Merge changes I55c6d71a,Ifb3277d4,Ia1b847a2,I7ba9cf3f,Ida2b2a8a,I1280ec90,I72f818d5,I2e3b588b,I9a4e6289,Ia724c78b,Icd8612c8,Ie31b15d7,Ie125edae,I77941a88,I89dae78b,I3516e5ca,I1a4c17b5,I2c4ecc1a,I9c8e6537,Ifac13115,Ie1f80e09,Ia541ed77,I60ce9d78

* changes:
  Merge WebKit at r82507: Update ThirdPartyProject.prop
  Merge WebKit at r82507: Cherry-pick change r88166 to add INSPECTOR guards to ScriptProfiler
  Merge WebKit at r82507: Work around a V8 bug
  Merge WebKit at r82507: JNIType renamed to JavaType
  Merge WebKit at r82507: IconDatabaseClient interface expanded
  Merge WebKit at r82507: Don't use new loss-free code path in HTMLCanvasElement::toDataURL()
  Merge WebKit at r82507: IcondDatabaseBase::iconForPageURL() renamed
  Merge WebKit at r82507: IconDatabaseBase::Open() signature changed
  Merge WebKit at r82507: Node::isContentEditable() renamed
  Merge WebKit at r82507: Use icon database through IconDatabaseBase
  Merge WebKit at r82507: toInputElement() is now a member of Node
  Merge WebKit at r82507: FrameLoaderClient::objectContentType() signature changed
  Merge WebKit at r82507: StringImpl::computeHash() removed
  Merge WebKit at r82507: Stub out FontPlatformData::setOrientation()
  Merge WebKit at r82507: Path::strokeBoundingRect() is now const
  Merge WebKit at r82507: Add missing UnusedParam.h include in ApplicationCacheGroup.cpp
  Merge WebKit at r82507: Continue to use Android's version of FontPlatformData.h
  Merge WebKit at r82507: Update signature of FontCustomPlatformData::fontPlatformData()
  Merge WebKit at r82507: Fix conflicts due to JNI refactoring
  Merge WebKit at r82507: Fix conflicts due to new StorageTracker
  Merge WebKit at r82507: Fix conflicts
  Merge WebKit at r82507: Fix makefiles
  Merge WebKit at r82507: Initial merge by git

1 files changed, 16 insertions, 13 deletions

diff --git a/Source/JavaScriptCore/jit/JITCall.cpp b/Source/JavaScriptCore/jit/JITCall.cpp
index 524e576..77c2a69 100644
--- a/Source/JavaScriptCore/jit/JITCall.cpp
+++ b/Source/JavaScriptCore/jit/JITCall.cpp
@@ -48,10 +48,11 @@ namespace JSC {
 
 void JIT::compileOpCallInitializeCallFrame()
 {
-    store32(regT1, Address(callFrameRegister, RegisterFile::ArgumentCount * static_cast<int>(sizeof(Register))));
-    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_scopeChain)), regT3); // newScopeChain
-    storePtr(regT0, Address(callFrameRegister, RegisterFile::Callee * static_cast<int>(sizeof(Register))));
-    storePtr(regT3, Address(callFrameRegister, RegisterFile::ScopeChain * static_cast<int>(sizeof(Register))));
+    // regT0 holds callee, regT1 holds argCount
+    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_scopeChain)), regT3); // scopeChain
+    emitPutIntToCallFrameHeader(regT1, RegisterFile::ArgumentCount);
+    emitPutCellToCallFrameHeader(regT0, RegisterFile::Callee);
+    emitPutCellToCallFrameHeader(regT3, RegisterFile::ScopeChain);
 }
 
 void JIT::emit_op_call_put_result(Instruction* instruction)
@@ -67,15 +68,16 @@ void JIT::compileOpCallVarargs(Instruction* instruction)
     int registerOffset = instruction[3].u.operand;
 
     emitGetVirtualRegister(argCountRegister, regT1);
+    emitFastArithImmToInt(regT1);
     emitGetVirtualRegister(callee, regT0);
     addPtr(Imm32(registerOffset), regT1, regT2);
 
     // Check for JSFunctions.
     emitJumpSlowCaseIfNotJSCell(regT0);
-    addSlowCase(branchPtr(NotEqual, Address(regT0), ImmPtr(m_globalData->jsFunctionVPtr)));
+    addSlowCase(branchPtr(NotEqual, Address(regT0), TrustedImmPtr(m_globalData->jsFunctionVPtr)));
 
     // Speculatively roll the callframe, assuming argCount will match the arity.
-    mul32(Imm32(sizeof(Register)), regT2, regT2);
+    mul32(TrustedImm32(sizeof(Register)), regT2, regT2);
     intptr_t offset = (intptr_t)sizeof(Register) * (intptr_t)RegisterFile::CallerFrame;
     addPtr(Imm32((int32_t)offset), regT2, regT3);
     addPtr(callFrameRegister, regT3);
@@ -118,14 +120,14 @@ void JIT::compileOpCall(OpcodeID opcodeID, Instruction* instruction, unsigned)
         stubCall.addArgument(JIT::Imm32(registerOffset));
         stubCall.addArgument(JIT::Imm32(argCount));
         stubCall.call();
-        wasEval = branchPtr(NotEqual, regT0, ImmPtr(JSValue::encode(JSValue())));
+        wasEval = branchPtr(NotEqual, regT0, TrustedImmPtr(JSValue::encode(JSValue())));
     }
 
     emitGetVirtualRegister(callee, regT0);
 
     // Check for JSFunctions.
     emitJumpSlowCaseIfNotJSCell(regT0);
-    addSlowCase(branchPtr(NotEqual, Address(regT0), ImmPtr(m_globalData->jsFunctionVPtr)));
+    addSlowCase(branchPtr(NotEqual, Address(regT0), TrustedImmPtr(m_globalData->jsFunctionVPtr)));
 
     // Speculatively roll the callframe, assuming argCount will match the arity.
     storePtr(callFrameRegister, Address(callFrameRegister, (RegisterFile::CallerFrame + registerOffset) * static_cast<int>(sizeof(Register))));
@@ -175,7 +177,7 @@ void JIT::compileOpCall(OpcodeID opcodeID, Instruction* instruction, unsigned ca
         stubCall.addArgument(JIT::Imm32(registerOffset));
         stubCall.addArgument(JIT::Imm32(argCount));
         stubCall.call();
-        wasEval = branchPtr(NotEqual, regT0, ImmPtr(JSValue::encode(JSValue())));
+        wasEval = branchPtr(NotEqual, regT0, TrustedImmPtr(JSValue::encode(JSValue())));
     }
 
     // This plants a check for a cached JSFunction value, so we can plant a fast link to the callee.
@@ -185,7 +187,7 @@ void JIT::compileOpCall(OpcodeID opcodeID, Instruction* instruction, unsigned ca
 
     BEGIN_UNINTERRUPTED_SEQUENCE(sequenceOpCall);
 
-    Jump jumpToSlow = branchPtrWithPatch(NotEqual, regT0, addressOfLinkedFunctionCheck, ImmPtr(JSValue::encode(JSValue())));
+    Jump jumpToSlow = branchPtrWithPatch(NotEqual, regT0, addressOfLinkedFunctionCheck, TrustedImmPtr(JSValue::encode(JSValue())));
 
     END_UNINTERRUPTED_SEQUENCE(sequenceOpCall);
 
@@ -199,8 +201,9 @@ void JIT::compileOpCall(OpcodeID opcodeID, Instruction* instruction, unsigned ca
     // Note that this omits to set up RegisterFile::CodeBlock, which is set in the callee
 
     loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_scopeChain)), regT1); // newScopeChain
-
-    store32(Imm32(argCount), Address(callFrameRegister, (registerOffset + RegisterFile::ArgumentCount) * static_cast<int>(sizeof(Register))));
+    
+    store32(TrustedImm32(Int32Tag), intTagFor(registerOffset + RegisterFile::ArgumentCount));
+    store32(Imm32(argCount), intPayloadFor(registerOffset + RegisterFile::ArgumentCount));
     storePtr(callFrameRegister, Address(callFrameRegister, (registerOffset + RegisterFile::CallerFrame) * static_cast<int>(sizeof(Register))));
     storePtr(regT0, Address(callFrameRegister, (registerOffset + RegisterFile::Callee) * static_cast<int>(sizeof(Register))));
     storePtr(regT1, Address(callFrameRegister, (registerOffset + RegisterFile::ScopeChain) * static_cast<int>(sizeof(Register))));
@@ -224,7 +227,7 @@ void JIT::compileOpCallSlowCase(Instruction* instruction, Vector<SlowCaseEntry>:
 
     // Fast check for JS function.
     Jump callLinkFailNotObject = emitJumpIfNotJSCell(regT0);
-    Jump callLinkFailNotJSFunction = branchPtr(NotEqual, Address(regT0), ImmPtr(m_globalData->jsFunctionVPtr));
+    Jump callLinkFailNotJSFunction = branchPtr(NotEqual, Address(regT0), TrustedImmPtr(m_globalData->jsFunctionVPtr));
 
     // Speculatively roll the callframe, assuming argCount will match the arity.
     storePtr(callFrameRegister, Address(callFrameRegister, (RegisterFile::CallerFrame + registerOffset) * static_cast<int>(sizeof(Register))));