JSActivation constructor should use NotNull placement new.

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2013-11-27  Andreas Kling  <akling@apple.com>

        JSActivation constructor should use NotNull placement new.
        <https://webkit.org/b/124909>

        Knock a null check outta the storage initialization loop.

        Reviewed by Antti Koivisto.

2013-11-26  Filip Pizlo  <fpizlo@apple.com>

        Restructure global variable constant inference so that it could work for any kind of symbol table variable
        https://bugs.webkit.org/show_bug.cgi?id=124760

        Reviewed by Oliver Hunt.
        
        This changes the way global variable constant inference works so that it can be reused
        for closure variable constant inference. Some of the premises that originally motivated
        this patch are somewhat wrong, but it led to some simplifications anyway and I suspect
        that we'll be able to fix those premises in the future. The main point of this patch is
        to make it easy to reuse global variable constant inference for closure variable
        constant inference, and this will be possible provided we can also either (a) infer
        one-shot closures (easy) or (b) infer closure variables that are always assigned prior
        to first use.
        
        One of the things that this patch is meant to enable is constant inference for closure
        variables that may be part of a multi-shot closure. Closure variables may be
        instantiated multiple times, like:
        
            function foo() {
                var WIDTH = 45;
                function bar() {
                    ... use WIDTH ...
                }
                ...
            }
        
        Even if foo() is called many times and WIDTH is assigned to multiple times, that
        doesn't change the fact that it's a constant. The goal of closure variable constant
        inference is to catch any case where a closure variable has been assigned at least once
        and its value has never changed. This patch doesn't implement that, but it does change
        global variable constant inference to have most of the powers needed to do that. Note
        that most likely we will use this functionality only to implement constant inference
        for one-shot closures, but the resulting machinery is still simpler than what we had
        before.
        
        This involves three changes:
        
            - The watchpoint object now contains the inferred value. This involves creating a
              new kind of watchpoint set, the VariableWatchpointSet. We will reuse this object
              for closure variables.
        
            - Writing to a variable that is watchpointed still involves these three states that
              we proceed through monotonically (Uninitialized->Initialized->Invalidated) but
              now, the Initialized->Invalidated state transition only happens if we change the
              variable's value, rather than store to the variable. Repeatedly storing the same
              value won't change the variable's state.
        
            - On 64-bit systems (the only systems on which we do concurrent JIT), you no longer
              need fancy fencing to get a consistent view of the watchpoint in the JIT. The
              state of the VariableWatchpointSet for the purposes of constant folding is
              entirely encapsulated in the VariableWatchpointSet::m_inferredValue. If that is
              JSValue() then you cannot fold (either because the set is uninitialized or
              because it's invalidated - doesn't matter which); on the other hand if the value
              is anything other than JSValue() then you can fold, and that's the value you fold
              to. Simple!
        
        This also changes the way that DFG IR deals with variable watchpoints. It's now
        oblivious to global variables. You install a watchpoint using VariableWatchpoint and
        you notify write using NotifyWrite. Easy!
        
        Note that this will requires some more tweaks because of the fact that op_enter will
        store Undefined into every captured variable. Hence it won't even work for one-shot
        closures. One-shot closures are easily fixed by introducing another state (so we'll
        have Uninitialized->Undefined->Initialized->Invalidated). Multi-shot closures will
        require static analysis. One-shot closures are clearly a higher priority.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/Instruction.h:
        * bytecode/VariableWatchpointSet.h: Added.
        (JSC::VariableWatchpointSet::VariableWatchpointSet):
        (JSC::VariableWatchpointSet::~VariableWatchpointSet):
        (JSC::VariableWatchpointSet::inferredValue):
        (JSC::VariableWatchpointSet::notifyWrite):
        (JSC::VariableWatchpointSet::invalidate):
        (JSC::VariableWatchpointSet::finalizeUnconditionally):
        (JSC::VariableWatchpointSet::addressOfInferredValue):
        * bytecode/Watchpoint.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasRegisterPointer):
        (JSC::DFG::Node::hasVariableWatchpointSet):
        (JSC::DFG::Node::variableWatchpointSet):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
        * jit/JIT.h:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitPutGlobalVar):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitNotifyWrite):
        (JSC::JIT::emitPutGlobalVar):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSGlobalObject.h:
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::inferredValue):
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::addWatchpoint):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        (JSC::SymbolTable::visitChildren):
        (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup):
        (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup):
        (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::watchpointSet):
        (JSC::SymbolTableEntry::notifyWrite):

2013-11-24  Filip Pizlo  <fpizlo@apple.com>

        Create a new SymbolTable every time code is loaded so that the watchpoints don't get reused
        https://bugs.webkit.org/show_bug.cgi?id=124824

        Reviewed by Oliver Hunt.
        
        This helps with one shot closure inference as well as closure variable constant
        inference, since without this, if code was reloaded from the cache then we would
        think that the first run was actually an Nth run. This would cause us to think that
        the watchpoint(s) should all be invalidated.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::stronglyVisitStrongReferences):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::symbolTable):
        * runtime/Executable.cpp:
        (JSC::FunctionExecutable::symbolTable):
        * runtime/Executable.h:
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::clone):
        * runtime/SymbolTable.h:

2013-11-26  Oliver Hunt  <oliver@apple.com>

        Crash in JSC::ASTBuilder::Expression JSC::Parser<JSC::Lexer<unsigned char> >::parseUnaryExpression<JSC::ASTBuilder>(JSC::ASTBuilder&)
        https://bugs.webkit.org/show_bug.cgi?id=124886

        Reviewed by Sam Weinig.

        Make sure the error macros propagate an existing error before
        trying to create a new error message.  We need to do this as
        the parser state may not be safe for any specific error message
        if we are already unwinding due to an error.

        * parser/Parser.cpp:

2013-11-26  Nadav Rotem  <nrotem@apple.com>

        Optimize away OR with zero - a common ASM.js pattern.
        https://bugs.webkit.org/show_bug.cgi?id=124869

        Reviewed by Filip Pizlo.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):

2013-11-25  Julien Brianceau  <jbriance@cisco.com>

        [arm][mips] Fix crash in dfg-arrayify-elimination layout jsc test.
        https://bugs.webkit.org/show_bug.cgi?id=124839

        Reviewed by Michael Saboff.

        In ARM EABI and MIPS, 64-bit values have to be aligned on stack too.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlines.h:
        (JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.

2013-11-23  Filip Pizlo  <fpizlo@apple.com>

        Fix more fallout from failed attempts at div/mod DFG strength reductions
        https://bugs.webkit.org/show_bug.cgi?id=124813

        Reviewed by Geoffrey Garen.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithMod):

2013-11-22  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSC Obj-C API should have real documentation
        https://bugs.webkit.org/show_bug.cgi?id=124805

        Reviewed by Geoffrey Garen.

        Massaging the header comments into proper headerdocs.

        * API/JSContext.h:
        * API/JSExport.h:
        * API/JSManagedValue.h:
        * API/JSValue.h:
        * API/JSVirtualMachine.h:

2013-11-22  Filip Pizlo  <fpizlo@apple.com>

        CodeBlock::m_numCalleeRegisters shouldn't also mean frame size, frame size needed for exit, or any other unrelated things
        https://bugs.webkit.org/show_bug.cgi?id=124793

        Reviewed by Mark Hahnenberg.
        
        Now m_numCalleeRegisters always refers to the number of locals that the attached
        bytecode uses. It never means anything else.
        
        For frame size, we now have it lazily computed from m_numCalleeRegisters for the
        baseline engines and we have it stored in DFG::CommonData for the optimizing JITs.
        
        For frame-size-needed-at-exit, we store that in DFG::CommonData, too.
        
        The code no longer implies that there is any arithmetic relationship between
        m_numCalleeRegisters and frameSize. Previously it implied that the latter is greater
        than the former.
        
        The code no longer implies that there is any arithmetic relationship between the
        frame Size and the frame-size-needed-at-exit. Previously it implied that the latter
        is greater that the former.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::frameRegisterCount):
        * bytecode/CodeBlock.h:
        * dfg/DFGCommonData.h:
        (JSC::DFG::CommonData::CommonData):
        (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::frameRegisterCount):
        (JSC::DFG::Graph::requiredRegisterCountForExit):
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareOSREntry):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
        * ftl/FTLOSREntry.cpp:
        (JSC::FTL::prepareOSREntry):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::frameExtentInternal):
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::pushFrame):
        * jit/JIT.h:
        (JSC::JIT::frameRegisterCountFor):
        * jit/JITOperations.cpp:
        * llint/LLIntEntrypoint.cpp:
        (JSC::LLInt::frameRegisterCountFor):
        * llint/LLIntEntrypoint.h:

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Combine SymbolTable and SharedSymbolTable
        https://bugs.webkit.org/show_bug.cgi?id=124761

        Reviewed by Geoffrey Garen.
        
        SymbolTable was never used directly; we now always used SharedSymbolTable. So, this
        gets rid of SymbolTable and renames SharedSymbolTable to SymbolTable.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::symbolTable):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::symbolTable):
        (JSC::UnlinkedCodeBlock::symbolTable):
        (JSC::UnlinkedCodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::symbolTable):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::symbolTableFor):
        * runtime/Arguments.h:
        (JSC::Arguments::finishCreation):
        * runtime/Executable.h:
        (JSC::FunctionExecutable::symbolTable):
        * runtime/JSActivation.h:
        (JSC::JSActivation::create):
        (JSC::JSActivation::JSActivation):
        (JSC::JSActivation::registersOffset):
        (JSC::JSActivation::allocationSize):
        * runtime/JSSymbolTableObject.h:
        (JSC::JSSymbolTableObject::symbolTable):
        (JSC::JSSymbolTableObject::JSSymbolTableObject):
        (JSC::JSSymbolTableObject::finishCreation):
        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::JSVariableObject):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTable::destroy):
        (JSC::SymbolTable::SymbolTable):
        * runtime/SymbolTable.h:
        (JSC::SymbolTable::create):
        (JSC::SymbolTable::createStructure):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-11-22  Mark Lam  <mark.lam@apple.com>

        Remove residual references to "dynamicGlobalObject".
        https://bugs.webkit.org/show_bug.cgi?id=124787.

        Reviewed by Filip Pizlo.

        * JavaScriptCore.order:
        * interpreter/CallFrame.h:

2013-11-22  Mark Lam  <mark.lam@apple.com>

        Ensure that arity fixups honor stack alignment requirements.
        https://bugs.webkit.org/show_bug.cgi?id=124756.

        Reviewed by Geoffrey Garen.

        The LLINT and all the JITs rely on CommonSlowPaths::arityCheckFor() to
        compute the arg count adjustment for the arity fixup. We take advantage
        of this choke point and introduce the stack alignment padding there in
        the guise of additional args.

        The only cost of this approach is that the padding will also be
        initialized to undefined values as if they were args. Since arity fixups
        are considered a slow path that is rarely taken, this cost is not a
        concern.

        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        BytecodeGenerator should align the stack according to native conventions
        https://bugs.webkit.org/show_bug.cgi?id=124735

        Reviewed by Mark Lam.
        
        Rolling this back in because it actually fixed fast/dom/gc-attribute-node.html, but
        our infrastructure misleads peole into thinking that fixing a test constitutes
        breaking it.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        (JSC::CallArguments::argumentCountIncludingThis):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Get rid of CodeBlock::dumpStatistics()
        https://bugs.webkit.org/show_bug.cgi?id=124762

        Reviewed by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::~CodeBlock):
        * bytecode/CodeBlock.h:

2013-11-22  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r159652.
        http://trac.webkit.org/changeset/159652
        https://bugs.webkit.org/show_bug.cgi?id=124778

        broke fast/dom/gc-attribute-node.html (Requested by ap on
        #webkit).

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        (JSC::CallArguments::argumentCountIncludingThis):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):
        (JSC::CallArguments::newArgument):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Fix a typo (requriements->requirements).

        * runtime/StackAlignment.h:

2013-11-21  Mark Lam  <mark.lam@apple.com>

        CodeBlock::m_numCalleeRegisters need to honor native stack alignment.
        https://bugs.webkit.org/show_bug.cgi?id=124754.

        Reviewed by Filip Pizlo.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newRegister):
        * dfg/DFGVirtualRegisterAllocationPhase.cpp:
        (JSC::DFG::VirtualRegisterAllocationPhase::run):

2013-11-21  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/124702> Stop overriding VALID_ARCHS.

        All modern versions of Xcode set it appropriately for our needs.

        Reviewed by Alexey Proskuryakov.

        * Configurations/Base.xcconfig:

2013-11-21  Mark Rowe  <mrowe@apple.com>

        <https://webkit.org/b/124701> Fix an error in a few Xcode configuration setting files.

        Reviewed by Alexey Proskuryakov.

        * Configurations/Base.xcconfig:

2013-11-21  Michael Saboff  <msaboff@apple.com>

        ARM64: Implement push/pop equivalents in LLInt
        https://bugs.webkit.org/show_bug.cgi?id=124721

        Reviewed by Filip Pizlo.

        Added pushLRAndFP and popLRAndFP that push and pop the link register and frame pointer register.
        These ops emit code just like what the compiler emits in the prologue and epilogue.  Also changed
        pushCalleeSaves and popCalleeSaves to use the same store pair and load pair instructions to do
        the actually pushing and popping.  Finally changed the implementation of push and pop to raise
        an exception since we don't have (or need) a single register push or pop.

        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:

2013-11-21  Michael Saboff  <msaboff@apple.com>

        JSC: Removed unused opcodes from offline assembler
        https://bugs.webkit.org/show_bug.cgi?id=124749

        Reviewed by Mark Hahnenberg.

        Removed the unused, X86 only peekq and pokeq.

        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:

2013-11-21  Michael Saboff  <msaboff@apple.com>

        REGRESSION(159395) Fix branch8(…, AbsoluteAddress, …) in ARM64 MacroAssembler
        https://bugs.webkit.org/show_bug.cgi?id=124688

        Reviewed by Geoffrey Garen.

        Changed handling of the address for the load8() in the branch8(AbsoluteAddress) to be like
        the rest of the branchXX(AbsoluteAddress) fucntions.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch8):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        BytecodeGenerator should align the stack according to native conventions
        https://bugs.webkit.org/show_bug.cgi?id=124735

        Reviewed by Mark Lam.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::CallArguments::registerOffset):
        (JSC::CallArguments::argumentCountIncludingThis):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::CallArguments::CallArguments):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, preemptive build fix.

        * runtime/StackAlignment.h:
        (JSC::stackAlignmentBytes):
        (JSC::stackAlignmentRegisters):

2013-11-21  Filip Pizlo  <fpizlo@apple.com>

        JSC should know what the stack alignment conventions are
        https://bugs.webkit.org/show_bug.cgi?id=124736

        Reviewed by Mark Lam.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/StackAlignment.h: Added.
        (JSC::stackAlignmentBytes):
        (JSC::stackAlignmentRegisters):

2013-11-21  Balazs Kilvady  <kilvadyb@homejinni.com>

        [MIPS] Build fails since r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124716

        Reviewed by Michael Saboff.

        Add missing implementations in MacroAssembler and LLInt for MIPS.

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::sync):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::store8):
        (JSC::MacroAssemblerMIPS::memoryFence):
        * offlineasm/mips.rb:

2013-11-21  Julien Brianceau  <jbriance@cisco.com>

        Fix sh4 build after r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124713

        Reviewed by Michael Saboff.

        Add missing implementations in macro assembler and LLINT for sh4.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::store8):
        (JSC::MacroAssemblerSH4::memoryFence):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::synco):
        * offlineasm/sh4.rb: Handle "memfence" opcode.

2013-11-20  Mark Lam  <mark.lam@apple.com>

        Introducing VMEntryScope to update the VM stack limit.
        https://bugs.webkit.org/show_bug.cgi?id=124634.

        Reviewed by Geoffrey Garen.

        1. Introduced USE(SEPARATE_C_AND_JS_STACK) (defined in Platform.h).
           Currently, it is hardcoded to use separate C and JS stacks. Once we
           switch to using the C stack for JS frames, we'll need to fix this to
           only be enabled when ENABLE(LLINT_C_LOOP).

        2. Stack limits are now tracked in the VM.

           Logically, there are 2 stack limits:
           a. m_stackLimit for the native C stack, and
           b. m_jsStackLimit for the JS stack.

           If USE(SEPARATE_C_AND_JS_STACK), then the 2 limits are the same
           value, and are implemented as 2 fields in a union.

        3. The VM native stackLimit is set as follows:
           a. Initially, the VM sets it to the limit of the stack of the thread that
              instantiated the VM. This allows the parser and bytecode generator to
              run before we enter the VM to execute JS code.

           b. Upon entry into the VM to execute JS code (via one of the
              Interpreter::execute...() functions), we instantiate a VMEntryScope
              that sets the VM's stackLimit to the limit of the current thread's
              stack. The VMEntryScope will automatically restore the previous
              entryScope and stack limit upon destruction.

           If USE(SEPARATE_C_AND_JS_STACK), the JSStack's methods will set the VM's
           jsStackLimit whenever it grows or shrinks.

        4. The VM now provides a isSafeToRecurse() function that compares the
           current stack pointer against its native stackLimit. This subsumes and
           obsoletes the VMStackBounds class.

        5. The VMEntryScope class also subsumes DynamicGlobalObjectScope for
           tracking the JSGlobalObject that we last entered the VM with.

        6. Renamed dynamicGlobalObject() to vmEntryGlobalObject() since that is
           the value that the function retrieves.

        7. Changed JIT and LLINT code to do stack checks against the jsStackLimit
           in the VM class instead of the JSStack.

        * API/JSBase.cpp:
        (JSEvaluateScript):
        (JSCheckScriptSyntax):
        * API/JSContextRef.cpp:
        (JSGlobalContextRetain):
        (JSGlobalContextRelease):
        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::emitNode):
        (JSC::BytecodeGenerator::emitNodeInConditionContext):
        * debugger/Debugger.cpp:
        (JSC::Debugger::detach):
        (JSC::Debugger::recompileAllJSFunctions):
        (JSC::Debugger::pauseIfNeeded):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::vmEntryGlobalObject):
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOSREntry.cpp:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSREntry.cpp:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::deleteAllCompiledCode):
        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        * interpreter/CallFrame.cpp:
        (JSC::CallFrame::vmEntryGlobalObject):
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        (JSC::unwindCallFrame):
        (JSC::Interpreter::unwind):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        (JSC::Interpreter::executeConstruct):
        (JSC::Interpreter::prepareForRepeatCall):
        (JSC::Interpreter::debug):
        * interpreter/JSStack.cpp:
        (JSC::JSStack::JSStack):
        (JSC::JSStack::growSlowCase):
        * interpreter/JSStack.h:
        * interpreter/JSStackInlines.h:
        (JSC::JSStack::shrink):
        (JSC::JSStack::grow):
        - Moved these inlined functions here from JSStack.h. It reduces some
          #include dependencies of JSSTack.h which had previously resulted
          in some EWS bots' unhappiness with this patch.
        (JSC::JSStack::updateStackLimit):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        * llint/LowLevelInterpreter.asm:
        * parser/Parser.cpp:
        (JSC::::Parser):
        * parser/Parser.h:
        (JSC::Parser::canRecurse):
        * runtime/CommonSlowPaths.h:
        * runtime/Completion.cpp:
        (JSC::evaluate):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/StringRecursionChecker.h:
        (JSC::StringRecursionChecker::performCheck):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::releaseExecutableMemory):
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::addressOfJSStackLimit):
        (JSC::VM::jsStackLimit):
        (JSC::VM::setJSStackLimit):
        (JSC::VM::stackLimit):
        (JSC::VM::setStackLimit):
        (JSC::VM::isSafeToRecurse):
        * runtime/VMEntryScope.cpp: Added.
        (JSC::VMEntryScope::VMEntryScope):
        (JSC::VMEntryScope::~VMEntryScope):
        (JSC::VMEntryScope::requiredCapacity):
        * runtime/VMEntryScope.h: Added.
        (JSC::VMEntryScope::globalObject):
        * runtime/VMStackBounds.h: Removed.

2013-11-20  Michael Saboff  <msaboff@apple.com>

        [Win] JavaScript JIT crash (with DFG enabled).
        https://bugs.webkit.org/show_bug.cgi?id=124675

        Reviewed by Geoffrey Garen.

        Similar to the change in r159427, changed linkClosureCall to use regT0/regT1 (payload/tag) for the callee.
        linkForThunkGenerator already expected the callee in regT0/regT1, but changed the comment to reflect that.

        * jit/Repatch.cpp:
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::linkForThunkGenerator):

2013-11-20  Michael Saboff  <msaboff@apple.com>

        ARMv7: Crash due to use after free of AssemblerBuffer
        https://bugs.webkit.org/show_bug.cgi?id=124611

        Reviewed by Geoffrey Garen.

        Changed JITFinalizer constructor to take a MacroAssemblerCodePtr instead of a Label.
        In finalizeFunction(), we use that value instead of calculating it from the label.

        * assembler/MacroAssembler.cpp:
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::JITFinalizer):
        (JSC::DFG::JITFinalizer::finalizeFunction):
        * dfg/DFGJITFinalizer.h:

2013-11-20  Julien Brianceau  <jbriance@cisco.com>

        Fix CPU(ARM_TRADITIONAL) build after r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124649

        Reviewed by Michael Saboff.

        Add missing memoryFence, load8 and store8 implementations in macro assembler.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::dmbSY):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::load8):
        (JSC::MacroAssemblerARM::store8):
        (JSC::MacroAssemblerARM::memoryFence):

2013-11-20  Julien Brianceau  <jbriance@cisco.com>

        [armv7][arm64] Speculative build fix after r159545.
        https://bugs.webkit.org/show_bug.cgi?id=124646

        Reviewed by Filip Pizlo.

        * assembler/ARMv7Assembler.h:
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::memoryFence):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::memoryFence):

2013-11-19  Ryosuke Niwa  <rniwa@webkit.org>

        Enable HTMLTemplateElement on Mac port
        https://bugs.webkit.org/show_bug.cgi?id=124637

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove completely bogus assertion.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addFunction):

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, debug build fix.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addFunction):

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Infer constant global variables
        https://bugs.webkit.org/show_bug.cgi?id=124464

        Reviewed by Sam Weinig.
        
        All global variables that are candidates for watchpoint-based constant inference (i.e.
        not 'const' variables) will now have WatchpointSet's associated with them and those
        are used to drive the inference by tracking three states of each variable:
        
        Uninitialized: the variable's value is Undefined and the WatchpointSet state is
            ClearWatchpoint.
        
        Initialized: the variable's value was set to something (could even be explicitly set
            to Undefined) and the WatchpointSet state is IsWatching.
        
        Invalidated: the variable's value was set to something else (could even be the same
            thing as before but the point is that a put operation did execute again) and the
            WatchpointSet is IsInvalidated.
        
        If the compiler tries to compile a GetGlobalVar and the WatchpointSet state is
        IsWatching, then the current value of the variable can be folded in place of the get,
        and a watchpoint on the variable can be registered.
        
        We handle race conditions between the mutator and compiler by mandating that:
        
        - The mutator changes the WatchpointSet state after executing the put.
        
        - There is no opportunity to install code or call functions between when the mutator
          executes a put and changes the WatchpointSet state.
        
        - The compiler checks the WatchpointSet state prior to reading the value.
        
        The concrete algorithm used by the mutator is:
        
            1. Store the new value into the variable.
            --- Execute a store-store fence.
            2. Bump the state (ClearWatchpoing becomes IsWatching, IsWatching becomes
               IsInvalidated); the IsWatching->IsInvalidated transition may end up firing
               watchpoints.
        
        The concrete algorithm that the compiler uses is:
        
            1. Load the state. If it's *not* IsWatching, then give up on constant inference.
            --- Execute a load-load fence.
            2. Load the value of the variable and use that for folding, while also registering
               a DesiredWatchpoint. The various parts of this step can be done in any order.
        
        The desired watchpoint registration will fail if the watchpoint set is already
        invalidated. Now consider the following interesting interleavings:
        
        Uninitialized->M1->M2->C1->C2: Compiler sees IsWatching because of the mutator's store
            operation, and the variable is folded. The fencing ensures that C2 sees the value
            stored in M1 - i.e. we fold on the value that will actually be watchpointed. If
            before the compilation is installed the mutator executes another store then we
            will be sure that it will be a complete sequence of M1+M2 since compilations get
            installed at safepoints and never "in the middle" of a put_to_scope. Hence that
            compilation installation will be invalidated. If the M1+M2 sequence happens after
            the code is installed, then the code will be invalidated by triggering a jettison.
        
        Uninitialized->M1->C1->C2->M2: Compiler sees Uninitialized and will not fold. This is
            a sensible outcome since if the compiler read the variable's value, it would have
            seen Undefined.
        
        Uninitialized->C1->C2->M1->M2: Compiler sees Uninitialized and will not fold.
        Uninitialized->C1->M1->C2->M2: Compiler sees Uninitialized and will not fold.
        Uninitialized->C1->M1->M2->C2: Compiler sees Uninitialized and will not fold.
        Uninitialized->M1->C1->M2->C2: Compiler sees Uninitialized and will not fold.
        
        IsWatched->M1->M2->C1->C2: Compiler sees IsInvalidated and will not fold.
        
        IsWatched->M1->C1->C2->M2: Compiler will fold, but will also register a desired
            watchpoint, and that watchpoint will get invalidated before the code is installed.
        
        IsWatched->M1->C1->M2->C2: As above, will fold but the code will get invalidated.
        IsWatched->C1->C2->M1->M2: As above, will fold but the code will get invalidated.
        IsWatched->C1->M1->C2->M2: As above, will fold but the code will get invalidated.
        IsWatched->C1->M1->M2->C2: As above, will fold but the code will get invalidated.
        
        Note that this kind of reasoning shows why having the mutator first bump the state and
        then store the new value would be wrong. If we had done that (M1 = bump state, M2 =
        execute put) then we could have the following deadly interleavings:
        
        Uninitialized->M1->C1->C2->M2:
        Uninitialized->M1->C1->M2->C2: Mutator bumps the state to IsWatched and then the
            compiler folds Undefined, since M2 hasn't executed yet. Although C2 will set the
            watchpoint, M1 didn't notify it - it mearly initiated watching. M2 then stores a
            value other than Undefined, and you're toast.
        
        You could fix this sort of thing by making the Desired Watchpoints machinery more
        sophisticated, for example having it track the value that was folded; if the global
        variable's value was later found to be different then we could invalidate the
        compilation. You could also fix it by having the compiler also check that the value of
        the variable is not Undefined before folding. While those all sound great, I decided
        to instead just use the right interleaving since that results in less code and feels
        more intuitive.
        
        This is a 0.5% speed-up on SunSpider, mostly due to a 20% speed-up on math-cordic.
        It's a 0.6% slow-down on LongSpider, mostly due to a 25% slow-down on 3d-cube. This is
        because 3d-cube takes global variable assignment slow paths very often. Note that this
        3d-cube slow-down doesn't manifest as much in SunSpider (only 6% there). This patch is
        also a 1.5% speed-up on V8v7 and a 2.8% speed-up on Octane v1, mostly due to deltablue
        (3.7%), richards (4%), and mandreel (26%). This is a 2% speed-up on Kraken, mostly due
        to a 17.5% speed-up on imaging-gaussian-blur. Something that really illustrates the
        slam-dunk-itude of this patch is the wide range of speed-ups on JSRegress. Casual JS
        programming often leads to global-var-based idioms and those variables tend to be
        assigned once, leading to excellent constant folding opportunities in an optimizing
        JIT. This is very evident in the speed-ups on JSRegress.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::dmbSY):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::dmbSY):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::memfence):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::load8):
        (JSC::MacroAssemblerARMv7::memfence):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::load8):
        (JSC::MacroAssemblerX86::store8):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::getUnusedRegister):
        (JSC::MacroAssemblerX86Common::store8):
        (JSC::MacroAssemblerX86Common::memoryFence):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::load8):
        (JSC::MacroAssemblerX86_64::store8):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::movb_rm):
        (JSC::X86Assembler::movzbl_mr):
        (JSC::X86Assembler::mfence):
        (JSC::X86Assembler::X86InstructionFormatter::threeByteOp):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::WatchpointSet):
        (JSC::WatchpointSet::add):
        (JSC::WatchpointSet::notifyWriteSlow):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::state):
        (JSC::WatchpointSet::isStillValid):
        (JSC::WatchpointSet::addressOfSetIsNotEmpty):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStronglyProvedConstantIn):
        (JSC::DFG::Node::hasIdentifierNumberForCheck):
        (JSC::DFG::Node::hasRegisterPointer):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNotifyPutGlobalVar):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbbreviatedTypes.h:
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildFence):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNotifyPutGlobalVar):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::fence):
        * jit/JIT.h:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitPutGlobalVar):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitSlow_op_put_to_scope):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * llvm/LLVMAPIFunctions.h:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/cloop.rb:
        * offlineasm/instructions.rb:
        * offlineasm/x86.rb:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::addGlobalVar):
        (JSC::JSGlobalObject::addFunction):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::addVar):
        (JSC::JSGlobalObject::addConst):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        * runtime/JSSymbolTableObject.h:
        (JSC::symbolTablePut):
        (JSC::symbolTablePutWithAttributes):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::couldBeWatched):
        (JSC::SymbolTableEntry::prepareToWatch):
        (JSC::SymbolTableEntry::notifyWriteSlow):
        * runtime/SymbolTable.h:

2013-11-19  Michael Saboff  <msaboff@apple.com>

        REGRESSION(158384) ARMv7 point checks too restrictive for native calls to traditional ARM code
        https://bugs.webkit.org/show_bug.cgi?id=124612

        Reviewed by Geoffrey Garen.

        Removed ASSERT checks (i.e. lower bit set) for ARM Thumb2 destination addresses related to
        calls since we are calling native ARM traditional functions like sin() and cos().

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::linkCall):
        (JSC::ARMv7Assembler::relinkCall):
        * assembler/MacroAssemblerCodeRef.h:

2013-11-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r159459.
        http://trac.webkit.org/changeset/159459
        https://bugs.webkit.org/show_bug.cgi?id=124616

        tons of assertions on launch (Requested by thorton on
        #webkit).

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):

2013-11-19  Filip Pizlo  <fpizlo@apple.com>

        Rename WatchpointSet::notifyWrite() should be renamed to WatchpointSet::fireAll()
        https://bugs.webkit.org/show_bug.cgi?id=124609

        Rubber stamped by Mark Lam.
        
        notifyWrite() is a thing that SymbolTable does. WatchpointSet uses that terminology
        because it was original designed to match exactly SymbolTable's semantics. But now
        it's a confusing term.

        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::fireAllSlow):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::fireAll):
        (JSC::InlineWatchpointSet::fireAll):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        (JSC::JSFunction::defineOwnProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::haveABadTime):
        * runtime/Structure.h:
        (JSC::Structure::notifyTransitionFromThisStructure):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::notifyWriteSlow):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r159395): Error compiling for ARMv7
        https://bugs.webkit.org/show_bug.cgi?id=124552

        Reviewed by Geoffrey Garen.

        Fixed the implementation of branch8(RelationalCondition cond, AbsoluteAddress address, TrustedImm32 right)
        to materialize and use address similar to other ARMv7 branchXX() functions.

        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branch8):

2013-11-19  Mark Lam  <mark.lam@apple.com>

        Add tracking of endColumn for Executables.
        https://bugs.webkit.org/show_bug.cgi?id=124245.

        Reviewed by Geoffrey Garen.

        1. Fixed computation of columns to take into account the startColumn from
           <script> tags. Previously, we were only computing the column relative
           to the char after the <script> tag. Now, the column number that JSC
           computes is always the column number you'll see when viewing the source
           in a text editor (assuming the first column position is 1, not 0).

        2. Previously, unlinkedExecutables kept the a base-1 startColumn for
           ProgramExecutables and EvalExecutables, but uses base-0 columns for
           FunctionExecutables. This has been fixed so that they all use base-0
           columns. When the executable gets linked, the column is adjusted into
           a base-1 value.

        3. In the UnlinkedFunctionExecutable, renamed m_functionStartOffset to
           m_unlinkedFunctionNameStart because it actually points to the start
           column in the name part of the function declaration.

           Similarly, renamed m_functionStartColumn to m_unlinkedBodyStartColumn
           because it points to the first character in the function body. This is
           usually '{' except for functions created from "global code" which
           excludes its braces. See FunctionExecutable::fromGlobalCode().

               The exclusion of braces for the global code case is needed so that
           computed start and end columns will more readily map to what a JS
           developer would expect them to be. Otherwise, the first column of the
           function source will not be 1 (includes prepended characters added in
           constructFunctionSkippingEvalEnabledCheck()).

           Also, similarly, a m_unlinkedBodyEndColumn has been added to track the
           end column of the UnlinkedFunctionExecutable.

        4. For unlinked executables, end column values are either:
           a. Relative to the start of the last line if (last line != first line).
           b. Relative to the start column position if (last line == first line).

           The second case is needed so that we can add an appropriate adjustment
           to the end column value (just like we do for the start column) when we
           link the executable.

        5. This is not new to this patch, but it worth noting that the lineCount
           values used through this patch has the following meaning:
           - a lineCount of 0 means the source for this code block is on 1 line.
           - a lineCount of N means there are N + l lines of source.

           This interpretation is janky, but was present before this patch. We can
           clean that up later in another patch.


        * JavaScriptCore.xcodeproj/project.pbxproj:
        - In order to implement WebCore::Internals::parserMetaData(), we need to
          move some seemingly unrelated header files from the Project section to
          the Private section so that they can be #include'd by the forwarding
          CodeBlock.h from WebCore.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::sourceCodeForTools):
        (JSC::CodeBlock::CodeBlock):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::generateFunctionCodeBlock):
        (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
        - m_isFromGlobalCode is needed to support the exclusion of the open brace /
          prepended code for functions created from "global code".
        (JSC::UnlinkedFunctionExecutable::link):
        (JSC::UnlinkedFunctionExecutable::fromGlobalCode):
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedFunctionExecutable::create):
        (JSC::UnlinkedFunctionExecutable::unlinkedFunctionNameStart):
        (JSC::UnlinkedFunctionExecutable::unlinkedBodyStartColumn):
        (JSC::UnlinkedFunctionExecutable::unlinkedBodyEndColumn):
        (JSC::UnlinkedFunctionExecutable::recordParse):
        (JSC::UnlinkedCodeBlock::recordParse):
        (JSC::UnlinkedCodeBlock::endColumn):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::FunctionBodyNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionBody):
        (JSC::ASTBuilder::setFunctionNameStart):
        * parser/Lexer.cpp:
        (JSC::::shiftLineTerminator):
        - Removed an unused SourceCode Lexer<T>::sourceCode() function.
        * parser/Lexer.h:
        (JSC::Lexer::positionBeforeLastNewline):
        (JSC::Lexer::prevTerminator):
        - Added tracking of m_positionBeforeLastNewline in the Lexer to enable us
          to exclude the close brace / appended code for functions created from "global
          code".
        * parser/Nodes.cpp:
        (JSC::ProgramNode::ProgramNode):
        (JSC::ProgramNode::create):
        (JSC::EvalNode::EvalNode):
        (JSC::EvalNode::create):
        (JSC::FunctionBodyNode::FunctionBodyNode):
        (JSC::FunctionBodyNode::create):
        (JSC::FunctionBodyNode::setEndPosition):
        - setEndPosition() is needed to fixed up the end position so that we can
          exclude the close brace / appended code for functions created from "global
          code".
        * parser/Nodes.h:
        (JSC::ProgramNode::startColumn):
        (JSC::ProgramNode::endColumn):
        (JSC::EvalNode::startColumn):
        (JSC::EvalNode::endColumn):
        (JSC::FunctionBodyNode::setFunctionNameStart):
        (JSC::FunctionBodyNode::functionNameStart):
        (JSC::FunctionBodyNode::endColumn):
        * parser/Parser.cpp:
        (JSC::::parseFunctionBody):
        (JSC::::parseFunctionInfo):
        * parser/Parser.h:
        (JSC::Parser::positionBeforeLastNewline):
        (JSC::::parse):
        - Subtracted 1 from startColumn here to keep the node column values consistently
          base-0. See note 2 above.
        (JSC::parse):
        * parser/SourceProviderCacheItem.h:
        (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::setFunctionNameStart):
        * runtime/CodeCache.cpp:
        (JSC::CodeCache::getGlobalCodeBlock):
        (JSC::CodeCache::getProgramCodeBlock):
        (JSC::CodeCache::getEvalCodeBlock):
        (JSC::CodeCache::getFunctionExecutableFromGlobalCode):
        * runtime/CodeCache.h:
        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):
        (JSC::FunctionExecutable::FunctionExecutable):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        (JSC::FunctionExecutable::fromGlobalCode):
        * runtime/Executable.h:
        (JSC::ExecutableBase::isEvalExecutable):
        (JSC::ExecutableBase::isProgramExecutable):
        (JSC::ScriptExecutable::ScriptExecutable):
        (JSC::ScriptExecutable::endColumn):
        (JSC::ScriptExecutable::recordParse):
        (JSC::FunctionExecutable::create):
        (JSC::FunctionExecutable::bodyIncludesBraces):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/FunctionPrototype.cpp:
        (JSC::insertSemicolonIfNeeded):
        (JSC::functionProtoFuncToString):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::createProgramCodeBlock):
        (JSC::JSGlobalObject::createEvalCodeBlock):

2013-11-19  Dean Jackson  <dino@apple.com>

        MarkedSpace::resumeAllocating needs to delay release
        https://bugs.webkit.org/show_bug.cgi?id=124596

        Reviewed by Geoffrey Garen.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::resumeAllocating): Add DelayedReleaseScope protection.

2013-11-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        IncrementalSweeper needs to use DelayedReleaseScope too
        https://bugs.webkit.org/show_bug.cgi?id=124558

        Reviewed by Filip Pizlo.

        It does sweeping too, so it needs to use it. Also refactored an
        ASSERT that should have caught this sooner.

        * heap/DelayedReleaseScope.h:
        (JSC::DelayedReleaseScope::isInEffectFor):
        * heap/IncrementalSweeper.cpp:
        (JSC::IncrementalSweeper::doSweep):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweep):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweep):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        ARM64 CRASH: Debug builds crash in emitPointerValidation()
        https://bugs.webkit.org/show_bug.cgi?id=124545

        Reviewed by Filip Pizlo.

        Changed emitPointerValidation() to use pushToSave() and popToRestore() as
        all macro assemblers have an implementation of these functions.

        * jit/ThunkGenerators.cpp:
        (JSC::emitPointerValidation):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        ARM64: Update getHostCallReturnValue() to use architected frame pointer register
        https://bugs.webkit.org/show_bug.cgi?id=124520

        Reviewed by Filip Pizlo.

        Changed from using the prior JSC specific x25 callframe register to the ARM64
        architected x29 (fp) register.  This change should have been done as part of
        https://bugs.webkit.org/show_bug.cgi?id=123956.

        * jit/JITOperations.cpp:

2013-11-18  Filip Pizlo  <fpizlo@apple.com>

        put_to_scope[5] should not point to the structure if it's a variable access, but it should point to the WatchpointSet
        https://bugs.webkit.org/show_bug.cgi?id=124539

        Reviewed by Mark Hahnenberg.
        
        This is in preparation for getting put_to_scope to directly invalidate the watchpoint set
        on stores, which will allow us to run constant inference on all globals.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        (JSC::CodeBlock::finalizeUnconditionally):
        * bytecode/Instruction.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * runtime/JSScope.cpp:
        (JSC::abstractAccess):
        (JSC::JSScope::abstractResolve):
        * runtime/JSScope.h:
        (JSC::ResolveOp::ResolveOp):
        * runtime/SymbolTable.h:
        (JSC::SymbolTableEntry::watchpointSet):

2013-11-18  Mark Hahnenberg  <mhahnenberg@apple.com>

        APIEntryShims need some love
        https://bugs.webkit.org/show_bug.cgi?id=124540

        Reviewed by Filip Pizlo.

        We were missing them in key places which some other hacking revealed. These could have manifested as
        race conditions for VMs being used in multithreaded environments.

        * API/JSContext.mm:
        (-[JSContext setException:]):
        (-[JSContext wrapperForObjCObject:]):
        (-[JSContext wrapperForJSObject:]):
        * API/JSContextRef.cpp:
        (JSContextGroupRelease):
        (JSGlobalContextRelease):
        * API/JSManagedValue.mm:
        (-[JSManagedValue initWithValue:]):
        (-[JSManagedValue value]):
        * API/JSObjectRef.cpp:
        (JSObjectIsFunction):
        (JSObjectCopyPropertyNames):
        * API/JSValue.mm:
        (containerValueToObject):
        * API/JSWrapperMap.mm:
        (tryUnwrapObjcObject):

2013-11-18  Filip Pizlo  <fpizlo@apple.com>

        Allow the FTL debug dumps to include the new size field
        https://bugs.webkit.org/show_bug.cgi?id=124479

        Reviewed by Mark Hahnenberg.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        * ftl/FTLStackMaps.h:

2013-11-18  peavo@outlook.com  <peavo@outlook.com>

        [Win] Link fails when DFG JIT is enabled.
        https://bugs.webkit.org/show_bug.cgi?id=123614

        Reviewed by Brent Fulgham.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added new files.
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.

2013-11-18  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Add missing implementation in MacroAssembler to fix build (broken since r159395).
        https://bugs.webkit.org/show_bug.cgi?id=124484

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load8):
        (JSC::MacroAssemblerSH4::branch8):

2013-11-18  Michael Saboff  <msaboff@apple.com>

        ARM64 CRASH: Improper offset in getHostCallReturnValue() to access callerFrame in CallFrame
        https://bugs.webkit.org/show_bug.cgi?id=124481

        Reviewed by Mark Lam.

        Fixed the offset to access CallerFrame in the ARM64 version of getHostCallReturnValue() to be 0
        to correspond with the change in CallFrame layout done in r158315.

        * jit/JITOperations.cpp:

2013-11-18  Michael Saboff  <msaboff@apple.com>

        Crash in virtualForThunkGenerator generated code on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=124447

        Reviewed by Geoffrey Garen.

        The baseline JIT generates slow path call code with the caller in regT0.  The DFG
        generates call code with the caller in nonArgGPR0.  The virtualForThunkGenerator
        generates code with the caller in nonArgGPR0.  For X86 and X86_64, regT0 and nonArgGPR0
        are the same CPU register, eax.  For other platforms this isn't the case.  The same
        issue exists for JSVALUE32_64 ports as well, where there also is an issue with the callee
        tag registers being regT1 and nonArgGPR1 in the various locations.

        Changed nonArgGPR0, nonArgGPR1 and nonArgGPR2 for X86 and X86_64 to not match up with
        regT0-2.  Changing these registers will cause a crash on all ports should we have a
        similar problem in the future.  Changed the DFG call generating code to use regT0 and
        regT1.  Now all slow path call code is generated using regT0 and for JSVALUE32_64 regT1.
        Added r12 to X86_64 as a new temp register (regT9) and moved r13 down to regT10.
        The new temp register decreases the likelihood of inadvertant register overlap.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/ThunkGenerators.cpp:
        (JSC::virtualForThunkGenerator):

2013-11-18  Balazs Kilvady  <kilvadyb@homejinni.com>

        Add missing load8/branch8 with AbsoluteAddress parameter to MIPS port.

        [MIPS] Build fails since r159395.
        https://bugs.webkit.org/show_bug.cgi?id=124491

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::load8):
        (JSC::MacroAssemblerMIPS::branch8):

2013-11-18  Csaba Osztrogonác  <ossy@webkit.org>

        REGRESSION(r159351): It made zillion tests assert on !CF platforms
        https://bugs.webkit.org/show_bug.cgi?id=124490

        Reviewed by Mark Hahnenberg.

        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweep):

2013-11-18  Julien Brianceau  <jbriance@cisco.com>

        Remove architecture specific code in LowLevelInterpreter.
        https://bugs.webkit.org/show_bug.cgi?id=124501

        Reviewed by Michael Saboff.

        * llint/LowLevelInterpreter.asm: Use generic path instead of sh4 specific code.
        * llint/LowLevelInterpreter32_64.asm: Merge sh4/mips path with arm path. The
        "move t0, a0" is not needed for arm because t0 == a0 with this architecture.
        * offlineasm/sh4.rb: Handle move opcode with pr register.

2013-11-18  Julien Brianceau  <jbriance@cisco.com>

        [arm] Add missing implementation in MacroAssembler to fix build (broken since r159395).
        https://bugs.webkit.org/show_bug.cgi?id=124488

        Reviewed by Zoltan Herczeg.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branch8):

2013-11-17  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix revertJumpReplacementToBranchPtrWithPatch in MacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=124468

        Reviewed by Michael Saboff.

        Current implementation of revertJumpReplacementToBranchPtrWithPatch is wrong in
        the sh4 MacroAssembler part, leading to random instabilities. This patch fixes it
        and also renames the bad-named revertJumpToMove to revertJumpReplacementToBranchPtrWithPatch
        in the SH4Assembler.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::replaceWithJump):
        (JSC::SH4Assembler::revertJumpReplacementToBranchPtrWithPatch):

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        Simplify WatchpointSet state tracking
        https://bugs.webkit.org/show_bug.cgi?id=124465

        Reviewed by Sam Weinig.
        
        We previously represented the state of watchpoint sets using two booleans. But that
        makes it awkward to case over the state.
        
        We also previously supported a watchpoint set being both watched and invalidated. We
        never used that capability, and its presence was just purely confusing.
        
        This turns the whole thing into an enum.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch8):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::branch8):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::branch8):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::branch8):
        * bytecode/Watchpoint.cpp:
        (JSC::WatchpointSet::WatchpointSet):
        (JSC::WatchpointSet::add):
        (JSC::WatchpointSet::notifyWriteSlow):
        (JSC::InlineWatchpointSet::inflateSlow):
        * bytecode/Watchpoint.h:
        (JSC::WatchpointSet::state):
        (JSC::WatchpointSet::isStillValid):
        (JSC::WatchpointSet::startWatching):
        (JSC::WatchpointSet::notifyWrite):
        (JSC::WatchpointSet::addressOfState):
        (JSC::InlineWatchpointSet::InlineWatchpointSet):
        (JSC::InlineWatchpointSet::hasBeenInvalidated):
        (JSC::InlineWatchpointSet::startWatching):
        (JSC::InlineWatchpointSet::notifyWrite):
        (JSC::InlineWatchpointSet::decodeState):
        (JSC::InlineWatchpointSet::encodeState):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitVarInjectionCheck):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitVarInjectionCheck):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::JSFunction):
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::JSFunction):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/SymbolTable.cpp:
        (JSC::SymbolTableEntry::attemptToWatch):
        * runtime/SymbolTable.h:

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        FTL should have an explicit notion of bytecode liveness
        https://bugs.webkit.org/show_bug.cgi?id=124181

        Reviewed by Sam Weinig.
        
        This makes FTL OSR exit use bytecode liveness analysis to determine which variables
        to include values for. The decision of how to get the values of variables is based on
        forward propagation of MovHints and SetLocals.
        
        This fixes a bunch of bugs (like https://bugs.webkit.org/show_bug.cgi?id=124138 but
        also others that I noticed when I started writing more targetted tests) and allows us
        to remove some sketchy code.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeBasicBlock.h:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::isValidRegisterForLiveness):
        (JSC::setForOperand):
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        (JSC::stepOverInstruction):
        (JSC::computeLocalLivenessForBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::getLivenessInfo):
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h: Added.
        (JSC::operandIsAlwaysLive):
        (JSC::operandThatIsNotAlwaysLiveIsLive):
        (JSC::operandIsLive):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::captureCount):
        (JSC::CodeBlock::captureStart):
        (JSC::CodeBlock::captureEnd):
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::dumpInContext):
        * bytecode/FullBytecodeLiveness.h: Added.
        (JSC::FullBytecodeLiveness::FullBytecodeLiveness):
        (JSC::FullBytecodeLiveness::getOut):
        (JSC::FullBytecodeLiveness::operandIsLive):
        (JSC::FullBytecodeLiveness::getLiveness):
        * dfg/DFGAvailability.cpp: Added.
        (JSC::DFG::Availability::dump):
        (JSC::DFG::Availability::dumpInContext):
        * dfg/DFGAvailability.h: Added.
        (JSC::DFG::Availability::Availability):
        (JSC::DFG::Availability::unavailable):
        (JSC::DFG::Availability::withFlush):
        (JSC::DFG::Availability::withNode):
        (JSC::DFG::Availability::withUnavailableNode):
        (JSC::DFG::Availability::nodeIsUndecided):
        (JSC::DFG::Availability::nodeIsUnavailable):
        (JSC::DFG::Availability::hasNode):
        (JSC::DFG::Availability::node):
        (JSC::DFG::Availability::flushedAt):
        (JSC::DFG::Availability::operator!):
        (JSC::DFG::Availability::operator==):
        (JSC::DFG::Availability::merge):
        (JSC::DFG::Availability::mergeNodes):
        (JSC::DFG::Availability::unavailableMarker):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        * dfg/DFGFlushFormat.cpp:
        (WTF::printInternal):
        * dfg/DFGFlushFormat.h:
        (JSC::DFG::resultFor):
        (JSC::DFG::useKindFor):
        (JSC::DFG::dataFormatFor):
        * dfg/DFGFlushedAt.cpp:
        (JSC::DFG::FlushedAt::dump):
        * dfg/DFGFlushedAt.h:
        (JSC::DFG::FlushedAt::FlushedAt):
        (JSC::DFG::FlushedAt::merge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::livenessFor):
        (JSC::DFG::Graph::isLiveInBytecode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::baselineCodeBlockFor):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGResurrectionForValidationPhase.cpp: Added.
        (JSC::DFG::ResurrectionForValidationPhase::ResurrectionForValidationPhase):
        (JSC::DFG::ResurrectionForValidationPhase::run):
        (JSC::DFG::performResurrectionForValidation):
        * dfg/DFGResurrectionForValidationPhase.h: Added.
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * dfg/DFGValueSource.h:
        (JSC::DFG::ValueSource::forFlushFormat):
        * dfg/DFGVariableAccessData.h:
        * ftl/FTLExitValue.cpp:
        (JSC::FTL::ExitValue::dumpInContext):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::fpr):
        (JSC::FTL::Location::directGPR):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileBlock):
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
        (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
        (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
        (JSC::FTL::LowerDFGToLLVM::observeMovHint):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::alloca):
        * ftl/FTLValueSource.cpp: Removed.
        * ftl/FTLValueSource.h: Removed.
        * llvm/LLVMAPIFunctions.h:
        * runtime/DumpContext.cpp:
        (JSC::DumpContext::DumpContext):
        * runtime/DumpContext.h:
        * runtime/Options.h:
        * runtime/SymbolTable.h:
        (JSC::SharedSymbolTable::captureStart):
        (JSC::SharedSymbolTable::captureEnd):
        (JSC::SharedSymbolTable::captureCount):

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSActivation.h.

        Rubber stamped by Mark Hahnenberg.

        * runtime/JSActivation.h:

2013-11-16  Filip Pizlo  <fpizlo@apple.com>

        Fix indentation of JSVariableObject.h.

        Rubber stamped by Mark Hahnenberg.
        
        I'm about to do some damage to this file. I wanted to give it some sanity first.

        * runtime/JSVariableObject.h:

2013-11-16  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix build (broken since r159346).
        https://bugs.webkit.org/show_bug.cgi?id=124455

        Reviewed by Oliver Hunt.

        Fix LLINT implementation for sh4 architecture to handle properly load and store operations with pr register.

        * offlineasm/sh4.rb:

2013-11-15  Alexey Proskuryakov  <ap@apple.com>

        Support exporting symmetric keys as JWK
        https://bugs.webkit.org/show_bug.cgi?id=124442

        Reviewed by Sam Weinig.

        * runtime/JSONObject.h: Export JSONStringify.

2013-11-15  peavo@outlook.com  <peavo@outlook.com>

        [Win] JavaScript crashes on 64-bit with JIT enabled.
        https://bugs.webkit.org/show_bug.cgi?id=124409

        Reviewed by Michael Saboff.

        These are issues found with JIT on 64-bit:
        - The registers rsi and rdi in callToJavaScript needs to be saved and restored. This is required by the Windows 64-bit ABI.
        - The getHostCallReturnValue function needs to be updated according to it's GCC counterpart.
        - The poke argument offset needs to be 20h, because Windows 64-bit ABI requires stack space allocated for the 4 argument registers.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Re-added JITStubsMSVC64.asm to project.
        * jit/CCallHelpers.h: Set poke argument offset.
        (JSC::CCallHelpers::setupArguments): Compile fix, added needed method.
        * jit/JITStubsMSVC64.asm: Save and restore registers rsi and rdi.
                                  Update getHostCallReturnValue according to the GCC version.

2013-11-14  David Farler  <dfarler@apple.com>

        Copy ASAN flag settings to WebCore and JavaScriptCore intermediate build tools
        https://bugs.webkit.org/show_bug.cgi?id=124362

        Reviewed by David Kilzer.

        * Configurations/ToolExecutable.xcconfig:
        Use ASAN_C*FLAGS.

2013-11-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove JSChunk
        https://bugs.webkit.org/show_bug.cgi?id=124435

        Reviewed by Geoffrey Garen.

        It's empty and has been since it was added 3 years ago.

        * CMakeLists.txt:
        * runtime/JSChunk.cpp: Removed.
        * runtime/JSChunk.h: Removed.

2013-11-15  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove VTableSpectrum
        https://bugs.webkit.org/show_bug.cgi?id=124427

        Reviewed by Filip Pizlo.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::lastChanceToFinalize):
        * heap/Heap.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::callDestructor):
        * heap/SlotVisitor.cpp:
        (JSC::visitChildren):
        * heap/SlotVisitor.h:
        * heap/VTableSpectrum.cpp: Removed.
        * heap/VTableSpectrum.h: Removed.

2013-11-14  Mark Hahnenberg  <mhahnenberg@apple.com>

        -dealloc callbacks from wrapped Objective-C objects can happen at bad times
        https://bugs.webkit.org/show_bug.cgi?id=123821

        Reviewed by Darin Adler.

        Currently with the JSC Obj-C API, JS wrappers for client Obj-C objects retain their associated Obj-C 
        object. When they are swept, they release their Obj-C objects which can trigger a call to that 
        object's -dealloc method. These -dealloc methods can then call back into the same VM, which is not 
        allowed during sweeping or VM shutdown.

        We can handle this case by creating our own pool of Obj-C objects to be released when it is safe to do so.
        This is accomplished by using DelayedReleaseScope, an RAII-style object that will retain all objects
        that are unsafe to release until the end of the DelayedReleaseScope.

        * API/APIShims.h:
        (JSC::APICallbackShim::APICallbackShim):
        (JSC::APICallbackShim::vmForDropAllLocks):
        (JSC::APICallbackShim::execForDropAllLocks):
        * API/JSAPIWrapperObject.mm:
        (JSAPIWrapperObjectHandleOwner::finalize):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunctionImpl::destroy):
        (JSC::ObjCCallbackFunction::destroy):
        * API/tests/testapi.mm:
        (-[TinyDOMNode initWithVirtualMachine:]):
        (-[TinyDOMNode dealloc]):
        (-[TinyDOMNode appendChild:]):
        (-[TinyDOMNode removeChildAtIndex:]):
        (-[EvilAllocationObject initWithContext:]):
        (-[EvilAllocationObject dealloc]):
        (-[EvilAllocationObject doEvilThingsWithContext:]):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/DelayedReleaseScope.h: Added.
        (JSC::DelayedReleaseScope::DelayedReleaseScope):
        (JSC::DelayedReleaseScope::~DelayedReleaseScope):
        (JSC::DelayedReleaseScope::releaseSoon):
        (JSC::MarkedSpace::releaseSoon):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/Heap.h:
        (JSC::Heap::releaseSoon):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::allocateSlowCase):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::MarkedSpace):
        (JSC::MarkedSpace::lastChanceToFinalize):
        (JSC::MarkedSpace::sweep):
        * heap/MarkedSpace.h:

2013-11-15  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r158586): callToJavaScript needs to save return PC to Sentinel frame
        https://bugs.webkit.org/show_bug.cgi?id=124420

        Reviewed by Filip Pizlo.

        Save the return PC into the sentinel frame.

        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2013-11-14  Oliver Hunt  <oliver@apple.com>

        Make CLoop easier to build, and make it work
        https://bugs.webkit.org/show_bug.cgi?id=124359

        Reviewed by Geoffrey Garen.

        Add --cloop to build-jsc, build-webkit and friends.

        Also make CLoop build and work again - This meant adding a
        couple of missing ENABLE(DFG_JIT) blocks, and fixing a few 
        other references.

        * Configurations/FeatureDefines.xcconfig:
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/DFGExitProfile.cpp:
        * dfg/DFGCapabilities.cpp:
        * dfg/DFGCompilationKey.cpp:
        * dfg/DFGCompilationMode.cpp:
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):

2013-11-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r159276): Fix lots of crashes for arm_traditional architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124365

        Reviewed by Oliver Hunt.

        Crashes were caused by a mixup between regular registers and temporary registers in ARM_EXTRA_GPRS.

        * llint/LowLevelInterpreter32_64.asm: Warning, t3 != a3. It's safer to use an implementation using aX
        registers like the MIPS one for cCallX macros.
        * offlineasm/arm.rb: Rearrange ARM_EXTRA_GPRS according to the new register distribution in LLINT.

2013-11-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r159276): rbp register overwritten in Win 64 version of callToJavascript stub
        https://bugs.webkit.org/show_bug.cgi?id=124361

        Reviewed by Oliver Hunt.

        Swapped operand ordering to: mov rax, rbp

        * jit/JITStubsMSVC64.asm:

2013-11-14  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION (r159276): Fix lots of crashes for sh4 architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124347

        Reviewed by Michael Saboff.

        Since r159276, we have (t4 == a0 == r4) and (t5 == a1 == r5) in LLINT for sh4.
        This leads to argument register trampling in cCallX macros, especially with cCall2
        macro when arg1 == t4.

        * llint/LowLevelInterpreter32_64.asm: Use a new "setargs" pseudo-op to setup arguments for sh4.
        * offlineasm/instructions.rb:
        * offlineasm/sh4.rb: Lower "setargs" pseudo-op to setup argument registers and prevent register trampling issues.

2013-11-14  Julien Brianceau  <jbriance@cisco.com>

        Fix build for sh4 architectures (broken since r159276).
        https://bugs.webkit.org/show_bug.cgi?id=124344

        Reviewed by Csaba Osztrogonác.

        * offlineasm/sh4.rb: There is no fp alias for r14 register for sh4.

2013-11-13  Michael Saboff  <msaboff@apple.com>

        Change callToJavaScript thunk into an offline assembled stub
        https://bugs.webkit.org/show_bug.cgi?id=124251

        Reviewed by Geoffrey Garen.

        Changed callToJavaScript and throwNotCaught into stubs generated by the offline assembler.
        Added popCalleeSaves and pushCalleeSaves pseudo ops to the offline assembler to handle
        the saving and restoring of callee save registers.  Fixed callFrameRegister differences
        between arm traditional (r11) and arm Thumb2 (r7) in GPRInfo.h.  Also fixed implementation
        of pop & push in arm.rb.

        Since the offline assembler and therefore the LLInt don't work on Windows, the Windows stubs
        are handled as inline assembly in JITStubsX86.h and JITStubsMSVC64.asm.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):
        * jit/JITCode.cpp:
        (JSC::JITCode::execute):
        * jit/JITExceptions.cpp:
        (JSC::genericUnwind):
        * jit/JITStubs.h:
        * jit/JITStubsMSVC64.asm:
        * jit/JITStubsX86.h:
        * jit/ThunkGenerators.cpp:
        * jit/ThunkGenerators.h:
        * llint/LLIntThunks.h:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/instructions.rb:
        * offlineasm/mips.rb:
        * offlineasm/registers.rb:
        * offlineasm/sh4.rb:
        * offlineasm/x86.rb:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2013-11-13  Andy Estes  <aestes@apple.com>

        Fix the ARM64 build after recent JavaScriptCore changes
        https://bugs.webkit.org/show_bug.cgi?id=124315

        Reviewed by Michael Saboff.

        Based on patches by myself, Filip Pizlo, Benjamin Poulain, and Michael Saboff.

        * Configurations/JavaScriptCore.xcconfig: Hid the symbol for
        std::bad_function_call.
        * JavaScriptCore.xcodeproj/project.pbxproj: Marked
        MacroAssemblerARM64.h and ARM64Assembler.h as Private headers.
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::executableOffsetFor):
        * assembler/MacroAssemblerARM64.h: Removed ARM64's executableCopy(),
        which was removed from other assembler backends in r157690.
        (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch): Added.
        (JSC::MacroAssemblerARM64::lshift64): Added.
        (JSC::MacroAssemblerARM64::mul64): Added.
        (JSC::MacroAssemblerARM64::rshift64): Added.
        (JSC::MacroAssemblerARM64::convertInt64ToDouble): Added.
        (JSC::MacroAssemblerARM64::branchMul64): Added.
        (JSC::MacroAssemblerARM64::branchNeg64): Added.
        (JSC::MacroAssemblerARM64::scratchRegisterForBlinding): Added.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArithDiv): Changed
        SpeculateIntegerOperand to SpeculateInt32Operand,
        nodeCanIgnoreNegativeZero() to bytecodeCanIgnoreNegativeZero(), and
        nodeUsedAsNumber() to bytecodeUsesAsNumber().
        (JSC::DFG::SpeculativeJIT::compileArithMod): Changed
        nodeCanIgnoreNegativeZero() to bytecodeCanIgnoreNegativeZero().

2013-11-13  Oliver Hunt  <oliver@apple.com>

        Fix debug build.

        * parser/Parser.cpp:

2013-11-13  Tim Horton  <timothy_horton@apple.com>

        r159210 added a period where there previously wasn't one, breaking >100 tests

        Rubber-stamped by Oliver Hunt.

        * parser/Parser.cpp:
        (JSC::::logError):
        Remove the extra period.

2013-11-13  Oliver Hunt  <oliver@apple.com>

        REGRESSION (r158014): Many webpages throw stack overflow exceptions on iOS (because Parser::parseMemberExpression uses ~130K more stack)
        https://bugs.webkit.org/show_bug.cgi?id=124177

        Reviewed by Michael Saboff.

        This patch pushes error handling into NEVER_INLINE functions to perform
        the actual error message construction.  This dramatically reduces the
        stack usage of the Parser.  For the large functions (such as parseMemberExpression)
        the improvement is on the order of 2.5x reduction in stack usage.  For
        smaller functions the reduction is in the order of 5-6x.

        * parser/Parser.cpp:
        (JSC::::logError):
        * parser/Parser.h:

2013-11-13  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Protect repatchCompact from flushConstantPool.
        https://bugs.webkit.org/show_bug.cgi?id=124278

        Reviewed by Michael Saboff.

        Random crashes may occur with sh4 architecture, when a flushConstantPool occurs in
        movlMemRegCompact. As in this case a branch opcode and the constant pool are put
        before the movlMemRegCompact, the branch itself is patched when calling repatchCompact
        instead of the mov instruction, which is really bad.

        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::repatchCompact): Handle this specific case and add an ASSERT.

2013-11-12  Alexey Proskuryakov  <ap@apple.com>

        Disable WebCrypto on Mountain Lion
        https://bugs.webkit.org/show_bug.cgi?id=124261

        Rubber-stamped by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2013-11-12  Julien Brianceau  <jbriance@cisco.com>

        [sh4] Fix load32WithUnalignedHalfWords function in baseline JIT.
        https://bugs.webkit.org/show_bug.cgi?id=124233

        Reviewed by Michael Saboff.

        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords): Do not claim scratch register too early.
        Test already covered by fast/regex/pcre-test-1.

2013-11-12  Filip Pizlo  <fpizlo@apple.com>

        Liveness analysis should take less memory in CodeBlock when it is unused
        https://bugs.webkit.org/show_bug.cgi?id=124225

        Reviewed by Mark Hahnenberg.
        
        Basically, I turned CodeBlock::m_livenessAnalysis into a pointer that is null by
        default.

        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint):
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset):
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        (JSC::BytecodeLivenessAnalysis::compute):
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::livenessAnalysis):

2013-11-11  Oliver Hunt  <oliver@apple.com>

        Support unprefixed deconstructing assignment
        https://bugs.webkit.org/show_bug.cgi?id=124172

        Reviewed by Mark Lam.

        Add support for unprefixed descontructive assignment.

        Happily non-reference types on the left hand side of an assignment
        are a runtime error, so we're able to defer validation of the binding
        pattern to codegen time when we're already doing a lot more work.

        We're also able to predicate our attempt to parse on the existence of
        '[' or '{' as they are not as common as other constructs. 

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayPatternNode::emitDirectBinding):
        * parser/ASTBuilder.h:
        * parser/Parser.cpp:
        (JSC::::createBindingPattern):
        (JSC::::tryParseDeconstructionPatternExpression):
        (JSC::::parseDeconstructionPattern):
        (JSC::::parseForStatement):
        (JSC::::parseAssignmentExpression):
        * parser/Parser.h:
        (JSC::Parser::createSavePoint):
        (JSC::Parser::restoreSavePoint):
        * parser/SyntaxChecker.h:

2013-11-12  Andy Estes  <aestes@apple.com>

        Run JavaScriptCore Objective-C API tests on all supported platforms
        https://bugs.webkit.org/show_bug.cgi?id=124214

        Reviewed by Mark Hahnenberg.

        Now that we support the API on iOS and on OS X 10.8, there's no reason
        to limit the tests to OS X 10.9 (or greater).

        * API/tests/CurrentThisInsideBlockGetterTest.h:
        * API/tests/CurrentThisInsideBlockGetterTest.mm:
        * API/tests/testapi.mm:

2013-08-02  Mark Hahnenberg  <mhahnenberg@apple.com>

        CodeBlocks should be able to determine bytecode liveness
        https://bugs.webkit.org/show_bug.cgi?id=118546

        Reviewed by Filip Pizlo.

        This will simplify some things in the DFG related to OSR exits and determining 
        which bytecode variables are live at which points during execution. It will
        also be useful for making our conservative GC scan more precise. Currently it 
        doesn't properly account for liveness while the DFG is running, so it will be 
        off by default behing a runtime Options flag.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeBasicBlock.cpp: Added.
        (JSC::isBranch): Used to determine the end of basic blocks.
        (JSC::isUnconditionalBranch): Used to determine when a branch at the end of a 
        basic block can't possibly fall through to the next basic block in program order.
        (JSC::isTerminal): Also used to detect the end of a block.
        (JSC::isThrow):
        (JSC::isJumpTarget): Used to correctly separate basic blocks. Any jump destination 
        must be the head of its own basic block.
        (JSC::linkBlocks): Links two blocks together in a bi-direcitonal fashion.
        (JSC::computeBytecodeBasicBlocks): Creates a set of basic blocks given a particular 
        CodeBlock and links them together.
        * bytecode/BytecodeBasicBlock.h: Added.
        (JSC::BytecodeBasicBlock::isEntryBlock): Entry blocks are a special basic blocks 
        that indicate the beginning of the function.
        (JSC::BytecodeBasicBlock::isExitBlock): Exit blocks are a special basic block that 
        all blocks that exit the function have as a successor. Entry and exit blocks allows 
        the various code paths to be more regular.
        (JSC::BytecodeBasicBlock::leaderBytecodeOffset): The leader bytecode offset is the 
        bytecode offset of the first instruction in the block.
        (JSC::BytecodeBasicBlock::totalBytecodeLength): The total length of all the bytecodes 
        in this block.
        (JSC::BytecodeBasicBlock::bytecodeOffsets): The bytecode offsets in this particular 
        basic block. This Vector allows us to iterate over the bytecodes in reverse order 
        which wouldn't be possible normally since they are of variable size.
        (JSC::BytecodeBasicBlock::addPredecessor): Links a block to a specified predecessor. 
        Only creates one direction of the link.
        (JSC::BytecodeBasicBlock::addSuccessor): Same as addPredecessor, but for successors.
        (JSC::BytecodeBasicBlock::predecessors): Getter for predecessors.
        (JSC::BytecodeBasicBlock::successors): Getter for successors.
        (JSC::BytecodeBasicBlock::in): Getter for the liveness info at the head of the block.
        (JSC::BytecodeBasicBlock::out): Getter for the liveness info at  the tail of the block.
        (JSC::BytecodeBasicBlock::BytecodeBasicBlock):
        (JSC::BytecodeBasicBlock::addBytecodeLength): When creating basic blocks we call 
        this function when we want to add the next bytecode in program order to this block.
        * bytecode/BytecodeLivenessAnalysis.cpp: Added.
        (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
        (JSC::numberOfCapturedVariables): Convenience wrapper. Returns the
        number of captured variables for a particular CodeBlock, or 0 if 
        the CodeBlock has no SymbolTable.
        (JSC::captureStart): Ditto, but for captureStart().
        (JSC::captureEnd): Ditto, but for captureEnd().
        (JSC::isValidRegisterForLiveness): Returns true if the liveness analysis should 
        track the liveness of a particular operand. We ignore constants, arguments, and 
        captured variables. We ignore arguments because they're live for the duration of 
        a function call. We ignore captured variables because we also treat them as live 
        for the duration of the function. This could probably be improved to be more precise, 
        but it didn't seem worth it for now.
        (JSC::setForOperand): Convenience wrapper that sets the bit in the provided bit 
        vector for the provided operand. It handles skipping over captured variables.
        (JSC::computeUsesForBytecodeOffset): Computes which operands are used by a particular bytecode.
        (JSC::computeDefsForBytecodeOffset): Computes which operands are defined by a particular 
        bytecode. Typically this is just the left-most operand.
        (JSC::findBasicBlockWithLeaderOffset): 
        (JSC::findBasicBlockForBytecodeOffset): Scans over basic blocks to find the block 
        which contains a particular bytecode offset.
        (JSC::computeLocalLivenessForBytecodeOffset): Computes block-local liveness from the 
        bottom of the block until a specified bytecode offset is reached. 
        (JSC::computeLocalLivenessForBlock): Computes liveness for the entire block and 
        stores the resulting liveness at the head.
        (JSC::BytecodeLivenessAnalysis::runLivenessFixpoint): Runs backward flow liveness 
        analysis to fixpoint.
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoForNonCapturedVarsAtBytecodeOffset): 
        Slow path to get liveness info for non-captured, non-argument variable.
        (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): 
        (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset): Returns the liveness 
        info for both captured and non-captured vars at a particular bytecode offset.
        (JSC::BytecodeLivenessAnalysis::dumpResults): Dumps the output of the liveness analysis. 
        Controlled by new flag in Options.h/.cpp.
        (JSC::BytecodeLivenessAnalysis::compute): Creates bytecode basic blocks and runs 
        full liveness analysis.
        * bytecode/BytecodeLivenessAnalysis.h: Added.
        (JSC::BytecodeLivenessAnalysis::hasBeenComputed):
        (JSC::BytecodeLivenessAnalysis::computeIfNecessary):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::livenessAnalysis):
        * bytecode/PreciseJumpTargets.cpp: Refactored to be able to get the jump targets for 
        a particular bytecode offset for use during bytecode basic block construction.
        (JSC::getJumpTargetsForBytecodeOffset):
        (JSC::computePreciseJumpTargets):
        (JSC::findJumpTargetsForBytecodeOffset):
        * bytecode/PreciseJumpTargets.h:
        * runtime/Options.cpp:
        (JSC::Options::initialize):
        * runtime/Options.h:

2013-11-11  Andy Estes  <aestes@apple.com>

        [iOS] Define JSC_OBJC_API_ENABLED
        https://bugs.webkit.org/show_bug.cgi?id=124192

        Reviewed by Geoffrey Garen.

        * API/JSBase.h: JSC_OBJC_API_ENABLED should evaluate to true if
        TARGET_OS_IPHONE is true.
        * API/JSValue.h: Ensure CG types referenced later in the file are defined.

2013-11-12  Balazs Kilvady  <kilvadyb@homejinni.com>

        Fix undefined reference issues in JavaScriptCore build.
        https://bugs.webkit.org/show_bug.cgi?id=124152

        Reviewed by Michael Saboff.

        Missing includes added.

        * runtime/SymbolTable.cpp:

2013-11-12  Alexandru Chiculita  <achicu@adobe.com>

        Web Inspector: Crash when closing the Inspector while debugging an exception inside a breakpoint condition.
        https://bugs.webkit.org/show_bug.cgi?id=124078

        Reviewed by Joseph Pecoraro.

        The crash would happen because the Debugger is not designed to support nested
        breaks. For example, when the debugger handles a breakpoint and the Inspector
        executes a console command that would hit the breakpoint again, the Debugger
        will just ignore the breakpoint.

        There were no checks for conditions and actions. Because of that conditions and actions
        could trigger exceptions and breakpoints. This patch disables that functionality as it
        cannot be supported without a bigger rewrite of the code.

        * debugger/Debugger.cpp:
        (JSC::TemporaryPausedState::TemporaryPausedState):
        (JSC::TemporaryPausedState::~TemporaryPausedState):
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::pauseIfNeeded):
        * debugger/Debugger.h:

2013-11-12  Julien Brianceau  <jbriance@cisco.com>

        InvalidIndex shouldn't be private in GPRInfo and FPRInfo for sh4, mips and arm64 architectures.
        https://bugs.webkit.org/show_bug.cgi?id=124156

        Reviewed by Michael Saboff.

        * jit/FPRInfo.h:
        (JSC::FPRInfo::debugName):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::debugName):

2013-11-11  Andreas Kling  <akling@apple.com>

        CodeBlock: Un-segment some Vectors.
        <https://webkit.org/b/124188>

        Turn some SegmentedVectors into Vectors where the final item count
        is known at CodeBlock construction time. This removes unnecessary
        allocation and indirection.

        I've got ~4.5 MB below SegmentedVector<ValueProfile>::ensureSegment
        on Membuster3 (peak, before pressure signal) so this should help
        take a bit of the edge off there.

        Reviewed by Geoffrey Garen.

2013-11-11  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the lastResultRegister optimization in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=124171

        Rubber stamped by Mark Hahnenberg.
        
        The baseline JIT no longer needs amazing throughput. And this optimization has caused
        way too many OSR exit bugs. And it constrains how much we can do in the DFG/FTL. So,
        I'm getting rid of it.

        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::OSRExit):
        (JSC::DFG::OSRExit::convertToForward):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExitCompiler::compileExit):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
        (JSC::DFG::SpeculativeJIT::compileMovHint):
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
        (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
        (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
        (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
        (JSC::FTL::LowerDFGToLLVM::observeMovHint):
        * ftl/FTLOSRExit.cpp:
        (JSC::FTL::OSRExit::OSRExit):
        (JSC::FTL::OSRExit::convertToForward):
        * ftl/FTLOSRExit.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::appendCall):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_op_lshift):
        (JSC::JIT::emitRightShift):
        (JSC::JIT::emit_op_bitand):
        (JSC::JIT::emit_op_bitor):
        (JSC::JIT::emit_op_bitxor):
        (JSC::JIT::emit_op_inc):
        (JSC::JIT::emit_op_dec):
        * jit/JITCall.cpp:
        (JSC::JIT::emitPutCallResult):
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::emitGetFromCallFrameHeaderPtr):
        (JSC::JIT::emitGetFromCallFrameHeader32):
        (JSC::JIT::emitGetFromCallFrameHeader64):
        (JSC::JIT::emitLoadTag):
        (JSC::JIT::emitLoadPayload):
        (JSC::JIT::emitLoad2):
        (JSC::JIT::emitGetVirtualRegister):
        (JSC::JIT::emitGetVirtualRegisters):
        (JSC::JIT::emitPutVirtualRegister):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_catch):
        (JSC::JIT::emit_op_new_func):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_mov):
        (JSC::JIT::emit_op_to_primitive):
        (JSC::JIT::emit_op_to_number):
        (JSC::JIT::emit_op_catch):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_val):
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_get_by_pname):
        (JSC::JIT::emitResolveClosure):
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_init_global_const):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):

2013-11-11  Filip Pizlo  <fpizlo@apple.com>

        Remove ConstantFoldingPhase's weirdo compile-time optimization
        https://bugs.webkit.org/show_bug.cgi?id=124169

        Reviewed by Mark Hahnenberg.
        
        It turns out that this compile-time optimization doesn't optimize compile times
        anymore. Kill it with fire.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2013-11-11  Filip Pizlo  <fpizlo@apple.com>

        Make bytecode dumping use the right opcode names for inc/dec.

        Rubber stamped by Mark Hahnenberg.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):

2013-11-10  Filip Pizlo  <fpizlo@apple.com>

        DFG Int52 boxing code may clobber the source without telling anyone
        https://bugs.webkit.org/show_bug.cgi?id=124137

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::boxInt52): This is called in places where source is expected to be unchanged. We never call this expecting super-amazing codegen. So, preserve the source's value the dumb way (by recovering it mathematically).
        * jit/AssemblyHelpers.h: Document the invariant for boxInt52.
        * jsc.cpp:
        (GlobalObject::finishCreation): It's been super annoying that sometimes we say noInline() and sometimes we say neverInlineFunction(). The LayoutTests harnesses ensure that we have something called noInline(), but it's great to also ensure that the shell has it.

2013-11-11  Oliver Hunt  <oliver@apple.com>

        ExtJS breaks with modern Array.prototype.values API due to use of with()
        https://bugs.webkit.org/show_bug.cgi?id=123440

        Reviewed by Beth Dakin.

        As with our attempt to make Arguments use the Array prototype, ExtJS has
        a weird dependency on not adding new APIs to core types.  In this case
        Array.prototype.values.  The fix is to remove it, and push for ES6 to drop
        the API.

        * runtime/ArrayPrototype.cpp:

2013-11-11  Gabor Rapcsanyi  <rgabor@webkit.org>

        Fix CPU(ARM_TRADITIONAL) build after r159039.
        https://bugs.webkit.org/show_bug.cgi?id=124149

        Reviewed by Geoffrey Garen.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::firstRegister):
        (JSC::ARMAssembler::lastRegister):
        (JSC::ARMAssembler::firstFPRegister):
        (JSC::ARMAssembler::lastFPRegister):
        * assembler/MacroAssemblerARM.h:
        * jit/FPRInfo.h:

2013-11-09  Filip Pizlo  <fpizlo@apple.com>

        Switch FTL GetById/PutById IC's over to using AnyRegCC
        https://bugs.webkit.org/show_bug.cgi?id=124094

        Reviewed by Sam Weinig.
        
        This closes the loop on inline caches (IC's) in the FTL. The goal is to have IC's
        in LLVM-generated code that are just as efficient (if not more so) than what a
        custom JIT could do. As in zero sources of overhead. Not a single extra instruction
        or even register allocation pathology. We accomplish this by having two thingies in
        LLVM. First is the llvm.experimental.patchpoint intrinsic, which is sort of an
        inline machine code snippet that we can fill in with whatever we want and then
        modify subsequently. But you have only two choices of how to pass values to a
        patchpoint: (1) via the calling convention or (2) via the stackmap. Neither are good
        for operands to an IC (like the base pointer for a GetById, for example). (1) is bad
        because it results in things being pinned to certain registers a priori; a custom
        JIT (like the DFG) will not pin IC operands to any registers a priori but will allow
        the register allocator to do whatever it wants. (2) is bad because the operands may
        be spilled or may be represented in other crazy ways. You generally want an IC to
        have its operands in registers. Also, patchpoints only return values using the
        calling convention, which is unfortunate since it pins the return value to a
        register a priori. This is where the second thingy comes in: the AnyRegCC. This is
        a special calling convention only for use with patchpoints. It means that arguments
        passed "by CC" in the patchpoint can be placed in any register, and the register
        that gets used is reported as part of the stackmap. It also means that the return
        value (if there is one) can be placed in any register, and the stackmap will tell
        you which one it was. Thus, patchpoints combined with AnyRegCC mean that you not
        only get the kind of self-modifying code that you want for IC's, but you also get
        all of the register allocation goodness that a custom JIT would have given you.
        Except that you're getting it from LLVM and not a custom JIT. Awesome.
        
        Even though all of the fun stuff is on the LLVM side, this patch was harder than
        you'd expect.
        
        First the obvious bits:
        
        - IC patchpoints now use AnyRegCC instead of the C CC. (CC = calling convention.)
        
        - FTL::fixFunctionBasedOnStackMaps() now correctly figures out which registers the
          IC is supposed to use instead of assuming C CC argument registers.
        
        And then all of the stuff that broke and that this patch fixes:
        
        - IC sizing based on generating a dummy IC (what FTLInlineCacheSize did) is totally
          bad on x86-64, where various register permutations lead to bizarre header bytes
          and eclectic SIB encodings. I changed that to have magic constants, for now.
        
        - Slow path calls didn't preserve the CC return register.
        
        - Repatch's scratch register allocation would get totally confused if the operand
          registers weren't one of the DFG-style "temp" registers. And by "totally confused"
          I mean that it would crash.
        
        - We assumed that r10 is callee-saved. It's not. That one dude's PPT about x86-64
          cdecl that I found on the intertubes was not a trustworthy source of information,
          apparently.
        
        - Call repatching didn't know that the FTL does its IC slow calls via specially
          generated thunks. This was particularly fun to fix: basically, now when we relink
          an IC call in the FTL, we use the old call target to find the SlowPathCallKey,
          which tells us everything we need to know to generate (or look up) a new thunk for
          the new function we want to call.
        
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
        (JSC::MacroAssemblerCodePtr::isEmptyValue):
        (JSC::MacroAssemblerCodePtr::isDeletedValue):
        (JSC::MacroAssemblerCodePtr::hash):
        (JSC::MacroAssemblerCodePtr::emptyValue):
        (JSC::MacroAssemblerCodePtr::deletedValue):
        (JSC::MacroAssemblerCodePtrHash::hash):
        (JSC::MacroAssemblerCodePtrHash::equal):
        * assembler/MacroAssemblerX86Common.h:
        * assembler/RepatchBuffer.h:
        (JSC::RepatchBuffer::RepatchBuffer):
        (JSC::RepatchBuffer::codeBlock):
        * ftl/FTLAbbreviations.h:
        (JSC::FTL::setInstructionCallingConvention):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeFunction):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLocation.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetById):
        (JSC::FTL::LowerDFGToLLVM::compilePutById):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * ftl/FTLSlowPathCall.cpp:
        * ftl/FTLSlowPathCallKey.h:
        (JSC::FTL::SlowPathCallKey::withCallTarget):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::directGPR):
        (JSC::FTL::StackMaps::Location::restoreInto):
        * ftl/FTLStackMaps.h:
        * ftl/FTLThunks.h:
        (JSC::FTL::generateIfNecessary):
        (JSC::FTL::keyForThunk):
        (JSC::FTL::Thunks::keyForSlowPathCallThunk):
        * jit/FPRInfo.h:
        (JSC::FPRInfo::toIndex):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::filter):
        * jit/Repatch.cpp:
        (JSC::readCallTarget):
        (JSC::repatchCall):
        (JSC::repatchByIdSelfAccess):
        (JSC::tryCacheGetByID):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        (JSC::resetGetByID):
        (JSC::resetPutByID):
        * jit/ScratchRegisterAllocator.h:
        (JSC::ScratchRegisterAllocator::lock):

2013-11-10  Oliver Hunt  <oliver@apple.com>

        Implement Set iterators
        https://bugs.webkit.org/show_bug.cgi?id=124129

        Reviewed by Antti Koivisto.

        Add Set iterator classes and implementations

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSSetIterator.cpp: Added.
        (JSC::JSSetIterator::finishCreation):
        (JSC::JSSetIterator::visitChildren):
        (JSC::JSSetIterator::createPair):
        * runtime/JSSetIterator.h: Added.
        (JSC::JSSetIterator::createStructure):
        (JSC::JSSetIterator::create):
        (JSC::JSSetIterator::next):
        (JSC::JSSetIterator::JSSetIterator):
        * runtime/SetIteratorConstructor.cpp: Added.
        (JSC::SetIteratorConstructor::finishCreation):
        * runtime/SetIteratorConstructor.h: Added.
        (JSC::SetIteratorConstructor::create):
        (JSC::SetIteratorConstructor::createStructure):
        (JSC::SetIteratorConstructor::SetIteratorConstructor):
        * runtime/SetIteratorPrototype.cpp: Added.
        (JSC::SetIteratorPrototype::finishCreation):
        (JSC::SetIteratorPrototypeFuncIterator):
        (JSC::SetIteratorPrototypeFuncNext):
        * runtime/SetIteratorPrototype.h: Added.
        (JSC::SetIteratorPrototype::create):
        (JSC::SetIteratorPrototype::createStructure):
        (JSC::SetIteratorPrototype::SetIteratorPrototype):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):
        (JSC::setProtoFuncValues):
        (JSC::setProtoFuncEntries):
        (JSC::setProtoFuncKeys):

2013-11-09  Oliver Hunt  <oliver@apple.com>

        Add Map Iterators
        https://bugs.webkit.org/show_bug.cgi?id=124109

        Reviewed by Andreas Kling.

        Added new Map iterator implementation.  This is a mostly boilerplate patch
        however there's a a little bit of additional logic added to the MapData iterator
        to deal with the possibility of map mutation between creation of the iterator
        and use of it.  We'll be able to improve the performance of this substantially
        by using intrinsics, however I'm pondering coming up with a better way to define
        these thunks without requiring so much duplicated logic.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/CommonIdentifiers.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSMapIterator.cpp: Added.
        (JSC::JSMapIterator::finishCreation):
        (JSC::JSMapIterator::visitChildren):
        (JSC::JSMapIterator::createPair):
        * runtime/JSMapIterator.h: Added.
        (JSC::JSMapIterator::createStructure):
        (JSC::JSMapIterator::create):
        (JSC::JSMapIterator::next):
        (JSC::JSMapIterator::JSMapIterator):
        * runtime/MapData.h:
        (JSC::MapData::const_iterator::ensureSlot):
        * runtime/MapIteratorConstructor.cpp: Added.
        (JSC::MapIteratorConstructor::finishCreation):
        * runtime/MapIteratorConstructor.h: Added.
        (JSC::MapIteratorConstructor::create):
        (JSC::MapIteratorConstructor::createStructure):
        (JSC::MapIteratorConstructor::MapIteratorConstructor):
        * runtime/MapIteratorPrototype.cpp: Added.
        (JSC::MapIteratorPrototype::finishCreation):
        (JSC::MapIteratorPrototypeFuncIterator):
        (JSC::MapIteratorPrototypeFuncNext):
        * runtime/MapIteratorPrototype.h: Added.
        (JSC::MapIteratorPrototype::create):
        (JSC::MapIteratorPrototype::createStructure):
        (JSC::MapIteratorPrototype::MapIteratorPrototype):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        (JSC::mapProtoFuncValues):
        (JSC::mapProtoFuncEntries):
        (JSC::mapProtoFuncKeys):

2013-11-08  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed GTK build fix.

        * GNUmakefile.list.am: Remove redundant build targets.

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        Remove dead FTL C ABI support
        https://bugs.webkit.org/show_bug.cgi?id=124100

        Reviewed by Jer Noble.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCArgumentGetter.cpp: Removed.
        * ftl/FTLCArgumentGetter.h: Removed.
        * ftl/FTLOSRExitCompiler.cpp:
        * jit/FPRInfo.h:

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support Phantom(FinalObject:)
        https://bugs.webkit.org/show_bug.cgi?id=124092

        Reviewed by Oliver Hunt.

        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::isType):
        (JSC::FTL::LowerDFGToLLVM::isNotType):
        (JSC::FTL::LowerDFGToLLVM::speculateFinalObject):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the FTL tail call APIs since they are unused
        https://bugs.webkit.org/show_bug.cgi?id=124093

        Reviewed by Oliver Hunt.

        * ftl/FTLAbbreviations.h:
        (JSC::FTL::buildCall):
        * ftl/FTLOutput.h:

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support AllocatePropertyStorage
        https://bugs.webkit.org/show_bug.cgi?id=124086

        Reviewed by Oliver Hunt.
        
        Also rationalized some offsets in the DFG.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        Get rid of the bizarre Darwin/x86-only MacroAssembler::shouldBlindForSpecificArch(uintptr_t) overload
        https://bugs.webkit.org/show_bug.cgi?id=124087

        Reviewed by Michael Saboff.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindPointerForSpecificArch):
        (JSC::MacroAssembler::shouldBlind):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewArrayBuffer
        https://bugs.webkit.org/show_bug.cgi?id=124067

        Reviewed by Michael Saboff.
        
        This expanded coverage and revealed some bugs.
        
        This revealed a bug in FTL::OSRExitCompiler where it was assuming that it could save
        the framePointer in regT3 even though DFG::reifyInlinedCallFrames() would clobber it.
        It turns out that this can be fixed by just completely restoring the stack prior to
        doing reifyInlineCallFrames().
        
        I used this as an opportunity to simplify NewArray. That revealed a bug; whenever we say
        lowJSValue() in there we need to use ManualOperandSpeculation since we're using it to
        rebox values even when we also have to do some speculations. The speculations are done
        at the top of compileNewArray().
        
        This also revealed a bug in StringCharAt() for the OOB case.

        * ftl/FTLAbstractHeapRepository.h:
        (JSC::FTL::AbstractHeapRepository::forIndexingType):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):

2013-11-08  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to disable blinding on a per-architecture basis
        https://bugs.webkit.org/show_bug.cgi?id=124083

        Reviewed by Michael Saboff.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::haveScratchRegisterForBlinding):
        (JSC::AbstractMacroAssembler::scratchRegisterForBlinding):
        (JSC::AbstractMacroAssembler::canBlind):
        (JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlind):
        (JSC::MacroAssembler::store32):
        (JSC::MacroAssembler::branch32):
        (JSC::MacroAssembler::branchAdd32):
        (JSC::MacroAssembler::branchMul32):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::canBlind):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::haveScratchRegisterForBlinding):

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Remove more accidentally added files.

        * runtime/SetIteratorConstructor.cpp: Removed.
        * runtime/SetIteratorConstructor.h: Removed.
        * runtime/SetIteratorPrototype.cpp: Removed.
        * runtime/SetIteratorPrototype.h: Removed.

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Remove accidentally added files.

        * runtime/JSSetIterator.cpp: Removed.
        * runtime/JSSetIterator.h: Removed.

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Fix minor (unobservable) bug in ArrayIterator::next()
        https://bugs.webkit.org/show_bug.cgi?id=124061

        Reviewed by Beth Dakin.

        I noticed this while reading the array iterator code.  Due to how
        ArrayIterator::next() and our enumeration behaviour is implemented
        this is not actually a code path that can be hit.  But in order to
        future proof this it should be correct.
        
        * runtime/JSArrayIterator.cpp:
        (JSC::arrayIteratorNext):

2013-11-08  Mark Lam  <mark.lam@apple.com>

        Move breakpoint (and exception break) functionality into JSC::Debugger.
        https://bugs.webkit.org/show_bug.cgi?id=121796.

        Reviewed by Geoffrey Garen.

        - In ScriptDebugServer and JSC::Debugger, SourceID and BreakpointID are
          now numeric tokens.

        - JSC::Debugger now tracks user defined breakpoints in a JSC::Breakpoint
          record. Previously, this info is tracked in the ScriptBreakpoint record
          in ScriptDebugServer. The only element of ScriptBreakpoint that is not
          being tracked by JSC::Breakpoint is the ScriptBreakpointAction.
             The ScriptBreakpointAction is still tracked by the ScriptDebugServer
          in a list keyed on the corresponding BreakpointID.
             The ScriptBreakpoint record is now only used as a means of passing
          breakpoint paramaters to the ScriptDebugServer.

        - ScriptDebugServer now no longer accesses the JSC::CallFrame* directly.
          It always goes through the DebuggerCallFrame.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * debugger/Breakpoint.h: Added.
        (JSC::Breakpoint::Breakpoint):
        - Breakpoint class to track info for each breakpoint in JSC::Debugger.
        * debugger/Debugger.cpp:
        (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope):
        (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope):
        (JSC::Debugger::Debugger):
        (JSC::Debugger::detach):
        (JSC::Debugger::updateNeedForOpDebugCallbacks):
        (JSC::Debugger::setBreakpoint):
        (JSC::Debugger::removeBreakpoint):
        (JSC::Debugger::hasBreakpoint):
        (JSC::Debugger::clearBreakpoints):
        (JSC::Debugger::setBreakpointsActivated):
        (JSC::Debugger::setPauseOnExceptionsState):
        (JSC::Debugger::setPauseOnNextStatement):
        (JSC::Debugger::breakProgram):
        (JSC::Debugger::continueProgram):
        (JSC::Debugger::stepIntoStatement):
        (JSC::Debugger::stepOverStatement):
        (JSC::Debugger::stepOutOfFunction):
        (JSC::Debugger::updateCallFrame):
        (JSC::Debugger::updateCallFrameAndPauseIfNeeded):
        (JSC::Debugger::pauseIfNeeded):
        (JSC::Debugger::exception):
        (JSC::Debugger::atStatement):
        (JSC::Debugger::callEvent):
        (JSC::Debugger::returnEvent):
        (JSC::Debugger::willExecuteProgram):
        (JSC::Debugger::didExecuteProgram):
        (JSC::Debugger::didReachBreakpoint):
        (JSC::Debugger::currentDebuggerCallFrame):
        * debugger/Debugger.h:
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::sourceID):
        (JSC::DebuggerCallFrame::sourceIDForCallFrame):
        * debugger/DebuggerCallFrame.h:
        * debugger/DebuggerPrimitives.h: Added.
        - define SourceID, noSourceID, BreakpointID, and noBreakpointID.

2013-11-08  Oliver Hunt  <oliver@apple.com>

        Map.forEach crashes on deleted values
        https://bugs.webkit.org/show_bug.cgi?id=124017

        Reviewed by Ryosuke Niwa.

        MapData iterator did not consider the case of the first entries
        being holes.  To fix this I've refactored iteration so that we
        can perform an initialisation increment on construction, whle
        retaining the useful assertion in MapData::const_iterator::operator++

        * runtime/MapData.h:
        (JSC::MapData::const_iterator::operator++):
        (JSC::MapData::const_iterator::internalIncrement):
        (JSC::MapData::const_iterator::const_iterator):

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r158883): Fix crashes for ARM architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124038

        Reviewed by Michael Saboff.

        * jit/GPRInfo.h: Remove r11 from the temporary register set, use a free register for
        nonPreservedNonReturnGPR and remove obsolete declaration of bucketCounterRegister.
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/JITOperations.cpp: Frame pointer register is r11 for ARM_TRADITIONAL and
        r7 for ARM_THUMB2 instead of r5 since r158883.

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        REGRESSION(r158883): Fix crashes for MIPS architecture.
        https://bugs.webkit.org/show_bug.cgi?id=124044

        Reviewed by Michael Saboff.

        * jit/JITOperations.cpp: Frame pointer register is fp instead of s0 since r158883 for MIPS.
        * jit/ThunkGenerators.cpp: Save and restore the new frame pointer register.
        (JSC::returnFromJavaScript):
        (JSC::callToJavaScript):

2013-11-08  peavo@outlook.com  <peavo@outlook.com>

        [Win] JavaScript crash in getHostCallReturnValue.
        https://bugs.webkit.org/show_bug.cgi?id=124040

        Reviewed by Geoffrey Garen.

        * jit/JITOperations.cpp: Update MSVC assembler code in getHostCallReturnValue according to gcc x86 version.

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        [mips] Fix typo (introduced in r158751).
        https://bugs.webkit.org/show_bug.cgi?id=124033.

        Reviewed by Csaba Osztrogonác.

        * jit/ThunkGenerators.cpp:
        (JSC::callToJavaScript):

2013-11-08  Julien Brianceau  <jbriance@cisco.com>

        [arm] Use specific PatchableJump implementation for CPU(ARM_TRADITIONAL).
        https://bugs.webkit.org/show_bug.cgi?id=123891

        Reviewed by Michael Saboff.

        Although patchableBranch32 is implemented in MacroAssemblerARM.h, the used implementation
        is the generic one in MacroAssembler.h. This patch fixes it and also implements the
        patchableJump() function for CPU(ARM_TRADITIONAL). These specific implementations are
        needed for this architecture backend to ensure that these jumps can be relinked.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::patchableJump):
        * jit/GPRInfo.h: Remove static_cast that are generating warnings in debug builds.
        (JSC::GPRInfo::toIndex):
        (JSC::GPRInfo::debugName):

2013-11-07  Mark Lam  <mark.lam@apple.com>

        Get rid of the regT* definitions in JSInterfaceJIT.h.
        https://bugs.webkit.org/show_bug.cgi?id=123806.

        Reviewed by Geoffrey Garen.

        JSInterfaceJIT now inherits from GPRInfo and FPRInfo, and relies on them
        to provide all the register definitions.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toArgumentRegister):
        * jit/JIT.cpp:
        (JSC::JIT::emitEnterOptimizationCheck):
        (JSC::JIT::privateCompile):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITCall.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileLoadVarargs):
        * jit/JITInlines.h:
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
        (JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emit_op_ret):
        (JSC::JIT::emit_op_ret_object_or_this):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        (JSC::JIT::emitSlow_op_loop_hint):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::privateCompileCTINativeCall):
        (JSC::JIT::emit_op_end):
        (JSC::JIT::emitSlow_op_new_object):
        (JSC::JIT::emitSlow_op_jfalse):
        (JSC::JIT::emitSlow_op_jtrue):
        (JSC::JIT::emitSlow_op_eq):
        (JSC::JIT::emitSlow_op_neq):
        (JSC::JIT::emit_op_throw):
        (JSC::JIT::emit_op_get_pnames):
        (JSC::JIT::emit_op_switch_imm):
        (JSC::JIT::emit_op_switch_char):
        (JSC::JIT::emit_op_switch_string):
        (JSC::JIT::emit_op_create_activation):
        (JSC::JIT::emit_op_create_arguments):
        (JSC::JIT::emitSlow_op_get_argument_by_val):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::JSInterfaceJIT):
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::call):
        * jit/ThunkGenerators.cpp:

2013-11-07  Filip Pizlo  <fpizlo@apple.com>

        FTL should support NewArray
        https://bugs.webkit.org/show_bug.cgi?id=124010

        Reviewed by Oliver Hunt.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileNewObject):
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::allocateCell):
        (JSC::FTL::LowerDFGToLLVM::allocateObject):
        (JSC::FTL::LowerDFGToLLVM::allocateBasicStorageAndGetEnd):
        (JSC::FTL::LowerDFGToLLVM::ArrayValues::ArrayValues):
        (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::loadDouble):
        (JSC::FTL::Output::storeDouble):

2013-11-07  Michael Saboff  <msaboff@apple.com>

        Change CallFrameRegister to architected frame pointer register
        https://bugs.webkit.org/show_bug.cgi?id=123956

        Reviewed by Geoffrey Garen.

        Changed X86 and ARM variants as well as MIPS to use their respective architected
        frame pointer registers.  The freed up callFrameRegisteris are made available to 
        the DFG register allocator.  Modified the FTL OSR exit compiler to use a temporary
        register as a stand in for the destination callFrameRegister since the FTL frame
        pointer register is needed to extract values from the FTL stack.

        Reviewed by Geoffrey Garen.

        * assembler/ARMAssembler.h:
        * assembler/ARMv7Assembler.h:
        * assembler/MacroAssemblerMIPS.h:
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::addressFor):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toRegister):
        (JSC::GPRInfo::toIndex):
        * jit/JITOperations.cpp:
        * jit/JSInterfaceJIT.h:
        * jit/ThunkGenerators.cpp:
        (JSC::callToJavaScript):
        * offlineasm/arm.rb:
        * offlineasm/arm64.rb:
        * offlineasm/mips.rb:
        * offlineasm/x86.rb:

2013-11-07  Oliver Hunt  <oliver@apple.com>

        Reproducible crash when using Map (affects Web Inspector)
        https://bugs.webkit.org/show_bug.cgi?id=123940

        Reviewed by Geoffrey Garen.

        Trivial fix.  Once again we get bitten by attempting to be clever when
        growing while adding entries to indexing maps.

        Now we simply do a find(), and then add() _after_ we've ensured there is
        sufficient space in the MapData list.

        * runtime/MapData.cpp:
        (JSC::MapData::add):

2013-11-07  Mark Lam  <mark.lam@apple.com>

        Cosmetic: rename xxxId to xxxID for ScriptId, SourceId, and BreakpointId.
        https://bugs.webkit.org/show_bug.cgi?id=123945.

        Reviewed by Geoffrey Garen.

        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::sourceID):
        (JSC::DebuggerCallFrame::sourceIDForCallFrame):
        * debugger/DebuggerCallFrame.h:

2013-11-07  Michael Saboff  <msaboff@apple.com>

        returnFromJavaScript() for ARM_THUMB2 uses push()s which should be pop()s
        https://bugs.webkit.org/show_bug.cgi?id=124006

        Rubber stamped by Mark Hahnenberg.

        Changed the push() calls to pop().

        * jit/ThunkGenerators.cpp:
        (JSC::returnFromJavaScript):

2013-11-07  Michael Saboff  <msaboff@apple.com>

        Remove unneeded moving of ESP to ECX in callToJavaScript for COMPILER(MSVC)
        https://bugs.webkit.org/show_bug.cgi?id=123998

        Reviewed by Mark Lam.

        Dead code removal.  Passing esp as the first "C" argument to a JavaScript
        function is no longer needed.

        * jit/ThunkGenerators.cpp:
        (JSC::callToJavaScript):

2013-11-07  Julien Brianceau  <jbriance@cisco.com>

        Fix build for architectures with 4 argument registers (broken since r158820).
        https://bugs.webkit.org/show_bug.cgi?id=123969

        Reviewed by Andreas Kling.

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):

2013-11-05  Filip Pizlo  <fpizlo@apple.com>

        FTL should support CheckFunction
        https://bugs.webkit.org/show_bug.cgi?id=123862

        Reviewed by Sam Weinig.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):

2013-11-06  Filip Pizlo  <fpizlo@apple.com>

        IC code should handle the call frame register not being the callFrameRegister
        https://bugs.webkit.org/show_bug.cgi?id=123865

        Reviewed by Geoffrey Garen.
        
        For now, in the FTL, the call frame may be something other than our frame pointer,
        since it's an argument passed in according to whatever convention LLVM picks.
        
        This is temporary in two ways - pretty soon the callFrameRegister will be the actual
        frame pointer and not some other register, and LLVM will not pass the frame pointer
        as an argument to IC's.

        * bytecode/StructureStubInfo.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfGetById):
        (JSC::FTL::sizeOfPutById):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArguments):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryBuildGetByIDList):
        (JSC::emitPutTransitionStub):

2013-11-06  Daniel Bates  <dabates@apple.com>

        [iOS] Upstream Letterpress effect
        https://bugs.webkit.org/show_bug.cgi?id=123932

        Reviewed by Sam Weinig.

        Add feature define ENABLE_LETTERPRESS disabled by default. We only enable
        letterpress on iOS.

        * Configurations/FeatureDefines.xcconfig:

2013-11-05  Oliver Hunt  <oliver@apple.com>

        Support iteration of the Arguments object
        https://bugs.webkit.org/show_bug.cgi?id=123835

        Reviewed by Mark Lam.

        Add an ArgumentsIterator object, and associated classes so that we can support
        iteration of the arguments object.

        This is a largely mechanical patch.  The only gnarliness is in the
        logic to avoid reifying the Arguments object in for(... of arguments)
        scenarios.

        * GNUmakefile.list.am:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        * runtime/Arguments.cpp:
        (JSC::Arguments::getOwnPropertySlot):
        (JSC::argumentsFuncIterator):
        * runtime/Arguments.h:
        * runtime/ArgumentsIteratorConstructor.cpp: Added.
        (JSC::ArgumentsIteratorConstructor::finishCreation):
        * runtime/ArgumentsIteratorConstructor.h: Added.
        (JSC::ArgumentsIteratorConstructor::create):
        (JSC::ArgumentsIteratorConstructor::createStructure):
        (JSC::ArgumentsIteratorConstructor::ArgumentsIteratorConstructor):
        * runtime/ArgumentsIteratorPrototype.cpp: Added.
        (JSC::ArgumentsIteratorPrototype::finishCreation):
        (JSC::argumentsIteratorPrototypeFuncIterator):
        (JSC::argumentsIteratorPrototypeFuncNext):
        * runtime/ArgumentsIteratorPrototype.h: Added.
        (JSC::ArgumentsIteratorPrototype::create):
        (JSC::ArgumentsIteratorPrototype::createStructure):
        (JSC::ArgumentsIteratorPrototype::ArgumentsIteratorPrototype):
        * runtime/CommonIdentifiers.h:
        * runtime/JSArgumentsIterator.cpp: Added.
        (JSC::JSArgumentsIterator::finishCreation):
        * runtime/JSArgumentsIterator.h: Added.
        (JSC::JSArgumentsIterator::createStructure):
        (JSC::JSArgumentsIterator::create):
        (JSC::JSArgumentsIterator::next):
        (JSC::JSArgumentsIterator::JSArgumentsIterator):
        * runtime/JSArrayIterator.cpp:
        (JSC::createIteratorResult):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:

2013-11-06  Filip Pizlo  <fpizlo@apple.com>

        DFG CheckArray(NonArray) should prove that the child isn't an array
        https://bugs.webkit.org/show_bug.cgi?id=123911
        <rdar://problem/15202803>

        Reviewed by Mark Hahnenberg.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::isArrayType):

2013-11-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSExport doesn't support constructors
        https://bugs.webkit.org/show_bug.cgi?id=123380

        Reviewed by Geoffrey Garen.

        Needed another linked-on-or-after check for when we're deciding whether
        we should copy over init family methods.

        Factored out the link time checks into a separate function so that they can be cached.

        Factored out the check for init-family method selectors into helper function and changed it to
        match the description in the clang docs, namely that there can be underscores at the beginning
        and the first letter after 'init' part of the selector (if there is one) must be a capital letter.

        Updated tests to make sure we don't treat "initialize" as an init-family method and that we do
        treat "_init" as an init-family method.

        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (isInitFamilyMethod):
        (shouldSkipMethodWithName):
        (copyMethodsToObject):
        (allocateConstructorForCustomClass):
        (supportsInitMethodConstructors):
        * API/tests/testapi.mm:
        (-[ClassA initialize]):
        (-[ClassD initialize]):

2013-11-06  Michael Saboff  <msaboff@apple.com>

        Change ctiTrampoline into a thunk
        https://bugs.webkit.org/show_bug.cgi?id=123844

        Reviewed by Filip Pizlo.

        Converted ctiTrampoline and ctiOpThrowNotCaught into thunks named callToJavaScript
        and returnFromJavaScript.  Cleaned up and in some cases removed JITStubsXXX.h files
        after removing ctiTrampoline and ctiOpThrowNotCaught.  Added callJavaScriptJITFunction
        to VM that is a function pointer to the callToJavaScript thunk