author Simon Hausmann <simon.hausmann@nokia.com> 2012-08-21 10:57:44 +0200
committer Simon Hausmann <simon.hausmann@nokia.com> 2012-08-21 10:57:44 +0200
commit 5ef7c8a6a70875d4430752d146bdcb069605d71d
tree f6256640b6c46d7da221435803cae65326817ba2 /Source/JavaScriptCore/ChangeLog
parent decad929f578d8db641febc8740649ca6c574638
Imported WebKit commit 356d83016b090995d08ad568f2d2c243aa55e831 (http://svn.webkit.org/repository/webkit/trunk@126147)
New snapshot including various build fixes for newer Qt 5
Diffstat (limited to 'Source/JavaScriptCore/ChangeLog')
-rw-r--r-- Source/JavaScriptCore/ChangeLog 840
1 files changed, 840 insertions, 0 deletions
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 063b2f519..4297df1e5 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,843 @@
+2012-08-20 Mark Lam <mark.lam@apple.com>
+
+ Fix broken non-JIT build.
+ https://bugs.webkit.org/show_bug.cgi?id=94564.
+
+ Reviewed by Filip Pizlo.
+
+ Added some UNUSED_PARAM() macros to make the compiler happy.
+
+ * runtime/Executable.cpp:
+ (JSC::EvalExecutable::compileInternal):
+ (JSC::ProgramExecutable::compileInternal):
+ (JSC::FunctionExecutable::compileForCallInternal):
+ (JSC::FunctionExecutable::compileForConstructInternal):
+
+2012-08-20 Mark Lam <mark.lam@apple.com>
+
+ Fixed erroneous line number for LLint frame when throwing exceptions.
+ https://bugs.webkit.org/show_bug.cgi?id=94051.
+
+ Reviewed by Filip Pizlo.
+
+ For LLInt frames, before throwing an exception, adjust the PC from the
+ return PC back to the call PC if we are indeed at a call site.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::adjustPCIfAtCallSite):
+ (JSC):
+ (JSC::CodeBlock::bytecodeOffset):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ * llint/LLIntExceptions.cpp:
+ (JSC::LLInt::fixupPCforExceptionIfNeeded):
+ (LLInt):
+ (JSC::LLInt::interpreterThrowInCaller):
+ (JSC::LLInt::returnToThrow):
+ (JSC::LLInt::callToThrow):
+
+2012-08-20 Filip Pizlo <fpizlo@apple.com>
+
+ fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html on 32-bit
+ https://bugs.webkit.org/show_bug.cgi?id=94538
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+
+2012-08-20 Filip Pizlo <fpizlo@apple.com>
+
+ fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html crashes on 32-bit
+ https://bugs.webkit.org/show_bug.cgi?id=94026
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+
+2012-08-19 Filip Pizlo <fpizlo@apple.com>
+
+ The relationship between abstract values and structure transition watchpoints should be rationalized
+ https://bugs.webkit.org/show_bug.cgi?id=94205
+
+ Reviewed by Geoffrey Garen.
+
+ This patch does a number of things related to the handling of the abstract values
+ arrising from values with structures known to be watchpointable:
+
+ - This rationalizes the relationship between the structure that we know an object
+ to have *right now* based on having executed a check against that structure, and
+ the structure that we know the object could have *in the future* based on a type
+ check executed in the past over a structure that was watchpointable.
+
+ - We use the above to assert that structure transition watchpoints are being used
+ soundly.
+
+ - We use the above to strength reduce CheckStructure into StructureTransitionWatchpoint
+ whenever possible.
+
+ - This rationalizes the handling of CFA over constants that appeared in the bytecode.
+ If at compile-time the constant has a watchpointable structure, then we can prove
+ what structures it may have in the future. The analysis uses this to both assert
+ that structure transition watchpoints are being used correctly, and to find
+ opportunities for using them more aggressively.
+
+ The net effect of all of these changes is that OSR entry should work more smoothly.
+ It may also be a slight win due to strength reductions, though most of those strength
+ reductions would have already been done by the parser and the structure check hoister.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::beginBasicBlock):
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGAbstractValue.h:
+ (DFG):
+ (JSC::DFG::AbstractValue::clear):
+ (JSC::DFG::AbstractValue::isClear):
+ (JSC::DFG::AbstractValue::makeTop):
+ (JSC::DFG::AbstractValue::clobberStructures):
+ (JSC::DFG::AbstractValue::isTop):
+ (JSC::DFG::AbstractValue::setFuturePossibleStructure):
+ (AbstractValue):
+ (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
+ (JSC::DFG::AbstractValue::setMostSpecific):
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::operator==):
+ (JSC::DFG::AbstractValue::merge):
+ (JSC::DFG::AbstractValue::filter):
+ (JSC::DFG::AbstractValue::filterValueByType):
+ (JSC::DFG::AbstractValue::validateType):
+ (JSC::DFG::AbstractValue::validate):
+ (JSC::DFG::AbstractValue::checkConsistency):
+ (JSC::DFG::AbstractValue::dump):
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::checkStructureLoadElimination):
+ (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
+ (Node):
+ (JSC::DFG::Node::hasStructure):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
+ (JSC::DFG::SpeculativeJIT::forwardSpeculationWatchpoint):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::speculationWatchpointWithConditionalDirection):
+ (JSC::DFG::SpeculativeJIT::forwardSpeculationCheck):
+ (JSC::DFG::SpeculativeJIT::speculateArray):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureAbstractValue.h: Added.
+ (DFG):
+ (StructureAbstractValue):
+ (JSC::DFG::StructureAbstractValue::StructureAbstractValue):
+ (JSC::DFG::StructureAbstractValue::clear):
+ (JSC::DFG::StructureAbstractValue::makeTop):
+ (JSC::DFG::StructureAbstractValue::top):
+ (JSC::DFG::StructureAbstractValue::add):
+ (JSC::DFG::StructureAbstractValue::addAll):
+ (JSC::DFG::StructureAbstractValue::contains):
+ (JSC::DFG::StructureAbstractValue::isSubsetOf):
+ (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan):
+ (JSC::DFG::StructureAbstractValue::isSupersetOf):
+ (JSC::DFG::StructureAbstractValue::filter):
+ (JSC::DFG::StructureAbstractValue::isClear):
+ (JSC::DFG::StructureAbstractValue::isTop):
+ (JSC::DFG::StructureAbstractValue::isClearOrTop):
+ (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
+ (JSC::DFG::StructureAbstractValue::size):
+ (JSC::DFG::StructureAbstractValue::at):
+ (JSC::DFG::StructureAbstractValue::operator[]):
+ (JSC::DFG::StructureAbstractValue::last):
+ (JSC::DFG::StructureAbstractValue::speculationFromStructures):
+ (JSC::DFG::StructureAbstractValue::hasSingleton):
+ (JSC::DFG::StructureAbstractValue::singleton):
+ (JSC::DFG::StructureAbstractValue::operator==):
+ (JSC::DFG::StructureAbstractValue::dump):
+ (JSC::DFG::StructureAbstractValue::topValue):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+
+2012-08-17 Filip Pizlo <fpizlo@apple.com>
+
+ The current state of the call frame should be taken into account in the DFG for both predictions and proofs
+ https://bugs.webkit.org/show_bug.cgi?id=94412
+
+ Reviewed by Geoffrey Garen.
+
+ This ensures that no matter how smart the DFG gets, it'll always know through
+ which entrypoint OSR will try to enter, and with which values it will attempt
+ to do so. For prologue OSR, this has no effect other than adding the current
+ arguments to the argument predictions. For loop OSR, this makes our treatment
+ of the loop slightly more conservative - just conservative enough to ensure
+ that OSR succeeds.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::ProgramCodeBlock::compileOptimized):
+ (JSC::EvalCodeBlock::compileOptimized):
+ (JSC::FunctionCodeBlock::compileOptimized):
+ * bytecode/CodeBlock.h:
+ (CodeBlock):
+ (ProgramCodeBlock):
+ (EvalCodeBlock):
+ (FunctionCodeBlock):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::initialize):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::setMostSpecific):
+ (AbstractValue):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::fixVariableAccessPredictions):
+ (JSC::DFG::ByteCodeParser::parse):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ (JSC::DFG::tryCompile):
+ (JSC::DFG::tryCompileFunction):
+ * dfg/DFGDriver.h:
+ (DFG):
+ (JSC::DFG::tryCompile):
+ (JSC::DFG::tryCompileFunction):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::Graph):
+ (Graph):
+ * jit/JITDriver.h:
+ (JSC::jitCompileIfAppropriate):
+ (JSC::jitCompileFunctionIfAppropriate):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * runtime/Executable.cpp:
+ (JSC::EvalExecutable::compileOptimized):
+ (JSC::EvalExecutable::compileInternal):
+ (JSC::ProgramExecutable::compileOptimized):
+ (JSC::ProgramExecutable::compileInternal):
+ (JSC::FunctionExecutable::compileOptimizedForCall):
+ (JSC::FunctionExecutable::compileOptimizedForConstruct):
+ (JSC::FunctionExecutable::compileForCallInternal):
+ (JSC::FunctionExecutable::compileForConstructInternal):
+ * runtime/Executable.h:
+ (EvalExecutable):
+ (ProgramExecutable):
+ (FunctionExecutable):
+ (JSC::FunctionExecutable::compileOptimizedFor):
+ * runtime/ExecutionHarness.h:
+ (JSC::prepareForExecution):
+ (JSC::prepareFunctionForExecution):
+
+2012-08-17 Filip Pizlo <fpizlo@apple.com>
+
+ DFG CSE should be more honest about when it changed the IR
+ https://bugs.webkit.org/show_bug.cgi?id=94408
+
+ Reviewed by Geoffrey Garen.
+
+ The CSE phase now always returns true if it changed the IR.
+
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::setReplacement):
+ (JSC::DFG::CSEPhase::eliminate):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+
+2012-08-17 Filip Pizlo <fpizlo@apple.com>
+
+ DFG is still too pessimistic about what constitutes a side-effect on array accesses
+ https://bugs.webkit.org/show_bug.cgi?id=94309
+
+ Reviewed by Geoffrey Garen.
+
+ This change means that even if structure transition watchpoints are not used for
+ hoisting of clobbered structure checks, we still retain good performance on the
+ benchmarks we care about. That's important, since butterflies will likely make
+ most array structures not watchpointable.
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+
+2012-08-17 Milian Wolff <milian.wolff@kdab.com>
+
+ [Qt] QNX build fails due to ctype usage in system headers
+ https://bugs.webkit.org/show_bug.cgi?id=93849
+
+ Reviewed by Simon Hausmann.
+
+ Move the check for whether DisallowCType should be active or not
+ to the DisallowCType.h header. This way, we can update the list
+ of platforms or OSes which do not work with this header in a
+ central place. All users can now safely include the header
+ and do not need to place custom guards around it.
+
+ * config.h:
+
+2012-08-16 Simon Hausmann <simon.hausmann@nokia.com>
+
+ [Qt] Replace use of internal Weak smart pointer with JSWeakObjectMap
+ https://bugs.webkit.org/show_bug.cgi?id=93872
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ * Target.pri: Add missing JSWeakObjectMap file to build.
+
+2012-08-16 Filip Pizlo <fpizlo@apple.com>
+
+ Structure check hoisting should be less expensive
+ https://bugs.webkit.org/show_bug.cgi?id=94201
+
+ Reviewed by Mark Hahnenberg.
+
+ This appears like a broad win on short-running programs.
+
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compile):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::compareAndSwap):
+ (Graph):
+ (JSC::DFG::Graph::substitute):
+ (JSC::DFG::Graph::substituteGetLocal):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+
+2012-08-16 Filip Pizlo <fpizlo@apple.com>
+
+ All op_resolve_global instructions should end up in the list of global resolve instructions
+ https://bugs.webkit.org/show_bug.cgi?id=94247
+ <rdar://problem/12103500>
+
+ Reviewed by Mark Hahnenberg.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitResolveWithBase):
+
+2012-08-15 Bruno de Oliveira Abinader <bruno.abinader@basyskom.com>
+
+ [css3-text] Add CSS3 Text decoration compile flag
+ https://bugs.webkit.org/show_bug.cgi?id=93863
+
+ Reviewed by Julien Chaffraix.
+
+ This patch handles the compile flag implementation, which will come disabled by
+ default, thus not exposing the CSS3 text decoration features to the web, unless
+ when explicitly enabling it with "--css3-text-decoration" build parameter.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2012-08-15 Sheriff Bot <webkit.review.bot@gmail.com>
+
+ Unreviewed, rolling out r125687.
+ http://trac.webkit.org/changeset/125687
+ https://bugs.webkit.org/show_bug.cgi?id=94147
+
+ It broke the whole world (Requested by Ossy_night on #webkit).
+
+ * API/JSValueRef.cpp:
+ (JSValueToBoolean):
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+ * bytecode/Watchpoint.h:
+ (WatchpointSet):
+ * debugger/DebuggerCallFrame.h:
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::privateExecute):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_is_undefined):
+ (JSC::JIT::emit_op_jeq_null):
+ (JSC::JIT::emit_op_jneq_null):
+ (JSC::JIT::emit_op_eq_null):
+ (JSC::JIT::emit_op_neq_null):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_is_undefined):
+ (JSC::JIT::emit_op_jeq_null):
+ (JSC::JIT::emit_op_jneq_null):
+ (JSC::JIT::emit_op_eq_null):
+ (JSC::JIT::emit_op_neq_null):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncFilter):
+ (JSC::arrayProtoFuncEvery):
+ (JSC::arrayProtoFuncSome):
+ * runtime/BooleanConstructor.cpp:
+ (JSC::constructBoolean):
+ (JSC::callBooleanConstructor):
+ * runtime/JSCell.h:
+ (JSCell):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+ * runtime/JSString.h:
+ (JSC::JSCell::toBoolean):
+ (JSC::JSValue::toBoolean):
+ * runtime/JSValue.h:
+ * runtime/ObjectConstructor.cpp:
+ (JSC::toPropertyDescriptor):
+ * runtime/Operations.cpp:
+ (JSC::jsTypeStringForValue):
+ (JSC::jsIsObjectType):
+ * runtime/Operations.h:
+ (JSC):
+ (JSC::JSValue::equalSlowCaseInline):
+ * runtime/RegExpConstructor.cpp:
+ (JSC::setRegExpConstructorMultiline):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoFuncToString):
+ * runtime/Structure.h:
+
+2012-08-15 Gabor Ballabas <gaborb@inf.u-szeged.hu>
+
+ Buildfix after r125541
+ https://bugs.webkit.org/show_bug.cgi?id=94097
+
+ Reviewed by Filip Pizlo.
+
+ r125541 has broken the traditional ARM port build of JSC.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::neg32):
+ (JSC::MacroAssemblerARM::xor32):
+
+2012-08-14 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Change behavior of MasqueradesAsUndefined to better accommodate DFG changes
+ https://bugs.webkit.org/show_bug.cgi?id=93884
+
+ Reviewed by Geoffrey Garen.
+
+ With some upcoming changes to the DFG to remove uses of ClassInfo, we will be changing the behavior of
+ MasqueradesAsUndefined. In order to make this change consistent across all of our execution engines,
+ we will make this change to MasqueradesAsUndefined as a separate patch. After this patch, MasqueradesAsUndefined
+ objects will only masquerade as undefined in their original context (i.e. their original JSGlobalObject).
+ For example, if an object that masquerades as undefined in frame A is passed to frame B, it will not
+ masquerade as undefined within frame B, but it will continue to masquerade in frame A.
+
+ There are two primary changes that are taking place here. One is to thread the ExecState* through
+ JSValue::toBoolean and JSCell::toBoolean so that JSCell::toBoolean can check the object's
+ JSGlobalObject to compare it to the lexical JSGlobalObject of the currently running code. If the two
+ are distinct, then the object cannot MasqueradeAsUndefined.
+
+ The other change is to perform this comparison of JSGlobalObjects everywhere where the MasqueradesAsUndefined
+ flag in the Structure is checked. For C++ code, this check has been factored into its own function in
+ Structure::masqueradesAsUndefined. We only perform this check in the DFG if the current JSGlobalObject has
+ had a MasqueradesAsUndefined object allocated within its context. This conditional compilation is managed
+ through the use of a WatchpointSet in each JSGlobalObject and alternate create() functions for JS DOM wrappers
+ that are MasqueradesAsUndefined.
+
+ * API/JSValueRef.cpp:
+ (JSValueToBoolean):
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def:
+ * bytecode/Watchpoint.h:
+ (WatchpointSet):
+ * debugger/DebuggerCallFrame.h:
+ (JSC::DebuggerCallFrame::callFrame):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::privateExecute):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_is_undefined):
+ (JSC::JIT::emit_op_jeq_null):
+ (JSC::JIT::emit_op_jneq_null):
+ (JSC::JIT::emit_op_eq_null):
+ (JSC::JIT::emit_op_neq_null):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_is_undefined):
+ (JSC::JIT::emit_op_jeq_null):
+ (JSC::JIT::emit_op_jneq_null):
+ (JSC::JIT::emit_op_eq_null):
+ (JSC::JIT::emit_op_neq_null):
+ * jit/JITStubs.cpp:
+ (JSC::DEFINE_STUB_FUNCTION):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncFilter):
+ (JSC::arrayProtoFuncEvery):
+ (JSC::arrayProtoFuncSome):
+ * runtime/BooleanConstructor.cpp:
+ (JSC::constructBoolean):
+ (JSC::callBooleanConstructor):
+ * runtime/JSCell.h:
+ (JSCell):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ * runtime/JSGlobalObject.h:
+ (JSGlobalObject):
+ (JSC::JSGlobalObject::masqueradesAsUndefinedWatchpoint):
+ * runtime/JSString.h:
+ (JSC::JSCell::toBoolean):
+ (JSC::JSValue::toBoolean):
+ * runtime/JSValue.h:
+ * runtime/ObjectConstructor.cpp:
+ (JSC::toPropertyDescriptor):
+ * runtime/Operations.cpp:
+ (JSC::jsTypeStringForValue):
+ (JSC::jsIsObjectType):
+ * runtime/Operations.h:
+ (JSC):
+ (JSC::JSValue::equalSlowCaseInline):
+ * runtime/RegExpConstructor.cpp:
+ (JSC::setRegExpConstructorMultiline):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoFuncToString):
+ * runtime/Structure.h:
+ (Structure):
+ (JSC::Structure::globalObjectOffset):
+ (JSC::Structure::masqueradesAsUndefined):
+ (JSC):
+
+2012-08-14 Filip Pizlo <fpizlo@apple.com>
+
+ Unreviewed, build fix for !ENABLE(DFG_JIT)
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2012-08-13 Filip Pizlo <fpizlo@apple.com>
+
+ Array checks should use the structure, not the class info
+ https://bugs.webkit.org/show_bug.cgi?id=93150
+
+ Reviewed by Mark Hahnenberg.
+
+ This changes all array checks used in array accesses (get, put, get length,
+ push, pop) to use the structure, not the class info. Additionally, these
+ checks in the LLInt and baseline JIT record the structure in an ArrayProfile,
+ so that the DFG can know exactly what structure to check for.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * Target.pri:
+ * bytecode/ArrayProfile.cpp: Added.
+ (JSC):
+ (JSC::ArrayProfile::computeUpdatedPrediction):
+ * bytecode/ArrayProfile.h: Added.
+ (JSC):
+ (JSC::arrayModeFromStructure):
+ (ArrayProfile):
+ (JSC::ArrayProfile::ArrayProfile):
+ (JSC::ArrayProfile::bytecodeOffset):
+ (JSC::ArrayProfile::addressOfLastSeenStructure):
+ (JSC::ArrayProfile::observeStructure):
+ (JSC::ArrayProfile::expectedStructure):
+ (JSC::ArrayProfile::structureIsPolymorphic):
+ (JSC::ArrayProfile::hasDefiniteStructure):
+ (JSC::ArrayProfile::observedArrayModes):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dump):
+ (JSC::CodeBlock::getArrayProfile):
+ (JSC):
+ (JSC::CodeBlock::getOrAddArrayProfile):
+ (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::executionEntryCount):
+ (JSC::CodeBlock::numberOfArrayProfiles):
+ (JSC::CodeBlock::arrayProfiles):
+ (JSC::CodeBlock::addArrayProfile):
+ (CodeBlock):
+ * bytecode/Instruction.h:
+ (JSC):
+ (JSC::Instruction::Instruction):
+ * bytecode/Opcode.h:
+ (JSC):
+ (JSC::padOpcodeName):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitGetArgumentByVal):
+ (JSC::BytecodeGenerator::emitGetByVal):
+ (JSC::BytecodeGenerator::emitPutByVal):
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::initialize):
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::hasSingleton):
+ (StructureAbstractValue):
+ (JSC::DFG::StructureAbstractValue::singleton):
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateArray):
+ (DFG):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+ * dfg/DFGSpeculativeJIT.h:
+ (SpeculativeJIT):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureCheckHoistingPhase.cpp:
+ (JSC::DFG::StructureCheckHoistingPhase::run):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ * llint/LLIntOffsetsExtractor.cpp:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/Structure.h:
+ (Structure):
+ (JSC::Structure::classInfoOffset):
+
+2012-08-14 Gabor Ballabas <gaborb@inf.u-szeged.hu>
+
+ Rename functions in the ARM port of DFG-JIT for better code readability.
+ https://bugs.webkit.org/show_bug.cgi?id=93609
+
+ Reviewed by Zoltan Herczeg.
+
+ Rename functions in the ARM port of DFG-JIT for better code
+ readability, and for following the WebKit coding style
+ wherever it is possible.
+
+ * assembler/ARMAssembler.cpp:
+ (JSC::ARMAssembler::genInt):
+ (JSC::ARMAssembler::getImm):
+ (JSC::ARMAssembler::moveImm):
+ (JSC::ARMAssembler::encodeComplexImm):
+ (JSC::ARMAssembler::dataTransfer32):
+ (JSC::ARMAssembler::baseIndexTransfer32):
+ (JSC::ARMAssembler::dataTransfer16):
+ (JSC::ARMAssembler::baseIndexTransfer16):
+ (JSC::ARMAssembler::dataTransferFloat):
+ (JSC::ARMAssembler::baseIndexTransferFloat):
+ * assembler/ARMAssembler.h:
+ (JSC::ARMAssembler::bitAnd):
+ (JSC::ARMAssembler::bitAnds):
+ (JSC::ARMAssembler::eor):
+ (JSC::ARMAssembler::eors):
+ (JSC::ARMAssembler::sub):
+ (JSC::ARMAssembler::subs):
+ (JSC::ARMAssembler::rsb):
+ (JSC::ARMAssembler::rsbs):
+ (JSC::ARMAssembler::add):
+ (JSC::ARMAssembler::adds):
+ (JSC::ARMAssembler::adc):
+ (JSC::ARMAssembler::adcs):
+ (JSC::ARMAssembler::sbc):
+ (JSC::ARMAssembler::sbcs):
+ (JSC::ARMAssembler::rsc):
+ (JSC::ARMAssembler::rscs):
+ (JSC::ARMAssembler::tst):
+ (JSC::ARMAssembler::teq):
+ (JSC::ARMAssembler::cmp):
+ (JSC::ARMAssembler::cmn):
+ (JSC::ARMAssembler::orr):
+ (JSC::ARMAssembler::orrs):
+ (JSC::ARMAssembler::mov):
+ (JSC::ARMAssembler::movw):
+ (JSC::ARMAssembler::movt):
+ (JSC::ARMAssembler::movs):
+ (JSC::ARMAssembler::bic):
+ (JSC::ARMAssembler::bics):
+ (JSC::ARMAssembler::mvn):
+ (JSC::ARMAssembler::mvns):
+ (JSC::ARMAssembler::mul):
+ (JSC::ARMAssembler::muls):
+ (JSC::ARMAssembler::mull):
+ (JSC::ARMAssembler::vmov_f64):
+ (JSC::ARMAssembler::vadd_f64):
+ (JSC::ARMAssembler::vdiv_f64):
+ (JSC::ARMAssembler::vsub_f64):
+ (JSC::ARMAssembler::vmul_f64):
+ (JSC::ARMAssembler::vcmp_f64):
+ (JSC::ARMAssembler::vsqrt_f64):
+ (JSC::ARMAssembler::vabs_f64):
+ (JSC::ARMAssembler::vneg_f64):
+ (JSC::ARMAssembler::ldrImmediate):
+ (JSC::ARMAssembler::ldrUniqueImmediate):
+ (JSC::ARMAssembler::dtrUp):
+ (JSC::ARMAssembler::dtrUpRegister):
+ (JSC::ARMAssembler::dtrDown):
+ (JSC::ARMAssembler::dtrDownRegister):
+ (JSC::ARMAssembler::halfDtrUp):
+ (JSC::ARMAssembler::halfDtrUpRegister):
+ (JSC::ARMAssembler::halfDtrDown):
+ (JSC::ARMAssembler::halfDtrDownRegister):
+ (JSC::ARMAssembler::doubleDtrUp):
+ (JSC::ARMAssembler::doubleDtrDown):
+ (JSC::ARMAssembler::push):
+ (JSC::ARMAssembler::pop):
+ (JSC::ARMAssembler::poke):
+ (JSC::ARMAssembler::peek):
+ (JSC::ARMAssembler::vmov_vfp64):
+ (JSC::ARMAssembler::vmov_arm64):
+ (JSC::ARMAssembler::vmov_vfp32):
+ (JSC::ARMAssembler::vmov_arm32):
+ (JSC::ARMAssembler::vcvt_f64_s32):
+ (JSC::ARMAssembler::vcvt_s32_f64):
+ (JSC::ARMAssembler::vcvt_u32_f64):
+ (JSC::ARMAssembler::vcvt_f64_f32):
+ (JSC::ARMAssembler::vcvt_f32_f64):
+ (JSC::ARMAssembler::clz):
+ (JSC::ARMAssembler::lslRegister):
+ (JSC::ARMAssembler::lsrRegister):
+ (JSC::ARMAssembler::asrRegister):
+ (JSC::ARMAssembler::align):
+ (JSC::ARMAssembler::loadBranchTarget):
+ (JSC::ARMAssembler::vmov):
+ * assembler/MacroAssemblerARM.cpp:
+ (JSC::MacroAssemblerARM::load32WithUnalignedHalfWords):
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::add32):
+ (JSC::MacroAssemblerARM::and32):
+ (JSC::MacroAssemblerARM::lshift32):
+ (JSC::MacroAssemblerARM::mul32):
+ (JSC::MacroAssemblerARM::or32):
+ (JSC::MacroAssemblerARM::rshift32):
+ (JSC::MacroAssemblerARM::urshift32):
+ (JSC::MacroAssemblerARM::sub32):
+ (JSC::MacroAssemblerARM::xor32):
+ (JSC::MacroAssemblerARM::countLeadingZeros32):
+ (JSC::MacroAssemblerARM::convertibleLoadPtr):
+ (JSC::MacroAssemblerARM::load32WithAddressOffsetPatch):
+ (JSC::MacroAssemblerARM::load32WithCompactAddressOffsetPatch):
+ (JSC::MacroAssemblerARM::store32WithAddressOffsetPatch):
+ (JSC::MacroAssemblerARM::store32):
+ (JSC::MacroAssemblerARM::pop):
+ (JSC::MacroAssemblerARM::push):
+ (JSC::MacroAssemblerARM::move):
+ (JSC::MacroAssemblerARM::swap):
+ (JSC::MacroAssemblerARM::branch32):
+ (JSC::MacroAssemblerARM::branchTest32):
+ (JSC::MacroAssemblerARM::mull32):
+ (JSC::MacroAssemblerARM::branchSub32):
+ (JSC::MacroAssemblerARM::compare32):
+ (JSC::MacroAssemblerARM::test32):
+ (JSC::MacroAssemblerARM::load32):
+ (JSC::MacroAssemblerARM::relativeTableJump):
+ (JSC::MacroAssemblerARM::moveWithPatch):
+ (JSC::MacroAssemblerARM::loadDouble):
+ (JSC::MacroAssemblerARM::moveDouble):
+ (JSC::MacroAssemblerARM::addDouble):
+ (JSC::MacroAssemblerARM::divDouble):
+ (JSC::MacroAssemblerARM::subDouble):
+ (JSC::MacroAssemblerARM::mulDouble):
+ (JSC::MacroAssemblerARM::sqrtDouble):
+ (JSC::MacroAssemblerARM::absDouble):
+ (JSC::MacroAssemblerARM::negateDouble):
+ (JSC::MacroAssemblerARM::convertInt32ToDouble):
+ (JSC::MacroAssemblerARM::convertFloatToDouble):
+ (JSC::MacroAssemblerARM::convertDoubleToFloat):
+ (JSC::MacroAssemblerARM::branchDouble):
+ (JSC::MacroAssemblerARM::branchTruncateDoubleToInt32):
+ (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32):
+ (JSC::MacroAssemblerARM::truncateDoubleToInt32):
+ (JSC::MacroAssemblerARM::truncateDoubleToUint32):
+ (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
+ (JSC::MacroAssemblerARM::branchDoubleNonZero):
+ (JSC::MacroAssemblerARM::branchDoubleZeroOrNaN):
+
+2012-08-13 Simon Hausmann <simon.hausmann@nokia.com>
+
+ Unreviewed, rolling out r125444.
+ http://trac.webkit.org/changeset/125444
+ https://bugs.webkit.org/show_bug.cgi?id=93872
+
+ Broke some tests
+
+ * Target.pri:
+
+2012-08-13 Simon Hausmann <simon.hausmann@nokia.com>
+
+ [Qt] Replace use of internal Weak smart pointer with JSWeakObjectMap
+ https://bugs.webkit.org/show_bug.cgi?id=93872
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ * Target.pri: Add missing JSWeakObjectMap file to build.
+
+2012-08-13 Raphael Kubo da Costa <rakuco@webkit.org>
+
+ [CMake] Remove glib-related Find modules and write single new one instead.
+ https://bugs.webkit.org/show_bug.cgi?id=93786
+
+ Reviewed by Rob Buis.
+
+ * shell/PlatformEfl.cmake: Use GLIB_* instead of Glib_*.
+
+2012-08-12 Allan Sandfeld Jensen <allan.jensen@nokia.com>
+
+ Doesn't build with ENABLE_JIT=0
+ https://bugs.webkit.org/show_bug.cgi?id=85042
+
+ Reviewed by Eric Seidel.
+
+ Include headers without which CallFrame.h does not build, and
+ fix gcc warning about comparing unsigned int with 0.
+
+ * dfg/DFGDriver.cpp:
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::isOpcode):
+
2012-08-10 Yong Li <yoli@rim.com>
[BlackBerry] GCActivityCallback should always schedule GC even allocated bytes is a small number
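Review bot: The 2012-08-20 entry for bug 94538 has a summary with no verb ("...when-both-proven-final-object.html on 32-bit"), and neither it nor the sibling entry for bug 94026 ("crashes on 32-bit") says what was changed in compilePeepHoleObjectToObjectOrOtherEquality or compileObjectToObjectOrOtherEquality; state the failure in the first and add a one-line description of the fix to both, so the 32-bit speculative JIT change can be audited from the log. The 2012-08-15 rollout of r125687 gives only "It broke the whole world" as its reason, and its file list mirrors the 2012-08-14 MasqueradesAsUndefined entry below it; naming the failing tests or ports would tell a reader whether that cross-JSGlobalObject behaviour change is in effect in this snapshot. In the 2012-08-19 entry for bug 94205, "arrising" should be "arising".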