NativeError.prototype objects have [[Class]] of "Object" but should be "Error"

[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2011-07-15  Gavin Barraclough  <barraclough@apple.com>

        NativeError.prototype objects have [[Class]] of "Object" but should be "Error"
        https://bugs.webkit.org/show_bug.cgi?id=55346

        Reviewed by Sam Weinig.

        * runtime/ErrorPrototype.cpp:
        (JSC::ErrorPrototype::ErrorPrototype):
            - Switch to putDirect since we're not the only ones tranitioning this Structure now.
        * runtime/NativeErrorPrototype.cpp:
        (JSC::NativeErrorPrototype::NativeErrorPrototype):
        * runtime/NativeErrorPrototype.h:
            - Switch base class to ErrorPrototype.

2011-07-15  Gavin Barraclough  <barraclough@apple.com>

        DFG JIT - Where arguments passed are integers, speculate this.
        https://bugs.webkit.org/show_bug.cgi?id=64630

        Reviewed by Sam Weinig.

        Presently the DFG JIT is overly aggressively predicting double.
        Use a bit of dynamic information, and curtail this a little.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::predictArgumentTypes):
            - Check for integer arguments.
        * dfg/DFGGraph.h:
            - Function declaration.
        * runtime/Executable.cpp:
        (JSC::tryDFGCompile):
        (JSC::FunctionExecutable::compileForCallInternal):
            - Add call to predictArgumentTypes.

2011-07-15  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT is inconsistent about fusing branches and speculating
        integer comparisons for branches.
        https://bugs.webkit.org/show_bug.cgi?id=64573

        Reviewed by Gavin Barraclough.
        
        This patch moves some of NonSpeculativeJIT's functionality up into the
        JITCodeGenerator superclass so that it can be used from both JITs.  Now,
        in cases where the speculative JIT doesn't want to speculate but still
        wants to emit good code, it can reliably emit the same code sequence as
        the non-speculative JIT.  This patch also extends the non-speculative
        JIT's compare optimizations to include compare/branch fusing, and
        extends the speculative JIT's compare optimizations to cover StrictEqual.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::isKnownInteger):
        (JSC::DFG::JITCodeGenerator::isKnownNumeric):
        (JSC::DFG::JITCodeGenerator::nonSpeculativePeepholeBranch):
        (JSC::DFG::JITCodeGenerator::nonSpeculativeCompare):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::detectPeepHoleBranch):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * wtf/Platform.h:

2011-07-14  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64250
        Global strict mode function leaking global object as "this".

        Reviewed by Oliver Hunt.

        The root problem here is that we pass the wrong values into
        calls, and then try to fix them up in the callee. Correct
        behaviour per the spec is to pass in the value undefined,
        as this unless either (1) the function call is based on an
        explicit property access or (2) the base of the call comes
        directly from a 'with'.

        This change does away with the need for this conversion of
        objects (non strict code should only box primitives), and
        does away with all this conversion for strict functions.

        This patch may have web compatibility ramifications, and may
        require some advocacy.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecode/Opcode.h:
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitResolveWithThis):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecompiler/BytecodeGenerator.h:
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * bytecompiler/NodesCodegen.cpp:
        (JSC::EvalFunctionCallNode::emitBytecode):
        (JSC::FunctionCallResolveNode::emitBytecode):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
            - Change NeedsThisConversion check to test for JSString's vptr
              (objects no longer need conversion).
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::resolveThisAndProperty):
            - Based on resolveBaseAndProperty, but produce correct this value.
        (JSC::Interpreter::privateExecute):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * interpreter/Interpreter.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_resolve_with_this):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        (JSC::JIT::emit_op_convert_this):
        (JSC::JIT::emitSlow_op_convert_this):
            - Change NeedsThisConversion check to test for JSString's vptr
              (objects no longer need conversion).
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_with_this):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        (JSC::JIT::emit_op_convert_this):
        (JSC::JIT::emitSlow_op_convert_this):
            - Change NeedsThisConversion check to test for JSString's vptr
              (objects no longer need conversion).
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * jit/JITStubs.h:
            - Removed op_convert_this_strict, added op_resolve_with_this.
        * runtime/JSActivation.h:
            - removed NeedsThisConversion flag, added IsEnvironmentRecord.
        * runtime/JSStaticScopeObject.h:
            - removed NeedsThisConversion flag, added IsEnvironmentRecord.
        * runtime/JSString.h:
        (JSC::RopeBuilder::createStructure):
            - removed NeedsThisConversion.
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isEnvironmentRecord):
        (JSC::TypeInfo::overridesHasInstance):
            - removed NeedsThisConversion flag, added IsEnvironmentRecord.
        * runtime/JSValue.h:
            - removed NeedsThisConversion.
        * runtime/JSVariableObject.h:
            - Corrected StructureFlags inheritance.
        * runtime/StrictEvalActivation.h:
        (JSC::StrictEvalActivation::createStructure):
            - Added IsEnvironmentRecord to StructureFlags, addded createStructure.
        * runtime/Structure.h:
            - removed NeedsThisConversion.
        * tests/mozilla/ecma/String/15.5.4.6-2.js:
        (getTestCases):
            - Removed invalid test case.

2011-07-15  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r91082, r91087, and r91089.
        http://trac.webkit.org/changeset/91082
        http://trac.webkit.org/changeset/91087
        http://trac.webkit.org/changeset/91089
        https://bugs.webkit.org/show_bug.cgi?id=64616

        gtk tests are failing a lot after this change. (Requested by
        dave_levin on #webkit).

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::identifier):
        (WTF::ThreadIdentifierData::initialize):
        (WTF::ThreadIdentifierData::initializeKeyOnceHelper):
        (WTF::ThreadIdentifierData::initializeKeyOnce):
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading):

2011-07-15  David Levin  <levin@chromium.org>

        Another attempted build fix.

        * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick
        up the definition of PTHREAD_KEYS_MAX.

2011-07-15  David Levin  <levin@chromium.org>

        Chromium build fix.

        * wtf/ThreadIdentifierDataPthreads.cpp: Add include to pick
        up the definition of PTHREAD_KEYS_MAX.

2011-07-14  David Levin  <levin@chromium.org>

        currentThread is too slow!
        https://bugs.webkit.org/show_bug.cgi?id=64577

        Reviewed by Darin Adler and Dmitry Titov.

        The problem is that currentThread results in a pthread_once call which always takes a lock.
        With this change, currentThread is 10% faster than isMainThread in release mode and only
        5% slower than isMainThread in debug.

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::initializeOnce): Remove the pthread once stuff
        which is no longer needed because this is called from initializeThreading().
        (WTF::ThreadIdentifierData::identifier): Remove the initializeKeyOnce call because
        intialization of the pthread key should already be done.
        (WTF::ThreadIdentifierData::initialize): Ditto.
        * wtf/ThreadIdentifierDataPthreads.h:
        * wtf/ThreadingPthreads.cpp:
        (WTF::initializeThreading): Acquire the pthread key here.

2011-07-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not optimize Branch as well as it could.
        https://bugs.webkit.org/show_bug.cgi?id=64574

        Reviewed by Gavin Barraclough.
        
        This creates a common code path for emitting unfused branches, which does
        no speculation, and only performs a slow call if absolutely necessary.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitBranch):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-14  Filip Pizlo  <fpizlo@apple.com>

        GC allocation fast path has too many operations.
        https://bugs.webkit.org/show_bug.cgi?id=64493

        Reviewed by Darin Adler.
        
        Changed the timing of the lazy sweep so that it occurs when we land on
        a previously-unsweeped block, rather than whenever we land on an unsweeped
        cell.  After the per-block lazy sweep occurs, the block is turned into a
        singly linked list of free cells.  The allocation fast path is now just a
        load-branch-store to remove a cell from the head of the list.
        
        Additionally, this changes the way new blocks are allocated.  Previously,
        they would be populated with dummy cells.  With this patch, they are
        turned into a free list, which means that there will never be destructor
        calls for allocations in fresh blocks.
        
        These changes result in a 1.9% speed-up on V8, and a 0.6% speed-up on
        SunSpider.  There are no observed statistically significant slow-downs
        on any individual benchmark.

        * JavaScriptCore.exp:
        * heap/Heap.cpp:
        (JSC::Heap::allocateSlowCase):
        (JSC::Heap::collect):
        (JSC::Heap::canonicalizeBlocks):
        (JSC::Heap::resetAllocator):
        * heap/Heap.h:
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCell):
        (JSC::Heap::forEachBlock):
        (JSC::Heap::allocate):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::MarkedBlock):
        (JSC::MarkedBlock::lazySweep):
        (JSC::MarkedBlock::blessNewBlockForFastPath):
        (JSC::MarkedBlock::blessNewBlockForSlowPath):
        (JSC::MarkedBlock::canonicalizeBlock):
        * heap/MarkedBlock.h:
        * heap/NewSpace.cpp:
        (JSC::NewSpace::addBlock):
        (JSC::NewSpace::canonicalizeBlocks):
        * heap/NewSpace.h:
        (JSC::NewSpace::allocate):
        (JSC::NewSpace::SizeClass::SizeClass):
        (JSC::NewSpace::SizeClass::canonicalizeBlock):
        * heap/OldSpace.cpp:
        (JSC::OldSpace::addBlock):

2011-07-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT crashes on host constructor calls in debug mode.
        https://bugs.webkit.org/show_bug.cgi?id=64562
        
        Reviewed by Gavin Barraclough.
        
        Fixed the relevant ASSERT.

        * dfg/DFGOperations.cpp:

2011-07-14  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT contains a FIXME for rewinding speculative code generation that
        has already been fixed.
        https://bugs.webkit.org/show_bug.cgi?id=64022

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):

2011-07-14  Ryuan Choi  <ryuan.choi@samsung.com>

        [EFL] Add OwnPtr specialization for Ecore_Pipe.
        https://bugs.webkit.org/show_bug.cgi?id=64515

        Add an overload for deleteOwnedPtr(Ecore_Pipe*) on EFL port.

        Reviewed by Xan Lopez.

        * wtf/OwnPtrCommon.h:
        * wtf/efl/OwnPtrEfl.cpp:
        (WTF::deleteOwnedPtr):

2011-07-14  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT unnecessarily boxes and unboxes values during silent spilling.
        https://bugs.webkit.org/show_bug.cgi?id=64068

        Reviewed by Gavin Barraclough.
        
        Silent spilling and filling of registers is done during slow-path C
        function calls.  The silent spill/fill logic does not affect register
        allocation on paths that don't involve the C function call.
        
        This changes the silent spilling code to spill in unboxed form.  The
        silent fill will refill in whatever form the register was spilled in.
        For example, the silent spill code may choose not to spill the register
        because it was already spilled previously, which would imply that it
        was spilled in boxed form.  The filling code detects this and either
        unboxes, or not, depending on what is appropriate.
        
        This change also results in a simplification of the silent spill/fill
        API: silent spilling no longer needs to know about the set of registers
        that cannot be trampled, since it never does boxing and hence does not
        need a temporary register.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentSpillGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillFPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::valueToInt32):
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compare):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-13  Michael Saboff  <msaboff@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64202
        Enh: Improve handling of RegExp in the form of /.*blah.*/

        Reviewed by Gavin Barraclough.

        Added code to both the Yarr interpreter and JIT to handle
        these expressions a little differently.  First off, the terms
        in between the leading and trailing .*'s cannot capture and
        also this enhancement is limited to single alternative expressions.
        If an expression is of the right form with the aforementioned
        restrictions, we process the inner terms and then look for the
        beginning of the string and end of the string.  There is handling 
        for multiline expressions to allow the beginning and end to be 
        right after and right before newlines.

        This enhancement speeds up expressions of this type 12x on
        a MacBookPro.

        Cleaned up 'case' statement indentation.

        A new set of tests was added as LayoutTests/fast/regex/dotstar.html

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::InputStream::end):
        (JSC::Yarr::Interpreter::matchDotStarEnclosure):
        (JSC::Yarr::Interpreter::matchDisjunction):
        (JSC::Yarr::ByteCompiler::assertionDotStarEnclosure):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        * yarr/YarrInterpreter.h:
        (JSC::Yarr::ByteTerm::DotStarEnclosure):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::backtrackDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::generateTerm):
        (JSC::Yarr::YarrGenerator::backtrackTerm):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
        (JSC::Yarr::YarrPatternConstructor::containsCapturingTerms):
        (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
        (JSC::Yarr::YarrPattern::compile):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternTerm::PatternTerm):

2011-07-13  Xan Lopez  <xlopez@igalia.com>

        [GTK] Fix distcheck

        Reviewed by Martin Robinson.

        * GNUmakefile.list.am: add missing files.

2011-07-13  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not implement prototype chain or list caching for get_by_id.
        https://bugs.webkit.org/show_bug.cgi?id=64147

        Reviewed by Gavin Barraclough.
        
        This implements unified support for prototype caching, prototype chain
        caching, and polymorphic (i.e. list) prototype and prototype chain
        caching.  This is done by creating common code for emitting prototype
        or chain access stubs, and having it factored out into
        generateProtoChainAccessStub().  This function is called by
        tryCacheGetByID once the latter determines that some form of prototype
        access caching is necessary (i.e. the slot being accessed is not on the
        base value but on some other object).
        
        Direct prototype list, and prototype chain list, caching is implemented by
        linking the slow path to operationGetByIdProtoBuildList(), which uses the
        same helper function (generateProtoChainAccessStub()) as tryCacheGetByID.
        
        This change required ensuring that the value in the scratchGPR field in
        StructureStubInfo is preserved even after the stub info is in the
        chain, or proto_list, states.  Hence scratchGPR was moved out of the union
        and into the top-level of StructureStubInfo.
        
        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitRestoreScratch):
        (JSC::DFG::linkRestoreScratch):
        (JSC::DFG::generateProtoChainAccessStub):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDProtoList):
        (JSC::DFG::dfgBuildGetByIDProtoList):
        (JSC::DFG::tryCachePutByID):
        * dfg/DFGRepatch.h:

2011-07-12  Brent Fulgham  <bfulgham@webkit.org>

        Standardize WinCairo conditionalized code under PLATFORM macro.
        https://bugs.webkit.org/show_bug.cgi?id=64377

        Reviewed by Maciej Stachowiak.

        * wtf/Platform.h: Update to use PLATFORM(WIN_CAIRO) for tests.

2011-07-13  David Levin  <levin@chromium.org>

        Possible race condition in ThreadIdentifierData::initializeKeyOnce and shouldCallRealDebugger.
        https://bugs.webkit.org/show_bug.cgi?id=64465

        Reviewed by Dmitry Titov.

        There isn't a good way to test this as it is very highly unlikely to occur.

        * wtf/ThreadIdentifierDataPthreads.cpp:
        (WTF::ThreadIdentifierData::initializeKeyOnce): Since scoped static initialization
        isn't thread-safe, change the initialization to be global.

2011-07-12  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64424
        Our direct eval behaviour deviates slightly from the spec.

        Reviewed by Oliver Hunt.

        The ES5 spec defines a concept of 'Direct Call to Eval' (see section 15.1.2.1.1), where
        behaviour will differ from that of an indirect call (e.g. " { eval: window.eval }.eval();"
        or "var a = eval; a();" are indirect calls), particularly in non-strict scopes variables
        may be introduced into the caller's environment.

        ES5 direct calls are any call where the callee function is provided by a reference, a base
        of that Reference is an EnvironmentRecord (this corresponds to all productions
        "PrimaryExpression: Identifier", see 10.2.2.1 GetIdentifierReference), and where the name
        of the reference is "eval". This means any expression of the form "eval(...)", and that
        calls the standard built in eval method from on the Global Object, is considered to be
        direct.

        In JavaScriptCore we are currently overly restrictive. We also check that the
        EnvironmentRecord that is the base of the reference is the Declaractive Environment Record
        at the root of the scope chain, corresponding to the Global Object - an "eval(..)" statement
        that hits a var eval in a nested scope is not considered to be direct. This behaviour does
        not emanate from the spec, and is incorrect.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
            - Fixed direct eval check in op_call_eval.
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
            - Fixed direct eval check in op_call_eval.
        * runtime/Executable.h:
        (JSC::isHostFunction):
            - Added check for host function with specific NativeFunction.

2011-07-13  Ademar de Souza Reis Jr.  <ademar.reis@openbossa.org>

        Reviewed by Andreas Kling.

        Broken build on QNX
        https://bugs.webkit.org/show_bug.cgi?id=63717

        QNX doesn't support pthread's SA_RESTART (required by
        JSC_MULTIPLE_THREADS), JIT is broken at runtime and there a
        few minor compilation errors here and there.

        Original patch by Ritt Konstantin <ritt.ks@gmail.com>, also
        tested by him on QNX v6.5 (x86)

        * wtf/DateMath.cpp: fix usage of abs/labs
        * wtf/Platform.h: Disable JIT and JSC_MULTIPLE_THREADS
        * wtf/StackBounds.cpp: Add a couple of missing includes (and sort them)

2011-07-12  Anders Carlsson  <andersca@apple.com>

        If a compiler has nullptr support, include <cstddef> to get the nullptr_t definition
        https://bugs.webkit.org/show_bug.cgi?id=64429

        Include the cstddef which has the nullptr_t typedef according to the C++0x standard.

        * wtf/NullPtr.h:

2011-07-13  MORITA Hajime  <morrita@google.com>

        Refactoring: Ignored ExceptionCode value should be less annoying.
        https://bugs.webkit.org/show_bug.cgi?id=63688

        Added ASSERT_AT macro.

        Reviewed by Darin Adler.

        * wtf/Assertions.h:

2011-07-12  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not implement op_construct.
        https://bugs.webkit.org/show_bug.cgi?id=64066

        Reviewed by Gavin Barraclough.
        
        This is a fixed implementation of op_construct.  Constructor calls are implemented
        by reusing almost all of the code for Call, with care taken to make sure that
        where the are differences (like selecting different code blocks), those differences
        are respected.  The two fixes over the last patch are: (1) make sure the
        CodeBlock::unlinkCalls respects differences between Call and Construct, and (2)
        make sure that virtualFor() in DFGOperations respects the CodeSpecializationKind
        (either CodeForCall or CodeForConstruct) when invoking the compiler.

        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordConstruct):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls):

2011-07-12  Oliver Hunt  <oliver@apple.com>

        Overzealous type validation in method_check
        https://bugs.webkit.org/show_bug.cgi?id=64415

        Reviewed by Gavin Barraclough.

        method_check is essentially just a value look up
        optimisation, but it internally stores the value
        as a JSFunction, even though it never relies on
        this fact.  Under GC validation however we end up
        trying to enforce that assumption.  The fix is
        simply to store the value as a correct supertype.

        * bytecode/CodeBlock.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):
        (JSC::DFG::tryCacheGetMethod):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-07-12  Filip Pizlo  <fpizlo@apple.com>

        COLLECT_ON_EVERY_ALLOCATION no longer works.
        https://bugs.webkit.org/show_bug.cgi?id=64388

        Reviewed by Oliver Hunt.
        
        Added a flag to Heap that determines if it's safe to collect (which for now means that
        JSGlobalObject has actually been initialized, but it should work for other things, too).
        This allows JSGlobalObject to allocate even if the allocator wants to GC; instead of
        GCing it just grows the heap, if necessary.
        
        Then changed Heap::allocate() to not recurse ad infinitum when
        COLLECT_ON_EVERY_ALLOCATION is set.  This also makes the allocator generally more
        resilient against bugs; this change allowed me to put in handy assertions, such as that
        an allocation must succeed after either a collection or after a new block was added.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::tryAllocate):
        (JSC::Heap::allocate):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        * heap/Heap.h:
        (JSC::Heap::notifyIsSafeToCollect):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):

2011-07-12  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT put_by_id transition caching does not inform the GC about the structure and
        prototype chain that it is referencing.
        https://bugs.webkit.org/show_bug.cgi?id=64387

        Reviewed by Gavin Barraclough.
        
        Fixed the relevant code in DFGRepatch to call StructureStubInfo::initPutByIdTransition().

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID):

2011-07-12  Adam Roben  <aroben@apple.com>

        Ensure no intermediate WTF::Strings are created when concatenating with string literals

        Fixes <http://webkit.org/b/63330> Concatenating string literals and WTF::Strings using
        operator+ is suboptimal

        Reviewed by Darin Adler.

        * wtf/text/StringConcatenate.h:
        (WTF::StringTypeAdapter<String>::writeTo): Added a macro that can be used for testing how
        many WTF::Strings get copied while evaluating an operator+ expression.

        * wtf/text/StringOperators.h:
        (WTF::operator+): Changed the overload that takes a StringAppend to take it on the left-hand
        side, since operator+ is left-associative. Having the StringAppend on the right-hand side
        was causing us to make intermediate WTF::Strings when evaluating expressions that contained
        multiple calls to operator+. Added some more overloads for that take a left-hand side of
        const char* to resolve overload ambiguity for certain expressions. Added overloads that take
        a left-hand side of const UChar* (matching the const char* overloads) so that wide string
        literals don't first have to be converted to a WTF::String in operator+ expressions.

2011-07-12  Adam Roben  <aroben@apple.com>

        Unreviewed, rolling out r90811.
        http://trac.webkit.org/changeset/90811
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Several svg tests failing assertions beneath
        SVGSMILElement::findInstanceTime

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-07-12  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>

        Reviewed by Nikolas Zimmermann.

        Speed up SVGSMILElement::findInstanceTime.
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Add a new parameter to StdlibExtras.h::binarySerarch function
        to also handle cases when the array does not contain the key value.
        This is needed for an svg function.

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-07-11  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT does not guard itself against floating point speculation
        failures on non-floating-point constants.
        https://bugs.webkit.org/show_bug.cgi?id=64330

        Reviewed by Gavin Barraclough.
        
        Made fillSpeculateDouble immediate invoke terminateSpeculativeExecution() as
        soon as it notices that it's speculating on something that is a non-numeric
        JSConstant.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

2011-07-11  Filip Pizlo  <fpizlo@apple.com>

        DFG Speculative JIT does not always insert speculation checks when speculating
        arrays.
        https://bugs.webkit.org/show_bug.cgi?id=64254

        Reviewed by Gavin Barraclough.
        
        Changed the SetLocal instruction to always validate that the value being stored
        into the local variable is an array, if that variable was marked PredictArray.
        This is necessary since uses of arrays assume that if a PredictArray value is
        in a local variable then the speculation check validating that the value is an
        array was already performed.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-11  Gabor Loki  <loki@webkit.org>

        Fix the condition of the optimized code in doubleTransfer
        https://bugs.webkit.org/show_bug.cgi?id=64261

        Reviewed by Zoltan Herczeg.

        The condition of the optimized code in doubleTransfer is wrong. The
        data transfer should be executed with four bytes aligned address.
        VFP cannot perform unaligned memory access.

        Reported by Jacob Bramley.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::doubleTransfer):

2011-07-11  Gabor Loki  <loki@webkit.org>

        Signed arithmetic bug in dataTransfer32.
        https://bugs.webkit.org/show_bug.cgi?id=64257

        Reviewed by Zoltan Herczeg.

        An arithmetic bug is fixed. If the offset of dataTransfer is half of the
        addressable memory space on a 32-bit machine (-2147483648 = 0x80000000)
        a load instruction is emitted with a wrong zero offset.

        Inspired by Jacob Bramley's patch from JaegerMonkey.

        * assembler/ARMAssembler.cpp:
        (JSC::ARMAssembler::dataTransfer32):

2011-07-09  Thouraya Andolsi  <thouraya.andolsi@st.com>

        Fix unaligned userspace access for SH4 platforms. 
        https://bugs.webkit.org/show_bug.cgi?id=62993

        * wtf/Platform.h:

2011-07-09  Chao-ying Fu  <fu@mips.com>

        Fix MIPS build due to readInt32 and readPointer
        https://bugs.webkit.org/show_bug.cgi?id=63962

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::readInt32):
        (JSC::MIPSAssembler::readPointer):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::rshift32):

2011-07-08  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=64181
        REGRESSION (r90602): Gmail doesn't load

        Rolling out r90601, r90602.

        * dfg/DFGAliasTracker.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::dfgLinkCall):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * runtime/JSObject.h:
        (JSC::JSObject::isUsingInlineStorage):

2011-07-08  Kalev Lember  <kalev@smartlink.ee>

        Reviewed by Adam Roben.

        Add missing _WIN32_WINNT and WINVER definitions
        https://bugs.webkit.org/show_bug.cgi?id=59702

        Moved _WIN32_WINNT and WINVER definitions to config.h so that they are
        available for all source files.

        In particular, wtf/FastMalloc.cpp uses CreateTimerQueueTimer and
        DeleteTimerQueueTimer which are both guarded by
        #if (_WIN32_WINNT >= 0x0500)
        in MinGW headers.

        * config.h:
        * wtf/Assertions.cpp:

2011-07-08  Chang Shu  <cshu@webkit.org>

        Rename "makeSecure" to "fill" and remove the support for displaying last character
        to avoid layering violatation.
        https://bugs.webkit.org/show_bug.cgi?id=59114

        Reviewed by Alexey Proskuryakov.

        * JavaScriptCore.exp:
        * JavaScriptCore.order:
        * wtf/text/StringImpl.cpp:
        (WTF::StringImpl::fill):
        * wtf/text/StringImpl.h:
        * wtf/text/WTFString.h:
        (WTF::String::fill):

2011-07-08  Benjamin Poulain  <benjamin@webkit.org>

        [WK2] Do not forward touch events to the web process when it does not need them
        https://bugs.webkit.org/show_bug.cgi?id=64164

        Reviewed by Kenneth Rohde Christiansen.

        Add a convenience function to obtain a reference to the last element of a Deque.

        * wtf/Deque.h:
        (WTF::Deque::last):

2011-07-07  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not implement op_construct.
        https://bugs.webkit.org/show_bug.cgi?id=64066

        Reviewed by Gavin Barraclough.

        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordConstruct):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::addCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkFor):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-07  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not implement get_by_id prototype caching.
        https://bugs.webkit.org/show_bug.cgi?id=64077

        Reviewed by Gavin Barraclough.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::emitRestoreScratch):
        (JSC::DFG::linkRestoreScratch):
        (JSC::DFG::tryCacheGetByID):
        * runtime/JSObject.h:
        (JSC::JSObject::addressOfPropertyAtOffset):

2011-07-07  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT method_check implementation does not link to optimized get_by_id
        slow path.
        https://bugs.webkit.org/show_bug.cgi?id=64073

        Reviewed by Gavin Barraclough.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):

2011-07-07  Oliver Hunt  <oliver@apple.com>

        Encode jump and link sizes into the appropriate enums
        https://bugs.webkit.org/show_bug.cgi?id=64123

        Reviewed by Sam Weinig.

        Finally kill off the out of line jump and link size arrays, 
        so we can avoid icky loads and constant fold the linking arithmetic.

        * assembler/ARMv7Assembler.cpp:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::jumpSizeDelta):
        (JSC::ARMv7Assembler::computeJumpType):

2011-07-06  Juan C. Montemayor  <jmont@apple.com>

        ASSERT_NOT_REACHED running test 262
        https://bugs.webkit.org/show_bug.cgi?id=63951
        
        Added a case to the switch statement where the code was failing. Fixed
        some logic as well that gave faulty error messages.

        Reviewed by Gavin Barraclough.

        * parser/JSParser.cpp:
        (JSC::JSParser::getTokenName):
        (JSC::JSParser::updateErrorMessageSpecialCase):
        (JSC::JSParser::updateErrorMessage):

2011-07-06  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT implementation of op_call results in regressions on sunspider
        controlflow-recursive.
        https://bugs.webkit.org/show_bug.cgi?id=64039

        Reviewed by Gavin Barraclough.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::isSmallInt32Constant):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isInteger):

2011-07-06  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not support method_check
        https://bugs.webkit.org/show_bug.cgi?id=63972

        Reviewed by Gavin Barraclough.

        * assembler/CodeLocation.h:
        (JSC::CodeLocationPossiblyNearCall::CodeLocationPossiblyNearCall):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
        (JSC::MethodCallLinkInfo::seenOnce):
        (JSC::MethodCallLinkInfo::setSeen):
        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::recordGetMethod):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedGetMethod):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addMethodGet):
        (JSC::DFG::JITCompiler::MethodGetRecord::MethodGetRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchGetMethodFast):
        (JSC::DFG::tryCacheGetMethod):
        (JSC::DFG::dfgRepatchGetMethod):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrier::set):

2011-07-06  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT op_call implementation will flush registers even when those registers are dead
        https://bugs.webkit.org/show_bug.cgi?id=64023

        Reviewed by Gavin Barraclough.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::integerResult):
        (JSC::DFG::JITCodeGenerator::noResult):
        (JSC::DFG::JITCodeGenerator::cellResult):
        (JSC::DFG::JITCodeGenerator::jsValueResult):
        (JSC::DFG::JITCodeGenerator::doubleResult):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-06  Filip Pizlo  <fpizlo@apple.com>

        DFG speculative JIT may crash when speculating int on a non-int JSConstant.
        https://bugs.webkit.org/show_bug.cgi?id=64017

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-06  Dmitriy Vyukov  <dvyukov@google.com>

        Reviewed by David Levin.

        Allow substitution of dynamic annotations and prevent identical code folding by the linker.
        https://bugs.webkit.org/show_bug.cgi?id=62443

        * wtf/DynamicAnnotations.cpp:
        (WTFAnnotateBenignRaceSized):
        (WTFAnnotateHappensBefore):
        (WTFAnnotateHappensAfter):

2011-07-06  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>

        Calls on 32 bit machines are failed after r90423
        https://bugs.webkit.org/show_bug.cgi?id=63980

        Reviewed by Gavin Barraclough.

        Copy the necessary lines from JITCall.cpp.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):

2011-07-05  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT virtual call implementation is inefficient.
        https://bugs.webkit.org/show_bug.cgi?id=63974

        Reviewed by Gavin Barraclough.

        * dfg/DFGOperations.cpp:
        * runtime/Executable.h:
        (JSC::ExecutableBase::generatedJITCodeForCallWithArityCheck):
        (JSC::ExecutableBase::generatedJITCodeForConstructWithArityCheck):
        (JSC::ExecutableBase::generatedJITCodeWithArityCheckFor):
        (JSC::ExecutableBase::hasJITCodeForCall):
        (JSC::ExecutableBase::hasJITCodeForConstruct):
        (JSC::ExecutableBase::hasJITCodeFor):
        * runtime/JSFunction.h:
        (JSC::JSFunction::scopeUnchecked):

2011-07-05  Oliver Hunt  <oliver@apple.com>

        Force inlining of simple functions that show up as not being inlined
        https://bugs.webkit.org/show_bug.cgi?id=63964

        Reviewed by Gavin Barraclough.

        Looking at profile data indicates the gcc is failing to inline a
        number of trivial functions.  This patch hits the ones that show
        up in profiles with the ALWAYS_INLINE hammer.

        We also replace the memcpy() call in linking with a manual loop.
        Apparently memcpy() is almost never faster than an inlined loop.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::add):
        (JSC::ARMv7Assembler::add_S):
        (JSC::ARMv7Assembler::ARM_and):
        (JSC::ARMv7Assembler::asr):
        (JSC::ARMv7Assembler::b):
        (JSC::ARMv7Assembler::blx):
        (JSC::ARMv7Assembler::bx):
        (JSC::ARMv7Assembler::clz):
        (JSC::ARMv7Assembler::cmn):
        (JSC::ARMv7Assembler::cmp):
        (JSC::ARMv7Assembler::eor):
        (JSC::ARMv7Assembler::it):
        (JSC::ARMv7Assembler::ldr):
        (JSC::ARMv7Assembler::ldrCompact):
        (JSC::ARMv7Assembler::ldrh):
        (JSC::ARMv7Assembler::ldrb):
        (JSC::ARMv7Assembler::lsl):
        (JSC::ARMv7Assembler::lsr):
        (JSC::ARMv7Assembler::movT3):
        (JSC::ARMv7Assembler::mov):
        (JSC::ARMv7Assembler::movt):
        (JSC::ARMv7Assembler::mvn):
        (JSC::ARMv7Assembler::neg):
        (JSC::ARMv7Assembler::orr):
        (JSC::ARMv7Assembler::orr_S):
        (JSC::ARMv7Assembler::ror):
        (JSC::ARMv7Assembler::smull):
        (JSC::ARMv7Assembler::str):
        (JSC::ARMv7Assembler::sub):
        (JSC::ARMv7Assembler::sub_S):
        (JSC::ARMv7Assembler::tst):
        (JSC::ARMv7Assembler::linkRecordSourceComparator):
        (JSC::ARMv7Assembler::link):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Reg3Imm8):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp5Imm5Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Reg3Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8Imm8):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp8RegReg143):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp9Imm7):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp10Reg3Reg3):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4FourFours):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16FourFours):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp16Op16):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp5i6Imm4Reg4EncodedImm):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::twoWordOp12Reg4Reg4Imm12):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpOp):
        (JSC::ARMv7Assembler::ARMInstructionFormatter::vfpMemOp):
        * assembler/LinkBuffer.h:
        (JSC::LinkBuffer::linkCode):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::nearCall):
        (JSC::MacroAssemblerARMv7::call):
        (JSC::MacroAssemblerARMv7::ret):
        (JSC::MacroAssemblerARMv7::moveWithPatch):
        (JSC::MacroAssemblerARMv7::branchPtrWithPatch):
        (JSC::MacroAssemblerARMv7::storePtrWithPatch):
        (JSC::MacroAssemblerARMv7::tailRecursiveCall):
        (JSC::MacroAssemblerARMv7::makeTailRecursiveCall):
        (JSC::MacroAssemblerARMv7::jump):
        (JSC::MacroAssemblerARMv7::makeBranch):

2011-07-05  Zoltan Herczeg  <zherczeg@inf.u-szeged.hu>

        Make "Add optimised paths for a few maths functions" work on Qt
        https://bugs.webkit.org/show_bug.cgi?id=63893

        Reviewed by Oliver Hunt.

        Move the generated code to the .text section instead of .data section.
        Fix alignment for the 32 bit thunk code.

        * jit/ThunkGenerators.cpp:

2011-07-05  Filip Pizlo  <fpizlo@apple.com>

        DFG JIT does not implement op_call.
        https://bugs.webkit.org/show_bug.cgi?id=63858

        Reviewed by Gavin Barraclough.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::setNumberOfCallLinkInfos):
        (JSC::CodeBlock::numberOfCallLinkInfos):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCall):
        (JSC::BytecodeGenerator::emitConstruct):
        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::lookupGetByVal):
        (JSC::DFG::AliasTracker::recordCall):
        (JSC::DFG::AliasTracker::equalIgnoringLaterNumericConversion):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ByteCodeParser):
        (JSC::DFG::ByteCodeParser::getLocal):
        (JSC::DFG::ByteCodeParser::getArgument):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::addToGraph):
        (JSC::DFG::ByteCodeParser::addVarArgChild):
        (JSC::DFG::ByteCodeParser::predictInt32):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::processPhiStack):
        (JSC::DFG::ByteCodeParser::allocateVirtualRegisters):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::opName):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::refChildren):
        * dfg/DFGGraph.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::useChildren):
        (JSC::DFG::JITCodeGenerator::emitCall):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::addressOfCallData):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::CallRecord::CallRecord):
        (JSC::DFG::JITCompiler::notifyCall):
        (JSC::DFG::JITCompiler::appendCallWithFastExceptionCheck):
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::child1):
        (JSC::DFG::Node::child2):
        (JSC::DFG::Node::child3):
        (JSC::DFG::Node::firstChild):
        (JSC::DFG::Node::numChildren):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compare):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgLinkCall):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
        * interpreter/CallFrame.h:
        (JSC::ExecState::calleeAsValue):
        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkCall):
        (JSC::JIT::linkConstruct):
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITCode.h:
        (JSC::JITCode::JITCode):
        (JSC::JITCode::jitType):
        (JSC::JITCode::HostFunction):
        * runtime/JSFunction.h:
        * runtime/JSGlobalData.h:

2011-07-05  Oliver Hunt  <oliver@apple.com>

        Initialize new MarkStack member

        * heap/MarkStack.h:
        (JSC::MarkStack::MarkStack):

2011-07-05  Oliver Hunt  <oliver@apple.com>

        Don't throw out compiled code repeatedly
        https://bugs.webkit.org/show_bug.cgi?id=63960

        Reviewed by Gavin Barraclough.

        Stop throwing away all compiled code every time
        we're told to do a full GC.  Instead unlink all
        callsites during such GC passes to maximise the
        number of collectable functions, but otherwise
        leave compiled functions alone.

        * API/JSBase.cpp:
        (JSGarbageCollect):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * heap/Heap.cpp:
        (JSC::Heap::collectAllGarbage):
        * heap/MarkStack.h:
        (JSC::MarkStack::shouldUnlinkCalls):
        (JSC::MarkStack::setShouldUnlinkCalls):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::recompileAllJSFunctions):
        (JSC::JSGlobalData::releaseExecutableMemory):
        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::invalidateCode):
        * runtime/RegExp.h:

2011-07-05  Filip Pizlo  <fpizlo@apple.com>

        JSC JIT has code duplication for the handling of call and construct
        https://bugs.webkit.org/show_bug.cgi?id=63957

        Reviewed by Gavin Barraclough.

        * jit/JIT.cpp:
        (JSC::JIT::linkFor):
        * jit/JIT.h:
        * jit/JITStubs.cpp:
        (JSC::jitCompileFor):
        (JSC::DEFINE_STUB_FUNCTION):
        (JSC::arityCheckFor):
        (JSC::lazyLinkFor):
        * runtime/Executable.h:
        (JSC::ExecutableBase::generatedJITCodeFor):
        (JSC::FunctionExecutable::compileFor):
        (JSC::FunctionExecutable::isGeneratedFor):
        (JSC::FunctionExecutable::generatedBytecodeFor):
        (JSC::FunctionExecutable::generatedJITCodeWithArityCheckFor):

2011-07-05  Gavin Barraclough  <barraclough@apple.com>

        Build fix following last patch.

        * runtime/JSFunction.cpp:
        (JSC::createPrototypeProperty):

2011-07-05  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63947
        ASSERT running Object.preventExtensions(Math.sin)

        Reviewed by Oliver Hunt.

        This is due to calling scope() on a hostFunction as a part of
        calling createPrototypeProperty to reify the prototype property.
        But host functions don't have a prototype property anyway!

        Prevent callling createPrototypeProperty on a host function.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createPrototypeProperty):
        (JSC::JSFunction::preventExtensions):

2011-07-04  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63880
        Evaluation order of conversions of operands to >, >= incorrect.

        Reviewed by Sam Weinig.

        Add 'leftFirst' parameter to jsLess, jsLessEq matching that described in the ES5
        spec. This allows these methods to be reused to perform >, >= relational compares
        with correct ordering of type conversions.

        * dfg/DFGOperations.cpp:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * runtime/Operations.h:
        (JSC::jsLess):
        (JSC::jsLessEq):

2011-07-04  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=16652
        Firefox and JavaScriptCore differ in Number.toString(integer)

        Our arbitrary radix (2..36) toString conversion is inaccurate.
        This is partly because it uses doubles to perform math that requires
        higher accuracy, and partly becasue it does not attempt to correctly
        detect where to terminate, instead relying on a simple 'epsilon'.

        * runtime/NumberPrototype.cpp:
        (JSC::decomposeDouble):
            - helper function to extract sign, exponent, mantissa from IEEE doubles.
        (JSC::Uint16WithFraction::Uint16WithFraction):
            - helper class, u16int with infinite precision fraction, used to convert
              the fractional part of the number to a string.
        (JSC::Uint16WithFraction::operator*=):
            - Multiply by a uint16.
        (JSC::Uint16WithFraction::operator<):
            - Compare two Uint16WithFractions.
        (JSC::Uint16WithFraction::floorAndSubtract):
            - Extract the integer portion of the number, and subtract it (clears the integer portion).
        (JSC::Uint16WithFraction::comparePoint5):
            - Compare to 0.5.
        (JSC::Uint16WithFraction::sumGreaterThanOne):
            - Passed a second Uint16WithFraction, returns true if the result of adding
              the two values would be greater than one.
        (JSC::Uint16WithFraction::isNormalized):
            - Used by ASSERTs to consistency check internal representation.
        (JSC::BigInteger::BigInteger):
            - helper class, unbounded integer value, used to convert the integer part
              of the number to a string.
        (JSC::BigInteger::divide):
            - Divide this value through by a uint32.
        (JSC::BigInteger::operator!):
            - test for zero.
        (JSC::toStringWithRadix):
            - Performs number to string conversion, with the given radix (2..36).
        (JSC::numberProtoFuncToString):
            - Changed to use toStringWithRadix.

2011-07-04  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63881
        Need separate bytecodes for handling >, >= comparisons.

        Reviewed by Oliver Hunt.

        This clears the way to fix Bug#63880. We currently handle greater-than comparisons
        as being using the corresponding op_less, etc opcodes.  This is incorrect with
        respect to evaluation ordering of the implicit conversions performed on operands -
        we should be calling ToPrimitive on the LHS and RHS operands to the greater than,
        but instead convert RHS then LHS.

        This patch adds opcodes for greater-than comparisons mirroring existing ones used
        for less-than.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dump):
        * bytecode/Opcode.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitJumpIfTrue):
        (JSC::BytecodeGenerator::emitJumpIfFalse):
        * bytecompiler/NodesCodegen.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compare):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_if_greater):
        (JSC::JIT::emitSlow_op_loop_if_greater):
        (JSC::JIT::emit_op_loop_if_greatereq):
        (JSC::JIT::emitSlow_op_loop_if_greatereq):
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_jgreater):
        (JSC::JIT::emit_op_jgreatereq):
        (JSC::JIT::emit_op_jngreater):
        (JSC::JIT::emit_op_jngreatereq):
        (JSC::JIT::emitSlow_op_jgreater):
        (JSC::JIT::emitSlow_op_jgreatereq):
        (JSC::JIT::emitSlow_op_jngreater):
        (JSC::JIT::emitSlow_op_jngreatereq):
        (JSC::JIT::emit_compareAndJumpSlow):
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitBinaryDoubleOp):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h:
        * parser/NodeConstructors.h:
        (JSC::GreaterNode::GreaterNode):
        (JSC::GreaterEqNode::GreaterEqNode):
        * parser/Nodes.h:

2011-07-03  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63879
        Reduce code duplication for op_jless, op_jlesseq, op_jnless, op_jnlesseq.

        Reviewed by Sam Weinig.
        
        There is a lot of copy & paste code here; we can reduce duplication by making
        a shared implementation.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::branch32):
        (JSC::MacroAssembler::commute):
            - Make these function platform agnostic.
        * assembler/MacroAssemblerX86Common.h:
            - Moved branch32/commute up to MacroAssembler.
        * jit/JIT.h:
        (JSC::JIT::emit_op_loop_if_lesseq):
        (JSC::JIT::emitSlow_op_loop_if_lesseq):
            - Add an implementation matching that for op_loop_if_less, which just calls op_jless.
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emit_op_jless):
        (JSC::JIT::emit_op_jlesseq):
        (JSC::JIT::emit_op_jnless):
        (JSC::JIT::emit_op_jnlesseq):
        (JSC::JIT::emitSlow_op_jless):
        (JSC::JIT::emitSlow_op_jlesseq):
        (JSC::JIT::emitSlow_op_jnless):
        (JSC::JIT::emitSlow_op_jnlesseq):
            - Common implmentations of these methods for JSVALUE64 & JSVALUE32_64.
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
            - Internal implmementation of jless etc for JSVALUE64.
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emit_compareAndJump):
        (JSC::JIT::emit_compareAndJumpSlow):
            - Internal implmementation of jless etc for JSVALUE32_64.
        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
            - Remove old implementation of emit_op_loop_if_lesseq.

2011-07-03  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r90347.
        http://trac.webkit.org/changeset/90347
        https://bugs.webkit.org/show_bug.cgi?id=63886

        Build breaks on Leopard, Chromium-win, WinCairo, and WinCE.
        (Requested by tkent on #webkit).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/BigInteger.h: Removed.
        * runtime/NumberPrototype.cpp:
        (JSC::numberProtoFuncToPrecision):
        (JSC::numberProtoFuncToString):
        * runtime/Uint16WithFraction.h: Removed.
        * wtf/MathExtras.h:

2011-06-30  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=16652
        Firefox and JavaScriptCore differ in Number.toString(integer)

        Our arbitrary radix (2..36) toString conversion is inaccurate.
        This is partly because it uses doubles to perform math that requires
        higher accuracy, and partly becasue it does not attempt to correctly
        detect where to terminate, instead relying on a simple 'epsilon'.

        * runtime/NumberPrototype.cpp:
        (JSC::decomposeDouble):
            - helper function to extract sign, exponent, mantissa from IEEE doubles.
        (JSC::Uint16WithFraction::Uint16WithFraction):
            - helper class, u16int with infinite precision fraction, used to convert
              the fractional part of the number to a string.
        (JSC::Uint16WithFraction::operator*=):
            - Multiply by a uint16.
        (JSC::Uint16WithFraction::operator<):
            - Compare two Uint16WithFractions.
        (JSC::Uint16WithFraction::floorAndSubtract):
            - Extract the integer portion of the number, and subtract it (clears the integer portion).
        (JSC::Uint16WithFraction::comparePoint5):
            - Compare to 0.5.
        (JSC::Uint16WithFraction::sumGreaterThanOne):
            - Passed a second Uint16WithFraction, returns true if the result of adding
              the two values would be greater than one.
        (JSC::Uint16WithFraction::isNormalized):
            - Used by ASSERTs to consistency check internal representation.
        (JSC::BigInteger::BigInteger):
            - helper class, unbounded integer value, used to convert the integer part
              of the number to a string.
        (JSC::BigInteger::divide):
            - Divide this value through by a uint32.
        (JSC::BigInteger::operator!):
            - test for zero.
        (JSC::toStringWithRadix):
            - Performs number to string conversion, with the given radix (2..36).
        (JSC::numberProtoFuncToString):
            - Changed to use toStringWithRadix.

2011-07-02  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=63866
        DFG JIT - implement instanceof

        Reviewed by Sam Weinig.

        Add ops CheckHasInstance & InstanceOf to implement bytecodes
        op_check_has_instance & op_instanceof. This is an initial
        functional implementation, performance is a wash. We can
        follow up with changes to fuse the InstanceOf node with
        a subsequant branch, as we do with other comparisons.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::jitAssertIsCell):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-07-01  Oliver Hunt  <oliver@apple.com>

        IE Web Workers demo crashes in JSC::SlotVisitor::visitChildren()
        https://bugs.webkit.org/show_bug.cgi?id=63732

        Reviewed by Gavin Barraclough.

        Initialise the memory at the head of the new storage so that
        GC is safe if triggered by reportExtraMemoryCost.

        * runtime/JSArray.cpp:
        (JSC::JSArray::increaseVectorPrefixLength):

2011-07-01  Oliver Hunt  <oliver@apple.com>

        GC sweep can occur before an object is completely initialised
        https://bugs.webkit.org/show_bug.cgi?id=63836

        Reviewed by Gavin Barraclough.

        In rare cases it's possible for a GC sweep to occur while a
        live, but not completely initialised object is on the stack.
        In such a case we may incorrectly choose to mark it, even
        though it has no children that need marking.

        We resolve this by always zeroing out the structure of any
        value returned from JSCell::operator new(), and making the
        markstack tolerant of a null structure. 

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::~JSCell):
        (JSC::JSCell::JSCell::operator new):
        * runtime/Structure.h:
        (JSC::MarkStack::internalAppend):

2011-07-01  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT always performs slow C calls for div and mod.
        https://bugs.webkit.org/show_bug.cgi?id=63684

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):

2011-07-01  Juan C. Montemayor  <jmont@apple.com>

        Reviewed by Oliver Hunt.

        Lexer error messages are currently appalling
        https://bugs.webkit.org/show_bug.cgi?id=63340

        Added error messages for the Lexer. These messages will be displayed
        instead of the lexer error messages from the parser that are currently
        shown.

        * parser/Lexer.cpp:
        (JSC::Lexer::getInvalidCharMessage):
        (JSC::Lexer::setCode):
        (JSC::Lexer::parseString):
        (JSC::Lexer::lex):
        (JSC::Lexer::clear):
        * parser/Lexer.h:
        (JSC::Lexer::getErrorMessage):
        (JSC::Lexer::setOffset):
        * parser/Parser.cpp:
        (JSC::Parser::parse):

2011-07-01  Jungshik Shin  <jshin@chromium.org>

        Reviewed by Alexey Proskuryakov.

        Add ScriptCodesFromICU.h to wtf/unicode and make necessary changes in
        build files for ports not using ICU.
        Add icu/unicode/uscript.h for ports using ICU. It's taken from 
        ICU 3.6 (the version used on Mac OS 10.5)

        http://bugs.webkit.org/show_bug.cgi?id=20797

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * icu/unicode/uscript.h: Added for UScriptCode enum.
        * wtf/unicode/ScriptCodesFromICU.h: UScriptCode enum added.
        * wtf/unicode/icu/UnicodeIcu.h:
        * wtf/unicode/brew/UnicodeBrew.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:

2011-07-01  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=63819
        Escaping of forwardslashes in strings incorrect if multiple exist.

        The bug is in the parameters passed to a substring - should be
        start & length, but we're passing start & end indices!

        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSource):

2011-07-01  Adam Roben  <aroben@apple.com>

        Roll out r90194
        http://trac.webkit.org/changeset/90194
        https://bugs.webkit.org/show_bug.cgi?id=63778

        Fixes <http://webkit.org/b/63812> REGRESSION (r90194): Multiple tests intermittently failing
        assertions in WriteBarrierBase<JSC::Structure>::get

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::~JSCell):

2011-06-30  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Add optimised paths for a few maths functions
        https://bugs.webkit.org/show_bug.cgi?id=63757

        Relanding as a Mac only patch.

        This adds specialised thunks for Math.abs, Math.round, Math.ceil,
        Math.floor, Math.log, and Math.exp as they are apparently more
        important in real web content than we thought, which is somewhat
        mind-boggling.  On average doubles the performance of the common
        cases (eg. actually passing numbers in).  They're not as efficient
        as they could be, but this way gives them the most portability.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsDoubleBitops):
        (JSC::MacroAssemblerARM::andnotDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
        (JSC::MacroAssemblerARMv7::andnotDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::andnotDouble):
        (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsDoubleBitops):
        (JSC::MacroAssemblerSH4::andnotDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::supportsDoubleBitops):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::andnotDouble):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andnpd_rr):
        * create_hash_table:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        * jit/ThunkGenerators.h:

2011-07-01  David Kilzer  <ddkilzer@apple.com>

        <http://webkit.org/b/63814> Fix clang build error in JITOpcodes32_64.cpp

        Fixes the following build error in clang:

            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:9-741:35}: error: operator '?:' has lower precedence than '+'; '+' will be evaluated first [-Werror,-Wparentheses,3]
                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                     ~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36: note: place parentheses around the '+' expression to silence this warning [3]
                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                                                ^
                     (                         )
            fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:9-741:9}:"("
            fix-it:"JavaScriptCore/jit/JITOpcodes32_64.cpp":{741:35-741:35}:")"
            JavaScriptCore/jit/JITOpcodes32_64.cpp:741:36:{741:28-741:94}: note: place parentheses around the '?:' expression to evaluate it first [3]
                 map(m_bytecodeOffset + dynamic ? OPCODE_LENGTH(op_resolve_global_dynamic) : OPCODE_LENGTH(op_resolve_global), dst, regT1, regT0);
                                        ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            1 error generated.

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_resolve_global): Add parenthesis to make the
        tertiary expression evaluate first.

2011-07-01  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r90177 and r90179.
        http://trac.webkit.org/changeset/90177
        http://trac.webkit.org/changeset/90179
        https://bugs.webkit.org/show_bug.cgi?id=63790

        It caused crashes on Qt in debug mode (Requested by Ossy on
        #webkit).

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::rshift32):
        (JSC::MacroAssemblerARM::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARM::sqrtDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsFloatingPointSqrt):
        (JSC::MacroAssemblerARMv7::sqrtDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::sqrtDouble):
        (JSC::MacroAssemblerMIPS::supportsFloatingPointSqrt):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::sqrtDouble):
        * assembler/MacroAssemblerX86.h:
        * assembler/MacroAssemblerX86Common.h:
        * assembler/MacroAssemblerX86_64.h:
        * assembler/X86Assembler.h:
        * create_hash_table:
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitLoadDouble):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        * jit/ThunkGenerators.cpp:
        * jit/ThunkGenerators.h:

2011-06-30  Oliver Hunt  <oliver@apple.com>

        Reviewed by Beth Dakin.

        Make GC validation clear cell structure on destruction
        https://bugs.webkit.org/show_bug.cgi?id=63778

        * runtime/JSCell.h:
        (JSC::JSCell::JSCell::~JSCell):

2011-06-30  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Gavin Barraclough.

        Added write barrier that was missing from put_by_id_transition
        https://bugs.webkit.org/show_bug.cgi?id=63775

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier): Made this static with a
        MacroAssembler& argument so our patching functions could use it.

        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile): Updated for signature change.

        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCachePutByID): Missing barrier!

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Updated for signature change.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::privateCompilePutByIdTransition):
        * jit/JSInterfaceJIT.h: Same game here. Removed storePtrWithWriteBarrier
        because its meaning isn't clear -- maybe in the future we'll have a
        clear way to pass all stores through a common function that guarantees
        a write barrier, but that's not the case right now.

2011-06-30  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT does not reuse registers when compiling comparisons.
        https://bugs.webkit.org/show_bug.cgi?id=63565

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compare):

2011-06-30  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Gavin Barraclough.

        Added empty write barrier stubs in all the right places in the DFG JIT
        https://bugs.webkit.org/show_bug.cgi?id=63764
        
        SunSpider thinks this might be a 0.5% speedup. Meh.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::writeBarrier): Le stub.

        (JSC::DFG::JITCodeGenerator::cachedPutById): Don't do anything special
        for the case where base == scratch, since we now require base and scratch
        to be not equal, for the sake of the write barrier.

        * dfg/DFGJITCodeGenerator.h: Le stub.

        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile): Don't reuse the base register
        as the scratch register, since that's incompatible with the write barrier,
        which needs a distinct base and scratch.
        
        Do put the global object into a register before loading its var storage,
        since it needs to be in a register for the write barrier to operate on it.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitWriteBarrier): Second verse, same as the first.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more
        places.

        (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function
        is a little more than meaningless.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_put_global_var): Deployed offsetOfRegisters() to more
        places.

        (JSC::JIT::emitWriteBarrier): Added a teeny tiny ASSERT so this function
        is a little more than meaningless.

        * runtime/JSVariableObject.h:
        (JSC::JSVariableObject::offsetOfRegisters): Now used by the JIT, since
        we put the global object in a register and only then load its var storage
        by offset.

        (JSC::JIT::emitWriteBarrier):

2011-06-30  Oliver Hunt  <oliver@apple.com>

        Fix ARMv6 build

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::rshift32):

2011-06-30  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Add optimised paths for a few maths functions
        https://bugs.webkit.org/show_bug.cgi?id=63757

        This adds specialised thunks for Math.abs, Math.round, Math.ceil,
        Math.floor, Math.log, and Math.exp as they are apparently more
        important in real web content than we thought, which is somewhat
        mind-boggling.  On average doubles the performance of the common
        cases (eg. actually passing numbers in).  They're not as efficient
        as they could be, but this way gives them the most portability.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::supportsDoubleBitops):
        (JSC::MacroAssemblerARM::andnotDouble):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::supportsDoubleBitops):
        (JSC::MacroAssemblerARMv7::andnotDouble):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::andnotDouble):
        (JSC::MacroAssemblerMIPS::supportsDoubleBitops):
        * assembler/MacroAssemblerSH4.h:
        (JSC::MacroAssemblerSH4::supportsDoubleBitops):
        (JSC::MacroAssemblerSH4::andnotDouble):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::supportsDoubleBitops):
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::andnotDouble):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::supportsDoubleBitops):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::andnpd_rr):
        * create_hash_table:
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::finalize):
        (JSC::SpecializedThunkJIT::callDoubleToDouble):
        * jit/ThunkGenerators.cpp:
        (JSC::floorThunkGenerator):
        (JSC::ceilThunkGenerator):
        (JSC::roundThunkGenerator):
        (JSC::expThunkGenerator):
        (JSC::logThunkGenerator):
        (JSC::absThunkGenerator):
        * jit/ThunkGenerators.h:

2011-06-30  Cary Clark  <caryclark@google.com>

        Reviewed by James Robinson.

        Use Skia if Skia on Mac Chrome is enabled
        https://bugs.webkit.org/show_bug.cgi?id=62999

        * wtf/Platform.h:
        Add switch to use Skia if, externally,
        Skia has been enabled by a gyp define.

2011-06-30  Juan C. Montemayor  <jmont@apple.com>

        Reviewed by Geoffrey Garen.

        Web Inspector fails to display source for eval with syntax error
        https://bugs.webkit.org/show_bug.cgi?id=63583

        Web Inspector now displays a link to an eval statement that contains
        a syntax error.

        * parser/Parser.h:
        (JSC::isEvalNode):
        (JSC::EvalNode):
        (JSC::Parser::parse):

2011-06-30  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        X86Assembler does not encode byte registers in 64-bit mode correctly.
        https://bugs.webkit.org/show_bug.cgi?id=63665

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_rr):
        (JSC::X86Assembler::X86InstructionFormatter::oneByteOp8):

2011-06-30  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r90102.
        http://trac.webkit.org/changeset/90102
        https://bugs.webkit.org/show_bug.cgi?id=63714

        Lots of tests asserting beneath
        SVGSMILElement::findInstanceTime (Requested by aroben on
        #webkit).

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-06-30  Oliver Varga  <Varga.Oliver@stud.u-szeged.hu>

        Reviewed by Nikolas Zimmermann.

        Speed up SVGSMILElement::findInstanceTime.
        https://bugs.webkit.org/show_bug.cgi?id=61025

        Add a new parameter to StdlibExtras.h::binarySerarch function
        to also handle cases when the array does not contain the key value.
        This is needed for an svg function.

        * wtf/StdLibExtras.h:
        (WTF::binarySearch):

2011-06-29  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Geoff Garen.

        https://bugs.webkit.org/show_bug.cgi?id=63669
        DFG JIT - fix spectral-norm regression

        The problem is a mis-speculation leading to us falling off the speculative path.
        Make the speculation logic slightly smarter, don't predict int if one of the
        operands is already loaded as a double (we use this logic already for compares).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::shouldSpeculateInteger):

2011-06-29  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG JIT does not do put_by_id transition caching.
        https://bugs.webkit.org/show_bug.cgi?id=63662

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::testPrototype):
        (JSC::DFG::tryCachePutByID):

2011-06-29  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Added a dummy write barrier emitting function in all the right places in the old JIT
        https://bugs.webkit.org/show_bug.cgi?id=63667
        
        SunSpider reports no change.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_put_scoped_var): Do it.

        (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
        for the sake of the write barrier.

        (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_put_by_val):
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emit_op_put_scoped_var): Do it.

        (JSC::JIT::emit_op_put_global_var): Global object needs to be in a register
        for the sake of the write barrier.

        (JSC::JIT::emitWriteBarrier): Empty for now. Not for long!

2011-06-29  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG JIT does not perform get_by_id self list caching.
        https://bugs.webkit.org/show_bug.cgi?id=63605

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::tryBuildGetByIDList):
        (JSC::DFG::dfgBuildGetByIDList):
        * dfg/DFGRepatch.h:

2011-06-28  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG JIT lacks array.length caching.
        https://bugs.webkit.org/show_bug.cgi?id=63505

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::tryAllocate):
        (JSC::DFG::JITCodeGenerator::selectScratchGPR):
        (JSC::DFG::JITCodeGenerator::silentSpillAllRegisters):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::tryAllocate):
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::tryCacheGetByID):

2011-06-28  Pierre Rossi  <pierre.rossi@gmail.com>

        Reviewed by Eric Seidel.

        Warnings in JSC's JIT on 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=63259

        Fairly straightforward, just use ASSERT_JIT_OFFSET_UNUSED when it applies.

        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_method_check):
        (JSC::JIT::compileGetByIdHotPath):
        (JSC::JIT::emit_op_put_by_id):

2011-06-28  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r89968.
        http://trac.webkit.org/changeset/89968
        https://bugs.webkit.org/show_bug.cgi?id=63581

        Broke chromium windows compile (Requested by jamesr on
        #webkit).

        * wtf/Platform.h:

2011-06-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Fix sampling build
        https://bugs.webkit.org/show_bug.cgi?id=63579

        Gets opcode sampling building again, doesn't seem to work alas

        * bytecode/SamplingTool.cpp:
        (JSC::SamplingTool::notifyOfScope):
        * bytecode/SamplingTool.h:
        (JSC::SamplingTool::SamplingTool):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::enableSampler):
        * runtime/Executable.h:
        (JSC::ScriptExecutable::ScriptExecutable):

2011-06-28  Cary Clark  <caryclark@google.com>

        Reviewed by James Robinson.

        Use Skia if Skia on Mac Chrome is enabled
        https://bugs.webkit.org/show_bug.cgi?id=62999

        * wtf/Platform.h:
        Add switch to use Skia if, externally,
        Skia has been enabled by a gyp define.

2011-06-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        ASSERT when launching debug builds with interpreter and jit enabled
        https://bugs.webkit.org/show_bug.cgi?id=63566

        Add appropriate guards to the various Executable's memory reporting
        logic.

        * runtime/Executable.cpp:
        (JSC::EvalExecutable::compileInternal):
        (JSC::ProgramExecutable::compileInternal):
        (JSC::FunctionExecutable::compileForCallInternal):
        (JSC::FunctionExecutable::compileForConstructInternal):

2011-06-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63563
        DFG JIT - add support for double arith to speculative path

        Add integer support for div & mod, add double support for div, mod,
        add, sub & mul, dynamically selecting based on operand types.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::FPRTemporary::FPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::assembler):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::~SpeculateDoubleOperand):
        (JSC::DFG::SpeculateDoubleOperand::index):
        (JSC::DFG::SpeculateDoubleOperand::fpr):

2011-06-28  Oliver Hunt  <oliver@apple.com>

        Fix interpreter build.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):

2011-06-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63561
        DFG JIT - don't always assume integer in relational compare

        If neither operand is known integer, or either is in double representation,
        then at least use a function call (don't bail off the speculative path).

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleCall):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isDataFormatDouble):
        (JSC::DFG::SpeculativeJIT::compareIsInteger):

2011-06-28  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Make constant array optimisation less strict about what constitutes a constant
        https://bugs.webkit.org/show_bug.cgi?id=63554

        Now allow string constants in array literals to actually be considered constant,
        and so avoid codegen in array literals with strings in them.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::addConstantBuffer):
        (JSC::CodeBlock::constantBuffer):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addConstantBuffer):
        (JSC::BytecodeGenerator::addStringConstant):
        (JSC::BytecodeGenerator::emitNewArray):
        * bytecompiler/BytecodeGenerator.h:
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::privateExecute):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):

2011-06-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63560
        DFG_JIT allow allocation of specific machine registers

        This allow us to allocate the registers necessary to perform x86
        idiv instructions for div/mod, and may be useful for shifts, too.

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::GPRTemporary::GPRTemporary):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::allocate):
        (JSC::DFG::GPRResult::GPRResult):
        * dfg/DFGRegisterBank.h:
        (JSC::DFG::RegisterBank::allocateSpecific):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::isInteger):

2011-06-28  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=55040
        RegExp constructor returns the argument regexp instead of a new object

        Per 15.10.3.1, our current behaviour is correct if called as a function,
        but incorrect when called as a constructor.

        * runtime/RegExpConstructor.cpp:
        (JSC::constructRegExp):
        (JSC::constructWithRegExpConstructor):
        * runtime/RegExpConstructor.h:

2011-06-28  Luke Macpherson   <macpherson@chromium.org>

        Reviewed by Darin Adler.

        Clean up integer clamping functions in MathExtras.h and support arbitrary numeric types and limits.
        https://bugs.webkit.org/show_bug.cgi?id=63469

        * wtf/MathExtras.h:
        (defaultMinimumForClamp):
        Version of std::numeric_limits::min() that returns the largest negative value for floating point types.
        (defaultMaximumForClamp):
        Symmetric alias for std::numeric_limits::max()
        (clampTo):
        New templated clamping function that supports arbitrary output types.
        (clampToInteger):
        Use new clampTo template.
        (clampToFloat):
        Use new clampTo template.
        (clampToPositiveInteger):
        Use new clampTo template.

2011-06-28  Adam Roben  <aroben@apple.com>

        Windows Debug build fix after r89885

        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def: Exported
        JSGlobalData::releaseExecutableMemory for jsc.exe's benefit.

2011-06-28  Shinya Kawanaka  <shinyak@google.com>

        Reviewed by Kent Tamura.

        Add const to show() method in WTFString and AtomicString.
        https://bugs.webkit.org/show_bug.cgi?id=63515

        The lack of const in show() method is painful when
        doing something like printf-debug.

        * wtf/text/AtomicString.cpp:
        (WTF::AtomicString::show):
        * wtf/text/AtomicString.h:
        * wtf/text/WTFString.cpp:
        (String::show):
        * wtf/text/WTFString.h:

2011-06-27  Ryosuke Niwa  <rniwa@webkit.org>

        Build fix attempt after r89885.

        * JavaScriptCore.exp:
        * jsc.cpp:

2011-06-27  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        Support throwing away non-running code even while other code is running
        https://bugs.webkit.org/show_bug.cgi?id=63485

        Add a function to CodeBlock to support unlinking direct linked callsites,
        and then with that in place add logic to discard code from any function
        that is not currently on the stack.

        The unlinking completely reverts any optimized call sites, such that they
        may be relinked again in future.

        * JavaScriptCore.exp:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::clearEvalCache):
        * bytecode/CodeBlock.h:
        (JSC::CallLinkInfo::CallLinkInfo):
        (JSC::CallLinkInfo::unlink):
        * bytecode/EvalCodeCache.h:
        (JSC::EvalCodeCache::clear):
        * heap/Heap.cpp:
        (JSC::Heap::getConservativeRegisterRoots):
        * heap/Heap.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        * jit/JITWriteBarrier.h:
        (JSC::JITWriteBarrierBase::clear):
        * jsc.cpp:
        (GlobalObject::GlobalObject):
        (functionReleaseExecutableMemory):
        * runtime/Executable.cpp:
        (JSC::EvalExecutable::unlinkCalls):
        (JSC::ProgramExecutable::unlinkCalls):
        (JSC::FunctionExecutable::discardCode):
        (JSC::FunctionExecutable::unlinkCalls):
        * runtime/Executable.h:
        * runtime/JSGlobalData.cpp:
        (JSC::SafeRecompiler::returnValue):
        (JSC::SafeRecompiler::operator()):
        (JSC::JSGlobalData::releaseExecutableMemory):

2011-06-27  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Darin Adler & Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=50554
        RegExp.prototype.toString does not escape slashes

        The problem here is that we don't escape forwards slashes when converting
        a RegExp to a string. This means that RegExp("/").toString() is "///",
        which is not a valid RegExp literal. Also, we return an invalid literal
        for RegExp.prototype.toString() ("//", which is an empty single-line comment).

        From ES5:
        "NOTE: The returned String has the form of a RegularExpressionLiteral that
        evaluates to another RegExp object with the same behaviour as this object."

        * runtime/RegExpObject.cpp:
        (JSC::regExpObjectSource):
            - Escape forward slashes when getting the source of a RegExp.
        * runtime/RegExpPrototype.cpp:
        (JSC::regExpProtoFuncToString):
            - Remove unnecessary and erroneous hack to return "//" as the string
            representation of RegExp.prototype. This is not a valid RegExp literal
            (it is an empty single-line comment).

2011-06-27  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=63497
        Add DEBUG_WITH_BREAKPOINT support to the DFG JIT.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-27  Juan C. Montemayor  <jmont@apple.com>

        Reviewed by Mark Rowe.

        Indirectly including TextPosition.h and XPathGrammar.h causes compile errors
        https://bugs.webkit.org/show_bug.cgi?id=63392
        
        When both TextPosition.h and XPathGrammar.h are included a compile-error
        is caused, since XPathGrammar.h defines a macro called NUMBER and 
        TextPosition has a typedef named NUMBER.

        * wtf/text/TextPosition.h:
        (WTF::TextPosition::TextPosition):
        (WTF::TextPosition::minimumPosition):
        (WTF::TextPosition::belowRangePosition):

2011-06-27  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG JIT does not perform put_by_id caching.
        https://bugs.webkit.org/show_bug.cgi?id=63409

        * bytecode/StructureStubInfo.h:
        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedPutById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addPropertyAccess):
        (JSC::DFG::JITCompiler::PropertyAccessRecord::PropertyAccessRecord):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGRepatch.cpp:
        (JSC::DFG::dfgRepatchByIdSelfAccess):
        (JSC::DFG::tryCacheGetByID):
        (JSC::DFG::appropriatePutByIdFunction):
        (JSC::DFG::tryCachePutByID):
        (JSC::DFG::dfgRepatchPutByID):
        * dfg/DFGRepatch.h:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-27  Gustavo Noronha Silva  <gns@gnome.org>

        Unreviewed build fix. One more filed missing during distcheck, for
        the MIPS build.

        * GNUmakefile.list.am:

2011-06-26  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT has potentially harmful speculations with respect to arithmetic operations.
        https://bugs.webkit.org/show_bug.cgi?id=63347

        * dfg/DFGNonSpeculativeJIT.cpp:
            - Changed arithmetic operations to speculate in favor of integers.
        (JSC::DFG::NonSpeculativeJIT::valueToNumber):
        (JSC::DFG::NonSpeculativeJIT::knownConstantArithOp):
        (JSC::DFG::NonSpeculativeJIT::basicArithOp):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGNonSpeculativeJIT.h:
        * dfg/DFGOperations.cpp:
            - Added slow-path routines for arithmetic that perform no speculation; the
              non-speculative JIT will generate calls to these in cases where its
              speculation fails.
        * dfg/DFGOperations.h:

2011-06-24  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Rob Buis.

        Integrate SVG Fonts within GlyphPage concept, removing the special SVG code paths from Font, making it possible to reuse the simple text code path for SVG Fonts
        https://bugs.webkit.org/show_bug.cgi?id=59085

        * wtf/Platform.h: Force Qt-EWS into a full rebuild, otherwhise this patch breaks the EWS.

2011-06-24  Michael Saboff  <msaboff@apple.com>

        Reviewed by Gavin Barraclough.

        Arm Assembler, Immediate stack offset values truncated to 8 bits for add & sub
        https://bugs.webkit.org/show_bug.cgi?id=63345

        The methods ARMThumbImmediate::getUInt9 and ARMThumbImmediate::getUInt10
        return 9 and 10 bit quantities, therefore changed their return type from
        uint8_t to uint16_t.  Also casted the places where they are used as they
        are currently shifted and used as 7 or 8 bit values.

        These methods are currently used for literals for stack offsets, 
        including creating and destroying stack frames.  The prior truncation of
        the upper bits caused stack frames to be too small, thus allowing a
        JIT'ed function to access and overwrite stack space outside of the
        incorrectly sized stack frame.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMThumbImmediate::getUInt9):
        (JSC::ARMThumbImmediate::getUInt10):
        (JSC::ARMv7Assembler::add):
        (JSC::ARMv7Assembler::ldr):
        (JSC::ARMv7Assembler::str):
        (JSC::ARMv7Assembler::sub):
        (JSC::ARMv7Assembler::sub_S):

2011-06-24  Michael Saboff  <msaboff@apple.com>

        Reviewed by Geoffrey Garen.

        releaseFastMallocFreeMemory doesn't adjust free counts for scavenger
        https://bugs.webkit.org/show_bug.cgi?id=63015

        Added code to adjust class TCMalloc_PageHeap variables free_committed_pages_ and
        min_free_committed_pages_since_last_scavenge_ in ReleaseFreeList().  These 
        adjustments are a bug.  These need to reflect the pages that are released
        in ReleaseFreeLsit so that scavenge doesn't try to free that many pages as well.
        Made ReleaseFreeList a member of TCMalloc_PageHeap in the process.  Updated
        Check() and helper method CheckList() to check the number of actual free pages
        with free_committed_pages_.

        The symptom of the problem of the existing code is that the scavenger may
        run unneccesarily without any real work to do, i.e. pages on the free lists.
        The scanvenger would also end up freeing too many pages, that is going below 
        the current 528 target free pages.

        Note that the style of the changes was kept consistent with the
        existing style.

        * wtf/FastMalloc.cpp:
        (WTF::TCMalloc_PageHeap::Check):
        (WTF::TCMalloc_PageHeap::CheckList):
        (WTF::TCMalloc_PageHeap::ReleaseFreeList):

2011-06-24  Abhishek Arya  <inferno@chromium.org>

        Reviewed by Darin Adler.

        Match other clampTo* functions in style with clampToInteger(float)
        function.
        https://bugs.webkit.org/show_bug.cgi?id=53449

        * wtf/MathExtras.h:
        (clampToInteger):
        (clampToFloat):
        (clampToPositiveInteger):

2011-06-24  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r89594.
        http://trac.webkit.org/changeset/89594
        https://bugs.webkit.org/show_bug.cgi?id=63316

        It broke 5 tests on the Qt bot (Requested by Ossy_DC on
        #webkit).

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * icu/unicode/uscript.h: Removed.
        * wtf/unicode/ScriptCodesFromICU.h: Removed.
        * wtf/unicode/brew/UnicodeBrew.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/icu/UnicodeIcu.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:

2011-06-23  Filip Pizlo  <fpizlo@apple.com>

        Reviewed by Gavin Barraclough.

        DFG non-speculative JIT should have obvious optimizations for GetById and GetByVal
        https://bugs.webkit.org/show_bug.cgi?id=63173

        * dfg/DFGJITCodeGenerator.cpp:
        (JSC::DFG::JITCodeGenerator::cachedGetById):
        * dfg/DFGJITCodeGenerator.h:
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-23  Oliver Hunt  <oliver@apple.com>

        Fix Qt again.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readPointer):

2011-06-23  Oliver Hunt  <oliver@apple.com>

        Fix Qt Build

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readPointer):

2011-06-23  Stephanie Lewis  <slewis@apple.com>

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=63298
        Replace Malloc with FastMalloc to match the rest of wtf.

        * wtf/BlockStack.h:
        (WTF::::~BlockStack):
        (WTF::::grow):
        (WTF::::shrink):

2011-06-23  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        Add the ability to dynamically modify linked call sites
        https://bugs.webkit.org/show_bug.cgi?id=63291

        Add JITWriteBarrier as a writebarrier class that allows
        reading and writing directly into the code stream.

        This required adding logic to all the assemblers to allow
        us to read values back out of the instruction stream.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::readPointer):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::readPointer):
        (JSC::ARMv7Assembler::readInt32):
        (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmFirst):
        (JSC::ARMv7Assembler::decodeTwoWordOp5i6Imm4Reg4EncodedImmSecond):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::readPointer):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::readInt32):
        (JSC::MIPSAssembler::readPointer):
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr::operator!):
        * assembler/SH4Assembler.h:
        (JSC::SH4Assembler::readPCrelativeAddress):
        (JSC::SH4Assembler::readPointer):
        (JSC::SH4Assembler::readInt32):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::readPointer):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitAggregate):
        * bytecode/CodeBlock.h:
        (JSC::MethodCallLinkInfo::seenOnce):
        (JSC::MethodCallLinkInfo::setSeen):
        * heap/MarkStack.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        (JSC::JIT::linkCall):
        (JSC::JIT::linkConstruct):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::patchMethodCallProto):
        * jit/JITPropertyAccess32_64.cpp:
        * jit/JITWriteBarrier.h: Added.
        (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*):
        (JSC::JITWriteBarrierBase::operator!):
        (JSC::JITWriteBarrierBase::setFlagOnBarrier):
        (JSC::JITWriteBarrierBase::isFlagged):
        (JSC::JITWriteBarrierBase::setLocation):
        (JSC::JITWriteBarrierBase::location):
        (JSC::JITWriteBarrierBase::JITWriteBarrierBase):
        (JSC::JITWriteBarrierBase::set):
        (JSC::JITWriteBarrierBase::get):
        (JSC::JITWriteBarrier::JITWriteBarrier):
        (JSC::JITWriteBarrier::set):
        (JSC::JITWriteBarrier::get):
        (JSC::MarkStack::append):

2011-06-23  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=61585
        Crash running regexp /(?:(?=g))|(?:m).{2147483648,}/

        This is due to use of int instead of unsigned, bad math around
        the 2^31 boundary.

        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::emitDisjunction):
            - Change some uses of int to unsigned, refactor compare logic to
              restrict to the range 0..2^32-1 (rather than -2^32-1..2^32-1).
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
            - Ditto.

2011-06-22  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=63218
        DFG JIT - remove machine type guarantees from graph

        The DFG JIT currently makes assumptions about the types of machine registers
        that certain nodes will be loaded into. This will be broken as we generate
        nodes to produce both integer and double code paths. Remove int<->double
        conversions nodes. This design decision also gave rise to multiple types of
        constant nodes, requiring separate handling for each type. Merge these back
        into JSConstant.

        * dfg/DFGAliasTracker.h:
        (JSC::DFG::AliasTracker::equalIgnoringLaterNumericConversion):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getToInt32):
        (JSC::DFG::ByteCodeParser::getToNumber):
        (JSC::DFG::ByteCodeParser::toInt32):
        (JSC::DFG::ByteCodeParser::toNumber):
        (JSC::DFG::ByteCodeParser::isInt32Constant):
        (JSC::DFG::ByteCodeParser::isDoubleConstant):
        (JSC::DFG::ByteCodeParser::valueOfInt32Constant):
        (JSC::DFG::ByteCodeParser::valueOfDoubleConstant):
        (JSC::DFG::ByteCodeParser::one):
        (JSC::DFG::ByteCodeParser::predictInt32):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGJITCodeGenerator.h:
        (JSC::DFG::JITCodeGenerator::silentFillGPR):
        (JSC::DFG::JITCodeGenerator::silentFillFPR):
        (JSC::DFG::JITCodeGenerator::isJSConstant):
        (JSC::DFG::JITCodeGenerator::isDoubleConstant):
        (JSC::DFG::JITCodeGenerator::valueOfJSConstantAsImmPtr):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::fillNumericToDouble):
        (JSC::DFG::JITCompiler::fillInt32ToInteger):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::isJSConstant):
        (JSC::DFG::JITCompiler::isInt32Constant):
        (JSC::DFG::JITCompiler::isDoubleConstant):
        (JSC::DFG::JITCompiler::valueOfJSConstant):
        (JSC::DFG::JITCompiler::valueOfInt32Constant):
        (JSC::DFG::JITCompiler::valueOfDoubleConstant):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::Node):
        (JSC::DFG::Node::isConstant):
        (JSC::DFG::Node::notTakenBytecodeOffset):
        * dfg/DFGNonSpeculativeJIT.cpp:
        (JSC::DFG::NonSpeculativeJIT::isKnownInteger):
        (JSC::DFG::NonSpeculativeJIT::isKnownNumeric):
        (JSC::DFG::NonSpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
        (JSC::DFG::SpeculativeJIT::compile):

2011-06-23  Jungshik Shin  <jshin@chromium.org>

        Reviewed by Alexey Proskuryakov.

        Add ScriptCodesFromICU.h to wtf/unicode and make necessary changes in
        build files for ports not using ICU.
        Add icu/unicode/uscript.h for ports using ICU. It's taken from 
        ICU 3.6 (the version used on Mac OS 10.5)

        http://bugs.webkit.org/show_bug.cgi?id=20797

        * GNUmakefile.list.am:
        * JavaScriptCore.gypi:
        * icu/unicode/uscript.h: Added for UScriptCode enum.
        * wtf/unicode/ScriptCodesFromICU.h: UScriptCode enum added.
        * wtf/unicode/icu/UnicodeIcu.h:
        * wtf/unicode/brew/UnicodeBrew.h:
        * wtf/unicode/glib/UnicodeGLib.h:
        * wtf/unicode/qt4/UnicodeQt4.h:
        * wtf/unicode/wince/UnicodeWinCE.h:

2011-06-23  Ryuan Choi  <ryuan.choi@samsung.com>

        Reviewed by Andreas Kling.

        [EFL][WK2] Add PLATFORM(EFL) to use UNIX_DOMAIN_SOCKETS.
        https://bugs.webkit.org/show_bug.cgi?id=63228

        * wtf/Platform.h: Add PLATFORM(EFL) guard.

2011-06-23  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r89547.
        http://trac.webkit.org/changeset/89547
        https://bugs.webkit.org/show_bug.cgi?id=63252

        "Chrmium crash on start" (Requested by yurys on #webkit).

        * wtf/DynamicAnnotations.cpp:
        (WTFAnnotateBenignRaceSized):
        (WTFAnnotateHappensBefore):
        (WTFAnnotateHappensAfter):
        * wtf/DynamicAnnotations.h:

2011-06-23  Timur Iskhodzhanov  <timurrrr@google.com>

        Reviewed by David Levin.

        Make dynamic annotations weak symbols and prevent identical code folding by the linker
        https://bugs.webkit.org/show_bug.cgi?id=62443

        * wtf/DynamicAnnotations.cpp:
        (WTFAnnotateBenignRaceSized):
        (WTFAnnotateHappensBefore):
        (WTFAnnotateHappensAfter):
        * wtf/DynamicAnnotations.h:

2011-06-22  Yael Aharon  <yael.aharon@nokia.com>

        Reviewed by Andreas Kling.

        [Qt] Add a build flag for building with libxml2 and libxslt.
        https://bugs.webkit.org/show_bug.cgi?id=63113

        * wtf/Platform.h:

2011-06-22  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r89489.
        http://trac.webkit.org/changeset/89489
        https://bugs.webkit.org/show_bug.cgi?id=63203

        Broke chromium mac build on build.webkit.org (Requested by
        abarth on #webkit).

        * wtf/Platform.h:

2011-06-22  Cary Clark  <caryclark@google.com>

        Reviewed by Darin Fisher.

        Use Skia if Skia on Mac Chrome is enabled
        https://bugs.webkit.org/show_bug.cgi?id=62999

        * wtf/Platform.h:
        Add switch to use Skia if, externally,
        Skia has been enabled by a gyp define.

2011-06-22  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        * interpreter/RegisterFile.h: Removed unnecessary #include <stdio.h>.

2011-06-22  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Removed the conceit that global variables are local variables when running global code
        https://bugs.webkit.org/show_bug.cgi?id=63106
        
        This is required for write barrier correctness.
        
        SunSpider reports about a 0.5% regression, mostly from bitops-bitwise-and.js.
        I was able to reduce the regression with a tiny peephole optimization in
        the bytecompiler, but not eliminate it. I'm committing this assuming
        that turning on generational GC will win back at least 0.5%.

        (FWIW, the DFG JIT can easily eliminate any regression by sharing loads of
        the global object's var storage. I considered doing the same kind of
        optimization in the existing JIT, but it seemed like moving in the wrong
        direction.)

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::addGlobalVar):
        (JSC::BytecodeGenerator::BytecodeGenerator): Don't give global variables
        negative indices, since they're no longer negatively offset from the
        current stack frame.
        
        Do give global variables monotonically increasing positive indices, since
        that's much easier to work with.
        
        Don't limit the number of optimizable global variables, since it's no
        longer limited by the register file, since they're no longer stored in
        the register file.

        (JSC::BytecodeGenerator::registerFor): Global code never has any local
        registers because a var in global code is actually a property of the
        global object.

        (JSC::BytecodeGenerator::constRegisterFor): Ditto.

        (JSC::BytecodeGenerator::emitResolve): Did a tiny bit of constant
        propagation and dead code elimination to speed up our compiles and
        reduce WTFs / minute.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::registerFor): Removed special handling of globals.

        (JSC::BytecodeGenerator::shouldOptimizeLocals): Don't optimize locals in
        global code, since there are none.

        (JSC::BytecodeGenerator::canOptimizeNonLocals): Do optimize non-locals
        in global code (i.e., global vars), since there are some.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::dumpRegisters):
        (JSC::Interpreter::execute):
        * interpreter/Interpreter.h: Updated for deleted / renamed code.

        * interpreter/RegisterFile.cpp:
        (JSC::RegisterFile::gatherConservativeRoots):
        (JSC::RegisterFile::releaseExcessCapacity): Updated for deleted / renamed
        data members.

        * interpreter/RegisterFile.h:
        (JSC::RegisterFile::begin):
        (JSC::RegisterFile::size):
        (JSC::RegisterFile::RegisterFile):
        (JSC::RegisterFile::shrink): Removed all code and comments dealing with
        global variables stored in the register file.

        (JSC::RegisterFile::grow): Updated for same.
        
        Also, a slight correctness fix: Test the VM commit end, and not just the
        in-use end, when checking for stack overflow. In theory, it's invalid to
        commit past the end of your allocation, even if you never touch that
        memory. This makes the usable size of the stack slightly smaller. No test
        because we don't know of any case in practice where this crashes.

        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData): Updated for changes above.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::resizeRegisters):
        (JSC::JSGlobalObject::addStaticGlobals):
        * runtime/JSGlobalObject.h: Simplified globals to have monotonically 
        increasing indexes, always located in our external storage.

2011-06-21  MORITA Hajime  <morrita@google.com>

        Unreviewed, rolling out r89401 and r89403.
        http://trac.webkit.org/changeset/89401
        http://trac.webkit.org/changeset/89403
        https://bugs.webkit.org/show_bug.cgi?id=62970

        Breaks mac build and mistakenly enables the spellcheck API

        * Configurations/FeatureDefines.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-21  Kent Tamura  <tkent@chromium.org>

        [Mac] Sort Xcode project files.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-20  MORITA Hajime  <morrita@google.com>

        Reviewed by Kent Tamura.

        Spellcheck API should be build-able.
        https://bugs.webkit.org/show_bug.cgi?id=62970

        No new tests, changing only build related files
        
        * Configurations/FeatureDefines.xcconfig:

2011-06-21  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Moved 'const' off the global-variable-as-local-variable crack pipe
        https://bugs.webkit.org/show_bug.cgi?id=63105
        
        This is necessary for moving the rest of the code off of same.
        
        Many problems remain in our handling of const. I have fixed none of them.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::scopeChain): New accessor, needed to enable
        const to directly implement its unique scoping rules.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PrefixResolveNode::emitBytecode): Do specify that our resolve is
        for writing, so we don't overwrite const variables.

        (JSC::ConstDeclNode::emitCodeSingle): Don't assume that all declared const
        variables are available as local variables, since this won't be the case
        once global variables are not available as local variables. Instead, use
        put_scoped_var in the case where there is no local variable. Like a local
        variable, put_scoped_var succeeds even though const properties are
        read-only, since put_scoped_var skips read-only checks. (Yay?)

2011-06-21  Oliver Hunt  <oliver@apple.com>

        Reviewed by Alexey Proskuryakov.

        REGRESSION(r89257): It broke 2 jscore tests (Requested by Ossy_away on #webkit).
        https://bugs.webkit.org/show_bug.cgi?id=63052

        Release mode only failure, the stack overflow guards were getting there error
        handling inlined, so that they were essentially causing their own demise.

        * parser/JSParser.cpp:
        (JSC::JSParser::updateErrorMessage):
        (JSC::JSParser::updateErrorWithNameAndMessage):

2011-06-20  Kenneth Russell  <kbr@google.com>

        Unreviewed.

        Rolled out r89233 and r89235 because of crashes in http/tests/misc/acid3.html on Snow Leopard and other platforms
        https://bugs.webkit.org/show_bug.cgi?id=63022

        * wtf/Platform.h:

2011-06-18  Anders Carlsson  <andersca@apple.com>

        Reviewed by Darin Adler.

        Disallow assigning into PassOwnArrayPtr, PassOwnPtr and PassRefPtr
        https://bugs.webkit.org/show_bug.cgi?id=62940

        Remove clear() and all assignment operators except one which now has a COMPILE_ASSERT.

        * wtf/PassOwnArrayPtr.h:
        (WTF::PassOwnArrayPtr::operator=):
        * wtf/PassOwnPtr.h:
        (WTF::PassOwnPtr::operator=):
        * wtf/PassRefPtr.h:
        (WTF::PassRefPtr::operator=):
        (WTF::NonNullPassRefPtr::operator=):

2011-06-20  Oliver Hunt  <oliver@apple.com>

        Reviewed by Darin Adler.

        REGRESSION (r79060): Searching for a flight at united.com fails
        https://bugs.webkit.org/show_bug.cgi?id=63003

        This original change also broke Twitter, and we attempted to refine the fix to 
        address that problem (http://trac.webkit.org/changeset/80542), but since it still breaks United,
        we need to revert the change until we understand the problem better.

        * wtf/DateMath.cpp:
        (WTF::parseDateFromNullTerminatedCharacters):

2011-06-20  Juan C. Montemayor  <jmont@apple.com>

        Reviewed by Oliver Hunt.

        No context for javascript parse errors.
        https://bugs.webkit.org/show_bug.cgi?id=62613
        
        Parse errors now show more details like:
        "Unexpected token: ]"
        or
        "Expected token: while"
        
        For reserved names, numbers, indentifiers, strings, lexer errors, 
        and EOFs, the following error messages are printed:
        
        "Use of reserved word: super"
        "Unexpected number: 42"
        "Unexpected identifier: "
        "Unexpected string: "foobar""
        "Invalid token character sequence: \u4023"
        "Unexpected EOF"

        * parser/JSParser.cpp:
        (JSC::JSParser::consume):
        (JSC::JSParser::getToken):
        (JSC::JSParser::getTokenName):
        (JSC::JSParser::updateErrorMessageSpecialCase):
        (JSC::JSParser::updateErrorMessage):
        (JSC::JSParser::updateErrorWithNameAndMessage):
        (JSC::jsParse):
        (JSC::JSParser::JSParser):
        (JSC::JSParser::parseProgram):
        (JSC::JSParser::parseVarDeclarationList):
        (JSC::JSParser::parseForStatement):
        (JSC::JSParser::parseBreakStatement):
        (JSC::JSParser::parseContinueStatement):
        (JSC::JSParser::parseWithStatement):
        (JSC::JSParser::parseTryStatement):
        (JSC::JSParser::parseStatement):
        (JSC::JSParser::parseFormalParameters):
        (JSC::JSParser::parseFunctionInfo):
        (JSC::JSParser::parseAssignmentExpression):
        (JSC::JSParser::parsePrimaryExpression):
        (JSC::JSParser::parseMemberExpression):
        (JSC::JSParser::parseUnaryExpression):
        * parser/JSParser.h:
        * parser/Lexer.cpp:
        (JSC::Lexer::lex):
        * parser/Parser.cpp:
        (JSC::Parser::parse):

2011-06-20  Nikolas Zimmermann  <nzimmermann@rim.com>

        Reviewed by Rob Buis.

        Integrate SVG Fonts within GlyphPage concept, removing the special SVG code paths from Font, making it possible to reuse the simple text code path for SVG Fonts
        https://bugs.webkit.org/show_bug.cgi?id=59085

        * wtf/Platform.h: Force Qt-EWS into a full rebuild, otherwhise this patch breaks the EWS.

2011-06-19  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        Correct logic for putting errors on the correct line when handling JSONP
        https://bugs.webkit.org/show_bug.cgi?id=62962

        Minor fix for the minor fix.  *sigh*

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-06-19  Oliver Hunt  <oliver@apple.com>

        Minor fix to correct layout test results.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::execute):

2011-06-17  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        JSONP is unnecessarily slow
        https://bugs.webkit.org/show_bug.cgi?id=62920

        JSONP has unfortunately become a fairly common idiom online, yet
        it triggers very poor performance in JSC as we end up doing codegen
        for a large number of property accesses that will
           * only be run once, so the vast amount of logic we dump to handle
             caching of accesses is unnecessary.
           * We are doing codegen that is directly proportional to just
             creating the object in the first place.

        This patch extends the use of the literal parser to JSONP-like structures
        in global code, handling a number of different forms I have seen online.
        In an extreme case this improves performance of JSONP by more than 2x
        due to removal of code generation and execution time, and a few optimisations
        that I made to the parser itself.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * parser/Lexer.cpp:
        (JSC::Lexer::isKeyword):
        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):
        (JSC::LiteralParser::makeIdentifier):
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::next):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):

2011-06-18  Sheriff Bot  <webkit.review.bot@gmail.com>

        Unreviewed, rolling out r89184.
        http://trac.webkit.org/changeset/89184
        https://bugs.webkit.org/show_bug.cgi?id=62927

        It broke 22 tests on all bot (Requested by Ossy_weekend on
        #webkit).

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * parser/Lexer.cpp:
        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::Lexer::lex):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):
        (JSC::LiteralParser::Lexer::next):

2011-06-17  Oliver Hunt  <oliver@apple.com>

        Reviewed by Gavin Barraclough.

        JSONP is unnecessarily slow
        https://bugs.webkit.org/show_bug.cgi?id=62920

        JSONP has unfortunately become a fairly common idiom online, yet
        it triggers very poor performance in JSC as we end up doing codegen
        for a large number of property accesses that will
           * only be run once, so the vast amount of logic we dump to handle
             caching of accesses is unnecessary.
           * We are doing codegen that is directly proportional to just
             creating the object in the first place.

        This patch extends the use of the literal parser to JSONP-like structures
        in global code, handling a number of different forms I have seen online.
        In an extreme case this improves performance of JSONP by more than 2x
        due to removal of code generation and execution time, and a few optimisations
        that I made to the parser itself.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::callEval):
        (JSC::Interpreter::execute):
        * parser/Lexer.cpp:
        (JSC::Lexer::isKeyword):
        * parser/Lexer.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncEval):
        * runtime/JSONObject.cpp:
        (JSC::JSONProtoFuncParse):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser::tryJSONPParse):
        (JSC::LiteralParser::makeIdentifier):
        (JSC::LiteralParser::Lexer::lex):
        (JSC::LiteralParser::Lexer::next):
        (JSC::isSafeStringCharacter):
        (JSC::LiteralParser::Lexer::lexString):
        (JSC::LiteralParser::Lexer::lexNumber):
        (JSC::LiteralParser::parse):
        * runtime/LiteralParser.h:
        (JSC::LiteralParser::LiteralParser):
        (JSC::LiteralParser::tryLiteralParse):
        (JSC::LiteralParser::Lexer::Lexer):

2011-06-17  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Moved some property access JIT code into property access JIT files
        https://bugs.webkit.org/show_bug.cgi?id=62906

        * jit/JITOpcodes.cpp:
        * jit/JITOpcodes32_64.cpp:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        (JSC::JIT::emit_op_put_global_var):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_scoped_var):
        (JSC::JIT::emit_op_put_scoped_var):
        (JSC::JIT::emit_op_get_global_var):
        (JSC::JIT::emit_op_put_global_var):

2011-06-17  Anders Carlsson  <andersca@apple.com>

        Build fix.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-17  Geoffrey Garen  <ggaren@apple.com>

        Try to fix the Leopard build?

        * JavaScriptCore.xcodeproj/project.pbxproj:

2011-06-16  Geoffrey Garen  <ggaren@apple.com>

        Reviewed by Oliver Hunt.

        Added some write barrier action, compiled out by default
        https://bugs.webkit.org/show_bug.cgi?id=62844

        * JavaScriptCore.exp: Build!

        * JavaScriptCore.xcodeproj/project.pbxproj: Fixed an incremental build
        issue with Heap.cpp.

        * heap/Heap.cpp:
        (JSC::Heap::writeBarrierSlowCase):
        * heap/Heap.h:
        (JSC::Heap::writeBarrier):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::isAtomAligned):
        (JSC::MarkedBlock::blockFor):
        (JSC::MarkedBlock::atomNumber):
        (JSC::MarkedBlock::ownerSetNumber):
        (JSC::MarkedBlock::addOldSpaceOwner):
        (JSC::MarkedBlock::OwnerSet::OwnerSet):
        (JSC::MarkedBlock::OwnerSet::add):
        (JSC::MarkedBlock::OwnerSet::clear):
        (JSC::MarkedBlock::OwnerSet::size):
        (JSC::MarkedBlock::OwnerSet::didOverflow):
        (JSC::MarkedBlock::OwnerSet::owners): Added a basic write barrier that
        tracks owners for regions within blocks. Currently unused.

2011-06-17  Raphael Kubo da Costa  <kubo@profusion.mobi>

        Reviewed by Eric Seidel.

        [EFL] Add some OwnPtr specializations for EFL types.
        For now there are specializations for Ecore_Evas and Evas_Object.
        https://bugs.webkit.org/show_bug.cgi?id=62877

        * wtf/CMakeListsEfl.txt:
        * wtf/OwnPtrCommon.h:
        * wtf/efl/OwnPtrEfl.cpp: Added.
        (WTF::deleteOwnedPtr):

2011-06-17  Joone Hur  <joone.hur@collabora.co.uk>

        Reviewed by Martin Robinson.

        [GTK] Replace GdkRectangle by cairo_rectangle_int_t
        https://bugs.webkit.org/show_bug.cgi?id=60687

        Replace GdkRectangle by cairo_rectangle_int_t.

        * wtf/gobject/GTypedefs.h: Replace GdkRectangle by cairo_rectangle_int_t.

2011-06-16  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=53014
        ES5 strict mode keyword restrictions aren't implemented

        The following are future restricted words is strict mode code:
            implements, interface, let, package, private, protected, public, static, yield

        * parser/JSParser.h:
            - Add RESERVED_IF_STRICT token.
        * parser/Keywords.table:
            - Add new future restricted words.
        * parser/Lexer.cpp:
        (JSC::Lexer::parseIdentifier):
            - Check for RESERVED_IF_STRICT; in nonstrict code this is converted to IDENT.
        (JSC::Lexer::lex):
            - Pass strictMode flag to parseIdentifier.
        * parser/Lexer.h:
            - parseIdentifier needs a strictMode flag.
        * runtime/CommonIdentifiers.h:
            - Add identifiers for new reserved words.

2011-06-16  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Oliver Hunt.

        https://bugs.webkit.org/show_bug.cgi?id=23611
        Multiline Javascript comments cause incorrect parsing of following script.

        From the spec:
        "A MultiLineComment [is] simply discarded if it contains no line terminator,
        but if a MultiLineComment contains one or more line terminators, then it is
        replaced with a single line terminator, which becomes part of the stream of
        inputs for the syntactic grammar." 

        This may result in behavioural changes, due to automatic semicolon insertion.

        * parser/Lexer.cpp:
        (JSC::Lexer::parseMultilineComment):
            - Set m_terminator is we see a line terminator in a multiline comment.

2011-06-16  Gavin Barraclough  <barraclough@apple.com>

        Reviewed by Sam Weinig.

        https://bugs.webkit.org/show_bug.cgi?id=62824
        DFG JIT - add support for branch-fusion of compareEq, JSValue comparisons in SpeculativeJIT

        CompareEq of non-integer values is the most common cause of speculation failure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
            - Support Equals.
        (JSC::DFG::SpeculativeJIT::compilePeepHoleEq):
            - new! - peephole optimized Eq of JSValues.
        (JSC::DFG::SpeculativeJIT::compile):
            - Add peephole optimization for CompareEq.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::