[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2014-03-28  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling r166248 back in.

        Turns out r166070 didn't cause a 2% performance loss in page load times

        Reverted changeset:

        Unreviewed, rolling out r166126.
        Rollout r166126 in prepartion to roll out prerequisite r166070

2014-03-27  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r166376.
        https://bugs.webkit.org/show_bug.cgi?id=130887

        This was a misguided optimization. (Requested by kling on
        #webkit).

        Reverted changeset:

        "Avoid fetching JSObject::structure() repeatedly in
        putDirectInternal."
        https://bugs.webkit.org/show_bug.cgi?id=130857
        http://trac.webkit.org/changeset/166376

2014-03-27  Oliver Hunt  <oliver@apple.com>

        Support spread operand in |new| expressions
        https://bugs.webkit.org/show_bug.cgi?id=130877

        Reviewed by Michael Saboff.

        Add support for the spread operator being applied in
        |new| expressions.  This required adding support for
        a new opcode, op_construct_varargs.  This is a relatively
        simple refactoring of the call_varargs implementation.

        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink):
        * bytecode/CallLinkInfo.h:
        (JSC::CallLinkInfo::callTypeFor):
        (JSC::CallLinkInfo::specializationKind):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitCallVarargs):
        (JSC::BytecodeGenerator::emitConstructVarargs):
        (JSC::BytecodeGenerator::emitConstruct):
        * bytecompiler/BytecodeGenerator.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::emitSlow_op_construct_varargs):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::emitSlow_op_construct_varargs):
        (JSC::JIT::emit_op_construct_varargs):
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseMemberExpression):

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Revert http://trac.webkit.org/changeset/166386 because it broke builds.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, skip this test for now.

        * tests/stress/recurse-infinitely-on-getter.js:

2014-03-27  Filip Pizlo  <fpizlo@apple.com>

        Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130867
        <rdar://problem/16432456> 

        Reviewed by Mark Hahnenberg.

        * Configurations/Base.xcconfig:
        * Configurations/LLVMForJSC.xcconfig:

2014-03-27  Andreas Kling  <akling@apple.com>

        Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
        <https://webkit.org/b/130857>

        Use the cached Structure* instead of re-fetching it over and over since
        that's a non-trivial operation these days.

        Reviewed by Mark Hahnenberg.

        * runtime/JSObject.h:
        (JSC::JSObject::putDirectInternal):

2014-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Check the remembered set bit faster
        https://bugs.webkit.org/show_bug.cgi?id=130860

        Reviewed by Oliver Hunt.

        Currently we look up the remembered set bit in the MarkedBlock in C++ code, but 
        that bit is also stored in the object. We should look it up there whenever possible.

        * heap/CopiedBlockInlines.h:
        (JSC::CopiedBlock::shouldReportLiveBytes):
        * heap/Heap.cpp:
        (JSC::Heap::addToRememberedSet):
        * heap/Heap.h:
        * heap/HeapInlines.h: Removed.
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::reportExtraMemoryUsage):

2014-03-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Provide SPI to disallow remote inspection of a JSContext
        https://bugs.webkit.org/show_bug.cgi?id=130853

        Reviewed by Timothy Hatcher.

        * API/JSContextPrivate.h: Added.
        * API/JSContext.mm:
        (-[JSContext _remoteInspectionEnabled]):
        (-[JSContext _setRemoteInspectionEnabled:]):
        ObjC SPI to enable/disable remote inspection.

        * API/JSContextRefPrivate.h:
        * API/JSContextRef.cpp:
        (JSGlobalContextGetRemoteInspectionEnabled):
        (JSGlobalContextSetRemoteInspectionEnabled):
        C SPI to enable/disable remote inspection.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add new private header, and export as a private header.

2014-03-27  Mark Hahnenberg  <mhahnenberg@apple.com>

        Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
        https://bugs.webkit.org/show_bug.cgi?id=130845

        Reviewed by Filip Pizlo.

        There was a hack added to make sure C Loop LLInt worked which included overriding the 
        global Options::useLLInt setting, which makes no sense to do here. We should put the 
        update of the global setting in Options::recomputeDependentOptions along with the other 
        execution engine flags.

        * runtime/Executable.cpp:
        (JSC::ScriptExecutable::prepareForExecutionImpl):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Enable LLVM stackmap liveOuts computation
        https://bugs.webkit.org/show_bug.cgi?id=130821

        Reviewed by Andy Estes and Sam Weinig.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Record::dump):
        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Parse stackmaps liveOuts
        https://bugs.webkit.org/show_bug.cgi?id=130801

        Reviewed by Geoffrey Garen.
        
        This just adds the code to parse them but doesn't do anything with them, yet.

        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::forStackmaps):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::forRegister):
        (JSC::FTL::Location::forIndirect):
        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Location::dump):
        (JSC::FTL::StackMaps::LiveOut::parse):
        (JSC::FTL::StackMaps::LiveOut::dump):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::Record::dump):
        * ftl/FTLStackMaps.h:

2014-03-26  Mark Lam  <mark.lam@apple.com>

        Build fix after r166307.

        Not reviewed.

        * runtime/JSCell.h:
        - The inline function isAPIValueWrapper() should not be exported.  This
          was causing a linkage error when building for 32-bit x86 on Mac.

2014-03-26  Filip Pizlo  <fpizlo@apple.com>

        Reasoning about DWARF register numbers should be moved out of FTL::Location
        https://bugs.webkit.org/show_bug.cgi?id=130792

        Reviewed by Oliver Hunt.
        
        Moving this code makes it possible for things other than FTL::Location to reason about
        DWARF register encoding. This refactoring also appears to reduce some code duplication
        and makes FTLLocation.cpp cleaner.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLDWARFRegister.cpp: Added.
        (JSC::FTL::DWARFRegister::reg):
        (JSC::FTL::DWARFRegister::dump):
        * ftl/FTLDWARFRegister.h: Added.
        (JSC::FTL::DWARFRegister::DWARFRegister):
        (JSC::FTL::DWARFRegister::dwarfRegNum):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::dump):
        (JSC::FTL::Location::isGPR):
        (JSC::FTL::Location::gpr):
        (JSC::FTL::Location::isFPR):
        (JSC::FTL::Location::fpr):
        * ftl/FTLLocation.h:
        (JSC::FTL::Location::hasDwarfReg):
        (JSC::FTL::Location::dwarfReg):

2014-03-26  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix.

        * runtime/JSCell.h: VS2013 confused about argument type.

2014-03-26  Zoltan Horvath  <zoltan@webkit.org>

        [CSS Shapes] Remove shape-inside support
        https://bugs.webkit.org/show_bug.cgi?id=130698

        Reviewed by David Hyatt.

        * Configurations/FeatureDefines.xcconfig:

2014-03-26  Dániel Bátyai  <dbatyai.u-szeged@partner.samsung.com>

        Rename hasFastArrayStorage to be more appropriate
        https://bugs.webkit.org/show_bug.cgi?id=130773

        Reviewed by Filip Pizlo.

        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::alreadyChecked):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNewArray):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
        (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::unshift):
        (JSC::Butterfly::shift):
        * runtime/IndexingHeaderInlines.h:
        (JSC::IndexingHeader::preCapacity):
        * runtime/IndexingType.h:
        (JSC::hasArrayStorage):
        (JSC::hasAnyArrayStorage):
        (JSC::hasFastArrayStorage): Deleted.
        * runtime/JSArray.cpp:
        (JSC::JSArray::sortVector):
        (JSC::JSArray::compactForSorting):
        * runtime/JSArray.h:
        (JSC::JSArray::create):
        (JSC::JSArray::tryCreateUninitialized):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        * runtime/StructureTransitionTable.h:
        (JSC::newIndexingType):

2014-03-26  Zan Dobersek  <zdobersek@igalia.com>

        Unreviewed. Removing the remaining Automake cruft.

        * GNUmakefile.list.am: Removed.

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
        https://bugs.webkit.org/show_bug.cgi?id=130764
        <rdar://problem/16304788>

        Reviewed by Sam Weinig.
        
        Being an arguments alias just means that your OSR exit recovery should attempt arguments
        creation. This is true of arguments locals. We had special cases that tried to make it not
        true of arguments locals. The only consequence of those special cases was to cause crashes
        in case of arguments that are also captured variables (i.e. we have SlowArguments). This
        change just removes those special cases.
        
        This change means that the FTL will now see SetLocals with a FlushedArguments format.
        Previously you wouldn't see them because previously only non-captured variable would be
        arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
        left. Adding handling for FlushedArguments is a benign and simple change since its
        behavior is identical to FlushedJSValue for that code's purposes.

        * dfg/DFGArgumentsSimplificationPhase.cpp:
        (JSC::DFG::ArgumentsSimplificationPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
        * tests/stress/captured-arguments-variable.js: Added.
        (foo):
        (noInline):

2014-03-25  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add HeapInlines
        https://bugs.webkit.org/show_bug.cgi?id=130759

        Reviewed by Filip Pizlo.

        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
        (JSC::MarkedBlockSnapshotFunctor::operator()):
        * heap/Heap.h: Also reindented while we're here.
        (JSC::Heap::writeBarrierBuffer):
        (JSC::Heap::vm):
        (JSC::Heap::objectSpace):
        (JSC::Heap::machineThreads):
        (JSC::Heap::operationInProgress):
        (JSC::Heap::allocatorForObjectWithoutDestructor):
        (JSC::Heap::allocatorForObjectWithNormalDestructor):
        (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
        (JSC::Heap::storageAllocator):
        (JSC::Heap::notifyIsSafeToCollect):
        (JSC::Heap::isSafeToCollect):
        (JSC::Heap::handleSet):
        (JSC::Heap::handleStack):
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        (JSC::Heap::jitStubRoutines):
        (JSC::Heap::isDeferred):
        (JSC::Heap::structureIDTable):
        (JSC::Heap::removeCodeBlock):
        * heap/HeapInlines.h: Added.
        (JSC::Heap::shouldCollect):
        (JSC::Heap::isBusy):
        (JSC::Heap::isCollecting):
        (JSC::Heap::heap):
        (JSC::Heap::isLive):
        (JSC::Heap::isInRememberedSet):
        (JSC::Heap::isMarked):
        (JSC::Heap::testAndSetMarked):
        (JSC::Heap::setMarked):
        (JSC::Heap::isWriteBarrierEnabled):
        (JSC::Heap::writeBarrier):
        (JSC::Heap::reportExtraMemoryCost):
        (JSC::Heap::forEachProtectedCell):
        (JSC::Heap::forEachCodeBlock):
        (JSC::Heap::allocateWithNormalDestructor):
        (JSC::Heap::allocateWithImmortalStructureDestructor):
        (JSC::Heap::allocateWithoutDestructor):
        (JSC::Heap::tryAllocateStorage):
        (JSC::Heap::tryReallocateStorage):
        (JSC::Heap::ascribeOwner):
        (JSC::Heap::blockAllocator):
        (JSC::Heap::releaseSoon):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::markListSet):
        * runtime/JSCInlines.h:

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
        https://bugs.webkit.org/show_bug.cgi?id=130760

        Reviewed by Mark Hahnenberg.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * tests/stress/assign-argument-in-inlined-call.js: Added.
        (f1):
        (getF2Arguments):
        (f2):
        (f3):
        * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
        (f1):
        (f2):
        (f3):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Fix 32-bit getter call alignment.

        Reviewed by Mark Hahnenberg.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-25  Filip Pizlo  <fpizlo@apple.com>

        Repatch should plant calls to getters directly rather than through a C helper
        https://bugs.webkit.org/show_bug.cgi?id=129589

        Reviewed by Mark Hahnenberg.
        
        As the title says. All of the superstructure for this was already in place, so now it
        was just a matter of actually emitting the call.
        
        8x speed-up for getter microbenchmarks. 

        * CMakeLists.txt:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicGetByIdList.h:
        (JSC::GetByIdAccess::doesCalls):
        * jit/AccessorCallJITStubRoutine.cpp: Added.
        (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
        (JSC::AccessorCallJITStubRoutine::visitWeak):
        * jit/AccessorCallJITStubRoutine.h: Added.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::storeCell):
        * jit/GCAwareJITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        * runtime/GetterSetter.h:
        (JSC::GetterSetter::offsetOfGetter):
        (JSC::GetterSetter::offsetOfSetter):

2014-03-25  Michael Saboff  <msaboff@apple.com>

        Unreviewed, rolling out r166126.

        Rollout r166126 in prepartion to roll out prerequisite r166070

        Reverted changeset:

        "toThis() on a JSWorkerGlobalScope should return a JSProxy and
        not undefined"
        https://bugs.webkit.org/show_bug.cgi?id=130554
        http://trac.webkit.org/changeset/166126

2014-03-25  Oliver Hunt  <oliver@apple.com>

        AST incorrectly conflates readable and writable locations
        https://bugs.webkit.org/show_bug.cgi?id=130734

        Reviewed by Filip Pizlo.

        We need to distinguish between "locations" that are valid for reading
        and writing, vs those that may only be written.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isAssignmentLocation):

2014-03-24  Oliver Hunt  <oliver@apple.com>

        ASSERTION FAILED in Parser: dst != localReg
        https://bugs.webkit.org/show_bug.cgi?id=130710

        Reviewed by Filip Pizlo.

        Just make sure we don't try to write to a captured constant,
        following the change to track captured variables separately.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::PostfixNode::emitResolve):
        (JSC::PrefixNode::emitResolve):

2014-03-25  Martin Robinson  <mrobinson@igalia.com>

        [GTK] Remove the autotools build
        https://bugs.webkit.org/show_bug.cgi?id=130717

        Reviewed by Anders Carlsson.

        * GNUmakefile.am: Removed.
        * config.h: Remove references to the autotools configure file.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        More scaffolding for a stub routine to have a stub recursively embedded inside it
        https://bugs.webkit.org/show_bug.cgi?id=130770

        Reviewed by Oliver Hunt.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
        (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
        * bytecode/CallLinkInfo.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
        (JSC::CodeBlock::unlinkCalls):
        (JSC::CodeBlock::unlinkIncomingCalls):
        * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h:
        * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::visitWeak):
        * bytecode/PolymorphicPutByIdList.h:
        * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
        (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
        * jit/GCAwareJITStubRoutine.cpp:
        (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
        (JSC::createJITStubRoutine):
        * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
        (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
        * jit/JITStubRoutine.cpp:
        (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
        * jit/JITStubRoutine.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
        (JSC::emitCustomSetterStub): Clean up some code.

2014-03-24  Geoffrey Garen  <ggaren@apple.com>

        Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
        when WebKit is compiled with fcatch-undefined-behavior
        https://bugs.webkit.org/show_bug.cgi?id=130652

        Reviewed by Mark Hahnenberg.

        Use a static member function because the butterfly we pass in might be
        NULL, and passing NULL to a member function is undefined behavior.

        Stylistically, I think this new way reads a little more clearly, since it
        matches createOrGrowArrayRight, and it helps to convey that m_butterfly
        might not exist yet.

        * runtime/Butterfly.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
        because we might create. Split out the create path to avoid using NULL
        in a member function expression.

        Removed some unused versions of this function.

        * runtime/JSObject.cpp:
        (JSC::JSObject::growOutOfLineStorage): Updated for interface change.

2014-03-24  Oliver Hunt  <oliver@apple.com>

        Strict mode destructuring assignment crashes the parser.
        https://bugs.webkit.org/show_bug.cgi?id=130538

        Reviewed by Michael Saboff.

        The SyntaxChecker mode always return 1 for success, except
        for a small subset of functions where we needed exact information.
        This ends up just being a poor design decision as it means
        the parser can get confused between a function return 1, and
        the Resolve constant which was also 1. So we now use a unique
        type for every creation method.

        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createSourceElements):
        (JSC::SyntaxChecker::createFunctionBody):
        (JSC::SyntaxChecker::createArguments):
        (JSC::SyntaxChecker::createSpreadExpression):
        (JSC::SyntaxChecker::createArgumentsList):
        (JSC::SyntaxChecker::createPropertyList):
        (JSC::SyntaxChecker::createElementList):
        (JSC::SyntaxChecker::createFormalParameterList):
        (JSC::SyntaxChecker::createClause):
        (JSC::SyntaxChecker::createClauseList):
        (JSC::SyntaxChecker::createFuncDeclStatement):
        (JSC::SyntaxChecker::createBlockStatement):
        (JSC::SyntaxChecker::createExprStatement):
        (JSC::SyntaxChecker::createIfStatement):
        (JSC::SyntaxChecker::createForLoop):
        (JSC::SyntaxChecker::createForInLoop):
        (JSC::SyntaxChecker::createForOfLoop):
        (JSC::SyntaxChecker::createEmptyStatement):
        (JSC::SyntaxChecker::createVarStatement):
        (JSC::SyntaxChecker::createReturnStatement):
        (JSC::SyntaxChecker::createBreakStatement):
        (JSC::SyntaxChecker::createContinueStatement):
        (JSC::SyntaxChecker::createTryStatement):
        (JSC::SyntaxChecker::createSwitchStatement):
        (JSC::SyntaxChecker::createWhileStatement):
        (JSC::SyntaxChecker::createWithStatement):
        (JSC::SyntaxChecker::createDoWhileStatement):
        (JSC::SyntaxChecker::createLabelStatement):
        (JSC::SyntaxChecker::createThrowStatement):
        (JSC::SyntaxChecker::createDebugger):
        (JSC::SyntaxChecker::createConstStatement):
        (JSC::SyntaxChecker::appendConstDecl):
        (JSC::SyntaxChecker::combineCommaNodes):
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-24  Brent Fulgham  <bfulgham@apple.com>

        Activate WebVTT Tests Once Merging is Complete
        https://bugs.webkit.org/show_bug.cgi?id=130420

        Reviewed by Eric Carlson.

        * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)

2014-03-24  Andreas Kling  <akling@apple.com>

        Stop pulling in all the macro assemblers from VM.h
        <https://webkit.org/b/130691>

        Remove #include of "GPRInfo.h". This breaks WebCore's dependency
        on macro assemblers headers and removes 8 includes from every
        .cpp file in the JS bindings.

        Reviewed by Geoff Garen.

        * runtime/VM.h:

2014-03-24  Gavin Barraclough  <barraclough@apple.com>

        Add support for thread QoS
        https://bugs.webkit.org/show_bug.cgi?id=130688

        Reviewed by Andreas Kling.

        * heap/BlockAllocator.cpp:
        (JSC::BlockAllocator::blockFreeingThreadStartFunc):
            - block freeing is a utility activity.

2014-03-24  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix CLOOP build.

        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::callLinkInfosEnd): Deleted.

2014-03-24  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
        https://bugs.webkit.org/show_bug.cgi?id=130453
        
        Reviewed by Filip Pizlo.

        Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
        at sxtw and uxtw instructions.

        * offlineasm/arm64.rb:

2014-03-23  Hyowon Kim  <hw1008.kim@samsung.com>

        Move all EFL typedefs into EflTypedefs.h.
        https://bugs.webkit.org/show_bug.cgi?id=130511

        Reviewed by Gyuyoung Kim

        * heap/HeapTimer.h: Remove EFL typedefs.

2014-03-23  Filip Pizlo  <fpizlo@apple.com>

        Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
        https://bugs.webkit.org/show_bug.cgi?id=130650
        <rdar://problem/16122966>

        Reviewed by Michael Saboff.
        
        Previously, it was only in the case of inlining that we would do SetLocal's beyond the
        previously established numLocals limit. But then we added generalized op_call_varargs
        handling, which results in us emitting SetLocals that didn't previously exist in the
        bytecode.
        
        This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::ensureLocals):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub): Make this do alignment correctly.
        * runtime/Options.h:
        * tests/stress/call-varargs-from-inlined-code.js: Added.
        * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, adjust sizes for ARM64.

        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having a Int32 register format if it's a non-Int32 constant
        https://bugs.webkit.org/show_bug.cgi?id=130649
        <rdar://problem/16399949>

        Reviewed by Andreas Kling.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
        * tests/stress/fuzz-bug-16399949.js: Added.
        (tryItOut.f):
        (tryItOut):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
        https://bugs.webkit.org/show_bug.cgi?id=130644

        Reviewed by Andreas Kling.
        
        This is conceptually a really simple change but it involves the following:
        
        - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.
        
        - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.
        
        - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
          longer has a vector of slow path counts that shadows the CallLinkInfo vector.
        
        - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
          and not all relinking.
        
        This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
        the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
        with a op_call/op_construct instruction and a machine code return PC within such an
        instruction.

        * bytecode/CallLinkInfo.h:
        (JSC::getCallLinkInfoCodeOrigin):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeDFGStatuses):
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printCallOp):
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getCallLinkInfoMap):
        (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
        (JSC::CodeBlock::addCallLinkInfo):
        (JSC::CodeBlock::unlinkCalls):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::stubInfoBegin):
        (JSC::CodeBlock::stubInfoEnd):
        (JSC::CodeBlock::callLinkInfosBegin):
        (JSC::CodeBlock::callLinkInfosEnd):
        (JSC::CodeBlock::byValInfo):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGJITCode.h:
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::link):
        * dfg/DFGJITCompiler.h:
        (JSC::DFG::JITCompiler::addJSCall):
        (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::emitCall):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::fixFunctionBasedOnStackMaps):
        * ftl/FTLInlineCacheSize.cpp:
        (JSC::FTL::sizeOfCall):
        * ftl/FTLJSCall.cpp:
        (JSC::FTL::JSCall::JSCall):
        (JSC::FTL::JSCall::emit):
        (JSC::FTL::JSCall::link):
        * ftl/FTLJSCall.h:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        (JSC::JIT::privateCompile):
        * jit/JIT.h:
        * jit/JITCall.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileOpCall):
        (JSC::JIT::compileOpCallSlowCase):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        (JSC::operationLinkFor):
        (JSC::operationVirtualFor):
        (JSC::operationLinkClosureCallFor):
        * jit/Repatch.cpp:
        (JSC::linkClosureCall):
        * jit/ThunkGenerators.cpp:
        (JSC::slowPathFor):
        (JSC::virtualForThunkGenerator):
        * tests/stress/eval-that-is-not-eval.js: Added.

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix mispelled test name.

        * tests/stress/constand-folding-osr-exit.js: Removed.
        * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.

2014-03-22  Andreas Kling  <akling@apple.com>

        CREATE_DOM_WRAPPER doesn't need the ExecState.
        <https://webkit.org/b/130648>

        Add a fast path from JSGlobalObject to the VM so we don't have
        to dance via the Heap.

        Reviewed by Darin Adler.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::vm):

2014-03-22  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix FTL build.

        * ftl/FTLJITFinalizer.cpp:

2014-03-22  Michael Saboff  <msaboff@apple.com>

        toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
        https://bugs.webkit.org/show_bug.cgi?id=130554

        Reviewed by Geoffrey Garen.

        Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
        Did some cleanup as well.  Moved the setting of the thisObject in a JSGlobalObject to
        happen in finishCreation() so that it will also happen for other derived classes including
        JSWorkerGlobalScopeBase.

        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup):
        * jsc.cpp:
        (GlobalObject::create):
        * API/tests/testapi.c:
        (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
        the result from JSContextGetGlobalObject() as that will return the proxy.       
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
        we now call setGlobalThis in finishCreation().
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::finishCreation):
        (JSC::JSGlobalObject::setGlobalThis): Made this a private method.

2014-03-22  Andreas Kling  <akling@apple.com>

        Fix debug build.

        * bytecode/CodeBlock.cpp:
        * runtime/Executable.cpp:

2014-03-22  Andreas Kling  <akling@apple.com>

        Cut down on JSC profiler includes in WebCore & co.
        <https://webkit.org/b/130637>

        Most of WebKit was pulling in JSC's profiler headers via VM.h.

        Reviewed by Darin Adler.

        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDisassembler.h:
        * dfg/DFGJITFinalizer.cpp:
        * jsc.cpp:
        * runtime/VM.cpp:
        * runtime/VM.h:

2014-03-22  Landry Breuil <landry@openbsd.org>

        Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
        https://bugs.webkit.org/show_bug.cgi?id=129965

        Reviewed By Anders Carlsson.

2014-03-21  Mark Lam  <mark.lam@apple.com>

        Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
        <https://webkit.org/b/124508>

        Reviewed by Oliver Hunt.

        The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
        pointer from the BytecodeGenerator's m_localScopes vector, and then it
        calls emitPopScopes().  emitPopScopes() may do finally clause handling
        which will require the m_localScopes to be cloned so that it can change
        the local scopes for the finally block, and then restore it after
        handling the finally clause.  These modifications of the m_localScopes
        vector will result in the LabelScope pointer in BreakNode::emitBytecode()
        becoming stale, thereby causing the crash.

        The same issue applies to the ContinueNode as well.

        The fix is to use the existing LabelScopePtr abstraction instead of raw
        LabelScope pointers.  The LabelScopePtr is resilient to the underlying
        vector re-allocating its backing store.

        I also changed the LabelScopePtr constructor that takes a LabelScopeStore
        to expect a reference to the owner store instead of a pointer because the
        owner store should never be a null pointer.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::newLabelScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/LabelScope.h:
        (JSC::LabelScopePtr::LabelScopePtr):
        (JSC::LabelScopePtr::operator bool):
        (JSC::LabelScopePtr::null):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

2014-03-21  Mark Hahnenberg  <mhahnenberg@apple.com>

        6% SunSpider commandline regression due to r165940
        https://bugs.webkit.org/show_bug.cgi?id=130617

        Reviewed by Michael Saboff.

        In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected 
        before. Some of the benchmarks are never running a single EdenCollection, which causes 
        them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer 
        slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of 
        magnitude more than we normally would.

        The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.

        * heap/Heap.cpp:
        (JSC::Heap::Heap):

2014-03-21  Filip Pizlo  <fpizlo@apple.com>

        Constants folded by DFG::ByteCodeParser should not be dead.
        https://bugs.webkit.org/show_bug.cgi?id=130576

        Reviewed by Mark Hahnenberg.
        
        This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
        reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
        or more folders in LLVM). Doing so has no performance impact since the other constant folders
        already subsume this one.
        
        Also added a test case for the specific bug that instigated this.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getJSConstantForValue):
        (JSC::DFG::ByteCodeParser::getJSConstant):
        (JSC::DFG::ByteCodeParser::inferredConstant):
        (JSC::DFG::ByteCodeParser::handleIntrinsic):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.h:
        * tests/stress/constand-folding-osr-exit.js: Added.
        (foo):
        (test):
        (.var):

2014-03-21  Mark Lam  <mark.lam@apple.com>

        StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
        <https://webkit.org/b/130566>

        Reviewed by Filip Pizlo.

        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
        https://bugs.webkit.org/show_bug.cgi?id=130562
        <rdar://problem/16382842>

        Reviewed by Geoffrey Garen.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
        * tests/stress/uint32array-unsigned-load.js: Added.
        (foo):

2014-03-20  Brian Burg  <bburg@apple.com>

        Web Inspector: add frontend controller and models for replay sessions
        https://bugs.webkit.org/show_bug.cgi?id=130145

        Reviewed by Joseph Pecoraro.

        * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
        https://bugs.webkit.org/show_bug.cgi?id=130546
        <rdar://problem/16383308>

        Reviewed by Mark Hahnenberg.
        
        Make AI do a better job of folding this.
        
        Also made the FTL backend be more tolerant of data representations. In this case it
        didn't know that "constant" was a valid representation. There is a finite set of
        possible representations, but broadly, we don't write code that presumes anything
        about the representation of an input; that's what methods like lowJSValue() are for.
        ValueToInt32 was previously not relying on those methods at all because it had some
        hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
        to lowJSValue().

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
        (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
        * tests/stress/value-to-int32-undefined-constant.js: Added.
        (foo):
        * tests/stress/value-to-int32-undefined.js: Added.
        (foo):

2014-03-20  Mark Hahnenberg  <mhahnenberg@apple.com>

        Add some assertions back
        https://bugs.webkit.org/show_bug.cgi?id=130531

        Reviewed by Geoffrey Garen.

        We removed a useful set of assertions for verifying that MarkedBlocks were 
        in the state that we expected them to be in after clearing marks in the Heap. 
        We should add these back to catch bugs earlier.

        * heap/MarkedBlock.h:
        * heap/MarkedSpace.cpp:
        (JSC::VerifyMarkedOrRetired::operator()):
        (JSC::MarkedSpace::clearMarks):

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Implement stackmap header version check and support new stackmap formats
        https://bugs.webkit.org/show_bug.cgi?id=130535
        <rdar://problem/16164284>

        Reviewed by Geoffrey Garen.
        
        Add the notion of versioning so that LLVMers can happily implement new stackmap formats
        without worrying about WebKit getting version-locked to LLVM. In the future, we will have
        to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
        to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
        happy to move backward in time to older versions of LLVM.

        * ftl/FTLStackMaps.cpp:
        (JSC::FTL::readObject):
        (JSC::FTL::StackMaps::Constant::parse):
        (JSC::FTL::StackMaps::StackSize::parse):
        (JSC::FTL::StackMaps::Location::parse):
        (JSC::FTL::StackMaps::Record::parse):
        (JSC::FTL::StackMaps::parse):
        (JSC::FTL::StackMaps::dump):
        (JSC::FTL::StackMaps::dumpMultiline):
        * ftl/FTLStackMaps.h:

2014-03-20  Filip Pizlo  <fpizlo@apple.com>

        Crash beneath operationTearOffActivation running this JS compression demo
        https://bugs.webkit.org/show_bug.cgi?id=130295
        <rdar://problem/16332337>

        Reviewed by Oliver Hunt.
        
        Make sure that we flush things as if we were at a terminal, if we are at a block with
        no forward edges. This fixes infinitely loopy code with captured variables.

        Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.
        
        Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
        it by itself. Now it's an artifact of CPS rethreading.
        
        Add a bunch of tests. All of them previously either crashed or returned bad output due
        to memory corruption.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::isCaptured):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::flushForTerminal):
        (JSC::DFG::ByteCodeParser::flushForReturn):
        (JSC::DFG::ByteCodeParser::flushIfTerminal):
        (JSC::DFG::ByteCodeParser::branchData):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCFGSimplificationPhase.cpp:
        (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
        (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
        * dfg/DFGCSEPhase.cpp:
        (JSC::DFG::CSEPhase::performNodeCSE):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::clearFlagsOnAllNodes):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        * dfg/DFGNodeFlags.cpp:
        (JSC::DFG::dumpNodeFlags):
        * dfg/DFGNodeFlags.h:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * tests/stress/activation-test-loop.js: Added.
        (Inner.this.doStuff):
        (Inner):
        (foo.inner.isDone):
        (foo):
        * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):
        * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (fuzz):
        (foo.f):
        (foo):
        * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
        (bar):
        (foo.f):
        (foo):
        * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
        (bar):
        (foo):
        (noInline):

2014-03-20  Oliver Hunt  <oliver@apple.com>

        Incorrect behavior when mutating a typed array during set.
        https://bugs.webkit.org/show_bug.cgi?id=130428

        Reviewed by Geoffrey Garen.

        This fixes a null derefence that occurs if a typed array
        is mutated during the set() operation. The patch gets rid
        of the "Quickly" version of setIndex that is assigning
        JSValues of unknown type, as the numeric conversion can trigger
        side effects that lead to neutering, and so we deref null.

        * runtime/JSGenericTypedArrayView.h:
        (JSC::JSGenericTypedArrayView::setIndex):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::set):
        (JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Remove IdentifierTable typedef, isIdentifier()
        https://bugs.webkit.org/show_bug.cgi?id=130533

        Rubber stamped by Geoff Garen.

        Code should use AtomicStringTable, isAtomic() directly.

        * API/JSClassRef.cpp:
        (OpaqueJSClass::~OpaqueJSClass):
        (OpaqueJSClassContextData::OpaqueJSClassContextData):
        (OpaqueJSClass::className):
        * API/JSClassRef.h:
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromCell):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
        * heap/Heap.cpp:
        (JSC::Heap::collect):
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::addVar):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::createBindingPattern):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::evaluate):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
        * runtime/IdentifierInlines.h:
        (JSC::Identifier::add):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::dumpInContext):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::DropAllLocks::DropAllLocks):
        (JSC::JSLock::DropAllLocks::~DropAllLocks):
        * runtime/JSLock.h:
        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::find):
        (JSC::PropertyTable::get):
        (JSC::PropertyTable::findWithString):
        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        * runtime/PropertyNameArray.cpp:
        (JSC::PropertyNameArray::add):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):

2014-03-20  Gavin Barraclough  <barraclough@apple.com>

        Merge AtomicString, Identifier
        https://bugs.webkit.org/show_bug.cgi?id=128624

        Reviewed by Geoff Garen.

        WTF::StringImpl currently supports two uniquing mechanism - AtomicString and
        Identifer - that is one too many.

        Remove Identifier in favour of AtomicString. Identifier had two interesting
        mechanisms that we preserve.

        (1) JSC API VMs each get their own string table, switch the string table on
            API entry/exit.
        (2) JSC caches a pointer to the string table on the VM to avoid a thread
            specific access. Adds a new AtomicString::add method to support this.

        * API/JSAPIWrapperObject.mm:
            - updated includes.
        * JavaScriptCore.xcodeproj/project.pbxproj:
            - added IdentifierInlines.h.
        * inspector/JSInjectedScriptHostPrototype.cpp:
        * inspector/JSJavaScriptCallFramePrototype.cpp:
            - updated includes.
        * interpreter/CallFrame.h:
        (JSC::ExecState::atomicStringTable):
            - added, used via AtomicString::add to avoid thread-specific access.
        * runtime/ConsolePrototype.cpp:
            - updated includes.
        * runtime/Identifier.cpp:
        (JSC::Identifier::add):
        (JSC::Identifier::add8):
            - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/Identifier.h:
        (JSC::Identifier::Identifier):
            - added ASSERTS.
        (JSC::Identifier::add):
            - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
        * runtime/IdentifierInlines.h: Added.
        (JSC::Identifier::add):
            - moved from Identifier.h, use AtomicString::add.
        * runtime/JSCInlines.h:
            - added IdentifierInlines.h.
        * runtime/JSLock.h:
            - removed IdentifierTable.
        * runtime/PropertyNameArray.cpp:
            - updated includes.
        * runtime/SmallStrings.cpp:
        (JSC::SmallStringsStorage::SmallStringsStorage):
            - ensure all single character strings are Atomic.
        * runtime/VM.cpp:
        (JSC::VM::VM):
            - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
        * runtime/VM.h:
        (JSC::VM::atomicStringTable):
            - added, used via AtomicString::add to avoid thread-specific access.

2014-03-20  Gabor Rapcsanyi  <rgabor@webkit.org>

        [ARM64] Fix assembler build issues and add cacheFlush support for Linux
        https://bugs.webkit.org/show_bug.cgi?id=130502

        Reviewed by Michael Saboff.

        Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
        because on ARM64 uint64_t and uintptr_t is the same with GCC and Clang as well.
        Add cacheFlush support for Linux.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::linuxPageFlush):
        (JSC::ARM64Assembler::cacheFlush):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):

2014-03-19  Gavin Barraclough  <barraclough@apple.com>

        https://bugs.webkit.org/show_bug.cgi?id=130494
        EmptyUnique strings are Identifiers/Atomic

        Reviewed by Geoff Garen.

        EmptyUnique strings should set the Identifier/Atomic flag.

        This fixes an unreproducible bug we believe exists in Identifier handling.
        Expected behaviour is that while Identifiers may reference EmptyUniques
        (StringImpls allocated as UIDs for PrivateNames), these are not created
        through the main Identifier constructor, the Identifier flag is not set
        on PrivateNames, and we should never lookup EmptyUnique strings in the
        IdentifierTable.

        Unfortunately that was happening. Some tables used to implement property
        access in the JIT hold StringImpl*s, and turn these back into Identifiers
        using the identfiier constructor. Since the code generator will now plant
        by-id (cachable) accesses to PrivateNames we can end up passing an
        EmptyUnique to Identifier::add, potentially leading to PrivateNames being
        uniqued together (though hard to prove, since the hash codes are random).

        * runtime/PropertyName.h:
        (JSC::PropertyName::PropertyName):
        (JSC::PropertyName::uid):
        (JSC::PropertyName::publicName):
        (JSC::PropertyName::asIndex):
            - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
        * runtime/Structure.cpp:
        (JSC::Structure::getPropertyNamesFromStructure):
            - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.

        * dfg/DFGCommon.h:

2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last 
        FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't 
        be detected by an EdenCollection).

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/EdenGCActivityCallback.cpp: Added.
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::lastGCLength):
        (JSC::EdenGCActivityCallback::deathRate):
        (JSC::EdenGCActivityCallback::gcTimeSlice):
        * heap/EdenGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/FullGCActivityCallback.cpp: Added.
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::FullGCActivityCallback::lastGCLength):
        (JSC::FullGCActivityCallback::deathRate):
        (JSC::FullGCActivityCallback::gcTimeSlice):
        * heap/FullGCActivityCallback.h: Added.
        (JSC::GCActivityCallback::createFullTimer):
        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::reportAbandonedObjectGraph):
        (JSC::Heap::didAbandon):
        (JSC::Heap::collectAllGarbage):
        (JSC::Heap::collect):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::didFinishCollection):
        (JSC::Heap::setFullActivityCallback):
        (JSC::Heap::setEdenActivityCallback):
        (JSC::Heap::fullActivityCallback):
        (JSC::Heap::edenActivityCallback):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::didAllocate):
        (JSC::Heap::shouldDoFullCollection):
        * heap/Heap.h:
        (JSC::Heap::lastFullGCLength):
        (JSC::Heap::lastEdenGCLength):
        (JSC::Heap::increaseLastFullGCLength):
        (JSC::Heap::sizeBeforeLastEdenCollection):
        (JSC::Heap::sizeAfterLastEdenCollection):
        (JSC::Heap::sizeBeforeLastFullCollection):
        (JSC::Heap::sizeAfterLastFullCollection):
        * heap/HeapOperation.h:
        * heap/HeapStatistics.cpp:
        (JSC::HeapStatistics::showObjectStatistics):
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):
        * jsc.cpp:
        (functionFullGC):
        (functionEdenGC):
        * runtime/Options.h:

2014-03-19  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165926.
        https://bugs.webkit.org/show_bug.cgi?id=130488

        broke the iOS build (Requested by estes on #webkit).

        Reverted changeset:

        "GC timer should intelligently choose between EdenCollections
        and FullCollections"
        https://bugs.webkit.org/show_bug.cgi?id=128261
        http://trac.webkit.org/changeset/165926

2014-03-13  Mark Hahnenberg  <mhahnenberg@apple.com>

        GC timer should intelligently choose between EdenCollections and FullCollections
        https://bugs.webkit.org/show_bug.cgi?id=128261

        Reviewed by Geoffrey Garen.

        Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer 
        always does FullCollections. To reduce the impact of the GC timer on the system this patch
        changes Heap so that it has two timers, one for each type of collection. The FullCollection
        timer is notified at the end of EdenCollections how much the Heap has grown since the last 
        FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be 
        detected by an EdenCollection).

        * heap/GCActivityCallback.cpp:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::doWork):
        (JSC::FullGCActivityCallback::FullGCActivityCallback):
        (JSC::FullGCActivityCallback::doCollection):
        (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
        (JSC::EdenGCActivityCallback::doCollection):
        (JSC::GCActivityCallback::scheduleTimer):
        (JSC::GCActivityCallback::cancelTimer):
        (JSC::GCActivityCallback::didAllocate):
        (JSC::GCActivityCallback::willCollect):
        (JSC::GCActivityCallback::cancel):
        * heap/GCActivityCallback.h:
        (JSC::GCActivityCallback::GCActivityCallback):
        (JSC::GCActivityCallback::createFullTimer):
        (JSC::GCActivityCallback::createEdenTimer):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::didAbandon):
        (JSC::Heap::willStartCollection):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::setFullActivityCallback):
        (JSC::Heap::setEdenActivityCallback):
        (JSC::Heap::fullActivityCallback):
        (JSC::Heap::edenActivityCallback):
        (JSC::Heap::setGarbageCollectionTimerEnabled):
        (JSC::Heap::didAllocate):
        * heap/Heap.h:
        * heap/HeapTimer.cpp:
        (JSC::HeapTimer::timerDidFire):

2014-03-19  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=130134

        Reviewed by Mark Hahnenberg.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
        (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
        * jit/JITInlineCacheGenerator.h:
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.

2014-03-19  Mark Hahnenberg  <mhahnenberg@apple.com>

        Normalize some of the older JSC options
        https://bugs.webkit.org/show_bug.cgi?id=128753

        Reviewed by Michael Saboff.

        * runtime/Options.cpp:
        (JSC::Options::initialize):

2014-03-12  Mark Lam  <mark.lam@apple.com>

        Update type of local vars to match the type of String length.
        <https://webkit.org/b/130077>

        Reviewed by Geoffrey Garen.

        * runtime/JSStringJoiner.cpp:
        (JSC::JSStringJoiner::join):

2014-03-18  Filip Pizlo  <fpizlo@apple.com>

        Get rid of Flush in SSA
        https://bugs.webkit.org/show_bug.cgi?id=130440

        Reviewed by Sam Weinig.
        
        This is basically a red patch. We used to use backwards flow for determining what was
        flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
        accomplish anything. Keeping them around in SSA can only make things hard.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::SSAData::SSAData):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
        * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):

2014-03-18  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix iOS production build.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2014-03-18  Michael Saboff  <msaboff@apple.com>

        Update RegExp Tracing code
        https://bugs.webkit.org/show_bug.cgi?id=130381

        Reviewed by Andreas Kling.

        Updated the regular expression tracing code for 8/16 bit JIT as
        well as match only entry points.  Also added average string length
        metric.

        * runtime/RegExp.cpp:
        (JSC::RegExp::RegExp):
        (JSC::RegExp::match):
        (JSC::RegExp::printTraceData):
        * runtime/RegExp.h:
        * runtime/VM.cpp:
        (JSC::VM::addRegExpToTrace):
        (JSC::VM::dumpRegExpTrace):
        * runtime/VM.h:
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
        (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
        (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
        (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):

2014-03-17  Filip Pizlo  <fpizlo@apple.com>

        Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
        https://bugs.webkit.org/show_bug.cgi?id=130300

        Reviewed by Mark Hahnenberg.
        
        We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
        This makes the DFG aware of this.
        
        Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
        the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
        
        This also gives the DFG some abstractions for checking something is a cell or is other.
        This made this patch easier to write and also simplified a bunch of other stuff.
        
        1% speed-up on Octane.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::JumpList::JumpList):
        * bytecode/SpeculatedType.h:
        (JSC::isNotStringVarSpeculation):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::childFor):
        (JSC::DFG::Node::shouldSpeculateNotStringVar):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
        (JSC::DFG::SpeculativeJIT::compileInstanceOf):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
        (JSC::DFG::SpeculativeJIT::compileStringEquality):
        (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
        (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
        (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
        (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
        (JSC::DFG::SpeculativeJIT::speculateNotCell):
        (JSC::DFG::SpeculativeJIT::speculateOther):
        (JSC::DFG::SpeculativeJIT::speculate):
        (JSC::DFG::SpeculativeJIT::emitSwitchChar):
        (JSC::DFG::SpeculativeJIT::emitSwitchString):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
        (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
        (JSC::DFG::SpeculativeJIT::booleanResult):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::emitCall):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::branchIsCell):
        (JSC::DFG::branchNotCell):
        (JSC::DFG::SpeculativeJIT::branchIsOther):
        (JSC::DFG::SpeculativeJIT::branchNotOther):
        (JSC::DFG::SpeculativeJIT::moveTrueTo):
        (JSC::DFG::SpeculativeJIT::moveFalseTo):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        (JSC::DFG::SpeculativeJIT::branchIsCell):
        (JSC::DFG::SpeculativeJIT::branchNotCell):
        (JSC::DFG::SpeculativeJIT::branchIsOther):
        (JSC::DFG::SpeculativeJIT::branchNotOther):
        (JSC::DFG::SpeculativeJIT::moveTrueTo):
        (JSC::DFG::SpeculativeJIT::moveFalseTo):
        (JSC::DFG::SpeculativeJIT::blessBoolean):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::lowString):
        (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateString):
        (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
        (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
        * runtime/JSCJSValue.h:
        * tests/stress/string-ident-to-not-string-var-equality.js: Added.
        (foo):
        (bar):
        (test):

2014-03-18  Joseph Pecoraro  <pecoraro@apple.com>

        Add Copyright to framework.sb
        https://bugs.webkit.org/show_bug.cgi?id=130413

        Reviewed by Timothy Hatcher.

        Other sb files got the copyright. Follow suit.

        * framework.sb:

2014-03-18  Matthew Mirman  <mmirman@apple.com>

        Removed extra parens from if statement in a preprocessor define.
        https://bugs.webkit.org/show_bug.cgi?id=130408

        Reviewed by Filip Pizlo.

        * parser/Parser.cpp:

2014-03-18  Filip Pizlo  <fpizlo@apple.com>

        More FTL enabling.

        Rubber stamped by Dan Bernstein and Mark Hahnenberg.

        * Configurations/FeatureDefines.xcconfig:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):

2014-03-17  Michael Saboff  <msaboff@apple.com>

        V8 regexp spends most of its time in operationGetById
        https://bugs.webkit.org/show_bug.cgi?id=130380

        Reviewed by Filip Pizlo.

        Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
        When V8 regexp is run from the command line, this nets a 2% performance improvement.
        When the test is run for a longer amount of time, there is much less benefit as the
        DFG will emit the appropriate code for String.length.  This does remove
        operationGetById as the hottest function whne run from the command line.

        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2014-03-17  Andreas Kling  <akling@apple.com>

        Add one-deep cache to opaque roots hashset.
        <https://webkit.org/b/130357>

        The vast majority of WebCore JS wrappers will have their Document*
        as the root(). This change adds a simple optimization where we cache
        the last lookup and avoid going to the hashset for repeated queries.

        Looks like 0.4% progression on DYEB on my MBP.

        Reviewed by Mark Hahnenberg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/OpaqueRootSet.h: Added.
        (JSC::OpaqueRootSet::OpaqueRootSet):
        (JSC::OpaqueRootSet::contains):
        (JSC::OpaqueRootSet::isEmpty):
        (JSC::OpaqueRootSet::clear):
        (JSC::OpaqueRootSet::add):
        (JSC::OpaqueRootSet::size):
        (JSC::OpaqueRootSet::begin):
        (JSC::OpaqueRootSet::end):
        * heap/SlotVisitor.h:

2014-03-17  Tibor Meszaros  <tmeszaros.u-szeged@partner.samsung.com>

        Implement Math.hypot
        https://bugs.webkit.org/show_bug.cgi?id=129486

        Reviewed by Darin Adler.

        * runtime/MathObject.cpp:
        (JSC::MathObject::finishCreation):
        (JSC::mathProtoFuncHypot):

2014-03-17  Zsolt Borbely  <borbezs@inf.u-szeged.hu>

        Fix the !ENABLE(PROMISES) build
        https://bugs.webkit.org/show_bug.cgi?id=130328

        Reviewed by Darin Adler.

        Add missing ENABLE(PROMISES) guards.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        * runtime/JSPromiseDeferred.cpp:
        * runtime/JSPromiseDeferred.h:
        * runtime/JSPromiseReaction.cpp:
        * runtime/JSPromiseReaction.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2014-03-16  Andreas Kling  <akling@apple.com>

        REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
        <https://webkit.org/b/130304>

        Reviewed by Anders Carlsson.

        Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
        that doesn't put a potentially unwanted string into the Identifier table.

        * API/OpaqueJSString.cpp:
        (OpaqueJSString::identifier):

2014-03-16  Brian Burg  <bburg@apple.com>

        Web Inspector: generated backend commands should reflect build system ENABLE settings
        https://bugs.webkit.org/show_bug.cgi?id=130111

        Reviewed by Timothy Hatcher.

        * CMakeLists.txt:

        Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
        instead of globbing any .json file.

        * DerivedSources.make:

        Force the combined inspector protocol file to be regenerated if
        the content or list of domains itself changes.

2014-03-16  Brian Burg  <bburg@apple.com>

        Web Inspector: vended backend commands file should be generated as part of the build
        https://bugs.webkit.org/show_bug.cgi?id=130110

        Reviewed by Timothy Hatcher.

        * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
        private headers directory.

2014-03-16  Darin Adler  <darin@apple.com>

        Remove all uses of deprecatedCharacters from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=130304

        Reviewed by Anders Carlsson.

        * API/JSValueRef.cpp:
        (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
        * API/OpaqueJSString.cpp:
        (OpaqueJSString::~OpaqueJSString): Use characters 16 in the 16-bit code path.
        (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
        juse use the standard one that takes a String.
        (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
        hand-written alternative.

        * bindings/ScriptValue.cpp:
        (Deprecated::jsToInspectorValue): Create InspectorString from String directly
        instead of involving a character pointer. Use the String from Identifier
        directly instead of making a new String.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
        instead of building a String a character at a time. This is still a very slow
        way to do this. Also use strchr to search for a character instead of building
        a String every time just to use find on it.

        * inspector/InspectorValues.cpp:
        (Inspector::doubleQuoteString): Remove unnecessary trip through a
        character pointer. This is still a really slow way to do this.
        (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
        instead of String::deprecatedCharacters. Still slow to always upconvert.

        * runtime/DateConstructor.cpp: Removed unneeded include.
        * runtime/DatePrototype.cpp: Ditto.

        * runtime/Identifier.h: Removed deprecatedCharacters function.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::encode): Added a type cast to avoid ambiguity with the two character-
        appending functions from JSStringBuilder. Removed unneeded code duplicating
        what JSStringBuilder already does in its character append function.
        (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
        (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
        is used outside this file have external linkage. Added a new overload that takes
        a StringView.
        (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
        (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
        single character.

        * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.

        * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
        (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
        Made one overload private. Fixed a performance bug where we would reserve capacity
        in the 8-bit buffer but then append to the 16-bit buffer.

        * runtime/ObjectPrototype.cpp: Removed unneeded include.

        * runtime/StringPrototype.cpp:
        (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
        (JSC::stringProtoFuncLink): Ditto.

2014-03-15  Filip Pizlo  <fpizlo@apple.com>

        FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
        https://bugs.webkit.org/show_bug.cgi?id=130296

        Reviewed by Andreas Kling.
        
        During the 32-bit structure ID work, the second load of the structure was removed.
        That's wrong. The whole point of loading the structure ID again is that the structure
        ID would have been changed by the arrayification call, and we're verifying that the
        arrayification succeeded in changing the structure. If we check the old structure - as
        the code was doing after the 32-bit structure ID work - then this check is guaranteed
        to fail, causing a significant performance regression.
        
        It's actually amazing that the regression wasn't bigger. The reason is that if FTL
        code pathologically exits but the equivalent DFG code doesn't, then the exponential
        backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
        the time at least, the DFG wasn't much slower so this didn't cause too much pain.

        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):

2014-03-15  Filip Pizlo  <fpizlo@apple.com>

        FTL should support CheckHasInstance/InstanceOf
        https://bugs.webkit.org/show_bug.cgi?id=130285

        Reviewed by Sam Weinig.
        
        Fairly straightforward; I also discovered an inaccurate FIXME in the process.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
        (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::phi):
        * tests/stress/instanceof.js: Added.
        * tests/stress/instanceof-not-cell.js: Added.

2014-03-15  Michael Saboff  <msaboff@apple.com>

        It should be possible to adjust DFG and FTL compiler thread priorities
        https://bugs.webkit.org/show_bug.cgi?id=130288

        Reviewed by Filip Pizlo.

        Added ability to change thread priorities relative to its current priority.
        Created options to adjust the priority of the DFG and FTL compilation work thread
        pools.  For two core systems, there might be three runnable threads, the main thread,
        the DFG compilation thread and the FTL compilation thread.  With the same priority,
        the scheduler is free to schedule whatever thread it wants.  By lowering the
        compilation threads, the main thread can run.  Further tests may suggest better values
        for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.

        For a two-core device, this change has a net positive improvement of 1-3% across
        SunSpider, Octane, Kraken and AsmBench.

        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::finishCreation):
        (JSC::DFG::Worklist::create):
        (JSC::DFG::ensureGlobalDFGWorklist):
        (JSC::DFG::ensureGlobalFTLWorklist):
        * dfg/DFGWorklist.h:
        * runtime/Options.cpp:
        (JSC::computePriorityDeltaOfWorkerThreads):
        * runtime/Options.h:

2014-03-15  David Kilzer  <ddkilzer@apple.com>

        [iOS] Define SYSTEM_VERSION_PREFIX consistently
        <http://webkit.org/b/130293>
        <rdar://problem/15926359>

        Reviewed by Dan Bernstein.

        * Configurations/Version.xcconfig:
        (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
        Source/WebKit/mac/Version.xcconfig.

2014-03-15  David Kilzer  <ddkilzer@apple.com>

        Fix build: using integer absolute value function 'abs' when argument is of floating point type
        <http://webkit.org/b/130286>

        Reviewed by Filip Pizlo.

        Fixes the following build failure using trunk clang:

            JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
                    value = abs(value);
                            ^
            JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
                    value = abs(value);
                            ^~~
                            fabs

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
        fabs().

2014-03-14  Oliver Hunt  <oliver@apple.com>

        Reinstate intialiser syntax in for-in loops
        https://bugs.webkit.org/show_bug.cgi?id=130269

        Reviewed by Michael Saboff.

        Disallowing the initialiser broke some sites so this patch re-allows
        the syntax.  We still disallow the syntax in 'of' and pattern based
        enumeration.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::isBindingNode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseVarDeclarationList):
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):

2014-03-14  Mark Lam  <mark.lam@apple.com>

        Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
        <https://webkit.org/b/130279>

        Reviewed by Filip Pizlo.

        If neither the getter nor setter are defined, accessing __lookupGetter__
        and __lookupSetter__ will return undefined as expected.  However, if the
        getter is defined but the setter is not, accessing __lookupSetter__ will
        crash the VM.  Similarly, accessing __lookupGetter__ when only the setter
        is defined will crash the VM.

        The reason is because objectProtoFuncLookupGetter() and
        objectProtoFuncLookupSetter() did not check if the getter and setter
        value is non-null before returning it as an EncodedJSValue.  The fix is
        to add the appropriate null checks.

        * runtime/ObjectPrototype.cpp:
        (JSC::objectProtoFuncLookupGetter):
        (JSC::objectProtoFuncLookupSetter):

2014-03-14  Mark Rowe  <mrowe@apple.com>

        Fix the production build.

        Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
        be at the expected relative path when working from installed source.

        * Configurations/Base.xcconfig:

2014-03-14  Maciej Stachowiak  <mjs@apple.com>

        Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
        https://bugs.webkit.org/show_bug.cgi?id=130276
        <rdar://problem/16266927>

        Reviewed by Simon Fraser.

        * API/APICast.h:
        * API/JSBase.cpp:
        * API/JSBase.h:
        * API/JSBasePrivate.h:
        * API/JSCallbackConstructor.cpp:
        * API/JSCallbackConstructor.h:
        * API/JSCallbackFunction.cpp:
        * API/JSCallbackFunction.h:
        * API/JSCallbackObject.cpp:
        * API/JSCallbackObject.h:
        * API/JSCallbackObjectFunctions.h:
        * API/JSClassRef.cpp:
        * API/JSClassRef.h:
        * API/JSContextRef.cpp:
        * API/JSContextRef.h:
        * API/JSContextRefPrivate.h:
        * API/JSObjectRef.cpp:
        * API/JSObjectRef.h:
        * API/JSProfilerPrivate.cpp:
        * API/JSProfilerPrivate.h:
        * API/JSRetainPtr.h:
        * API/JSStringRef.cpp:
        * API/JSStringRef.h:
        * API/JSStringRefBSTR.cpp:
        * API/JSStringRefBSTR.h:
        * API/JSStringRefCF.cpp:
        * API/JSStringRefCF.h:
        * API/JSValueRef.cpp:
        * API/JSValueRef.h:
        * API/JavaScript.h:
        * API/JavaScriptCore.h:
        * API/OpaqueJSString.cpp:
        * API/OpaqueJSString.h:
        * API/tests/JSNode.c:
        * API/tests/JSNode.h:
        * API/tests/JSNodeList.c:
        * API/tests/JSNodeList.h:
        * API/tests/Node.c:
        * API/tests/Node.h:
        * API/tests/NodeList.c:
        * API/tests/NodeList.h:
        * API/tests/minidom.c:
        * API/tests/minidom.js:
        * API/tests/testapi.c:
        * API/tests/testapi.js:
        * DerivedSources.make:
        * bindings/ScriptValue.cpp:
        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:
        * bytecode/EvalCodeCache.h:
        * bytecode/Instruction.h:
        * bytecode/JumpTable.cpp:
        * bytecode/JumpTable.h:
        * bytecode/Opcode.cpp:
        * bytecode/Opcode.h:
        * bytecode/SamplingTool.cpp:
        * bytecode/SamplingTool.h:
        * bytecode/SpeculatedType.cpp:
        * bytecode/SpeculatedType.h:
        * bytecode/ValueProfile.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        * bytecompiler/LabelScope.h:
        * bytecompiler/RegisterID.h:
        * debugger/DebuggerCallFrame.cpp:
        * debugger/DebuggerCallFrame.h:
        * dfg/DFGDesiredStructureChains.cpp:
        * dfg/DFGDesiredStructureChains.h:
        * heap/GCActivityCallback.cpp:
        * heap/GCActivityCallback.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/IdentifiersFactory.cpp:
        * inspector/IdentifiersFactory.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/InjectedScriptManager.h:
        * inspector/InjectedScriptSource.js:
        * inspector/ScriptBreakpoint.h:
        * inspector/ScriptDebugListener.h:
        * inspector/ScriptDebugServer.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorAgent.cpp:
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * interpreter/JSStack.cpp:
        * interpreter/JSStack.h:
        * interpreter/Register.h:
        * jit/CompactJITCodeMap.h:
        * jit/JITStubs.cpp:
        * jit/JITStubs.h:
        * jit/JITStubsARM.h:
        * jit/JITStubsARMv7.h:
        * jit/JITStubsX86.h:
        * jit/JITStubsX86_64.h:
        * os-win32/stdbool.h:
        * parser/SourceCode.h:
        * parser/SourceProvider.h:
        * profiler/LegacyProfiler.cpp:
        * profiler/LegacyProfiler.h:
        * profiler/ProfileNode.cpp:
        * profiler/ProfileNode.h:
        * runtime/ArrayBufferView.cpp:
        * runtime/ArrayBufferView.h:
        * runtime/BatchedTransitionOptimizer.h:
        * runtime/CallData.h:
        * runtime/ConstructData.h:
        * runtime/DumpContext.cpp:
        * runtime/DumpContext.h:
        * runtime/ExceptionHelpers.cpp:
        * runtime/ExceptionHelpers.h:
        * runtime/InitializeThreading.cpp:
        * runtime/InitializeThreading.h:
        * runtime/IntegralTypedArrayBase.h:
        * runtime/IntendedStructureChain.cpp:
        * runtime/IntendedStructureChain.h:
        * runtime/JSActivation.cpp:
        * runtime/JSActivation.h:
        * runtime/JSExportMacros.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSNotAnObject.cpp:
        * runtime/JSNotAnObject.h:
        * runtime/JSPropertyNameIterator.cpp:
        * runtime/JSPropertyNameIterator.h:
        * runtime/JSSegmentedVariableObject.cpp:
        * runtime/JSSegmentedVariableObject.h:
        * runtime/JSSymbolTableObject.cpp:
        * runtime/JSSymbolTableObject.h:
        * runtime/JSTypeInfo.h:
        * runtime/JSVariableObject.cpp:
        * runtime/JSVariableObject.h:
        * runtime/PropertyTable.cpp:
        * runtime/PutPropertySlot.h:
        * runtime/SamplingCounter.cpp:
        * runtime/SamplingCounter.h:
        * runtime/Structure.cpp:
        * runtime/Structure.h:
        * runtime/StructureChain.cpp:
        * runtime/StructureChain.h:
        * runtime/StructureInlines.h:
        * runtime/StructureTransitionTable.h:
        * runtime/SymbolTable.cpp:
        * runtime/SymbolTable.h:
        * runtime/TypedArrayBase.h:
        * runtime/TypedArrayType.cpp:
        * runtime/TypedArrayType.h:
        * runtime/VM.cpp:
        * runtime/VM.h:
        * yarr/RegularExpression.cpp:
        * yarr/RegularExpression.h:

2014-03-14  Filip Pizlo  <fpizlo@apple.com>

        Final FTL iOS build magic
        https://bugs.webkit.org/show_bug.cgi?id=130281

        Reviewed by Michael Saboff.

        * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
        * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritzation right. Also we need protobuf because things. :-/

2014-03-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Gracefully handle nil name -[JSContext setName:]
        https://bugs.webkit.org/show_bug.cgi?id=130262

        Reviewed by Mark Hahnenberg.

        * API/JSContext.mm:
        (-[JSContext setName:]):
        Gracefully handle nil input.

        * API/tests/testapi.c:
        (globalContextNameTest):
        * API/tests/testapi.mm:
        Test for nil / NULL names in the ObjC and C APIs.

2014-03-11  Oliver Hunt  <oliver@apple.com>

        Improve dom error messages
        https://bugs.webkit.org/show_bug.cgi?id=130103

        Reviewed by Andreas Kling.

        Add new helper function.

        * runtime/Error.h:
        (JSC::throwVMTypeError):

2014-03-14  László Langó  <llango.u-szeged@partner.samsung.com>

        Remove unused method declaration.
        https://bugs.webkit.org/show_bug.cgi?id=130238

        Reviewed by Filip Pizlo.

        The implementation of CallFrame::dumpCaller was removed in
        http://trac.webkit.org/changeset/153183, but the declaration of it was not.

        * interpreter/CallFrame.h:
        Remove CallFrame::dumpCaller() method declaration.

2014-03-12  Sergio Villar Senin  <svillar@igalia.com>

        Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
        https://bugs.webkit.org/show_bug.cgi?id=129612

        Reviewed by Darin Adler.

        For new code use static NeverDestroyed<T> instead.

        * API/JSAPIWrapperObject.mm:
        (jsAPIWrapperObjectHandleOwner):
        * API/JSManagedValue.mm:
        (managedValueHandleOwner):
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::objectGroupForBreakpointAction):
        * inspector/scripts/CodeGeneratorInspectorStrings.py:
        * interpreter/JSStack.cpp:
        (JSC::stackStatisticsMutex):
        * jit/ExecutableAllocator.cpp:
        (JSC::DemandExecutableAllocator::allocators):

2014-03-12  Gavin Barraclough  <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indicies into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.

2014-03-13  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, fix Mac no-FTL build.

        * llvm/library/LLVMExports.cpp:
        (initializeAndGetJSCLLVMAPI):

2014-03-13  Juergen Ributzka  <juergen@apple.com>

        Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
        https://bugs.webkit.org/show_bug.cgi?id=130224

        Reviewed by Filip Pizlo.

        This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
        the LLVM dylib. This allows the dylib to be safely used with other LLVM
        dylibs on the same system. It also reduces the dynamic linking overhead
        and also reduces the size by 6MB, because the linker can now dead strip
        many unused functions.

        * Configurations/LLVMForJSC.xcconfig:

2014-03-13  Andreas Kling  <akling@apple.com>

        VM::discardAllCode() should clear the RegExp cache.
        <https://webkit.org/b/130144>

        Reviewed by Michael Saboff.

        * runtime/VM.cpp:
        (JSC::VM::discardAllCode):

2014-03-13  Andreas Kling  <akling@apple.com>

        Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
        <https://webkit.org/b/129995>

        This code path is not taken anymore on DYEB, and I can't explain why
        it was showing up in my profiles. Backing it out per JoePeck's suggestion.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-13  Filip Pizlo  <fpizlo@apple.com>

        FTL should support IsBlah
        https://bugs.webkit.org/show_bug.cgi?id=130202

        Reviewed by Geoffrey Garen.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
        (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
        (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
        (JSC::FTL::LowerDFGToLLVM::compileIsString):
        (JSC::FTL::LowerDFGToLLVM::compileIsObject):
        (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
        (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
        (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
        (JSC::FTL::LowerDFGToLLVM::isNumber):
        (JSC::FTL::LowerDFGToLLVM::isNotNumber):
        (JSC::FTL::LowerDFGToLLVM::isBoolean):
        * ftl/FTLOSRExitCompiler.cpp:
        * tests/stress/is-undefined-exit-on-masquerader.js: Added.
        (bar):
        (foo):
        (test):
        * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
        (foo):
        (test):
        * tests/stress/is-undefined-masquerader.js: Added.
        (foo):
        (test):

2014-03-13  Mark Lam  <mark.lam@apple.com>

        JS benchmarks crash with a bus error on 32-bit x86.
        <https://webkit.org/b/130203>

        Reviewed by Geoffrey Garen.

        The issue is that generateGetByIdStub() can potentially use the same register
        for the JSValue base register and the target tag register.  After loading the
        tag value into the target tag register, the JSValue base address is lost.
        The code then proceeds to load the payload value using the base register, and
        this results in a crash.

        The fix is to check if the base register is the same as the target tag register.
        If so, we should make a copy the base register first before loading the tag
        value, and use the copy to load the payload value instead.

        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):

2014-03-12  Filip Pizlo  <fpizlo@apple.com>

        WebKit shouldn't crash on uniprocessor machines
        https://bugs.webkit.org/show_bug.cgi?id=130176

        Reviewed by Michael Saboff.
        
        Previously the math for computing the number of JIT compiler threads would come up with
        zero threads on uniprocessor machines, and then the Worklist code would assert.

        * runtime/Options.cpp:
        (JSC::computeNumberOfWorkerThreads):
        * runtime/Options.h:

2014-03-13  Radu Stavila  <stavila@adobe.com>

        Webkit not building on XCode 5.1 due to garbage collection no longer being supported
        https://bugs.webkit.org/show_bug.cgi?id=130087

        Reviewed by Mark Rowe.

        Disable garbage collection on macosx when not using internal SDK.

        * Configurations/Base.xcconfig:

2014-03-10  Darin Adler  <darin@apple.com>

        Avoid copy-prone idiom "for (auto item : collection)"
        https://bugs.webkit.org/show_bug.cgi?id=129990

        Reviewed by Geoffrey Garen.

        * heap/CodeBlockSet.h:
        (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
        * inspector/ScriptDebugServer.cpp:
        (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
        make explicit that we are iterating through pointers.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
        (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
        get rid of an unneeded local variable.

2014-03-13  Brian Burg  <bburg@apple.com>

        Web Inspector: Remove unused callId parameter from evaluateInWebInspector
        https://bugs.webkit.org/show_bug.cgi?id=129744

        Reviewed by Timothy Hatcher.

        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::enable):
        (Inspector::InspectorAgent::evaluateForTestInFrontend):
        * inspector/agents/InspectorAgent.h:
        * inspector/protocol/InspectorDomain.json:

2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
        https://bugs.webkit.org/show_bug.cgi?id=130069

        Reviewed by Geoffrey Garen.
        
        This was a great assertion, and it represents our strictest interpretation of the rules of
        our intermediate representation. However, fixing DCE to actually preserve the relevant
        property would be hard, and it wouldn't have an observable effect right now because nobody
        actually uses the propery of CPS that this assertion is checking for.
        
        In particular, we do always require, and rely on, the fact that non-captured variables
        have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
        block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
        PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
        broken in this regard. But, in the strictest sense, CPS also means that for captured
        variables, variablesAtTail also continues to point to the last relevant use of the
        variable. In particular, if there are multiple GetLocals, then it should point to the last
        one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
        variables, except to check the VariableAccessData; but in that case, we don't really need
        the *last* relevant use of the variable - any node that mentions the same variable will do
        just fine.
        
        So, this change loosens the assertion and adds a detailed FIXME describing what we would
        have to do if we wanted to preserve the more strict property.
        
        This also makes changes to various debug printing paths so that validation doesn't crash
        during graph dump. This also adds tests for the interesting cases of DCE failing to
        preserve CPS in the strictest sense. This also attempts to win the record for longest test
        name.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::hashAsStringIfPossible):
        (JSC::CodeBlock::dumpAssumingJITType):
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::InlineCallFrame::hashAsStringIfPossible):
        (JSC::InlineCallFrame::dumpBriefFunctionInformation):
        * bytecode/CodeOrigin.h:
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::run):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::cleanVariables):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
        * runtime/FunctionExecutableDump.cpp:
        (JSC::FunctionExecutableDump::dump):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
        (foo):
        * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
        (foo):

2014-03-12  Brian Burg  <bburg@apple.com>

        Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
        https://bugs.webkit.org/show_bug.cgi?id=129445

        Reviewed by Timothy Hatcher.

        There was a bug in the replay inputs code generator that would include
        headers for definitions of enum classes, even though they can be safely
        forward-declared.

        * replay/scripts/CodeGeneratorReplayInputs.py:
        (Generator.generate_includes): Only include for copy constructor if the
        type is a heavy scalar (i.e., String, URL), not a normal scalar
        (i.e., int, double, enum classes).

        (Generator.generate_type_forward_declarations): Forward-declare scalars
        that are enums or enum classes.

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
        https://bugs.webkit.org/show_bug.cgi?id=130118

        Reviewed by Timothy Hatcher.

        * Configurations/FeatureDefines.xcconfig:

2014-03-12  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Hang in Remote Inspection triggering breakpoint from console
        https://bugs.webkit.org/show_bug.cgi?id=130032

        Reviewed by Timothy Hatcher.

        * inspector/EventLoop.h:
        * inspector/EventLoop.cpp:
        (Inspector::EventLoop::remoteInspectorRunLoopMode):
        (Inspector::EventLoop::cycle):
        Expose the run loop mode name so it can be used if needed by others.

        * inspector/remote/RemoteInspectorDebuggableConnection.h:
        * inspector/remote/RemoteInspectorDebuggableConnection.mm:
        (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
        (Inspector::RemoteInspectorBlock::operator=):
        (Inspector::RemoteInspectorBlock::operator()):
        (Inspector::RemoteInspectorQueueTask):
        Instead of a dispatch_queue, have our own static Vector of debugger tasks.

        (Inspector::RemoteInspectorHandleRunSource):
        (Inspector::RemoteInspectorInitializeQueue):
        Initialize the static queue and run loop source. When the run loop source
        fires, it will exhaust the queue of debugger messages.

        (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
        (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
        When we get a debuggable connection add a run loop source for inspector commands.

        (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
        (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
        Enqueue blocks on our Vector instead of our dispatch_queue.

2014-03-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165482.
        https://bugs.webkit.org/show_bug.cgi?id=130157

        Broke the windows build; "error C2466: cannot allocate an
        array of constant size 0" (Requested by jernoble on #webkit).

        Reverted changeset:

        "Reduce memory use for static property maps"
        https://bugs.webkit.org/show_bug.cgi?id=129986
        http://trac.webkit.org/changeset/165482

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove HandleSet::m_nextToFinalize
        https://bugs.webkit.org/show_bug.cgi?id=130109

        Reviewed by Mark Lam.

        This is a remnant of when HandleSet contained things that needed to be finalized. 

        * heap/HandleSet.cpp:
        (JSC::HandleSet::HandleSet):
        (JSC::HandleSet::writeBarrier):
        * heap/HandleSet.h:
        (JSC::HandleSet::allocate):
        (JSC::HandleSet::deallocate):

2014-03-12  Mark Hahnenberg  <mhahnenberg@apple.com>

        Layout Test fast/workers/worker-gc.html is failing
        https://bugs.webkit.org/show_bug.cgi?id=130135

        Reviewed by Geoffrey Garen.

        When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's 
        main list of blocks, i.e. not in the retired list. When shutting down the VM this
        wasn't always the case which was causing ASSERTs to fire. We should rearrange things 
        so that allocators are notified with lastChanceToFinalize. This will give them 
        the chance to move their retired blocks back into the main list before removing them all.

        * heap/MarkedAllocator.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedAllocator::lastChanceToFinalize):
        * heap/MarkedAllocator.h:
        * heap/MarkedSpace.cpp:
        (JSC::LastChanceToFinalize::operator()):
        (JSC::MarkedSpace::lastChanceToFinalize):

2014-03-12  Gavin Barraclough  <barraclough@apple.com>

        Reduce memory use for static property maps
        https://bugs.webkit.org/show_bug.cgi?id=129986

        Reviewed by Andreas Kling.

        Static property tables are currently duplicated on first use from read-only memory into dirty memory
        in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
        (we use a custom hash table without a rehash) a lot of memory may be wasted.

        First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
        from string hashes to indicies into a densely packed array of values. Compute the index table at
        compile time as a part of the derived sources step, such that this may be read-only data.

        Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
        directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
        keys, which are Identifiers.

        * create_hash_table:
            - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
        * parser/Lexer.cpp:
        (JSC::Lexer<LChar>::parseIdentifier):
        (JSC::Lexer<UChar>::parseIdentifier):
        (JSC::Lexer<T>::parseIdentifierSlowCase):
            - HashEntry -> HashTableValue.
        * parser/Lexer.h:
        (JSC::Keywords::getKeyword):
            - HashEntry -> HashTableValue.
        * runtime/ClassInfo.h:
            - removed HashEntry.
        * runtime/JSObject.cpp:
        (JSC::getClassPropertyNames):
            - use HashTable::ConstIterator.
        (JSC::JSObject::put):
        (JSC::JSObject::deleteProperty):
        (JSC::JSObject::findPropertyHashEntry):
            - HashEntry -> HashTableValue.
        (JSC::JSObject::reifyStaticFunctionsForDelete):
            - changed HashTable::ConstIterator interface.
        * runtime/JSObject.h:
            - HashEntry -> HashTableValue.
        * runtime/Lookup.cpp:
        (JSC::HashTable::createTable):
            - table -> keys, keys array is now densely packed.
        (JSC::HashTable::deleteTable):
            - table -> keys.
        (JSC::setUpStaticFunctionSlot):
            - HashEntry -> HashTableValue.
        * runtime/Lookup.h:
        (JSC::HashTableValue::builtinGenerator):
        (JSC::HashTableValue::function):
        (JSC::HashTableValue::functionLength):
        (JSC::HashTableValue::propertyGetter):
        (JSC::HashTableValue::propertyPutter):
        (JSC::HashTableValue::lexerValue):
            - added accessor methods from HashEntry.
        (JSC::HashTable::copy):
            - fields changed.
        (JSC::HashTable::initializeIfNeeded):
            - table -> keys.
        (JSC::HashTable::entry):
            - HashEntry -> HashTableValue.
        (JSC::HashTable::ConstIterator::ConstIterator):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::ConstIterator::value):
        (JSC::HashTable::ConstIterator::key):
        (JSC::HashTable::ConstIterator::operator->):
            - accessors now get HashTableValue/StringImpl* separately.
        (JSC::HashTable::ConstIterator::operator++):
            - iterate packed value array, so no need to skipInvalidKeys().
        (JSC::HashTable::end):
            - end is now size of dense not sparse array.
        (JSC::getStaticPropertySlot):
        (JSC::getStaticFunctionSlot):
        (JSC::getStaticValueSlot):
        (JSC::putEntry):
        (JSC::lookupPut):
            - HashEntry -> HashTableValue.

2014-03-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to build WebKit with FTL on iOS
        https://bugs.webkit.org/show_bug.cgi?id=130116

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
        https://bugs.webkit.org/show_bug.cgi?id=129778

        Reviewed by Geoffrey Garen.
        
        Also deduplicate the GetById getter call caching. Also add some small tests for
        get stubs.
        
        This change reduces the amount of code involved in GetById access caching and it
        creates data structures that can serve as an elegant scaffold for introducing other
        kinds of caches or improving current caching styles. It will definitely make getter
        performance improvements easier to implement.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::printGetByIdCacheStatus):
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeForStubInfo):
        * bytecode/PolymorphicGetByIdList.cpp: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::~GetByIdAccess):
        (JSC::GetByIdAccess::fromStructureStubInfo):
        (JSC::GetByIdAccess::visitWeak):
        (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::from):
        (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
        (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
        (JSC::PolymorphicGetByIdList::addAccess):
        (JSC::PolymorphicGetByIdList::isFull):
        (JSC::PolymorphicGetByIdList::isAlmostFull):
        (JSC::PolymorphicGetByIdList::didSelfPatching):
        (JSC::PolymorphicGetByIdList::visitWeak):
        * bytecode/PolymorphicGetByIdList.h: Added.
        (JSC::GetByIdAccess::GetByIdAccess):
        (JSC::GetByIdAccess::isSet):
        (JSC::GetByIdAccess::operator!):
        (JSC::GetByIdAccess::type):
        (JSC::GetByIdAccess::structure):
        (JSC::GetByIdAccess::chain):
        (JSC::GetByIdAccess::chainCount):
        (JSC::GetByIdAccess::stubRoutine):
        (JSC::GetByIdAccess::doesCalls):
        (JSC::PolymorphicGetByIdList::isEmpty):
        (JSC::PolymorphicGetByIdList::size):
        (JSC::PolymorphicGetByIdList::at):
        (JSC::PolymorphicGetByIdList::operator[]):
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::deref):
        (JSC::StructureStubInfo::visitWeakReferences):
        * bytecode/StructureStubInfo.h:
        (JSC::isGetByIdAccess):
        (JSC::StructureStubInfo::initGetByIdList):
        * jit/Repatch.cpp:
        (JSC::generateGetByIdStub):
        (JSC::tryCacheGetByID):
        (JSC::patchJumpToGetByIdStub):
        (JSC::tryBuildGetByIDList):
        (JSC::tryBuildPutByIdList):
        * tests/stress/getter.js: Added.
        (foo):
        (.o):
        * tests/stress/polymorphic-prototype-accesses.js: Added.
        (Foo):
        (Bar):
        (foo):
        * tests/stress/prototype-getter.js: Added.
        (Foo):
        (foo):
        * tests/stress/simple-prototype-accesses.js: Added.
        (Foo):
        (foo):

2014-03-11  Mark Hahnenberg  <mhahnenberg@apple.com>

        MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
        https://bugs.webkit.org/show_bug.cgi?id=129920

        Reviewed by Geoffrey Garen.

        This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
        when the amount of free space in a MarkedBlock drops below a certain threshold.
        Retired blocks are not considered for sweeping.

        This is profitable because it reduces churn during sweeping. To build a free list, 
        we have to scan through each cell in a block. After a collection, all objects that 
        are live in the block will remain live until the next FullCollection, at which time
        we un-retire all previously retired blocks. Thus, a small number of objects in a block
        that die during each EdenCollection could cause us to do a disproportiante amount of 
        sweeping for how much free memory we get back.

        This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.

        * heap/Heap.h:
        (JSC::Heap::didRetireBlockWithFreeListSize):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateHelper):
        (JSC::MarkedAllocator::removeBlock):
        (JSC::MarkedAllocator::reset):
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::forEachBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::sweepHelper):
        (JSC::MarkedBlock::clearMarksWithCollectionType):
        (JSC::MarkedBlock::didRetireBlock):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::willRemoveBlock):
        (JSC::MarkedBlock::isLive):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::clearNewlyAllocated):
        (JSC::MarkedSpace::clearMarks):
        * runtime/Options.h:

2014-03-11  Andreas Kling  <akling@apple.com>

        Streamline PropertyTable for lookup-only access.
        <https://webkit.org/b/130060>

        The PropertyTable lookup algorithm was written to support both read
        and write access. This wasn't actually needed in most places.

        This change adds a PropertyTable::get() that just returns the value
        type (instead of an insertion iterator.) It also adds an early return
        for empty tables.

        Finally, up the minimum table capacity from 8 to 16. It was lowered
        to 8 in order to save memory, but that was before PropertyTables were
        GC allocated. Nowadays we don't have nearly as many tables, since all
        the unpinned transitions die off.

        Reviewed by Darin Adler.

        * runtime/PropertyMapHashTable.h:
        (JSC::PropertyTable::get):
        * runtime/Structure.cpp:
        (JSC::Structure::despecifyDictionaryFunction):
        (JSC::Structure::attributeChangeTransition):
        (JSC::Structure::get):
        (JSC::Structure::despecifyFunction):
        * runtime/StructureInlines.h:
        (JSC::Structure::get):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        REGRESSION(r165407): DoYouEvenBench crashes in DRT
        https://bugs.webkit.org/show_bug.cgi?id=130066

        Reviewed by Geoffrey Garen.

        The baseline JIT does a conditional store barrier for the put_by_id, but we need 
        an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.

        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_put_by_id):
        (JSC::JIT::emitWriteBarrier):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Resurrect bit-rotted JIT::probe() mechanism.
        <https://webkit.org/b/130067>

        Reviewed by Geoffrey Garen.

        * jit/JITStubs.cpp:
        - Added the needed #include <wtf/InlineASM.h>.

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.

        Rubber-stamped by Dan Bernstein.

        * Configurations/JavaScriptCore.xcconfig:

2014-03-10  Mark Lam  <mark.lam@apple.com>

        r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
        <https://webkit.org/b/130065>

        Reviewed by Michael Saboff.

        There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
        being able to return InvalidIndex.  Hence, the assertion is invalid.  Ditto for
        FPRInfo::toIndex().

        The fix is to remove the "result != InvalidIndex" assertions.

        * jit/FPRInfo.h:
        (JSC::FPRInfo::toIndex):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-10  Mark Lam  <mark.lam@apple.com>

        Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
        <https://webkit.org/b/129955>

        Reviewed by Geoffrey Garen.

        The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
        stack memory every time it was called.  This is now fixed.

        * jit/JITOperations.cpp:

2014-03-10  Joseph Pecoraro  <pecoraro@apple.com>

        Better JSContext API for named evaluations (other than //# sourceURL)
        https://bugs.webkit.org/show_bug.cgi?id=129911

        Reviewed by Geoffrey Garen.

        * API/JSBase.h:
        * API/JSContext.h:
        * API/JSContext.mm:
        (-[JSContext evaluateScript:]):
        (-[JSContext evaluateScript:withSourceURL:]):
        Add new evaluateScript:withSourceURL:.

        * API/tests/testapi.c:
        (main):
        * API/tests/testapi.mm:
        (testObjectiveCAPI):
        Add tests for sourceURL in evaluate APIs. It should
        affect the exception objects.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Repatch should save and restore all used registers - not just temp ones - when making a call
        https://bugs.webkit.org/show_bug.cgi?id=130041

        Reviewed by Geoffrey Garen and Mark Hahnenberg.
        
        The save/restore code was written back when the only client was the DFG, which only uses a
        subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
        other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
        lead to data corruption on ARM64. 

        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::calleeSaveRegisters):
        (JSC::RegisterSet::numberOfSetGPRs):
        (JSC::RegisterSet::numberOfSetFPRs):
        * jit/RegisterSet.h:
        * jit/Repatch.cpp:
        (JSC::storeToWriteBarrierBuffer):
        (JSC::emitPutTransitionStub):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::usedRegistersForCall):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        Remove ConditionalStore barrier
        https://bugs.webkit.org/show_bug.cgi?id=130040

        Reviewed by Geoffrey Garen.

        ConditionalStoreBarrier was created when barriers were much more expensive. Now that 
        they're cheap(er), we can get rid of them. This also allows us to get rid of the write 
        barrier logic in emitPutTransitionStub because we always will have executed a write barrier 
        on the base object in the case where we are allocating and storing a new Butterfly into it. 
        Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, 
        so we'd have to emit a write barrier in the transition case.

        This is performance neutral on the benchmarks we track.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::insertStoreBarrier):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isStoreBarrier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        * jit/Repatch.cpp:
        (JSC::emitPutTransitionStub):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        DFG and FTL should know that comparing anything to Misc is cheap and easy
        https://bugs.webkit.org/show_bug.cgi?id=130001

        Reviewed by Geoffrey Garen.
        
        - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
          comparison is just Untyped:.
        
        - This obviates the need for CompareStrictEqConstant, so remove it.
        
        - FTL had a thing called "Nully" which is really "Other". Rename it and add
          OtherUse.
        
        9% speed-up on box2d.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isBinaryUseKind):
        (JSC::DFG::Node::shouldSpeculateOther):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
        (JSC::DFG::SpeculativeJIT::compare):
        (JSC::DFG::SpeculativeJIT::compileStrictEq):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileNode):
        (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
        (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
        (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
        (JSC::FTL::LowerDFGToLLVM::isNotOther):
        (JSC::FTL::LowerDFGToLLVM::isOther):
        (JSC::FTL::LowerDFGToLLVM::speculate):
        (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
        (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
        (JSC::FTL::LowerDFGToLLVM::speculateOther):
        (JSC::FTL::LowerDFGToLLVM::speculateMisc):
        * tests/stress/compare-strict-eq-integer-to-misc.js: Added.

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, remove unintended change.

        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        jsc commandline shouldn't have a "console" because that confuses some tests into thinking
        that they're running in the browser.

        Rubber stamped by Mark Hahnenberg.

        * jsc.cpp:
        (GlobalObject::finishCreation):

2014-03-10  Filip Pizlo  <fpizlo@apple.com>

        Out-line ScratchRegisterAllocator

        Rubber stamped by Mark Hahnenberg.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGDriver.cpp:
        (JSC::DFG::compileImpl):
        * jit/ScratchRegisterAllocator.cpp: Added.
        (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
        (JSC::ScratchRegisterAllocator::lock):
        (JSC::ScratchRegisterAllocator::allocateScratch):
        (JSC::ScratchRegisterAllocator::allocateScratchGPR):
        (JSC::ScratchRegisterAllocator::allocateScratchFPR):
        (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
        (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
        (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
        * jit/ScratchRegisterAllocator.h:

2014-03-10  Brent Fulgham  <bfulgham@apple.com>

        [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
        https://bugs.webkit.org/show_bug.cgi?id=130023

        Reviewed by Dean Jackson.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
        path names to avoid accidental escaping of later string substitutions.

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for testb_i8r when register is accumulator.
        <https://webkit.org/b/130026>

        Generate the shorthand version of "test al, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testb_i8r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for sub_ir when register is accumulator.
        <https://webkit.org/b/130025>

        Generate the shorthand version of "sub eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::subl_ir):
        (JSC::X86Assembler::subq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for add_ir when register is accumulator.
        <https://webkit.org/b/130024>

        Generate the shorthand version of "add eax, imm" when possible.

        Reviewed by Michael Saboff.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::addl_ir):
        (JSC::X86Assembler::addq_ir):

2014-03-10  Mark Hahnenberg  <mhahnenberg@apple.com>

        writeBarrier in emitPutReplaceStub is unnecessary
        https://bugs.webkit.org/show_bug.cgi?id=130030

        Reviewed by Filip Pizlo.

        We already emit write barriers for each put-by-id when they're first compiled, so it's 
        redundant to emit a write barrier as part of the repatched code.

        * jit/Repatch.cpp:
        (JSC::emitPutReplaceStub):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xor_ir when register is accumulator.
        <https://webkit.org/b/130008>

        Generate the shorthand version of "xor eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xorl_ir):
        (JSC::X86Assembler::xorq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for or_ir when register is accumulator.
        <https://webkit.org/b/130007>

        Generate the shorthand version of "or eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::orl_ir):
        (JSC::X86Assembler::orq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for test_ir when register is accumulator.
        <https://webkit.org/b/130006>

        Generate the shorthand version of "test eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::testl_i32r):
        (JSC::X86Assembler::testq_i32r):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for cmp_ir when register is accumulator.
        <https://webkit.org/b/130005>

        Generate the shorthand version of "cmp eax, imm" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::cmpl_ir):
        (JSC::X86Assembler::cmpq_ir):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
        <https://webkit.org/b/130002>

        Generate this:

            mov [address], imm32

        Instead of this:

            mov scratchRegister, imm32
            mov [address], scratchRegister

        For store64(imm, address) where the 64-bit immediate can be passed as
        a sign-extended 32-bit value.

        Reviewed by Benjamin Poulain.

        * assembler/MacroAssemblerX86_64.h:
        (CAN_SIGN_EXTEND_32_64):
        (JSC::MacroAssemblerX86_64::store64):

2014-03-10  Andreas Kling  <akling@apple.com>

        [X86_64] Smaller code for xchg_rr when one register is accumulator.
        <https://webkit.org/b/130004>

        Generate the 1-byte version of "xchg eax, reg" when possible.

        Reviewed by Benjamin Poulain.

        * assembler/X86Assembler.h:
        (JSC::X86Assembler::xchgl_rr):
        (JSC::X86Assembler::xchgq_rr):

2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129998

        Reviewed by Geoffrey Garen.
        
        Not only is that the established contract, but this is used to signal to
        ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
        that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
        some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
        fine but previously it would have led to either an assertion failure, or data corruption, in
        the ScratchRegisterAllocator.

        * jit/GPRInfo.h:
        (JSC::GPRInfo::toIndex):

2014-03-09  Filip Pizlo  <fpizlo@apple.com>

        FTL fails the new equals-masquerader strictEqualConstant test
        https://bugs.webkit.org/show_bug.cgi?id=129996

        Reviewed by Mark Lam.
        
        It turns out that the FTL was trying to do the masquerading stuff for ===null. But
        that's wrong since none of the other engines do it. The DFG even had an ancient
        FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
        don't do it and JSValue::strictEqual() doesn't do it.
        
        Remove the FIXME and remove the extra checks in the FTL.
        
        This is a glorious patch: nothing but red and it fixes a test failure.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
        * ftl/FTLLowerDFGToLLVM.cpp:
        (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):

2014-03-09  Andreas Kling  <akling@apple.com>

        Short-circuit JSGlobalObjectInspectorController when not inspecting.
        <https://webkit.org/b/129995>

        Add an early return in reportAPIException() when the console agent
        is disabled. This avoids expensive symbolication during exceptions
        if there's nobody expecting the fancy backtrace anyway.

        ~2% progression on DYEB on my MBP.

        Reviewed by Geoff Garen.

        * inspector/JSGlobalObjectInspectorController.cpp:
        (Inspector::JSGlobalObjectInspectorController::reportAPIException):

2014-03-09  Andreas Kling  <akling@apple.com>

        Inline the trivial parts of GC deferral.
        <https://webkit.org/b/129984>

        Made most of the functions called by the DeferGC RAII object inline
        to avoid function call overhead.

        Looks like ~1% progression on DYEB.

        Reviewed by Geoffrey Garen.

        * heap/Heap.cpp:
        * heap/Heap.h:
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):

2014-03-08  Mark Lam  <mark.lam@apple.com>

        32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
        <https://webkit.org/b/129969>

        Reviewed by Geoffrey Garen.

        The 32-bit version of handleUncaughtException was missing the handling of an
        edge case for stack overflows where the current frame may already be the
        sentinel frame.  This edge case was handled in the 64-bit version.  The fix
        is to bring the 32-bit version up to parity.

        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * llint/LowLevelInterpreter32_64.asm:

2014-03-07  Mark Lam  <mark.lam@apple.com>

        Fix bugs in 32-bit Structure implementation.
        <https://webkit.org/b/129947>

        Reviewed by Mark Hahnenberg.

        Added the loading of the Structure (from the JSCell) before use that was
        missing in a few places.  Also added more test cases to equals-masquerader.js.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * llint/LowLevelInterpreter32_64.asm:
        * tests/stress/equals-masquerader.js:
        (equalsNull):
        (notEqualsNull):
        (strictEqualsNull):
        (strictNotEqualsNull):
        (equalsUndefined):
        (notEqualsUndefined):
        (strictEqualsUndefined):
        (strictNotEqualsUndefined):
        (isFalsey):
        (test):

2014-03-07  Andrew Trick  <atrick@apple.com>

        Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
        https://bugs.webkit.org/show_bug.cgi?id=129954

        Reviewed by Filip Pizlo.

        * tests/stress/float32-repeat-out-of-bounds.js:
        * tests/stress/int8-repeat-out-of-bounds.js:

2014-03-07  Michael Saboff  <msaboff@apple.com>

        .cfi directives in LowLevelInterpreter.cpp are providing no benefit
        https://bugs.webkit.org/show_bug.cgi?id=129945

        Reviewed by Mark Lam.

        Removed .cfi directive.  Verified that stack traces didn't regress in crash reporter
        or in lldb.

        * llint/LowLevelInterpreter.cpp:

2014-03-07  Oliver Hunt  <oliver@apple.com>

        Continue hangs when performing for-of over arguments
        https://bugs.webkit.org/show_bug.cgi?id=129915

        Reviewed by Geoffrey Garen.

        Put the continue label in the right place

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):

2014-03-07  peavo@outlook.com  <peavo@outlook.com>

        [Win64] Compile error after r165128.
        https://bugs.webkit.org/show_bug.cgi?id=129807

        Reviewed by Mark Lam.

        * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: 
        Check platform environment variable to determine if an assembler file should be generated.

2014-03-07  Michael Saboff  <msaboff@apple.com>

        Clarify how we deal with "special" registers
        https://bugs.webkit.org/show_bug.cgi?id=129806

        Already reviewed change being relanded.

        Relanding change set r165196 as it wasn't responsible for the breakage reported in
        https://bugs.webkit.org/show_bug.cgi?id=129822.  That appears to be a build or

        Reviewed by Michael Saboff.
        configuration issue.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::nextRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Move GCActivityCallback to heap
        https://bugs.webkit.org/show_bug.cgi?id=129457

        Reviewed by Geoffrey Garen.

        All the other GC timer related stuff is there already.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
        * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
        * runtime/GCActivityCallback.cpp: Removed.
        * runtime/GCActivityCallback.h: Removed.

2014-03-07  Andrew Trick  <atrick@apple.com>

        Correct a comment typo from:
        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Mark Lam.

        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-07  Mark Hahnenberg  <mhahnenberg@apple.com>

        Use OwnPtr in StructureIDTable
        https://bugs.webkit.org/show_bug.cgi?id=129828

        Reviewed by Geoffrey Garen.

        This reduces the amount of boilerplate and fixes a memory leak.

        * runtime/StructureIDTable.cpp:
        (JSC::StructureIDTable::StructureIDTable):
        (JSC::StructureIDTable::resize):
        (JSC::StructureIDTable::flushOldTables):
        (JSC::StructureIDTable::allocateID):
        (JSC::StructureIDTable::deallocateID):
        * runtime/StructureIDTable.h:
        (JSC::StructureIDTable::table):
        (JSC::StructureIDTable::get):

2014-03-07  Andrew Trick  <atrick@apple.com>

        FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
        https://bugs.webkit.org/show_bug.cgi?id=129865

        Reviewed by Filip Pizlo.

        * ftl/FTLIntrinsicRepository.h:
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::doubleRem):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        If the FTL is build-time enabled then it should be run-time enabled.

        Rubber stamped by Geoffrey Garen.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>

        [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
        https://bugs.webkit.org/show_bug.cgi?id=129852

        Reviewed by Geoffrey Garen.

        * framework.sb: Added.
        Sandbox extension to allow access to "com.apple.webinspector".

        * JavaScriptCore.xcodeproj/project.pbxproj:
        Add a Copy Resources build phase and include framework.sb.

        * Configurations/JavaScriptCore.xcconfig:
        Do not copy framework.sb on iOS.

2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
        https://bugs.webkit.org/show_bug.cgi?id=129858

        Reviewed by Mark Lam.

        It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, 
        but now it ends up overwriting the IdentifierTable that JSLock just restored.

        * API/JSContextRef.cpp:
        (JSGlobalContextRelease):

2014-03-06  Oliver Hunt  <oliver@apple.com>

        Fix FTL build.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2014-03-06  Brent Fulgham  <bfulgham@apple.com>

        Unreviewed build fix after r165128.

        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
        performing 'Production' and 'DebugSuffix' type builds.

2014-03-06  Julien Brianceau  <jbriance@cisco.com>

        Unreviewed, fix style in my previous commit.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        * runtime/JSConsole.cpp:

2014-03-06  Julien Brianceau  <jbriance@cisco.com>

        Build fix: add missing include in JSConole.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=129833

        Reviewed by Oliver Hunt.

        * runtime/JSConsole.cpp:

2014-03-06  Oliver Hunt  <oliver@apple.com>

        Fix ARMv7

        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):

2014-03-06  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r165196.
        http://trac.webkit.org/changeset/165196
        https://bugs.webkit.org/show_bug.cgi?id=129822

        broke arm64 on hardware (Requested by bfulgham on #webkit).

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::lastRegister):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::isStackRelated):
        (JSC::MacroAssembler::firstRealRegister):
        (JSC::MacroAssembler::nextRegister):
        (JSC::MacroAssembler::secondRealRegister):
        * ftl/FTLLocation.cpp:
        (JSC::FTL::Location::restoreInto):
        * ftl/FTLSaveRestore.cpp:
        (JSC::FTL::saveAllRegisters):
        (JSC::FTL::restoreAllRegisters):
        * ftl/FTLSlowPathCall.cpp:
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::specialRegisters):
        (JSC::RegisterSet::calleeSaveRegisters):
        * jit/RegisterSet.h:

2014-03-06  Mark Lam  <mark.lam@apple.com>

        REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
        <https://webkit.org/b/129813>

        Reviewed by Michael Saboff.

        Fixed broken C loop LLINT build.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        * offlineasm/cloop.rb:

2014-03-03  Oliver Hunt  <oliver@apple.com>

        Support caching of custom setters
        https://bugs.webkit.org/show_bug.cgi?id=129519

        Reviewed by Filip Pizlo.

        This patch adds caching of assignment to properties that
        are backed by C functions. This provides most of the leg
        work required to start supporting setters, and resolves
        the remaining regressions from moving DOM properties up
        the prototype chain.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/PolymorphicPutByIdList.cpp:
        (JSC::PutByIdAccess::visitWeak):
        (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
        (JSC::PolymorphicPutByIdList::from):
        * bytecode/PolymorphicPutByIdList.h:
        (JSC::PutByIdAccess::transition):
        (JSC::PutByIdAccess::replace):
        (JSC::PutByIdAccess::customSetter):
        (JSC::PutByIdAccess::isCustom):
        (JSC::PutByIdAccess::oldStructure):
        (JSC::PutByIdAccess::chain):
        (JSC::PutByIdAccess::stubRoutine):
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::computeForStubInfo):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::dump):
        * bytecode/PutByIdStatus.h:
        (JSC::PutByIdStatus::PutByIdStatus):
        (JSC::PutByIdStatus::takesSlowPath):
        (JSC::PutByIdStatus::makesCalls):
        * bytecode/StructureStubInfo.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::emitPutById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasIdentifier):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileIn):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::cachedGetById):
        (JSC::DFG::SpeculativeJIT::cachedPutById):
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITInlineCacheGenerator.cpp:
        (JSC::JITByIdGenerator::JITByIdGenerator):
        (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
        * jit/JITInlineCacheGenerator.h:
        (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_get_by_id):
        (JSC::JIT::emit_op_put_by_id):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::tryBuildGetByIDList):
        (JSC::emitCustomSetterStub):
        (JSC::tryCachePutByID):
        (JSC::tryBuildPutByIdList):
        * jit/SpillRegistersMode.h: Added.
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * runtime/Lookup.h:
        (JSC::putEntry):
        * runtime/PutPropertySlot.h:
        (JSC::PutPropertySlot::setCacheableCustomProperty):
        (JSC::PutPropertySlot::customSetter):
        (JSC::PutPropertySlot::isCacheablePut):
        (JSC::PutPropertySlot::isCacheableCustomProperty):
        (JSC::PutPropertySlot::cachedOffset):

2014-03-06  Filip Pizlo  <fpizlo@apple.com>

        FTL arity fixup should work on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=129810

        Reviewed by Michael Saboff.
        
        - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
          callee-save.
        
        - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
        
        This makes some more tests pass.

        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::prologueStackPointerDelta):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompile):
        * jit/ThunkGenerators.cpp:
        (JSC::arityFixup):
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/arm64.rb:
        * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.

2014-03-06  Mark Hahnenberg  <mhahnenberg@apple.com>

        Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
        https://bugs.webkit.org/show_bug.cgi?id=129760

        Reviewed by Geoffrey Garen.

        r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. 
        The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::writeBarrier):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::checkMarkByte):
        * jit/JIT.h:
        * jit/JITPropertyAccess.cpp:
        * jit/Repatch.cpp:
        (JSC::writeBarrier):

2014-03-06  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
        https://bugs.webkit.org/show_bug.cgi?id=127944

        Reviewed by Geoffrey Garen.

        Always expose the Console object in JSContexts, just like we
        do for web pages. The default behavior will route to an
        attached JSContext inspector. This can be overriden by
        setting the ConsoleClient on the JSGlobalObject, which WebCore
        does to get slightly different behavior.

        * CMakeLists.txt:
        * GNUmakefile.list.am:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        Update build systems.

        * API/tests/testapi.js:
        * API/tests/testapi.mm:
        Test that "console" exists in C and ObjC contexts.

        * runtime/ConsoleClient.cpp: Added.
        (JSC::ConsoleClient::printURLAndPosition):
        (JSC::ConsoleClient::printMessagePrefix):
        (JSC::ConsoleClient::printConsoleMessage):
        (JSC::ConsoleClient::printConsoleMessageWithArguments):
        (JSC::ConsoleClient::internalMessageWithTypeAndLevel):
        (JSC::ConsoleClient::logWithLevel):
        (JSC::ConsoleClient::clear):
        (JSC::ConsoleClient::dir):
        (JSC::ConsoleClient::dirXML):
        (JSC::ConsoleClient::table):
        (JSC::ConsoleClient::trace):
        (JSC::ConsoleClient::assertCondition):
        (JSC::ConsoleClient::group):
        (JSC::ConsoleClient::groupCollapsed):
        (JSC::ConsoleClient::groupEnd):
        * runtime/ConsoleClient.h: Added.
        (JSC::ConsoleClient::~ConsoleClient):
        New private interface for handling the console object's methods.
        A lot of the methods funnel through messageWithTypeAndLevel.

        * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
        Moved to JSC namespace.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::reset):
        (JSC::JSGlobalObject::visitChildren):
        Create the "console" object when initializing the environment.
        Also set the default console client to be the JS context inspector.

        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::setConsoleClient):
        (JSC::JSGlobalObject::consoleClient):
        Ability to change the console client, so WebCore can set a custom client.

        * runtime/ConsolePrototype.cpp: Added.
        (JSC::ConsolePrototype::finishCreation):
        (JSC::valueToStringWithUndefinedOrNullCheck):
        (JSC::consoleLogWithLevel):
        (JSC::consoleProtoFuncDebug):
        (JSC::consoleProtoFuncError):
        (JSC::consoleProtoFuncLog):
        (JSC::consoleProtoFuncWarn):
        (JSC::consoleProtoFuncClear):
        (JSC::consoleProtoFuncDir):
        (JSC::consoleProtoFuncDirXML):
        (JSC::consoleProtoFuncTable):
        (JSC::consoleProtoFuncTrace):
        (JSC::consoleProtoFuncAssert):
        (JSC::consoleProtoFuncCount):
        (JSC::consoleProtoFuncProfile):
        (JSC::consoleProtoFuncProfileEnd):
        (JSC::consoleProtoFuncTime):
        (JSC::consoleProtoFuncTimeEnd):
        (JSC::consoleProtoFuncTimeStamp):
        (JSC::consoleProtoFuncGroup):
        (JSC::consoleProtoFuncGroupCollapsed):
        (JSC::consoleProtoFuncGroupEnd):
        * runtime/ConsolePrototype.h: Added.
        (JSC::ConsolePrototype::create):
        (JSC::ConsolePrototype::createStructure):
        (JSC::ConsolePrototype::ConsolePrototype):
        Define the console object interface. Parse out required / expected
        arguments and throw expcetions when methods are misused.

        * runtime/JSConsole.cpp: Added.
        * runtime/JSConsole.h: Added.
        (JSC::JSConsole::createStructure):
        (JSC::JSConsole::create):
        (JSC::JSConsole::JSConsole):
        Empty "console" object. Everything is in the prototype.

        * inspector/JSConsoleClient.cpp: Added.
        (Inspector::JSConsoleClient::JSGlobalObjectConsole):
        (Inspector::JSConsoleClient::count):
        (Inspector::JSConsoleClient::profile):
        (Inspector::JSConsoleClient::profileEnd):
        (Inspector::JSConsoleClient::time):
        (Inspector::JSConsoleClient::timeEnd):
        (Inspector::JSConsoleClient::timeStamp):