Hunt  <oliver@apple.com>

        PutByVal[Alias] unnecessarily reloads the storage buffer
        https://bugs.webkit.org/show_bug.cgi?id=74747

        Reviewed by Gavin Barraclough.

        Make PutByVal use GetIndexedStorage to load the storage buffer.
        This required switching PutByVal to a vararg node (which is
        responsible for most of the noise in this patch).  This fixes the
        remaining portion of the kraken regression caused by the GetByVal
        storage load elimination, and a 1-5% win on some of the sub tests of
        the typed array benchmark at:
        http://stepheneb.github.com/webgl-matrix-benchmarks/matrix_benchmark.html

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateArithNodeFlags):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::byValIndexIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-16  Daniel Bates  <dbates@rim.com>

        Include BlackBerryPlatformLog.h instead of BlackBerryPlatformMisc.h

        Rubber-stamped by Antonio Gomes.

        BlackBerry::Platform::logV() is declared in BlackBerryPlatformLog.h. That is, it isn't
        declared in BlackBerryPlatformMisc.h. Hence, we should include BlackBerryPlatformLog.h
        instead of BlackBerryPlatformMisc.h.

        * wtf/Assertions.cpp:

2011-12-16  Mark Hahnenberg  <mhahnenberg@apple.com>

        De-virtualize destructors
        https://bugs.webkit.org/show_bug.cgi?id=74331

        Reviewed by Geoffrey Garen.

        This is a megapatch which frees us from the chains of virtual destructors.

        In order to remove the virtual destructors, which are the last of the virtual 
        functions, from the JSCell hierarchy, we need to add the ClassInfo pointer to 
        the cell rather than to the structure because in order to be able to lazily call 
        the static destroy() functions that will replace the virtual destructors, we 
        need to be able to access the ClassInfo without the danger of the object's 
        Structure being collected before the object itself.

        After adding the ClassInfo to the cell, we can then begin to remove our use 
        of vptrs for optimizations within the JIT and the GC.  When we have removed 
        all of the stored vptrs from JSGlobalData, we can then also remove all of 
        the related VPtrStealingHack code.

        The replacement for virtual destructors will be to add a static destroy function 
        pointer to the MethodTable stored in ClassInfo.  Any subclass of JSCell that has 
        a non-trivial destructor will require its own static destroy function to static 
        call its corresponding destructor, which will now be non-virtual.  In future 
        patches we will slowly move away from destructors altogether as we make more and 
        more objects backed by GC memory rather than malloc-ed memory.  The GC will now 
        call the static destroy method rather than the virtual destructor.

        As we go through the hierarchy and add static destroy functions to classes, 
        we will also add a new assert, ASSERT_HAS_TRIVIAL_DESTRUCTOR, to those classes 
        to which it applies.  The future goal is to eventually have every class have that assert.

        * API/JSCallbackConstructor.cpp:
        (JSC::JSCallbackConstructor::destroy): Add a destroy function to statically call 
        ~JSCallbackConstructor because it has some extra destruction logic.
        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.cpp: Add trivial destructor assert for JSCallbackFunction.
        * API/JSCallbackObject.cpp: Add a destroy function to statically call ~JSCallbackObject 
        because it has a member OwnPtr that needs destruction.
        (JSC::::destroy):
        * API/JSCallbackObject.h:
        * JavaScriptCore.exp: Add/remove necessary symbols for JSC.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Same for Windows symbols.
        * debugger/DebuggerActivation.cpp: DebuggerActivation, for some strange reason, didn't 
        have its own ClassInfo despite the fact that it overrides a number of MethodTable 
        methods.  Added the ClassInfo, along with an assertion that its destructor is trivial.
        * debugger/DebuggerActivation.h:
        * dfg/DFGOperations.cpp: Remove global data first argument to isJSArray, isJSByteArray, 
        isJSString, as it is no longer necessary.
        (JSC::DFG::putByVal):
        * dfg/DFGRepatch.cpp:  Ditto.  Also remove uses of jsArrayVPtr in favor of using the 
        JSArray ClassInfo pointer.
        (JSC::DFG::tryCacheGetByID):
        * dfg/DFGSpeculativeJIT.cpp:  Replace uses of the old vptrs with new ClassInfo 
        comparisons since we don't have vptrs anymore.
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h: Ditto.
        (JSC::DFG::SpeculativeJIT::emitAllocateJSFinalObject):
        * dfg/DFGSpeculativeJIT32_64.cpp: Ditto.
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp: Ditto.
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * heap/Heap.cpp: Remove all uses of vptrs in GC optimizations and replace them with 
        ClassInfo comparisons.
        (JSC::Heap::Heap):
        * heap/MarkStack.cpp: Ditto.
        (JSC::MarkStackThreadSharedData::markingThreadMain):
        (JSC::visitChildren):
        (JSC::SlotVisitor::drain):
        * heap/MarkStack.h: Ditto.
        (JSC::MarkStack::MarkStack):
        * heap/MarkedBlock.cpp: Ditto.
        (JSC::MarkedBlock::callDestructor):
        (JSC::MarkedBlock::specializedSweep):
        * heap/MarkedBlock.h: Ditto.
        * heap/SlotVisitor.h: Ditto.
        (JSC::SlotVisitor::SlotVisitor):
        * heap/VTableSpectrum.cpp: Now that we don't have vptrs, we can't count them.  
        We'll have to rename this class and make it use ClassInfo ptrs in a future patch.
        (JSC::VTableSpectrum::count):
        * interpreter/Interpreter.cpp: Remove all global data arguments from isJSArray, 
        etc. functions.
        (JSC::loadVarargs):
        (JSC::Interpreter::tryCacheGetByID):
        (JSC::Interpreter::privateExecute):
        * jit/JIT.h: Remove vptr argument from emitAllocateBasicJSObject 
        * jit/JITInlineMethods.h: Remove vptr planting, and add ClassInfo planting, 
        remove all vtable related code.
        (JSC::JIT::emitLoadCharacterString):
        (JSC::JIT::emitAllocateBasicJSObject):
        (JSC::JIT::emitAllocateJSFinalObject):
        (JSC::JIT::emitAllocateJSFunction):
        * jit/JITOpcodes.cpp: Replace vptr related branch code with corresponding ClassInfo.
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_convert_this):
        * jit/JITOpcodes32_64.cpp: Ditto.
        (JSC::JIT::privateCompileCTIMachineTrampolines):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::compileOpStrictEq):
        (JSC::JIT::emit_op_convert_this):
        * jit/JITPropertyAccess.cpp: Ditto.
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::privateCompilePutByIdTransition):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * jit/JITPropertyAccess32_64.cpp: Ditto.
        (JSC::JIT::stringGetByValStubGenerator):
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emitSlow_op_get_by_val):
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::privateCompilePatchGetArrayLength):
        * jit/JITStubs.cpp: Remove global data argument from isJSString, etc.
        (JSC::JITThunks::tryCacheGetByID):
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/SpecializedThunkJIT.h: Replace vptr related stuff with ClassInfo stuff.
        (JSC::SpecializedThunkJIT::loadJSStringArgument):
        * runtime/ArrayConstructor.cpp: Add trivial destructor assert.
        * runtime/ArrayPrototype.cpp: Remove global data argument from isJSArray.
        (JSC::arrayProtoFuncToString):
        (JSC::arrayProtoFuncJoin):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncFilter):
        (JSC::arrayProtoFuncMap):
        (JSC::arrayProtoFuncEvery):
        (JSC::arrayProtoFuncForEach):
        (JSC::arrayProtoFuncSome):
        (JSC::arrayProtoFuncReduce):
        (JSC::arrayProtoFuncReduceRight):
        * runtime/BooleanConstructor.cpp: Add trivial destructor assert.
        * runtime/BooleanObject.cpp: Ditto.
        * runtime/BooleanPrototype.cpp: Ditto.
        * runtime/ClassInfo.h: Add destroy function pointer to MethodTable.
        * runtime/DateConstructor.cpp: Add trivial destructor assert.
        * runtime/DateInstance.cpp: Add destroy function for DateInstance because it has a RefPtr 
        that needs destruction.
        (JSC::DateInstance::destroy):
        * runtime/DateInstance.h:
        * runtime/Error.cpp: Ditto (because of UString member).
        (JSC::StrictModeTypeErrorFunction::destroy):
        * runtime/Error.h:
        * runtime/ErrorConstructor.cpp: Add trivial destructor assert.
        * runtime/ErrorInstance.cpp: Ditto.
        * runtime/ExceptionHelpers.cpp: Ditto.
        * runtime/Executable.cpp: Add destroy functions for ExecutableBase and subclasses.
        (JSC::ExecutableBase::destroy):
        (JSC::NativeExecutable::destroy):
        (JSC::ScriptExecutable::destroy):
        (JSC::EvalExecutable::destroy):
        (JSC::ProgramExecutable::destroy):
        (JSC::FunctionExecutable::destroy):
        * runtime/Executable.h:
        * runtime/FunctionConstructor.cpp: Add trivial destructor assert.
        * runtime/FunctionPrototype.cpp: Ditto. Also remove global data first arg from isJSArray.
        (JSC::functionProtoFuncApply):
        * runtime/GetterSetter.cpp: Ditto.
        * runtime/InitializeThreading.cpp: Remove call to JSGlobalData::storeVPtrs since it no 
        longer exists.
        (JSC::initializeThreadingOnce):
        * runtime/InternalFunction.cpp: Remove vtableAnchor function, add trivial destructor assert, 
        remove first arg from isJSString.
        (JSC::InternalFunction::displayName):
        * runtime/InternalFunction.h: Remove VPtrStealingHack.
        * runtime/JSAPIValueWrapper.cpp: Add trivial destructor assert.
        * runtime/JSArray.cpp: Add static destroy to call ~JSArray.  Replace vptr checks in 
        destructor with ClassInfo checks.
        (JSC::JSArray::~JSArray):
        (JSC::JSArray::destroy):
        * runtime/JSArray.h: Remove VPtrStealingHack.  Remove globalData argument from isJSArray 
        and change them to check the ClassInfo rather than the vptrs.
        (JSC::isJSArray):
        * runtime/JSBoundFunction.cpp: Add trival destructor assert. Remove first arg from isJSArray.
        (JSC::boundFunctionCall):
        (JSC::boundFunctionConstruct):
        * runtime/JSByteArray.cpp: Add static destroy function, replace vptr checks with ClassInfo checks.
        (JSC::JSByteArray::~JSByteArray):
        (JSC::JSByteArray::destroy):
        * runtime/JSByteArray.h: Remove VPtrStealingHack code.
        (JSC::isJSByteArray):
        * runtime/JSCell.cpp: Add trivial destructor assert.  Add static destroy function.
        (JSC::JSCell::destroy):
        * runtime/JSCell.h: Remove VPtrStealingHack code.  Add function for returning the offset 
        of the ClassInfo pointer in the object for use by the JIT.  Add the ClassInfo pointer to 
        the JSCell itself, and grab it from the Structure.  Remove the vptr and setVPtr functions, 
        as they are no longer used.  Add a validatedClassInfo function to JSCell for any clients 
        that want to verify, while in Debug mode, that the ClassInfo contained in the cell is the 
        same one as that contained in the Structure.  This isn't used too often, because most of 
        the places where we compare the ClassInfo to things can be called during destruction.  
        Since the Structure is unreliable during the phase when destructors are being called, 
        we can't call validatedClassInfo.
        (JSC::JSCell::classInfoOffset):
        (JSC::JSCell::structure):
        (JSC::JSCell::classInfo):
        * runtime/JSFunction.cpp: Remove VPtrStealingHack code.  Add static destroy, remove vtableAnchor, 
        remove first arg from call to isJSString.
        (JSC::JSFunction::destroy):
        (JSC::JSFunction::displayName):
        * runtime/JSFunction.h: 
        * runtime/JSGlobalData.cpp: Remove all VPtr stealing code and storage, including storeVPtrs, 
        as these vptrs are no longer needed in the codebase.
        * runtime/JSGlobalData.h:
        (JSC::TypedArrayDescriptor::TypedArrayDescriptor): Changed the TypedArrayDescriptor to use 
        ClassInfo rather than the vptr.
        * runtime/JSGlobalObject.cpp: Add static destroy function.
        (JSC::JSGlobalObject::destroy):
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalThis.cpp: Add trivial destructor assert.
        * runtime/JSNotAnObject.cpp: Ditto.
        * runtime/JSONObject.cpp: Ditto. Remove first arg from isJSArray calls.
        (JSC::Stringifier::Holder::appendNextProperty):
        (JSC::Walker::walk):
        * runtime/JSObject.cpp: 
        (JSC::JSFinalObject::destroy):
        (JSC::JSNonFinalObject::destroy):
        (JSC::JSObject::destroy):
        * runtime/JSObject.h: Add trivial destructor assert for JSObject, remove vtableAnchor 
        from JSNonFinalObject and JSFinalObject, add static destroy for JSFinalObject and 
        JSNonFinalObject, add isJSFinalObject utility function similar to isJSArray, remove all VPtrStealingHack code.
        (JSC::JSObject::finishCreation):
        (JSC::JSNonFinalObject::finishCreation):
        (JSC::JSFinalObject::finishCreation):
        (JSC::isJSFinalObject):
        * runtime/JSPropertyNameIterator.cpp: Add static destroy.
        (JSC::JSPropertyNameIterator::destroy):
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSStaticScopeObject.cpp: Ditto.
        (JSC::JSStaticScopeObject::destroy):
        * runtime/JSStaticScopeObject.h: Ditto. 
        * runtime/JSString.cpp:
        (JSC::JSString::destroy):
        * runtime/JSString.h: Ditto. Remove VPtrStealingHack code. Also remove fixupVPtr code, 
        since we no longer need to fixup vptrs.
        (JSC::jsSingleCharacterString):
        (JSC::jsSingleCharacterSubstring):
        (JSC::jsNontrivialString):
        (JSC::jsString):
        (JSC::jsSubstring8):
        (JSC::jsSubstring):
        (JSC::jsOwnedString):
        (JSC::jsStringBuilder):
        (JSC::isJSString):
        * runtime/JSVariableObject.cpp: 
        (JSC::JSVariableObject::destroy):
        * runtime/JSVariableObject.h: Ditto.
        * runtime/JSWrapperObject.cpp:
        * runtime/JSWrapperObject.h: Add trivial destructor assert.
        * runtime/MathObject.cpp: Ditto.
        * runtime/NativeErrorConstructor.cpp: Ditto.
        * runtime/NumberConstructor.cpp: Ditto.
        * runtime/NumberObject.cpp: Ditto.
        * runtime/NumberPrototype.cpp: Ditto.
        * runtime/ObjectConstructor.cpp: Ditto.
        * runtime/ObjectPrototype.cpp: Ditto.
        * runtime/Operations.h: Remove calls to fixupVPtr, remove first arg to isJSString.
        (JSC::jsString):
        (JSC::jsLess):
        (JSC::jsLessEq):
        * runtime/RegExp.cpp: Add static destroy.
        (JSC::RegExp::destroy):
        * runtime/RegExp.h:
        * runtime/RegExpConstructor.cpp: Add static destroy for RegExpConstructor and RegExpMatchesArray.
        (JSC::RegExpConstructor::destroy):
        (JSC::RegExpMatchesArray::destroy):
        * runtime/RegExpConstructor.h:
        * runtime/RegExpMatchesArray.h:
        * runtime/RegExpObject.cpp: Add static destroy.
        (JSC::RegExpObject::destroy):
        * runtime/RegExpObject.h:
        * runtime/ScopeChain.cpp: Add trivial destructor assert.
        * runtime/ScopeChain.h:
        * runtime/StrictEvalActivation.cpp: Ditto.
        * runtime/StringConstructor.cpp:
        * runtime/StringObject.cpp: Ditto. Remove vtableAnchor.
        * runtime/StringObject.h:
        * runtime/StringPrototype.cpp: Ditto.
        * runtime/Structure.cpp: Add static destroy.
        (JSC::Structure::destroy):
        * runtime/Structure.h: Move JSCell::finishCreation and JSCell constructor into Structure.h 
        because they need to have the full Structure type to access the ClassInfo to store in the JSCell.
        (JSC::JSCell::setStructure):
        (JSC::JSCell::validatedClassInfo):
        (JSC::JSCell::JSCell):
        (JSC::JSCell::finishCreation):
        * runtime/StructureChain.cpp: Add static destroy.
        (JSC::StructureChain::destroy):
        * runtime/StructureChain.h:
        * wtf/Assertions.h: Add new assertion ASSERT_HAS_TRIVIAL_DESTRUCTOR, which uses clangs 
        ability to tell us when a class has a trivial destructor. We will use this assert 
        more in future patches as we move toward having all JSC objects backed by GC memory, 
        which means moving away from using destructors/finalizers.

2011-12-15  Martin Robinson  <mrobinson@igalia.com>

        Fix 'make dist' in preparation for the GTK+ release.

        * GNUmakefile.list.am: Add missing header.

2011-12-15  Sam Weinig  <sam@webkit.org>

        <rdar://problem/10552550> JavaScriptCore uses obsolete 'cpy' mnemonic in ARM assembly

        Reviewed by Gavin Barraclough.

        Original patch by Jim Grosbach.

        * jit/JITStubs.cpp:
        (JSC::ctiTrampoline):
        (JSC::ctiVMThrowTrampoline):
        Replace uses of the 'cpy' mnemonic with 'mov'.

2011-12-15  Filip Pizlo  <fpizlo@apple.com>

        Value profiling should distinguished between NaN and non-NaN doubles
        https://bugs.webkit.org/show_bug.cgi?id=74682

        Reviewed by Gavin Barraclough.
        
        Added PredictDoubleReal and PredictDoubleNaN. PredictDouble is now the union
        of the two.

        * bytecode/PredictedType.cpp:
        (JSC::predictionToString):
        (JSC::predictionFromValue):
        * bytecode/PredictedType.h:
        (JSC::isDoubleRealPrediction):
        (JSC::isDoublePrediction):

2011-12-15  Anders Carlsson  <andersca@apple.com>

        Regression (r102866): Navigating away from or closing a page with a plugin crashes
        https://bugs.webkit.org/show_bug.cgi?id=74655
        <rdar://problem/10590024>

        Reviewed by Sam Weinig.

        Rewrite HasRefAndDeref to work if ref and deref are implemented in base classes,
        using a modified version of the technique described here:
        http://groups.google.com/group/comp.lang.c++.moderated/msg/e5fbc9305539f699
        
        * wtf/Functional.h:

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Warnings fixes in Interpreter.cpp and PrivateExecute.cpp
        https://bugs.webkit.org/show_bug.cgi?id=74624

        Reviewed by Darin Adler.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute): Fix variables unused in
        release mode.
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ParallelEnvironment): Fix
        signed/unsigned comparison warning, with a cast.

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Use more macrology in JSC::Options
        https://bugs.webkit.org/show_bug.cgi?id=72938

        Reviewed by Filip Pizlo.

        * runtime/Options.cpp:
        (JSC::Options::initializeOptions):
        * runtime/Options.h: Use macros to ensure that all heuristics are
        declared and have initializers.

2011-12-15  Anders Carlsson  <andersca@apple.com>

        Add ScrollingCoordinator class and ENABLE_THREADED_SCROLLING define
        https://bugs.webkit.org/show_bug.cgi?id=74639

        Reviewed by Andreas Kling.

        Add ENABLE_THREADED_SCROLLING #define.

        * wtf/Platform.h:

2011-12-15  Anders Carlsson  <andersca@apple.com>

        EventDispatcher should handle wheel events on the connection queue
        https://bugs.webkit.org/show_bug.cgi?id=74627

        Reviewed by Andreas Kling.

        Add a BoundFunctionImpl specialization that takes three parameters.

        * wtf/Functional.h:
        (WTF::C::):
        (WTF::R):
        (WTF::bind):

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Add WTF::Function to wtf/Forward.h
        https://bugs.webkit.org/show_bug.cgi?id=74576

        Reviewed by Adam Roben.

        * jsc.cpp:
        Work around a name conflict in the readline library.

        * wtf/Forward.h:
        Add Function.

2011-12-15  Igor Oliveira  <igor.oliveira@openbossa.org>

        [Qt] Support requestAnimationFrame API
        https://bugs.webkit.org/show_bug.cgi?id=74528

        Let Qt port use REQUEST_ANIMATION_FRAME_TIMER.

        Reviewed by Kenneth Rohde Christiansen.

        * wtf/Platform.h:

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Minor refactor to Parser::parseTryStatement
        https://bugs.webkit.org/show_bug.cgi?id=74507

        Reviewed by Geoffrey Garen.

        * parser/Parser.cpp (JSC::Parser::parseTryStatement): Use the
        Parser's declareVariable instead of going directly to the scope.
        This will facilitate future checks related to harmony block
        scoping.

2011-12-15  Andy Wingo  <wingo@igalia.com>

        Rename JSC::Heuristics to JSC::Options
        https://bugs.webkit.org/show_bug.cgi?id=72889

        Reviewed by Filip Pizlo.

        * runtime/Options.cpp: Renamed from Source/JavaScriptCore/runtime/Heuristics.cpp.
        * runtime/Options.h: Renamed from Source/JavaScriptCore/runtime/Heuristics.h.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::shouldOptimizeNow):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::reoptimizationRetryCounter):
        (JSC::CodeBlock::countReoptimization):
        (JSC::CodeBlock::counterValueForOptimizeAfterWarmUp):
        (JSC::CodeBlock::counterValueForOptimizeAfterLongWarmUp):
        (JSC::CodeBlock::optimizeNextInvocation):
        (JSC::CodeBlock::dontOptimizeAnytimeSoon):
        (JSC::CodeBlock::optimizeSoon):
        (JSC::CodeBlock::largeFailCountThreshold):
        (JSC::CodeBlock::largeFailCountThresholdForLoop):
        (JSC::CodeBlock::shouldReoptimizeNow):
        (JSC::CodeBlock::shouldReoptimizeFromLoopNow):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::mightCompileEval):
        (JSC::DFG::mightCompileProgram):
        (JSC::DFG::mightCompileFunctionForCall):
        (JSC::DFG::mightCompileFunctionForConstruct):
        (JSC::DFG::mightInlineFunctionForCall):
        (JSC::DFG::mightInlineFunctionForConstruct):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        * heap/MarkStack.cpp:
        (JSC::MarkStackSegmentAllocator::allocate):
        (JSC::MarkStackSegmentAllocator::shrinkReserve):
        (JSC::MarkStackArray::MarkStackArray):
        (JSC::MarkStackArray::donateSomeCellsTo):
        (JSC::MarkStackArray::stealSomeCellsFrom):
        (JSC::MarkStackThreadSharedData::MarkStackThreadSharedData):
        (JSC::SlotVisitor::donateSlow):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::drainFromShared):
        * heap/MarkStack.h:
        (JSC::MarkStack::mergeOpaqueRootsIfProfitable):
        (JSC::MarkStack::addOpaqueRoot):
        (JSC::MarkStackArray::canDonateSomeCells):
        * heap/SlotVisitor.h:
        (JSC::SlotVisitor::donate):
        * jit/JIT.cpp:
        (JSC::JIT::emitOptimizationCheck):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreadingOnce): Adapt callers and build systems.

        * testRegExp.cpp:
        (CommandLine::CommandLine):
        * jsc.cpp:
        (CommandLine::CommandLine):
        Rename from Options, to avoid name conflict.

2011-12-14  Sam Weinig  <sam@webkit.org>

        Revert unintentional change to JavaScriptCore.def

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:

2011-12-14  Sam Weinig  <weinig@apple.com>

        Remove whitespace from InheritedPropertySheets attributes in
        vsprops files to appease the Visual Studio project migrator.

        Reviewed by Adam Roben.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebug.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugAll.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreProduction.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreRelease.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFDebug.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFDebugAll.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFProduction.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFRelease.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/WTF/WTFReleasePGO.vsprops:
        * JavaScriptCore.vcproj/jsc/jscDebug.vsprops:
        * JavaScriptCore.vcproj/jsc/jscDebugAll.vsprops:
        * JavaScriptCore.vcproj/jsc/jscDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/jsc/jscProduction.vsprops:
        * JavaScriptCore.vcproj/jsc/jscRelease.vsprops:
        * JavaScriptCore.vcproj/jsc/jscReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiDebug.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiDebugAll.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiDebugCairoCFLite.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiProduction.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiRelease.vsprops:
        * JavaScriptCore.vcproj/testapi/testapiReleaseCairoCFLite.vsprops:

2011-12-14  Anders Carlsson  <andersca@apple.com>

        binding a member function should ref/deref the object pointer if needed
        https://bugs.webkit.org/show_bug.cgi?id=74552

        Reviewed by Sam Weinig.

        Add a HasRefAndDeref helper class template which checks if a given class type has ref and deref
        member functions which the right type. Use this to determine if we should ref/deref the first parameter.

        * wtf/Functional.h:
        (WTF::R):
        (WTF::C::):
        (WTF::RefAndDeref::ref):
        (WTF::RefAndDeref::deref):

2011-12-14  Hajime Morrita  <morrita@chromium.org>

        JS_INLINE and WTF_INLINE should be visible from WebCore
        https://bugs.webkit.org/show_bug.cgi?id=73191

        - Moved Export related macro definitions from config.h to ExportMacros.h and JSExportMacros.h.
        - Moved WTF_USE_JSC and WTF_USE_V8 from various config.h family to Platform.h.
        - Replaced JS_EXPORTDATA in wtf moudule with newly introduced WTF_EXPORTDATA.

        Reviewed by Kevin Ollivier.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * config.h:
        * runtime/JSExportMacros.h: Added.
        * wtf/ExportMacros.h:
        * wtf/Platform.h:
        * wtf/WTFThreadData.h:
        * wtf/text/AtomicString.h:
        * wtf/text/StringStatics.cpp:

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Work around a bug in the MSVC2005 compiler
        https://bugs.webkit.org/show_bug.cgi?id=74550

        Reviewed by Sam Weinig.

        Add template parameters for the return types of the partial specializations of BoundFunctionImpl.

        * wtf/Functional.h:
        (WTF::R):

2011-12-13  Jon Lee  <jonlee@apple.com>

        Enable notifications on Mac.

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2011-12-14  David Kilzer  <ddkilzer@apple.com>

        Remove definition of old ENABLE(YARR) macro
        <http://webkit.org/b/74532>

        Reviewed by Darin Adler.

        * wtf/Platform.h: Removed ENABLE_YARR macros.

2011-12-14  Anders Carlsson  <andersca@apple.com>

        bind should handle member functions
        https://bugs.webkit.org/show_bug.cgi?id=74529

        Reviewed by Sam Weinig.

        Add FunctionWrapper partial specializations for member function pointers.

        * wtf/Functional.h:
        (WTF::C::):

2011-12-14  Gavin Barraclough  <barraclough@apple.com>

        DFG relies on returning a struct in registers
        https://bugs.webkit.org/show_bug.cgi?id=74527

        Reviewed by Geoff Garen.

        This will not work on all platforms. Returning a uint64_t will more reliably achieve
        what we want, on 32-bit platforms (on 64-bit, stick with the struct return).

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        (JSC::DFG::DFGHandler::dfgHandlerEncoded):

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Add unary and binary bind overloads
        https://bugs.webkit.org/show_bug.cgi?id=74524

        Reviewed by Sam Weinig.

        * wtf/Functional.h:
        (WTF::R):
        (WTF::FunctionWrapper::ResultType):
        (WTF::bind):

2011-12-14  Anders Carlsson  <andersca@apple.com>

        Add back the callOnMainThread overload that takes a WTF::Function
        https://bugs.webkit.org/show_bug.cgi?id=74512

        Reviewed by Darin Adler.

        Add back the overload; the changes to WebCore should hopefully keep Windows building.

        * wtf/MainThread.cpp:
        (WTF::callFunctionObject):
        (WTF::callOnMainThread):
        * wtf/MainThread.h:

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should infer when local variables are doubles
        https://bugs.webkit.org/show_bug.cgi?id=74480

        Reviewed by Oliver Hunt.
        
        Introduced the notion that a local variable (though not an argument, yet!) can
        be stored as a double, and will be guaranteed to always contain a double. This
        requires more magic in the OSR (conversion in both entry and exit). The inference
        is quite unorthodox: all uses of a variable vote on whether they think it should
        be a double or a JSValue, based on how they use it. If they use it in an integer
        or boxed value context, they vote JSValue. If they use it in a double context,
        they vote double. This voting is interleaved in the propagator's fixpoint, so
        that variables voted double then have a double prediction propagated from them.
        This interleaving is needed because a variable that actually always contains an
        integer that always gets used in arithmetic that involves doubles may end up
        being voted double, which then means that all uses of the variable will see a
        double rather than an integer.
        
        This is worth 18% to SunSpider/3d-cube, 7% to Kraken/audio-beat-detection, 7%
        to Kraken/audio-fft, 6% to Kraken/imaging-darkroom, 20% to
        Kraken/imaging-gaussian-blur, and just over 1% to Kraken/json-parse-financial.
        It results in a 1% speed-up on SunSpider and a 4% speed-up in Kraken.  Similar
        results on JSVALUE32_64, though with a bigger win on Kraken (5%) and no overall
        win on SunSpider.

        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::alreadyInRegisterFileAsUnboxedDouble):
        (JSC::ValueRecovery::dump):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::boxDouble):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::noticeOSREntry):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::vote):
        (JSC::DFG::Propagator::doRoundOfDoubleVoting):
        (JSC::DFG::Propagator::propagatePredictions):
        (JSC::DFG::Propagator::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::ValueSource::dump):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::clearVotes):
        (JSC::DFG::VariableAccessData::vote):
        (JSC::DFG::VariableAccessData::doubleVoteRatio):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
        (JSC::DFG::VariableAccessData::shouldUseDoubleFormat):
        (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
        * runtime/Arguments.cpp:
        (JSC::Arguments::tearOff):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-12-13  Anders Carlsson  <andersca@apple.com>

        Try to fix the Windows build.

        Remove the callOnMainThread overload that takes a WTF::Function since it's not being used.

        * wtf/MainThread.cpp:
        * wtf/MainThread.h:

2011-12-13  Anders Carlsson  <andersca@apple.com>

        Add a very bare-bones implementation of bind and Function to WTF
        https://bugs.webkit.org/show_bug.cgi?id=74462

        Reviewed by Sam Weinig.

        In order to make it easier to package up function calls and send them across
        threads, add a (currently very simple) implementation of WTF::bind and WTF::Function to a new
        wtf/Functional.h header.

        Currently, all bind can do is bind a nullary function and return a Function object that can be called and copied,
        but I'll add more as the need arises.

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/Functional.h: Added.
        (WTF::R):
        (WTF::FunctionImplBase::~FunctionImplBase):
        (WTF::FunctionWrapper::ResultType):
        (WTF::FunctionBase::isNull):
        (WTF::FunctionBase::FunctionBase):
        (WTF::FunctionBase::impl):
        (WTF::bind):
        * wtf/MainThread.cpp:
        (WTF::callFunctionObject):
        (WTF::callOnMainThread):
        * wtf/MainThread.h:
        * wtf/wtf.pro:

2011-12-13  Geoffrey Garen  <ggaren@apple.com>

        <rdar://problem/10577239> GC Crash introduced in r102545

        Reviewed by Gavin Barraclough.
        
        MarkedArgumentBuffer was still marking items in forwards order, even though
        the argument order has been reversed.
        
        I fixed this bug, and replaced address calculation code with some helper
        functions -- mallocBase() and slotFor() -- so it stays fixed everywhere.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::markLists):
        (JSC::MarkedArgumentBuffer::slowAppend):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::at):
        (JSC::MarkedArgumentBuffer::append):
        (JSC::MarkedArgumentBuffer::last):
        (JSC::MarkedArgumentBuffer::slotFor):
        (JSC::MarkedArgumentBuffer::mallocBase):

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit for UInt32ToNumber should roll forward, not roll backward
        https://bugs.webkit.org/show_bug.cgi?id=74463

        Reviewed by Gavin Barraclough.
        
        Implements roll-forward OSR exit for UInt32ToNumber, which requires ValueRecoveries knowing
        how to execute the slow path of UInt32ToNumber.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::lastOSRExit):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::operator!=):
        * bytecode/ValueRecovery.h:
        (JSC::ValueRecovery::uint32InGPR):
        (JSC::ValueRecovery::gpr):
        (JSC::ValueRecovery::dump):
        * dfg/DFGAssemblyHelpers.cpp:
        * dfg/DFGAssemblyHelpers.h:
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::valueRecoveryForOperand):
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-13  Oliver Hunt  <oliver@apple.com>

        Arguments object doesn't handle mutation of length property correctly
        https://bugs.webkit.org/show_bug.cgi?id=74454

        Reviewed by Gavin Barraclough.

        Correct handling of arguments objects with overridden length property

        * interpreter/Interpreter.cpp:
        (JSC::loadVarargs):
        * runtime/Arguments.cpp:
        (JSC::Arguments::copyToArguments):
        (JSC::Arguments::fillArgList):

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG GetByVal CSE rule should match PutByValAlias
        https://bugs.webkit.org/show_bug.cgi?id=74390

        Reviewed by Geoff Garen.
        
        Tiny win on some benchmarks. Maybe a 0.2% win on SunSpider.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getByValLoadElimination):

2011-12-13  Andy Wingo  <wingo@igalia.com>

        Fix interpreter debug build.
        https://bugs.webkit.org/show_bug.cgi?id=74439

        Reviewed by Geoffrey Garen.

        * bytecode/ValueRecovery.h: Include stdio.h on debug builds.

2011-12-13  Filip Pizlo  <fpizlo@apple.com>

        DFG should know exactly why recompilation was triggered
        https://bugs.webkit.org/show_bug.cgi?id=74362

        Reviewed by Oliver Hunt.
        
        Each OSR exit is now individually counted, as well as counting the total number 
        of OSR exits that occurred in a code block. If recompilation is triggered, we
        check to see if there are OSR exit sites that make up a sufficiently large
        portion of the total OSR exits that occurred. For any such OSR exit sites, we
        add a description of the site (bytecode index, kind) to a data structure in the
        corresponding baseline CodeBlock. Then, when we recompile the code, we immediately
        know which speculations would be unwise based on the fact that previous such
        speculations proved to be fruitless.
        
        This means 2% win on two of the SunSpider string tests, a 4% win on V8's deltablue,
        and 5% on Kraken's imaging-darkroom. It is only a minor win in the averages, less
        than 0.5%.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addFrequentExitSite):
        (JSC::CodeBlock::exitProfile):
        (JSC::CodeBlock::reoptimize):
        (JSC::CodeBlock::tallyFrequentExitSites):
        * bytecode/DFGExitProfile.cpp: Added.
        (JSC::DFG::ExitProfile::ExitProfile):
        (JSC::DFG::ExitProfile::~ExitProfile):
        (JSC::DFG::ExitProfile::add):
        (JSC::DFG::QueryableExitProfile::QueryableExitProfile):
        (JSC::DFG::QueryableExitProfile::~QueryableExitProfile):
        * bytecode/DFGExitProfile.h: Added.
        (JSC::DFG::exitKindToString):
        (JSC::DFG::exitKindIsCountable):
        (JSC::DFG::FrequentExitSite::FrequentExitSite):
        (JSC::DFG::FrequentExitSite::operator!):
        (JSC::DFG::FrequentExitSite::operator==):
        (JSC::DFG::FrequentExitSite::hash):
        (JSC::DFG::FrequentExitSite::bytecodeOffset):
        (JSC::DFG::FrequentExitSite::kind):
        (JSC::DFG::FrequentExitSite::isHashTableDeletedValue):
        (JSC::DFG::FrequentExitSiteHash::hash):
        (JSC::DFG::FrequentExitSiteHash::equal):
        (JSC::DFG::QueryableExitProfile::hasExitSite):
        * dfg/DFGAssemblyHelpers.h:
        (JSC::DFG::AssemblyHelpers::baselineCodeBlockForOriginAndBaselineCodeBlock):
        (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::considerAddingAsFrequentExitSite):
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLength):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):
        (JSC::DFG::SpeculativeJIT::compileArithMul):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compileObjectEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::compileLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::emitBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-12-13  Michael Saboff  <msaboff@apple.com>

        Cleanup of StringImpl::equal in r102631 post commit
        https://bugs.webkit.org/show_bug.cgi?id=74421

        Reviewed by Darin Adler.

        * wtf/text/AtomicString.h:
        (WTF::operator==): Removed cast no longer needed.
        * wtf/text/StringImpl.h:
        (WTF::equal): Changed template to several overloaded methods.

2011-12-12  Michael Saboff  <msaboff@apple.com>

        Eliminate Duplicate word at a time equal code in StringImpl.cpp and StringHash.h
        https://bugs.webkit.org/show_bug.cgi?id=73622

        Reviewed by Oliver Hunt.

        Moved equal(charType1 *, charType2, unsigned) template methods
        from static StringImpl.cpp to StringImpl.h and then replaced the
        processor specific character comparison code in StringHash::equal
        with calls to these methods.

        This change is worth 3% on SunSpider string-unpack-code as reported
        by the SunSpider command line harness.  No other tests appear to
        have measurable performance changes.

        * wtf/text/AtomicString.h:
        (WTF::operator==):
        * wtf/text/StringHash.h:
        (WTF::StringHash::equal):
        * wtf/text/StringImpl.cpp:
        * wtf/text/StringImpl.h:
        (WTF::LChar):
        (WTF::UChar):
        (WTF::equal):

2011-12-12  Filip Pizlo  <fpizlo@apple.com>

        ARMv7 version of DFG soft modulo does register allocation inside of control flow
        https://bugs.webkit.org/show_bug.cgi?id=74354

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSoftModulo):

2011-12-12  Andy Wingo  <wingo@igalia.com>

        Simplify autotools configure.ac
        https://bugs.webkit.org/show_bug.cgi?id=74312

        Reviewed by Martin Robinson.

        * GNUmakefile.am: Add JSC_CPPFLAGS to javascriptcore_cppflags.

2011-12-12  Filip Pizlo  <fpizlo@apple.com>

        DFG GetByVal CSE incorrectly assumes that a non-matching PutByVal cannot clobber
        https://bugs.webkit.org/show_bug.cgi?id=74329

        Reviewed by Gavin Barraclough.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getByValLoadElimination):

2011-12-09  Alexander Pavlov  <apavlov@chromium.org>

        WebKit does not enumerate over CSS properties in HTMLElement.style
        https://bugs.webkit.org/show_bug.cgi?id=23946

        Reviewed by Darin Adler.

        Add a few exports to follow the JSCSSStyleDeclaration.cpp changes,
        introduce an std::sort() comparator function.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.h:
        (WTF::codePointCompareLessThan): Used by std::sort() to sort properties.

2011-12-12  Alexander Pavlov  <apavlov@chromium.org>

        Unreviewed, build fix.

        Revert r102570 which broke SnowLeopard builders.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.h:

2011-12-09  Alexander Pavlov  <apavlov@chromium.org>

        WebKit does not enumerate over CSS properties in HTMLElement.style
        https://bugs.webkit.org/show_bug.cgi?id=23946

        Reviewed by Darin Adler.

        Add a few exports to follow the JSCSSStyleDeclaration.cpp changes,
        introduce an std::sort() comparator function.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * wtf/text/WTFString.h:
        (WTF::codePointCompareLessThan): Used by std::sort() to sort properties.

2011-12-12  Carlos Garcia Campos  <cgarcia@igalia.com>

        Unreviewed. Fix make distcheck issues.

        * GNUmakefile.list.am:

2011-12-11  Sam Weinig  <sam@webkit.org>

        Fix another signed vs. unsigned warning

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):

2011-12-11  Sam Weinig  <sam@webkit.org>

        Fix a signed vs. unsigned warning.

        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::slowAppend):
        Cast inlineCapacity to an int to appease the warning. This is known OK
        since inlineCapacity is defined to be 8.

2011-12-11  Geoffrey Garen  <ggaren@apple.com>

        Rolled out *another* debugging change I committed accidentally.

        Unreviewed.

        * Configurations/Base.xcconfig:

2011-12-11  Geoffrey Garen  <ggaren@apple.com>
        
        Rolled out a debug counter I committed accidentally.

        Unreviewed.

        * jit/JITStubs.cpp:
        (JSC::arityCheckFor):

2011-12-10  Geoffrey Garen  <ggaren@apple.com>

        v8 benchmark takes 12-13 million function call slow paths due to extra arguments
        https://bugs.webkit.org/show_bug.cgi?id=74244

        Reviewed by Filip Pizlo.
        
        .arguments function of order the Reversed
        
        10% speedup on v8-raytrace, 1.7% speedup on v8 overall, neutral on Kraken
        and SunSpider.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForArgument): Clarified that the interface
        to this function is an argument number.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        (JSC::BytecodeGenerator::isArgumentNumber): Switched to using CallFrame
        helper functions for computing offsets for arguments, rather than doing
        the math by hand.
        
        Switched to iterating argument offsets backwards (--) instead of forwards (++).

        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::thisRegister):
        (JSC::CallArguments::argumentRegister):
        (JSC::CallArguments::registerOffset): Updated for arguments being reversed.

        * bytecompiler/NodesCodegen.cpp: Allocate arguments in reverse order.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::handleMinMax):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack): Use abstract argument indices
        that just-in-time convert to bytecode operands (i.e., indexes in the register
        file) through helper functions. This means only one piece of code needs
        to know how arguments are laid out in the register file.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump): Ditto.

        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::valueProfileFor): Ditto.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction): The whole point of this patch:
        Treat too many arguments as an arity match.

        * dfg/DFGOSRExit.h:
        (JSC::DFG::OSRExit::variableForIndex):
        (JSC::DFG::OSRExit::operandForIndex): Use helper functions, as above.

        * dfg/DFGOperands.h:
        (JSC::DFG::operandToArgument):
        (JSC::DFG::argumentToOperand): These are now the only two lines of code in
        the DFG compiler that know how arguments are laid out in memory.

        (JSC::DFG::Operands::operand):
        (JSC::DFG::Operands::setOperand): Use helper functions, as above.

        * dfg/DFGOperations.cpp: The whole point of this patch:
        Treat too many arguments as an arity match.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall): Use helper functions, as above.
        
        Also, don't tag the caller frame slot as a cell, because it's not a cell.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall): Use helper functions, as above.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Use helper functions, as above.

        (JSC::DFG::SpeculativeJIT::checkArgumentTypes): Use already-computed
        argument virtual register instead of recomputing by hand.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callFrameSlot):
        (JSC::DFG::SpeculativeJIT::argumentSlot):
        (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
        (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
        (JSC::DFG::SpeculativeJIT::argumentTagSlot):
        (JSC::DFG::SpeculativeJIT::argumentPayloadSlot): Added a few helper
        functions for dealing with callee arguments specifically. These still
        build on top of our other helper functions, and have no direct knowledge
        of how arguments are laid out in the register file.

        (JSC::DFG::SpeculativeJIT::resetCallArguments):
        (JSC::DFG::SpeculativeJIT::addCallArgument): Renamed argumentIndex to
        argumentOffset to match CallFrame naming.

        (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand): Use helper
        functions, as above.

        * interpreter/CallFrame.h:
        (JSC::ExecState::argumentOffset):
        (JSC::ExecState::argumentOffsetIncludingThis):
        (JSC::ExecState::argument):
        (JSC::ExecState::setArgument):
        (JSC::ExecState::thisArgumentOffset):
        (JSC::ExecState::thisValue):
        (JSC::ExecState::setThisValue):
        (JSC::ExecState::offsetFor):
        (JSC::ExecState::hostThisRegister):
        (JSC::ExecState::hostThisValue): Added a bunch of helper functions for
        computing where an argument is in the register file. Anything in the
        runtime that needs to access arguments should use these helpers.

        * interpreter/CallFrameClosure.h:
        (JSC::CallFrameClosure::setThis):
        (JSC::CallFrameClosure::setArgument):
        (JSC::CallFrameClosure::resetCallFrame): This stuff is a lot simpler, now
        that too many arguments counts as an arity match and doesn't require
        preserving two copies of our arguments.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::slideRegisterWindowForCall): Only need to do something
        special if the caller provided too few arguments.
        
        Key simplification: We never need to maintain two copies of our arguments
        anymore.

        (JSC::eval):
        (JSC::loadVarargs): Use helper functions.

        (JSC::Interpreter::unwindCallFrame): Updated for new interface.

        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall): Seriously, though: use helper
        functions.

        (JSC::Interpreter::privateExecute): No need to check for stack overflow
        when calling host functions because they have zero callee registers.

        (JSC::Interpreter::retrieveArguments): Explicitly tear off the arguments
        object, since there's no special constructor for this anymore.

        * interpreter/Interpreter.h: Reduced the C++ re-entry depth because some
        workers tests were hitting stack overflow in some of my testing. We should
        make this test more exact in future.

        * interpreter/RegisterFile.h: Death to all runtime knowledge of argument
        location that does not belong to the CallFrame class!

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile): I am a broken record and I use helper functions.
        
        Also, the whole point of this patch: Treat too many arguments as an arity match.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs): Updated the argument copying math to use
        helper functions, for backwards-correctness. Removed the condition
        pertaining to declared argument count because, now that arguments are
        always in just one place, this optimization is valid for all functions.
        Standardized the if predicate for each line of the optimization. This might
        fix a bug, but I couldn't get the bug to crash in practice.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emit_op_get_argument_by_val):
        (JSC::JIT::emitSlow_op_get_argument_by_val): Removed cti_op_create_arguments_no_params
        optimization because it's no longer an optimization, now that arguments
        are always contiguous in a known location.
        
        Updated argument access opcode math for backwards-correctness.

        * jit/JITStubs.cpp:
        (JSC::arityCheckFor): Updated just like slideRegisterWindowForCall. This
        function is slightly different because it copies the call frame in
        addition to the arguments. (In the Interpreter, the call frame is not
        set up by this point.)

        (JSC::lazyLinkFor): The whole point of this patch: Treat too many
        arguments as an arity match.

        (JSC::DEFINE_STUB_FUNCTION): Updated for new iterface to tearOff().

        * jit/JITStubs.h:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadDoubleArgument):
        (JSC::SpecializedThunkJIT::loadCellArgument):
        (JSC::SpecializedThunkJIT::loadInt32Argument): Use helper functions! They
        build strong bones and teeth!

        * runtime/ArgList.cpp:
        (JSC::ArgList::getSlice):
        (JSC::MarkedArgumentBuffer::slowAppend):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::at):
        (JSC::MarkedArgumentBuffer::clear):
        (JSC::MarkedArgumentBuffer::append):
        (JSC::MarkedArgumentBuffer::removeLast):
        (JSC::MarkedArgumentBuffer::last):
        (JSC::ArgList::ArgList):
        (JSC::ArgList::at): Updated for backwards-correctness. WTF::Vector doesn't
        play nice with backwards-ness, so I changed to using manual allocation.
        
        Fixed a FIXME about not all values being marked in the case of out-of-line
        arguments. I had to rewrite the loop anyway, and I didn't feel like
        maintaining fidelity to its old bugs.

        * runtime/Arguments.cpp:
        (JSC::Arguments::visitChildren):
        (JSC::Arguments::copyToArguments):
        (JSC::Arguments::fillArgList):
        (JSC::Arguments::getOwnPropertySlotByIndex):
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::Arguments::getOwnPropertyDescriptor):
        (JSC::Arguments::putByIndex):
        (JSC::Arguments::put):
        (JSC::Arguments::tearOff):
        * runtime/Arguments.h:
        (JSC::Arguments::create):
        (JSC::Arguments::Arguments):
        (JSC::Arguments::argument):
        (JSC::Arguments::finishCreation): Secondary benefit of this patch: deleted
        lots of tricky code designed to maintain two different copies of function
        arguments. Now that arguments are always contiguous in one place in memory,
        this complexity can go away.
        
        Reduced down to one create function for the Arguments class, from three.

        Moved tearOff() into an out-of-line function because it's huge.
        
        Moved logic about whether to tear off eagerly into the Arguments class,
        so we didn't have to duplicate it elsewhere.

        * runtime/JSActivation.cpp:
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::visitChildren): Renamed m_numParametersMinusThis to
        m_numCapturedArgs because if the value really were m_numParametersMinusThis
        we would be marking too much. (We shouldn't mark 'this' because it can't
        be captured.) Also, use helper functions.

        * runtime/JSActivation.h:
        (JSC::JSActivation::tearOff): Use helper functions.

        * runtime/JSArray.cpp:
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h: Use helper functions, as above.

2011-12-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC testapi is crashing on Windows
        https://bugs.webkit.org/show_bug.cgi?id=74233

        Reviewed by Sam Weinig.

        Same error we've encountered before where we are calling the wrong version of 
        visitChildren and objects that are still reachable aren't getting marked.
        This problem will go away soon with the removal of vptrs for these sorts of 
        optimizations in favor of using the ClassInfo, but for now we can simply give 
        JSFinalObject a bogus virtual method that Visual Studio can't optimize away to
        ensure that JSFinalObject will always have a unique vptr.  We don't have to worry 
        about JSString or JSArray right now, which are the other two special cases for
        visitChildren, since they already have their own virtual functions.

        * JavaScriptCore.exp:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        * runtime/JSObject.cpp:
        (JSC::JSFinalObject::vtableAnchor):
        * runtime/JSObject.h:

2011-12-10  Alexis Menard  <alexis.menard@openbossa.org>

        Unused variable in YarrJIT.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=74237

        Reviewed by Andreas Kling.

        Variable is set but not used so we can remove it.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

2011-12-09  Filip Pizlo  <fpizlo@apple.com>

        DFG ArithMul power-of-two case does not check for overflow
        https://bugs.webkit.org/show_bug.cgi?id=74230

        Reviewed by Gavin Barraclough.
        
        Disabled power-of-2 peephole optimization for multiplication, because it was wrong,
        and any attempt to fix it would likely introduce code bloat and register pressure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMul):

2011-12-09  David Levin  <levin@chromium.org>

        REGRESSION(r101863-r102042): Assertion hit: m_verifier.isSafeToUse() in RefCountedBase::ref in FunctionCodeBlock
        https://bugs.webkit.org/show_bug.cgi?id=73886

        Reviewed by Darin Adler.

        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::SharedSymbolTable): Added deprecatedTurnOffVerifier for
        another JavaScriptObject, since JavaScriptCore objects allow use on multiple threads.
        Bug 58091 is about changing these deprecated calls to something else but that something
        else will still need to be in all of these places.

2011-12-09  Konrad Piascik  <kpiascik@rim.com>

        Remove unnecessary file DissasemblerARM.cpp from build system
        https://bugs.webkit.org/show_bug.cgi?id=74184

        Reviewed by Daniel Bates.

        * PlatformBlackBerry.cmake:

2011-12-09  Filip Pizlo  <fpizlo@apple.com>

        DFG's interpretation of rare case profiles should be frequency-based not count-based
        https://bugs.webkit.org/show_bug.cgi?id=74170

        Reviewed by Geoff Garen.
        
        DFG optimizes for rare cases only when the rare case counter is above some threshold
        and it also constitutes a large enough fraction of total function executions. Also
        added some minor debug logic.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::likelyToTakeSlowCase):
        (JSC::CodeBlock::couldTakeSlowCase):
        (JSC::CodeBlock::likelyToTakeSpecialFastCase):
        (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
        (JSC::CodeBlock::likelyToTakeAnySlowCase):
        (JSC::CodeBlock::executionEntryCount):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::makeSafe):
        (JSC::DFG::ByteCodeParser::makeDivSafe):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * runtime/Heuristics.cpp:
        (JSC::Heuristics::initializeHeuristics):
        * runtime/Heuristics.h:

2011-12-09  Oliver Hunt  <oliver@apple.com>

        PutByValAlias unnecessarily clobbers GetIndexedPropertyStorage
        https://bugs.webkit.org/show_bug.cgi?id=74223

        Reviewed by Geoffrey Garen.

        Don't clobber GetIndexedPropertyStorage when we see PutByValAlias

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):

2011-12-09  David Levin  <levin@chromium.org>

        Hash* iterators should allow comparison between const and const versions.
        https://bugs.webkit.org/show_bug.cgi?id=73370

        Reviewed by Darin Adler.

        * wtf/HashTable.h: Add the operators needed to do this.
        (WTF::HashTableConstIterator::operator==):
        (WTF::HashTableConstIterator::operator!=):
        (WTF::HashTableIterator::operator==):
        (WTF::HashTableIterator::operator!=):
        (WTF::operator==):
        (WTF::operator!=):

2011-12-09  Michael Saboff  <msaboff@apple.com>

        YARR: Multi-character read optimization for 8bit strings
        https://bugs.webkit.org/show_bug.cgi?id=74191

        Reviewed by Oliver Hunt.

        Changed generatePatternCharacterOnce to generate
        code for 1 to 4 characters in the 8 bit case.
        This is worth 29% improvement on SunSpider regexp-dna test.
        It provides no benefit to v8-regexp.

        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
        (JSC::Yarr::YarrGenerator::generate): Spelling fix in comment.

2011-12-09  David Levin  <levin@chromium.org>

        Regression(r53595): Sync xhr requests in workers aren't terminated on worker close.
        https://bugs.webkit.org/show_bug.cgi?id=71695

        Reviewed by Zoltan Herczeg.

        * wtf/MessageQueue.h:
        (WTF::MessageQueue::tryGetMessageIgnoringKilled): Added a way to get messages
        even after the queue has been killed. This is useful when one wants to
        kill a queue but then go through it to run clean up tasks from it.

2011-12-09  Adrienne Walker  <enne@google.com>

        Fix HashMap<..., OwnPtr<...> >::add compilation errors
        https://bugs.webkit.org/show_bug.cgi?id=74159

        Reviewed by Darin Adler.

        Add a constructor to OwnPtr that takes the empty value (nullptr_t)
        from HashTraits so that this function can compile.

        * wtf/OwnPtr.h:
        (WTF::OwnPtr::OwnPtr):

2011-12-09  Oliver Hunt  <oliver@apple.com>

        Avoid reloading storage pointer for indexed properties unnecessarily
        https://bugs.webkit.org/show_bug.cgi?id=74136

        Reviewed by Filip Pizlo.

        Add a node to represent loading property storage for indexed properties.
        This allows us to reduce code generated for sequential access of arrays,
        strings, etc.  This results in up to 5% improvement in code that is 
        very heavy on indexed reads, such as matrix operations in typed arrays
        and 20% faster on microbenchmarks.

        Currently this is only supported by GetByVal and other similar indexed reads.

        * bytecode/PredictedType.h:
        (JSC::isFixedIndexedStorageObjectPrediction):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        (JSC::DFG::Propagator::fixupNode):
        (JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnByteArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-08  Fady Samuel  <fsamuel@chromium.org>

        [Chromium] Enable viewport metatag
        https://bugs.webkit.org/show_bug.cgi?id=73495

        Reviewed by Darin Fisher.

        * wtf/Platform.h: Added ENABLE(VIEWPORT) tag.

2011-12-08  Adam Klein  <adamk@chromium.org>

        Use HashMap<Node*, OwnPtr<...>> in ChildListMutationScope
        https://bugs.webkit.org/show_bug.cgi?id=73964

        Reviewed by Darin Adler.

        * wtf/HashTraits.h: Add passOut(std::nullptr_t) to allow callers to use HashMap::take on a HashMap of OwnPtrs.

2011-12-08  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

        https://bugs.webkit.org/show_bug.cgi?id=74005
        fix unaligned access memory in generatePatternCharacterOnce function
        for SH4 platforms.

        Reviewed by Gavin Barraclough.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load16Unaligned):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load16Unaligned):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load16Unaligned):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::lshift32):
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::load16):
        (JSC::MacroAssemblerSH4::load16Unaligned):
        (JSC::MacroAssemblerSH4::branch8):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::load16Unaligned):
        * jit/JIT.h:
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):

2011-12-08  Michael Saboff  <msaboff@apple.com>

        Add 8 bit paths for StringTypeAdapter classes
        https://bugs.webkit.org/show_bug.cgi?id=73882

        Reviewed by Darin Adler.

        Added is8Bit() method and writeTo(LChar*) methods
        to StringTypeAdapter<> classes.  The writeTo(LChar*)
        method can be used if is8Bit() returns true.  The
        non-native 8 bit classes contain ASSERT(is8Bit())
        in their writeTo(LChar*).

        Updated all of the various versions of tryMakeString() to
        use 8 bit processing in the updated StringTypeAdapter<>
        classes.

        This has slight if any performance improvement on kraken.

        * runtime/UStringConcatenate.h:
        * wtf/text/StringConcatenate.h:
        (WTF::tryMakeString):
        * wtf/text/StringOperators.h:
        (WTF::StringAppend::is8Bit):
        (WTF::StringAppend::writeTo):

2011-12-07  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE should know that CheckFunction is pure
        https://bugs.webkit.org/show_bug.cgi?id=74044

        Reviewed by Oliver Hunt.
        
        Possible slight win on V8, no regressions.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::checkFunctionElimination):

2011-12-07  Michael Saboff  <msaboff@apple.com>

        StringBuilderTest.Append and StringBuilderTest.ToStringPreserveCapacity are failing.
        https://bugs.webkit.org/show_bug.cgi?id=73995

        Reviewed by Geoffrey Garen.

        Problem was that a call to characters on an StringImpl associated
        with a StringBuilder that is being appended to gets stale.
        Added a new m_valid16BitShadowlen that keeps the length of
        the 16 bit shadow that has been upconverted or will be up converted
        with the first getCharacters().  When StringBuilder::characters or
        ::reifyString is called, further characters are upconverted if
        we have a shadow16bit copy and the m_valid16BitShadowlen is updated.

        * JavaScriptCore.exp:
        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::reifyString):
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::StringBuilder):
        (WTF::StringBuilder::characters):
        (WTF::StringBuilder::clear): Cleaned up as part of the change.
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::getData16SlowCase):
        (WTF::StringImpl::upconvertCharacters):
        * wtf/text/StringImpl.h:

2011-12-07  Filip Pizlo  <fpizlo@apple.com>

        Compare and Swap should be enabled on ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=74023

        Reviewed by Geoff Garen.
        
        Implemented weakCompareAndSwap in terms of LDREX/STREX and enabled PARALLEL_GC.
        It gives the expected speed-up on multi-core ARMv7 devices.

        * wtf/Atomics.h:
        (WTF::weakCompareAndSwap):
        * wtf/Platform.h:

2011-12-07  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE is overzealous with GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=74042

        Reviewed by Oliver Hunt.
        
        Made sure that the purity of GetByVal and the limited-clobber-itude of PutByVal
        is tested in all places that matter.

        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::byValIsPure):
        (JSC::DFG::Propagator::clobbersWorld):
        (JSC::DFG::Propagator::getByValLoadElimination):
        (JSC::DFG::Propagator::checkStructureLoadElimination):
        (JSC::DFG::Propagator::getByOffsetLoadElimination):
        (JSC::DFG::Propagator::getPropertyStorageLoadElimination):
        (JSC::DFG::Propagator::performNodeCSE):

2011-12-07  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r102267.
        http://trac.webkit.org/changeset/102267
        https://bugs.webkit.org/show_bug.cgi?id=74032

        Breaks build on Chromium Mac Debug (Requested by aklein on
        #webkit).

        * wtf/HashTraits.h:

2011-12-07  Adam Klein  <adamk@chromium.org>

        Use HashMap<Node*, OwnPtr<...>> in ChildListMutationScope
        https://bugs.webkit.org/show_bug.cgi?id=73964

        Reviewed by Ryosuke Niwa.

        * wtf/HashTraits.h: Add passOut(std::nullptr_t) to allow callers to use HashMap::take on an entry whose value is null.

2011-12-07  Filip Pizlo  <fpizlo@apple.com>

        Non-Mac devices should benefit from a larger heap
        https://bugs.webkit.org/show_bug.cgi?id=74015

        Reviewed by Geoff Garen.
        
        Removed the ENABLE(LARGE_HEAP) option from Platform.h, since it was only used in
        Heap.cpp, and got in the way of having more granular, per-platform control over
        what the heap size should be. Bumped the heap size to 8MB on iOS (was 512KB).

        * heap/Heap.cpp:
        (JSC::GCTimer::heapSizeForHint):
        * wtf/Platform.h:

2011-11-30  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] V8 build fixes.

        Reviewed by Tor Arne Vestbø.

        * yarr/yarr.pri: Don't rely on Source/JavaScriptCore being in
        VPATH. Prefix SOURCES correctly and make sure that runtime/ is
        in the include search path when building with v8.

2011-12-06  Filip Pizlo  <fpizlo@apple.com>

        Zapping a block that is Marked leads to dead objects being mistaken for live ones
        https://bugs.webkit.org/show_bug.cgi?id=73982

        Reviewed by Geoff Garen.
        
        Changed the zapping code to ignore blocks that are Marked or Zapped. Additionally,
        the code asserts that:
        
        - If we zap a Marked or Zapped block then the free list is empty, because this
          can only happen if the block was never free-listed.
          
        - Zapping can only happen for Marked, Zapped, or FreeListed blocks, since Allocated
          blocks are those that cannot be referred to by SizeClass::currentBlock (since
          SizeClass::currentBlock only refers to blocks that are candidates for allocation,
          and Allocated blocks are those who have been exhausted by allocation and will not
          be allocated from again), and New blocks cannot be referred to by anything except
          during a brief window inside the allocation slow-path.

        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::zapFreeList):

2011-12-06  Filip Pizlo  <fpizlo@apple.com>

        DFG 32_64 call linking does not handle non-cell callees correctly
        https://bugs.webkit.org/show_bug.cgi?id=73965

        Reviewed by Sam Weinig.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):

2011-12-06  Sam Weinig  <sam@webkit.org>

        Remove unintentional type name shadowing in the Interpreter
        https://bugs.webkit.org/show_bug.cgi?id=73963

        Reviewed by Oliver Hunt.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::prepareForRepeatCall): Replace the parameter name FunctionExecutable,
        which shadows the FunctionExecutable type name, with functionExecutable.

2011-12-06  Michael Saboff  <msaboff@apple.com>

        r102146 from 73875 broke fast/js/encode-URI-test.html
        https://bugs.webkit.org/show_bug.cgi?id=73950

        Reviewed by Gavin Barraclough.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncUnescape): Restructured to handle
        the %uHHHH case to output the resulting character
        and continue so that a failure in finding 4 hex
        digits will fall through and output the '%'.
        Due to style check, changed the temporary
        character variable to a more descriptive name.

2011-12-06  Filip Pizlo  <fpizlo@apple.com>

        GC zapping logic could benefit from some more assertions
        https://bugs.webkit.org/show_bug.cgi?id=73947

        Reviewed by Gavin Barraclough.
        
        - If you're in a zapped block and you're zapped, then your mark bit should
          never be set.
          
        - If you're being marked, then you should never be zapped.

        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isLive):
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):

2011-12-06  Oliver Hunt  <oliver@apple.com>

        Don't allocate register in typedarray control flow
        https://bugs.webkit.org/show_bug.cgi?id=73944

        Reviewed by Gavin Barraclough.

        Move a temporary allocation outside of control flow.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

2011-12-06  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=68328
        The generator and intrinsic fields in HashTableValue/HashEntry and associated structures and methods are redundant

        Reviewed by Geoff Garen.

        Move the instrinsic enum out of the DFG, into runtime. Add entires for all host functions
        that have an intrinsic in the form of a generated thunk. Remove the thunk pointer from the
        hashtable, and make Intrinsic field no longer ifdef on JIT/DFG. In getHostFunction select
        a thunk genertaor to use based on the Intrinsic.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * create_hash_table:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        * dfg/DFGCapabilities.h:
        * dfg/DFGIntrinsic.h: Removed.
        * jit/JITStubs.cpp:
        (JSC::JITThunks::hostFunctionStub):
        * jit/JITStubs.h:
        * runtime/Executable.cpp:
        (JSC::ExecutableBase::intrinsic):
        (JSC::NativeExecutable::intrinsic):
        * runtime/Executable.h:
        (JSC::ExecutableBase::intrinsicFor):
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        * runtime/Intrinsic.h: Copied from Source/JavaScriptCore/dfg/DFGIntrinsic.h.
        * runtime/JSGlobalData.cpp:
        (JSC::thunkGeneratorForIntrinsic):
        (JSC::JSGlobalData::getHostFunction):
        * runtime/JSGlobalData.h:
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
        (JSC::setUpStaticFunctionSlot):
        * runtime/Lookup.h:
        (JSC::HashEntry::initialize):
        (JSC::HashEntry::intrinsic):

2011-12-06  Michael Saboff  <msaboff@apple.com>

        Add 8 bit paths to global object functions
        https://bugs.webkit.org/show_bug.cgi?id=73875

        Added 8 bit paths for converions methods.

        This is worth 1.5% on kraken audio-oscillator,
        1.6% on stanford-crypto-ccm and 2.5% on
        stanford-crypto-sha256-iterative.  See bug for
        a full report.

        Reviewed by Oliver Hunt.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode): Split into a templated helper.
        (JSC::parseInt): Split into a templated helper.
        (JSC::parseFloat): Added an 8 bit path
        (JSC::globalFuncEscape): Added 8 bit path
        (JSC::globalFuncUnescape): Added 8 bit path
        * runtime/JSStringBuilder.h:
        (JSC::JSStringBuilder::append): New append for LChar
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::append): New append for LChar

2011-11-21  Balazs Kelemen  <kbalazs@webkit.org>

        Enable ParallelJobs by default
        https://bugs.webkit.org/show_bug.cgi?id=70032

        Reviewed by Zoltan Herczeg.

        According to measurements on Mac and Linux it is a
        considerable speedup for SVG on multicore.

        Remove the ENABLE(PARALLEL_JOBS) guard.
        Fix build on Windows and Chromium.

        * JavaScriptCore.gypi:  Add the files to the build. It was
        missing for the gyp build system.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
        Export symbols.
        * wtf/ParallelJobs.h:
        * wtf/ParallelJobsGeneric.cpp:
        (WTF::ParallelEnvironment::ParallelEnvironment):
        (WTF::ParallelEnvironment::execute):
        Deinline these to avoid exporting a lot of symbols.
        These are non-trivial and called only once on a given object
        so it doesn't seems to be worthwile to inline them.
        Additionally fix a signed-unsigned comparison in the constructor.
        * wtf/ParallelJobsGeneric.h:
        * wtf/Platform.h:

2011-12-06  Simon Hausmann  <simon.hausmann@nokia.com>

        [Qt] build-jsc script doesn't work
        https://bugs.webkit.org/show_bug.cgi?id=73910

        Reviewed by Tor Arne Vestbø.

        * JavaScriptCore.pro: Build WTF before JavaScriptCore and JSC
        (moved from top-level WebKit.pro). Also add v8 scopes to only build
        WTF during v8 builds.

2011-12-05  Anders Carlsson  <andersca@apple.com>

        Add HashMap::keys() and HashMap::values() for easy iteration of hash map keys and values in C++11.

        Reviewed by Darin Adler.

        * wtf/HashMap.h:

2011-12-05  Michael Saboff  <msaboff@apple.com>

        Create StringImpl::empty() as an 8 bit string
        https://bugs.webkit.org/show_bug.cgi?id=73871

        Reviewed by Oliver Hunt.

        * wtf/text/StringStatics.cpp:
        (WTF::StringImpl::empty): Changed to be an 8 bit string.

2011-12-05  Darin Adler  <darin@apple.com>

        Convert JSClassRef to use HashMap<OwnPtr>
        https://bugs.webkit.org/show_bug.cgi?id=73780

        Reviewed by Andreas Kling.

        * API/JSCallbackObjectFunctions.h:
        (JSC::JSCallbackObject::getOwnPropertyNames): Use get() on the hash map
        entries because the hash map now has an OwnPtr instead of a raw pointer.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::OpaqueJSClass): No need to initialize m_staticValues and
        m_staticFunctions since they are now OwnPtr. Use adoptPtr when allocating.
        Removed the code that gets and deletes existing entries, and just use set,
        which now handles deletion automatically due to it being OwnPtr.
        (OpaqueJSClass::~OpaqueJSClass): Replaced code to do all the deletion
        with assertion-only NDEBUG-only code.
        (OpaqueJSClassContextData::OpaqueJSClassContextData): Use adoptPtr when
        allocating. Use OwnPtr when adding. Removed unneeded code to set
        staticValues and staticFunctions to 0. Removed unneeded destructor.
        (OpaqueJSClass::staticValues): Added get call. Also removed unneeded local.
        (OpaqueJSClass::staticFunctions): Ditto.
        (OpaqueJSClass::prototype): Added use of adoptPtr.

        * API/JSClassRef.h: Made the static values and static functions tables
        use OwnPtr for the entries. Also used OwnPtr for the pointers to the
        tables themselves. Also removed ~OpaqueJSClassContextData(), letting
        the compiler generate it.

2011-12-05  Oliver Hunt  <oliver@apple.com>

        Land uncommitted bit of float array support
        https://bugs.webkit.org/show_bug.cgi?id=73873

        Reviewed by Filip Pizlo.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

2011-12-05  Benjamin Poulain  <benjamin@webkit.org>

        Update String::containsOnlyASCII() to handle 8 bits strings
        https://bugs.webkit.org/show_bug.cgi?id=73799

        Reviewed by Darin Adler.

        Implement String::containsOnlyASCII() so that it does not
        call String::characters().

        * wtf/text/WTFString.h:
        (WTF::String::containsOnlyASCII):

2011-12-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed build fix for non-DFG platforms.

        * dfg/DFGRepatch.h:

2011-12-05  Filip Pizlo  <fpizlo@apple.com>

        Old JIT emits 32-bit offsets for put_by_id but sometimes patches them as if they
        were compact offsets
        https://bugs.webkit.org/show_bug.cgi?id=73861

        Reviewed by Gavin Barraclough.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::resetPatchPutById):

2011-12-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, build fixes for ARM.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::unreachableForPlatform):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::loadFloat):
        (JSC::MacroAssemblerARMv7::storeFloat):
        (JSC::MacroAssemblerARMv7::convertFloatToDouble):
        (JSC::MacroAssemblerARMv7::convertDoubleToFloat):

2011-12-05  Benjamin Poulain  <benjamin@webkit.org>

        Update String::containsOnlyLatin1() to avoid converting to 16 bits
        https://bugs.webkit.org/show_bug.cgi?id=73797

        Reviewed by Andreas Kling.

        When the String use 8bits StringImpl, there is no need to iterate
        over the string.

        The function charactersAreAllLatin1() is removed because it is not
        used anywhere.

        * wtf/text/WTFString.h:
        (WTF::String::containsOnlyLatin1):

2011-12-05  Michael Saboff  <msaboff@apple.com>

        8 bit string work slows down Kraken json-stringify-tinderbox
        https://bugs.webkit.org/show_bug.cgi?id=73457

        Added 8 bit path to StringBuilder.  StringBuilder starts
        assuming 8 bit contents and gets converted to 16 bit upon
        seeing the first 16 bit character or string.  Split
        appendUninitialiezed into an inlined fast and function call
        slow case.

        Factored out the processing of the UString argument from
        Stringifier::appendQuotedString() to a static templated function
        based on character size.

        This change eliminates 5% of the 7% slowdown to json-stringify-tinderbox.
        This change introduces a 4.8% slowdown to json-parse-financial.
        This slowdown will be addressed in a subsequent patch to StringImpl::equal.

        Reviewed by Oliver Hunt.

        * runtime/JSONObject.cpp:
        (JSC::appendStringToUStringBuilder):
        (JSC::Stringifier::appendQuotedString):
        * wtf/text/StringBuilder.cpp:
        (WTF::StringBuilder::resize):
        (WTF::StringBuilder::allocateBuffer):
        (WTF::StringBuilder::allocateBufferUpConvert):
        (WTF::LChar):
        (WTF::UChar):
        (WTF::StringBuilder::reserveCapacity):
        (WTF::StringBuilder::appendUninitialized):
        (WTF::StringBuilder::appendUninitializedSlow):
        (WTF::StringBuilder::append):
        (WTF::StringBuilder::shrinkToFit):
        * wtf/text/StringBuilder.h:
        (WTF::StringBuilder::StringBuilder):
        (WTF::StringBuilder::append):
        (WTF::StringBuilder::operator[]):
        (WTF::StringBuilder::characters8):
        (WTF::StringBuilder::characters16):
        (WTF::StringBuilder::charactersBlah):
        (WTF::LChar):
        (WTF::UChar):

2011-12-01  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=73624
        JIT + INTERPRETER builds are broken

        Reviewed by Geoff Garen, Sam Weinig.

        These don't fallback to the interpreter correctly.
        Thunk creation assumes that is the JIT is compiled in, then it is enabled.

        * jit/JITStubs.cpp:
        (JSC::JITThunks::JITThunks):
        * runtime/Executable.h:
        (JSC::NativeExecutable::create):
        (JSC::NativeExecutable::finishCreation):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::getHostFunction):

2011-12-05  Zoltan Herczeg  <zherczeg@webkit.org>

        MacroAssemblerSH4 does not implement readCallTarget
        https://bugs.webkit.org/show_bug.cgi?id=73434

        Reviewed by Csaba Osztrogonác.

        * assembler/MacroAssemblerSH4.h: Support for SH4.
        (JSC::MacroAssemblerSH4::readCallTarget):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::readCallTarget):

2011-12-04  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize strict equality
        https://bugs.webkit.org/show_bug.cgi?id=73764

        Reviewed by Oliver Hunt.
        
        1% speed-up on V8.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
        (JSC::DFG::SpeculativeJIT::compileDoubleCompare):
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-03  Darin Adler  <darin@apple.com>

        Use HashMap<OwnPtr> for ScriptSampleRecordMap
        https://bugs.webkit.org/show_bug.cgi?id=73758

        Reviewed by Andreas Kling.

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::notifyOfScope): Added adoptPtr.
        (JSC::SamplingTool::dump): Added get.
        * bytecode/SamplingTool.h: Changed the value type of ScriptSampleRecordMap to be OwnPtr.

2011-12-03  Darin Adler  <darin@apple.com>

        Use HashMap<OwnPtr> for the opaqueJSClassData map
        https://bugs.webkit.org/show_bug.cgi?id=73759

        Reviewed by Andreas Kling.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::contextData): Update types.
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::~JSGlobalData): Add an explicit clear of opaqueJSClassData to keep the
        timing the same. If we didn't care about the order of operations, we could remove this, too.
        * runtime/JSGlobalData.h: Use OwnPtr instead of raw pointer for the mapped type in the
        opaqueJSClassData map.

2011-12-03  Darin Adler  <darin@apple.com>

        Change HashMap implementation to use the pass type and peek type from traits for the mapped value
        https://bugs.webkit.org/show_bug.cgi?id=72474

        Reviewed by Anders Carlsson.

        * wtf/HashMap.h: Added ReferenceTypeMaker struct template. Get PassInType, PassOutType,
        and PeekType from the traits of the mapped value instead of hard-coding them here.
        Changed inlineAdd to take a reference to the PassInType instead of the PassInType itself,
        to accomodate a PassInType that can't be copied. Use the store, peek, and passOut
        functions from the traits as well.

        * wtf/HashTraits.h: Updated GenericHashTraits and HashTraits for OwnPtr to include
        PassInType, PassOutType, PeekType, store, passOut, and peek. Before this, the file had
        an earlier version that was just PassType, PeekType, pass, and peek. Also commented
        the HashTraits for RefPtr to foreshadow some work we can do there.

        * wtf/RefPtrHashMap.h: Same changes as HashMap.h.

2011-12-02  David Levin  <levin@chromium.org>

        Rename WTF class from TemporarilyChange to TemporaryChange.
        https://bugs.webkit.org/show_bug.cgi?id=73479

        Reviewed by Eric Seidel.

        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/WTF/WTF.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * wtf/TemporaryChange.h: Renamed from Source/JavaScriptCore/wtf/TemporarilyChange.h.
        (WTF::TemporaryChange::TemporaryChange):
        (WTF::TemporaryChange::~TemporaryChange):

2011-12-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION (r99754): All layout tests crash on Windows
        https://bugs.webkit.org/show_bug.cgi?id=72305

        Reviewed by Geoffrey Garen.

        Fixes a crash in release builds on Windows.  Windows was optimizing the out-of-line virtual destructor in 
        JSFunction away, which left it with no virtual functions.  Its vtable ptr was then identical to that of 
        a different class, therefore the optimization in the visitChildren helper function in MarkedStack.cpp was calling an 
        incorrect version of visitChildren on the object, which left its children unmarked, causing them to be 
        collected when they were still reachable.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::vtableAnchor): Add a virtual function to JSFunction that Visual Studio can't optimize away.
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::storeVPtrs): Add checks to make sure that all virtual pointers that we rely on for optimization
        purposes are distinct from one another.

2011-12-02  Oliver Hunt  <oliver@apple.com>

        Improve float array support in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=73722

        Reviewed by Gavin Barraclough.

        Add basic support for float typed arrays in JSC.  This is currently
        less optimal than it could be in the following ways:
         * float32Array1[0] = float32Array2[0] (eg. an element by element copy) 
           promotes float to double and then back to float.
         * float64Array[0] will always perform NaN tests in order to prevent
           signalling NaNs from entering the engine.

        We also don't support Float32Array on ARMv7

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::loadDouble):
        (JSC::MacroAssemblerARMv7::loadFloat):
        (JSC::MacroAssemblerARMv7::storeDouble):
        (JSC::MacroAssemblerARMv7::storeFloat):
        (JSC::MacroAssemblerARMv7::convertFloatToDouble):
        (JSC::MacroAssemblerARMv7::convertDoubleToFloat):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::loadDouble):
        (JSC::MacroAssemblerX86Common::loadFloat):
        (JSC::MacroAssemblerX86Common::storeDouble):
        (JSC::MacroAssemblerX86Common::storeFloat):
        (JSC::MacroAssemblerX86Common::convertDoubleToFloat):
        (JSC::MacroAssemblerX86Common::convertFloatToDouble):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cvtsd2ss_rr):
        (JSC::X86Assembler::cvtss2sd_rr):
        (JSC::X86Assembler::movsd_rm):
        (JSC::X86Assembler::movss_rm):
        (JSC::X86Assembler::movsd_mr):
        (JSC::X86Assembler::movss_mr):
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::execute):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::shouldSpeculateFloat32Array):
        * dfg/DFGPropagator.cpp:
        (JSC::DFG::Propagator::propagateNodePredictions):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compile):

2011-12-02  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r101801.
        http://trac.webkit.org/changeset/101801
        https://bugs.webkit.org/show_bug.cgi?id=73667

        Build is still broken (Requested by Ossy on #webkit).

        * assembler/SH4Assembler.h:

2011-12-01  Darin Adler  <darin@apple.com>

        Prepare to deploy pass and peek types in the HashMap class
        https://bugs.webkit.org/show_bug.cgi?id=73477

        Reviewed by Adam Roben.

        This patch adds private typedefs inside the HashMap class,
        and uses them as appropriate. A future patch will actually
        tie those typedefs to hash traits, which will allow us to
        make HashMap work with OwnPtr mapped values and to optimize
        how HashMap works with RefPtr mapped values.

        Also changed the hash translator and adapter struct templates
        to use template functions to simplify them and make them more
        flexible.

        Also removed some unused template arguments.

        This goes out of its way to not change behavior. Future patches
        will change the peek type to be a reference type, which will
        reduce reference count churn a bit for hash tables with RefPtr
        mapped values, and then do further optimizations for RefPtr
        and OwnPtr by getting types from the hash traits.

        * wtf/HashMap.h: Added MappedPassInType, MappedPassOutType,
        and MappedPeekType typedefs, and used them for the arguments
        and return types of the get, set, add, take, and inlineAdd
        functions.
        (WTF::HashMapTranslator): Changed this struct template to take
        fewer arguments, and changed its member functions to be
        function templates instead. This allows the compiler to
        determine types more flexibly and also simplifies use of it.
        (WTF::HashMapTranslatorAdapter): Ditto.
        (WTF::HashMap::find): Updated to use new HashMapTranslatorAdapter.
        Also reduced the arguments passed to the HashTable function template.
        (WTF::HashMap::contains): Ditto.
        (WTF::HashMap::inlineAdd): Ditto. Also take MappedPassInType.
        (WTF::HashMap::set): Ditto.
        (WTF::HashMap::add): Ditto.
        (WTF::HashMap::inlineGet): Ditto, but return MappedPeekType.
        (WTF::HashMap::get): Ditto.
        (WTF::HashMap::take): Ditto, but return MappedPassOutType and use
        that type in the implementation.
        (WTF::deleteAllValues): Removed unneeded template arguments from
        call to deleteAllPairSeconds.
        (WTF::deleteAllKeys): Removed unneeded template arguments from
        call to deleteAllPairFirsts.

        * wtf/HashSet.h:
        (WTF::IdentityExtractor): Changed this to be a struct rather than
        a struct template, and replaced the extract function with a function
        template. This allows the compiler to deduce the type.
        (WTF::HashSetTranslatorAdapter): Changed this struct template to take
        fewer arguments, and changed its member functions to be
        function templates instead. This allows the compiler to
        determine types more flexibly and also simplifies use of it.
        (WTF::HashSet::find): Updated to use new HashSetTranslatorAdapter.
        Also reduced the arguments passed to the HashTable function template.
        (WTF::HashSet::contains): Ditto.
        (WTF::HashSet::add): Ditto.

        * wtf/HashTable.h:
        (WTF::IdentityHashTranslator): Changed this struct template to take
        fewer arguments, and changed its member functions to be
        function templates instead. This allows the compiler to
        determine types more flexibly and also simplifies use of it.
        (WTF::HashTable::add): Reduced arguments passed to the function template.
        (WTF::HashTable::find): Ditto, also reversed the template arguments so the
        translator comes first so the compiler can deduce the other type.
        (WTF::HashTable::contains): Ditto.
        (WTF::HashTable::lookup): Ditto.
        (WTF::HashTable::lookupForWriting): Ditto.
        (WTF::HashTable::checkKey): Ditto.
        (WTF::HashTable::fullLookupForWriting): Ditto.
        (WTF::HashTable::add): Ditto.
        (WTF::HashTable::addPassingHashCode): Ditto.
        (WTF::HashTable::find): Ditto.
        (WTF::HashTable::contains): Ditto.

        * wtf/ListHashSet.h:
        (WTF::ListHashSetNodeHashFunctions): Changed this struct template to take
        fewer arguments, and changed its member functions to be function templates
        instead. This allows the compiler to determine types more flexibly and
        also simplifies use of it.
        (WTF::ListHashSet::find): Reduced the arguments passed to the HashTable
        functon template.
        (WTF::ListHashSetTranslatorAdapter): Changed this struct template in the
        same way we changed ListHashSetNodeHashFunctions above.
        (WTF::ListHashSetTranslatorAdapter::equal):
        (WTF::::contains):
        (WTF::::add):
        (WTF::::insertBefore):

        * wtf/RefPtrHashMap.h: Updated comments. Removed the
        RefPtrHashMapRawKeyTranslator struct template; we can use the
        HashMapTranslator struct template from HashMap.h instead now that
        it is more flexible. Added MappedPassInType, MappedPassOutType,
        and MappedPeekType typedefs, and used them for the arguments
        and return types of the get, inlineGet, set, add, take, and inlineAdd
        functions. Changed the name of the RawKeyTranslator type to
        Translator since it's now a class that can handle both raw keys
        and conventional keys.
        (WTF::HashMap::find): Changed to use Translator instead of RawKeyTranslator.
        Reduced the arguments passed to the HashTable function template.
        (WTF::HashMap::contains): Ditto.
        (WTF::HashMap::inlineAdd): Ditto. Also take MappedPassInType.
        (WTF::HashMap::set): Ditto.
        (WTF::HashMap::add): Ditto.
        (WTF::HashMap::inlineGet): Ditto, but return MappedPeekType.
        (WTF::HashMap::get): Ditto.
        (WTF::HashMap::take): Ditto, but return MappedPassOutType and use
        that type in the implementation.
        (WTF::deleteAllValues): Removed unneeded template arguments from
        call to deleteAllPairSeconds.
        (WTF::deleteAllKeys): Removed unneeded template arguments from
        call to deleteAllPairFirsts.

2011-12-02  Zoltan Herczeg  <zherczeg@webkit.org>

        MacroAssemblerSH4 does not implement readCallTarget
        https://bugs.webkit.org/show_bug.cgi?id=73434

        Reviewed by Csaba Osztrogonác.