[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2013-03-22  David Kilzer  <ddkilzer@apple.com>

        Revert "BUILD FIX (r146558): Call [super dealloc] from -[TinyDOMNode dealloc]"

        This fixes a build failure introduced by this change:

            Source/JavaScriptCore/API/tests/testapi.mm:206:6: error: ARC forbids explicit message send of 'dealloc'
                [super dealloc];
                 ^     ~~~~~~~
            1 error generated.

        Not sure why this didn't fail locally on my Mac Pro.

        * API/tests/testapi.mm:
        (-[TinyDOMNode dealloc]): Remove call to [super dealloc].

2013-03-22  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX (r146558): Call [super dealloc] from -[TinyDOMNode dealloc]
        <http://webkit.org/b/112608>

        Fixes the following build failure:

            Source/JavaScriptCore/API/tests/testapi.mm:205:1: error: method possibly missing a [super dealloc] call [-Werror,-Wobjc-missing-super-calls]
            }
            ^
            1 error generated.

        * API/tests/testapi.mm:
        (-[TinyDOMNode dealloc]): Call [super dealloc].

2013-03-22  Ryosuke Niwa  <rniwa@webkit.org>

        Leak bots erroneously report JSC::WatchpointSet as leaking
        https://bugs.webkit.org/show_bug.cgi?id=107781

        Reviewed by Filip Pizlo.

        Since leaks doesn't support tagged pointers, avoid using it by flipping the bit flag to indicate
        the entry is "fat". We set the flag when the entry is NOT fat; i.e. slim.

        Replaced FatFlag by SlimFlag and initialized m_bits with this flag to indicate that the entry is
        initially "slim".

        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::copySlow): Don't set FatFlag since it has been replaced by SlimFlag.
        (JSC::SymbolTableEntry::inflateSlow): Ditto.

        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::Fast::Fast): Set SlimFlag by default.
        (JSC::SymbolTableEntry::Fast::isNull): Ignore SlimFlag.
        (JSC::SymbolTableEntry::Fast::isFat): An entry is fat when m_bits is not entirely zero and SlimFlag
        is not set.

        (JSC::SymbolTableEntry::SymbolTableEntry): Set SlimFlag by default.
        (JSC::SymbolTableEntry::SymbolTableEntry::getFast): Set SlimFlag when creating Fast from a fat entry.
        (JSC::SymbolTableEntry::isNull): Ignore SlimFlag.
        (JSC::SymbolTableEntry::FatEntry::FatEntry): Strip SlimFlag.
        (JSC::SymbolTableEntry::isFat): An entry is fat when m_bits is not entirely zero and SlimFlag is unset.
        (JSC::SymbolTableEntry::fatEntry): Don't strip FatFlag as this flag doesn't exist anymore.
        (JSC::SymbolTableEntry::pack): Preserve SlimFlag.

        (JSC::SymbolTableIndexHashTraits): empty value is no longer zero so don't set emptyValueIsZero true.

2013-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Need a good way to preserve custom properties on JS wrappers
        https://bugs.webkit.org/show_bug.cgi?id=112608

        Reviewed by Geoffrey Garen.

        Currently, we just use a weak map, which means that garbage collection can cause a wrapper to 
        disappear if it isn't directly exported to JavaScript.

        The most straightforward and safe way (with respect to garbage collection and concurrency) is to have 
        clients add and remove their external references along with their owners. Effectively, the client is 
        recording the structure of the external object graph so that the garbage collector can make sure to 
        mark any wrappers that are reachable through either the JS object graph of the external Obj-C object 
        graph. By keeping these wrappers alive, this has the effect that custom properties on these wrappers 
        will also remain alive.

        The rule for if an object needs to be tracked by the runtime (and therefore whether the client should report it) is as follows:
        For a particular object, its references to its children should be added if:
        1. The child is referenced from JavaScript.
        2. The child contains references to other objects for which (1) or (2) are true.

        * API/JSAPIWrapperObject.mm:
        (JSAPIWrapperObjectHandleOwner::finalize):
        (JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots): A wrapper object is kept alive only if its JSGlobalObject
        is marked and its corresponding Objective-C object was added to the set of opaque roots.
        (JSC::JSAPIWrapperObject::visitChildren): We now call out to scanExternalObjectGraph, which handles adding all Objective-C
        objects to the set of opaque roots.
        * API/JSAPIWrapperObject.h:
        (JSAPIWrapperObject):
        * API/JSContext.mm: Moved dealloc to its proper place in the main implementation.
        (-[JSContext dealloc]):
        * API/JSVirtualMachine.h:
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (getInternalObjcObject): Helper funciton to get the Objective-C object out of JSManagedValues or JSValues if there is one.
        (-[JSVirtualMachine addManagedReference:withOwner:]): Adds the Objective-C object to the set of objects 
        owned by the owner object in that particular virtual machine.
        (-[JSVirtualMachine removeManagedReference:withOwner:]): Removes the relationship between the two objects.
        (-[JSVirtualMachine externalObjectGraph]):
        (scanExternalObjectGraph): Does a depth-first search of the external object graph in a particular virtual machine starting at
        the specified root. Each new object it encounters it adds to the set of opaque roots. These opaque roots will keep their 
        corresponding wrapper objects alive if they have them. 
        * API/JSManagedReferenceInternal.h: Added.
        * API/JSVirtualMachine.mm: Added the per-JSVirtualMachine map between objects and the objects they own, which is more formally
        known as that virtual machine's external object graph.
        * API/JSWrapperMap.mm:
        (-[JSWrapperMap dealloc]): We were leaking this before :-(
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (-[JSVirtualMachine dealloc]):
        (-[JSVirtualMachine externalObjectGraph]):
        * API/JSVirtualMachineInternal.h:
        * API/tests/testapi.mm: Added two new tests using the TinyDOMNode class. The first tests that a custom property added to a wrapper 
        doesn't vanish after GC, even though that wrapper isn't directly accessible to the JS garbage collector but is accessible through 
        the external Objective-C object graph. The second test makes sure that adding an object to the external object graph with the same 
        owner doesn't cause any sort of problems.
        (+[TinyDOMNode sharedVirtualMachine]):
        (-[TinyDOMNode init]):
        (-[TinyDOMNode dealloc]):
        (-[TinyDOMNode appendChild:]):
        (-[TinyDOMNode numberOfChildren]):
        (-[TinyDOMNode childAtIndex:]):
        (-[TinyDOMNode removeChildAtIndex:]):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::containsOpaqueRootTriState): Added a new method to SlotVisitor to allow scanExternalObjectGraph to have a 
        thread-safe view of opaque roots during parallel marking. The set of opaque roots available to any one SlotVisitor isn't guaranteed
        to be 100% correct, but that just results in a small duplication of work in scanExternalObjectGraph. To indicate this change for
        false negatives we return a TriState that's either true or mixed, but never false.

2013-03-21  Mark Lam  <mark.lam@apple.com>

        Fix O(n^2) op_debug bytecode charPosition to column computation.
        https://bugs.webkit.org/show_bug.cgi?id=112957.

        Reviewed by Geoffrey Garen.

        The previous algorithm does a linear reverse scan of the source string
        to find the line start for any given char position. This results in a
        O(n^2) algortithm when the source string has no line breaks.

        The new algorithm computes a line start column table for a
        SourceProvider on first use. This line start table is used to fix up
        op_debug's charPosition operand into a column operand when an
        UnlinkedCodeBlock is linked into a CodeBlock. The initialization of
        the line start table is O(n), and the CodeBlock column fix up is
        O(log(n)).

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode): 
        (JSC::CodeBlock::CodeBlock): - do column fix up.
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug): - no need to do column fixup anymore.
        * interpreter/Interpreter.h:
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * parser/SourceProvider.cpp:
        (JSC::SourceProvider::lineStarts):
        (JSC::charPositionExtractor):
        (JSC::SourceProvider::charPositionToColumnNumber):
        - initialize line start column table if needed.
        - look up line start for the given char position.
        * parser/SourceProvider.h:

2013-03-21  Filip Pizlo  <fpizlo@apple.com>

        JSC profiler should have an at-a-glance report of the success of DFG optimization
        https://bugs.webkit.org/show_bug.cgi?id=112988

        Reviewed by Geoffrey Garen.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * profiler/ProfilerCompilation.cpp:
        (JSC::Profiler::Compilation::Compilation):
        (JSC::Profiler::Compilation::toJS):
        * profiler/ProfilerCompilation.h:
        (JSC::Profiler::Compilation::noticeInlinedGetById):
        (JSC::Profiler::Compilation::noticeInlinedPutById):
        (JSC::Profiler::Compilation::noticeInlinedCall):
        (Compilation):
        * runtime/CommonIdentifiers.h:

2013-03-21  Mark Lam  <mark.lam@apple.com>

        Fix lexer charPosition computation when "rewind"ing the lexer.
        https://bugs.webkit.org/show_bug.cgi?id=112952.

        Reviewed by Michael Saboff.

        Changed the Lexer to no longer keep a m_charPosition. Instead, we compute
        currentCharPosition() from m_code and m_codeStartPlusOffset, where
        m_codeStartPlusOffset is the SourceProvider m_codeStart + the SourceCode
        start offset. This ensures that the charPosition is always in sync with
        m_code.

        * parser/Lexer.cpp:
        (JSC::::setCode):
        (JSC::::internalShift):
        (JSC::::shift):
        (JSC::::lex):
        * parser/Lexer.h:
        (JSC::Lexer::currentCharPosition):
        (JSC::::lexExpectIdentifier):

2013-03-21  Alberto Garcia  <agarcia@igalia.com>

        [BlackBerry] GCActivityCallback: replace JSLock with JSLockHolder
        https://bugs.webkit.org/show_bug.cgi?id=112448

        Reviewed by Xan Lopez.

        This changed in r121381.

        * runtime/GCActivityCallbackBlackBerry.cpp:
        (JSC::DefaultGCActivityCallback::doWork):

2013-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: wrapperClass holds a static JSClassRef, which causes JSGlobalObjects to leak
        https://bugs.webkit.org/show_bug.cgi?id=112856

        Reviewed by Geoffrey Garen.

        Through a very convoluted path that involves the caching of prototypes on the JSClassRef, we can leak 
        JSGlobalObjects when inserting an Objective-C object into multiple independent JSContexts.

        * API/JSAPIWrapperObject.cpp: Removed.
        * API/JSAPIWrapperObject.h:
        (JSAPIWrapperObject):
        * API/JSAPIWrapperObject.mm: Copied from Source/JavaScriptCore/API/JSAPIWrapperObject.cpp. Made this an
        Objective-C++ file so that we can call release on the wrappedObject. Also added a WeakHandleOwner for 
        JSAPIWrapperObjects. This will also be used in a future patch for https://bugs.webkit.org/show_bug.cgi?id=112608.
        (JSAPIWrapperObjectHandleOwner):
        (jsAPIWrapperObjectHandleOwner):
        (JSAPIWrapperObjectHandleOwner::finalize): This finalize replaces the old finalize that was done through
        the C API.
        (JSC::JSAPIWrapperObject::finishCreation): Allocate the WeakImpl. Balanced in finalize.
        (JSC::JSAPIWrapperObject::setWrappedObject): We now do the retain of the wrappedObject here rather than in random
        places scattered around JSWrapperMap.mm
        * API/JSObjectRef.cpp: Added some ifdefs for platforms that don't support the Obj-C API.
        (JSObjectGetPrivate): Ditto.
        (JSObjectSetPrivate): Ditto.
        (JSObjectGetPrivateProperty): Ditto.
        (JSObjectSetPrivateProperty): Ditto.
        (JSObjectDeletePrivateProperty): Ditto.
        * API/JSValueRef.cpp: Ditto.
        (JSValueIsObjectOfClass): Ditto.
        * API/JSWrapperMap.mm: Remove wrapperClass().
        (objectWithCustomBrand): Change to no longer use a parent class, which was only used to give the ability to 
        finalize wrapper objects.
        (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Change to no longer use wrapperClass(). 
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Ditto.
        (tryUnwrapObjcObject): We now check if the object inherits from JSAPIWrapperObject.
        * API/tests/testapi.mm: Added a test that exports an Objective-C object to two different JSContexts and makes 
        sure that the first one is collected properly by using a weak JSManagedValue for the wrapper in the first JSContext.
        * CMakeLists.txt: Build file modifications.
        * GNUmakefile.list.am: Ditto.
        * JavaScriptCore.gypi: Ditto.
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
        * JavaScriptCore.xcodeproj/project.pbxproj: Ditto.
        * runtime/JSGlobalObject.cpp: More ifdefs for unsupported platforms.
        (JSC::JSGlobalObject::reset): Ditto.
        (JSC::JSGlobalObject::visitChildren): Ditto.
        * runtime/JSGlobalObject.h: Ditto.
        (JSGlobalObject): Ditto.
        (JSC::JSGlobalObject::objcCallbackFunctionStructure): Ditto.

2013-03-21  Anton Muhin  <antonm@chromium.org>

        Unreviewed, rolling out r146483.
        http://trac.webkit.org/changeset/146483
        https://bugs.webkit.org/show_bug.cgi?id=111695

        Breaks debug builds.

        * bytecode/GlobalResolveInfo.h: Removed property svn:mergeinfo.

2013-03-21  Gabor Rapcsanyi  <rgabor@webkit.org>

        Implement LLInt for CPU(ARM_TRADITIONAL)
        https://bugs.webkit.org/show_bug.cgi?id=97589

        Reviewed by Zoltan Herczeg.

        Enable LLInt for ARMv5 and ARMv7 traditional as well.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * offlineasm/arm.rb:
        * offlineasm/backends.rb:
        * offlineasm/instructions.rb:

2013-03-20  Cosmin Truta  <ctruta@blackberry.com>

        [QNX][ARM] REGRESSION(r135330): Various failures in Octane
        https://bugs.webkit.org/show_bug.cgi?id=112863

        Reviewed by Yong Li.

        This was fixed in http://trac.webkit.org/changeset/146396 on Linux only.
        Enable this fix on QNX.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):

2013-03-20  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSString.h

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSString.h:

2013-03-20  Filip Pizlo  <fpizlo@apple.com>

        "" + x where x is not a string should be optimized by the DFG to some manner of ToString conversion
        https://bugs.webkit.org/show_bug.cgi?id=112845

        Reviewed by Mark Hahnenberg.
        
        I like to do "" + x. So I decided to make DFG recognize it, and related idioms.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToPrimitive):
        (FixupPhase):
        (JSC::DFG::FixupPhase::fixupToString):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::resultOfToPrimitive):
        (DFG):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGPredictionPropagationPhase.h:
        (DFG):

2013-03-20  Zoltan Herczeg  <zherczeg@webkit.org>

        ARMv7 replaceWithJump ASSERT failure after r135330.
        https://bugs.webkit.org/show_bug.cgi?id=103146

        Reviewed by Filip Pizlo.

        On Linux, the 24 bit distance range of jumps sometimes does not
        enough to cover all targets addresses. This patch supports jumps
        outside of this range using a mov/movt/bx 10 byte long sequence.

        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::revertJumpTo_movT3movtcmpT2):
        (JSC::ARMv7Assembler::nopw):
        (JSC::ARMv7Assembler::label):
        (JSC::ARMv7Assembler::replaceWithJump):
        (JSC::ARMv7Assembler::maxJumpReplacementSize):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::revertJumpReplacementToBranchPtrWithPatch):

2013-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Fix over-releasing in allocateConstructorAndPrototypeWithSuperClassInfo:
        https://bugs.webkit.org/show_bug.cgi?id=112832

        Reviewed by Geoffrey Garen.

        If either the m_constructor or m_prototype (but not both) is collected, we will call 
        allocateConstructorAndPrototypeWithSuperClassInfo, which will create a new object to replace the one 
        that was collected, but at the end of the method we call release on both of them. 
        This is incorrect since we autorelease the JSValue in the case that the object doesn't need to be 
        reallocated. Thus we'll end up overreleasing later during the drain of the autorelease pool.

        * API/JSWrapperMap.mm:
        (objectWithCustomBrand): We no longer alloc here. We instead call the JSValue valueWithValue class method,
        which autoreleases for us.
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): We no longer call release on the 
        constructor or prototype JSValues.
        * API/tests/testapi.mm: Added a new test that crashes on ToT due to over-releasing.

2013-03-19  Filip Pizlo  <fpizlo@apple.com>

        It's called "Hash Consing" not "Hash Consting"
        https://bugs.webkit.org/show_bug.cgi?id=112768

        Rubber stamped by Mark Hahnenberg.
        
        See http://en.wikipedia.org/wiki/Hash_consing

        * heap/GCThreadSharedData.cpp:
        (JSC::GCThreadSharedData::GCThreadSharedData):
        (JSC::GCThreadSharedData::reset):
        * heap/GCThreadSharedData.h:
        (GCThreadSharedData):
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::SlotVisitor):
        (JSC::SlotVisitor::setup):
        (JSC::SlotVisitor::reset):
        (JSC::JSString::tryHashConsLock):
        (JSC::JSString::releaseHashConsLock):
        (JSC::JSString::shouldTryHashCons):
        (JSC::SlotVisitor::internalAppend):
        * heap/SlotVisitor.h:
        (SlotVisitor):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        (JSC::JSGlobalData::haveEnoughNewStringsToHashCons):
        (JSC::JSGlobalData::resetNewStringsSinceLastHashCons):
        * runtime/JSString.h:
        (JSC::JSString::finishCreation):
        (JSString):
        (JSC::JSString::isHashConsSingleton):
        (JSC::JSString::clearHashConsSingleton):
        (JSC::JSString::setHashConsSingleton):

2013-03-20  Filip Pizlo  <fpizlo@apple.com>

        DFG implementation of op_strcat should inline rope allocations
        https://bugs.webkit.org/show_bug.cgi?id=112780

        Reviewed by Oliver Hunt.
        
        This gets rid of the StrCat node and adds a MakeRope node. The MakeRope node can
        take either two or three operands, and allocates a rope string with either two or
        three fibers. (The magic choice of three children for non-VarArg nodes happens to
        match exactly with the magic choice of three fibers for rope strings.)
        
        ValueAdd on KnownString is replaced with MakeRope with two children.
        
        StrCat gets replaced by an appropriate sequence of MakeRope's.
        
        MakeRope does not do the dynamic check to see if its children are empty strings.
        This is replaced by a static check, instead. The downside is that we may use more
        memory if the strings passed to MakeRope turn out to dynamically be empty. The
        upside is that we do fewer checks in the cases where either the strings are not
        empty, or where the strings are statically known to be empty. I suspect both of
        those cases are more common, than the case where the string is dynamically empty.
        
        This also results in some badness for X86. MakeRope needs six registers if it is
        allocating a three-rope. We don't have six registers to spare on X86. Currently,
        the code side-steps this problem by just never usign three-ropes in optimized
        code on X86. All other architectures, including X86_64, don't have this problem.
        
        This is a shocking speed-up. 9% progressions on both V8/splay and
        SunSpider/date-format-xparb. 1% progression on V8v7 overall, and ~0.5% progression
        on SunSpider. 2x speed-up on microbenchmarks that test op_strcat.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAdjacencyList.h:
        (AdjacencyList):
        (JSC::DFG::AdjacencyList::removeEdge):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::createToString):
        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
        (JSC::DFG::FixupPhase::convertStringAddUse):
        (FixupPhase):
        (JSC::DFG::FixupPhase::convertToMakeRope):
        (JSC::DFG::FixupPhase::fixupMakeRope):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (DFG):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::~SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (JSC::DFG::SpeculateCellOperand::use):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSString.h:
        (JSRopeString):

2013-03-20  Peter Gal  <galpeter@inf.u-szeged.hu>

        Implement and32 on MIPS platform
        https://bugs.webkit.org/show_bug.cgi?id=112665

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::and32): Added missing method.
        (MacroAssemblerMIPS):

2013-03-20  Mark Lam  <mark.lam@apple.com>

        Fix incorrect debugger column number value.
        https://bugs.webkit.org/show_bug.cgi?id=112741.

        Reviewed by Oliver Hunt.

        1. In lexer, parser, and debugger code, renamed column to charPosition.
        2. Convert the charPosition to the equivalent column number before
           passing it to the debugger.
        3. Changed ScopeNodes to take both a startLocation and an endLocation.
           This allows FunctionBodyNodes, ProgramNodes, and EvalNodess to emit
           correct debug hooks with correct starting line and column numbers.
        4. Fixed the Lexer to not reset the charPosition (previously
           columnNumber) in Lexer::lex().

        * JavaScriptCore.order:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitDebugHook):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitExpressionInfo):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::toArgumentList):
        (JSC::ConstStatementNode::emitBytecode):
        (JSC::EmptyStatementNode::emitBytecode):
        (JSC::DebuggerStatementNode::emitBytecode):
        (JSC::ExprStatementNode::emitBytecode):
        (JSC::VarStatementNode::emitBytecode):
        (JSC::IfNode::emitBytecode):
        (JSC::IfElseNode::emitBytecode):
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::emitBytecode):
        (JSC::ReturnNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::LabelNode::emitBytecode):
        (JSC::ThrowNode::emitBytecode):
        (JSC::TryNode::emitBytecode):
        (JSC::ProgramNode::emitBytecode):
        (JSC::EvalNode::emitBytecode):
        (JSC::FunctionBodyNode::emitBytecode):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::debug):
        - convert charPosition to column for the debugger.
        * interpreter/Interpreter.h:
        * jit/JITStubs.cpp:
        (DEFINE_STUB_FUNCTION(void, op_debug)):
        * llint/LLIntSlowPaths.cpp:
        (LLINT_SLOW_PATH_DECL(slow_op_debug)):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionExpr):
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::createGetterOrSetterProperty):
        (JSC::ASTBuilder::createFuncDeclStatement):
        (JSC::ASTBuilder::createBlockStatement):
        (JSC::ASTBuilder::createExprStatement):
        (JSC::ASTBuilder::createIfStatement):
        (JSC::ASTBuilder::createForLoop):
        (JSC::ASTBuilder::createForInLoop):
        (JSC::ASTBuilder::createVarStatement):
        (JSC::ASTBuilder::createReturnStatement):
        (JSC::ASTBuilder::createBreakStatement):
        (JSC::ASTBuilder::createContinueStatement):
        (JSC::ASTBuilder::createTryStatement):
        (JSC::ASTBuilder::createSwitchStatement):
        (JSC::ASTBuilder::createWhileStatement):
        (JSC::ASTBuilder::createDoWhileStatement):
        (JSC::ASTBuilder::createWithStatement):
        (JSC::ASTBuilder::createThrowStatement):
        (JSC::ASTBuilder::createDebugger):
        (JSC::ASTBuilder::createConstStatement):
        * parser/Lexer.cpp:
        (JSC::::setCode):
        (JSC::::internalShift):
        (JSC::::shift):
        (JSC::::lex):
        * parser/Lexer.h:
        (JSC::Lexer::currentCharPosition):
        (Lexer):
        (JSC::::lexExpectIdentifier):
        * parser/NodeConstructors.h:
        (JSC::Node::Node):
        * parser/Nodes.cpp:
        (JSC::StatementNode::setLoc):
        (JSC::ScopeNode::ScopeNode):
        (JSC::ProgramNode::ProgramNode):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::EvalNode):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::create):
        * parser/Nodes.h:
        (JSC::Node::charPosition):
        (Node):
        (StatementNode):
        (JSC::StatementNode::lastLine):
        (ScopeNode):
        (JSC::ScopeNode::startLine):
        (JSC::ScopeNode::startCharPosition):
        (ProgramNode):
        (EvalNode):
        (FunctionBodyNode):
        * parser/Parser.cpp:
        (JSC::::Parser):
        (JSC::::parseFunctionBody):
        (JSC::::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::::parse):
        * parser/ParserTokens.h:
        (JSC::JSTokenLocation::JSTokenLocation):
        (JSTokenLocation):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionBody):

2013-03-20  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r146089): It broke 20 sputnik tests on ARM traditional and Thumb2
        https://bugs.webkit.org/show_bug.cgi?id=112676

        Rubber-stamped by Filip Pizlo.

        Add one more EABI_32BIT_DUMMY_ARG to make DFG JIT ARM EABI compatible
        again after r146089 similar to https://bugs.webkit.org/show_bug.cgi?id=84449

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):

2013-03-19  Michael Saboff  <msaboff@apple.com>

        Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData
        https://bugs.webkit.org/show_bug.cgi?id=112694

        Reviewed by Filip Pizlo.

        We were trying to convert an NewArray to a Phantom, but convertToPhantom doesn't handle
        nodes with variable arguments.  Added code to insert a Phantom node in front of all the
        live children of a var args node.  Added ASSERT not var args for convertToPhantom to
        catch any other similar cases.  Added a new convertToPhantomUnchecked() for converting 
        var arg nodes.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::setOpAndDefaultNonExitFlags): Added ASSERT(!(m_flags & NodeHasVarArgs))
        (JSC::DFG::Node::setOpAndDefaultNonExitFlagsUnchecked):
        (JSC::DFG::Node::convertToPhantomUnchecked):

2013-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Crash in SpeculativeJIT::fillSpeculateIntInternal<false> on http://bellard.org/jslinux
        https://bugs.webkit.org/show_bug.cgi?id=112738

        Reviewed by Filip Pizlo.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixIntEdge): We shouldn't be killing this node because it could be
        referenced by other people.

2013-03-19  Oliver Hunt  <oliver@apple.com>

        RELEASE_ASSERT fires in exception handler lookup

        RS=Geoff Garen.

        Temporarily switch this RELEASE_ASSERT into a regular ASSERT 
        as currently this is producing fairly bad crashiness.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::handlerForBytecodeOffset):

2013-03-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should optimize StringObject.length and StringOrStringObject.length
        https://bugs.webkit.org/show_bug.cgi?id=112658

        Reviewed by Mark Hahnenberg.
        
        Implemented by injecting a ToString(StringObject:@a) or ToString(StringOrStringObject:@a) prior
        to GetArrayLength with ArrayMode(Array::String) if @a is predicted StringObject or
        StringOrStringObject.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::createToString):
        (FixupPhase):
        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
        (JSC::DFG::FixupPhase::convertStringAddUse):

2013-03-19  Gabor Rapcsanyi  <rgabor@webkit.org>

        Implement and32 on ARMv7 and ARM traditional platforms
        https://bugs.webkit.org/show_bug.cgi?id=112663

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::and32): Add missing method.
        (MacroAssemblerARM):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::and32): Add missing method.
        (MacroAssemblerARMv7):

2013-03-18  Filip Pizlo  <fpizlo@apple.com>

        DFG ToString generic cases should work correctly
        https://bugs.webkit.org/show_bug.cgi?id=112654
        <rdar://problem/13447250>

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-18  Michael Saboff  <msaboff@apple.com>

        Unreviewed build fix for 32 bit builds.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-18  Michael Saboff  <msaboff@apple.com>

        EFL: Unsafe branch detected in compilePutByValForFloatTypedArray()
        https://bugs.webkit.org/show_bug.cgi?id=112609

        Reviewed by Geoffrey Garen.

        Created local valueFPR and scratchFPR and filled them with valueOp.fpr() and scratch.fpr()
        respectively so that if valueOp.fpr() causes a spill during allocation, it occurs before the
        branch and also to follow convention.  Added register allocation checks to FPRTemporary.
        Cleaned up a couple of other places to follow the "AllocatVirtualRegType foo, get machine
        reg from foo" pattern.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::fprAllocate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::convertToDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-18  Filip Pizlo  <fpizlo@apple.com>

        DFG should inline binary string concatenations (i.e. ValueAdd with string children)
        https://bugs.webkit.org/show_bug.cgi?id=112599

        Reviewed by Oliver Hunt.
        
        This does as advertised: if you do x + y where x and y are strings, you'll get
        a fast inlined JSRopeString allocation (along with whatever checks are necessary).
        It also does good things if either x or y (or both) are StringObjects, or some
        other thing like StringOrStringObject. It also lays the groundwork for making this
        fast if either x or y are numbers, or some other reasonably-cheap-to-convert
        value.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::isStringObjectUse):
        (JSC::DFG::FixupPhase::convertStringAddUse):
        (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAdd):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        * runtime/JSString.h:
        (JSC::JSString::offsetOfFlags):
        (JSString):
        (JSRopeString):
        (JSC::JSRopeString::offsetOfFibers):

2013-03-18  Filip Pizlo  <fpizlo@apple.com>

        JSC_NATIVE_FUNCTION() takes an identifier for the name and then uses #name, which is unsafe if name was already #define'd to something else
        https://bugs.webkit.org/show_bug.cgi?id=112639

        Reviewed by Michael Saboff.
        
        Change it to take a string instead.

        * runtime/JSObject.h:
        (JSC):
        * runtime/ObjectPrototype.cpp:
        (JSC::ObjectPrototype::finishCreation):
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2013-03-18  Brent Fulgham  <bfulgham@webkit.org>

        [WinCairo] Get build working under VS2010.
        https://bugs.webkit.org/show_bug.cgi?id=112604

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Use CFLite-specific
        build target (standard version links against CoreFoundation.lib
        instead of CFLite.lib).
        * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: Added.
        * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: Added.

2013-03-18  Roger Fong  <roger_fong@apple.com>

        AppleWin VS2010 Debug configuration build fix..

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:

2013-03-18  Brent Fulgham  <bfulgham@webkit.org>

        [WinCairo] Get build working under VS2010.
        https://bugs.webkit.org/show_bug.cgi?id=112604

        Reviewed by Tim Horton.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add build targets for
        Debug_WinCairo and Release_WinCairo using CFLite.
        * JavaScriptCore.vcxproj/JavaScriptCoreCFLite.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: Added.
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
        Add Debug_WinCairo and Release_WinCairo build targets to
        make sure headers are copied to proper build folder.
        * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: Added.
        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
        Add Debug_WinCairo and Release_WinCairo build targets to
        make sure headers are copied to proper build folder.
        * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
        Ditto.
        * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
        Ditto.
        * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Ditto.
        * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Ditto.

2013-03-18  Michael Saboff  <msaboff@apple.com>

        Potentially unsafe register allocations in DFG code generation
        https://bugs.webkit.org/show_bug.cgi?id=112477

        Reviewed by Geoffrey Garen.

        Moved allocation of temporary GPRs to be before any generated branches in the functions below.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):

2013-03-15  Filip Pizlo  <fpizlo@apple.com>

        DFG string conversions and allocations should be inlined
        https://bugs.webkit.org/show_bug.cgi?id=112376

        Reviewed by Geoffrey Garen.
        
        This turns new String(), String(), String.prototype.valueOf(), and
        String.prototype.toString() into intrinsics. It gives the DFG the ability to handle
        conversions from StringObject to JSString and vice-versa, and also gives it the
        ability to handle cases where a variable may be either a StringObject or a JSString.
        To do this, I added StringObject to value profiling (and removed the stale
        distinction between Myarguments and Foreignarguments). I also cleaned up ToPrimitive
        handling, using some of the new functionality but also taking advantage of the
        existence of Identity(String:@a).
        
        This is a 2% SunSpider speed-up. Also there are some speed-ups on V8v7 and Kraken.
        On microbenchmarks that stress new String() this is a 14x speed-up.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * bytecode/CodeBlock.h:
        (CodeBlock):
        (JSC::CodeBlock::hasExitSite):
        (JSC):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::ExitProfile::hasExitSite):
        (DFG):
        * bytecode/DFGExitProfile.h:
        (ExitProfile):
        (JSC::DFG::ExitProfile::hasExitSite):
        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        * bytecode/ExitKind.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::dumpSpeculation):
        (JSC::speculationToAbbreviatedString):
        (JSC::speculationFromClassInfo):
        * bytecode/SpeculatedType.h:
        (JSC):
        (JSC::isStringObjectSpeculation):
        (JSC::isStringOrStringObjectSpeculation):
        * create_hash_table:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::filterEdgeByUse):
        * dfg/DFGByteCodeParser.cpp:
        (ByteCodeParser):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
        (DFG):
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::shift):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
        (FixupPhase):
        (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::hasGlobalExitSite):
        (Graph):
        (JSC::DFG::Graph::hasExitSite):
        (JSC::DFG::Graph::clobbersWorld):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToToString):
        (Node):
        (JSC::DFG::Node::hasStructure):
        (JSC::DFG::Node::shouldSpeculateStringObject):
        (JSC::DFG::Node::shouldSpeculateStringOrStringObject):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringObject):
        (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        (SpeculativeJIT):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (DFG):
        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * interpreter/CallFrame.h:
        (JSC::ExecState::regExpPrototypeTable):
        * runtime/CommonIdentifiers.h:
        * runtime/Intrinsic.h:
        * runtime/JSDestructibleObject.h:
        (JSDestructibleObject):
        (JSC::JSDestructibleObject::classInfoOffset):
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        (JSC):
        * runtime/JSWrapperObject.h:
        (JSC::JSWrapperObject::allocationSize):
        (JSWrapperObject):
        (JSC::JSWrapperObject::internalValueOffset):
        (JSC::JSWrapperObject::internalValueCellOffset):
        * runtime/StringPrototype.cpp:
        (JSC):
        (JSC::StringPrototype::finishCreation):
        (JSC::StringPrototype::create):
        * runtime/StringPrototype.h:
        (StringPrototype):

2013-03-18  Filip Pizlo  <fpizlo@apple.com>

        ObjectPrototype properties should be eagerly created rather than lazily via static tables
        https://bugs.webkit.org/show_bug.cgi?id=112539

        Reviewed by Oliver Hunt.
        
        This is the first part of https://bugs.webkit.org/show_bug.cgi?id=112233. Rolling this
        in first since it's the less-likely-to-be-broken part.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * interpreter/CallFrame.h:
        (JSC::ExecState::objectConstructorTable):
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNativeFunction):
        (JSC):
        * runtime/JSObject.h:
        (JSObject):
        (JSC):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/ObjectPrototype.cpp:
        (JSC):
        (JSC::ObjectPrototype::finishCreation):
        (JSC::ObjectPrototype::create):
        * runtime/ObjectPrototype.h:
        (ObjectPrototype):

2013-03-16  Pratik Solanki  <psolanki@apple.com>

        Disable High DPI Canvas on iOS
        https://bugs.webkit.org/show_bug.cgi?id=112511

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2013-03-15  Andreas Kling  <akling@apple.com>

        Don't also clone StructureRareData when cloning Structure.
        <http://webkit.org/b/111672>

        Reviewed by Mark Hahnenberg.

        We were cloning a lot of StructureRareData with only the previousID pointer set since
        the enumerationCache is not shared between clones.

        Let the Structure copy constructor decide whether it wants to clone the rare data.
        The decision is made by StructureRareData::needsCloning() and will currently always
        return false, since StructureRareData only holds on to caches at present.
        This may change in the future as more members are added to StructureRareData.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        (JSC::Structure::cloneRareDataFrom):
        * runtime/StructureInlines.h:
        (JSC::Structure::create):

2013-03-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Roll out r145838
        https://bugs.webkit.org/show_bug.cgi?id=112458

        Unreviewed. Requested by Filip Pizlo.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::objectPrototypeTable):
        * jit/JITStubs.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/CommonIdentifiers.h:
        * runtime/JSCell.cpp:
        (JSC):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSCellInlines.h:
        (JSC):
        (JSC::JSCell::fastGetOwnProperty):
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSObject.cpp:
        (JSC):
        * runtime/JSObject.h:
        (JSObject):
        (JSC):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/ObjectPrototype.cpp:
        (JSC):
        (JSC::ObjectPrototype::finishCreation):
        (JSC::ObjectPrototype::getOwnPropertySlot):
        (JSC::ObjectPrototype::getOwnPropertyDescriptor):
        * runtime/ObjectPrototype.h:
        (JSC::ObjectPrototype::create):
        (ObjectPrototype):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::findWithString):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2013-03-15  Michael Saboff  <msaboff@apple.com>

        Cleanup of DFG and Baseline JIT debugging code
        https://bugs.webkit.org/show_bug.cgi?id=111871

        Reviewed by Geoffrey Garen.

        Fixed various debug related issue in baseline and DFG JITs. See below.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL.
        * dfg/DFGScratchRegisterAllocator.h: Now use ScratchBuffer::activeLengthPtr() to get
        pointer to scratch register length.
        (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkConsistency): Added missing case labels for DataFormatOSRMarker,
        DataFormatDead, and DataFormatArguments and made them RELEASE_ASSERT_NOT_REACHED();
        * jit/JITCall.cpp:
        (JSC::JIT::privateCompileClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL.
        * jit/JITCall32_64.cpp:
        (JSC::JIT::privateCompileClosureCall): Used pointerDump() to handle when calleeCodeBlock is NULL.
        * runtime/JSGlobalData.h:
        (JSC::ScratchBuffer::ScratchBuffer): Fixed buffer allocation alignment to
        be on a double boundary.
        (JSC::ScratchBuffer::setActiveLength):
        (JSC::ScratchBuffer::activeLength):
        (JSC::ScratchBuffer::activeLengthPtr):

2013-03-15  Michael Saboff  <msaboff@apple.com>

        Add runtime check for improper register allocations in DFG
        https://bugs.webkit.org/show_bug.cgi?id=112380

        Reviewed by Geoffrey Garen.

        Added framework to check for register allocation within a branch source - target range.  All register allocations
        are saved using the offset in the code stream where the allocation occurred.  Later when a jump is linked, the
        currently saved register allocations are checked to make sure that they didn't occur in the range of code that was
        jumped over.  This protects against the case where an allocation could have spilled register contents to free up 
        a register and that spill only occurs on one path of a many through the code.  A subsequent fill of the spilled
        register may load garbage.  See https://bugs.webkit.org/show_bug.cgi?id=111777 for one such bug.
        This code is protected by the compile time check of #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION).
        The check is only done during the processing of SpeculativeJIT::compile(Node* node) and its callees.
 
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::Jump::link): Invoke register allocation checks using source and target of link.
        (JSC::AbstractMacroAssembler::Jump::linkTo): Invoke register allocation checks using source and target of link.
        (AbstractMacroAssembler):
        (RegisterAllocationOffset): New helper class to store the instruction stream offset and compare against a 
        jump range.
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::RegisterAllocationOffset):
        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::check):
        (JSC::AbstractMacroAssembler::addRegisterAllocationAtOffset):
        (JSC::AbstractMacroAssembler::clearRegisterAllocationOffsets): 
        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::allocate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-14  Oliver Hunt  <oliver@apple.com>

        REGRESSION(r145000): Crash loading arstechnica.com when Safari Web Inspector is open
        https://bugs.webkit.org/show_bug.cgi?id=111868

        Reviewed by Antti Koivisto.

        Don't allow non-local property lookup when the debugger is enabled.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::resolve):

2013-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Objective-C functions exposed to JavaScript have the wrong type (object instead of function)
        https://bugs.webkit.org/show_bug.cgi?id=105892

        Reviewed by Geoffrey Garen.

        Changed ObjCCallbackFunction to subclass JSCallbackFunction which already has all of the machinery to call
        functions using the C API. Since ObjCCallbackFunction is now a JSCell, we changed the old implementation of
        ObjCCallbackFunction to be the internal implementation and keep track of all the proper data so that we 
        don't have to put all of that in the header, which will now be included from C++ files (e.g. JSGlobalObject.cpp).

        * API/JSCallbackFunction.cpp: Change JSCallbackFunction to allow subclassing. Originally it was internally
        passing its own Structure up the chain of constructors, but we now want to be able to pass other Structures as well.
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::create):
        * API/JSCallbackFunction.h:
        (JSCallbackFunction):
        * API/JSWrapperMap.mm: Changed interface to tryUnwrapBlock.
        (tryUnwrapObjcObject):
        * API/ObjCCallbackFunction.h:
        (ObjCCallbackFunction): Moved into the JSC namespace, just like JSCallbackFunction.
        (JSC::ObjCCallbackFunction::createStructure): Overridden so that the correct ClassInfo gets used since we have 
        a destructor.
        (JSC::ObjCCallbackFunction::impl): Getter for the internal impl.
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): What used to be ObjCCallbackFunction is now 
        ObjCCallbackFunctionImpl. It handles the Objective-C specific parts of managing callback functions.
        (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl):
        (JSC::objCCallbackFunctionCallAsFunction): Same as the old one, but now it casts to ObjCCallbackFunction and grabs the impl 
        rather than using JSObjectGetPrivate.
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction): New bits to allow being part of the JSCell hierarchy.
        (JSC::ObjCCallbackFunction::create):
        (JSC::ObjCCallbackFunction::destroy):
        (JSC::ObjCCallbackFunctionImpl::call): Handles the actual invocation, just like it used to.
        (objCCallbackFunctionForInvocation):
        (tryUnwrapBlock): Changed to check the ClassInfo for inheritance directly, rather than going through the C API call.
        * API/tests/testapi.mm: Added new test to make sure that doing Function.prototype.toString.call(f) won't result in 
        an error when f is an Objective-C method or block underneath the covers.
        * runtime/JSGlobalObject.cpp: Added new Structure for ObjCCallbackFunction.
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::objcCallbackFunctionStructure):

2013-03-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Nested dictionaries are not converted properly in the Objective-C binding
        https://bugs.webkit.org/show_bug.cgi?id=112377

        Reviewed by Oliver Hunt.

        Accidental reassignment of the root task in the container conversion logic was causing the last 
        array or dictionary processed to be returned in the case of nested containers.

        * API/JSValue.mm:
        (containerValueToObject):
        * API/tests/testapi.mm:

2013-03-13  Filip Pizlo  <fpizlo@apple.com>

        JSObject fast by-string access optimizations should work even on the prototype chain, and even when the result is undefined
        https://bugs.webkit.org/show_bug.cgi?id=112233

        Reviewed by Oliver Hunt.
        
        Extended the existing fast access path for String keys to work over the entire prototype chain,
        not just the self access case. This will fail as soon as it sees an object that intercepts
        getOwnPropertySlot, so this patch also ensures that ObjectPrototype does not fall into that
        category. This is accomplished by making ObjectPrototype eagerly reify all of its properties.
        This is safe for ObjectPrototype because it's so common and we expect all of its properties to
        be reified for any interesting programs anyway. A new idiom for adding native functions to
        prototypes is introduced, which ought to work well for any other prototypes that we wish to do
        this conversion for.
        
        This is a >60% speed-up in the case that you frequently do by-string lookups that "miss", i.e.
        they don't turn up anything.

        * CMakeLists.txt:
        * DerivedSources.make:
        * DerivedSources.pri:
        * GNUmakefile.list.am:
        * dfg/DFGOperations.cpp:
        * interpreter/CallFrame.h:
        (JSC::ExecState::objectConstructorTable):
        * jit/JITStubs.cpp:
        (JSC::getByVal):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::getByVal):
        * runtime/CommonIdentifiers.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::getByStringSlow):
        (JSC):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSCellInlines.h:
        (JSC):
        (JSC::JSCell::getByStringAndKey):
        (JSC::JSCell::getByString):
        * runtime/JSGlobalData.cpp:
        (JSC):
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::~JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectNativeFunction):
        (JSC):
        * runtime/JSObject.h:
        (JSObject):
        (JSC):
        * runtime/Lookup.cpp:
        (JSC::setUpStaticFunctionSlot):
        * runtime/ObjectPrototype.cpp:
        (JSC):
        (JSC::ObjectPrototype::finishCreation):
        (JSC::ObjectPrototype::create):
        * runtime/ObjectPrototype.h:
        (ObjectPrototype):
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::findWithString):
        * runtime/Structure.h:
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        (JSC):

2013-03-13  Filip Pizlo  <fpizlo@apple.com>

        DFG bytecode parser is too aggressive about getting rid of GetLocals on captured variables
        https://bugs.webkit.org/show_bug.cgi?id=112287
        <rdar://problem/13342340>

        Reviewed by Oliver Hunt.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getLocal):

2013-03-13  Ryosuke Niwa  <rniwa@webkit.org>

        Threaded HTML Parser is missing feature define flags in all but Chromium port's build files
        https://bugs.webkit.org/show_bug.cgi?id=112277

        Reviewed by Adam Barth.

        * Configurations/FeatureDefines.xcconfig:

2013-03-13  Csaba Osztrogonác  <ossy@webkit.org>

        LLINT C loop warning fix for GCC
        https://bugs.webkit.org/show_bug.cgi?id=112145

        Reviewed by Filip Pizlo.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):

2013-02-13  Simon Hausmann  <simon.hausmann@digia.com>

        Add support for convenient conversion from JSStringRef to QString
        https://bugs.webkit.org/show_bug.cgi?id=109694

        Reviewed by Allan Sandfeld Jensen.

        Add JSStringCopyQString helper function that allows for the convenient
        extraction of a QString out of a JSStringRef.

        * API/JSStringRefQt.cpp: Added.
        (JSStringCopyQString):
        * API/JSStringRefQt.h: Added.
        * API/OpaqueJSString.h:
        (OpaqueJSString):
        (OpaqueJSString::qString):
        (OpaqueJSString::OpaqueJSString):
        * Target.pri:

2013-03-13  Peter Gal  <galpeter@inf.u-szeged.hu>

        Token 'not' is ignored in the offlineasm.
        https://bugs.webkit.org/show_bug.cgi?id=111568

        Reviewed by Filip Pizlo.

        * offlineasm/parser.rb: Build the Not AST node if the 'not' token is found.

2013-03-12  Tim Horton  <timothy_horton@apple.com>

        WTF uses macros for exports. Try to fix the Windows build. Unreviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

2013-03-12  Filip Pizlo  <fpizlo@apple.com>

        Array.prototype.sort should at least try to be PTIME even when the array is in some bizarre mode
        https://bugs.webkit.org/show_bug.cgi?id=112187
        <rdar://problem/13393550>

        Reviewed by Michael Saboff and Gavin Barraclough.
        
        If we have an array-like object in crazy mode passed into Array.prototype.sort, and its length is large,
        then first copy all elements into a separate, compact, un-holy array and sort that. Then copy back.
        This means that sorting will be at worst O(n^2) in the actual number of things in the array, rather than
        O(n^2) in the array's length.

        * runtime/ArrayPrototype.cpp:
        (JSC::attemptFastSort):
        (JSC::performSlowSort):
        (JSC):
        (JSC::arrayProtoFuncSort):

2013-03-12  Tim Horton  <timothy_horton@apple.com>

        Try to fix the Windows build.

        Not reviewed.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:

2013-03-12  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Windows build.

        Not reviewed.

        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        Export a thing.

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Harden JSStringJoiner
        https://bugs.webkit.org/show_bug.cgi?id=112093

        Reviewed by Filip Pizlo.

        Harden JSStringJoiner, make it use our CheckedArithmetic
        class to simplify everything.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-12  Filip Pizlo  <fpizlo@apple.com>

        DFG generic array access cases should not be guarded by CheckStructure even of the profiling tells us that it could be
        https://bugs.webkit.org/show_bug.cgi?id=112183

        Reviewed by Oliver Hunt.
        
        Slight speed-up on string-unpack-code.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::findAndRemoveUnnecessaryStructureCheck):
        (FixupPhase):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):

2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        https://bugs.webkit.org/show_bug.cgi?id=112141
        LLInt CLoop backend misses Double2Ints() on 32bit architectures

        Reviewed by Filip Pizlo.

        Implement Double2Ints() in CLoop backend of LLInt on 32bit architectures.

        * llint/LowLevelInterpreter.cpp:
        (LLInt):
        (JSC::LLInt::Double2Ints):
        * offlineasm/cloop.rb:

2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        Making more sophisticated cache flush on ARM Linux platform
        https://bugs.webkit.org/show_bug.cgi?id=111854

        Reviewed by Zoltan Herczeg.

        The cache flush on ARM Linux invalidates whole pages
        instead of just the required area.

        * assembler/ARMAssembler.h:
        (ARMAssembler):
        (JSC::ARMAssembler::linuxPageFlush):
        (JSC::ARMAssembler::cacheFlush):
        * assembler/ARMv7Assembler.h:
        (ARMv7Assembler):
        (JSC::ARMv7Assembler::linuxPageFlush):
        (JSC::ARMv7Assembler::cacheFlush):

2013-03-12  Gabor Rapcsanyi  <rgabor@webkit.org>

        Renaming the armv7.rb LLINT backend to arm.rb
        https://bugs.webkit.org/show_bug.cgi?id=110565

        Reviewed by Zoltan Herczeg.

        This is the first step of a unified ARM backend for
        all ARM 32 bit architectures in LLInt.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * LLIntOffsetsExtractor.pro:
        * offlineasm/arm.rb: Copied from Source/JavaScriptCore/offlineasm/armv7.rb.
        * offlineasm/armv7.rb: Removed.
        * offlineasm/backends.rb:
        * offlineasm/risc.rb:

2013-03-12  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r145482): It broke 33 jsc tests and zillion layout tests on all platform
        https://bugs.webkit.org/show_bug.cgi?id=112112

        Reviewed by Oliver Hunt.

        Rolling out https://trac.webkit.org/changeset/145482 to unbreak the bots.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-12  Filip Pizlo  <fpizlo@apple.com>

        DFG prediction propagation phase should not rerun forward propagation if double voting has already converged
        https://bugs.webkit.org/show_bug.cgi?id=111920

        Reviewed by Oliver Hunt.
        
        I don't know why we weren't exiting early after double voting if !m_changed.
        
        This change also removes backwards propagation from the voting fixpoint, since at that
        point short-circuiting loops is probably not particularly profitable. Profiling shows
        that this reduces the time spent in prediction propagation even further.
        
        This change appears to be a 1% SunSpider speed-up.

        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::run):

2013-03-11  Filip Pizlo  <fpizlo@apple.com>

        DFG overflow check elimination is too smart for its own good
        https://bugs.webkit.org/show_bug.cgi?id=111832

        Reviewed by Oliver Hunt and Gavin Barraclough.
        
        Rolling this back in after fixing accidental misuse of JSValue. The code was doing value < someInt
        rather than value.asInt32() < someInt. This "worked" when isWithinPowerOfTwo wasn't templatized.
        It worked by always being false and always disabling the relvant optimization.
        
        This improves overflow check elimination in three ways:
        
        1) It reduces the amount of time the compiler will spend doing it.
        
        2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
           over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
           are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
           that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
           @b->children are int32's and that hence @b might produce a large enough result that doubles would
           start chopping low bits. The specific implication of this is that for a binary operation to not
           propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
           of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
           operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
           latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
           large won't even make it into the DFG currently.
        
        3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
           are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
           NodeUsedAsNumber to either @a or @b.
        
        This is neutral on V8v7 and a slight speed-up on compile time benchmarks.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Added.
        (DFG):
        (BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
        (JSC::DFG::BackwardsPropagationPhase::isNotZero):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGBackwardsPropagationPhase.h: Added.
        (DFG):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        (DFG):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::setIsLoadedFrom):
        (JSC::DFG::VariableAccessData::isLoadedFrom):

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Harden JSStringJoiner
        https://bugs.webkit.org/show_bug.cgi?id=112093

        Reviewed by Filip Pizlo.

        Harden JSStringJoiner, make it use our CheckedArithmetic
        class to simplify everything.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::build):
        * runtime/JSStringJoiner.h:
        (JSStringJoiner):
        (JSC::JSStringJoiner::JSStringJoiner):
        (JSC::JSStringJoiner::append):

2013-03-11  Michael Saboff  <msaboff@apple.com>

        Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
        https://bugs.webkit.org/show_bug.cgi?id=112067

        Reviewed by Geoffrey Garen.

        We weren't setting the tag in SetCallee.  Therefore set it to CellTag.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-11  Oliver Hunt  <oliver@apple.com>

        Make SegmentedVector Noncopyable
        https://bugs.webkit.org/show_bug.cgi?id=112059

        Reviewed by Geoffrey Garen.

        Copying a SegmentedVector is very expensive, and really shouldn't
        be necessary.  So I've taken the one place where we currently copy
        and replaced it with a regular Vector, and replaced the address
        dependent logic with a indexing ref instead.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::emitComplexJumpScopes):
        * bytecompiler/BytecodeGenerator.h:
        (BytecodeGenerator):
        * bytecompiler/LabelScope.h:
        (JSC):
        (JSC::LabelScopePtr::LabelScopePtr):
        (LabelScopePtr):
        (JSC::LabelScopePtr::operator=):
        (JSC::LabelScopePtr::~LabelScopePtr):
        (JSC::LabelScopePtr::operator*):
        (JSC::LabelScopePtr::operator->):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::DoWhileNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        (JSC::LabelNode::emitBytecode):

2013-03-10  Andreas Kling  <akling@apple.com>

        SpeculativeJIT should use OwnPtr<SlowPathGenerator>.
        <http://webkit.org/b/111942>

        Reviewed by Anders Carlsson.

        There's no need to include DFGSlowPathGenerator.h from the header as long as the destructor is out-of-line,
        so let's use OwnPtr instead of raw pointers + deleteAllValues().

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::~SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::addSlowPathGenerator):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-03-09  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r145299.
        http://trac.webkit.org/changeset/145299
        https://bugs.webkit.org/show_bug.cgi?id=111928

        compilation failure with recent clang
        (DFGBackwardsPropagationPhase.cpp:132:35: error: comparison of
        constant 10 with expression of type 'bool' is always false)
        (Requested by thorton on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Removed.
        * dfg/DFGBackwardsPropagationPhase.h: Removed.
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        (DFG):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::isNotNegZero):
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::isNotZero):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::PredictionPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        (JSC::DFG::PredictionPropagationPhase::mergeDefaultFlags):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (VariableAccessData):

2013-03-08  Filip Pizlo  <fpizlo@apple.com>

        DFG overflow check elimination is too smart for its own good
        https://bugs.webkit.org/show_bug.cgi?id=111832

        Reviewed by Oliver Hunt and Gavin Barraclough.
        
        This improves overflow check elimination in three ways:
        
        1) It reduces the amount of time the compiler will spend doing it.
        
        2) It fixes bugs where overflow check elimination was overzealous. Precisely, for a binary operation
           over @a and @b where both @a and @b will type check that their inputs (@a->children, @b->children)
           are int32's and then perform a possibly-overflowing operation, we must be careful not to assume
           that @a's non-int32 parts don't matter if at the point that @a runs we have as yet not proved that
           @b->children are int32's and that hence @b might produce a large enough result that doubles would
           start chopping low bits. The specific implication of this is that for a binary operation to not
           propagate that it cares about non-int32 parts (NodeUsedAsNumber), we must prove that at least one
           of the inputs is guaranteed to produce a result within 2^32 and that there won't be a tower of such
           operations large enough to ultimately produce a double greater than 2^52 (roughly). We achieve the
           latter by disabling this optimization for very large basic blocks. It's noteworthy that blocks that
           large won't even make it into the DFG currently.
        
        3) It makes the overflow check elimination more precise for cases where the inputs to an Add or Sub
           are the outputs of a bit-op. For example in (@a + (@b | 0)) | 0, we don't need to propagate
           NodeUsedAsNumber to either @a or @b.
        
        This is neutral on V8v7 and a slight speed-up on compile time benchmarks.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine):
        * dfg/DFGBackwardsPropagationPhase.cpp: Added.
        (DFG):
        (BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
        (JSC::DFG::BackwardsPropagationPhase::run):
        (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
        (JSC::DFG::BackwardsPropagationPhase::isNotZero):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoNonRecursive):
        (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
        (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        (JSC::DFG::performBackwardsPropagation):
        * dfg/DFGBackwardsPropagationPhase.h: Added.
        (DFG):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::clearIsLoadedFrom):
        (CPSRethreadingPhase):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        (DFG):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (PredictionPropagationPhase):
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGUnificationPhase.cpp:
        (JSC::DFG::UnificationPhase::run):
        * dfg/DFGVariableAccessData.h:
        (JSC::DFG::VariableAccessData::VariableAccessData):
        (JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
        (VariableAccessData):
        (JSC::DFG::VariableAccessData::setIsLoadedFrom):
        (JSC::DFG::VariableAccessData::isLoadedFrom):

2013-03-08  Roger Fong  <roger_fong@apple.com>

        Makefile fixes.

        * JavaScriptCore.vcxproj/JavaScriptCore.make:

2013-03-08  Gabor Rapcsanyi  <rgabor@webkit.org>

        Cache flush problem on ARMv7 JSC
        https://bugs.webkit.org/show_bug.cgi?id=111441

        Reviewed by Zoltan Herczeg.

        Not proper cache flush causing random crashes on ARMv7 Linux with V8 tests.
        The problem is similar to https://bugs.webkit.org/show_bug.cgi?id=77712.
        Change the cache fulsh mechanism similar to ARM traditinal and revert the
        temporary fix.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::cacheFlush):

2013-03-07  Geoffrey Garen  <ggaren@apple.com>

        REGRESSION (r143759): 40% JSBench regression, 20% Octane/closure regression, 40% Octane/jquery regression, 2% Octane regression
        https://bugs.webkit.org/show_bug.cgi?id=111797

        Reviewed by Oliver Hunt.

        The bot's testing configuration stresses the cache's starting guess
        of 1MB.

        This patch removes any starting guess, and just uses wall clock time
        to discover the initial working set size of an app, in code size.

        * runtime/CodeCache.cpp:
        (JSC::CodeCacheMap::pruneSlowCase): Update our timer as we go.

        Also fixed a bug where pruning from 0 to 0 would hang -- that case is
        a possibility now that we start with a capacity of 0.

        * runtime/CodeCache.h:
        (CodeCacheMap):
        (JSC::CodeCacheMap::CodeCacheMap):
        (JSC::CodeCacheMap::add):
        (JSC::CodeCacheMap::prune): Don't prune if we're in the middle of
        discovering the working set size of an app, in code size.

2013-03-07  Michael Saboff  <msaboff@apple.com>

        Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article
        https://bugs.webkit.org/show_bug.cgi?id=111777

        Reviewed by Filip Pizlo.

        Moved register allocations to be above any generated control flow so that any
        resulting spill would be visible to all subsequently generated code.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-07  Filip Pizlo  <fpizlo@apple.com>

        DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way
        https://bugs.webkit.org/show_bug.cgi?id=111783

        Reviewed by Mark Hahnenberg.
        
        Unreachable code is not touched by CFA and so thinks that even untyped uses are checked.
        But dead untyped uses don't need checks and hence don't need to be Phantom'd. The DCE knew
        this in findTypeCheckRoot() but not in eliminateIrrelevantPhantomChildren(), leading to a
        Phantom node that had another Phantom node as one of its kids.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):

2013-03-07  Filip Pizlo  <fpizlo@apple.com>

        The DFG fixpoint is not strictly profitable, and should be straight-lined
        https://bugs.webkit.org/show_bug.cgi?id=111764

        Reviewed by Oliver Hunt and Geoffrey Garen.
        
        The DFG previously ran optimizations to fixpoint because there exists a circular dependency:
        
        CSE depends on CFG simplification: CFG simplification merges blocks, and CSE is block-local.
        
        CFG simplification depends on CFA and constant folding: constant folding reveals branches on
        constants.
        
        CFA depends on CSE: CSE reveals must-alias relationships by proving that two operations
        always produce identical values.
        
        Arguments simplification also depends on CSE, but it ought not depend on anything else.
        
        Hence we get a cycle like: CFA -> folding -> CFG -> CSE -> CFA.
        
        Note that before we had sparse conditional CFA, we also had CFA depending on CFG. This ought
        not be the case anymore: CFG simplification should not by itself lead to better CFA results.
        
        My guess is that the weakest link in this cycle is CFG -> CSE. CSE cuts both ways: if you
        CSE too much then you increase register pressure. Hence it's not clear that you always want
        to CSE after simplifying control flow. This leads to an order of optimization as follows:
        
        CSE -> arguments -> CFA -> folding -> CFG
        
        This is a 2.5% speed-up on SunSpider, a 4% speed-up on V8Spider, a possible 0.3% slow-down
        on V8v7, nothing on Kraken, and 1.2% speed-up in the JSRegress geomean. I'll take a 2.5%
        speed-up over a 0.3% V8v7 speed-up.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):

2013-03-07  Roger Fong  <roger_fong@apple.com>

        Build fix for AppleWin VS2010.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:

2013-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Need a good way to reference event handlers without causing cycles
        https://bugs.webkit.org/show_bug.cgi?id=111088

        Reviewed by Geoffrey Garen.

        JSManagedValue is like a special kind of weak value. When you create a JSManagedValue, you can
        supply an Objective-C object as its "owner". As long as the Objective-C owner object remains
        alive and its wrapper remains accessible to the JSC garbage collector (e.g. by being marked by 
        the global object), the reference to the JavaScript value is strong. As soon as the Objective-C
        owner is deallocated or its wrapper becomes inaccessible to the garbage collector, the reference
        becomes weak.

        If you do not supply an owner or you use the weakValueWithValue: convenience class method, the
        returned JSManagedValue behaves as a normal weak reference.

        This new class allows clients to maintain references to JavaScript values in the Objective-C
        heap without creating reference cycles/leaking memory.

        * API/JSAPIWrapperObject.cpp: Added.
        (JSC):
        (JSC::::createStructure):
        (JSC::JSAPIWrapperObject::JSAPIWrapperObject): This is a special JSObject for the Objective-C API that knows
        for the purposes of garbage collection/marking that it wraps an opaque Objective-C object.
        (JSC::JSAPIWrapperObject::visitChildren): We add the pointer to the wrapped Objective-C object to the set of
        opaque roots so that the weak handle owner for JSManagedValues can find it later.
        * API/JSAPIWrapperObject.h: Added.
        (JSC):
        (JSAPIWrapperObject):
        (JSC::JSAPIWrapperObject::wrappedObject):
        (JSC::JSAPIWrapperObject::setWrappedObject):
        * API/JSBase.cpp:
        (JSSynchronousGarbageCollect):
        * API/JSBasePrivate.h:
        * API/JSCallbackObject.cpp:
        (JSC):
        * API/JSCallbackObject.h:
        (JSC::JSCallbackObject::destroy): Moved this to the header so that we don't get link errors with JSAPIWrapperObject.
        * API/JSContext.mm:
        (-[JSContext initWithVirtualMachine:]): We weren't adding manually allocated/initialized JSVirtualMachine objects to 
        the global cache of virtual machines. The init methods handle this now rather than contextWithGlobalContextRef, since 
        not everyone is guaranteed to use the latter.
        (-[JSContext initWithGlobalContextRef:]):
        (+[JSContext contextWithGlobalContextRef:]):
        * API/JSManagedValue.h: Added.
        * API/JSManagedValue.mm: Added.
        (JSManagedValueHandleOwner):
        (managedValueHandleOwner):
        (+[JSManagedValue weakValueWithValue:]):
        (+[JSManagedValue managedValueWithValue:owner:]):
        (-[JSManagedValue init]): We explicitly call the ARC entrypoints to initialize/get the weak owner field since we don't 
        use ARC when building our framework.
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue initWithValue:owner:]):
        (-[JSManagedValue dealloc]):
        (-[JSManagedValue value]):
        (-[JSManagedValue weakOwner]):
        (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): If the Objective-C owner is still alive (i.e. loading the weak field
        returns non-nil) and that value was added to the set of opaque roots by the wrapper for that Objective-C owner, then the the 
        JSObject to which the JSManagedObject refers is still alive.
        * API/JSObjectRef.cpp: We have to add explicit checks for the JSAPIWrapperObject, just like the other types of JSCallbackObjects.
        (JSObjectGetPrivate):
        (JSObjectSetPrivate):
        (JSObjectGetPrivateProperty):
        (JSObjectSetPrivateProperty):
        (JSObjectDeletePrivateProperty):
        * API/JSValue.mm:
        (objectToValueWithoutCopy):
        * API/JSValueRef.cpp:
        (JSValueIsObjectOfClass):
        * API/JSVirtualMachine.mm:
        (-[JSVirtualMachine initWithContextGroupRef:]):
        (+[JSVirtualMachine virtualMachineWithContextGroupRef:]):
        * API/JSWrapperMap.mm:
        (wrapperFinalize):
        (makeWrapper): This is our own internal version of JSObjectMake which creates JSAPIWrapperObjects, the Obj-C API 
        version of JSCallbackObjects.
        (createObjectWithCustomBrand):
        (-[JSObjCClassInfo wrapperForObject:]):
        (tryUnwrapObjcObject):
        * API/JavaScriptCore.h:
        * API/tests/testapi.mm: Added new tests for the strong and weak uses of JSManagedValue in the context of an 
        onclick handler for an Objective-C object inserted into a JSContext.
        (-[TextXYZ setWeakOnclick:]):
        (-[TextXYZ setOnclick:]):
        (-[TextXYZ weakOnclick]):
        (-[TextXYZ onclick]):
        (-[TextXYZ click]):
        * CMakeLists.txt: Various build system additions.
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/JSGlobalObject.cpp: Added the new canonical Structure for the JSAPIWrapperObject class.
        (JSC::JSGlobalObject::reset):
        (JSC):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        (JSC::JSGlobalObject::objcWrapperObjectStructure):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        ConvertThis should be turned into Identity based on predictions in Fixup, rather than based on proofs in ConstantFolding
        https://bugs.webkit.org/show_bug.cgi?id=111674

        Reviewed by Oliver Hunt.
        
        This gets rid of the speculated forms of ConvertThis in the backend, and has Fixup
        convert them to either Identity(Object:@child) if the child is predicted object, or
        Phantom(Other:@child) ; WeakJSConstant(global this object) if it's predicted Other.
        
        The goal of this is to ensure that the optimization fixpoint doesn't create
        Identity's, since doing so requires a rerun of CSE. So far this isn't a speed-up
        but I'm hoping this will be a step towards reducing the need to rerun the fixpoint
        so as to ultimately reduce compile times.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGAssemblyHelpers.h:
        (AssemblyHelpers):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (FixupPhase):
        (JSC::DFG::FixupPhase::observeUseKindOnNode):
        (JSC::DFG::FixupPhase::setUseKindAndUnboxIfProfitable):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::globalThisObjectFor):
        (Graph):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::convertToIdentity):
        (JSC::DFG::Node::convertToWeakConstant):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2013-03-07  Peter Gal  <galpeter@inf.u-szeged.hu>

        Children method in LLINT AST Not class should return [@child]
        https://bugs.webkit.org/show_bug.cgi?id=90740

        Reviewed by Filip Pizlo.

        * offlineasm/ast.rb: Fixed the return value of the children method in the Not AST class.

2013-03-05  Oliver Hunt  <oliver@apple.com>

        Bring back eager resolution of function scoped variables
        https://bugs.webkit.org/show_bug.cgi?id=111497

        Reviewed by Geoffrey Garen.

        This reverts the get/put_scoped_var part of the great non-local
        variable resolution refactoring.  This still leaves all the lazy
        variable resolution logic as it's necessary for global property
        resolution, and i don't want to make the patch bigger than it
        already is.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (CodeBlock):
        * bytecode/Opcode.h:
        (JSC):
        (JSC::padOpcodeName):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::codeBlockFor):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC):
        (UnlinkedFunctionExecutable):
        (UnlinkedCodeBlock):
        (JSC::UnlinkedCodeBlock::usesGlobalObject):
        (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
        (JSC::UnlinkedCodeBlock::globalObjectRegister):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::ResolveResult::checkValidity):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitLoadGlobalObject):
        (JSC):
        (JSC::BytecodeGenerator::resolve):
        (JSC::BytecodeGenerator::resolveConstDecl):
        (JSC::BytecodeGenerator::emitResolve):
        (JSC::BytecodeGenerator::emitResolveBase):
        (JSC::BytecodeGenerator::emitResolveBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithBaseForPut):
        (JSC::BytecodeGenerator::emitResolveWithThis):
        (JSC::BytecodeGenerator::emitGetStaticVar):
        (JSC::BytecodeGenerator::emitPutStaticVar):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::ResolveResult::lexicalResolve):
        (JSC::ResolveResult::isStatic):
        (JSC::ResolveResult::depth):
        (JSC::ResolveResult::index):
        (ResolveResult):
        (JSC::ResolveResult::ResolveResult):
        (BytecodeGenerator):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ResolveNode::isPure):
        (JSC::FunctionCallResolveNode::emitBytecode):
        (JSC::PostfixNode::emitResolve):
        (JSC::TypeOfResolveNode::emitBytecode):
        (JSC::PrefixNode::emitResolve):
        (JSC::ReadModifyResolveNode::emitBytecode):
        (JSC::AssignResolveNode::emitBytecode):
        (JSC::ConstDeclNode::emitCodeSingle):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::debugFail):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode):
        (JSC::DFG::canInlineOpcode):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        (JIT):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC):
        (JSC::JIT::emit_op_put_scoped_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC):
        (JSC::JIT::emit_op_put_scoped_var):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        * runtime/CodeCache.h:
        (JSC):
        (CodeCache):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::FunctionExecutable::produceCodeBlockFor):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createEvalCodeBlock):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject):
        * runtime/Options.cpp:
        (JSC::Options::initialize):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, roll out http://trac.webkit.org/changeset/144989
        
        I think we want the assertion that I removed.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGAbstractState.h:
        (AbstractState):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        DFG::AbstractState::merge() is still more complicated than it needs to be
        https://bugs.webkit.org/show_bug.cgi?id=111619

        Reviewed by Mark Hahnenberg.
        
        This method is the one place where we still do some minimal amount of liveness pruning, but the style with
        which it is written is awkward, and it makes an assertion about variablesAtTail that will be invalidated
        by https://bugs.webkit.org/show_bug.cgi?id=111539.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::merge):
        (JSC::DFG::AbstractState::mergeVariableBetweenBlocks):
        * dfg/DFGAbstractState.h:
        (AbstractState):

2013-03-06  Filip Pizlo  <fpizlo@apple.com>

        DFG should not run full CSE after the optimization fixpoint, since it really just wants store elimination
        https://bugs.webkit.org/show_bug.cgi?id=111536

        Reviewed by Oliver Hunt and Mark Hahnenberg.
        
        The fixpoint will do aggressive load elimination and pure CSE. There's no need to do it after the fixpoint.
        On the other hand, the fixpoint does not profit from doing store elimination (except for SetLocal/Flush).
        Previously we had CSE do both, and had it avoid doing some store elimination during the fixpoint by querying
        the fixpoint state. This changes CSE to be templated on mode - either NormalCSE or StoreElimination - so
        that we explicitly put it into one of those modes depending on where we call it from. The goal is to reduce
        time spent doing load elimination after the fixpoint, since that is just wasted cycles.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::CSEPhase):
        (JSC::DFG::CSEPhase::run):
        (JSC::DFG::CSEPhase::performNodeCSE):
        (JSC::DFG::CSEPhase::performBlockCSE):
        (JSC::DFG::performCSE):
        (DFG):
        (JSC::DFG::performStoreElimination):
        * dfg/DFGCSEPhase.h:
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):

2013-03-06  Andreas Kling  <akling@apple.com>

        Pack Structure members better.
        <http://webkit.org/b/111593>
        <rdar://problem/13359200>

        Reviewed by Mark Hahnenberg.

        Shrink Structure by 8 bytes (now at 104 bytes) on 64-bit by packing the members better.

        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:
        (Structure):

2013-03-06  Andreas Kling  <akling@apple.com>

        Unreviewed, fix Windows build after r144910.

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:

2013-03-05  Filip Pizlo  <fpizlo@apple.com>

        DFG should not check if nodes are shouldGenerate prior to DCE
        https://bugs.webkit.org/show_bug.cgi?id=111520

        Reviewed by Geoffrey Garen.
        
        All nodes are live before DCE. We don't need to check that they aren't, because they
        definitely will be.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::performBlockCFA):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::pureCSE):
        (JSC::DFG::CSEPhase::int32ToDoubleCSE):
        (JSC::DFG::CSEPhase::constantCSE):
        (JSC::DFG::CSEPhase::weakConstantCSE):
        (JSC::DFG::CSEPhase::getCalleeLoadElimination):
        (JSC::DFG::CSEPhase::getArrayLengthElimination):
        (JSC::DFG::CSEPhase::globalVarLoadElimination):
        (JSC::DFG::CSEPhase::scopedVarLoadElimination):
        (JSC::DFG::CSEPhase::globalVarWatchpointElimination):
        (JSC::DFG::CSEPhase::globalVarStoreElimination):
        (JSC::DFG::CSEPhase::scopedVarStoreElimination):
        (JSC::DFG::CSEPhase::getByValLoadElimination):
        (JSC::DFG::CSEPhase::checkStructureElimination):
        (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
        (JSC::DFG::CSEPhase::putStructureStoreElimination):
        (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
        (JSC::DFG::CSEPhase::putByOffsetStoreElimination):
        (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::checkArrayElimination):
        (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
        (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
        (JSC::DFG::CSEPhase::getLocalLoadElimination):
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):

2013-03-06  Csaba Osztrogonác  <ossy@webkit.org>

        Fix unused parameter warnings in ARM assembler
        https://bugs.webkit.org/show_bug.cgi?id=111433

        Reviewed by Kentaro Hara.

        * assembler/ARMAssembler.h: Remove unreachable revertJump() after r143346.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::moveIntsToDouble): Remove unused scratch parameter instead of UNUSED_PARAM.
        (JSC::MacroAssemblerARM::branchConvertDoubleToInt32): Remove unused fpTemp parameter.
        (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranchPtrWithPatch): Remove unused parameters.

2013-03-06  Andreas Kling  <akling@apple.com>

        Unused Structure property tables waste 14MB on Membuster.
        <http://webkit.org/b/110854>
        <rdar://problem/13292104>

        Reviewed by Geoffrey Garen.

        Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
        14 MB progression on Membuster3.

        This time it should stick; I've been through all the tests with COLLECT_ON_EVERY_ALLOCATION.
        The issue with the last version was that Structure::m_offset could be used uninitialized
        when re-materializing a previously GC'd property table, causing some sanity checks to fail.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:

            Added PropertyTable.cpp.

        * runtime/PropertyTable.cpp: Added.
        (JSC::PropertyTable::create):
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::destroy):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::visitChildren):

            Moved marking of property table values here from Structure::visitChildren().

        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):

            Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
            Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
            zaps the property table.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureInlines.h:
        (JSC::Structure::propertyTable):

            Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
            Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
            Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.

        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):

            Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):

            Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.

        (JSC::Structure::takePropertyTableOrCloneIfPinned):

            Added for setting up the property table in a new transition, this code is now shared between
            addPropertyTransition() and nonPropertyTransition().

        * runtime/JSGlobalData.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

            Add a global propertyTableStructure.

        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::createStructure):
        (JSC::PropertyTable::copy):

            Make PropertyTable a GC object.

        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::checkConsistency):

2013-03-05  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the invert argument to SpeculativeJIT::jumpSlowForUnwantedArrayMode
        https://bugs.webkit.org/show_bug.cgi?id=105624

        Reviewed by Oliver Hunt.
        
        All callers pass invert = false, which is the default value of the argument. So, get
        rid of the argument and fold away all code that checks it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):

2013-03-05  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix an incorrect comment. The comment was a holdover from a work-in-progress version of this code.

        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):

2013-03-04  Filip Pizlo  <fpizlo@apple.com>

        DFG DCE might eliminate checks unsoundly
        https://bugs.webkit.org/show_bug.cgi?id=109389

        Reviewed by Oliver Hunt.
        
        This gets rid of all eager reference counting, and does all dead code elimination
        in one phase - the DCEPhase. This phase also sets up the node reference counts,
        which are then used not just for DCE but also register allocation and stack slot
        allocation.
        
        Doing this required a number of surgical changes in places that previously relied
        on always having liveness information. For example, the structure check hoisting
        phase must now consult whether a VariableAccessData is profitable for unboxing to
        make sure that it doesn't try to do hoisting on set SetLocals. The arguments
        simplification phase employs its own light-weight liveness analysis. Both phases
        previously just used reference counts.
        
        The largest change is that now, dead nodes get turned into Phantoms. Those
        Phantoms will retain those child edges that are not proven. This ensures that any
        type checks performed by a dead node remain even after the node is killed. On the
        other hand, this Phantom conversion means that we need special handling for
        SetLocal. I decided to make the four forms of SetLocal explicit:
        
        MovHint(@a, rK): Just indicates that node @a contains the value that would have
             now been placed into virtual register rK. Does not actually cause @a to be
             stored into rK. This would have previously been a dead SetLocal with @a
             being live. MovHints are always dead.
        
        ZombieHint(rK): Indicates that at this point, register rK will contain a dead
             value and OSR should put Undefined into it. This would have previously been
             a dead SetLocal with @a being dead also. ZombieHints are always dead.
        
        MovHintAndCheck(@a, rK): Identical to MovHint except @a is also type checked,
             according to whatever UseKind the edge to @a has. The type check is always a
             forward exit. MovHintAndChecks are always live, since they are
             NodeMustGenerate. Previously this would have been a dead SetLocal with a
             live @a, and the check would have disappeared. This is one of the bugs that
             this patch solves.
        
        SetLocal(@a, rK): This still does exactly what it does now, if the SetLocal is
             live.
        
        Basically this patch makes it so that dead SetLocals eventually decay to MovHint,
        ZombieHint, or MovHintAndCheck depending on the situation. If the child @a is
        also dead, then you get a ZombieHint. If the child @a is live but the SetLocal
        has a type check and @a's type hasn't been proven to have that type then you get
        a MovHintAndCheck. Otherwise you get a MovHint.
        
        This is performance neutral.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        (JSC::DFG::AbstractState::mergeStateAtTail):
        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        (ArgumentsSimplificationPhase):
        (JSC::DFG::ArgumentsSimplificationPhase::removeArgumentsReferencingPhantomChild):
        * dfg/DFGBasicBlock.h:
        (BasicBlock):
        * dfg/DFGBasicBlockInlines.h:
        (DFG):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::insertPhiNode):
        (JSC::DFG::ByteCodeParser::emitFunctionChecks):
        * dfg/DFGCFAPhase.cpp:
        (JSC::DFG::CFAPhase::run):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::addPhiSilently):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGCommon.cpp:
        (WTF::printInternal):
        (WTF):
        * dfg/DFGCommon.h:
        (WTF):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
        (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
        * dfg/DFGDCEPhase.cpp: Added.
        (DFG):
        (DCEPhase):
        (JSC::DFG::DCEPhase::DCEPhase):
        (JSC::DFG::DCEPhase::run):
        (JSC::DFG::DCEPhase::findTypeCheckRoot):
        (JSC::DFG::DCEPhase::countEdge):
        (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
        (JSC::DFG::performDCE):
        * dfg/DFGDCEPhase.h: Added.
        (DFG):
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compile):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::checkArray):
        (JSC::DFG::FixupPhase::blessArrayOperation):
        (JSC::DFG::FixupPhase::fixIntEdge):
        (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
        (JSC::DFG::FixupPhase::truncateConstantToInt32):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::Graph::dump):
        (DFG):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::changeChild):
        (JSC::DFG::Graph::changeEdge):
        (JSC::DFG::Graph::compareAndSwap):
        (JSC::DFG::Graph::clearAndDerefChild):
        (JSC::DFG::Graph::performSubstitution):
        (JSC::DFG::Graph::performSubstitutionForEdge):
        (Graph):
        (JSC::DFG::Graph::substitute):
        * dfg/DFGInsertionSet.h:
        (InsertionSet):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::convertToConstant):
        (JSC::DFG::Node::convertToGetLocalUnlinked):
        (JSC::DFG::Node::containsMovHint):
        (Node):
        (JSC::DFG::Node::hasVariableAccessData):
        (JSC::DFG::Node::willHaveCodeGenOrOSR):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileMovHintAndCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::compileInlineStart):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStructureCheckHoistingPhase.cpp:
        (JSC::DFG::StructureCheckHoistingPhase::run):
        (JSC::DFG::StructureCheckHoistingPhase::shouldConsiderForHoisting):
        (StructureCheckHoistingPhase):
        * dfg/DFGValidate.cpp:
        (JSC::DFG::Validate::validate):

2013-03-05  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: JSValue should implement init and return nil in exceptional cases
        https://bugs.webkit.org/show_bug.cgi?id=111487

        Reviewed by Darin Adler.

        * API/JSValue.mm:
        (-[JSValue init]): We return nil here because there is no way to get the instance into a coherent state
        without a JSContext.
        (-[JSValue initWithValue:inContext:]): Similarly, we should also return nil here if either of the arguments is 0.

2013-03-05  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r144708.
        http://trac.webkit.org/changeset/144708
        https://bugs.webkit.org/show_bug.cgi?id=111447

        random assertion crashes in inspector tests on qt+mac bots
        (Requested by kling on #webkit).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        * runtime/JSGlobalData.h:
        (JSGlobalData):
        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::PropertyTable):
        (JSC):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::copy):
        * runtime/PropertyTable.cpp: Removed.
        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::visitChildren):
        (JSC::Structure::checkConsistency):
        * runtime/Structure.h:
        (JSC):
        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        (JSC::Structure::checkOffsetConsistency):
        (Structure):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):
        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):

2013-03-05  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX (r144698): Only enable SPEECH_SYNTHESIS for Mac
        <http://webkit.org/b/106742>

        Fixes the following build failures:

            Undefined symbols for architecture i386:
              "__ZTVN7WebCore25PlatformSpeechSynthesizerE", referenced from:
                  __ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o
              NOTE: a missing vtable usually means the first non-inline virtual member function has no definition.
              "__ZN7WebCore25PlatformSpeechSynthesizer19initializeVoiceListEv", referenced from:
                  __ZN7WebCore25PlatformSpeechSynthesizerC2EPNS_31PlatformSpeechSynthesizerClientE in PlatformSpeechSynthesizer.o
            ld: symbol(s) not found for architecture i386

        * Configurations/FeatureDefines.xcconfig:
        - Fix definition of ENABLE_ENCRYPTED_MEDIA_V2_macosx to match
          other FeatureDefines.xcconfig files.
        - Only set ENABLE_SPEECH_SYNTHESIS for the macosx platform.

2013-03-04  Andreas Kling  <akling@apple.com>

        Unused Structure property tables waste 14MB on Membuster.
        <http://webkit.org/b/110854>
        <rdar://problem/13292104>

        Reviewed by Geoffrey Garen.

        Turn PropertyTable into a GC object and have Structure drop unpinned tables when marking.
        14 MB progression on Membuster3.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Target.pri:

            Added PropertyTable.cpp.

        * runtime/PropertyTable.cpp: Added.
        (JSC::PropertyTable::create):
        (JSC::PropertyTable::clone):
        (JSC::PropertyTable::PropertyTable):
        (JSC::PropertyTable::destroy):
        (JSC::PropertyTable::~PropertyTable):
        (JSC::PropertyTable::visitChildren):

            Moved marking of property table values here from Structure::visitChildren().

        * runtime/WriteBarrier.h:
        (JSC::WriteBarrierBase::get):

            Move m_cell to a local before using it multiple times. This avoids a multiple-access race when
            Structure::checkOffsetConsistency() is used in assertions on the main thread while a marking thread
            zaps the property table.

        * runtime/Structure.h:
        (JSC::Structure::materializePropertyMapIfNecessary):
        (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
        * runtime/StructureInlines.h:
        (JSC::Structure::propertyTable):

            Added a getter for the Structure's PropertyTable that ASSERTs GC currently isn't active.
            Because GC can zap an unpinned property table at any time, it's not entirely safe to access it.
            Renamed the variable itself to m_propertyTableUnsafe to force call sites into explaining themselves.

        (JSC::Structure::putWillGrowOutOfLineStorage):
        (JSC::Structure::checkOffsetConsistency):

            Moved these out of Structure.h to break header dependency cycle between Structure/PropertyTable.

        * runtime/Structure.cpp:
        (JSC::Structure::visitChildren):

            Null out m_propertyTable if the table is unpinned. This'll cause the table to get GC'd.

        * runtime/JSGlobalData.h:
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

            Add a global propertyTableStructure.

        * runtime/PropertyMapHashTable.h:
        (PropertyTable):
        (JSC::PropertyTable::createStructure):
        (JSC::PropertyTable::copy):

            Make PropertyTable a GC object.

        * runtime/Structure.cpp:
        (JSC::Structure::dumpStatistics):
        (JSC::Structure::materializePropertyMap):
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::addPropertyTransition):
        (JSC::Structure::changePrototypeTransition):
        (JSC::Structure::despecifyFunctionTransition):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::toDictionaryTransition):
        (JSC::Structure::sealTransition):
        (JSC::Structure::freezeTransition):
        (JSC::Structure::preventExtensionsTransition):
        (JSC::Structure::nonPropertyTransition):
        (JSC::Structure::isSealed):
        (JSC::Structure::isFrozen):
        (JSC::Structure::flattenDictionaryStructure):
        (JSC::Structure::pin):
        (JSC::Structure::copyPropertyTable):
        (JSC::Structure::copyPropertyTableForPinning):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        (JSC::Structure::despecifyAllFunctions):
        (JSC::Structure::putSpecificValue):
        (JSC::Structure::remove):
        (JSC::Structure::createPropertyMap):
        (JSC::Structure::getPropertyNamesFromStructure):
        (JSC::Structure::checkConsistency):

2013-03-04  Chris Fleizach  <cfleizach@apple.com>

        Support WebSpeech - Speech Synthesis
        https://bugs.webkit.org/show_bug.cgi?id=106742

        Reviewed by Simon Fraser.

        Enable speech synthesis for the Mac.

        * Configurations/FeatureDefines.xcconfig:

2013-03-04  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove contextInternalContext from JSContextInternal.h
        https://bugs.webkit.org/show_bug.cgi?id=111356

        Reviewed by Geoffrey Garen.

        We don't need it any more since we have globalContextRef in JSContext.

        * API/JSContext.mm:
        * API/JSContextInternal.h:
        * API/JSValue.mm:
        (+[JSValue valueWithBool:inContext:]):
        (+[JSValue valueWithDouble:inContext:]):
        (+[JSValue valueWithInt32:inContext:]):
        (+[JSValue valueWithUInt32:inContext:]):
        (+[JSValue valueWithNewObjectInContext:]):
        (+[JSValue valueWithNewArrayInContext:]):
        (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]):
        (+[JSValue valueWithNewErrorFromMessage:inContext:]):
        (+[JSValue valueWithNullInContext:]):
        (+[JSValue valueWithUndefinedInContext:]):
        (-[JSValue toBool]):
        (-[JSValue toDouble]):
        (-[JSValue toNumber]):
        (-[JSValue toString]):
        (-[JSValue toDate]):
        (-[JSValue toArray]):
        (-[JSValue toDictionary]):
        (-[JSValue valueForProperty:]):
        (-[JSValue setValue:forProperty:]):
        (-[JSValue deleteProperty:]):
        (-[JSValue hasProperty:]):
        (-[JSValue valueAtIndex:]):
        (-[JSValue setValue:atIndex:]):
        (-[JSValue isUndefined]):
        (-[JSValue isNull]):
        (-[JSValue isBoolean]):
        (-[JSValue isNumber]):
        (-[JSValue isString]):
        (-[JSValue isObject]):
        (-[JSValue isEqualToObject:]):
        (-[JSValue isEqualWithTypeCoercionToObject:]):
        (-[JSValue isInstanceOf:]):
        (-[JSValue callWithArguments:]):
        (-[JSValue constructWithArguments:]):
        (-[JSValue invokeMethod:withArguments:]):
        (valueToObject):
        (objectToValueWithoutCopy):
        (objectToValue):
        (-[JSValue initWithValue:inContext:]):
        (-[JSValue dealloc]):
        (-[JSValue description]):
        * API/JSWrapperMap.mm:
        (createObjectWithCustomBrand):
        (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
        (-[JSObjCClassInfo wrapperForObject:]):
        (-[JSWrapperMap jsWrapperForObject:]):
        * API/ObjCCallbackFunction.mm:
        (ObjCCallbackFunction::call):
        (objCCallbackFunctionForInvocation):

2013-03-04  Andreas Kling  <akling@apple.com>

        Add simple vector traits for JSC::Identifier.
        <http://webkit.org/b/111323>

        Reviewed by Geoffrey Garen.

        Identifiers are really just Strings, giving them simple vector traits makes
        Vector move them with memcpy() instead of churning the refcounts.

        * runtime/Identifier.h:
        (WTF):

2013-03-04  Kunihiko Sakamoto  <ksakamoto@chromium.org>

        Add build flag for FontLoader
        https://bugs.webkit.org/show_bug.cgi?id=111289

        Reviewed by Benjamin Poulain.

        Add ENABLE_FONT_LOAD_EVENTS build flag (disabled by default).

        * Configurations/FeatureDefines.xcconfig:

2013-03-03  Andreas Kling  <akling@apple.com>

        Shrink JSC::HashTable entries.
        <http://webkit.org/b/111275>
        <rdar://problem/13333511>

        Reviewed by Anders Carlsson.

        Move the Intrinsic value out of the function-specific part of the union,
        and store it next to m_attributes. Reduces the size of HashEntry by 8 bytes.

        990 kB progression on Membuster3. (PTUS: 797 kB)

        * runtime/Lookup.h:
        (JSC::HashEntry::initialize):
        (JSC::HashEntry::intrinsic):
        (HashEntry):

2013-03-01  David Kilzer  <ddkilzer@apple.com>

        BUILD FIX: testapi should link to Foundation, not CoreFoundation

        * JavaScriptCore.xcodeproj/project.pbxproj: Change testapi to
        link to Foundation.framework instead of CoreFoundation.framework
        since it uses NS types.

2013-03-01  Mark Hahnenberg  <mhahnenberg@apple.com>

        Objective-C API: Passing JS functions to Objective-C callbacks causes JSValue to leak
        https://bugs.webkit.org/show_bug.cgi?id=107836

        Reviewed by Oliver Hunt.

        We've decided to remove support for this feature from the API because there's no way to automatically manage 
        the memory for clients in a satisfactory manner. Clients can still pass JS functions to Objective-C methods, 
        but the methods must accept plain JSValues instead of Objective-C blocks.

        We now ignore functions that are part of a protocol that inherits from JSExport that accept blocks as arguments.

        * API/JSBlockAdaptor.h: Removed.
        * API/JSBlockAdaptor.mm: Removed.
        * API/ObjCCallbackFunction.mm:
        (ArgumentTypeDelegate::typeBlock): Return nil to signal that we want to ignore this function when copying it
        to the object from the protocol.
        * API/tests/testapi.mm: Added a test to make sure that we ignore methods declared as part of a JSExport-ed protocol
        that have block arguments.
        (-[TestObject bogusCallback:]):
        * JavaScriptCore.gypi: Updated build files.
        * JavaScriptCore.xcodeproj/project.pbxproj:

2013-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG Branch(LogicalNot) peephole should not try to optimize and work-around the case where LogicalNot may be otherwise live
        https://bugs.webkit.org/show_bug.cgi?id=111209

        Reviewed by Oliver Hunt.
        
        Even if it is then everything will work just fine. It's not necessary to check the ref count here.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-03-01  Filip Pizlo  <fpizlo@apple.com>

        DFG CSE phase shouldn't rely on ref count of nodes, since it doesn't have to
        https://bugs.webkit.org/show_bug.cgi?id=111205

        Reviewed by Oliver Hunt.
        
        I don't understand the intuition behind setLocalStoreElimination() validating that the SetLocal's ref count
        is 1. I believe this is a hold-over from when setLocalStoreElimination() would match one SetLocal to another,
        and then try to eliminate the first SetLocal. But that's not how it works now. Now, setLocalStoreElimination()
        is actually Flush elimination: it eliminates any Flush that anchors a SetLocal if it proves that every path
        from the SetLocal to the Flush is devoid of operations that may observe the local. It doesn't actually kill
        the SetLocal itself: if the SetLocal is live because of other things (other Flushes or GetLocals in other
        basic blocks), then the SetLocal will naturally still be alive because th Flush was only keeping the SetLocal
        alive by one count rather than being solely responsible for its liveness.

        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setLocalStoreElimination):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):

2013-03-01  Filip Pizlo  <fpizlo@apple.com>

        Rename MovHint to MovHintEvent so I can create a NodeType called MovHint

        Rubber stamped by Mark Hahnenberg.
        
        This is similar to the SetLocal/SetLocalEvent naming scheme, where SetLocal is the
        NodeType and SetLocalEvent is the VariableEventKind.

        * dfg/DFGVariableEvent.cpp:
        (JSC::DFG::VariableEvent::dump):
        * dfg/DFGVariableEvent.h:
        (JSC::DFG::VariableEvent::movHint):
        (JSC::DFG::VariableEvent::id):
        (JSC::DFG::VariableEvent::operand):
        (VariableEvent):
        * dfg/DFGVariableEventStream.cpp:
        (JSC::DFG::VariableEventStream::reconstruct):

2013-03-01  Raphael Kubo da Costa  <raphael.kubo.da.costa@intel.com>

        [JSC] Fix sign comparison warning/error after r144340.
        https://bugs.webkit.org/show_bug.cgi?id=111164

        Reviewed by Mark Hahnenberg.

        gcc (both 4.2.1 and 4.7.2) complain about comparing signed and
        unsigned terms (clang accepts it just fine).

        Work around that by casting the 1 to an uintptr_t as well.

        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::makeWord):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA should not do liveness pruning
        https://bugs.webkit.org/show_bug.cgi?id=111119

        Reviewed by Mark Hahnenberg.
        
        It adds complexity and probably buys nothing.  Moreover, I'm transitioning to having
        liveness only available at the bitter end of compilation, so this will stop working
        after https://bugs.webkit.org/show_bug.cgi?id=109389 anyway.

        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::initialize):
        (JSC::DFG::AbstractState::mergeStateAtTail):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        Don't try to emit profiling if you don't have the DFG JIT.

        Rubber stamped by Mark Hahnenberg.

        * jit/JIT.h:
        (JSC::JIT::shouldEmitProfiling):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        DFG Phantom node should be honest about the fact that it can exit
        https://bugs.webkit.org/show_bug.cgi?id=111115

        Reviewed by Mark Hahnenberg.
        
        The chances of this having cause serious issues are low, since most clients of the
        NodeDoesNotExit flag run after CFA and CFA updates this properly. But one possible
        case of badness is if the ByteCodeParser inserted a Phantom with a type check in
        between a LogicalNot and a Branch; then that peephole optimization in Fixup might
        go slightly wrong.

        * dfg/DFGNodeType.h:
        (DFG):

2013-02-28  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add casts in DFGGPRInfo.h to suppress warnings
        https://bugs.webkit.org/show_bug.cgi?id=111104

        Reviewed by Filip Pizlo.

        With certain flags on, we get compiler warnings on ARM. We should do the proper casts to make these warnings go away.

        * dfg/DFGGPRInfo.h:
        (JSC::DFG::GPRInfo::toIndex):
        (JSC::DFG::GPRInfo::debugName):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to determine if a DFG node exits forward or backward when doing type checks
        https://bugs.webkit.org/show_bug.cgi?id=111102

        Reviewed by Mark Hahnenberg.
        
        This adds a NodeExitsForward flag, which tells you the exit directionality of
        type checks performed by the node. Even if you convert the node to a Phantom
        and use the Edge UseKind for type checks, you'll still get the same exit
        directionality that the original node would have wanted.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * dfg/DFGArrayifySlowPathGenerator.h:
        (JSC::DFG::ArrayifySlowPathGenerator::ArrayifySlowPathGenerator):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::run):
        (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::setReplacement):
        (JSC::DFG::CSEPhase::eliminate):
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::checkArray):
        * dfg/DFGNode.h:
        (Node):
        (JSC::DFG::Node::setOpAndDefaultNonExitFlags):
        (JSC::DFG::Node::convertToPhantom):
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::nodeFlagsAsString):
        * dfg/DFGNodeFlags.h:
        (DFG):
        * dfg/DFGNodeType.h:
        (DFG):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck):
        (DFG):
        (JSC::DFG::SpeculativeJIT::speculationCheck):
        (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
        (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
        (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::typeCheck):
        (JSC::DFG::SpeculativeJIT::forwardTypeCheck):
        (JSC::DFG::SpeculativeJIT::fillStorage):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
        * dfg/DFGSpeculativeJIT.h:
        (SpeculativeJIT):
        (JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand):
        (JSC::DFG::SpeculateIntegerOperand::gpr):
        (SpeculateIntegerOperand):
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::fpr):
        (SpeculateDoubleOperand):
        (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
        (JSC::DFG::SpeculateCellOperand::gpr):
        (SpeculateCellOperand):
        (JSC::DFG::SpeculateBooleanOperand::SpeculateBooleanOperand):
        (JSC::DFG::SpeculateBooleanOperand::gpr):
        (SpeculateBooleanOperand):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt):
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
        (JSC::DFG::SpeculativeJIT::compile):

2013-02-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::valueProfile() has a bogus assertion
        https://bugs.webkit.org/show_bug.cgi?id=111106
        <rdar://problem/13131427>

        Reviewed by Mark Hahnenberg.
        
        This was just a bad assertion: m_bytecodeOffset == -1 means that the value profile is constructed but not initialized.
        ValueProfile constructs itself in a safe way; you can call any method you want on a constructed but not initialized
        ValueProfile. CodeBlock first constructs all ValueProfiles (by growing the ValueProfile vector) and then initializes
        their m_bytecodeOffset later. This is necessary because the initialization is linking bytecode instructions to their
        ValueProfiles, so at that point we don't want the ValueProfile vector to resize, which implies that we want all of
        them to already be constructed. A GC can happen during this phase, and the GC may want to walk all ValueProfiles.
        This is safe, but one of the ValueProfile getters (CodeBlock::valueProfile()) was asserting that any value profile
        you get has had its m_bytecodeOffset initialized. This need not be the case and nothing will go wrong if it isn't.

        The solution is to remove the assertion, which I believe was put there to ensure that my m_valueProfiles refactoring
        a long time ago was sound: it used to be that a ValueProfile with m_bytecodeOffset == -1 was an argument profile; now
        all argument profiles are in m_argumentValueProfiles instead. I think it's safe to say that this refactoring was done
        soundly since it was a long time ago. So we should kill the assertion - I don't see an easy way to make the assertion
        sound with respect to the GC-during-CodeBlock-construction issue, and I don't believe that the assertion is buying us
        anything at this point.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfile):

2013-02-27  Filip Pizlo  <fpizlo@apple.com>

        DFG CFA should leave behind information in Edge that says if the Edge's type check is proven to succeed
        https://bugs.webkit.org/show_bug.cgi?id=110840

        Reviewed by Mark Hahnenberg.
        
        This doesn't add any observable functionality to the compiler, yet. But it does give
        every phase that runs after CFA the ability to know, in O(1) time, whether an edge
        will need to execute a type check.

        * dfg/DFGAbstractState.h:
        (JSC::DFG::AbstractState::filterEdgeByUse):
        (JSC::DFG::AbstractState::filterByType):
        * dfg/DFGCommon.cpp:
        (WTF):
        (WTF::printInternal):
        * dfg/DFGCommon.h:
        (JSC::DFG::isProved):
        (DFG):
        (JSC::DFG::proofStatusForIsProved):
        (WTF):
        * dfg/DFGEdge.cpp:
        (JSC::DFG::Edge::dump):
        * dfg/DFGEdge.h:
        (JSC::DFG::Edge::Edge):
        (JSC::DFG::Edge::setNode):
        (JSC::DFG::Edge::useKindUnchecked):
        (JSC::DFG::Edge::setUseKind):
        (Edge):
        (JSC::DFG::Edge::proofStatusUnchecked):
        (JSC::DFG::Edge::proofStatus):
        (JSC::DFG::Edge::setProofStatus):
        (JSC::DFG::Edge::isProved):
        (JSC::DFG::Edge::needsCheck):
        (JSC::DFG::Edge::shift):
        (JSC::DFG::Edge::makeWord):

2013-02-28  Simon Hausmann  <simon.hausmann@digia.com>

        [Qt][Mac] Fix massive parallel builds

        Reviewed by Tor Arne Vestbø.

        There exists a race condition that LLIntDesiredOffsets.h is written to
        by two parllel instances of the ruby script. This patch ensures that similar to the output file,
        the generated file is also prefixed according to the build configuration.

        * LLIntOffsetsExtractor.pro:

2013-02-27  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r144168.
        http://trac.webkit.org/changeset/144168
        https://bugs.webkit.org/show_bug.cgi?id=111019

        It broke the build and tronical is unavailable (Requested by
        Ossy_night on #webkit).

        * LLIntOffsetsExtractor.pro:

2013-02-26  Filip Pizlo  <fpizlo@apple.com>

        Disable some unsound DFG DCE
        https://bugs.webkit.org/show_bug.cgi?id=110948

        Reviewed by Michael Saboff.
        
        DCE of bitops is not sound since the bitops might call some variant of valueOf.
        
        This used to work right because ValueToInt32 was MustGenerate. From the DFG IR
        standpoint it feels weird to make ValueToInt32 be MustGenerate since that node is
        implemented entirely as a pure conversion. If we ever gave the DFG the ability to
        do effectful bitops, we would most likely implement them as special nodes not
        related to the ValueToInt32 and bitop nodes we have now.
        
        This change is performance neutral.

        * dfg/DFGNodeType.h:
        (DFG):

2013-02-27  Glenn Adams  <glenn@skynav.com>

        Add ENABLE_CSS3_TEXT_LINE_BREAK flag.
        https://bugs.webkit.org/show_bug.cgi?id=110944

        Reviewed by Dean Jackson.

        * Configurations/FeatureDefines.xcconfig:

2013-02-27  Julien Brianceau   <jbrianceau@nds.com>

        Fix build when DFG_JIT is not enabled
        https://bugs.webkit.org/show_bug.cgi?id=110991

        Reviewed by Csaba Osztrogonác.

        * jit/JIT.h:
        (JSC::JIT::canBeOptimizedOrInlined):

2013-02-27  Simon Hausmann  <simon.hausmann@digia.com>

        [Qt][Mac] Fix massive parallel builds

        Reviewed by Tor Arne Vestbø.

        There exists a race condition that LLIntDesiredOffsets.h is written to
        by two parllel instances of the ruby script. This patch ensures that similar to the output file,
        the generated file is also prefixed according to the build configuration.

        * LLIntOffsetsExtractor.pro:

2013-02-26  Filip Pizlo  <fpizlo@apple.com>

        DFG OSR exit doesn't know which virtual register to use for the last result register for post_inc and post_dec
        https://bugs.webkit.org/show_bug.cgi?id=109036
        <rdar://problem/13292139>

&nbs