<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[161398] branches/jsCStack/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/161398">161398</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2014-01-06 20:48:18 -0800 (Mon, 06 Jan 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge trunk <a href="http://trac.webkit.org/projects/webkit/changeset/160294">r160294</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/160295">r160295</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/160328">r160328</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/160347">r160347</a>, <a href="http://trac.webkit.org/projects/webkit/changeset/160348">r160348</a>.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchesjsCStackSourceJavaScriptCoreCMakeListstxt">branches/jsCStack/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreChangeLog">branches/jsCStack/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreGNUmakefilelistam">branches/jsCStack/Source/JavaScriptCore/GNUmakefile.list.am</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj">branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCorebytecodeCodeOrigincpp">branches/jsCStack/Source/JavaScriptCore/bytecode/CodeOrigin.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCorebytecodeExitKindcpp">branches/jsCStack/Source/JavaScriptCore/bytecode/ExitKind.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCorebytecodeExitKindh">branches/jsCStack/Source/JavaScriptCore/bytecode/ExitKind.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">branches/jsCStack/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGArrayModecpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGArrayMode.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGArrayModeh">branches/jsCStack/Source/JavaScriptCore/dfg/DFGArrayMode.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGCSEPhasecpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGClobberizeh">branches/jsCStack/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGFixupPhasecpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGGraphcpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGGraph.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGNodeh">branches/jsCStack/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGNodeTypeh">branches/jsCStack/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGOSRExitBaseh">branches/jsCStack/Source/JavaScriptCore/dfg/DFGOSRExitBase.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGPlancpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGPlan.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGSSAConversionPhasecpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGSafeToExecuteh">branches/jsCStack/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGSpeculativeJITcpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGSpeculativeJITh">branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGStrengthReductionPhasecpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGValidatecpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGValidate.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGWatchpointCollectionPhasecpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreftlFTLCapabilitiescpp">branches/jsCStack/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreftlFTLIntrinsicRepositoryh">branches/jsCStack/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">branches/jsCStack/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreftlFTLOutputh">branches/jsCStack/Source/JavaScriptCore/ftl/FTLOutput.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreruntimeJSObjectcpp">branches/jsCStack/Source/JavaScriptCore/runtime/JSObject.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreruntimeJSObjecth">branches/jsCStack/Source/JavaScriptCore/runtime/JSObject.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGSSALoweringPhasecpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGSSALoweringPhaseh">branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoretestsstressfloat32arrayoutofboundsjs">branches/jsCStack/Source/JavaScriptCore/tests/stress/float32array-out-of-bounds.js</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoretestsstressint32objectoutofboundsjs">branches/jsCStack/Source/JavaScriptCore/tests/stress/int32-object-out-of-bounds.js</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoretestsstressint32outofboundsjs">branches/jsCStack/Source/JavaScriptCore/tests/stress/int32-out-of-bounds.js</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoretestsstressuntypedequalityjs">branches/jsCStack/Source/JavaScriptCore/tests/stress/untyped-equality.js</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoretestsstressuntypedlessthanjs">branches/jsCStack/Source/JavaScriptCore/tests/stress/untyped-less-than.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchesjsCStackSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/CMakeLists.txt (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/CMakeLists.txt        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/CMakeLists.txt        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -162,6 +162,7 @@
</span><span class="cx">     dfg/DFGPredictionPropagationPhase.cpp
</span><span class="cx">     dfg/DFGResurrectionForValidationPhase.cpp
</span><span class="cx">     dfg/DFGSSAConversionPhase.cpp
</span><ins>+    dfg/DFGSSALoweringPhase.cpp
</ins><span class="cx">     dfg/DFGSpeculativeJIT.cpp
</span><span class="cx">     dfg/DFGSpeculativeJIT32_64.cpp
</span><span class="cx">     dfg/DFGSpeculativeJIT64.cpp
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ChangeLog (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ChangeLog        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/ChangeLog        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -1,5 +1,9 @@
</span><span class="cx"> 2014-01-06  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        Merge trunk r160294, r160295, r160328, r160347, r160348.
+
+2014-01-06  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
</ins><span class="cx">         Finish merging r160292: add more forgotten files.
</span><span class="cx"> 
</span><span class="cx">         * tests/stress/fold-typed-array-properties.js: Added.
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreGNUmakefilelistam"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/GNUmakefile.list.am (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/GNUmakefile.list.am        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/GNUmakefile.list.am        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -378,6 +378,8 @@
</span><span class="cx">         Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h \
</span><span class="cx">         Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp \
</span><span class="cx">         Source/JavaScriptCore/dfg/DFGSSAConversionPhase.h \
</span><ins>+        Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp \
+        Source/JavaScriptCore/dfg/DFGSSALoweringPhase.h \
</ins><span class="cx">         Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp \
</span><span class="cx">         Source/JavaScriptCore/dfg/DFGStackLayoutPhase.h \
</span><span class="cx">         Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp \
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -411,6 +411,7 @@
</span><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGSpeculativeJIT32_64.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGSpeculativeJIT64.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGSSAConversionPhase.cpp&quot; /&gt;
</span><ins>+    &lt;ClCompile Include=&quot;..\dfg\DFGSSALoweringPhase.cpp&quot; /&gt;
</ins><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGStackLayoutPhase.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGStrengthReductionPhase.cpp&quot; /&gt;
</span><span class="cx">     &lt;ClCompile Include=&quot;..\dfg\DFGThunks.cpp&quot; /&gt;
</span><span class="lines">@@ -919,6 +920,7 @@
</span><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGSlowPathGenerator.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGSpeculativeJIT.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGSSAConversionPhase.h&quot; /&gt;
</span><ins>+    &lt;ClInclude Include=&quot;..\dfg\DFGSSALoweringPhase.h&quot; /&gt;
</ins><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGStackLayoutPhase.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGStrengthReductionPhase.h&quot; /&gt;
</span><span class="cx">     &lt;ClInclude Include=&quot;..\dfg\DFGStructureAbstractValue.h&quot; /&gt;
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -393,6 +393,8 @@
</span><span class="cx">                 0FC097A2146B28CC00CF2442 /* DFGThunks.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FC097A0146B28C700CF2442 /* DFGThunks.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0FC20CB51852E2C600C9E954 /* DFGStrengthReductionPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FC20CB31852E2C600C9E954 /* DFGStrengthReductionPhase.cpp */; };
</span><span class="cx">                 0FC20CB61852E2C600C9E954 /* DFGStrengthReductionPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FC20CB41852E2C600C9E954 /* DFGStrengthReductionPhase.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+                0FC20CB918556A3500C9E954 /* DFGSSALoweringPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FC20CB718556A3500C9E954 /* DFGSSALoweringPhase.cpp */; };
+                0FC20CBA18556A3500C9E954 /* DFGSSALoweringPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FC20CB818556A3500C9E954 /* DFGSSALoweringPhase.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">                 0FC314121814559100033232 /* RegisterSet.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FC314101814559100033232 /* RegisterSet.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0FC314131814559100033232 /* TempRegisterSet.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FC314111814559100033232 /* TempRegisterSet.cpp */; };
</span><span class="cx">                 0FC3141518146D7000033232 /* RegisterSet.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FC3141418146D7000033232 /* RegisterSet.cpp */; };
</span><span class="lines">@@ -1729,6 +1731,8 @@
</span><span class="cx">                 0FC097A0146B28C700CF2442 /* DFGThunks.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGThunks.h; path = dfg/DFGThunks.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0FC20CB31852E2C600C9E954 /* DFGStrengthReductionPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGStrengthReductionPhase.cpp; path = dfg/DFGStrengthReductionPhase.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0FC20CB41852E2C600C9E954 /* DFGStrengthReductionPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGStrengthReductionPhase.h; path = dfg/DFGStrengthReductionPhase.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><ins>+                0FC20CB718556A3500C9E954 /* DFGSSALoweringPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGSSALoweringPhase.cpp; path = dfg/DFGSSALoweringPhase.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
+                0FC20CB818556A3500C9E954 /* DFGSSALoweringPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGSSALoweringPhase.h; path = dfg/DFGSSALoweringPhase.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</ins><span class="cx">                 0FC314101814559100033232 /* RegisterSet.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RegisterSet.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0FC314111814559100033232 /* TempRegisterSet.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TempRegisterSet.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0FC3141418146D7000033232 /* RegisterSet.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = RegisterSet.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -4001,6 +4005,8 @@
</span><span class="cx">                                 86880F4C14353B2100B08D42 /* DFGSpeculativeJIT64.cpp */,
</span><span class="cx">                                 A7D89CF017A0B8CC00773AD8 /* DFGSSAConversionPhase.cpp */,
</span><span class="cx">                                 A7D89CF117A0B8CC00773AD8 /* DFGSSAConversionPhase.h */,
</span><ins>+                                0FC20CB718556A3500C9E954 /* DFGSSALoweringPhase.cpp */,
+                                0FC20CB818556A3500C9E954 /* DFGSSALoweringPhase.h */,
</ins><span class="cx">                                 0F9FB4F217FCB91700CB67F8 /* DFGStackLayoutPhase.cpp */,
</span><span class="cx">                                 0F9FB4F317FCB91700CB67F8 /* DFGStackLayoutPhase.h */,
</span><span class="cx">                                 0FC20CB31852E2C600C9E954 /* DFGStrengthReductionPhase.cpp */,
</span><span class="lines">@@ -4426,6 +4432,7 @@
</span><span class="cx">                                 A73E1331179624CD00E4DEA8 /* DFGDesiredStructureChains.h in Headers */,
</span><span class="cx">                                 C2C0F7CE17BBFC5B00464FE4 /* DFGDesiredTransitions.h in Headers */,
</span><span class="cx">                                 0FE8534C1723CDA500B618F5 /* DFGDesiredWatchpoints.h in Headers */,
</span><ins>+                                0FC20CBA18556A3500C9E954 /* DFGSSALoweringPhase.h in Headers */,
</ins><span class="cx">                                 C2981FD917BAEE4B00A3BC98 /* DFGDesiredWeakReferences.h in Headers */,
</span><span class="cx">                                 C2981FDD17BAFF4400A3BC98 /* DFGDesiredWriteBarriers.h in Headers */,
</span><span class="cx">                                 0FF427651591A1CE004CB9FF /* DFGDisassembler.h in Headers */,
</span><span class="lines">@@ -5770,6 +5777,7 @@
</span><span class="cx">                                 969A079A0ED1D3AE00F1F681 /* Opcode.cpp in Sources */,
</span><span class="cx">                                 14280850107EC0D70013E7B2 /* Operations.cpp in Sources */,
</span><span class="cx">                                 0FE228EE1436AB2C00196C48 /* Options.cpp in Sources */,
</span><ins>+                                0FC20CB918556A3500C9E954 /* DFGSSALoweringPhase.cpp in Sources */,
</ins><span class="cx">                                 148F21BC107EC54D0042EC2C /* Parser.cpp in Sources */,
</span><span class="cx">                                 93052C340FB792190048FDC3 /* ParserArena.cpp in Sources */,
</span><span class="cx">                                 0F9FC8C314E1B5FE00D52AE0 /* PolymorphicPutByIdList.cpp in Sources */,
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCorebytecodeCodeOrigincpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/bytecode/CodeOrigin.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/bytecode/CodeOrigin.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/bytecode/CodeOrigin.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -59,6 +59,11 @@
</span><span class="cx"> 
</span><span class="cx"> void CodeOrigin::dump(PrintStream&amp; out) const
</span><span class="cx"> {
</span><ins>+    if (!isSet()) {
+        out.print(&quot;&lt;none&gt;&quot;);
+        return;
+    }
+    
</ins><span class="cx">     Vector&lt;CodeOrigin&gt; stack = inlineStack();
</span><span class="cx">     for (unsigned i = 0; i &lt; stack.size(); ++i) {
</span><span class="cx">         if (i)
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCorebytecodeExitKindcpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/bytecode/ExitKind.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/bytecode/ExitKind.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/bytecode/ExitKind.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -64,8 +64,6 @@
</span><span class="cx">         return &quot;LoadFromHole&quot;;
</span><span class="cx">     case OutOfBounds:
</span><span class="cx">         return &quot;OutOfBounds&quot;;
</span><del>-    case StoreToHoleOrOutOfBounds:
-        return &quot;StoreToHoleOrOutOfBounds&quot;;
</del><span class="cx">     case InadequateCoverage:
</span><span class="cx">         return &quot;InadequateCoverage&quot;;
</span><span class="cx">     case ArgumentsEscaped:
</span><span class="lines">@@ -96,7 +94,6 @@
</span><span class="cx">     case LoadFromHole: // Already counted directly by the baseline JIT.
</span><span class="cx">     case StoreToHole: // Already counted directly by the baseline JIT.
</span><span class="cx">     case OutOfBounds: // Already counted directly by the baseline JIT.
</span><del>-    case StoreToHoleOrOutOfBounds: // Already counted directly by the baseline JIT.
</del><span class="cx">         return false;
</span><span class="cx">     default:
</span><span class="cx">         return true;
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCorebytecodeExitKindh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/bytecode/ExitKind.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/bytecode/ExitKind.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/bytecode/ExitKind.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -44,7 +44,6 @@
</span><span class="cx">     StoreToHole, // We had a store to a hole.
</span><span class="cx">     LoadFromHole, // We had a load from a hole.
</span><span class="cx">     OutOfBounds, // We had an out-of-bounds access to an array.
</span><del>-    StoreToHoleOrOutOfBounds, // We're simultaneously speculating that we're in bounds and not accessing a hole, and one of those things didn't pan out.
</del><span class="cx">     InadequateCoverage, // We exited because we ended up in code that didn't have profiling coverage.
</span><span class="cx">     ArgumentsEscaped, // We exited because arguments escaped but we didn't expect them to.
</span><span class="cx">     NotStringObject, // We exited because we shouldn't have attempted to optimize string object access.
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -1440,7 +1440,8 @@
</span><span class="cx">         m_state.setHaveStructures(true);
</span><span class="cx">         break;
</span><span class="cx">     }
</span><del>-    case GetIndexedPropertyStorage: {
</del><ins>+    case GetIndexedPropertyStorage:
+    case ConstantStoragePointer: {
</ins><span class="cx">         forNode(node).clear();
</span><span class="cx">         break; 
</span><span class="cx">     }
</span><span class="lines">@@ -1472,6 +1473,19 @@
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><ins>+    case CheckInBounds: {
+        JSValue left = forNode(node-&gt;child1()).value();
+        JSValue right = forNode(node-&gt;child2()).value();
+        if (left &amp;&amp; right &amp;&amp; left.isInt32() &amp;&amp; right.isInt32()
+            &amp;&amp; static_cast&lt;uint32_t&gt;(left.asInt32()) &lt; static_cast&lt;uint32_t&gt;(right.asInt32())) {
+            m_state.setFoundConstants(true);
+            break;
+        }
+        
+        node-&gt;setCanExit(true);
+        break;
+    }
+        
</ins><span class="cx">     case PutById:
</span><span class="cx">     case PutByIdDirect:
</span><span class="cx">         node-&gt;setCanExit(true);
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGArrayModecpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGArrayMode.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGArrayMode.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGArrayMode.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -548,6 +548,36 @@
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+bool permitsBoundsCheckLowering(Array::Type type)
+{
+    switch (type) {
+    case Array::Int32:
+    case Array::Double:
+    case Array::Contiguous:
+    case Array::Int8Array:
+    case Array::Int16Array:
+    case Array::Int32Array:
+    case Array::Uint8Array:
+    case Array::Uint8ClampedArray:
+    case Array::Uint16Array:
+    case Array::Uint32Array:
+    case Array::Float32Array:
+    case Array::Float64Array:
+        return true;
+    default:
+        // These don't allow for bounds check lowering either because the bounds
+        // check involves something other than GetArrayLength (like ArrayStorage),
+        // or because the bounds check isn't a speculation (like String, sort of),
+        // or because the type implies an impure access.
+        return false;
+    }
+}
+
+bool ArrayMode::permitsBoundsCheckLowering() const
+{
+    return DFG::permitsBoundsCheckLowering(type()) &amp;&amp; isInBounds();
+}
+
</ins><span class="cx"> void ArrayMode::dump(PrintStream&amp; out) const
</span><span class="cx"> {
</span><span class="cx">     out.print(type(), arrayClass(), speculation(), conversion());
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGArrayModeh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGArrayMode.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGArrayMode.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGArrayMode.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -110,6 +110,8 @@
</span><span class="cx"> TypedArrayType toTypedArrayType(Array::Type);
</span><span class="cx"> Array::Type toArrayType(TypedArrayType);
</span><span class="cx"> 
</span><ins>+bool permitsBoundsCheckLowering(Array::Type);
+
</ins><span class="cx"> class ArrayMode {
</span><span class="cx"> public:
</span><span class="cx">     ArrayMode()
</span><span class="lines">@@ -292,7 +294,17 @@
</span><span class="cx">     
</span><span class="cx">     bool lengthNeedsStorage() const
</span><span class="cx">     {
</span><del>-        return isJSArray();
</del><ins>+        switch (type()) {
+        case Array::Undecided:
+        case Array::Int32:
+        case Array::Double:
+        case Array::Contiguous:
+        case Array::ArrayStorage:
+        case Array::SlowPutArrayStorage:
+            return true;
+        default:
+            return false;
+        }
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     ArrayMode modeForPut() const
</span><span class="lines">@@ -342,6 +354,8 @@
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    bool permitsBoundsCheckLowering() const;
+    
</ins><span class="cx">     bool benefitsFromOriginalArray() const
</span><span class="cx">     {
</span><span class="cx">         switch (type()) {
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGCSEPhasecpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -48,15 +48,21 @@
</span><span class="cx">     
</span><span class="cx">     bool run()
</span><span class="cx">     {
</span><del>-        ASSERT((cseMode == NormalCSE) == (m_graph.m_fixpointState == FixpointNotConverged));
</del><span class="cx">         ASSERT(m_graph.m_fixpointState != BeforeFixpoint);
</span><span class="cx">         
</span><span class="cx">         m_changed = false;
</span><span class="cx">         
</span><span class="cx">         m_graph.clearReplacements();
</span><span class="cx">         
</span><del>-        for (unsigned blockIndex = 0; blockIndex &lt; m_graph.numBlocks(); ++blockIndex)
-            performBlockCSE(m_graph.block(blockIndex));
</del><ins>+        if (m_graph.m_form == SSA) {
+            Vector&lt;BasicBlock*&gt; depthFirst;
+            m_graph.getBlocksInDepthFirstOrder(depthFirst);
+            for (unsigned i = 0; i &lt; depthFirst.size(); ++i)
+                performBlockCSE(depthFirst[i]);
+        } else {
+            for (unsigned blockIndex = 0; blockIndex &lt; m_graph.numBlocks(); ++blockIndex)
+                performBlockCSE(m_graph.block(blockIndex));
+        }
</ins><span class="cx">         
</span><span class="cx">         return m_changed;
</span><span class="cx">     }
</span><span class="lines">@@ -162,6 +168,21 @@
</span><span class="cx">         return 0;
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    Node* constantStoragePointerCSE(Node* node)
+    {
+        for (unsigned i = endIndexForPureCSE(); i--;) {
+            Node* otherNode = m_currentBlock-&gt;at(i);
+            if (otherNode-&gt;op() != ConstantStoragePointer)
+                continue;
+            
+            if (otherNode-&gt;storagePointer() != node-&gt;storagePointer())
+                continue;
+            
+            return otherNode;
+        }
+        return 0;
+    }
+    
</ins><span class="cx">     Node* getCalleeLoadElimination()
</span><span class="cx">     {
</span><span class="cx">         for (unsigned i = m_indexInBlock; i--;) {
</span><span class="lines">@@ -1000,8 +1021,10 @@
</span><span class="cx">         if (cseMode == NormalCSE)
</span><span class="cx">             m_graph.performSubstitution(node);
</span><span class="cx">         
</span><del>-        if (node-&gt;op() == SetLocal)
</del><ins>+        if (node-&gt;containsMovHint()) {
+            ASSERT(node-&gt;op() != ZombieHint);
</ins><span class="cx">             node-&gt;child1()-&gt;mergeFlags(NodeRelevantToOSR);
</span><ins>+        }
</ins><span class="cx">         
</span><span class="cx">         switch (node-&gt;op()) {
</span><span class="cx">         
</span><span class="lines">@@ -1105,6 +1128,11 @@
</span><span class="cx">         }
</span><span class="cx">             
</span><span class="cx">         case Flush: {
</span><ins>+            if (m_graph.m_form == SSA) {
+                // FIXME: Enable Flush store elimination in SSA form.
+                // https://bugs.webkit.org/show_bug.cgi?id=125429
+                break;
+            }
</ins><span class="cx">             VariableAccessData* variableAccessData = node-&gt;variableAccessData();
</span><span class="cx">             VirtualRegister local = variableAccessData-&gt;local();
</span><span class="cx">             Node* replacement = node-&gt;child1().node();
</span><span class="lines">@@ -1154,6 +1182,12 @@
</span><span class="cx">             setReplacement(weakConstantCSE(node));
</span><span class="cx">             break;
</span><span class="cx">             
</span><ins>+        case ConstantStoragePointer:
+            if (cseMode == StoreElimination)
+                break;
+            setReplacement(constantStoragePointerCSE(node));
+            break;
+            
</ins><span class="cx">         case GetArrayLength:
</span><span class="cx">             if (cseMode == StoreElimination)
</span><span class="cx">                 break;
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGClobberize.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGClobberize.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGClobberize.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -116,6 +116,8 @@
</span><span class="cx">     case ExtractOSREntryLocal:
</span><span class="cx">     case Int52ToDouble:
</span><span class="cx">     case Int52ToValue:
</span><ins>+    case CheckInBounds:
+    case ConstantStoragePointer:
</ins><span class="cx">         return;
</span><span class="cx">         
</span><span class="cx">     case MovHintAndCheck:
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -142,6 +142,19 @@
</span><span class="cx">                 break;
</span><span class="cx">             }
</span><span class="cx">                 
</span><ins>+            case CheckInBounds: {
+                JSValue left = m_state.forNode(node-&gt;child1()).value();
+                JSValue right = m_state.forNode(node-&gt;child2()).value();
+                if (left &amp;&amp; right &amp;&amp; left.isInt32() &amp;&amp; right.isInt32()
+                    &amp;&amp; static_cast&lt;uint32_t&gt;(left.asInt32()) &lt; static_cast&lt;uint32_t&gt;(right.asInt32())) {
+                    node-&gt;convertToPhantom();
+                    eliminated = true;
+                    break;
+                }
+                
+                break;
+            }
+        
</ins><span class="cx">             case GetById:
</span><span class="cx">             case GetByIdFlush: {
</span><span class="cx">                 CodeOrigin codeOrigin = node-&gt;codeOrigin;
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -877,6 +877,11 @@
</span><span class="cx">         case Int52ToValue:
</span><span class="cx">         case InvalidationPoint:
</span><span class="cx">         case CheckArray:
</span><ins>+        case CheckInBounds:
+        case ConstantStoragePointer:
+            // These are just nodes that we don't currently expect to see during fixup.
+            // If we ever wanted to insert them prior to fixup, then we just have to create
+            // fixup rules for them.
</ins><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">             break;
</span><span class="cx"> 
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGGraphcpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGGraph.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGGraph.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGGraph.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -292,6 +292,12 @@
</span><span class="cx">         out.print(comma, &quot;^&quot;, node-&gt;phi()-&gt;index());
</span><span class="cx">     if (node-&gt;hasExecutionCounter())
</span><span class="cx">         out.print(comma, RawPointer(node-&gt;executionCounter()));
</span><ins>+    if (node-&gt;hasVariableWatchpointSet())
+        out.print(comma, RawPointer(node-&gt;variableWatchpointSet()));
+    if (node-&gt;hasTypedArray())
+        out.print(comma, inContext(JSValue(node-&gt;typedArray()), context));
+    if (node-&gt;hasStoragePointer())
+        out.print(comma, RawPointer(node-&gt;storagePointer()));
</ins><span class="cx">     if (op == JSConstant) {
</span><span class="cx">         out.print(comma, &quot;$&quot;, node-&gt;constantNumber());
</span><span class="cx">         JSValue value = valueOfJSConstant(node);
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGNode.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGNode.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGNode.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -407,6 +407,13 @@
</span><span class="cx">         children.reset();
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    void convertToConstantStoragePointer(void* pointer)
+    {
+        ASSERT(op() == GetIndexedPropertyStorage);
+        m_op = ConstantStoragePointer;
+        m_opInfo = bitwise_cast&lt;uintptr_t&gt;(pointer);
+    }
+    
</ins><span class="cx">     void convertToGetLocalUnlinked(VirtualRegister local)
</span><span class="cx">     {
</span><span class="cx">         m_op = GetLocalUnlinked;
</span><span class="lines">@@ -982,6 +989,16 @@
</span><span class="cx">     {
</span><span class="cx">         return reinterpret_cast&lt;JSArrayBufferView*&gt;(m_opInfo);
</span><span class="cx">     }
</span><ins>+    
+    bool hasStoragePointer()
+    {
+        return op() == ConstantStoragePointer;
+    }
+    
+    void* storagePointer()
+    {
+        return reinterpret_cast&lt;void*&gt;(m_opInfo);
+    }
</ins><span class="cx"> 
</span><span class="cx">     bool hasStructureTransitionData()
</span><span class="cx">     {
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGNodeType.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGNodeType.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGNodeType.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -171,6 +171,7 @@
</span><span class="cx">     macro(Arrayify, NodeMustGenerate) \
</span><span class="cx">     macro(ArrayifyToStructure, NodeMustGenerate) \
</span><span class="cx">     macro(GetIndexedPropertyStorage, NodeResultStorage) \
</span><ins>+    macro(ConstantStoragePointer, NodeResultStorage) \
</ins><span class="cx">     macro(TypedArrayWatchpoint, NodeMustGenerate) \
</span><span class="cx">     macro(GetByOffset, NodeResultJS) \
</span><span class="cx">     macro(PutByOffset, NodeMustGenerate) \
</span><span class="lines">@@ -191,6 +192,7 @@
</span><span class="cx">     macro(FunctionReentryWatchpoint, NodeMustGenerate) \
</span><span class="cx">     macro(CheckFunction, NodeMustGenerate) \
</span><span class="cx">     macro(AllocationProfileWatchpoint, NodeMustGenerate) \
</span><ins>+    macro(CheckInBounds, NodeMustGenerate) \
</ins><span class="cx">     \
</span><span class="cx">     /* Optimizations for array mutation. */\
</span><span class="cx">     macro(ArrayPush, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGOSRExitBaseh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGOSRExitBase.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGOSRExitBase.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGOSRExitBase.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -48,6 +48,8 @@
</span><span class="cx">         , m_codeOrigin(origin)
</span><span class="cx">         , m_codeOriginForExitProfile(originForProfile)
</span><span class="cx">     {
</span><ins>+        ASSERT(m_codeOrigin.isSet());
+        ASSERT(m_codeOriginForExitProfile.isSet());
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     ExitKind m_kind;
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGPlancpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGPlan.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGPlan.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGPlan.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -52,6 +52,7 @@
</span><span class="cx"> #include &quot;DFGPredictionPropagationPhase.h&quot;
</span><span class="cx"> #include &quot;DFGResurrectionForValidationPhase.h&quot;
</span><span class="cx"> #include &quot;DFGSSAConversionPhase.h&quot;
</span><ins>+#include &quot;DFGSSALoweringPhase.h&quot;
</ins><span class="cx"> #include &quot;DFGStackLayoutPhase.h&quot;
</span><span class="cx"> #include &quot;DFGStrengthReductionPhase.h&quot;
</span><span class="cx"> #include &quot;DFGTierUpCheckInjectionPhase.h&quot;
</span><span class="lines">@@ -266,9 +267,11 @@
</span><span class="cx">         performLoopPreHeaderCreation(dfg);
</span><span class="cx">         performCPSRethreading(dfg);
</span><span class="cx">         performSSAConversion(dfg);
</span><ins>+        performSSALowering(dfg);
</ins><span class="cx">         performLivenessAnalysis(dfg);
</span><span class="cx">         performCFA(dfg);
</span><span class="cx">         performLICM(dfg);
</span><ins>+        performCSE(dfg);
</ins><span class="cx">         performLivenessAnalysis(dfg);
</span><span class="cx">         performCFA(dfg);
</span><span class="cx">         if (Options::validateFTLOSRExitLiveness())
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -510,7 +510,8 @@
</span><span class="cx">         case CheckTierUpAndOSREnter:
</span><span class="cx">         case InvalidationPoint:
</span><span class="cx">         case Int52ToValue:
</span><del>-        case Int52ToDouble: {
</del><ins>+        case Int52ToDouble:
+        case CheckInBounds: {
</ins><span class="cx">             // This node should never be visible at this stage of compilation. It is
</span><span class="cx">             // inserted by fixup(), which follows this phase.
</span><span class="cx">             RELEASE_ASSERT_NOT_REACHED();
</span><span class="lines">@@ -578,6 +579,7 @@
</span><span class="cx">         case NotifyWrite:
</span><span class="cx">         case FunctionReentryWatchpoint:
</span><span class="cx">         case TypedArrayWatchpoint:
</span><ins>+        case ConstantStoragePointer:
</ins><span class="cx">             break;
</span><span class="cx">             
</span><span class="cx">         // This gets ignored because it already has a prediction.
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGSSAConversionPhasecpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -153,7 +153,7 @@
</span><span class="cx">                         NodeFlags result = resultFor(format);
</span><span class="cx">                         UseKind useKind = useKindFor(format);
</span><span class="cx">                         
</span><del>-                        node = m_insertionSet.insertNode(0, SpecNone, Phi, node-&gt;codeOrigin);
</del><ins>+                        node = m_insertionSet.insertNode(0, SpecNone, Phi, CodeOrigin());
</ins><span class="cx">                         node-&gt;mergeFlags(result);
</span><span class="cx">                         RELEASE_ASSERT((node-&gt;flags() &amp; NodeResultMask) == result);
</span><span class="cx">                         
</span><span class="lines">@@ -186,7 +186,7 @@
</span><span class="cx">                             // the value was already on the stack.
</span><span class="cx">                         } else {
</span><span class="cx">                             m_insertionSet.insertNode(
</span><del>-                                0, SpecNone, MovHint, node-&gt;codeOrigin, OpInfo(variable),
</del><ins>+                                0, SpecNone, MovHint, CodeOrigin(), OpInfo(variable),
</ins><span class="cx">                                 Edge(node));
</span><span class="cx">                         }
</span><span class="cx">                     }
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGSSALoweringPhasecpp"></a>
<div class="addfile"><h4>Added: branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp (0 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp                                (rev 0)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -0,0 +1,119 @@
</span><ins>+/*
+ * Copyright (C) 2013 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include &quot;config.h&quot;
+#include &quot;DFGSSALoweringPhase.h&quot;
+
+#if ENABLE(DFG_JIT)
+
+#include &quot;DFGBasicBlockInlines.h&quot;
+#include &quot;DFGGraph.h&quot;
+#include &quot;DFGInsertionSet.h&quot;
+#include &quot;DFGPhase.h&quot;
+#include &quot;Operations.h&quot;
+
+namespace JSC { namespace DFG {
+
+class SSALoweringPhase : public Phase {
+    static const bool verbose = false;
+    
+public:
+    SSALoweringPhase(Graph&amp; graph)
+        : Phase(graph, &quot;SSA lowering&quot;)
+        , m_insertionSet(graph)
+    {
+    }
+    
+    bool run()
+    {
+        RELEASE_ASSERT(m_graph.m_form == SSA);
+        
+        for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
+            m_block = m_graph.block(blockIndex);
+            if (!m_block)
+                continue;
+            for (m_nodeIndex = 0; m_nodeIndex &lt; m_block-&gt;size(); ++m_nodeIndex) {
+                m_node = m_block-&gt;at(m_nodeIndex);
+                handleNode();
+            }
+            m_insertionSet.execute(m_block);
+        }
+
+        return true;
+    }
+
+private:
+    void handleNode()
+    {
+        switch (m_node-&gt;op()) {
+        case GetByVal:
+            lowerBoundsCheck(m_node-&gt;child1(), m_node-&gt;child2(), m_node-&gt;child3());
+            break;
+            
+        case PutByVal:
+        case PutByValDirect:
+            lowerBoundsCheck(
+                m_graph.varArgChild(m_node, 0),
+                m_graph.varArgChild(m_node, 1),
+                m_graph.varArgChild(m_node, 3));
+            break;
+            
+        default:
+            break;
+        }
+    }
+    
+    void lowerBoundsCheck(Edge base, Edge index, Edge storage)
+    {
+        if (!m_node-&gt;arrayMode().permitsBoundsCheckLowering())
+            return;
+        
+        if (!m_node-&gt;arrayMode().lengthNeedsStorage())
+            storage = Edge();
+        
+        Node* length = m_insertionSet.insertNode(
+            m_nodeIndex, SpecInt32, GetArrayLength, m_node-&gt;codeOrigin,
+            OpInfo(m_node-&gt;arrayMode().asWord()), base, storage);
+        m_insertionSet.insertNode(
+            m_nodeIndex, SpecInt32, CheckInBounds, m_node-&gt;codeOrigin,
+            index, Edge(length, KnownInt32Use));
+    }
+    
+    InsertionSet m_insertionSet;
+    BasicBlock* m_block;
+    unsigned m_nodeIndex;
+    Node* m_node;
+};
+
+bool performSSALowering(Graph&amp; graph)
+{
+    SamplingRegion samplingRegion(&quot;DFG SSA Lowering Phase&quot;);
+    return runPhase&lt;SSALoweringPhase&gt;(graph);
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGSSALoweringPhaseh"></a>
<div class="addfile"><h4>Added: branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.h (0 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.h                                (rev 0)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -0,0 +1,45 @@
</span><ins>+/*
+ * Copyright (C) 2013 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#ifndef DFGSSALoweringPhase_h
+#define DFGSSALoweringPhase_h
+
+#if ENABLE(DFG_JIT)
+
+namespace JSC { namespace DFG {
+
+class Graph;
+
+// Performs DFG-&gt;DFG lowerings that are only appropriate for SSA form and the FTL
+// backend. This is intended to be run after SSAConversionPhase.
+
+bool performSSALowering(Graph&amp;);
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
+#endif // DFGSSALoweringPhase_h
+
</ins></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -245,6 +245,8 @@
</span><span class="cx">     case NotifyWrite:
</span><span class="cx">     case FunctionReentryWatchpoint:
</span><span class="cx">     case TypedArrayWatchpoint:
</span><ins>+    case CheckInBounds:
+    case ConstantStoragePointer:
</ins><span class="cx">         return true;
</span><span class="cx">         
</span><span class="cx">     case GetByVal:
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -1742,7 +1742,7 @@
</span><span class="cx">     
</span><span class="cx">     if (arrayMode.isInBounds()) {
</span><span class="cx">         speculationCheck(
</span><del>-            StoreToHoleOrOutOfBounds, JSValueRegs(), 0,
</del><ins>+            OutOfBounds, JSValueRegs(), 0,
</ins><span class="cx">             m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
</span><span class="cx">     } else {
</span><span class="cx">         MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
</span><span class="lines">@@ -4044,26 +4044,16 @@
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool SpeculativeJIT::compileConstantIndexedPropertyStorage(Node* node)
</del><ins>+void SpeculativeJIT::compileConstantStoragePointer(Node* node)
</ins><span class="cx"> {
</span><del>-    JSArrayBufferView* view = m_jit.graph().tryGetFoldableViewForChild1(node);
-    if (!view)
-        return false;
-    if (view-&gt;mode() == FastTypedArray)
-        return false;
-    
</del><span class="cx">     GPRTemporary storage(this);
</span><span class="cx">     GPRReg storageGPR = storage.gpr();
</span><del>-    m_jit.move(TrustedImmPtr(view-&gt;vector()), storageGPR);
</del><ins>+    m_jit.move(TrustedImmPtr(node-&gt;storagePointer()), storageGPR);
</ins><span class="cx">     storageResult(storageGPR, node);
</span><del>-    return true;
</del><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::compileGetIndexedPropertyStorage(Node* node)
</span><span class="cx"> {
</span><del>-    if (compileConstantIndexedPropertyStorage(node))
-        return;
-    
</del><span class="cx">     SpeculateCellOperand base(this, node-&gt;child1());
</span><span class="cx">     GPRReg baseReg = base.gpr();
</span><span class="cx">     
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -2028,7 +2028,7 @@
</span><span class="cx">     void compileArithIMul(Node*);
</span><span class="cx">     void compileArithDiv(Node*);
</span><span class="cx">     void compileArithMod(Node*);
</span><del>-    bool compileConstantIndexedPropertyStorage(Node*);
</del><ins>+    void compileConstantStoragePointer(Node*);
</ins><span class="cx">     void compileGetIndexedPropertyStorage(Node*);
</span><span class="cx">     JITCompiler::Jump jumpForTypedArrayOutOfBounds(Node*, GPRReg baseGPR, GPRReg indexGPR);
</span><span class="cx">     void emitTypedArrayBoundsCheck(Node*, GPRReg baseGPR, GPRReg indexGPR);
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -1767,7 +1767,7 @@
</span><span class="cx"> 
</span><span class="cx">     if (arrayMode.isInBounds()) {
</span><span class="cx">         speculationCheck(
</span><del>-            StoreToHoleOrOutOfBounds, JSValueRegs(), 0,
</del><ins>+            OutOfBounds, JSValueRegs(), 0,
</ins><span class="cx">             m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
</span><span class="cx">     } else {
</span><span class="cx">         MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
</span><span class="lines">@@ -3946,6 +3946,11 @@
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    case ConstantStoragePointer: {
+        compileConstantStoragePointer(node);
+        break;
+    }
+        
</ins><span class="cx">     case GetTypedArrayByteOffset: {
</span><span class="cx">         compileGetTypedArrayByteOffset(node);
</span><span class="cx">         break;
</span><span class="lines">@@ -4762,6 +4767,7 @@
</span><span class="cx">     case CheckTierUpAndOSREnter:
</span><span class="cx">     case Int52ToDouble:
</span><span class="cx">     case Int52ToValue:
</span><ins>+    case CheckInBounds:
</ins><span class="cx">         RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">         break;
</span><span class="cx">     }
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -485,6 +485,7 @@
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::nonSpeculativeNonPeepholeCompare(Node* node, MacroAssembler::RelationalCondition cond, S_JITOperation_EJJ helperFunction)
</span><span class="cx"> {
</span><ins>+    ASSERT(node-&gt;isBinaryUseKind(UntypedUse));
</ins><span class="cx">     JSValueOperand arg1(this, node-&gt;child1());
</span><span class="cx">     JSValueOperand arg2(this, node-&gt;child2());
</span><span class="cx">     GPRReg arg1GPR = arg1.gpr();
</span><span class="lines">@@ -2952,7 +2953,7 @@
</span><span class="cx">             
</span><span class="cx">             if (arrayMode.isInBounds()) {
</span><span class="cx">                 speculationCheck(
</span><del>-                    StoreToHoleOrOutOfBounds, JSValueRegs(), 0,
</del><ins>+                    OutOfBounds, JSValueRegs(), 0,
</ins><span class="cx">                     m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
</span><span class="cx">             } else {
</span><span class="cx">                 MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength()));
</span><span class="lines">@@ -4233,6 +4234,11 @@
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><ins>+    case ConstantStoragePointer: {
+        compileConstantStoragePointer(node);
+        break;
+    }
+        
</ins><span class="cx">     case GetTypedArrayByteOffset: {
</span><span class="cx">         compileGetTypedArrayByteOffset(node);
</span><span class="cx">         break;
</span><span class="lines">@@ -5050,6 +5056,7 @@
</span><span class="cx">     case Upsilon:
</span><span class="cx">     case GetArgument:
</span><span class="cx">     case ExtractOSREntryLocal:
</span><ins>+    case CheckInBounds:
</ins><span class="cx">         RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">         break;
</span><span class="cx">     }
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGStrengthReductionPhasecpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -95,9 +95,22 @@
</span><span class="cx">                 foldTypedArrayPropertyToConstant(view, jsNumber(view-&gt;byteOffset()));
</span><span class="cx">             break;
</span><span class="cx">             
</span><del>-        // FIXME: The constant-folding of GetIndexedPropertyStorage should be expressed
-        // as an IR transformation in this phase.
-        // https://bugs.webkit.org/show_bug.cgi?id=125395
</del><ins>+        case GetIndexedPropertyStorage:
+            if (JSArrayBufferView* view = m_graph.tryGetFoldableViewForChild1(m_node)) {
+                if (view-&gt;mode() != FastTypedArray) {
+                    prepareToFoldTypedArray(view);
+                    m_node-&gt;convertToConstantStoragePointer(view-&gt;vector());
+                    m_changed = true;
+                    break;
+                } else {
+                    // FIXME: It would be awesome to be able to fold the property storage for
+                    // these GC-allocated typed arrays. For now it doesn't matter because the
+                    // most common use-cases for constant typed arrays involve large arrays with
+                    // aliased buffer views.
+                    // https://bugs.webkit.org/show_bug.cgi?id=125425
+                }
+            }
+            break;
</ins><span class="cx">             
</span><span class="cx">         default:
</span><span class="cx">             break;
</span><span class="lines">@@ -106,11 +119,18 @@
</span><span class="cx">     
</span><span class="cx">     void foldTypedArrayPropertyToConstant(JSArrayBufferView* view, JSValue constant)
</span><span class="cx">     {
</span><ins>+        prepareToFoldTypedArray(view);
+        m_graph.convertToConstant(m_node, constant);
+        m_changed = true;
+    }
+    
+    void prepareToFoldTypedArray(JSArrayBufferView* view)
+    {
</ins><span class="cx">         m_insertionSet.insertNode(
</span><span class="cx">             m_nodeIndex, SpecNone, TypedArrayWatchpoint, m_node-&gt;codeOrigin,
</span><span class="cx">             OpInfo(view));
</span><del>-        m_graph.convertToConstant(m_node, constant);
-        m_changed = true;
</del><ins>+        m_insertionSet.insertNode(
+            m_nodeIndex, SpecNone, Phantom, m_node-&gt;codeOrigin, m_node-&gt;children);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     InsertionSet m_insertionSet;
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGValidatecpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGValidate.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGValidate.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGValidate.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -191,7 +191,7 @@
</span><span class="cx">             break;
</span><span class="cx">             
</span><span class="cx">         case SSA:
</span><del>-            // FIXME: Implement SSA verification.
</del><ins>+            validateSSA();
</ins><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="lines">@@ -398,6 +398,40 @@
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    void validateSSA()
+    {
+        // FIXME: Add more things here.
+        // https://bugs.webkit.org/show_bug.cgi?id=123471
+        
+        for (BlockIndex blockIndex = 0; blockIndex &lt; m_graph.numBlocks(); ++blockIndex) {
+            BasicBlock* block = m_graph.block(blockIndex);
+            if (!block)
+                continue;
+            
+            unsigned nodeIndex = 0;
+            for (; nodeIndex &lt; block-&gt;size() &amp;&amp; !block-&gt;at(nodeIndex)-&gt;codeOrigin.isSet(); nodeIndex++) { }
+            
+            VALIDATE((block), nodeIndex &lt; block-&gt;size());
+            
+            for (; nodeIndex &lt; block-&gt;size(); nodeIndex++)
+                VALIDATE((block-&gt;at(nodeIndex)), block-&gt;at(nodeIndex)-&gt;codeOrigin.isSet());
+            
+            for (unsigned nodeIndex = 0; nodeIndex &lt; block-&gt;size(); ++nodeIndex) {
+                Node* node = block-&gt;at(nodeIndex);
+                switch (node-&gt;op()) {
+                case Phi:
+                    VALIDATE((node), !node-&gt;codeOrigin.isSet());
+                    break;
+                    
+                default:
+                    // FIXME: Add more things here.
+                    // https://bugs.webkit.org/show_bug.cgi?id=123471
+                    break;
+                }
+            }
+        }
+    }
+    
</ins><span class="cx">     void checkOperand(
</span><span class="cx">         BasicBlock* block, Operands&lt;size_t&gt;&amp; getLocalPositions,
</span><span class="cx">         Operands&lt;size_t&gt;&amp; setLocalPositions, VirtualRegister operand)
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGWatchpointCollectionPhasecpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -138,18 +138,6 @@
</span><span class="cx">             addLazily(m_node-&gt;symbolTable()-&gt;m_functionEnteredOnce);
</span><span class="cx">             break;
</span><span class="cx">             
</span><del>-        case GetIndexedPropertyStorage:
-            if (JSArrayBufferView* view = m_graph.tryGetFoldableViewForChild1(m_node)) {
-                // FIXME: It would be awesome to be able to fold the property storage for
-                // these GC-allocated typed arrays. For now it doesn't matter because the
-                // most common use-cases for constant typed arrays involve large arrays with
-                // aliased buffer views.
-                if (view-&gt;mode() == FastTypedArray)
-                    break;
-                addLazily(view);
-            }
-            break;
-            
</del><span class="cx">         case TypedArrayWatchpoint:
</span><span class="cx">             addLazily(m_node-&gt;typedArray());
</span><span class="cx">             break;
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -109,6 +109,8 @@
</span><span class="cx">     case ValueToInt32:
</span><span class="cx">     case Branch:
</span><span class="cx">     case LogicalNot:
</span><ins>+    case CheckInBounds:
+    case ConstantStoragePointer:
</ins><span class="cx">         // These are OK.
</span><span class="cx">         break;
</span><span class="cx">     case GetById:
</span><span class="lines">@@ -179,6 +181,17 @@
</span><span class="cx">         }
</span><span class="cx">         break;
</span><span class="cx">     case CompareEq:
</span><ins>+        if (node-&gt;isBinaryUseKind(Int32Use))
+            break;
+        if (node-&gt;isBinaryUseKind(MachineIntUse))
+            break;
+        if (node-&gt;isBinaryUseKind(NumberUse))
+            break;
+        if (node-&gt;isBinaryUseKind(ObjectUse))
+            break;
+        if (node-&gt;isBinaryUseKind(UntypedUse))
+            break;
+        return CannotCompile;
</ins><span class="cx">     case CompareStrictEq:
</span><span class="cx">         if (node-&gt;isBinaryUseKind(Int32Use))
</span><span class="cx">             break;
</span><span class="lines">@@ -199,6 +212,8 @@
</span><span class="cx">             break;
</span><span class="cx">         if (node-&gt;isBinaryUseKind(NumberUse))
</span><span class="cx">             break;
</span><ins>+        if (node-&gt;isBinaryUseKind(UntypedUse))
+            break;
</ins><span class="cx">         return CannotCompile;
</span><span class="cx">     case Switch:
</span><span class="cx">         switch (node-&gt;switchData()-&gt;kind) {
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreftlFTLIntrinsicRepositoryh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -68,6 +68,7 @@
</span><span class="cx">     macro(P_JITOperation_EStSS, functionType(intPtr, intPtr, intPtr, intPtr, intPtr)) \
</span><span class="cx">     macro(P_JITOperation_EStZ, functionType(intPtr, intPtr, intPtr, int32)) \
</span><span class="cx">     macro(S_JITOperation_EJ, functionType(intPtr, intPtr, int64)) \
</span><ins>+    macro(S_JITOperation_EJJ, functionType(intPtr, intPtr, int64, int64)) \
</ins><span class="cx">     macro(V_JITOperation_EJJJ, functionType(voidType, intPtr, int64, int64, int64)) \
</span><span class="cx">     macro(V_JITOperation_EOZD, functionType(voidType, intPtr, intPtr, int32, doubleType)) \
</span><span class="cx">     macro(V_JITOperation_EOZJ, functionType(voidType, intPtr, intPtr, int32, int64)) \
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -368,6 +368,9 @@
</span><span class="cx">         case GetButterfly:
</span><span class="cx">             compileGetButterfly();
</span><span class="cx">             break;
</span><ins>+        case ConstantStoragePointer:
+            compileConstantStoragePointer();
+            break;
</ins><span class="cx">         case GetIndexedPropertyStorage:
</span><span class="cx">             compileGetIndexedPropertyStorage();
</span><span class="cx">             break;
</span><span class="lines">@@ -377,6 +380,9 @@
</span><span class="cx">         case GetArrayLength:
</span><span class="cx">             compileGetArrayLength();
</span><span class="cx">             break;
</span><ins>+        case CheckInBounds:
+            compileCheckInBounds();
+            break;
</ins><span class="cx">         case GetByVal:
</span><span class="cx">             compileGetByVal();
</span><span class="cx">             break;
</span><span class="lines">@@ -1425,6 +1431,11 @@
</span><span class="cx">         setStorage(m_out.loadPtr(lowCell(m_node-&gt;child1()), m_heaps.JSObject_butterfly));
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    void compileConstantStoragePointer()
+    {
+        setStorage(m_out.constIntPtr(m_node-&gt;storagePointer()));
+    }
+    
</ins><span class="cx">     void compileGetIndexedPropertyStorage()
</span><span class="cx">     {
</span><span class="cx">         LValue cell = lowCell(m_node-&gt;child1());
</span><span class="lines">@@ -1451,13 +1462,6 @@
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">         
</span><del>-        if (JSArrayBufferView* view = m_graph.tryGetFoldableView(m_node)) {
-            if (view-&gt;mode() != FastTypedArray) {
-                setStorage(m_out.constIntPtr(view-&gt;vector()));
-                return;
-            }
-        }
-        
</del><span class="cx">         setStorage(m_out.loadPtr(cell, m_heaps.JSArrayBufferView_vector));
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -1502,6 +1506,13 @@
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    void compileCheckInBounds()
+    {
+        speculate(
+            OutOfBounds, noValue(), 0,
+            m_out.aboveOrEqual(lowInt32(m_node-&gt;child1()), lowInt32(m_node-&gt;child2())));
+    }
+    
</ins><span class="cx">     void compileGetByVal()
</span><span class="cx">     {
</span><span class="cx">         switch (m_node-&gt;arrayMode().type()) {
</span><span class="lines">@@ -1514,11 +1525,6 @@
</span><span class="cx">                 m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties;
</span><span class="cx">             
</span><span class="cx">             if (m_node-&gt;arrayMode().isInBounds()) {
</span><del>-                speculate(
-                    OutOfBounds, noValue(), 0,
-                    m_out.aboveOrEqual(
-                        index, m_out.load32(storage, m_heaps.Butterfly_publicLength)));
-                
</del><span class="cx">                 LValue result = m_out.load64(baseIndex(heap, storage, index, m_node-&gt;child2()));
</span><span class="cx">                 speculate(LoadFromHole, noValue(), 0, m_out.isZero64(result));
</span><span class="cx">                 setJSValue(result);
</span><span class="lines">@@ -1559,11 +1565,6 @@
</span><span class="cx">             IndexedAbstractHeap&amp; heap = m_heaps.indexedDoubleProperties;
</span><span class="cx">             
</span><span class="cx">             if (m_node-&gt;arrayMode().isInBounds()) {
</span><del>-                speculate(
-                    OutOfBounds, noValue(), 0,
-                    m_out.aboveOrEqual(
-                        index, m_out.load32(storage, m_heaps.Butterfly_publicLength)));
-                
</del><span class="cx">                 LValue result = m_out.loadDouble(
</span><span class="cx">                     baseIndex(heap, storage, index, m_node-&gt;child2()));
</span><span class="cx">                 
</span><span class="lines">@@ -1627,11 +1628,6 @@
</span><span class="cx">             TypedArrayType type = m_node-&gt;arrayMode().typedArrayType();
</span><span class="cx">             
</span><span class="cx">             if (isTypedView(type)) {
</span><del>-                speculate(
-                    OutOfBounds, noValue(), 0,
-                    m_out.aboveOrEqual(
-                        index, typedArrayLength(m_node-&gt;child1(), m_node-&gt;arrayMode())));
-                
</del><span class="cx">                 TypedPointer pointer = TypedPointer(
</span><span class="cx">                     m_heaps.typedArrayProperties,
</span><span class="cx">                     m_out.add(
</span><span class="lines">@@ -1819,14 +1815,6 @@
</span><span class="cx">             TypedArrayType type = m_node-&gt;arrayMode().typedArrayType();
</span><span class="cx">             
</span><span class="cx">             if (isTypedView(type)) {
</span><del>-                if (m_node-&gt;op() != PutByValAlias) {
-                    speculate(
-                        OutOfBounds, noValue(), 0,
-                        m_out.aboveOrEqual(
-                            index,
-                            typedArrayLength(child1, m_node-&gt;arrayMode(), base)));
-                }
-                
</del><span class="cx">                 TypedPointer pointer = TypedPointer(
</span><span class="cx">                     m_heaps.typedArrayProperties,
</span><span class="cx">                     m_out.add(
</span><span class="lines">@@ -2424,6 +2412,11 @@
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">         
</span><ins>+        if (m_node-&gt;isBinaryUseKind(UntypedUse)) {
+            nonSpeculativeCompare(LLVMIntEQ, operationCompareEq);
+            return;
+        }
+        
</ins><span class="cx">         RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -2492,106 +2485,22 @@
</span><span class="cx">     
</span><span class="cx">     void compileCompareLess()
</span><span class="cx">     {
</span><del>-        if (m_node-&gt;isBinaryUseKind(Int32Use)) {
-            setBoolean(
-                m_out.lessThan(lowInt32(m_node-&gt;child1()), lowInt32(m_node-&gt;child2())));
-            return;
-        }
-        
-        if (m_node-&gt;isBinaryUseKind(MachineIntUse)) {
-            Int52Kind kind;
-            LValue left = lowWhicheverInt52(m_node-&gt;child1(), kind);
-            LValue right = lowInt52(m_node-&gt;child2(), kind);
-            setBoolean(m_out.lessThan(left, right));
-            return;
-        }
-        
-        if (m_node-&gt;isBinaryUseKind(NumberUse)) {
-            setBoolean(
-                m_out.doubleLessThan(lowDouble(m_node-&gt;child1()), lowDouble(m_node-&gt;child2())));
-            return;
-        }
-        
-        RELEASE_ASSERT_NOT_REACHED();
</del><ins>+        compare(LLVMIntSLT, LLVMRealOLT, operationCompareLess);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void compileCompareLessEq()
</span><span class="cx">     {
</span><del>-        if (m_node-&gt;isBinaryUseKind(Int32Use)) {
-            setBoolean(
-                m_out.lessThanOrEqual(lowInt32(m_node-&gt;child1()), lowInt32(m_node-&gt;child2())));
-            return;
-        }
-        
-        if (m_node-&gt;isBinaryUseKind(MachineIntUse)) {
-            Int52Kind kind;
-            LValue left = lowWhicheverInt52(m_node-&gt;child1(), kind);
-            LValue right = lowInt52(m_node-&gt;child2(), kind);
-            setBoolean(m_out.lessThanOrEqual(left, right));
-            return;
-        }
-        
-        if (m_node-&gt;isBinaryUseKind(NumberUse)) {
-            setBoolean(
-                m_out.doubleLessThanOrEqual(
-                    lowDouble(m_node-&gt;child1()), lowDouble(m_node-&gt;child2())));
-            return;
-        }
-        
-        RELEASE_ASSERT_NOT_REACHED();
</del><ins>+        compare(LLVMIntSLE, LLVMRealOLE, operationCompareLessEq);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void compileCompareGreater()
</span><span class="cx">     {
</span><del>-        if (m_node-&gt;isBinaryUseKind(Int32Use)) {
-            setBoolean(
-                m_out.greaterThan(lowInt32(m_node-&gt;child1()), lowInt32(m_node-&gt;child2())));
-            return;
-        }
-        
-        if (m_node-&gt;isBinaryUseKind(MachineIntUse)) {
-            Int52Kind kind;
-            LValue left = lowWhicheverInt52(m_node-&gt;child1(), kind);
-            LValue right = lowInt52(m_node-&gt;child2(), kind);
-            setBoolean(m_out.greaterThan(left, right));
-            return;
-        }
-        
-        if (m_node-&gt;isBinaryUseKind(NumberUse)) {
-            setBoolean(
-                m_out.doubleGreaterThan(
-                    lowDouble(m_node-&gt;child1()), lowDouble(m_node-&gt;child2())));
-            return;
-        }
-        
-        RELEASE_ASSERT_NOT_REACHED();
</del><ins>+        compare(LLVMIntSGT, LLVMRealOGT, operationCompareGreater);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void compileCompareGreaterEq()
</span><span class="cx">     {
</span><del>-        if (m_node-&gt;isBinaryUseKind(Int32Use)) {
-            setBoolean(
-                m_out.greaterThanOrEqual(
-                    lowInt32(m_node-&gt;child1()), lowInt32(m_node-&gt;child2())));
-            return;
-        }
-        
-        if (m_node-&gt;isBinaryUseKind(MachineIntUse)) {
-            Int52Kind kind;
-            LValue left = lowWhicheverInt52(m_node-&gt;child1(), kind);
-            LValue right = lowInt52(m_node-&gt;child2(), kind);
-            setBoolean(m_out.greaterThanOrEqual(left, right));
-            return;
-        }
-        
-        if (m_node-&gt;isBinaryUseKind(NumberUse)) {
-            setBoolean(
-                m_out.doubleGreaterThanOrEqual(
-                    lowDouble(m_node-&gt;child1()), lowDouble(m_node-&gt;child2())));
-            return;
-        }
-        
-        RELEASE_ASSERT_NOT_REACHED();
</del><ins>+        compare(LLVMIntSGE, LLVMRealOGE, operationCompareGreaterEq);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void compileLogicalNot()
</span><span class="lines">@@ -2830,6 +2739,69 @@
</span><span class="cx">             m_state.forNode(edge).m_value);
</span><span class="cx">     }
</span><span class="cx">     
</span><ins>+    void compare(
+        LIntPredicate intCondition, LRealPredicate realCondition,
+        S_JITOperation_EJJ helperFunction)
+    {
+        if (m_node-&gt;isBinaryUseKind(Int32Use)) {
+            LValue left = lowInt32(m_node-&gt;child1());
+            LValue right = lowInt32(m_node-&gt;child2());
+            setBoolean(m_out.icmp(intCondition, left, right));
+            return;
+        }
+        
+        if (m_node-&gt;isBinaryUseKind(MachineIntUse)) {
+            Int52Kind kind;
+            LValue left = lowWhicheverInt52(m_node-&gt;child1(), kind);
+            LValue right = lowInt52(m_node-&gt;child2(), kind);
+            setBoolean(m_out.icmp(intCondition, left, right));
+            return;
+        }
+        
+        if (m_node-&gt;isBinaryUseKind(NumberUse)) {
+            LValue left = lowDouble(m_node-&gt;child1());
+            LValue right = lowDouble(m_node-&gt;child2());
+            setBoolean(m_out.fcmp(realCondition, left, right));
+            return;
+        }
+        
+        if (m_node-&gt;isBinaryUseKind(UntypedUse)) {
+            nonSpeculativeCompare(intCondition, helperFunction);
+            return;
+        }
+        
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+    
+    void nonSpeculativeCompare(LIntPredicate intCondition, S_JITOperation_EJJ helperFunction)
+    {
+        LValue left = lowJSValue(m_node-&gt;child1());
+        LValue right = lowJSValue(m_node-&gt;child2());
+        
+        LBasicBlock leftIsInt = FTL_NEW_BLOCK(m_out, (&quot;CompareEq untyped left is int&quot;));
+        LBasicBlock fastPath = FTL_NEW_BLOCK(m_out, (&quot;CompareEq untyped fast path&quot;));
+        LBasicBlock slowPath = FTL_NEW_BLOCK(m_out, (&quot;CompareEq untyped slow path&quot;));
+        LBasicBlock continuation = FTL_NEW_BLOCK(m_out, (&quot;CompareEq untyped continuation&quot;));
+        
+        m_out.branch(isNotInt32(left), slowPath, leftIsInt);
+        
+        LBasicBlock lastNext = m_out.appendTo(leftIsInt, fastPath);
+        m_out.branch(isNotInt32(right), slowPath, fastPath);
+        
+        m_out.appendTo(fastPath, slowPath);
+        ValueFromBlock fastResult = m_out.anchor(
+            m_out.icmp(intCondition, unboxInt32(left), unboxInt32(right)));
+        m_out.jump(continuation);
+        
+        m_out.appendTo(slowPath, continuation);
+        ValueFromBlock slowResult = m_out.anchor(m_out.notNull(vmCall(
+            m_out.operation(helperFunction), m_callFrame, left, right)));
+        m_out.jump(continuation);
+        
+        m_out.appendTo(continuation, lastNext);
+        setBoolean(m_out.phi(m_out.boolean, fastResult, slowResult));
+    }
+    
</ins><span class="cx">     LValue allocateCell(LValue allocator, LValue structure, LBasicBlock slowPath)
</span><span class="cx">     {
</span><span class="cx">         LBasicBlock success = FTL_NEW_BLOCK(m_out, (&quot;object allocation success&quot;));
</span><span class="lines">@@ -3130,15 +3102,12 @@
</span><span class="cx">     
</span><span class="cx">     template&lt;typename FunctionType&gt;
</span><span class="cx">     void contiguousPutByValOutOfBounds(
</span><del>-        FunctionType slowPathFunction,
-        LValue base, LValue storage, LValue index, LValue value,
</del><ins>+        FunctionType slowPathFunction, LValue base, LValue storage, LValue index, LValue value,
</ins><span class="cx">         LBasicBlock continuation)
</span><span class="cx">     {
</span><span class="cx">         LValue isNotInBounds = m_out.aboveOrEqual(
</span><span class="cx">             index, m_out.load32(storage, m_heaps.Butterfly_publicLength));
</span><del>-        if (m_node-&gt;arrayMode().isInBounds())
-            speculate(StoreToHoleOrOutOfBounds, noValue(), 0, isNotInBounds);
-        else {
</del><ins>+        if (!m_node-&gt;arrayMode().isInBounds()) {
</ins><span class="cx">             LBasicBlock notInBoundsCase =
</span><span class="cx">                 FTL_NEW_BLOCK(m_out, (&quot;PutByVal not in bounds&quot;));
</span><span class="cx">             LBasicBlock performStore =
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreftlFTLOutputh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ftl/FTLOutput.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ftl/FTLOutput.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/ftl/FTLOutput.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -315,29 +315,31 @@
</span><span class="cx">     void storePtr(LValue value, LValue base, const AbstractField&amp; field) { storePtr(value, address(base, field)); }
</span><span class="cx">     void storeDouble(LValue value, LValue base, const AbstractField&amp; field) { storeDouble(value, address(base, field)); }
</span><span class="cx">     
</span><del>-    LValue equal(LValue left, LValue right) { return buildICmp(m_builder, LLVMIntEQ, left, right); }
-    LValue notEqual(LValue left, LValue right) { return buildICmp(m_builder, LLVMIntNE, left, right); }
-    LValue above(LValue left, LValue right) { return buildICmp(m_builder, LLVMIntUGT, left, right); }
-    LValue aboveOrEqual(LValue left, LValue right) { return buildICmp(m_builder, LLVMIntUGE, left, right); }
-    LValue below(LValue left, LValue right) { return buildICmp(m_builder, LLVMIntULT, left, right); }
-    LValue belowOrEqual(LValue left, LValue right) { return buildICmp(m_builder, LLVMIntULE, left, right); }
-    LValue greaterThan(LValue left, LValue right) { return buildICmp(m_builder, LLVMIntSGT, left, right); }
-    LValue greaterThanOrEqual(LValue left, LValue right) { return buildICmp(m_builder, LLVMIntSGE, left, right); }
-    LValue lessThan(LValue left, LValue right) { return buildICmp(m_builder, LLVMIntSLT, left, right); }
-    LValue lessThanOrEqual(LValue left, LValue right) { return buildICmp(m_builder, LLVMIntSLE, left, right); }
</del><ins>+    LValue icmp(LIntPredicate cond, LValue left, LValue right) { return buildICmp(m_builder, cond, left, right); }
+    LValue equal(LValue left, LValue right) { return icmp(LLVMIntEQ, left, right); }
+    LValue notEqual(LValue left, LValue right) { return icmp(LLVMIntNE, left, right); }
+    LValue above(LValue left, LValue right) { return icmp(LLVMIntUGT, left, right); }
+    LValue aboveOrEqual(LValue left, LValue right) { return icmp(LLVMIntUGE, left, right); }
+    LValue below(LValue left, LValue right) { return icmp(LLVMIntULT, left, right); }
+    LValue belowOrEqual(LValue left, LValue right) { return icmp(LLVMIntULE, left, right); }
+    LValue greaterThan(LValue left, LValue right) { return icmp(LLVMIntSGT, left, right); }
+    LValue greaterThanOrEqual(LValue left, LValue right) { return icmp(LLVMIntSGE, left, right); }
+    LValue lessThan(LValue left, LValue right) { return icmp(LLVMIntSLT, left, right); }
+    LValue lessThanOrEqual(LValue left, LValue right) { return icmp(LLVMIntSLE, left, right); }
</ins><span class="cx">     
</span><del>-    LValue doubleEqual(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealOEQ, left, right); }
-    LValue doubleNotEqualOrUnordered(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealUNE, left, right); }
-    LValue doubleLessThan(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealOLT, left, right); }
-    LValue doubleLessThanOrEqual(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealOLE, left, right); }
-    LValue doubleGreaterThan(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealOGT, left, right); }
-    LValue doubleGreaterThanOrEqual(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealOGE, left, right); }
-    LValue doubleEqualOrUnordered(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealUEQ, left, right); }
-    LValue doubleNotEqual(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealONE, left, right); }
-    LValue doubleLessThanOrUnordered(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealULT, left, right); }
-    LValue doubleLessThanOrEqualOrUnordered(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealULE, left, right); }
-    LValue doubleGreaterThanOrUnordered(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealUGT, left, right); }
-    LValue doubleGreaterThanOrEqualOrUnordered(LValue left, LValue right) { return buildFCmp(m_builder, LLVMRealUGE, left, right); }
</del><ins>+    LValue fcmp(LRealPredicate cond, LValue left, LValue right) { return buildFCmp(m_builder, cond, left, right); }
+    LValue doubleEqual(LValue left, LValue right) { return fcmp(LLVMRealOEQ, left, right); }
+    LValue doubleNotEqualOrUnordered(LValue left, LValue right) { return fcmp(LLVMRealUNE, left, right); }
+    LValue doubleLessThan(LValue left, LValue right) { return fcmp(LLVMRealOLT, left, right); }
+    LValue doubleLessThanOrEqual(LValue left, LValue right) { return fcmp(LLVMRealOLE, left, right); }
+    LValue doubleGreaterThan(LValue left, LValue right) { return fcmp(LLVMRealOGT, left, right); }
+    LValue doubleGreaterThanOrEqual(LValue left, LValue right) { return fcmp(LLVMRealOGE, left, right); }
+    LValue doubleEqualOrUnordered(LValue left, LValue right) { return fcmp(LLVMRealUEQ, left, right); }
+    LValue doubleNotEqual(LValue left, LValue right) { return fcmp(LLVMRealONE, left, right); }
+    LValue doubleLessThanOrUnordered(LValue left, LValue right) { return fcmp(LLVMRealULT, left, right); }
+    LValue doubleLessThanOrEqualOrUnordered(LValue left, LValue right) { return fcmp(LLVMRealULE, left, right); }
+    LValue doubleGreaterThanOrUnordered(LValue left, LValue right) { return fcmp(LLVMRealUGT, left, right); }
+    LValue doubleGreaterThanOrEqualOrUnordered(LValue left, LValue right) { return fcmp(LLVMRealUGE, left, right); }
</ins><span class="cx">     
</span><span class="cx">     LValue isZero8(LValue value) { return equal(value, int8Zero); }
</span><span class="cx">     LValue notZero8(LValue value) { return notEqual(value, int8Zero); }
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreruntimeJSObjectcpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/runtime/JSObject.cpp (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/runtime/JSObject.cpp        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/runtime/JSObject.cpp        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -906,7 +906,7 @@
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    if (value.isDouble()) {
</del><ins>+    if (value.isDouble() &amp;&amp; value.asNumber() == value.asNumber()) {
</ins><span class="cx">         convertUndecidedToDouble(vm);
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="lines">@@ -914,6 +914,24 @@
</span><span class="cx">     convertUndecidedToContiguous(vm);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void JSObject::createInitialForValueAndSet(VM&amp; vm, unsigned index, JSValue value)
+{
+    if (value.isInt32()) {
+        createInitialInt32(vm, index + 1)[index].set(vm, this, value);
+        return;
+    }
+    
+    if (value.isDouble()) {
+        double doubleValue = value.asNumber();
+        if (doubleValue == doubleValue) {
+            createInitialDouble(vm, index + 1)[index] = doubleValue;
+            return;
+        }
+    }
+    
+    createInitialContiguous(vm, index + 1)[index].set(vm, this, value);
+}
+
</ins><span class="cx"> void JSObject::convertInt32ForValue(VM&amp; vm, JSValue value)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!value.isInt32());
</span><span class="lines">@@ -1993,8 +2011,8 @@
</span><span class="cx">             storage-&gt;m_numValuesInVector++;
</span><span class="cx">             break;
</span><span class="cx">         }
</span><del>-            
-        createInitialContiguous(vm, i + 1)[i].set(vm, this, value);
</del><ins>+        
+        createInitialForValueAndSet(vm, i, value);
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span><span class="lines">@@ -2142,7 +2160,7 @@
</span><span class="cx">             return true;
</span><span class="cx">         }
</span><span class="cx">         
</span><del>-        createInitialContiguous(vm, i + 1)[i].set(vm, this, value);
</del><ins>+        createInitialForValueAndSet(vm, i, value);
</ins><span class="cx">         return true;
</span><span class="cx">     }
</span><span class="cx">         
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/runtime/JSObject.h (161397 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/runtime/JSObject.h        2014-01-07 04:45:57 UTC (rev 161397)
+++ branches/jsCStack/Source/JavaScriptCore/runtime/JSObject.h        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -757,6 +757,7 @@
</span><span class="cx">     ContiguousJSValues createInitialContiguous(VM&amp;, unsigned length);
</span><span class="cx">         
</span><span class="cx">     void convertUndecidedForValue(VM&amp;, JSValue);
</span><ins>+    void createInitialForValueAndSet(VM&amp;, unsigned index, JSValue);
</ins><span class="cx">     void convertInt32ForValue(VM&amp;, JSValue);
</span><span class="cx">         
</span><span class="cx">     ArrayStorage* createArrayStorage(VM&amp;, unsigned length, unsigned vectorLength);
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoretestsstressfloat32arrayoutofboundsjs"></a>
<div class="addfile"><h4>Added: branches/jsCStack/Source/JavaScriptCore/tests/stress/float32array-out-of-bounds.js (0 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/tests/stress/float32array-out-of-bounds.js                                (rev 0)
+++ branches/jsCStack/Source/JavaScriptCore/tests/stress/float32array-out-of-bounds.js        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+function make(value) {
+    var result = new Float32Array(1);
+    result[0] = value;
+    return result;
+}
+
+function foo(a, i) {
+    return a[i];
+}
+
+noInline(foo);
+
+function test(value) {
+    var result = foo(make(value), 0);
+    if (result != value)
+        throw &quot;Error: bad result: &quot; + result;
+}
+
+for (var i = 0; i &lt; 100000; ++i)
+    test(42);
+
+var result = foo(make(42), 1);
+if (result !== void 0)
+    throw &quot;Error: bad result: &quot; + result;
+
+Float32Array.prototype[1] = 23;
+result = foo(make(42), 1);
+if (result !== 23)
+    throw &quot;Error: bad result: &quot; + result;
</ins></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoretestsstressint32objectoutofboundsjs"></a>
<div class="addfile"><h4>Added: branches/jsCStack/Source/JavaScriptCore/tests/stress/int32-object-out-of-bounds.js (0 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/tests/stress/int32-object-out-of-bounds.js                                (rev 0)
+++ branches/jsCStack/Source/JavaScriptCore/tests/stress/int32-object-out-of-bounds.js        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -0,0 +1,37 @@
</span><ins>+function make(value) {
+    var result = {};
+    result[0] = value;
+    return result;
+}
+
+function foo(a, i) {
+    return a[i];
+}
+
+noInline(foo);
+
+function test(value) {
+    var result = foo(make(value), 0);
+    if (result != value)
+        throw &quot;Error: bad result: &quot; + result;
+}
+
+for (var i = 0; i &lt; 100000; ++i)
+    test(42);
+
+var result = foo(make(42), 1);
+if (result !== void 0)
+    throw &quot;Error: bad result: &quot; + result;
+
+result = foo(make(42), 100);
+if (result !== void 0)
+    throw &quot;Error: bad result: &quot; + result;
+
+result = foo(make(42), 10000);
+if (result !== void 0)
+    throw &quot;Error: bad result: &quot; + result;
+
+Object.prototype[10000] = 23;
+result = foo(make(42), 10000);
+if (result !== 23)
+    throw &quot;Error: bad result: &quot; + result;
</ins></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoretestsstressint32outofboundsjs"></a>
<div class="addfile"><h4>Added: branches/jsCStack/Source/JavaScriptCore/tests/stress/int32-out-of-bounds.js (0 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/tests/stress/int32-out-of-bounds.js                                (rev 0)
+++ branches/jsCStack/Source/JavaScriptCore/tests/stress/int32-out-of-bounds.js        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -0,0 +1,31 @@
</span><ins>+function foo(a, i) {
+    return a[i];
+}
+
+noInline(foo);
+
+function test(value) {
+    var result = foo([value], 0);
+    if (result != value)
+        throw &quot;Error: bad result: &quot; + result;
+}
+
+for (var i = 0; i &lt; 100000; ++i)
+    test(42);
+
+var result = foo([42], 1);
+if (result !== void 0)
+    throw &quot;Error: bad result: &quot; + result;
+
+result = foo([42], 100);
+if (result !== void 0)
+    throw &quot;Error: bad result: &quot; + result;
+
+result = foo([42], 10000);
+if (result !== void 0)
+    throw &quot;Error: bad result: &quot; + result;
+
+Array.prototype[10000] = 23;
+result = foo([42], 10000);
+if (result !== 23)
+    throw &quot;Error: bad result: &quot; + result;
</ins></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoretestsstressuntypedequalityjs"></a>
<div class="addfile"><h4>Added: branches/jsCStack/Source/JavaScriptCore/tests/stress/untyped-equality.js (0 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/tests/stress/untyped-equality.js                                (rev 0)
+++ branches/jsCStack/Source/JavaScriptCore/tests/stress/untyped-equality.js        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+function foo(a, b) {
+    return a == b;
+}
+
+noInline(foo);
+
+var data = [
+    [5, 6.5, false],
+    [&quot;foo&quot;, &quot;bar&quot;, false],
+    [true, false, false],
+    [&quot;42&quot;, 42, true],
+    [1.2, 1.2, true]
+];
+
+for (var i = 0; i &lt; 100000; ++i) {
+    var test = data[i % data.length];
+    var result = foo(test[0], test[1]);
+    if (result != test[2])
+        throw &quot;Error: bad result for &quot; + test + &quot;: &quot; + result;
+}
</ins></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoretestsstressuntypedlessthanjs"></a>
<div class="addfile"><h4>Added: branches/jsCStack/Source/JavaScriptCore/tests/stress/untyped-less-than.js (0 => 161398)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/tests/stress/untyped-less-than.js                                (rev 0)
+++ branches/jsCStack/Source/JavaScriptCore/tests/stress/untyped-less-than.js        2014-01-07 04:48:18 UTC (rev 161398)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+function foo(a, b) {
+    return a &lt; b;
+}
+
+noInline(foo);
+
+var data = [
+    [5, 6.5, true],
+    [&quot;foo&quot;, &quot;bar&quot;, false],
+    [true, false, false],
+    [false, true, true],
+    [&quot;42&quot;, 42, false],
+    [1.2, 1.2, false],
+    [&quot;-1&quot;, 1, true],
+    [-1, &quot;1&quot;, true]
+];
+
+for (var i = 0; i &lt; 100000; ++i) {
+    var test = data[i % data.length];
+    var result = foo(test[0], test[1]);
+    if (result != test[2])
+        throw &quot;Error: bad result for &quot; + test + &quot;: &quot; + result;
+}
</ins></span></pre>
</div>
</div>

</body>
</html>